More HTTPS Scanning Reports
We received more packet captures showing scans for the SSL-PCT
exploit. It still appears that the THC exploit is being used and that
additional code is downloaded to the affected systems via tftp.
Problems With MS04-022
One reader reported problems installing MS04-022. This is of particular
interest because an exploit for this vulnerability is already public. As
usual, we advise testing patches carefully. The report we received
indicates that tasks scheduled with the Task Scheduler no longer
executed. A sample error message:
A possible command channel / remote shell has been found on port 2003 in a
specific network. No widespread use of this port has been registered.
Host Based IDS for Windows
Users frequently ask how to make sure that a system has not been
compromised, or how to determine with certainty the scope of a compromise.
Host-based intrusion detection systems are a good way to detect altered
binaries. For Linux, a wide range of free and commercial systems exists
(AIDE, tripwire, SNARE), which catalog system files and save
cryptographically secured checksums. We would like to hear what users
recommend for Windows systems.
(Update: A few users commented that GFI Languard is available for Windows
Johannes Ullrich, jullrich _AT_ sans.org
Jul 19th 2004