Sunday P & Q; Happy Birthday OpenSSH; RBOT Snort Sig; Bacula

Published: 2005-06-05
Last Updated: 2005-06-06 03:18:03 UTC
by Dave Brookshire (Version: 1)
The Peace and Quiet of a Sunday Afternoon, OpenSSH is a toddler, an RBOT Snort Signature submitted by one of our readers, and a plug for a very useful open source project...

Sunday Shifts are Great

It has been a quiet weekend so far, so here are a few things to entertain your brain:

Reading Materials--

Dogs of War: Securing Microsoft Groupware Environments with Unix (Parts 1&2)
http://www.securityfocus.com/infocus/1770
http://www.securityfocus.com/infocus/1772

Port Knocking: Beyond the Basics (from the SANS Reading Room, by Dawn Isabel)
http://www.sans.org/rr/whitepapers/sysadmin/1634.php

Eye Candy...really some simply amazing photography-- http://gilad.deviantart.com/gallery/

Interesting Sites I Stumbled On--
http://www.e2ksecurity.com/

http://www.dir.state.tx.us/security/reading/

Happy Birthday OpenSSH

As posted to Slashdot...OpenSSH turns 5 today. It's just a toddler, but an important tool in every security professional's bag. Cake and ice cream for everyone!!!

http://it.slashdot.org/article.pl?sid=05/06/05/1440222&tid=172&tid=93

Useful Software Plug

I've been going through some hassles with our tape backup system at work, and came upon an open source project called Bacula. It's great--it has a lot in common with Amanda and Veritas. It takes a little getting used to, but it really is fantastic. It overcomes some of the shortcomings of Amanda (like being able to span volumes) and costs a lot less (as in nothing) than Veritas. I was really impressed and feel it's plug worthy.

You're all doing some kind of backups, no? ;) If not, check out Bacula. Even if you are, check out Bacula!

http://www.bacula.org/

RBOT Snort Sig

Correction: Shirkdog submitted this existing Snort signature, which he has observed RBOT triggering.

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY
WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|";
pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646;
classtype:web-application-attack; sid:100000122; rev:1;)

[**] [1:100000122:1] COMMUNITY WEB-MISC mod_jrun overflow attempt [**]
[Classification: Web Application Attack] [Priority: 1]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0646]
[Xref => http://www.securityfocus.com/bid/11245]
Event ID: 6 Event Reference: 6
06/05/05-06:49:21.665909 69.211.111.208:1502 -> x.x.x.x:80
TCP TTL:110 TOS:0x20 ID:64107 IpLen:20 DgmLen:1492 DF
***A**** Seq: 0x202A8FC Ack: 0x584837AA Win: 0xFF3C TcpLen: 20
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A GET / HTTP/1.0..
48 6F 73 74 3A 20 XX XX 2E XX XX XX 2E XX XX XX Host: XX.XXX.XXX
2E XX XX XX 0D 0A 41 75 74 68 6F 72 69 7A 61 74 .XXX..Authorizat
69 6F 6E 3A 20 4E 65 67 6F 74 69 61 74 65 20 59 ion: Negotiate Y
49 49 51 65 67 59 47 4B 77 59 42 42 51 55 43 6F IIQegYGKwYBBQUCo
49 49 51 62 6A 43 43 45 47 71 68 67 68 42 6D 49 IIQbjCCEGqhghBmI
34 49 51 59 67 4F 43 42 41 45 41 51 55 46 42 51 4IQYgOCBAEAQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQUFBQ
55 46 42 51 55 46 42 51 55 46 42 51 UFBQUFBQUFBQ
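A note on why a mod_jrun rule fires on this traffic, with an added example that is not part of the diary or of Shirkdog's submission. The signature's pcre is /^.*\x3a[^\n]{1000}/sm; because the /s flag lets the leading .* span lines, the rule in effect alerts whenever any colon in the payload is followed by at least 1000 non-newline bytes, so an Authorization: Negotiate header carrying a 2000+ character token trips it regardless of what server is behind port 80. The repeating "QUFB" base64 groups in the dump above decode to runs of 0x41 ("A") bytes. The Python below (mine, not Snort's or the diary's) rebuilds a payload from Snort's payload-dump text, applies the same content + pcre logic, reports per-header value lengths, and base64-decodes a Negotiate token to measure its longest single-byte run. The dump lines and requests it works on are constructed here; the host name example.com and the token contents are placeholders, not values from the diary.

```python
"""Replay the diary's Snort rule logic offline: rebuild a payload from Snort's
payload-dump text, apply the rule's PCRE, and inspect the oversized header.
Added example; not code from the diary, Snort, or the rule's author."""
import base64
import re
from typing import Dict, Tuple

# Same match logic as the rule's content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm".
# With /s the leading .* may span lines, so in effect the rule alerts whenever
# any colon in the payload is followed by at least 1000 non-newline bytes.
RULE_PCRE = re.compile(rb"^.*\x3a[^\n]{1000}", re.S | re.M)
HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_snort_dump(dump: str) -> bytes:
    """Rebuild raw bytes from Snort payload-dump lines: up to 16 hex pairs per
    line followed by an ASCII rendering, which is dropped. Assumes the hex
    pairs come first on each line, which is how Snort prints them."""
    out = bytearray()
    for line in dump.splitlines():
        pairs = []
        for tok in line.split():
            if len(pairs) == 16 or not HEX_PAIR.match(tok):
                break  # first non-hex token starts the ASCII column
            pairs.append(tok)
        out += bytes.fromhex("".join(pairs))
    return bytes(out)


def rule_fires(payload: bytes) -> bool:
    """True when both the content and the pcre condition of sid 100000122 match."""
    return b":" in payload and RULE_PCRE.search(payload) is not None


def parse_headers(payload: bytes) -> Dict[str, str]:
    """Header name -> value for the request head (everything before the blank line)."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.decode("latin-1").strip()] = value.decode("latin-1").strip()
    return headers


def longest_byte_run(data: bytes) -> Tuple[int, int]:
    """(byte value, run length) of the longest run of one repeated byte. A long
    run of a single value is the filler pattern an analyst looks for in a token;
    an empty input yields (-1, 0)."""
    best = (-1, 0)
    cur_val, cur_len = -1, 0
    for b in data:
        cur_val, cur_len = (b, cur_len + 1) if b == cur_val else (b, 1)
        if cur_len > best[1]:
            best = (cur_val, cur_len)
    return best


def analyze(payload: bytes) -> dict:
    """Defender-side summary: did the rule fire, how long is each header value,
    and what does a Negotiate token decode to."""
    headers = parse_headers(payload)
    report = {
        "rule_fires": rule_fires(payload),
        "header_lengths": {k: len(v) for k, v in headers.items()},
    }
    auth = headers.get("Authorization", "")
    if auth.lower().startswith("negotiate "):
        token = auth.split(None, 1)[1]
        token = token[: len(token) - len(token) % 4]  # drop a partial group if the capture was cut
        report["token_longest_run"] = longest_byte_run(base64.b64decode(token))
    return report


def build_request(token_bytes: bytes) -> bytes:
    """Constructed request carrying a Negotiate token (base64 of token_bytes).
    base64 of b"AAA" is "QUFB", the group repeated in the diary's dump."""
    token = base64.b64encode(token_bytes)
    return (b"GET / HTTP/1.0\r\nHost: example.com\r\n"
            b"Authorization: Negotiate " + token + b"\r\n\r\n")


# Constructed sample in Snort's payload-dump layout (not the diary's capture):
SAMPLE_DUMP = """\
47 45 54 20 2F 20 48 54 54 50 2F 31 2E 30 0D 0A  GET / HTTP/1.0..
48 6F 73 74 3A 20 65 78 61 6D 70 6C 65 2E 63 6F  Host: example.co
6D 0D 0A                                         m..
"""

if __name__ == "__main__":
    print(analyze(parse_snort_dump(SAMPLE_DUMP)))   # short headers: rule stays quiet
    print(analyze(build_request(b"A" * 1500)))       # 2000-char token: rule fires
```

Running the script against a real payload dump (paste the hex lines into SAMPLE_DUMP) tells you which header carried the oversized value and whether the decoded token is mostly one repeated byte, which is the triage question this alert raises: is it a malformed but legitimate SPNEGO exchange, or filler aimed at an overflow.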

--------------------------------

Dave Brookshire

SANS Handler-on-Duty