Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

American Football Championship Shenanigans

Published: 2007-02-02
Last Updated: 2007-02-08 16:58:49 UTC
by Kevin Liston (Version: 7)
0 comment(s)
Websense Labs has reported that "the official website of Dolphin Stadium has been compromised with malicious code."  As of now (~1820 GMT 02-FEB-2007) the site still has the injected redirect, but the site hosting the malicious code is not responding.  The malicious script is reported to exploit vulnerabilities described in Microsoft Security Bulletins MS06-014 and MS07-004. has a signature available:

The first reported site has been repaired (for now?)
Other sites have been identified using some googledorking and are in the process of being informed.

McAfee has released updated signatures to detect Backdoor-DKT:
Other AV vendors should have specific signatures by now as well.


A similar (identical?) exploit is served by the following domains. At this point, the best defense (after patching) is to block these domains and monitor DNS requests for them. Infected machines will try to call home to them.,,,, was the domain used in the defacement. Thanks to the cooperation from Xin-Net, the domain is no longer resolving. But there is always a chance that it will come back.

If your website is defaced by this group: Please contact us and preserve logs.

We had '' listed here earlier. According to information from the system administrator for the site, the javascript file on that site is not malicious and just happens to have the same filename.

Updating our earlier update :-), the 3.js off the Natmags site downloads an ad.htm file which is clearly an exploit, as can be shown with a little PERL-fu to make it readable: cat ad.htm | perl -pe 's/(.)/chr(ord($1)&127)/ge'
The corresponding www.exe is no longer available on the server though (or doesn't download).
0 comment(s)

Classic phpBB vulnerability impacts phpBB-based forums

Published: 2007-02-02
Last Updated: 2007-02-02 20:10:07 UTC
by Kevin Liston (Version: 1)
0 comment(s)
It seems fairly obvious but the classic phpbb_root_path vulnerability is present in products such as: Omegaboard, Cerulean Portal System, phpBB Tweaked, Hailboards, EclipseBB and Xero Portal.  All are affected by the vulnerability exposed by having register_globals set to "on."  It appears that it is being regularly exploited as well to deface systems.
Thanks for the lead Juergen!
0 comment(s)

Friday Security Notes

Published: 2007-02-02
Last Updated: 2007-02-02 18:32:40 UTC
by Kevin Liston (Version: 2)
0 comment(s)
Just a few things to read/follow-up/keep-an-eye-on over the weekend:

Wireshark announced a few Denial of Service vulnerabilities (i.e. it sees certain traffic and crashes) yesterday:

Release notes are available:

Exploit code is available Computer Associates BrightStor ARCserve Backup LGSERVER.EXE
The targeted service listens on TCP/1900.  The example exploit sets up a shell on TCP/4444 (but that's trivial to change)
Dshield notes a bit of a peak:
Concentrated activity towards TCP/4400 is a bit less obvious.

Cisco Vulnerabilities, there were a few issues identified by Cisco this week.  Keep an eye/ear/SEC-rule out for "instability issues" on your routing infrastructure.  For current details:
0 comment(s)
Diary Archives