
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2007-07-06



Do you want to play a game...?

Published: 2007-07-06
Last Updated: 2007-07-07 21:55:29 UTC
by Tom Liston (Version: 2)

No... it's not called "Global Thermonuclear War"... although that's a fun game too...

This game is called "What Are the Kidz Doing On Port 5151?"

Lookie here:  http://isc.sans.org/port.html?port=5151

And, to top that off, we've seen peaks of interest in port 5151 in the past:

February, April, and August 2004
April, July, and December 2005
February and September of 2006

To play, simply click here and tell us what you think.  Better still, set up a netcat listener and tell us what you find (or what finds you...)

Update: (by Kevin "Not Tom" Liston)

Daniel's darknet (everyone should have one) spotted only backscatter from what appeared to be a denial-of-service (or possibly a brute-force attack) targeting a Chinese IP on ports 80, 110, and 389 (HTTP, POP3, and LDAP respectively). I checked my darknet and on 28-JUN-2007 I spotted similar activity targeting another Chinese IP.

Timothy and others have reported that netcat listeners have turned up no results. This implies that the scans are simply that: scans, aimed only at port TCP/5151, with no payload following the connection.

Darren provides a potential "why" for our "who/what/where/when/why/how" construct with his link to an exploit targeting ESRI's ArcSDE that involves a buffer overflow in a service listening on TCP/5151. The exploit was released on 26-JUN-2007, and the timing of events seems compelling. The published exploit doesn't check for any headers or banner; it simply opens the port and sprays its payload.
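As an added example (not code from the diary or from ISC), here is a Python stand-in for the netcat listener suggested above: it sits silently on TCP/5151, never sends a banner, and records whether each peer sends anything before closing. A connect-and-close with no bytes is logged as a bare scan; a client that sprays data without waiting for a header is logged as a payload. The port comes from the diary; the idle timeout and the sample peers are constructed assumptions.

```python
import socket
import threading
from datetime import datetime, timezone

LISTEN_PORT = 5151      # the port the diary is asking about
IDLE_TIMEOUT = 5.0      # assumed: seconds to wait for the peer to speak first

def classify(data: bytes) -> str:
    """Connect-and-close with no bytes is a bare port scan; a client that
    talks without waiting for a banner looks like an exploit spraying."""
    return "scan-only" if not data else "payload"

def handle_connection(conn: socket.socket, peer: tuple, timeout: float = IDLE_TIMEOUT) -> dict:
    """Stay silent (send no banner) and record what, if anything, the peer sends."""
    conn.settimeout(timeout)
    chunks = []
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:          # peer closed the connection
                break
            chunks.append(chunk)
    except socket.timeout:
        pass                       # peer connected but never sent anything
    finally:
        conn.close()
    data = b"".join(chunks)
    record = {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "peer": f"{peer[0]}:{peer[1]}",
        "bytes": len(data),
        "verdict": classify(data),
        "preview": data[:32].hex(),   # first 32 bytes, enough to eyeball a spray
    }
    print(record)
    return record

def serve(port: int = LISTEN_PORT) -> None:
    """Accept connections on the given port and log each one in its own thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle_connection, args=(conn, peer), daemon=True).start()

if __name__ == "__main__":
    serve()   # run on a sensor or darknet host you control
```

Run it where the scans are landing and compare the "verdict" column against a plain netcat capture: a column of scan-only records matches the empty netcat results reported above.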


Yahoo down

Published: 2007-07-06
Last Updated: 2007-07-07 20:44:01 UTC
by Johannes Ullrich (Version: 3)

A couple of readers alerted us that http://www.yahoo.com appears to be down. At this point, we have no idea why, or whether this is security-related at all. But it does indeed look like Yahoo! is down.

Update: Looks like Yahoo! is fine again. We had some suggestions that this may be related to routing issues within the Verizon network, but we have no details or confirmation at this point. Other Yahoo services, such as Yahoo IM, were affected as well.

Update: For Yahoo!'s own coverage click here
For Netcraft's pretty picture click here


Putting the ED in .EDU

Published: 2007-07-06
Last Updated: 2007-07-06 18:49:31 UTC
by Tom Liston (Version: 1)

So, you're a low-life piece of Internet vermin, and, like all low-life pieces of Internet vermin you find yourself faced with a dilemma: How are you gonna lend an aura of respectability to your scummy online "pharmacy" service?  Better still, how are you going to make your "pharma" site stand out from all the others?  How are you going to "optimize" the search engine placement for your pill slinging service?

What better place from which to push your ED drugs than... well... .edu?

Try this Google search. 

Interestin', eh?

Looks to me like somebody's been doing a mass hack of .edu sites and setting up web pages to push Cialis, Viagra, and... uh... well... porn.

Sex and drugs.  Now all we need is some rock and roll...

----------------------------------------------------------------

Tom Liston : Intelguardians - Handler on Duty


Incoming!!!

Published: 2007-07-06
Last Updated: 2007-07-06 15:40:10 UTC
by Tom Liston (Version: 1)

In old black and white war movies, just when you're hoping that things will calm down a bit so the hero can kick back with the rest of his platoon, grab a smoke, and relax for a few minutes... some joker yells "Incoming!" and the shelling begins again.  Just how *does* that guy know when the enemy is going to start shooting again?  I really think someone should question his loyalty...

Anyway... in that great tradition, Microsoft announced that next Tuesday's regularly scheduled patch-a-thon will be brought to you by the letter "C" as in "Critical": three critical updates (one for Office/Excel, one for the Windows OS, and one for the .NET Framework), each one potentially delivering remote code execution goodness right to your desktop.

Accompanying those three will be a duet of "Important" patches (one for Office/Publisher and one for XP Pro) and a niggling little "Moderate" problem in Vista.

Duck and cover, gang... duck and cover.
