2008 around just a little bit longer (1 second)
A leap second will be added to the clock at 12/31/2008 23:59:59 UTC tonight. Clocks will go:
12/31/2008 23:59:58
12/31/2008 23:59:59
12/31/2008 23:59:60
01/01/2009 00:00:00
01/01/2009 00:00:01
Hopefully most IT folks will be otherwise occupied at that time and not focusing on their system clocks.
Have a Happy 1-second Delayed New Year.
David Goldsmith
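The clock sequence above has a practical consequence for anyone who parses timestamps: a second value of 60 is rejected by most standard date libraries, so a log parser written without the leap second in mind stops dead on the 23:59:60 entry. The following is an added example, not part of the original diary, showing a parser that accepts 23:59:60 only on the two dates on which leap seconds have ever been scheduled (June 30 and December 31) and maps it to the following 00:00:00, which is the same POSIX time the operating system reports for it since Unix time does not count leap seconds. The timestamp format and the DIARY_SEQUENCE list are the diary's own; the function names are mine.

```python
from datetime import datetime, timedelta, timezone

# Month/day pairs on which a positive leap second (23:59:60 UTC) can occur.
# IERS has so far only ever scheduled them at the end of June or December.
LEAP_SECOND_DATES = {(6, 30), (12, 31)}


def parse_utc_timestamp(text):
    """Parse 'MM/DD/YYYY HH:MM:SS' (UTC), tolerating a 23:59:60 leap second.

    datetime.strptime raises ValueError for second=60, so a parser that
    relies on it alone fails on the leap-second line.  A valid :60 is mapped
    to the following 00:00:00 (the POSIX time of the leap second itself).
    """
    date_part, time_part = text.split(" ")
    hh, mm, ss = (int(x) for x in time_part.split(":"))
    if ss == 60:
        base = datetime.strptime(date_part, "%m/%d/%Y")
        if (hh, mm) != (23, 59) or (base.month, base.day) not in LEAP_SECOND_DATES:
            raise ValueError(f"second=60 is not a valid leap second at {text}")
        base = base.replace(hour=23, minute=59, second=59, tzinfo=timezone.utc)
        return base + timedelta(seconds=1)
    # Any other out-of-range value (e.g. :61) still raises ValueError here.
    return datetime.strptime(text, "%m/%d/%Y %H:%M:%S").replace(tzinfo=timezone.utc)


def is_monotonic(timestamps):
    """True when the parsed sequence never goes backwards (it may repeat)."""
    parsed = [parse_utc_timestamp(t) for t in timestamps]
    return all(a <= b for a, b in zip(parsed, parsed[1:]))


# The clock sequence exactly as the diary lists it.
DIARY_SEQUENCE = [
    "12/31/2008 23:59:58",
    "12/31/2008 23:59:59",
    "12/31/2008 23:59:60",
    "01/01/2009 00:00:00",
    "01/01/2009 00:00:01",
]

if __name__ == "__main__":
    for t in DIARY_SEQUENCE:
        print(t, "->", parse_utc_timestamp(t).isoformat())
    print("monotonic:", is_monotonic(DIARY_SEQUENCE))
```

Note that the 23:59:60 entry and the 00:00:00 entry that follows it parse to the same instant, so event ordering within that second has to come from log line order, not from the timestamp.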
Roundcube Webmail - Another Issue
Reader Nathan, who sent us information about the Roundcube html2text.php vulnerability last week (see our previous diary here), has written in again about a new scan he is seeing for the "msgimport" binary included with Roundcube. Nathan writes:
In regard to the Roundcube vulnerability it appears that attackers are now actively scanning for the presence of Roundcube with a specific user agent. It may be possible to craft a mod_security or fail2ban rule to match against this user agent. Two separate users have reported the scanning as well on separate ARIN netblocks. I have seen these scans first-hand on my webserver. Scans appear to originate from 87.233.128.0/18 with specific allocation details of "Assigned to customer 504". I don't think customer 504 is very nice :)
The User-Agent is in Romanian and translates, "All my love for the devil girl". Do you have any additional information regarding this user-agent and/or the specific vulnerability relating to msgimport? This does not appear to be the same vulnerability regarding code execution in html2text.php. I don't have additional behavior from the clients in the logs due to fail2ban taking action (HTTP 403 on connections without a host-header w/immediate fail2ban). Googling shows that scanning for this vulnerability appears to have started around Dec 20th.
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"
87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"
Nathan, thanks for the information about the scanning and have a happy New Year.
David Goldsmith
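Nathan suggests matching the User-Agent with a mod_security or fail2ban rule. As an added example (not code from the diary or from Nathan), the block below parses his three log lines in Apache combined format, flags a source on either indicator he reported (the Romanian User-Agent or a request for /bin/msgimport), counts hits per IP the way fail2ban's maxretry does, and tests a fail2ban-style failregex against the same lines. The regex has to cope with the optional leading vhost token ("default") present on two of the lines; the one benign line and all function names are my additions.

```python
import re
from collections import Counter

# Apache combined log line, optionally prefixed by a vhost token ("default"
# in two of the diary's lines).  The host is constrained to an IPv4 literal
# so the optional vhost group cannot swallow the IP on lines without a vhost.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+) )?(?P<host>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators reported in the diary.
SCANNER_UA = "Toata dragostea mea pentru diavola"
PROBED_PATH = "/bin/msgimport"

# fail2ban-style failregex for the User-Agent indicator (assumed shape of a
# filter.d entry; <HOST> is fail2ban's placeholder for the banned address).
FAILREGEX = r'^(?:\S+ )?<HOST> .*"' + re.escape(SCANNER_UA) + r'"$'
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def parse_line(line):
    """Return the parsed fields of one combined-log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scan(entry):
    """True when a parsed entry carries either of the reported indicators."""
    return entry["ua"] == SCANNER_UA or PROBED_PATH in entry["request"]


def failregex_matches(line):
    """Apply FAILREGEX as fail2ban would; return the matched IP or None."""
    m = re.match(FAILREGEX.replace("<HOST>", HOST_RE), line)
    return m.group("host") if m else None


def scan_sources(lines, maxretry=1):
    """Count scan hits per source IP; return (counts, IPs at or above maxretry)."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is not None and is_scan(entry):
            hits[entry["host"]] += 1
    flagged = {ip for ip, n in hits.items() if n >= maxretry}
    return hits, flagged


# Nathan's three log lines verbatim, plus one constructed benign request.
SAMPLE_LINES = [
    'default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"',
    'default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"',
    '87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"',
    '192.0.2.10 - - [30/Dec/2008:14:05:00 -0600] "GET /roundcube/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',  # constructed
]

if __name__ == "__main__":
    counts, flagged = scan_sources(SAMPLE_LINES)
    print("hits per IP:", dict(counts))
    print("flagged:", sorted(flagged))
    for line in SAMPLE_LINES:
        print("failregex host:", failregex_matches(line))
```

The first of Nathan's lines has no request path at all ("GET HTTP/1.1 HTTP/1.1", answered with a 400), so a rule keyed only on /bin/msgimport would miss it; matching on the User-Agent catches both probes from 87.233.139.98. Expanding <HOST> to an IPv4 pattern rather than a generic \S+ is what keeps the optional vhost token from being mistaken for the client address on the third line.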
MS08-067 Worm on the Loose
Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067.
It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup.
The general form of the URL that it generates is http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d (with %d standing for a numeric value), so you could configure proxy servers or IDS sensors to look for "/search?q=%d" to find systems on your network that may have been compromised by this worm.
David Goldsmith
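The URL pattern above is simple enough to check directly on proxy logs. The following is an added example, not from the diary or from Symantec, that parses a constructed proxy log (assumed layout: time, client IP, method, URL, status; adjust the split for a real proxy format) and reports clients that fetched a /search?q= URL whose q value is purely numeric, as the %d in the writeup's pattern implies. Restricting q to digits is what keeps ordinary search-engine queries such as /search?q=leap+second out of the report. The domains in the sample lines are placeholders under .invalid, not domains the worm actually used.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path and query shape from the Symantec writeup as quoted in the diary:
# http://<generated domain>.<tld>/search?q=%d
WORM_PATH = "/search"
NUMERIC_Q = re.compile(r"^\d+$")


def looks_like_downadup_fetch(url):
    """True for http://<host>/search?q=<digits> and nothing else."""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.path != WORM_PATH:
        return False
    q_values = parse_qs(parts.query).get("q", [])
    return len(q_values) == 1 and NUMERIC_Q.match(q_values[0]) is not None


def suspect_clients(lines):
    """Map each client IP that matched the pattern to the hosts it contacted."""
    suspects = {}
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # not in the assumed "time client method url status" layout
        _time, client, _method, url, _status = fields
        if looks_like_downadup_fetch(url):
            suspects.setdefault(client, []).append(urlsplit(url).hostname)
    return suspects


# Constructed proxy log lines (placeholder hosts; nothing here is real traffic).
PROXY_LINES = [
    "2009-01-02T10:00:01Z 10.0.0.5 GET http://www.google.com/search?q=leap+second 200",
    "2009-01-02T10:00:07Z 10.0.0.9 GET http://placeholder-one.invalid/search?q=48213 404",
    "2009-01-02T10:00:08Z 10.0.0.9 GET http://placeholder-two.invalid/search?q=7 404",
    "2009-01-02T10:01:15Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2009-01-02T10:02:30Z 10.0.0.7 GET https://placeholder-three.invalid/search?q=99 200",
]

if __name__ == "__main__":
    for client, hosts in suspect_clients(PROXY_LINES).items():
        print(client, "->", ", ".join(hosts))
```

A 404 on a generated domain is as interesting as a 200 here: the writeup says the worm only starts fetching after January 1, 2009, so early hits show the infection regardless of whether the domain resolves yet. Where the Symantec domain examples are available, adding them as a second, exact-match check tightens the report further.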
Thunderbird 2.0.0.19 Released
Mozilla released Thunderbird 2.0.0.19 today. The release notes are here. This release addresses a number of security issues, most of which were also in the Firefox browser fixes 3.0.5 and 2.0.0.19/2.0.0.20 earlier this month.
MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
MFSA 2008-61 - Information stealing via loadBindingDocument
MFSA 2008-64 - XMLHttpRequest 302 response disclosure
MFSA 2008-65 - Cross-domain data theft via script redirect error message
MFSA 2008-66 - Errors parsing URLs with leading whitespace and control characters
MFSA 2008-67 - Escaped null characters ignored by CSS parser
MFSA 2008-68 - XSS and JavaScript privilege escalation