October Patch Tuesday Preview (CVE-2013-3893 patch coming!)
So far, we got pre-announcements from Microsoft and Adobe.
Microsoft promises 8 bulletins, split evenly between critical and important. The critical bulletins affect Windows, Internet Explorer and the .Net framework, while the important bulletins affect Office and Silverlight.
So this sounds like an average, very client heavy patch Tuesday. On the server end, only Sharepoint server (again) and Office Server are affected.
Important: The cumulative IE update will include a patch for CVE-2013-3893, the currently unpatched but actively exploited vulnerability in Internet Explorer. This bulletin should be applied as soon as possible once released.
For details, see http://technet.microsoft.com/en-us/security/bulletin/ms13-oct
Adobe pre-announced only one patch for Acrobat and PDF Reader. For details see http://blogs.adobe.com/psirt/2013/10/prenotification-upcoming-security-updates-for-adobe-reader-and-acrobat-apsb13-25.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
CSAM: Web Honeypot Logs
Today's logs come from a honeypot. The fun part about honeypots is that you don't have to worry about filtering out "normal" logs. Usually I check the honeypot for anything new and interesting first, then look on my real web server to figure out if I see similar attacks. In the real web server, these attacks would otherwise drown in the noise.
SSL Connection to a web server not supporting SSL
Invalid method in request \x80w\x01\x03\x01
The first few bytes of the request are interpreted as the method of the request. If SSL is used by the client, but the server "doesn't get it", then the server will just log the first few bytes of the SSL message. In this case, this was \x80w\x01\x03\x01
Odd URLs
File does not exist: /var/www/HNAP1
Frequently you will find attack scripts that try to "hunt" for a particular vulnerability, whether or not you even have the application installed. This is in part the motivation behind our 404 project. Above, the attacker looked for "HNAP1", which appears to be vulnerable in some routers (see http://www.cathaycenturies.com/blog/?p=643 for more details about this particular vulnerability).
Odd User Agents
Mozilla/3.0 (compatible; Indy Library)
Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij
The first one, "Indy Library", is a standard library used in many web attack tools. The second one is the old favorite nmap, and the last one is Havij, a script kiddie SQL injection tool (not seeing it as much as I used to). In pretty much all cases it is easy to change the user agent, but most attackers don't bother to.
Sometimes the user agent string itself is the attack, like in this log:
"GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>" "-"
The attacker may hope that the user agent is echoed back to the administrator as part of an admin interface.
Standard SQL Injection Strings
GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536--
GET /diary.php?storyid=1480%27
GET /diary.php?storyid=1480+and+1%3D1
Many SQL injection attack tools use similar techniques. The examples above are from Havij. Typically the attacker will try to insert single quotes (%27) or try to issue UNION requests with random parameters to be able to identify any data that may come back. For the UNION requests, you will see the attack starting with one column and working its way up as the attacker attempts to figure out how many columns your query returns.
Cross Site Scripting
Here is a typical XSS attempt:
GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0"
Not much obfuscation here. Just a pretty plain XSS attempt.
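As an added example (not part of the original diary), here is a small Python triage script that applies the observations above to Apache combined-format log lines: it flags a non-HTTP "method" as a TLS hello on a plaintext port, HNAP1 probes, single-quote and UNION-based SQL injection (counting UNION columns so the column-discovery walk is visible), script tags in the URL or User-Agent, and the tool user agents named in the diary. The sample log lines are constructed, modelled on the requests quoted above; the IP addresses and timestamps are made up.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" log format. Quoted fields may contain backslash escapes
# (Apache writes \" and \xNN), so the pattern allows \\. inside them.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>(?:[^"\\]|\\.)*)" '
                     r'\d{3} \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"')
TOOL_AGENTS = ("Indy Library", "Nmap Scripting Engine", "Havij")
SQLI_RE = re.compile(r"(?i)union\s+(?:all\s+)?select\s+(?P<cols>[^-#]*)|\band\s+1\s*=\s*1|'")
XSS_RE = re.compile(r"(?i)<script")

# Constructed sample lines modelled on the requests quoted in the diary (not real honeypot data).
SAMPLE_LOG = r'''
203.0.113.5 - - [03/Oct/2013:10:00:01 +0000] "\x80w\x01\x03\x01" 400 0 "-" "-"
203.0.113.6 - - [03/Oct/2013:10:00:02 +0000] "GET /HNAP1/ HTTP/1.1" 404 210 "-" "Mozilla/3.0 (compatible; Indy Library)"
203.0.113.7 - - [03/Oct/2013:10:00:03 +0000] "GET /diary.php?storyid=1480%27 HTTP/1.1" 500 0 "-" "Havij"
203.0.113.7 - - [03/Oct/2013:10:00:04 +0000] "GET /diary.php?storyid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 200 5162 "-" "Havij"
203.0.113.7 - - [03/Oct/2013:10:00:05 +0000] "GET /diary.php?storyid=999999.9+union+all+select+1,2-- HTTP/1.1" 200 5162 "-" "Havij"
203.0.113.8 - - [03/Oct/2013:10:00:06 +0000] "GET /rssfeed.xml HTTP/1.1" 200 5162 "-" "><script>alert('XSSUserAgent')</script>"
203.0.113.9 - - [03/Oct/2013:10:00:07 +0000] "GET /diary.html?storyid=\"><script>alert(13377331)</script> HTTP/1.0" 200 12 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
203.0.113.10 - - [03/Oct/2013:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
'''

def analyze_line(line):
    """Return the suspicious traits found in one combined-format log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    req, ua, tags, path = m.group("req"), m.group("ua"), [], ""
    parts = req.split(" ")
    if len(parts) < 2 or not re.fullmatch(r"[A-Z]{3,10}", parts[0]):
        # Not an HTTP method: an SSLv2-style hello starts with \x80 and a TLS
        # record with \x16\x03, i.e. a client spoke TLS to a plaintext port.
        tags.append("tls-on-plain-http" if req.startswith(("\\x80", "\\x16\\x03")) else "invalid-method")
    else:
        path = unquote_plus(parts[1])  # %27 -> ' and + -> space, as the application would see it
    if "/HNAP1" in path:
        tags.append("vuln-hunt:HNAP1")
    sqli = SQLI_RE.search(path)
    if sqli and sqli.group("cols") is not None:
        # Count UNION SELECT columns so the attacker's column-discovery walk is visible.
        tags.append("sqli:union-cols=%d" % len([c for c in sqli.group("cols").split(",") if c.strip()]))
    elif sqli:
        tags.append("sqli")
    if XSS_RE.search(path):
        tags.append("xss:url")
    if XSS_RE.search(ua):
        tags.append("xss:user-agent")
    return tags + ["tool-ua:" + t for t in TOOL_AGENTS if t in ua]

def analyze_log(text):
    """(client ip, tags) for every line that triggered at least one tag; clean lines are dropped."""
    rows = [(l.split(" ", 1)[0], analyze_line(l)) for l in text.strip().splitlines()]
    return [r for r in rows if r[1]]
```

Running `analyze_log(SAMPLE_LOG)` drops the clean /index.html request and tags the rest, which on a busy production server is the filtering step the honeypot otherwise spares you.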
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Comments
Dec 26th 2022
9 months ago
distribute malware. Even if the URL listed on the ad shows a legitimate website, subsequent ad traffic can easily lead to a fake page. Different types of malware are distributed in this manner. I've seen IcedID (Bokbot), Gozi/ISFB, and various information stealers distributed through fake software websites that were provided through Google ad traffic. I submitted malicious files from this example to VirusTotal and found a low rate of detection, with some files not showing as malware at all. Additionally, domains associated with this infection frequently change. That might make it hard to detect.