Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: InfoSec Handlers Diary Blog



VMWare updates

Published: 2014-06-25
Last Updated: 2014-06-25 04:37:11 UTC
by Mark Hofman (Version: 1)
0 comment(s)

A new update has been released: http://www.vmware.com/security/advisories/VMSA-2014-0007.html. It addresses some Struts issues.

http://www.vmware.com/security/advisories/VMSA-2014-0006.html has also been updated (this was the OpenSSL update).  

M


Do you have some DNS requests/replies you could share?

Published: 2014-06-25
Last Updated: 2014-06-25 02:03:20 UTC
by Mark Hofman (Version: 1)
2 comment(s)

Looking at DNS traffic, it looks like it has been a busy month, but traffic seems to have dropped off.


Port 53 as a target has dropped off, and during June there was an increase in traffic with a source port of 53, something that we've seen on various IDS. We see one of two types of packets. The first is a request for ANY for a particular domain with the packet size set to 65535 and a spoofed source IP (i.e. the target). So that accounts for the traffic to port 53.

The second type of request we see is from port 53, typically with random source ports and typically to a number of servers in the target network. Often the only thing that changes is the query ID. So these are likely attempts to poison the cache.

The third type we see are DNS requests to check for open resolvers, and a final type of query we see a lot of is DNS queries with HTTP elements in the traffic.

There are a few things I'm interested in. What caused the drop-off for port 53 as the target? What DNS queries are you seeing targeting your environment? And if you can share, I'd be interested in the actual request itself.

Regards

Mark H
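
As an added example (not part of the original diary and not ISC's code), the classifier below labels UDP payloads seen on port 53 with three of the traffic types described above: ANY queries, responses arriving from source port 53, and HTTP text sent to DNS. It assumes "packet size set to 65535" refers to the EDNS0 advertised UDP payload size; the function names, labels and sample packets are constructed for illustration.

```python
import struct

QTYPE_ANY, RRTYPE_OPT = 255, 41
HTTP_PREFIXES = (b"GET ", b"POST ", b"HEAD ", b"HTTP/")

def skip_name(buf, off):
    """Offset just past a DNS name (labels, or a 2-byte compression pointer)."""
    while buf[off] != 0:
        if buf[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + buf[off]
    return off + 1

def classify(sport, dport, payload):
    """Label one UDP payload with the traffic types described in the diary."""
    if payload.startswith(HTTP_PREFIXES):
        return "http-in-dns"
    try:
        _qid, flags, qd, an, ns, ar = struct.unpack_from("!6H", payload)
        off = skip_name(payload, 12)
        qtype, _qclass = struct.unpack_from("!2H", payload, off)
        off, edns_size = off + 4, None
        for _ in range(ar if (qd, an, ns) == (1, 0, 0) else 0):
            off = skip_name(payload, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!2HIH", payload, off)
            if rtype == RRTYPE_OPT:
                edns_size = rclass  # OPT reuses CLASS as the advertised UDP size
            off += 10 + rdlen
    except (struct.error, IndexError):
        return "malformed"
    if flags & 0x8000 and sport == 53:
        return "response-from-53"  # QR bit set: compare against queries you sent
    if dport == 53 and qtype == QTYPE_ANY:
        return "any-edns-65535" if edns_size == 65535 else "any-query"
    return "other"

def sample(qid, flags, name, qtype, edns=None):
    """Build a constructed DNS message for the demo (not captured traffic)."""
    qname = b"".join(bytes([len(p)]) + p for p in name.split(b".")) + b"\x00"
    opt = b"\x00" + struct.pack("!2HIH", RRTYPE_OPT, edns, 0, 0) if edns else b""
    head = struct.pack("!6H", qid, flags, 1, 0, 0, 1 if edns else 0)
    return head + qname + struct.pack("!2H", qtype, 1) + opt

SAMPLES = [  # (source port, destination port, UDP payload), all constructed
    (40000, 53, sample(1, 0x0100, b"example.com", QTYPE_ANY, edns=65535)),
    (53, 33333, sample(2, 0x8180, b"example.com", 1)),
    (40001, 53, b"GET / HTTP/1.0\r\n\r\n"),
    (40002, 53, b"\x00\x01"),
]
LABELS = [classify(*p) for p in SAMPLES]
```

A "response-from-53" label only becomes a cache-poisoning indicator when the sensor finds no matching outstanding query, or sees many responses for the same name that differ only in query ID.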

ISC StormCast for Wednesday, June 25th 2014 http://isc.sans.edu/podcastdetail.html?id=4037

Spam, talk about false advertising

Published: 2014-06-25
Last Updated: 2014-06-25 01:38:00 UTC
by Mark Hofman (Version: 1)
1 comment(s)

SPAM SPAM SPAM, it never fails to entertain.

Like most of you, I get my fair share of SPAM, and like a number of you, I will happily click links (not a recommendation) and follow the little yellow brick road to whatever malware or "sales" opportunity presents itself. This one was just a bit more random than others I've received lately.


A quote for a home security system. Great, I need one of those; the dog is just not interested in chasing away strangers that walk up to the house. Following the link, I end up on the following page, after a redirect from the libbean page.

OK, not quite the home security system I was hoping for, but I like a game as much as the next guy. Unfortunately, hitting the "download for free" button, I didn't get the promised flappy birds, but ended up here instead.

 

Now I don't know if Vox software is just a random landing or the SPAM run was commissioned. If the latter, there are organisations that have no problem with using SPAM for "legitimate" advertising, or they are just not aware. Not quite sure which is worse.

So every now and then SPAM does have some entertainment value, at least to me. I didn't get the home security system I was promised though, nor a fun game to play. Ah well.

Cheers

Mark H
