Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: A slew (well, a couple) of new vulns, more on weird DNS traffic and a mystery app - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A slew (well, a couple) of new vulns, more on weird DNS traffic and a mystery app
It looks like the 53/TCP packets being seen are 3DNS probes. Thanks to Frank Knobbe for the pointer. Here are some rules from Bleeding Snort that may be used to ignore these packets:

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 1"; flags:S,12; dsize:24; window:2048; id:1; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001609; rev:2;)

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 2"; flags:S,12; dsize:24; window:2048; id:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001610; rev:2;)

pass tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"F5 BIG-IP 3DNS TCP Probe 3"; flags:S,12; dsize:24; window:2048; id:3; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:misc-activity; sid:2001611; rev:2;)

There have been a couple of new vulnerabilities announced today that are worth noting-

Linux Kernel 2.6.10 / 2.4.28 Local Privilege Elevation Exploit from K-OTiK

http://www.k-otik.com/exploits/20050107.elflbl.c.php

Mozilla / Mozilla Firefox Download Dialog Source Spoofing

http://secunia.com/secunia_research/2004-15/advisory/

Secunia announced PoC for arbitrary command execution with IE+SP2:

http://secunia.com/internet_explorer_command_execution_vulnerability_test/
Analysis of the WINS worm

Steve Friedl has posted this work-in-progress of reverse engineering the WINS Trojan Horse
http://www.unixwiz.net/research/winser-a.html
We've gotten lots more reports flowing in of false positives from the MS anti-spyware tool.
Please report them to Microsoft so they can fix it. There is one that is worth mentioning-

An anonymous donor points out

"If you manually add domains to MSIE's "Restricted Zone" list or "Always Block" cookies list, then beware that Microsoft's new AntiSpyware Beta may flag these as either "High" or "Elevated" security risks, with the default action of "Remove". Don't be fooled.

For increased security, I highly recommend keeping these sites listed. Thus, change the default action of "Remove" to "Always Ignore" for these entries."
Finally, we had a query about an odd executable being found in the registry of a Windows 2003 system-

Multiple Windows 2003 systems on the same subnet have the following registry key:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) REG_SZ meeneemee.exe

A clean system would have:
(Default) REG_SZ "%1" %*

Every search engine I tried came back with nothing. If you have seen this or know about it, please let us know.
Toby

68 Posts

Sign Up for Free or Log In to start participating in the conversation!