
SANS ISC: IE URL Bug; Phishing Attacks; Port 6129 Remains High; Proper Incident Response SANS ISC InfoSec Forums

IE URL Bug

Microsoft has not yet released an official patch for the recently released IE URL bug [1]. However, Microsoft has published an article on steps you can take to identify, and protect yourself from, spoofed websites and malicious hyperlinks, including how to identify the URL of the current web page:
http://support.microsoft.com/?id=833786

Phishing Attacks

There is an increasing trend in phishing attacks in which an attacker sets up a website with malicious hyperlinks (exploiting the IE URL bug), lures people to the malicious website (a common technique is email that appears to come from a trusted source) and tricks them into revealing personal information such as credit card numbers, PINs and passwords. A recent example is the Earthlink case (http://isc.sans.org/diary.html?date=2003-12-21).

There is a good website that archives some of the known phishing attacks:
http://www.antiphishing.org/phishing_archive.htm
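
A check that a mail or proxy filter could run over the hyperlinks in a message, added here as an example and not part of the original diary entry. It assumes the spoofing shows up as a userinfo part or an encoded control character before the '@' in a link, or as link text naming a different host than the link target; check_link, audit_html, LinkAudit and the SAMPLE body are hypothetical names and constructed data.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# CTRL: encoded control byte (%00-%1F, %7F). HOSTLIKE: link text that starts with a host name.
CTRL = re.compile(r"%(?:[01][0-9a-f]|7f)", re.I)
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
# Constructed sample body: reserved .example names and a documentation IP address.
SAMPLE = ('<a href="http://www.bank.example%01@203.0.113.5/login">www.bank.example</a>'
          ' or <a href="http://www.bank.example/help">help</a>')

def check_link(href, text=""):
    """Return the reasons a hyperlink looks spoofed (empty list if none)."""
    href, reasons = href.strip(), []
    parts = urlsplit(href)
    if parts.scheme not in ("http", "https"):
        return reasons
    netloc, host = parts.netloc, (parts.hostname or "").lower()
    if "@" in netloc:  # everything before '@' is userinfo, not the host
        reasons.append("userinfo before '@'; real host is " + host)
    if CTRL.search(netloc) or any(ord(c) < 32 for c in href):
        reasons.append("control character in link")
    shown = HOSTLIKE.match(text.strip())
    if shown and shown.group(1).lower() != host:  # exact comparison, no alias handling
        reasons.append("link text shows " + shown.group(1).lower())
    return reasons

class LinkAudit(HTMLParser):
    """Collect (href, visible text, reasons) for each flagged <a> element."""
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            reasons = check_link(self._href, text)
            if reasons:
                self.findings.append((self._href, text, reasons))
            self._href = None

def audit_html(body):
    parser = LinkAudit()
    parser.feed(body)
    return parser.findings
```

audit_html(SAMPLE) reports only the first link, with all three reasons; the second link, whose target and text agree, passes.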

Port 6129 Remains High

Since 20 Dec 03, we have seen a spike in port 6129 activity (http://isc.sans.org/diary.html?date=2003-12-21). Scanning of port 6129 remains high. This could be due to the recent DameWare exploit.

http://isc.incidents.org/port_details.html?port=6129

Proper Incident Response

During this festive season, it is common for hackers to take the opportunity to break into systems. Should your systems unfortunately be compromised, proper incident response should be followed.

The following links will provide useful tips on proper incident handling/response.

http://www.fedcirc.gov/incidentResponse/index.html

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

http://www.sans.org/rr/catindex.php?cat_id=27

http://www.cert.org/tech_tips/

https://store.sans.org/store_item.php?item=62


[References]:

1. http://www.zapthedingbat.com/security/ex01/vun1.htm

2. http://support.microsoft.com/?id=833786

3. http://www.microsoft.com/security/incident/spoof.asp

4. http://www.antiphishing.org/phishing_archive.htm

5. http://xforce.iss.net/xforce/alerts/id/159

6. http://isc.sans.org/diary.html?date=2003-12-21

7. http://www.fedcirc.gov/incidentResponse/index.html

8. http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

9. http://www.sans.org/rr/catindex.php?cat_id=27

10. http://www.cert.org/tech_tips/

11. https://store.sans.org/store_item.php?item=62

Kevin
