Domain: incidents.org
Stories and comments across the archive that link to incidents.org.
Comments · 74
-
Re:I would probably do the same thing
I DID do the same thing, just last week. Try this: go to https://isc.incidents.org/port.html?port=54988 with Firefox. You will get the following message: isc.incidents.org uses an invalid security certificate. The certificate is only valid for the following names: *.sans.org, sans.org (Error code: ssl_error_bad_cert_domain) Now, we ALL know that isc.org is operated by SANS, so why don't they fix their certificate? -
Re:APEWS/SPEWS
I'm assuming you are part of APEWS since you pretty much recited verbatim what's in their rather useless FAQ? While they may run spamtraps, it has already been proven by SANS that they DO COLLECT DATA from other sources and use that to construct their blocklists. I would go read the SANS diary post. You can not defend them by claiming they use only spam traps when it has been proven they do not. If (and that's a big if) someone on an MCI data circuit (or any host for that matter) was the problem, there is nothing stopping APEWS from listing only the IP block registered to the offender, as that info is readily available from ARIN. To list the entire MCI block, comprised of thousands of companies, is beyond stupid. As SANS pointed out, they are also listing the entire AT&T network. They took a /32 listings SANS had at http://isc.incidents.org/ipsascii.html and rolled it up to /17s. You think blocking 32,000 hosts in response to a single IP address being listed somewhere else is helping anything? MCI is not the problem, as you say. APEWS and people who rely on it are the problem. The list is not the least bit accurate and whoever runs it doesn't seem to want to take responsibility for their bad practices. It's garbage, period. -
Pecking order
Firstly, you check with your local IT department.
If no IT, check with SANS mailing list or cve.mitre.org for general characteristics
If you were leet enough to run an IPS/in-line SNORT, check your PCAP trace against the SNORT signatures.
If you got debugging skills, break the code down
If you done em all, contact the incident handlers over at http://isc.incidents.org/ with your 15-page dissertation.
Once done, your hat has gotten whiter. -
Re:Indeed, AC
That's why there are documents like this:
Windows XP: Surviving the First Day:
http://isc.incidents.org/presentations/xpsurvivalguide.pdf
Unfortunately, with the defaults and negligible documentation that come with a typical "home" XP system, most users will get onto the Internet and get infected by various malware long before they even get their first set of patches/updates downloaded and installed. -
MULTIPLE CRITICAL OSX VULNS
This has not been accepted as a story, and is of critical importance to OSX users. From SANS' incidents.org page:
Reports of multiple OS X vulnerabilities with PoC (NEW)
Published: 2006-04-21,
Last Updated: 2006-04-21 19:46:40 UTC by Adrien de Beaupre (Version: 1)
Multiple vulnerabilities have been reported in Apple Mac OS X and applications. Proof of Concept code has already been posted along with the information regarding the vulnerabilities. At this time no patches or workarounds appear to be available for the majority of the vulnerabilities. The impact is Denial of Service or arbitrary code executed remotely, and severity is highly critical.
Links to advisories:
Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow
http://www.security-protocols.com/sp-x24-advisory.php
Apple OS X BOM ArchiveHelper .zip Heap Overflow
http://www.security-protocols.com/sp-x25-advisory.php
Apple OS X Safari 2.0.3 Multiple Vulnerabilities
http://www.security-protocols.com/sp-x26-advisory.php
Apple OS X 10.4.6 "ReadBMP ()" .bmp Heap Overflow
http://www.security-protocols.com/sp-x27-advisory.php
Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow
http://www.security-protocols.com/sp-x28-advisory.php
Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS
http://www.security-protocols.com/sp-x29-advisory.php
Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow
http://www.security-protocols.com/sp-x30-advisory.php
Mod this up as a public service. -
Problem?
This was patched over a week ago, http://www.incidents.org/diary.php?date=2006-01-31 (bottom).
The time from exploit to patch was very fast.
Better than the length it takes other software developers to release a patch..
http://www.eeye.com/html/research/upcoming/index.html -
SANS Community
The SANS community broke this news yesterday on the DShield listserv... Check out Incidents.org for the current news concerning it. As well as the ongoing investigation.
-
SANS aren't taking this very seriously
http://isc.incidents.org/diary.php?date=2004-08-24
The ISC would like to go out on a limb and predict that the Internet will not vaporize into a cloud of nothingness this Thursday, but if it does, it's been our pleasure to help stave off its inevitable annihilation this long.
See also this VMyths posting to the Full Disclosure mailing list
-
Re:Post IPs!
Welcome to the wonderful world of SSH brute-forcing.
I get several of these a week.
Please read the following ISC diary for more info:
http://www.incidents.org/diary.php?date=2004-07-28
(Under the header "More ssh password brute forcing")
On a more serious note that is really irritating the hell out of me right now, what is wrong with RoadRunner's abuse department? I sent an IRCd log that clearly shows someone attempting to circumvent a k:line by using open proxies (which is against their TOS-- circumvention of network security) and the response they send me back is that they "don't monitor traffic" and "you should consider using one of the many available commercial products to restrict access to the Internet from or to your computer". Like they didn't even read the damn letter I sent. -
Re:A possible new (harmless?) ssh attack
There was something posted on the ISC a while back about this. I've been noticing similar attempts on a few of my systems with the same pattern.
http://isc.incidents.org/diary.php?date=2004-07-28 -
Re:Great job
Yeah, this is exactly what we want to do to virus writers - give them recognition and a "ranking". Jesus Christ on a pogo stick. It's bad enough that they feel the need to "compete" against other virus writers for some internet version of "street cred" but now we're fucking ranking them? How long until people start writing viruses just to "get points" on some chart somewhere? Christ, you people have no logic whatsoever. Oh give me a break. I guess it's better to suppress the fact that one man may be responsible for 70% of virus traffic. We'll all be better off, because people will stop writing viruses right? As you inanely already mentioned they already are competing amongst themselves for street cred. And to answer your question, yes we are ranking them but it's not like we're "now fucking ranking them" we have been for a long time. It's called the Internet Storm Center. You really should find something else to rant about.
-
Re:Coming events
Why do you say "security holes" as if they are not real? I guess these guys and many others are making them up? Oh, and no, I do not have that email since it was not a real email, but a "feedback" form on their site. Basically just send a bunch of links to some of the IE security holes and ask them why in the world they would force you to use such an insecure browser. Then send a link to Mozilla/Firefox and ask them to please just make sure that their site is standards compliant so you can use the browser of your choice on the OS of your choice.
-
How to tell and Fixes
According to M$, if you've applied the update, then you're OK.
The Internet Storm Centre has good information about what will be on your box if you're already infected. One reader (thanks, Ben!) submitted a list of files found on his compromised IIS server. The files he sent us included: Code snippits.doc iis6xx.dll (multiple copies, where xx varies) iis7yy.dll (multiple copies, where yy varies) Download_Ject_Symantec.doc ipaddress.txt issue.csv ads.vbs agent.exe ftpcmd.txt security_log.rtf
I think they're in \winnt\system32\inetsrv
Sorry about the duped links but more fixes, less FUD please. Yes, evil empire blah blah blah, but how about we tell people how to fix the problem instead? -
Already slashdotted?
From isc.incidents.org:
"The ISC site gets slashdotted
"If you are encountering intermittent problems connecting to our site, it is because we got slashdotted. These connectivity problems are not directly related to the Akamai outage, but are the result of a large number of visitors accessing our site today. Thanks for being patient while waiting for the ISC site to load. [emphasis added]"
Not directly related to the Akamai outage? And they think why on Earth have we bloody slashdotted them in the first place if not because of the very Akamai outage and their coverage thereof?! This is related as directly as it gets:
- Akamai goes down
- ISC covers it
- ???
- We slashdot them with our unimaginable beowulf cluster of browsers like there was no tomorrow in Soviet Russia et cetera
Don't they know Slashdot?! Kids...
-
Since everything else is down...
we might as well crash isc.incidents.org
-
Impressive
This is a very ambitious and laudable project. I remember reading about it a year ago or so, but it looks like it's matured a lot since then.
Since we now get to combat multi-headed worms, it's fitting that we now have a multi-headed IDS to work with. -
Re:Port 2000
well get a capture & send to SANS
-
MORE INFO ON VULN
The UK National Infrastructure Security Co-Ordination Centre (NISCC) released a vulnerability advisory today on issues in the TCP protocol. Aka More info on vuln...
Looks like MD5 Can save your router... -
Snort Detection
Installed a snort rule this morning using:
# sid added so the rule loads cleanly; any number in the local range (1000000+) will do
alert udp any 4000:5000 -> any any (msg:"Witty Initial Traffic"; content:"|29 20 20 20 20 20 20 69 6e 73 65 72 74 20 77 69 74 74 79 20 6d 65 73 73 61 67 65 20 68 65 72 65|"; sid:1000001; rev:1;)
Found via http://isc.incidents.org/diary.html?date=2004-03-20.
After running it for about 10 minutes and seeing 1,000's of matches, I decided it was better to delete the rule since it was logging to a MySQL database for fear of overloading the disk, and go back to bed. -
dshield and the number of infected systems
I questioned the 50,000 to 75,000 number as it seemed totally bogus and unrelated to the number of source IPs I'm seeing scanning my two class Cs. How can I see 10-15 different source IPs every 5-10 minutes if only 50,000 computers are infected worldwide?
ISC and dshield are showing the number of sources scanning port 3127 building up at an alarming rate. The number of sources seems to be increasing by about 2000 every 10 minutes, which is much more in line with the number of sources I'm seeing scanning my backwater. -
Re:Sounds like a non-story
Not flaming here, but you may be comparing apples to oranges. You are complaining that /. reports every active Microsoft worm while it is out there, actively infecting multiple computers, but does not report every vulnerability affecting Linux machines. Slashdot doesn't tend to report new vulnerabilities affecting Windows, unless it comes as something spectacular, such as 6 high risk holes announced at once.
If you're reading security sites, then you're "doing it right", and that's what you need to focus on. You. I run Jay's IPTables Firewall. I occasionally check LinuxSecurity, but instead I usually visit their Packetstorm mirror and try out some of the latest exploits against my various machines just to see if I'm vulnerable. I also check CERT weekly, NIPC's Cybernotes biweekly, D-Shield and Incidents.org biweekly, and update Nessus and check my firewall biweekly. I don't have any open ports, so I rarely check for updated Snort rules. I do check my MRTG reports about once a day to see if an inordinately high amount of traffic is flowing through my firewall. There's so much that everyone should do all the time, that there's hardly enough time to complain about how much focus a web site places on reporting one OS'es actively exploited holes vs another OS'es potential vulnerabilities. In the time to read this, you could have been reviewing the Top 75 security tools and seeing where they fit in your environment, even if your environment is your house. -
A working link to PDF
-
Re: Forged From: viruses
Until recently, no e-mail worms spoofed the email address
What is your definition of "recently"? Apparently it's about two years.
- Klez.E was first sighted in January 2002
- Some Nimda variants did it in September 2001
-
Amazing Increase in Scans
The level of increase in the amount of scanning this thing is producing is amazing. According to the ISC Storm Center, this thing is now accounting for almost 80% of all inbound reports.
At the non-profit where I work we saw just five scans in the firewall logs from Sunday. Today's logs show well over 500 scans in a five hour period. While a larger site admin may think this is a trivial amount, the only comparable level of activity we've had that was similar in the past was Code Red related.
-
Corporate Manipulation
Admittedly, I have only perused the draft, but it does appear to be another attempt to prevent large companies from being "outed" when they choose to release software that is not ready or is poorly designed. Bugtraq, the Internet Storm Center and the Insecure.org Mailing List Archive do a fine job of lighting a fire under the responsible buttocks when necessary.
I have yet to hear of a posting to one of these lists that could be considered responsible for actual "trouble".
I would assume that if someone were planning on taking advantage of a vulnerability, they would look for one that hasn't yet made it to these lists. -
Re:A really poor track record - to nobody's surpri
I'll grant Slammer was like that.
But the second WebDAV exploit was not patchable before it was out in the open. Heck, it's only been out a few DAYS!
The new JScript bug is even newer than that.
Both these bugs are currently listed on the Internet Storm Center as pressing issues.
(-pi, Circular) -
Re:Symantec's hint
This worm has been on the radar for over a week now. The Internet Storm Center noticed a dramatic increase in port 445 traffic, and the fit really hit the shan on Saturday/Sunday (depending on where you live). Someone finally managed to get a specimen of this thing analyzed, and it's by far the biggest thing since Slammer.
Consider how little it's actually spread - we should be happy Windows is no longer vulnerable to the single-character-password flaw. Now, if only we could explain to Microsoft that it should be very, VERY difficult for the home user to share their filesystem over tcp/ip (read: world-readable), we might be able to stop these annoying little buggers. Well, at least for a few weeks :) -
Users pick bad passwords, sigh
It is unfortunate that users often pick weak passwords. One of the student Win2K servers we run at our university got hacked because a remote attacker guessed a local password (=$username). However, we did learn one thing from the experience - we (or rather, I) firewalled our LAN from the internet behind a linux box. It could have been a BSD box, or a Linksys router -- who cares. This is kind of OT anyway.
I firmly believe that the more heterogeneous we keep the mix of systems running on the internet, the more resilient the internet will be to any type of attack. It's like an ecological system in which different beasts catch different bugs -- but hardly ever do they all catch the same bug in the same way, at the same time. Now isn't that smart? I really think the United States and other concerned countries should invest in encouraging diversity of computer systems in order to reduce general vulnerability to a 'cyberterrorism' or whatever attacks.
In either case, to see how our Internet is currently faring check out the Internet Storm Center. Increased probes from this worm were immediately visible on the site. Also worth a read is McAfee's details on this worm. -
White House blames terrorists for snow
In other news, several terrorist cells are suspected of being responsible for the snowstorms that have crippled the eastern US over the last few weeks.
A high-ranking White House official with a predisposition for overreacting and fascist rulemaking has blamed the ready availability of instructions for snow-guns on the internet, and has asked that so-called weathermen stop presenting contradictory explanations for these terrorist incidents. The same official also insisted that anyone that discounts his theory is practicing poor science and harming the US's ability to combat terrorism wherever he sees it.
Factions such as the Weather Underground and the Internet Storm Center are high on his list of targeted terrorist groups.
-
So how come...
Despite the BBC having a story on this (the first place I learned of it: I had a looong lie-in this morning, er, afternoon) that incidents.org which collates scanning activity worldwide has "status: green" showing with a small note that "some scanning by new SQL Server worm causing some slowdowns" - not exactly apocalyptic, huh? And here in the UK (My ISP) everything looks fine. Slashdot's faster than usual if anything... sounds like a storm in a teacup to me.
-
Call me Capt. Conspiracy Theory...
Over at the InternetStormCenter they have been reporting a spike of port 53 traffic lately. I know port 53 is for DNS traffic but it doesn't *have* to be and virtually every firewall is going to let the traffic pass. Things that make you go Hmmmm.
-
cooperation: 'out-share' hackers
I like the part about cooperation. Hackers have done it for years successfully, while network administrators prefer to sit in their closets under tin-foil hats hoping to protect themselves with obscurity.
Systems to share already exist. Just check the "Internet Storm Center" and DShield for a place to exchange logs and ideas. -
worm code
The worm code can be found here as well. Nice side effect of the P2P component: Looks like it tends to DDOS itself by chatting to peers.
When will someone build a pr0n distribution system based on this worm? -
Incidents.org just released an advisory as well...
Seems a bit more detailed.
Here is the alert:
published: 2002-09-13
OpenSSL, the collection of libraries and programs used by many popular
programs, has had a number of security problems recently. It looks like
the problems are not over yet.
It has been discussed on several mailing lists, that aside from the
exploit known for openssl 0.9.6d, there are exploits available for
even the most recent version (0.9.6g).
As a precaution, we recommend to disable programs that use openssl as
much as possible. The exploits available so far focus on apache, which
is probably the most common exposed service that is using openssl.
As a precaution, we recommend disabling SSLv2, if you have to run an
Apache server with mod_ssl enabled. The magic configuration lines
are:
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL
One of the openssl apache exploits was found to install a DDOS agent
called 'bugtraq.c'. It uses port 2002 to communicate and can be used
to launch a variety of DDOS attacks. This program uses UDP packets on
port 2002 to communicate, not necessarily to attack.
- //cow
cow's go muu~ -
Wouldn't you know...
...that some academic could figure out a way to come right down in the middle, straddling the fence so hard that he impales himself right up his...
The more important point is one still pretty much undebatable by empirical evidence:
Closed-source, proprietary systems possess the means to hide their deficiencies for as long as possible.
If a cracker discovers a hole in closed-source software, and exploits that hole, the vendor (read: Micro$oft..) can easily ignore the issue until enough evidence accumulates in public forums that a problem *does* exist.
As a recent example of this, see the Handler's Diary entries about the recent M$ SQL vulnerabilities.
This vulnerability was confirmed by a group of dedicated security people who had nothing to go on but what they could see happening in packet traces, after noticing an odd increase in traffic on tcp:1433.
If they had had source code available, the process might have been much quicker...
t_t_b
-
Re:incorrect
First, how is the storm center new?! The site's been up for more than a year.
According to this survey of global and Asian internet-connected systems the US/Can have 181M systems online vs 33M in China.
Do the math: Current stats from the ISS say the ratio of systems is about the same as the ratio of attack traffic.
Attack traffic: CN=42291 / US=222907 = .1897
Connected sys's: CN=33M / US=181M = .1823
From following incidents.org and my own experience I'd say that .cn has a rep more because when you deal with an attack from Asia in general the problems of contacting the admins to notify / etc are much more difficult. My own experiences have been mixed. Contacting site owners in Asia has been more spotty than for US/EC sites, and in the event of something serious it's a lot more expensive to pick up the 'phone and call China to discuss a problem.
arin.net, ripe.net, apnic.net all work well for tracking down system owners, but the contact problems across continents remain.
-
Certification board? Push international coop?
While I do not support fining people who deploy sloppy software, or software with numerous security holes, I would like to see an interest-free software certification board formed strictly with security in mind. Such a board would not only certify software based on its code, but also the vendor's attitude towards security in general (designing security-friendly code, not feature-friendly code), and also its follow-up support (immediately addressing issues, releasing patches, etc.).
Another thing that would help GREATLY would be to push this up to an international level. We can do all we want to make the USA a happy-happy, joy-joy internet environment, but
it
don't
mean
jack.
The internet is GLOBAL, and as such the most effective solutions will be those developed at an international level. Push for a communications subcommittee in the UN to address international incidents. Apply pressure to foreign countries that are lax in cracking down on data security-related issues. France is currently one major target of complaints with the HUGE amount of scans that companies have seen from wanadoo.fr, yet neither the ISP nor the government seems concerned about it. Incidents.org has corroborated this traffic, and it is legit.
To summarize my comments: we need a way to globalize both data security issues and resolutions, as well as a certification board to offer a level of comfort to consumers that products won't be full of security holes. There are many other issues facing us out there, however I believe these two would be a HUGE step in the right direction and set the precedent for other issues to be addressed. -
This bug has been there for months
According to an article on incidents.org, this vulnerability was originally noticed back in April, but at the time was not believed to be exploitable. Scary thought huh? You can view the article here.
-
log analysis sites
DShield.org and SANS Incidents are a couple sites that come to mind.
-
Old news
Hey, I posted info about this more than a month ago... Here are the articles I linked to: Heise News Ticker and the posting at incidents.org in which Tom Liston first introduced his idea...
-
Re:RAM used after boot-up!?!?!?
here's your answer
Stupid fucking filters! -
Doh!
Heres what I was just about to submit:
LaBrea - The Tarpit: Keep your friends close, your enemies closer.
- -
With the recent proliferation in worms (Code Red, Sircam, Nimda, etc) beyond either switching to a more secure? webserver or keeping up to date with the patches for your own and hoping that others do the same, approaches to actively dealing with the problem have been limited. One can try to either contact the administrator[s] of the machines infected or take a slightly more risky proactive approach. 'LaBrea' - The Tarpit offers proof of concept? for an interesting open source approach.
Linux today, Wired and Linuxsecurity have covered this developing project, more information is available from Hackbusters here, here, here, here, here, or here.
- -
Im off to sulk. :) -
Re:There are currently 4 known means of propogatio
These executables are automatically executed if the recipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails...
...The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file...
Nowhere on the link you provided does it specify which versions of IE are affected. Indeed, I'm fairly certain that IE6 is *not* affected (or at least requires the user to respond to a dialog box before it will run .eml or .exe files). Moreover, I'm fairly sure that MS has patches for these vulnerabilities in IE5.
On the other hand, I believe that IE4 *is* vulnerable to at least the .eml bug. -
There are currently 4 known means of propagation
The best site to track this incident IMO (incidents.org) now has a pretty good picture of what's going on from a technical perspective.
A short summary:
The Nimda worm is now known to propagate four ways:
(1) An IIS vulnerability propagation mechanism where the worm attempts to exploit a large number of IIS vulnerabilities to gain control of a victim IIS server. Once in control, the worm uses tftp to fetch its code in a file called Admin.dll from the attacking server.
(2) Email propagation. The worm harvests email addresses from the address book and potentially the web browser history and sends itself to all addresses as an attachment called readme.exe. These executables are automatically executed if the recipient who opens (or previews) the email is running Internet Explorer 5 or 6. Note that the worm may spoof the source address on the emails.
(3) When a web server is infected, the worm replaces all web pages on the server with a binary encoded as a wav file, which can infect each client that connects to the server. The wav file is called readme.eml. Microsoft Internet Explorer 5.0 and higher will automatically execute the malicious file.
(4) The worm is network aware and propagates via open shares. It will propagate to shares that are accessible to username guest with no password.
See: www.incidents.org/react/nimda.php for the full details.
- YASP (Yet Another Security Professional) who is fighting this pretty heavily at work - nothing here infected, of course, but the traffic itself is threatening to become a pretty nice distributed DOS - our Internet Router (a decently-hefty CSCO 6500-series) is sitting at ~60% processor utilization. -
DoS.Storm Worm
-
Re:Worm Stats
http://incidents.org/
That should answer your question.
-
MS did just get a big boost...
Those 220,000 new webservers that were just counted this month...
Code Red was really MS's way of getting a boost in the server market. Stand up and be counted, IIS servers, 100 threads at a time...
-
Re:Stop blaming microsoft
The rest of us applied the patch supplied by Microsoft more than a month before CR came out...
And were still vulnerable until we disabled URL forwarding.
The Microsoft patch alone is not useful. You are still at risk. See Incidents home page
I'm so sick of people blaming Microsoft. They released a patch well before Code Red. Get over it.
Microsoft STILL hasn't released a patch that makes their webserver secure and allows URL forwarding. Their patch has its own security hole !!
Blame Microsoft, or simply use Internet server software that is secure. All mine is written by Dan Bernstein :) -
Because the patch doesn't block all infections
http://www.incidents.org/diary/august2001.php#801 courtesy of incidents.org