
SANS ISC InfoSec Handlers Diary Blog



Possibility for disaster?; Preparing for a storm

Published: 2005-07-03
Last Updated: 2005-07-03 20:20:08 UTC
by Swa Frantzen (Version: 1)
Late edition

Possibility for disaster?



At the Internet Storm Center, we sometimes see dark clouds gathering on the horizon. Sometimes it doesn't come to a real storm, sometimes it does. Unlike the real storm centers, we don't have mathematical models to help in our predictions just yet. The main problem is that it would mean we'd have to predict human nature.

This weekend we're seeing one of these possible storms. It's still too unsubstantial to actually call it a storm but the ingredients for the recipe of disaster might be present.

As a first ingredient we have the probing, and at least one worm/botnet on the loose, attacking unpatched phpBB installations. Probes we see on patched phpBB boards range from trying the highlight bug to trying to run "uname -a". Attacks on unpatched boards are more varied in nature so far. Add to that the PHP XML_RPC bugs, and the Unix-based web server world is clearly under attack this weekend.

As a second ingredient we see the 0-day exploits and the lack of a real patch from Microsoft for javaprxy.dll. This makes the most popular browser potentially seriously vulnerable as this exploit matures.

The final ingredient is timing: in the US it's Independence Day tomorrow, which most probably leaves only a skeleton staff at key places. That means some of the bad guys out there might seize the opportunity to do their evil with fewer defenders on the line.

We're looking for your opinion, will it mix and brew into a storm or not?

Preparing for the storm



At the ISC we're not convinced it will come to a storm. Considering that the reactions we got from you so far mostly point to a storm, a call for action might be the right thing.

As with any real storm, there are things one can do, even on short notice.

A quick overview:

- patch phpBB: even if you cannot do the full upgrade, the critical part of the patch is only one line that you need to change now. Find the one line here: .

- patch XML_RPC: "pear upgrade XML_RPC" should do the trick, or visit site for more details.

- use the workarounds from Microsoft's . Take special care to apply the suggested actions. Alternatively some sites will prefer to switch browsers to those that cannot do ActiveX to start with.

As always, the more publicity this gets and the more action is taken, the less likely it becomes that the storm will actually happen. That's the drawback of our self-defeating prophecy.

It does feel a bit like crying wolf, but taking precautions cannot hurt.
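To check whether a board is seeing the kind of probes described above (the highlight bug and attempts to run "uname -a"), a web server access log can be scanned for them. The script below is an added example, not part of the original diary; the log lines are constructed, and the `cmd` parameter name and the assumption that a probe carries a quote or other non-search characters in `highlight`, possibly percent-encoded more than once, are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/2005:18:01:11 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=storm+center HTTP/1.1" 200 5120
198.51.100.7 - - [03/Jul/2005:18:02:40 +0000] "GET /phpBB2/viewtopic.php?t=42&highlight=%2527 HTTP/1.0" 200 4980
203.0.113.5 - - [03/Jul/2005:18:03:02 +0000] "GET /forum/viewtopic.php?t=1&highlight=x&cmd=uname%20-a HTTP/1.0" 200 4712
192.0.2.10 - - [03/Jul/2005:18:04:55 +0000] "GET /index.php HTTP/1.1" 200 2048
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a legitimate search-term highlight only needs these characters.
SAFE_HIGHLIGHT = re.compile(r"^[\w\s.\-]*$")

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded characters are exposed."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client, reason) for a suspicious viewtopic.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target = m.groups()
    url = urlsplit(target)
    if not url.path.lower().endswith("/viewtopic.php"):
        return None
    for name, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)
        if name == "highlight" and not SAFE_HIGHLIGHT.match(value):
            return client, "highlight carries non-search characters"
        if "uname -a" in value:
            return client, "uname -a in query string"
    return None

def scan(log_text):
    """Classify every line and keep only the suspicious requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

A hit on a patched board only shows that it is being probed; the same hit on an unpatched board is a reason to patch first and then review what the request returned.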



--

Swa Frantzen