SANS ISC: InfoSec Handlers Diary Blog

Is hurricane Wilma affecting you?

Published: 2005-10-24
Last Updated: 2005-10-24 21:29:18 UTC
by Patrick Nolan (Version: 2)
Update - Verio has an updated Network Status page addressing their hurricane Wilma issues.

We've had one report about DNS resolution failures with verio.net in Boca Raton that may have been caused by hurricane Wilma. If you're aware of any other problem reports/information please let us know and it will be correlated and posted here.

We've recently received an additional report that mentioned "I've not been able to reach any of my sites hosted there since about 0830 EDT." Thanks Fred!


UDP traffic to port 50368

Published: 2005-10-24
Last Updated: 2005-10-24 17:39:34 UTC
by Johannes Ullrich (Version: 1)
A reader (Bill) reported that he is seeing a substantial increase of UDP port 50368 traffic getting blocked by the firewall. The traffic appears to originate from Europe, and uses numerous source ports (but many of them are "well known").

Here is a quick sample of sources and source ports:
87.122.209.173/11069
81.219.217.70/9204
83.77.212.239/1037
172.212.40.49/8080
84.161.4.133/9086
82.251.45.191/10030
24.0.235.178/49308
83.40.83.84/11112
66.172.60.201/7871

No idea what's causing that. We have almost no other traffic to this port in our database. If you see any outbound traffic like that, let us know.
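A small triage helper for reports like Bill's, added here as an example (it is not code from the diary or from the reader's firewall). It takes iptables-style LOG lines, constructed below and reusing the diary's sample sources, plus the "ip/port" list quoted above, keeps only UDP packets to destination port 50368, and summarises them by source address and by IANA source-port class, so a reader can check whether their own blocked traffic matches the pattern (many sources, mostly registered-range source ports) before sending it in.

```python
"""Summarise blocked UDP/50368 packets by source and source-port class.

Added example, not from the diary or the reader's firewall.  The LOG lines
below are constructed; the DIARY_SAMPLES text is the list quoted in the diary.
"""
from collections import Counter
import ipaddress
import re

# Constructed iptables LOG lines; source addresses reuse the diary's samples.
FIREWALL_LOG = """\
Oct 24 09:12:01 gw kernel: IN=eth0 OUT= SRC=87.122.209.173 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=11069 DPT=50368 LEN=40
Oct 24 09:12:03 gw kernel: IN=eth0 OUT= SRC=81.219.217.70 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=9204 DPT=50368 LEN=40
Oct 24 09:12:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=44321 DPT=80 WINDOW=5840
Oct 24 09:12:07 gw kernel: IN=eth0 OUT= SRC=87.122.209.173 DST=192.0.2.11 LEN=60 PROTO=UDP SPT=11069 DPT=50368 LEN=40
"""

# The source/source-port pairs exactly as listed in the diary.
DIARY_SAMPLES = """\
87.122.209.173/11069
81.219.217.70/9204
83.77.212.239/1037
172.212.40.49/8080
84.161.4.133/9086
82.251.45.191/10030
24.0.235.178/49308
83.40.83.84/11112
66.172.60.201/7871
"""

TARGET_PORT = 50368
_KV = re.compile(r"(\w+)=(\S*)")


def parse_iptables(text):
    """Yield (src, spt, dpt, proto) for every LOG line carrying those fields."""
    for line in text.splitlines():
        kv = dict(_KV.findall(line))
        if {"SRC", "SPT", "DPT", "PROTO"} <= kv.keys():
            yield kv["SRC"], int(kv["SPT"]), int(kv["DPT"]), kv["PROTO"]


def parse_diary_samples(text):
    """Turn 'ip/port' lines into (src, spt, 50368, 'UDP') records."""
    records = []
    for line in text.splitlines():
        if "/" not in line:
            continue
        ip, port = line.strip().rsplit("/", 1)
        # ip_address() raises on anything that is not a valid address.
        records.append((str(ipaddress.ip_address(ip)), int(port), TARGET_PORT, "UDP"))
    return records


def port_class(port):
    """IANA ranges: system (0-1023), registered (1024-49151), dynamic (49152+)."""
    if port < 1024:
        return "system"
    if port < 49152:
        return "registered"
    return "dynamic"


def summarise(records, dport=TARGET_PORT):
    """Count UDP packets to `dport` per source and per source-port class."""
    hits = [r for r in records if r[3] == "UDP" and r[2] == dport]
    return {
        "packets": len(hits),
        "unique_sources": len({r[0] for r in hits}),
        "by_source": dict(Counter(r[0] for r in hits)),
        "by_port_class": dict(Counter(port_class(r[1]) for r in hits)),
    }


if __name__ == "__main__":
    print(summarise(list(parse_iptables(FIREWALL_LOG))))
    print(summarise(parse_diary_samples(DIARY_SAMPLES)))
```

On the diary's nine samples the summary shows nine distinct sources, eight source ports in the registered range and one (49308) in the dynamic range; the "well known" ports the diary mentions, such as 8080, fall in the registered range rather than the system range below 1024.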



deja vu - "25 new unpackers added in one week"

Published: 2005-10-24
Last Updated: 2005-10-24 17:08:27 UTC
by Patrick Nolan (Version: 1)
"25 new unpackers added in one week"

Yup, that's 25 new unpackers in one week, and there's other "deja vu" data at Kaspersky.

And Websense published a whitepaper on the "JS/Wonka" encoding technique.

A new botnet - Mocbot

Published: 2005-10-24
Last Updated: 2005-10-24 09:40:09 UTC
by Deborah Hale (Version: 1)
A new botnet is making the rounds. And guess who was the first to notify us.  Our very own Handler Patrick Nolan.  He even beat our primary informant, Juha-Matti.  Way to go Patrick.

F-Secure's entry continues: "This botnet client has been spread using the MS05-047 vulnerability."

http://www.f-secure.com/weblog/

http://www.f-secure.com/weblog/archives/archive-102005.html#00000685

http://www.f-secure.com/v-descs/mocbot.shtml

McAfee has information at:

http://vil.nai.com/vil/content/v_136637.htm

This is a heads up for some since botnet owners are using it to further exploit networks they already have a presence on. If you haven't already patched - you may want to do so now.

(Update):
McAfee and F-Secure have since amended their write-ups: this botnet exploits MS05-039, not MS05-047.

Exploit circulating for newly patched Oracle bug

Published: 2005-10-24
Last Updated: 2005-10-24 01:13:13 UTC
by Deborah Hale (Version: 3)
We also received an email from our very own handler Koon Yaw Tan with a link to an article at Computer World regarding an exploit circulating for the Oracle Bug.

http://www.computerworld.com/securitytopics/security/story/0,10801,105615,00.html

Those of you who use Oracle may want to take a look at the article and consider getting your systems patched.


Stopping Spam by Extrusion Detection

Published: 2005-10-24
Last Updated: 2005-10-24 01:11:43 UTC
by Deborah Hale (Version: 2)
It was a somewhat quiet day on the Internet today as far as the bad guys go. We did however receive some really good emails in the mailbag with interesting tidbits. One that I particularly liked was sent to us by one of our faithful readers, Chris Edwards. He was commenting on spam filtering and included a link to an article at:
http://www.cl.cam.ac.uk/~rnc1/extrusion.pdf

This is an excellent article by Richard Clayton, University of Cambridge in the UK.  I am very intrigued by the information that was supplied in this article.  Richard has provided some very helpful tips.  Thanks Chris for bringing this to our attention.
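To make the "extrusion detection" idea concrete, here is an added example of the kind of check an ISP could run over its own outbound mail logs. It is not code from Clayton's paper or from the diary: it reads constructed outbound SMTP connection records for a customer address range and flags a customer address when, inside a sliding time window, it contacts many distinct remote mail hosts or has a high share of rejected deliveries. The log format, the window length and the thresholds are assumptions chosen for illustration, and a flag is a prompt to look at the customer, not proof of spamming.

```python
"""Extrusion-detection style check for outgoing spam from an ISP's customers.

Added example, not from the paper or the diary.  Log format, window and
thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records: timestamp, customer source address, remote MX, outcome.
# 10.7.1.20 behaves normally; 10.7.3.44 collects rejections; 10.7.9.9 fans out
# to many destinations in under a minute.
SMTP_LOG = """\
2005-10-24T08:30:00 src=10.7.1.20 dst=mx.example.net result=accepted
2005-10-24T08:30:05 src=10.7.1.20 dst=mx2.example.org result=accepted
2005-10-24T08:35:00 src=10.7.1.20 dst=mx.example.net result=accepted
2005-10-24T08:40:00 src=10.7.3.44 dst=mx.alpha.example result=accepted
2005-10-24T08:40:15 src=10.7.3.44 dst=mx.beta.example result=rejected
2005-10-24T08:40:30 src=10.7.3.44 dst=mx.gamma.example result=rejected
2005-10-24T08:40:45 src=10.7.3.44 dst=mx.delta.example result=rejected
2005-10-24T08:41:00 src=10.7.3.44 dst=mx.epsilon.example result=accepted
2005-10-24T08:41:15 src=10.7.3.44 dst=mx.zeta.example result=rejected
2005-10-24T08:41:30 src=10.7.3.44 dst=mx.eta.example result=rejected
2005-10-24T08:41:45 src=10.7.3.44 dst=mx.alpha.example result=accepted
2005-10-24T08:50:00 src=10.7.9.9 dst=mx.one.example result=accepted
2005-10-24T08:50:10 src=10.7.9.9 dst=mx.two.example result=accepted
2005-10-24T08:50:20 src=10.7.9.9 dst=mx.three.example result=accepted
2005-10-24T08:50:30 src=10.7.9.9 dst=mx.four.example result=accepted
2005-10-24T08:50:40 src=10.7.9.9 dst=mx.five.example result=accepted
2005-10-24T08:50:50 src=10.7.9.9 dst=mx.six.example result=accepted
"""

# Assumed thresholds: tune them to the customer population being watched.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_DST = 5     # more distinct remote MXs than this in one window
MAX_REJECT_RATIO = 0.5   # more than half of deliveries rejected ...
MIN_ATTEMPTS = 4         # ... once at least this many attempts are in the window


def parse_smtp_log(text):
    """Return (timestamp, src, dst, result) tuples from key=value log lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        records.append((datetime.fromisoformat(ts), kv["src"], kv["dst"], kv["result"]))
    return records


def flag_senders(records, window=WINDOW):
    """Map each flagged customer address to (first flag time, reasons)."""
    per_src = defaultdict(deque)   # sliding window of recent attempts per source
    flagged = {}
    for ts, src, dst, result in sorted(records):
        q = per_src[src]
        q.append((ts, dst, result))
        while q and ts - q[0][0] > window:   # drop attempts older than the window
            q.popleft()
        distinct = len({d for _, d, _ in q})
        rejected = sum(1 for _, _, r in q if r == "rejected")
        reasons = []
        if distinct > MAX_DISTINCT_DST:
            reasons.append(f"{distinct} distinct destinations within {window}")
        if len(q) >= MIN_ATTEMPTS and rejected / len(q) > MAX_REJECT_RATIO:
            reasons.append(f"{rejected}/{len(q)} deliveries rejected")
        if reasons and src not in flagged:   # record the first trigger only
            flagged[src] = (ts, reasons)
    return flagged


if __name__ == "__main__":
    for src, (when, why) in flag_senders(parse_smtp_log(SMTP_LOG)).items():
        print(src, when.isoformat(), "; ".join(why))
```

The rejection-ratio rule fires on 10.7.3.44 at its fourth attempt (three of four rejected), while the fan-out rule fires on 10.7.9.9 at its sixth distinct destination; 10.7.1.20 is never flagged. The sliding window is what keeps a steady low-volume sender from accumulating a flag over a whole day.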

