Handlers Diary May 6th 2004 - Updated May 7th 2004 03:45 UTC
/ Reading Logs / More Phishing / TCP 135, Welchia and Lovgate / Sasser slowing / Egress Filtering and You /
Reading Your Logs Pays Off
Chas Tomlin, a sysadmin and programmer for the University of Southampton, noticed some odd entries in his web logs and forwarded them to the ISC for analysis. Examination showed that an attack based on the do_brk exploit (http://secunia.com/advisories/10328/ ), a local privilege-escalation flaw in the bounds checking of the Linux 2.4 kernel's do_brk() routine that was fixed in 2.4.23, was attempted and failed. Systems shown to be vulnerable to this attack have the following kernels:
2.4.20-18.9 as shipped with RedHat 9.0
2.4.22 with grsecurity patch
Please make sure your systems are patched and/or upgraded as needed.
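The do_brk flaw referenced above came down to a missing range check: a request could extend a process's heap mapping past the user/kernel boundary. The following is an added user-space model written for this diary entry, not kernel source and not the attacker's code. It puts the unchecked pre-2.4.23 behaviour beside the 2.4.23-style check, including the wrap-around test that rejects a length large enough to make addr + len overflow. The TASK_SIZE and page size values are assumptions for a 32-bit i386 layout (3 GB user space, 4 KiB pages), chosen only to make the model concrete.

```c
#include <errno.h>
#include <stdio.h>

/* Assumed i386-style constants for this illustration (not from the page). */
#define MODEL_TASK_SIZE 0xC0000000UL
#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_ALIGN(x) (((x) + MODEL_PAGE_SIZE - 1) & ~(MODEL_PAGE_SIZE - 1))

/* Pre-2.4.23 behaviour: the length is page-aligned and the request goes
 * ahead with no check that [addr, addr+len) stays below TASK_SIZE. */
int brk_range_check_vulnerable(unsigned long addr, unsigned long len)
{
    (void)addr;                 /* the start address is never compared */
    len = MODEL_PAGE_ALIGN(len);
    if (!len)
        return 0;               /* zero-length request is a no-op */
    return 0;                   /* always proceeds to create the mapping */
}

/* 2.4.23-style check: reject a range that reaches kernel space, and also
 * reject one whose end wraps around (addr + len < addr). Returns 0 when
 * the range is acceptable, -EINVAL otherwise. */
int brk_range_check_fixed(unsigned long addr, unsigned long len)
{
    len = MODEL_PAGE_ALIGN(len);
    if (!len)
        return 0;
    if ((addr + len) > MODEL_TASK_SIZE || (addr + len) < addr)
        return -EINVAL;
    return 0;
}

int main(void)
{
    /* Constructed sample requests: an ordinary heap grow, one that crosses
     * into kernel space, and one whose length wraps the address space. */
    unsigned long wrap_addr = ~0UL - 2 * MODEL_PAGE_SIZE + 1;
    printf("ordinary   : vulnerable=%d fixed=%d\n",
           brk_range_check_vulnerable(0x08048000UL, 0x1000UL),
           brk_range_check_fixed(0x08048000UL, 0x1000UL));
    printf("into kernel: vulnerable=%d fixed=%d\n",
           brk_range_check_vulnerable(0xBFFFF000UL, 0x2000UL),
           brk_range_check_fixed(0xBFFFF000UL, 0x2000UL));
    printf("wrap-around: vulnerable=%d fixed=%d\n",
           brk_range_check_vulnerable(wrap_addr, 3 * MODEL_PAGE_SIZE),
           brk_range_check_fixed(wrap_addr, 3 * MODEL_PAGE_SIZE));
    return 0;
}
```

The second condition matters as much as the first: without `(addr + len) < addr`, a caller could pass a length that overflows the sum back below TASK_SIZE and slip past the boundary comparison, which is why range checks on attacker-controlled sizes should always test for wrap-around as well as the upper bound.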
Another eBay Phishing Scam
Anthony Congiano, a helpdesk administrator, alerted the ISC earlier today to another attempt at phishing information from eBay users. The e-mail in question tells the recipient that their account has been used "to make fake bids" and that "you are required to verify your eBay account by following the link below." The scam is designed to collect eBay member names, user names, passwords and credit card information. eBay and the web host have been notified.
Port 135 Spikes, Lovgate and Welchia
Symantec: Sasser, Netsky Work Of Same Hacker
After analyzing Netsky.ac and Sasser, Symantec researchers Friday concluded that it was almost certain the worms were written by the same hacker(s).
"The probability that they were written by the same person is very high," said Alfred Huger, senior director of engineering with Symantec's response team. "And if the same person or group didn't actually write both, they certainly shared [source] code."
Hotmail suffers morning outage
A "networking issue" on Friday locked out millions of Microsoft's Hotmail e-mail users for more than three hours, but the service has since been restored.
A Microsoft spokeswoman said the company first discovered the problem at 6:30 a.m. Pacific time and "fully restored" service by 9:50 a.m. The spokeswoman said no customer data was lost during the outage. She declined to offer further details about the nature of the problem.
During the outage, attempts to log in were met with a message saying: "This server is too busy." Since the Hotmail home page did appear, the company had advised customers to try logging in again.
MS mounts covert anti-piracy op
In line with its efforts to fight software piracy, Microsoft Corp. has hired Bare Associates to send secret investigators to 400 computer retailers in Belgium. The investigation showed that, although none of the retailers installed unauthorized versions of software on computers themselves, 25% encouraged users to buy pirated software - a small number, about 8%, even provided buyers with instructions on where to get such software. The investigation will continue and offenders could face legal action.
Hotmail chain letter still tops hoax list
The Hotmail chain letter is the top e-mail hoax on the Internet for the ninth month running, according to anti-virus vendor Sophos. The Hotmail chain letter, which was first discovered in December 1999, warns na
Bagle worms continue mutating
Anti-virus vendor Sophos is warning Internet users about a new variant of the prolific Bagle worm. Sophos has received "many reports" of Bagle-AB in the wild. The new Bagle variant arrives via e-mail with a variety of subject lines, scans systems for e-mail addresses to mail itself to, and attempts to turn off security and anti-virus programs on an infected machine. When the malicious Bagle attachment is executed, users are shown a fake error message, 'Can't find a viewer associated with the file'.
Check Point urges VPN software upgrade to close hole
Check Point Software Technologies Ltd. is warning customers about a vulnerability in its implementation of ISAKMP (Internet Security Association & Key Management Protocol) that could allow the execution of malicious code on a vulnerable machine. Customers who have upgraded to the latest versions of Check Point's VPN (virtual private network) software (VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56), or who do not use remote access or gateway VPNs, are not affected by the flaw. Everyone else is urged to upgrade immediately. Check Point is not aware of any organization that has been affected by the vulnerability so far.