SANS ISC InfoSec Handlers Diary Blog

2008 around just a little bit longer (1 second)

Published: 2008-12-31
Last Updated: 2008-12-31 23:08:01 UTC
by David Goldsmith (Version: 1)
1 comment(s)

A leap second will be added to the clock at 12/31/2008 23:59:59 UTC tonight.  Clocks will go:

12/31/2008 23:59:58
12/31/2008 23:59:59
12/31/2008 23:59:60
01/01/2009 00:00:00
01/01/2009 00:00:01
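The 23:59:60 tick above is the one that trips up log tooling: POSIX epoch time has no slot for it, and strict date parsers reject it outright. The following is an added example (not part of the diary) that shows the failure with Python's datetime.strptime and a tolerant parser that keeps the five ticks in order; the timestamp layout is the one used in the list above.

```python
import calendar
import time
from datetime import datetime

# Timestamp layout used in the diary's list: MM/DD/YYYY HH:MM:SS, UTC.
FMT = "%m/%d/%Y %H:%M:%S"


def strict_parse_ok(text):
    """True if datetime.strptime accepts the stamp. It rejects second == 60
    because datetime only allows seconds 0..59, which is how many log parsers
    silently drop the leap-second record."""
    try:
        datetime.strptime(text, FMT)
        return True
    except ValueError:
        return False


def parse_utc(text):
    """Return a sort key (epoch_seconds, is_leap) for a UTC stamp.

    Epoch time cannot represent 23:59:60, so a leap second is keyed on the
    epoch of the preceding :59 with is_leap=1. Sorting on the tuple keeps
    23:59:59 < 23:59:60 < 00:00:00 instead of colliding the last two."""
    try:
        dt = datetime.strptime(text, FMT)
        return calendar.timegm(dt.timetuple()), 0
    except ValueError:
        # time.strptime follows C strptime and tolerates tm_sec up to 61.
        st = time.strptime(text, FMT)
        if st.tm_sec != 60:
            raise
        prev = datetime(st.tm_year, st.tm_mon, st.tm_mday,
                        st.tm_hour, st.tm_min, 59)
        return calendar.timegm(prev.timetuple()), 1


def order_events(stamps):
    """Sort timestamp strings chronologically, leap second included."""
    return sorted(stamps, key=parse_utc)


# The five ticks the diary lists, deliberately shuffled.
SHUFFLED = [
    "01/01/2009 00:00:01",
    "12/31/2008 23:59:60",
    "12/31/2008 23:59:58",
    "01/01/2009 00:00:00",
    "12/31/2008 23:59:59",
]

if __name__ == "__main__":
    for s in order_events(SHUFFLED):
        print(s, parse_utc(s), "strict parser accepts:", strict_parse_ok(s))
```

The second element of the key is the only thing that distinguishes 23:59:60 from 00:00:00 once both are reduced to epoch seconds; anything that stores the stamp as a bare integer (most databases and SIEMs) will merge the two records or reject the first.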

Hopefully most IT folks will be otherwise occupied at that time and not focusing on their system clocks.

Have a Happy 1-second Delayed New Year.

David Goldsmith


Roundcube Webmail - Another Issue

Published: 2008-12-31
Last Updated: 2008-12-31 15:27:29 UTC
by David Goldsmith (Version: 1)
0 comment(s)

Reader Nathan, who sent us information about the Roundcube html2text.php vulnerability last week (see our previous diary here), has written in again about a new scan he is seeing for the "msgimport" binary included with Roundcube.  Nathan writes:

In regard to the Roundcube vulnerability it appears that attackers are now actively scanning for the presence of Roundcube with a specific user agent. It may be possible to craft a mod_security or fail2ban rule to match against this user agent. Two separate users have reported the scanning as well on separate ARIN netblocks. I have seen these scans first-hand on my webserver. Scans appear to originate from 87.233.128.0/18 with specific allocation details of "Assigned to customer 504". I don't think customer 504 is very nice :)

The User-Agent is in Romanian and translates, "All my love for the devil girl". Do you have any additional information regarding this user-agent and/or the specific vulnerability relating to msgimport? This does not appear to be the same vulnerability regarding code execution in html2text.php. I don't have additional behavior from the clients in the logs due to fail2ban taking action (HTTP 403 on connections without a host-header w/immediate fail2ban). Googling shows that scanning for this vulnerability appears to have started around Dec 20th.

default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"

87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"

Nathan, thanks for the information about the scanning and have a happy New Year.
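Nathan suggests matching on the User-Agent with mod_security or fail2ban. The following is an added example (not from the diary or from Nathan) that parses Apache combined-format lines like the ones he quoted, flags the two indicators in them (the Romanian User-Agent and the probe for bin/msgimport) and checks a fail2ban-style failregex against the same lines. The three scanner lines are the ones quoted above; the fourth line (client 192.0.2.10, a Firefox User-Agent) is constructed as a benign control, and the expansion of fail2ban's <HOST> token is an approximation of what fail2ban does internally, not its own code.

```python
import re
from collections import Counter

# Indicators from the diary: the scanner's User-Agent and the path it probes.
SCANNER_UA = "Toata dragostea mea pentru diavola"
PROBE_PATH = re.compile(r"/bin/msgimport(?:$|[?#])")

# Apache combined log line with an optional leading virtual-host token, as in
# the reader's first two lines (a custom LogFormat); absent in the third.
LINE_RE = re.compile(
    r'^(?:(?P<vhost>\S+)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Three lines quoted in the diary plus one constructed benign request.
SAMPLE_LOG = """\
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET HTTP/1.1 HTTP/1.1" 400 226 "-" "Toata dragostea mea pentru diavola"
default 87.233.139.98 - - [29/Dec/2008:15:52:57 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 403 226 "-" "Toata dragostea mea pentru diavola"
87.233.180.109 - - [30/Dec/2008:14:03:28 -0600] "GET /roundcube//bin/msgimport HTTP/1.1" 404 291 "-" "Toata dragostea mea pentru diavola"
192.0.2.10 - - [30/Dec/2008:14:05:01 -0600] "GET /roundcube/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; U; Linux i686; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5"
"""


def parse_line(line):
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def classify(rec):
    """Return the indicator names that fire on one parsed record."""
    hits = []
    if rec["ua"] == SCANNER_UA:
        hits.append("scanner-ua")
    if PROBE_PATH.search(rec["path"]):
        hits.append("msgimport-probe")
    return hits


def scan(log_text):
    """Return (ip, status, path, hits) for every line that fires an indicator."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            out.append((rec["ip"], rec["status"], rec["path"], hits))
    return out


def sources(log_text):
    """Count flagged requests per source IP (what a fail2ban jail keys on)."""
    return Counter(ip for ip, _, _, _ in scan(log_text))


# A fail2ban-style failregex for the User-Agent indicator. fail2ban expands
# <HOST> into a capturing group before matching; the replacement below is an
# approximation of that step, not fail2ban's own code.
FAILREGEX = (r'^(?:\S+ )?<HOST> \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" '
             r'"Toata dragostea mea pentru diavola"$')
_HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w\-.^_]*\w)"))


def failregex_hosts(log_text):
    """Hosts the failregex would ban, in log order."""
    return [m.group("host") for m in map(_HOST_RE.match, log_text.splitlines()) if m]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(sources(SAMPLE_LOG))
    print(failregex_hosts(SAMPLE_LOG))
```

The first quoted line has no usable path (the request line is malformed, hence the 400), so only the User-Agent indicator fires on it; the two msgimport probes fire both. Keying a ban on the User-Agent alone is cheap but trivially changed by the scanner, so the path indicator is worth keeping alongside it.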

David Goldsmith


MS08-067 Worm on the Loose

Published: 2008-12-31
Last Updated: 2008-12-31 14:26:41 UTC
by David Goldsmith (Version: 1)
3 comment(s)

Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067.

It does various things to install and hide itself on the infected computer.  It removes any System Restore points that the user has set and disables the Windows Update Service.  It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary.  At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible.  After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself.  You can find examples of the domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL that it generates is: http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d so you could configure proxy servers or IDS sensors to look for "/search?q=%d" to find systems on your network that may have been compromised by this worm.
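The following is an added example (not from the diary or from Symantec) of what a proxy-log check for that URL shape can look like. It reads %d as a printf-style placeholder for a decimal number, which is the usual meaning of the notation (the diary does not spell this out), so it matches /search?q= followed by digits rather than the literal text "%d". The client addresses and hostnames in the sample are constructed placeholders, not the worm's real generated domains.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit


def is_downadup_beacon(url):
    """True for http://<host>/search?q=<integer>, the shape the diary gives.

    %d is read as a printf-style decimal placeholder (my reading; the diary
    does not say so). Exactly one query parameter, q, with an all-digit value
    is required, so ordinary search URLs with text queries or extra parameters
    do not fire."""
    parts = urlsplit(url)
    if not parts.hostname or parts.path != "/search":
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) != 1:
        return False
    name, value = params[0]
    return name == "q" and value.isdigit()


def suspect_clients(requests):
    """Given (client_ip, url) pairs from a proxy log export, return
    {client: (beacon_count, sorted distinct hosts contacted)}.

    One hit against a well-known host is noise; one client hitting many
    different unfamiliar hosts in this shape is the pattern worth chasing."""
    counts = Counter()
    hosts = {}
    for client, url in requests:
        if is_downadup_beacon(url):
            counts[client] += 1
            hosts.setdefault(client, set()).add(urlsplit(url).hostname)
    return {c: (n, sorted(hosts[c])) for c, n in counts.items()}


# Constructed proxy-log extract; hostnames are placeholders, not real
# generated domains.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "http://qwhztbek.example/search?q=41"),
    ("10.0.0.5", "http://lkjpoiuy.example/search?q=417"),
    ("10.0.0.5", "http://mnbvcxz.example/search?q=4"),
    ("10.0.0.9", "http://www.example.com/search?q=leap+second"),
    ("10.0.0.9", "http://www.example.com/search?q=42&hl=en"),
    ("10.0.0.9", "http://www.example.com/search?q=42"),
]

if __name__ == "__main__":
    for client, (n, hosts) in sorted(suspect_clients(SAMPLE_REQUESTS).items()):
        print(client, n, hosts)
```

Note that a bare numeric query to a legitimate search site (the last sample line) does match the shape; the URL pattern alone cannot tell a generated domain from a real one, which is why the per-client host count is reported alongside the hit count.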

David Goldsmith


Thunderbird 2.0.0.19 Released

Published: 2008-12-31
Last Updated: 2008-12-31 04:45:11 UTC
by David Goldsmith (Version: 1)
0 comment(s)

Mozilla released Thunderbird 2.0.0.19 today.  The release notes are here.  This release addresses a number of security issues, most of which were also fixed in the Firefox 3.0.5 and 2.0.0.19/2.0.0.20 releases earlier this month.

  MFSA 2008-60 - Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
  MFSA 2008-61 - Information stealing via loadBindingDocument
  MFSA 2008-64 - XMLHttpRequest 302 response disclosure
  MFSA 2008-65 - Cross-domain data theft via script redirect error message
  MFSA 2008-66 - Errors parsing URLs with leading whitespace and control characters
  MFSA 2008-67 - Escaped null characters ignored by CSS parser
  MFSA 2008-68 - XSS and JavaScript privilege escalation
