Porn is Evil; Workarounds vs Patching; Hopster; SSH Scans; phpBB Issue; Darwin was Right

Published: 2005-04-29
Last Updated: 2005-04-29 23:43:18 UTC
by Marcus Sachs (Version: 1)

Evil Lurks on Porn Sites. Justin sent us a link to a porn site that asks visitors to download and install an executable that contains all of the naughty photos. Boy, were we tempted to download and open that file! Being good incident handlers we remained calm and first ran the executable through one of our favorite scanners. We found it to be just what we expected, a bot variant of some sort. Watch your logs for downloads of "linda.exe" and if you see it then perhaps you got bot.

Workarounds vs Patches. Vinicius sent us a nice note reminding everybody that sometimes we can't immediately patch but that the vendor's workarounds are good security steps to take anyway. He suggests,

I think that we, in general, are too used to saying "patch now",
instead of truly studying the viability of workarounds. Many times
workarounds are not exactly "workarounds"; most times they are good
practices that, if they had already been implemented, would not have let
the system be exploited even if the vulnerability is present in the
Patches prevent attacks only until the next bug announcement and don't
isolate the human factor of security (ok, patching is important,
but not always).

Hopster Signatures. Mike would like to know if anybody has developed any good Snort signatures for Hopster. If so, please send them to us via the contact form and we'll make them available for everybody.

SSH Scans Continue. Sebastian wrote to tell us that SSH scans continue unabated and that one of his customers lost a box to a brute force attack. Many virtual hosting companies are now disabling root logins via SSH, requiring customers to log in with an unprivileged account and then su to root when needed. Good advice for anybody with an SSH service running. Find your SSH config file (/etc/sshd.config on many systems) and check to make sure this line appears:

PermitRootLogin no
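Eyeballing the file is error-prone: sshd honours only the first uncommented occurrence of a keyword, a commented-out "#PermitRootLogin no" does nothing, and a line inside a "Match" block applies only to that condition. The following check, added here as an example and not part of the diary, reports the effective value; it assumes the OpenSSH path /etc/ssh/sshd_config and, when the keyword is absent, reports "unset" rather than guessing the compiled-in default (which has changed across OpenSSH releases). On current OpenSSH, "sshd -T" prints the effective configuration directly and is the authoritative check.

```shell
# Added example: report the effective PermitRootLogin value from an sshd_config.
# Assumption: OpenSSH keyword semantics (first uncommented match wins, keywords are
# case-insensitive, directives after a "Match" line are conditional).
effective_permit_root_login() {
    cfg="${1:-/etc/ssh/sshd_config}"     # assumed default path
    val=$(awk '
        tolower($1) == "match" { exit }                 # conditional section: stop
        tolower($1) == "permitrootlogin" {
            gsub(/"/, "", $2)                           # strip optional quotes
            print tolower($2); exit                     # first occurrence wins
        }
    ' "$cfg" 2>/dev/null)
    printf '%s\n' "${val:-unset}"        # absent keyword -> compiled-in default applies
}

# Pass only when root login is explicitly disabled; "unset", "yes",
# "without-password" etc. all count as a failed check.
check_root_login() {
    case "$(effective_permit_root_login "$1")" in
        no) return 0 ;;
        *)  return 1 ;;
    esac
}

# Constructed sample config (not from any real host) showing the pitfalls.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# a commented-out line must be ignored
#PermitRootLogin yes
Port 22
PermitRootLogin no
Match User backup
    PermitRootLogin yes
EOF
    effective_permit_root_login "$tmp"   # prints: no
    rm -f "$tmp"
}
```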

ISC RSS Feed. Thanks to an anonymous reader, we found out that our RSS feed was kaput. It's back up now -

More phpBB Issues. Reg worked with a few of our handlers today to solve a recent phpBB issue with one of his servers. Something seems to be amiss with the "admin_forums.php" script, and it resulted in a compromise with a backdoor. We did some looking around and it seems that others have seen it too:

If you have seen anything like this, please let us know.

Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show. The rest of the story is at

Have a great weekend!

Marcus H. Sachs

Handler on Duty
