SANS ISC: InfoSec Handlers Diary Blog
We're Phull... Article about Bank Fraud. Google Strangeness. SSH Probe Reveals Big-Time Hack.

Published: 2005-07-19
Last Updated: 2005-07-20 00:18:54 UTC
by Ed Skoudis (Version: 1)
0 comment(s)

No more ph.


Thanks for all of the ph words from yesterday. We're full now, so please don't send any more.

If you want to see the creativity of your fellow readers, check out their ph-word suggestions from . But, again, no more, thank you.



Internet Fraud Article


If you want some news, check out
about the costs of on-line theft to banks in Australia, sent to us by alert reader Malcolm Murray.



Google Strangeness


Nathan, an observant reader, pointed out some unusual Google issues today. Seems that, in some browsers, when you do a Google search, your search results actually include a link back to Google, which then forwards your browser to your intended search target. Nathan mentions:




>> Searching on TCPMP yields several results.
>> In the 9th result, look at the
>> URL:
>> http://www.google.com/url?sa=U&start=9&q=http://mytreo.net/news/archives/000496.php&e=10053



That's interesting... You click on a search result in Google, which sends you right back to Google, which forwards you to another URL. I couldn't reproduce this on Apple Safari or my fully patched WinXP SP2 box with IE 6. Mike Poor couldn't reproduce it on Lynx. But, we did see this behavior on a fully patched Win2K Pro box with IE 6. It appears to be some Javascript that's pulling this off, perhaps allowing the omnipresent Google eye to capture even more data about what we're up to... but don't worry... their motto is: "Don't Be Evil."

SSH Probing Reveals Big-Time Probs


Another alert reader sent in a message about yet another SSH userID and password-guessing scan that showed up in his logs. "Yawn," I'm sure you're thinking. But wait... there's more. Turns out, this scan was coming from a pretty sensitive institution with pretty sensitive information. The reader said he was concerned about compromise of such a place, which made fellow-handler Kyle Haugsness urge me to contact them. I phoned the organization whose server was used to launch the scan. At first, they thought it was just an unimportant file server that had been hacked and used as a launch point for further attacks on other sites... But, before long, they realized it was a massively important server in their environment! We worked with them to handle that issue, but we all need to keep in mind: it's absolutely crucial to have a strong handle on your asset inventory. Know what your organization has connected to the Internet, and watch those boxes carefully!




In this particular case, the bad guys had activated sshd so they could get strongly encrypted access to the machine. If you ever have a system that doesn't have an sshd running, and then one suddenly starts up, please investigate immediately. I'm not saying that sshd is bad. It's an extremely useful tool in managing your systems securely. However, if you don't use it, but then see it start running mysteriously, look into it immediately.
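One way to turn that advice into a routine check, as an added example that is not from the diary or from any product: compare a host's listening services against a known-good baseline and alert when sshd shows up where the baseline never listed it. It assumes a Linux host with iproute2's `ss`; the baseline file and the `ss -tlnp` sample below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the diary. Flags listening services that a host's
# known-good baseline does not list, sshd in particular. Input is the text format
# of `ss -tlnp` (Linux iproute2); the sample below is constructed, not a real capture.

# parse_listeners: read `ss -tlnp` output on stdin, print "port program" lines, sorted.
parse_listeners() {
    awk '
        $1 == "LISTEN" {
            n = split($4, addr, ":"); port = addr[n]   # text after the last ":" is the port
            prog = "unknown"                            # non-root runs may omit the process
            if (match($0, /"[^"]+"/)) prog = substr($0, RSTART + 1, RLENGTH - 2)
            print port, prog
        }' | sort -u
}

# unexpected_listeners BASELINE: "port program" lines on stdin that the baseline lacks.
unexpected_listeners() {
    parse_listeners | awk 'FILENAME == ARGV[1] { known[$0] = 1; next } !($0 in known)' "$1" -
}

# sshd_unexpected BASELINE: succeed (exit 0) when an sshd listener is not in the baseline.
sshd_unexpected() {
    unexpected_listeners "$1" | grep -q ' sshd$'
}

# Constructed baseline for a web server that is never supposed to run sshd.
BASELINE=$(mktemp)
printf '%s\n' '80 nginx' '443 nginx' > "$BASELINE"

# Constructed `ss -tlnp` output in which sshd has appeared alongside nginx.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=410,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=410,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))'

# Demonstration on the constructed sample. On a live host run (as root, so that
# process names are visible): ss -tlnp | sshd_unexpected /path/to/listeners.baseline
if printf '%s\n' "$SAMPLE_SS" | sshd_unexpected "$BASELINE"; then
    echo "ALERT: sshd is listening but is not in the baseline; investigate now"
fi
```

Run it from cron or your monitoring agent with a baseline generated from `parse_listeners` on a known-clean host, and review the full `unexpected_listeners` output as well, since the same trick applies to any service that appears unannounced.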




So, in the end, what started out as a yawner was really a fascinating (albeit somewhat scary) case.




Further Reports of Exploits Against MS05-037


A reader desiring anonymity told us that he's seen some exploits of his systems by malicious websites using the Microsoft Internet Explorer Javaprxy.DLL COM Object Instantiation Heap Overflow Vulnerability (described in MS Security Bulletin MS05-037) to install malware. Looks like we'd better step up that patch rate, since this one could be a big problem.




Over and out...

--Ed Skoudis

Intelguardians

ed (at) intelguardians.com