Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-01-25 InfoSec Handlers Diary Blog



Blackworm Notifications

Published: 2006-01-25
Last Updated: 2006-01-26 17:56:37 UTC
by Johannes Ullrich (Version: 1)
Machines infected with Blackworm reported their infection to a 'counter' web site. The TISF BlackWorm task force obtained the logs from this counter and is notifying the networks represented in them. These notifications will use a from address of "handlers@sans.org" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrich\at/sans.org if you would like to obtain a list for your network and have not received an automated e-mail.

Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.

Update: We are getting A LOT of requests. Please do not forget to include the IP space you are interested in. Quite a number of people responded that these logs helped them identify infected systems and it likely prevented major data loss to these organizations. BIG THANKS to RCN for providing the counter logs in a timely manner. We could not provide this service without their help.


Cisco IOS local privilege escalation

Published: 2006-01-25
Last Updated: 2006-01-25 20:59:59 UTC
by Swa Frantzen (Version: 1)
Cisco earlier released a vulnerability note detailing a problem in some Cisco IOS versions that bypasses the command authorization provided by AAA services such as TACACS+. The bypass uses tclsh.

Why a router would need tclsh is a mystery to this handler.

--
Swa Frantzen



DoS exploit publicly released for Cisco Aironet AP

Published: 2006-01-25
Last Updated: 2006-01-25 20:35:38 UTC
by Swa Frantzen (Version: 1)
FrSIRT has publicly released an exploit that crafts the ARP requests needed to trigger the vulnerability described in Cisco's advisory. As a reminder, this vulnerability is a resource-exhaustion issue caused by ARP requests and therefore results in a Denial of Service condition.
If you have not yet taken measures to protect your Cisco Aironet Access Points, now would be a good time to start planning the upgrades or to implement one of the workarounds in the Cisco advisory.
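Since the advisory describes a resource-exhaustion condition driven by ARP requests, one thing a defender can do while planning upgrades is watch the wireless segment for an abnormal ARP-request rate. The script below is an added example written for this diary, not code from the ISC or from Cisco: it reads `tcpdump -n` text output and reports any sender whose ARP-request count within a single second exceeds a threshold. The capture lines and the threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the ISC diary or the Cisco advisory): flag senders
# issuing an abnormal number of ARP requests per second in tcpdump text
# output. Threshold and sample capture below are constructed for illustration.

# Reads tcpdump -n lines ("HH:MM:SS.usec ARP, Request who-has A tell B, ...")
# on stdin and prints "second sender count" for every (second, sender) pair
# whose request count exceeds $1.
arp_rate_alerts() {
    threshold="$1"
    awk -v limit="$threshold" '
        /ARP, Request who-has/ {
            second = substr($1, 1, 8)          # keep HH:MM:SS, drop microseconds
            for (i = 1; i <= NF; i++)
                if ($i == "tell") { sender = $(i + 1); sub(/,$/, "", sender) }
            count[second " " sender]++
        }
        END {
            for (k in count)
                if (count[k] > limit) print k, count[k]
        }' | sort
}

# Constructed capture: one host behaving normally and one sender issuing
# fifty requests within the same second.
SAMPLE_CAPTURE=$(mktemp)
{
    printf '10:00:01.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28\n'
    i=0
    while [ "$i" -lt 50 ]; do
        printf '10:00:01.%06d ARP, Request who-has 10.0.0.%d tell 10.0.0.99, length 28\n' "$i" "$((i + 1))"
        i=$((i + 1))
    done
    printf '10:00:02.000100 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28\n'
} > "$SAMPLE_CAPTURE"

# Number of alerting (second, sender) pairs in the sample at a given threshold.
alert_count() {
    arp_rate_alerts "$1" < "$SAMPLE_CAPTURE" | wc -l | tr -d ' '
}

# Usage on a live capture (assumed interface name):
#   tcpdump -n -l -i wlan0 arp | arp_rate_alerts 20
```

The per-second bucket is deliberately coarse: a normal host resolving a few addresses never approaches the limit, while a flood from one sender stands out in the first second it appears, which is the signal you want before the access point's resources are exhausted.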

--
Swa Frantzen

FreeBSD packet filter (pf) DoS using fragments.

Published: 2006-01-25
Last Updated: 2006-01-25 18:44:53 UTC
by Swa Frantzen (Version: 1)
FreeBSD announced a patch for a vulnerability that can trigger a kernel panic due to crafted fragments and their handling in pf(4).

Workarounds are available: do not use "scrub fragment crop" or "scrub fragment drop-ovl" in pf.conf(5).
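To apply that workaround across many hosts, it helps to have a quick audit of which rule sets still carry the two options. The script below is an added example written for this diary, not code from the ISC or from the FreeBSD advisory: it finds scrub rules using `fragment crop` or `fragment drop-ovl` in a pf.conf and prints a copy rewritten to `fragment reassemble`, the pf scrub mode the advisory does not name as affected. The sample rule set is constructed.

```shell
#!/bin/sh
# Added example (not from the ISC diary or the FreeBSD advisory): audit a
# pf.conf for the "scrub ... fragment crop" / "fragment drop-ovl" options the
# diary says to avoid, and show the "fragment reassemble" form instead.
# The sample rule set below is constructed for illustration.

# Prints the scrub rules in $1 that use fragment crop or drop-ovl.
# Exit status 0 if any were found, 1 if none.
find_risky_scrub() {
    conf="$1"
    # Strip comments first so a commented-out rule does not trigger a match.
    sed 's/#.*//' "$conf" | grep -E '^[[:space:]]*scrub.*fragment[[:space:]]+(crop|drop-ovl)'
}

# Prints $1 with the risky options rewritten to "fragment reassemble".
# This is a plain text substitution; review the output before loading it.
harden_scrub() {
    conf="$1"
    sed -E 's/fragment[[:space:]]+(crop|drop-ovl)/fragment reassemble/g' "$conf"
}

# Number of risky scrub rules in a file, as a bare integer.
risky_count() {
    find_risky_scrub "$1" | wc -l | tr -d ' '
}

# Constructed sample pf.conf.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# constructed pf.conf fragment
ext_if = "em0"
scrub in on $ext_if all fragment crop      # weak: named in the advisory workaround
scrub in on $ext_if all fragment drop-ovl  # weak: named in the advisory workaround
scrub out on $ext_if all fragment reassemble
pass in on $ext_if proto tcp to port 22
EOF

# Usage:
#   find_risky_scrub /etc/pf.conf
#   harden_scrub /etc/pf.conf > /tmp/pf.conf.new && pfctl -nf /tmp/pf.conf.new
```

Running `pfctl -nf` on the rewritten file before installing it is the check that matters: the substitution only changes the fragment keyword, so any syntax error it reports was already in the original.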

More information:
--
Swa Frantzen