Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Upswing UDP/7100

Published: 2008-03-04
Last Updated: 2008-03-05 18:05:36 UTC
by Adrien de Beaupre (Version: 3)
0 comment(s)

An observant reader noticed a fairly dramatic upswing in scanning for UDP/7100. This port is noted as being the X Font service.

More recent graph can be seen here.

Got packets? Got theory? Got sploit? Got malware?

Adrien de Beaupré

Update 1:
Solaris worm/bot?

Update 2:

The X Font Service runs on TCP.

0 comment(s)

One explanation for

Published: 2008-03-04
Last Updated: 2008-03-04 18:51:53 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

Simon wrote in with the following:

Just a note to let you know that I've seen the occasional bit of targeted two-part malware that uses an apparent loopback URL, explaining the URL in

Part one of the malware rewrote the LMHOSTS file so that the URL resolved to a malicious address. Part two then directed probed users to that URL; users who hadn't fallen for the first part got a bad link (and didn't realise the implications), while users who fell for the first part picked up malware. The site in question (now down) used a frameset to attack the usual laundry list of browser flaws, while displaying localhost. This results in the error message in IE6 looking very similar between compromised and non-compromised hosts.

Further, when the second part got sent down to us for analysis, it wasn't immediately recognised as a serious threat; how dangerous can be? It was only when we discovered the changes to LMHOSTS that we realised we were in trouble.

Thanks Simon!

Adrien de Beaupré

0 comment(s)

How and when to contact the Internet Storm Center

Published: 2008-03-04
Last Updated: 2008-03-04 17:44:20 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)

One of the best ways to contact us is via our 'Contact Us' page here. Please feel free to upload documents, logs, malware, packets, or other files of interest. We operate 24/7 and have volunteers from around the planet. We do attempt to reply to email we receive. When we do, please cc the handlers email address to keep everyone in the loop. Replies with the same subject line will also keep tracking numbers in place making thread review simpler.

We at the Internet Storm Center tend to receive a fair amount of email. The messages fall into a number of categories, the list is not all inclusive.

Things we LOVE to hear, in some way related to InfoSec:

- Intel about new or emerging threats.
- Anything new or unknown.
- Information about ongoing incidents, with as much detail as possible.
- Follow-up on diaries or emails with additional details, suggestions, theories etc...
- New or evolving malware.
- Interesting packets.
- Phishing sites and takedown requests.
- Outages, particularly if you can tell us why it went down.
- New tools or technieques.
- Generally interesting security related stuff.
- Humor.
- Kudos.
- Have I mentioned interesting stuff?

Things we don't know what to do with:

- Hello, is this the helpdesk for the entire Internet?
- Requests for a full refund (BTW the Internet Storm Center is free).
- Marketing or PR types complaining about something we wrote about their product, without providing any verifiable factual content.
- Really strange messages that defy description.
- Spam, yes our inbox receives spam. Talk about a good way to get blackholed or filtered.


- Email that should go to SANS addresses, such as for course related questions. Although we do forward them on there is a delay in getting a response.

Before you send us anything falling into the second category take a moment to reflect on what we do here at the Internet Storm Center, and the fact that we are an international and rather diverse (if not eclectic) group of volunteers. You may want to check out our 'About us' page here. In short, we are a bunch of security geeks that give up their time to write about issues we see as being relevant. Not all diary entries are relevant to all readers, such as this one.

Bottom line is that we want to know if a anyone sees something new and it appears to be security related.  The best thing we provide is fusion of incidents reported by people (rather than by computers) and the ability to rapidly publish a set of ideas and analysis.  Packets are always good, plus malware. Also websites hosting new or particularly evil malware (scripts, etc...)

Anything sent in is treated with the highest confidentiality, we do respect the labels and restrictions placed on disclosure of your employer, email address, name, or content.

One last note, it is worth mentioning that we would rather not discourage email, quite the contrary. If in doubt please feel to let us know what is going on. We really could not do our jobs without input from you. Thanks for letting me vent.

Adrien de Beaupré

0 comment(s)
Diary Archives