SANS ISC InfoSec Forums

Exploiting the admin process

Today has been a rather slow day at the Internet Storm Center.  Perhaps some folks in the US actually got Martin Luther King, Jr. Day off from work (or maybe not).  We got e-mail from Jim and Gordon though that got me thinking.  Jim e-mailed to report what he thought were (and may well be) spoofed referrer strings showing up in his weblogs.  His concern was that some of these referrers might host malware, so an admin who was diligently monitoring their logs might get infected when trying to follow up on how users found their website.  Gordon reported some unexpected behavior from Kiwi Syslog Daemon, which was being used to collect logs from a Sonicwall setup.  He noted that the firewall was showing outbound NetBIOS attempts to China (fortunately being blocked by the firewall) from the Windows machine collecting the logs.  It turns out that the Kiwi Syslog Daemon that he was using was attempting to look up the names (reverse lookups) of the machines that were hitting the firewall, first by DNS and then by NetBIOS (a feature that can apparently be disabled in v 8.3.6 BETA).  Again, this brought to mind the possibility that a responsible admin monitoring logs as they ought to could have that very diligence used against them.  I recall some time back an attack where folks were targeting, I think, one of the Apache log analyzers by crafting some of the data that gets logged (exact details escape me at the moment; I'll update the story with a link if I remember the details).  I'm not aware of this class of attacks being used widely these days, but I figured since it was slow, I'd ask our readers if they have seen any other attacks like this that actually target the diligent admin, and what types of defenses do you (or should you) take to protect against them?  The handlers kicked around a few thoughts among ourselves today and I'll include them with reader response in a follow-up story.
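The diary describes three ways a log review can turn on the reviewer: referrer strings that point at hostile sites, log collectors that resolve every logged address, and crafted fields aimed at whatever parses the log. The following is an added example (not from the diary or from any of the tools it mentions) of a log-review pass that avoids all three: it parses Apache "combined" format lines, reports referrers that are not the site's own as defanged strings so nobody clicks them, escapes control characters so a crafted field cannot smuggle terminal sequences or fake lines into the report, and never performs a DNS or NetBIOS lookup. The sample lines, the `OWN_HOSTS` set and the `some-site.invalid` referrer are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed for the example: hostnames that legitimately refer visitors to themselves.
OWN_HOSTS = {"www.example.com", "example.com"}

# Constructed sample log lines (RFC 5737 test addresses, .invalid TLD).
# The "/.web/a.gif?/" pattern is the one reported in the comment on this diary.
LOG_SAMPLE = [
    '203.0.113.7 - - [21/Jan/2008:10:02:11 -0500] "GET /index.html HTTP/1.1" 200 5120 '
    '"http://www.example.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Jan/2008:10:03:45 -0500] "GET /.web/a.gif?/ HTTP/1.1" 404 312 '
    '"http://some-site.invalid/.web/a.gif?/" "Mozilla/4.0"',
    # User-agent carrying an ESC character: a crafted field aimed at a terminal or analyzer.
    '198.51.100.9 - - [21/Jan/2008:10:04:01 -0500] "GET / HTTP/1.1" 200 5120 "-" "evil\x1b[2Jagent"',
]


def defang(url: str) -> str:
    """Render a URL non-clickable for a report (hxxp://, [.]) so a reviewer cannot open it by accident."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[.]")


def sanitize(field: str) -> str:
    """Escape anything outside printable ASCII so a logged field cannot inject terminal
    control sequences or line breaks into the review output (for log sources that do not
    already escape them the way current Apache releases do)."""
    return "".join(c if 32 <= ord(c) < 127 else f"\\x{ord(c):02x}" for c in field)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not fit the format."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def review(lines):
    """Return (external_referers, suspicious_fields) for a list of log lines.

    external_referers maps referrer hostname -> list of defanged referrer URLs.
    suspicious_fields lists (field_name, sanitized_value) for fields carrying
    non-printable bytes, plus ("unparsed", line) for lines that break the format.
    No hostname or address is resolved; the logged text is only ever displayed.
    """
    external = {}
    suspicious = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            suspicious.append(("unparsed", sanitize(line)))
            continue
        for name in ("request", "referer", "agent"):
            if any(not 32 <= ord(c) < 127 for c in rec[name]):
                suspicious.append((name, sanitize(rec[name])))
        ref = rec["referer"]
        if ref and ref != "-":
            host = (urlsplit(ref).hostname or "").lower()
            if host not in OWN_HOSTS:
                external.setdefault(host, []).append(defang(ref))
    return external, suspicious


if __name__ == "__main__":
    ext, sus = review(LOG_SAMPLE)
    for host, urls in sorted(ext.items()):
        print(f"external referrer {host}: {', '.join(urls)}")
    for name, value in sus:
        print(f"suspicious {name}: {value}")
```

The report stays a list of strings: the reviewer decides which referrers to look into and does so from a machine and network intended for that, rather than from the log host, and a collector configured like the Kiwi setup in the diary (automatic reverse DNS and NetBIOS lookups against every logged address) is exactly the behaviour this pass leaves out.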

ISC Handler
Jan 21st 2008
I had similar entries in my Apache log. They were failed pages with references to some site that ended in "/.web/a.gif?/". If anyone wants more of the log, let me know.
