MS05-019/Win2k3 SP1 Update Troubleshooting
More information is available regarding incompatibilities and gotchas after applying this update:
BIND4/BIND8 Unsuitable for Forwarder Use
If a nameserver -- any nameserver, whether BIND or otherwise -- is
configured to use forwarders, then none of the the target forwarders
can be running BIND4 or BIND8. Upgrade all nameservers used as forwarders to BIND9 . There is a current, wide scale Kashpureff-style DNS cache corruption attack which depends on BIND4 and BIND8 as forwarders targets.
Very useful BIND security matrix illustrating what issues affect which versions of BIND:
Also be sure to check out the fine template from Team CYMRU:
Thanks to Paul Vixie and others for re-articulating the forwarding issue more succinctly
TCP Port 9999 spike?
A number of spike reports for this port in recent days. Anyone have a good capture?
UPDATE:It has been suggested that the spike may be related to the proof of concept exploit for MS05-020 referenced below. Does anyone have any data to back that up?
We have also had numerous folks mail in pointers to the MySQL MaxDB Webtool exploit (from cybertronic) which also references port 9999 as well as some firewall deny logs for port 9999, but no traffic captures. The mystery continues......
Thanks to everyone for supporting distributed data collection and analysis effort.
Our friends in Europe who are seeing the port 9999 spike have pointed out they are seeing an immediate connection attempt to port 4444 afterwards which lends credibility to this spike being related to the MaxDB Webtool exploit.
TCPDump Buffer Overflows
Privilege separation is your friend:
MS05-020 POC Exploit Released by FrSIRT
As detailed here: http://www.frsirt.com/english/advisories/2005/0340
Spitzer Sues Intermix over Spyware
Anyone have a good location bar spellchecker? If it doesn't check against a dictionary it could at least check against a database of sites previously visited.
If I typed google.com correctly 999 times correctly in the past its likely thats what I wanted this time I typed goofgle[dot]com
Apr 29th 2005
|Thread locked Subscribe||
Apr 29th 2005
1 decade ago