SANS ISC: Porn is Evil; Workarounds vs Patching; Hopster; SSH Scans; phpBB Issue; Darwin was Right

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Evil Lurks on Porn Sites. Justin sent us a link to a porn site that asks visitors to download and install an executable that contains all of the naughty photos. Boy, were we tempted to download and open that file! Being good incident handlers we remained calm and first ran the executable through one of our favorite scanners. We found it to be just what we expected, a bot variant of some sort. Watch your logs for downloads of "linda.exe" and if you see it then perhaps you got bot.




Workarounds vs Patches. Vinicius sent us a nice note reminding everybody that sometimes we can't immediately patch but that the vendor's workarounds are good security steps to take anyway. He suggests,

I think that we, in general, are too used to say "patch now",

instead of truely studing the viability of workarounds. Many times 

workarounds are not exactly "workarounds", they're most times good 

practices that if had already been implemented would not let the 

system to be exploited even if the vulnerability is present in the 

software.

Patches prevents attacks only until next bug announce and don't 

isolate the human factor of security (ok, patching is important, 

but not always)

Hopster Signatures. Mike would like to know if anybody has developed any good Snort signatures for Hopster. If so, please send them to us via the contact form and we'll make them available for everybody.




SSH Scans Continue. Sebastian wrote to tell us that SSH scans continue unabated and that one of his customers lost a box to a brute force attack. Many virtual hosting companies are now disabling root logins via SSH, requiring customers to log in with an unprivileged account then su to root when needed. Good advice for anybody with an SSH service running. Find your SSH config file (/etc/sshd.config on many systems) and check to make sure this line appears:

PermitRootLogin          no  

ISC RSS Feed. Thanks to an anonymous reader, we found out that our RSS feed was kaput. It's back up now - http://iscxml.sans.org/rssfeed.xml




More phpBB Issues. Reg worked with a few of our handlers today to solve a recent phpBB issue with one of his servers. Something seems to be amiss with the "admin_forums.php" script and it resulted in a compromise with backdoor. We did some looking around and it seems that others have seen it too:
http://www.securityfocus.com/archive/1/396744

http://www.phpbb.com/phpBB/viewtopic.php?t=285815

If you have seen anything like this, please let us know.




Darwin Was Right. For those who don't hang out on Slashdot, there is a very amusing story going around about a young hacker who tried to raid an opponent's computer after being kicked out of a chat channel. Even Paul Harvey mentioned it today in his radio show. The rest of the story is at
http://www.totalillusions.net/forum/index.php?showtopic=328&st=0




Have a great weekend!




Marcus H. Sachs

Handler on Duty