Handler on Duty: Johannes Ullrich
Threat Level: green
Jim Clausing Diaries
- Security related Docker containers
- Tool update: mac-robber.py and le-hex-to-ip.py
- New tool: linux-pkgs.sh
- Tool updates: le-hex-to-ip.py and sigs.py
- Wireshark updates
- Wireshark releases 2 updates in one day. Mac users especially will want the latest.
- New tool: le-hex-to-ip.py
- Check out a couple of my older posts
- Wireshark 4.0.2 and 3.6.10 released
- Is this traffic bAD?
- Update: mac-robber.py
- Strange goings on with port 37
- Wireshark 3.4.6 (and 3.2.14) released
- So where did those Satori attacks come from?
- More weirdness on TCP port 26
- Analysis Dridex Dropper, IoC extraction (guest diary)
- Setting up the Dshield honeypot and tcp-honeypot.py
- Stackstrings, type 2
- Seriously, SHA3 where art thou?
- Attack traffic on TCP port 9673
- Next up, what's up with TCP port 26?
- What's up with TCP 853 (DNS over TLS)?
- Buffer overflows found in libpcap and tcpdump
- A few Ghidra tips for IDA users, part 4 - function call graphs
- A few Ghidra tips for IDA users, part 3 - conversion, labels, and comments
- A few Ghidra tips for IDA users, part 2 - strings and parameters
- A few Ghidra tips for IDA users, part 1 - the decompiler/unreachable code
- A few Ghidra tips for IDA users, part 0 - automatic comments for API call parameters
- A strange spam
- Quickie: Using radare2 to disassemble shellcode
- Followup to IPv6 brute force and IPv6 blocking
- Are you watching for brute force attacks on IPv6?
- What is going on with port 3333?
- Forensic use of mount --bind
- New tool: mac-robber.py
- WTF tcp port 81
- New tool: sigs.py
- Quick and dirty generic listener
- New tool: docker-mount.py
- Guest Diary: Linux Capabilities - A friend and foe
- Forensicating Docker, Part 1
- Novel method for slowing down Locky on Samba server using fail2ban
- More updates to kippo-log2db
- Scanning for Fortinet ssh backdoor
- VMware security update
- Update to kippo-log2db.pl
- Odd new ssh scanning, possibly for D-Link devices
- OpenVPN server DoS vulnerability fixed
- Microsoft November out-of-cycle patch MS14-068
- SSDEEP update
- UDP port 1900 DDoS traffic
- Unusual CRL traffic?
- New tool: kippo-log2db.pl
- Those strange e-mails with URLs in them can lead to Android malware
- New Apache web server release
- Apple updates iOS and Apple TV
- Updated dumpdns.pl
- What were you doing 25 years ago (yesterday)?
- So what passwords are those ssh scanners trying?
- Is there an epidemic of typo squatting?
- IPv6 Focus Month: Guest Diary: Matthew Newton - IPv6 Cat Feeder - Turning those extra bits into bytes, literally
- IPv6 Focus Month at the Internet Storm Center
- And the Java 0-days just keep on coming
- Oracle quitely releases Java 7u13 early
- Cuckoo 0.5 is out and the world didn't end
- Another month another password disclosure breach
- Skype account hijack vulnerability fixed
- Microsoft November 2012 Black Tuesday Update - Overview
- An analysis of the Yahoo! passwords
- Potential leak of 6.5+ million LinkedIn password hashes
- BIND 9 Update - DoS or information disclosure vulnerability
- Firefox, Thunderbird, and Seamonkey Security Updates
- Tool updates and Win 8
- New automated sandbox for Android malware
- Chrome to stop checking Certificate Revocation List (CRL)?
- Book Review: Practical Packet Analysis, 2nd ed
- Critical Control 6 - Maintenance, Monitoring, and Analysis of Security Audit Logs
- VMware Advisory - UDF file system handling
- Cisco Advisories - FWSM, ASA, and NAC
- Are your tools ready for IPv6? (part 2)
- Are your tools ready for IPv6? (part 1)
- Apple Security Updates 2011-004
- April 2011 Microsoft Black Tuesday Summary
- Apple updates Java
- March 2011 Microsoft Black Tuesday Summary
- What's up with port 8881?
- Updates to a couple of Sysinternals tools
- Help with odd port scans
- Tools updates - Oct 2010
- Cyber Security Awareness Month - Day 20 - Securing Mobile Devices
- August 2010 Micrsoft Black Tuesday Summary
- Free/inexpensive tools for monitoring systems/networks
- July 2010 Microsoft Black Tuesday Summary
- VMware Studio Security Update
- Forensic challenge results
- Wireshark SMB file extraction plug-in
- We are experiencing e-mail issues
- Teredo request for packets
- Memory Analysis - time to move beyond XP
- WordPress iframe injection?
- Apple Security Update 2010-001
- The IE saga continues, out-of-cycle patch coming soon
- 49Gbps DDoS, IPv4 exhaustion, and DNSSEC, oh my!
- Forensic challenges
- Updates to my GREM Gold scripts and a new script
- Microsoft Updates requiring reboot
- Tool updates
- A couple more tools
- Apple Updates
- OSSEC version 2.2 available
- Seclists.org is finally back
- Request for packets
- Tools for extracting files from pcaps
- New and updated cheat sheets
- New Volatility plugins
- Stego in TCP retransmissions
- More new volatility plugins
- NTPD autokey vulnerability
- Wireshark-1.0.8 released
- More tools for (US) Memorial Day
- A packet challenge and how I solved it
- Conficker Working Group site down
- Wireshark 1.0.7 released
- Cool combination of tools
- Followup from last shift and some research to do.
- The continuing IE saga - workarounds
- Critical update to Adobe AIR
- Finding stealth injected DLLs
- How are you coming with that IPv6 migration?
- A new cheat sheet and a contest
- Some recently updated tools
- New Firefoxen out
- Novell eDirectory advisory
- Day 6 - Network-based Intrusion Detection Systems
- Firefox 3.0.3 will be out probably tomorrow
- More on tools/resources/blogs
- Lessons learned from the Palin (and other) account hijacks
- WebEx ActiveX buffer overflow
- Another MS update that may have escaped notice
- OMFW 2008 reflections
- Joomla user password reset vulnerability being actively exploited
- And you thought the DNS issue was an old one...
- Handling the load
- Updates to some of our favorite tools
- Another little script I threw together
- The scoop on the spike in UDP port 7 traffic
- Followup to "What's going on..."
- Firefox 2.0.0.15 is out
- What's going on with these ports? Got packets?
- Followup to 'How do you monitor your website?'
- Emergingthreats.net and ThePlanet
- So, how do you monitor your website?
- Followup to Flash/swf stories
- Disaster donation scams continue
- OSSEC 1.5 released
- More on automated exploit generation
- Some interesting reading for a snowy Saturday
- US Daylight Savings Time starts this weekend
- Microsoft Black Tuesday Advanced Notification
- Wireshark 0.99.8 released
- Firefox 2.0.0.12 is out
- 12, count 'em 12 Microsoft Bulletins coming Tuesday
- Exploiting the admin process
- From the mailbag, December 3rd edition
- WSUS issues?
- OpenSSL bulletin
- Cyber Security Awareness Tip #12: Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)
- Python script for packer identification
- Apple iPhone update 1.1.1
- AOL changes the free anti-virus they distribute
- Next week's Microsoft patches
- name-services.com DoS
- SANSFIRE 2007 wrap up, part 1
- Interesting new tool
- Other miscellaneous stuff I've come across recently
- Apple TV security update
- Followup to packet tools story
- New PHP releases
- Cisco PIX/ASA DHCP relay agent vulnerability
- Packet tools
- Pidgin 2.0 (previously gaim) released, victim of its own success?
- Is WEP dead yet? Should it be?
- telnetd deja vu, this time it is Kerberos 5 telnetd
- Various Vista Concerns
- Yahoo mail problems
- Weekend grab bag
- Firefox 2.0.0.2 released
- New Samba release fixes security issues
- More on dealing with image spam
- OSSEC turns (v)1.0
- Dealing with images in your spam
- Cacti remote code and SQL injection vulnerability
- What should I do with these gift cards?
- Port 32000 spike, got packets?
- Archiving the snort tips
- Yahoo Messenger critical update
- MS06-075: csrss local privilege escalation (CVE-2006-5585)
- What will the big security stories of 2007 be?
- nmap-4.20 released
- Microsoft December advance patch notification
- GnuPG new versions-upgrade now
- MS06-071: MSXML Core Services
- MS06-069: Adobe Flash Player
- MS06-068: Microsoft Agent
- sinFP-2.03 release
- NetSol Worldnic DNS server issues
- Reader's tip of the day: ratios vs. raw counts
- Back to green, but the exploits are still running wild
- OpenSSH 4.4 (and 4.4p1) released
- MS06-049 re-release
- Issues with e-mail notifier
- Rant-of-the-day: on the dangers of orphaned software (the dark side of open source)
- Log analysis follow up
- Happy birthday, disk drive
- A few preliminary log analysis thoughts
- New feature at isc.sans.org
- Log Analysis tips?
- * MS06-042 reissue
- SquirrelMail 1.4.8 released
- ClamAV versions up to 0.88.3 DoS
- Fedora Core 4 goes into maintenance mode, FC1 and FC2 end-of-life
- Tip of the Day: Read e-mail in plain text (as God intended) :)
- Firefox 1.5.0.6 release imminent
- Thanx to our readers
- Opera 9 long href PoC
- Opera 9.0 released
- Farewell 6Bone
- Firefox and Thunderbird 1.5.0.4 released
- F-Secure web console buffer overflow
- Spamming as 'terror' tactic
- Spaf on reexamining
- SANS Top 20 Spring Update
- Opera updates, too
- Horde exploit attempts in the wild
- IE exploit on the loose, going to yellow
- McAfee DAT 4715 clean up tool available
- A TCP/IP mystery (solved)
- So, when is a security advisory, not a security advisory?
- The 866-PC-SAFETY poll
- New variant of mambo exploit making the rounds
- Problems with MS patch KB913446 (for the IGMP issue, MS06-007)
- Periodic reminder of best practices for cleaning up after infection.
- More on Blackmal/Grew/Nyxem (file deletion payload)
- Exploits in the wild for several PHP-based web apps
- Help us out with a Christmas story
- Update on the SUS issues
- * VMWare vulnerability announced and fixed
- Symantec AV RAR library vulnerability
- Computerized elections, some thoughts
- Odd behavior after MS-SQL scan
- What I'm reading today
- DHCP OS Fingerprinting
- More on hunting rogue access points
- IT Help for Katrina victims; More Katrina Malware; Gas shortage hoax e-mail; MS05-043 exploits in the wild?; Scanning for old Cisco vulnerabilities
- PnP Worm out; More on the current Veritas vuln; Microsoft Update and Win 2K3 w/o SP1; new gaim version
- New IE Exploit PoC; phpBB notes; new book
- ZoneAlarm shutdown problem update, MS Black Tuesday
- German Spam (concise version); MS05-021 and Snort Signatures; Is it a security problem?
- Tax Day and recovering from San Diego; Oracle patches; IRC spam worm
- Shamrocks and March Madness; Perl bots; MS05-004 update
- Happy Valentine's Day; ARCserve probes?; OWA issue; new Opera version
- Corrected: From the mailbag
- Thoughts on VoIP, Holiday recommended reading
- Random thoughts for a quiet Sunday
- Aftermath of Microsoft's October Bulletins, more bots, and Linux rootkits
- Mixed bag for a quiet Sunday
- Updated(2): Checkpoint VPN-1 ASN.1 vulnerability, RADIUS and wireless, reminder about home routers
- Updated: IWAP_WWW account on compromised IIS servers
- (Updated) Additional info on yesterday's Linksys item, the importance of patching
- Update: Sasser.d to start the work week, clean up tools may not be adequate
- Combined exploits of MS vulnerabilities, port 1981 increase
- More agobot/phatbot/polybot variants, cPanel resetpass exploit
- Updated: Bagle C Virus. New Vulnerability in RealSecure and BlackIce Products, Solaris 8 and 9 passwd(1) bulletin, WinZip flaw, IE cross-frame scripting issue
- More on MS04-007
- Updated: Security bulletins from Sun, more Dameware