Written by Matt Jonkman
Thursday, 03 April 2008

Put three new signatures up regarding UPnP. No new exploit or vulnerability, but we're seeing malware samples that are going straight to the local router on TCP UPnP port 2555. This is unusual; normal UPnP starts with UDP port 1900 to do discovery.

http://doc.emergingthreats.net/2008092
This sig will find Internal to Internal UPnP requests on port 2555. These are legal, but not normal. If you see this on a non-home network, it's likely something you'll want to follow up on if you weren't doing it on purpose.

http://doc.emergingthreats.net/2008093
This is similar to above, but for requests coming from outside to your perimeter or internal net. This is never a good thing to have happening, and with recent issues of routers coming out of the box with external administration enabled, you'll want to know about these.

http://doc.emergingthreats.net/2008094
Similar here, from outside to your local net, but the TCP port 2555 version. This is not a normal discovery protocol; someone's trying to access your systems. Definitely needs attention!

Please report any issues!

Matt
Last Updated ( Thursday, 03 April 2008 )
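
The triage logic described in this post, written out as an added example (not the Emerging Threats rules themselves, and not code from the original post). It sorts flow records by direction and port, and also separates internal TCP 2555 connections from hosts that never sent UDP 1900 discovery first. The `HOME_NET` ranges, the verdict labels, the treatment of inbound UDP 1900 as its own category, and the sample flows are assumptions made for illustration.

```python
import ipaddress

SSDP_PORT = 1900      # UDP discovery port named in the post
UPNP_TCP_PORT = 2555  # TCP port the malware samples connect to, per the post

# Assumption: "internal" means the RFC 1918 ranges; set this to your own HOME_NET.
HOME_NET = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def triage(flows):
    """Return (flow, verdict) pairs for flows worth following up.

    flows: time-ordered iterable of (timestamp, proto, src, dst, dport).
    """
    discovered = set()  # internal hosts already seen sending UDP 1900 discovery
    findings = []
    for flow in flows:
        _ts, proto, src, dst, dport = flow
        src_in, dst_in = is_internal(src), is_internal(dst)
        if proto == "udp" and dport == SSDP_PORT:
            if src_in:
                discovered.add(src)  # the normal start of a UPnP exchange
            elif dst_in:
                findings.append((flow, "inbound-discovery"))
        elif proto == "tcp" and dport == UPNP_TCP_PORT and dst_in:
            if not src_in:
                findings.append((flow, "inbound-tcp-2555"))
            elif src in discovered:
                findings.append((flow, "internal-tcp-2555"))
            else:
                # Straight to TCP 2555 with no discovery: the unusual pattern
                findings.append((flow, "internal-tcp-2555-no-discovery"))
    return findings

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    (1, "udp", "192.168.1.20", "239.255.255.250", 1900),
    (2, "tcp", "192.168.1.20", "192.168.1.1", 2555),
    (3, "tcp", "192.168.1.35", "192.168.1.1", 2555),
    (4, "tcp", "203.0.113.9", "192.168.1.1", 2555),
    (5, "udp", "203.0.113.9", "192.168.1.1", 1900),
    (6, "tcp", "192.168.1.20", "192.168.1.1", 80),
]

if __name__ == "__main__":
    for flow, verdict in triage(SAMPLE_FLOWS):
        print(verdict, flow)
```
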
Written by Matt Jonkman
Wednesday, 26 March 2008

Nginx (http://nginx.net/) is a good HTTP server and proxy, used in a lot of places for legitimate things. Unfortunately it's used most often in hosting or redirecting for malicious sites. I've added sig 2008054 to catch these. This doesn't necessarily mean 100% that traffic is hostile, but it's worth checking into.

As always please report any issues!

UPDATE: The existing sigs didn't work; too many legitimate sites are using nginx. Have added two signatures, 2008064 and 2008065, to catch modified server version strings that are more likely to be hostile.
Last Updated ( Friday, 28 March 2008 )