Written by Matt Jonkman
Thursday, 28 August 2008
http://voices.washingtonpost.com/securityfix/2008/08/report_slams_us_host_as_major.html
ET in the Post, with research data based on what we all collect as a community.
--Snip--
Several noted security researchers are releasing a report today that stems from many months of investigating malicious activity emanating from Atrivo's customers. Security experts say that Atrivo, also known as "Intercage," has long been a major source of spyware, adware, viruses and fake anti-virus products.
The report is an exhaustive and well-researched analysis of Atrivo and its operations. Some of the statistics on active exploits cited in that report come from data sets I commissioned during my own investigation of Atrivo and later shared with Jart Armin, the principal author of the report and curator of the blog hostexploit.com.
--Snip--
Good article and a good paper, not just because we're all in it. You can go directly there at:
http://www.hostexploit.com/
http://hostexploit.com/index.php?option=com_content&view=article&id=11&Itemid=17
Those nets that aren't already in our known compromised list will go in shortly as well, another good reason to use those rulesets.
Matt

Last Updated (Thursday, 28 August 2008)
Written by Matt Jonkman
Wednesday, 27 August 2008
Thanks to Jim Mcquaid for a major update to the RBN networks ruleset. He's been hard at work following their DNS trail.
The current ruleset reflects a few removed ranges that RBN has apparently left, and a number of new ones, notably many in Russian IP space. So be sure to update your rulesets soon.
Thanks Jim! Great work!
Written by Matt Jonkman
Monday, 25 August 2008
Adam sent these sigs in; he points out that you can remotely enable xp_cmdshell even if it's disabled. I was not aware of that. These sigs catch the attempt to enable it. The second sig looks like it may FP, but I'm going to give it a shot since the traffic is TO HTTP servers only.
#by Adam Pointon at sentinelsecurity.com.au
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET EXPLOIT SQL sp_configure - configuration change"; flow:to_server,established; content:"s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|"; nocase; classtype:attempted-user; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; sid:2008517; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT SQL sp_configure attempt"; flow:to_server,established; content:"sp_configure"; nocase; reference:url,msdn.microsoft.com/en-us/library/ms190693.aspx; classtype:attempted-user; sid:2008518; rev:1;)
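To see why the first sig spells the string out as s|00|p|00|... while the second uses plain ASCII, here is an added Python example (not code from the page or from ET) that decodes the two content strings and runs the nocase match over constructed sample payloads: a minimal TDS SQL Batch packet (the UTF-16LE form SQL Server sees on 1433) and an HTTP form post that merely mentions sp_configure, which shows the FP risk noted above. Only the content match is modelled; ports, direction and flow state are ignored, and the TDS header and sample traffic are constructed here.

```python
from typing import Set

# The content strings of SIDs 2008517 and 2008518 as given in the rules above.
RULES = {
    2008517: "s|00|p|00|_|00|c|00|o|00|n|00|f|00|i|00|g|00|u|00|r|00|e|00|",
    2008518: "sp_configure",
}


def snort_content_to_bytes(pattern: str) -> bytes:
    """Turn a Snort content string with |hh hh| hex escapes into raw bytes."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")  # literal text outside the pipes
        else:
            out += bytes.fromhex(chunk)     # hex bytes inside the pipes
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = True) -> bool:
    """Snort 'content' semantics: substring search, ASCII-only case folding for nocase."""
    needle = snort_content_to_bytes(pattern)
    if nocase:
        return needle.lower() in payload.lower()  # bytes.lower() leaves \x00 untouched
    return needle in payload


def matching_sids(payload: bytes) -> Set[int]:
    """Return the SIDs whose content string is found in the payload."""
    return {sid for sid, pat in RULES.items() if content_matches(payload, pat)}


def tds_sql_batch(sql: str) -> bytes:
    """Wrap SQL text in a constructed minimal TDS SQL Batch packet (type 0x01).

    Header: type, status (0x01 = end of message), length (big-endian, header
    included), SPID, packet id, window. The batch text itself is UTF-16LE,
    which is why the 1433 rule interleaves |00| after every ASCII character.
    """
    body = sql.encode("utf-16-le")
    length = 8 + len(body)
    return bytes([0x01, 0x01]) + length.to_bytes(2, "big") + b"\x00\x00\x01\x00" + body


# Constructed samples, not real captures.
TDS_BATCH = tds_sql_batch("EXEC sp_configure 'show advanced options', 1")
HTTP_FORUM_POST = (b"POST /post.php HTTP/1.1\r\nHost: forum.example\r\n\r\n"
                   b"body=How+do+I+read+SP_CONFIGURE+output%3F")

if __name__ == "__main__":
    print("TDS batch fires:", matching_sids(TDS_BATCH))          # {2008517}
    print("forum post fires:", matching_sids(HTTP_FORUM_POST))   # {2008518}
```

The ASCII rule never fires on the TDS batch because of the interleaved nulls, and the UTF-16LE rule never fires on the HTTP body; the forum post trips 2008518 on nocase alone, which is exactly the benign-looking traffic the second sig may FP on.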