Terradon Communications Group
Computer Security Incident Response
Welcome to Terradon Communications Group's Computer Security Incident Response Center. This site will
be a source of information for TCG managed-security customers as well as a general security resource.
This site will maintain a running incident handler's diary, which should provide a decent running history
of the security landscape for networks located in West Virginia and around the country.
Latest Incidents and Responses
keith.morgan@terradon.com 2006-11-29 17:00:00 Blocking the spammers day!
I've been blocking quite a few spammers. Most of these spammers exist as botnet zombie hosts (hacked computers under the control of one or a few hackers) which are ordered to send out spam from hundreds of hosts at once. In many cases, I'm blocking their entire host networks to avoid future attacks when the spammer just changes his IP address received from his ISP.
Today alone, on just one customer firewall, we've blocked 32,959 probes from networks and hosts previously identified as hacked or malicious systems, or systems that reside on networks rife with compromised / malicious systems.
keith.morgan@terradon.com 2006-11-27 12:40:49 Turkey didn't slow the hackers down...
It's been a busy Thanksgiving week. We had thousands of SSH scans from an Italian IP address. This is actually a bit unusual. The Italians aren't world renowned for having cesspools for networks. Oh well, the Italian IP was blocked. Ciao!
We were also forced to block some very large Chinese network blocks. I don't believe I've ever seen a legitimate packet from China or Korea in my entire career. These particular blocks were the result of voluminous spam and FTP brute force attempts.
The PHP scans continue. The only thing new on that front was an increase in attacks against phpBB. The phpBB vulnerabilities have been numerous, but they're also somewhat old. These scans looked like a worm. If I were a betting man, I'd bet there's a new worm running around exploiting vulnerable phpBB sites. (For the record, there are a ton of them.)
Probably the most interesting thing over the Thanksgiving week was a small, but sneaky set of scans from a Romanian network. Unlike Italy, Romania is definitely well known for being an internet cesspool. "Hacking is Really Cool, All the Kids Are Doing It!" seems to be the mantra over there. Normally Romanian scans are overt and noisy. These were sneaky and quiet. We're watching, though.
keith.morgan@terradon.com 2006-11-15 15:32:28 Some old, some new.
Let's get through the old first. Lots of PHP exploit attempts floating around out there. Lots of FrontPage exploit attempts hitting customer networks as well. And there's been a huge resurgence of SSH scans. And that's the summary of the old.
Here's a summary of the new:
We've detected IDS evasion techniques on several customer networks. What's interesting about these is that the evasion techniques did not involve the delivery of exploit payloads. They involved the delivery of spam. Apparently spammers are jumping on the tiny packet fragmentation bandwagon in an attempt to evade anti-spam gateways. I found this very interesting. Your anti-spam vendor should too.
keith.morgan@terradon.com 2006-11-09 14:56:55 FTP and PHP
If you have world-facing FTP servers, you'd better make sure the users have strong passwords, else you'll wind up hosting warez, porn, and music by the truckload pretty quickly. If you must have world-facing FTP servers, don't allow any of the users to write data to them. Eventually, a warez bot or kiddie will get lucky, guess the password, and you'll be serving stolen software to the whole world.
A better option would be to use SFTP so that your legitimate user passwords aren't sniffed on the wire. But that won't help you if your users have weak passwords to begin with.
Just as an idea of the scope, we're seeing tens of thousands of brute force attempts per day on customer systems. Use strong passwords, folks.
PHP script attacks continue. The vast majority of them appear to be canned scans or scripts. I haven't seen any so far this week that look like hand-crafted attempts. However, having said this, if you value the data on any servers running PHP, you might want to have a third-party code security audit. Additionally, there was a recent vulnerability announcement on PHP 4, so if you're running it, upgrade.
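The kind of check that sits behind the brute-force counts and network-wide blocks described in these entries, as an added example rather than Terradon's own tooling: it parses constructed vsftpd-style FTP log lines (the log format and the addresses are assumptions), counts failed logins per source address, and proposes single-host blocks as well as whole /24 blocks when several hosts in one network are attacking, while leaving a legitimate user's single typo alone.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in vsftpd's log-file style (format assumed here);
# all addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Thu Nov  9 14:01:03 2006 [pid 4020] [admin] FAIL LOGIN: Client "203.0.113.7"
Thu Nov  9 14:01:05 2006 [pid 4022] [admin] FAIL LOGIN: Client "203.0.113.7"
Thu Nov  9 14:01:07 2006 [pid 4024] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Nov  9 14:02:11 2006 [pid 4030] [ftp] FAIL LOGIN: Client "198.51.100.10"
Thu Nov  9 14:02:12 2006 [pid 4031] [ftp] FAIL LOGIN: Client "198.51.100.11"
Thu Nov  9 14:02:13 2006 [pid 4032] [ftp] FAIL LOGIN: Client "198.51.100.12"
Thu Nov  9 14:02:20 2006 [pid 4033] [web] FAIL LOGIN: Client "198.51.100.10"
Thu Nov  9 14:02:21 2006 [pid 4034] [web] FAIL LOGIN: Client "198.51.100.11"
Thu Nov  9 14:02:22 2006 [pid 4035] [web] FAIL LOGIN: Client "198.51.100.12"
Thu Nov  9 14:05:40 2006 [pid 4040] [jsmith] FAIL LOGIN: Client "192.0.2.5"
Thu Nov  9 14:05:48 2006 [pid 4041] [jsmith] OK LOGIN: Client "192.0.2.5"
"""
FAIL_RE = re.compile(r'\[(?P<user>[^\]]+)\] FAIL LOGIN: Client "(?P<ip>[0-9.]+)"')


def failures_per_host(log_text):
    """Count failed logins per source address (successful logins are ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def block_candidates(log_text, host_threshold=3, net_hosts=3, net_host_min=2):
    """A host is blocked past host_threshold failures; a whole /24 is blocked when
    net_hosts distinct addresses in it each fail net_host_min or more times."""
    counts = failures_per_host(log_text)
    hosts = {ip for ip, n in counts.items() if n >= host_threshold}
    per_net = Counter()  # distinct attacking hosts seen per /24
    for ip, n in counts.items():
        if n >= net_host_min:
            net = ipaddress.ip_network(f"{ip}/24", strict=False)
            per_net[str(net)] += 1
    networks = {net for net, k in per_net.items() if k >= net_hosts}
    return hosts, networks


if __name__ == "__main__":
    hosts, nets = block_candidates(SAMPLE_LOG)
    print("block hosts:   ", sorted(hosts))      # ['203.0.113.7']
    print("block networks:", sorted(nets))       # ['198.51.100.0/24']
```

The thresholds are deliberately low for the short sample; against a real day of logs they would be tuned so that one mistyped password never earns a user a block.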