McAfee Artemis/GTI File Reputation False Positive
We got a couple readers reporting false postive issues with McAffees GTI and Artemis products. According to a knowledgebase article on McAfee's site, it appears that the file reputation system is producing bad results due to a server issue [1]
From our readers:
I've seen an explosion of detections under Artemis on files I wouldn't expect. One machine is trying to delete the autorun on a U3 USB drive's emulated CD. Community.McAfee.com slowed down and went offline. I've been on hold far longer than I'd expect for support. (Michael) ------------ McAfee VirusScan is eating files again. This time it’s their GTI servers. I managed to shut off heuristics via EPO before it got out of hand. Minor OS and app damage. (John) ------------ Artemis is a file reputation checking service from McAfee included in its Virus Scan Enterprise. Today it went on the fritz for my organization around 1600 EST. It was deleting random files such as our Cisco IP Communicator and all kinds of temp files etc. McAfee sent us a notification and will be sending more info out on its SNS mailing list. Advise all turn off Artemis features for home and business users and in the meantime they shut the cloud servers down. (Travis)[1] https://kc.mcafee.com/corporate/index?page=content&id=KB78993
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
POP3 Server Brute Forcing Attempts Using Polycom Credentials
Our reader Pete submitted an interesting set of log entries from his POP3 server:
LOGIN FAILED, user=PlcmSpIp, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=plcmspip, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=ts, ip=[::ffff:117.102.119.146]
LOGIN FAILED, user=bsoft, ip=[::ffff:117.102.119.146]
The interesting part is that the attacker used usernames that are usually associated with Polycom SIP PBXs. I don't have a Polycom server handy, but if anybody has: Do they usually include a POP3 server? Or do they require POP3 accounts for these credentials?
------Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Ubuntu Forums Security Breach
Ubuntu forums are currently down because they have been breached. According to their post, "the attackers have gotten every user's local username, password, and email address from the Ubuntu Forums database." [1] They have advised their users that if they are using the same password with other services, to change their password immediately. Other services such as Ubuntu One, Launchpad and other Ubuntu/Canonical services are not affected. Their current announcement is can be read here.
Update: Ubuntu posted a post mortem on the Forums compromised that occurred last week available here. They provided a good summary on how they think the compromised occurred and what they did to clean and harden the site against further attack.
[1] http://ubuntuforums.org/announce.html
[2] http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Comments