My next class:

more https scanning reports

Published: 2004-07-18. Last Updated: 2004-07-19 13:26:41 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)
More HTTPS Scanning Reports

We did receive more packet captures registering scans for the SSL-PCT
exploit. It still appears like the THC exploit is used and additional
code is downloaded to the affected systems via tftp.

Problems With MS04-022

One reader reported problems installing MS04-022. This is in particular
of interest as an exploit for this vulnerability is already public. As
usual, we do advice to carefully test patches. The report we received
indicates that tasked scheduled with the task scheduler did no longer
execute. A sample error message:


0x8004130f: No account information could be found

in the Task Scheduler security database for the

task indicated.


Port 2003

A possible command channel / remote shell has been found on port 2003 in a
specific network. No widespread use of this port has been registered.

Host Based IDS for Windows

Frequently, users ask how to make sure that a system has not been compromissed, or how to determine for sure the scope of a compromise. Host based intrusion
detection systems are a good way to detect altered binaries. For Linux, a
wide range of free and commercial systems exist (AIDE, tripwire, SNARE), which
will catalog system files and save cryptographically secured checksums. We
would like to hear what users are recommending for Windows systems.

(Update: A few users commented that GFI Languard is available for Windows
http://www.sans.org/rr/papers/index.php?id=1396 )
------------

Johannes Ullrich, jullrich _AT_ sans.org
Keywords:
0 comment(s)
My next class:

Comments


Diary Archives