INCIDENTS

Traditionally, people affected by a security incident were faced with limited choices for reporting it. Typical choices were reporting to a local incident handling team (if one existed), CERT, law enforcement, or random mailing lists that did not specifically deal with incident reporting. Time has shown that such choices fail to communicate this important information in a timely fashion to others who may be affected.

The INCIDENTS mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information.

0 Administrivia

0.1 Charter
0.1.1 What is INCIDENTS?
0.1.2 What is appropriate content?
0.1.3 What is inappropriate content?
0.1.4 Is the list moderated?
0.1.5 Who are the moderators?

0.2 List Management
0.2.1 How do I subscribe?
0.2.2 How do I unsubscribe?
0.2.3 How do I disable mail delivery temporarily?
0.2.4 Is the list available in a digest format?
0.2.5 How do I subscribe to the digest?
0.2.6 How do I unsubscribe from the digest?
0.2.7 I seem to not be able to unsubscribe. What is going on?
0.2.8 Can you add a tag like "[INCIDENTS]" to the subject line of each message?

0.3 Incident Information
0.3.1 What services use port number 'X'?
0.3.2 What is this ADMROCKS directory I've found on my machine?
0.3.3 What are these addresses in the 169.254.0.0/16 range I am seeing?
0.3.4 What are these DNS queries for VERSION.BIND I keep seeing?
0.3.5 What is this traffic I am seeing to ports 22/udp or 5632/udp?



0 Administrivia
0.1 Charter
0.1.1 What is INCIDENTS?

Traditionally, people affected by a security incident were faced with limited choices for reporting it. Typical choices were reporting to a local incident handling team (if one existed), CERT, law enforcement, or random mailing lists that did not specifically deal with incident reporting. Time has shown that such choices fail to communicate this important information in a timely fashion to others who may be affected.

The INCIDENTS mailing list is a lightly moderated mailing list to facilitate the quick exchange of security incident information.

0.1.2 What is appropriate content?

Please follow the guidelines below on what kind of information should be posted to the INCIDENTS list:

0.1.3 What is inappropriate content?

0.1.4 Is the list moderated?

Yes.

0.1.5 Who are the moderators?

Jesse Gough and Josh Talbot. You can reach Jesse at jgough@securityfocus.com and Josh at modincidents@securityfocus.com.

0.2 List Management
0.2.1 How do I subscribe?

Send an e-mail message to incidents-subscribe@securityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

0.2.2 How do I unsubscribe?

Send an e-mail message to incidents-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

If your email address has changed, email listadmin@securityfocus.com and ask to be removed manually.

0.2.3 How do I disable mail delivery temporarily?

Unsubscribe from the list and resubscribe to start receiving mailing list traffic again.

0.2.4 Is the list available in a digest format?

Yes. The digest is generated once a day.

0.2.5 How do I subscribe to the digest?

Send an e-mail message to incidents-digest-subscribe@securityfocus.com. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

0.2.6 How do I unsubscribe from the digest?

Send an e-mail message to incidents-digest-unsubscribe@securityfocus.com from the subscribed address. The contents of the subject or message body do not matter. You will receive a confirmation request message to which you will have to answer.

0.2.7 I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than the one from which you are sending commands to the list. Either send the email from the subscribed address or email listadmin@securityfocus.com to be unsubscribed manually.

0.2.8 Can you add a tag like "[INCIDENTS]" to the subject line of each message?

Not at this time.

0.3 Incident Information
0.3.1 What services use port number 'X'?

To find out what service or application uses a given network port number, visit one of these web pages:

0.3.2 What is this ADMROCKS directory I've found on my machine?

Finding a directory called ADMROCKS on your host is a sign someone has broken into it via a BIND exploit. This directory is created by the exploit "t666" from the hacker group ADM. The program exploits a vulnerability on the BIND name server (BUGTRAQ ID 788). The exploit is targeted at Linux systems. This vulnerability is being actively exploited. There have been numerous reports of people finding this directory on their machines.

0.3.3 What are these addresses in the 169.254.0.0/16 range I am seeing?

The IPv4 address range 169.254.0.0/16 is reserved for link-local connectivity. A DHCP client that cannot communicate with a DHCP server will select an unused address in the link-local range for itself. This allows hosts on the same local network without a DHCP server to communicate between themselves.

This behaviour can be disabled via a new DHCP option documented in RFC 2563.

If you find link-local addresses in your firewall logs, you are probably seeing stray traffic from a DHCP client that could not reach a DHCP server.

0.3.4 What are these DNS queries for VERSION.BIND I keep seeing?

These DNS queries can sometimes be used to find out if a DNS server is running the BIND name server software and what version. It can be used by intruders to better target their attacks.

These queries are also used by F5 Networks' 3-DNS distributed load balancing product (versions 2.1 or later) to determine the "closest" server to some host.
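To tell a VERSION.BIND query apart from ordinary DNS traffic you need to look at the question section: the name is "version.bind" and, unlike normal lookups, the query class is CHAOS (3) rather than IN (1), with type TXT (16). The following is an added example, not code from the FAQ or from SecurityFocus; it builds a few constructed query packets and parses the question section to flag them. Remember from the paragraph above that a match is not proof of an intruder, since F5 3-DNS sends the same query, so the result is a classification for review, not an alert on its own.

```python
import struct

QTYPE_TXT = 16     # DNS TXT record type
QCLASS_IN = 1      # Internet class, used by almost all normal queries
QCLASS_CHAOS = 3   # CHAOS class, used by the version.bind convention


def build_query(qname, qtype, qclass, txid=0x1234):
    """Build a minimal DNS query packet.

    Constructed sample input for the example, not captured traffic.
    """
    # Header: id, flags (RD set), qdcount=1, ancount/nscount/arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b""
    for part in qname.strip(".").split("."):
        labels += bytes([len(part)]) + part.encode("ascii")
    labels += b"\x00"  # root label terminates the name
    return header + labels + struct.pack("!HH", qtype, qclass)


def parse_question(packet):
    """Return (qname, qtype, qclass) for the first question in a DNS packet.

    Raises ValueError on truncated or malformed input instead of guessing.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    offset = 12
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated qname")
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers only make sense in answers; a query
            # name using one is malformed for our purposes.
            raise ValueError("compression pointer in question name")
        if offset + length > len(packet):
            raise ValueError("truncated label")
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    if offset + 4 > len(packet):
        raise ValueError("truncated question fields")
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    # DNS names are case-insensitive, so normalise before comparing
    return ".".join(labels).lower(), qtype, qclass


def is_version_bind_query(packet):
    """True when the packet is a version.bind CH TXT query."""
    qname, qtype, qclass = parse_question(packet)
    return qname == "version.bind" and qclass == QCLASS_CHAOS and qtype == QTYPE_TXT


if __name__ == "__main__":
    samples = {
        "version.bind CH TXT": build_query("version.bind", QTYPE_TXT, QCLASS_CHAOS),
        "VERSION.BIND CH TXT": build_query("VERSION.BIND", QTYPE_TXT, QCLASS_CHAOS),
        "www.example.com IN A": build_query("www.example.com", 1, QCLASS_IN),
    }
    for label, pkt in samples.items():
        print(f"{label:24s} -> {is_version_bind_query(pkt)}")
```

Because the check keys on the CHAOS class as well as the name, an ordinary IN-class lookup of a host that happens to be named "version.bind" is not flagged; on a real sensor you would feed `is_version_bind_query` the UDP payload of port 53 datagrams and count matches per source address before deciding anything.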

0.3.5 What is this traffic I am seeing to ports 22/udp or 5632/udp?

PCAnywhere uses an "IP discovery protocol" to find other PCAnywhere servers on the local segment, where the assumption is that the local segment is all IP addresses from "xxx.xxx.xxx.1" to "xxx.xxx.xxx.254" (i.e. the local class C allocation). Thus, cable-modem and DSL users will often see connections to these ports from other people who have PCAnywhere installed.
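Both 0.3.3 and 0.3.5 describe log noise that is usually benign but easy to mistake for an attack. The following added example (not code from the FAQ or from SecurityFocus) parses a handful of constructed firewall log lines in a simple key=value format, an assumption for the example rather than any particular firewall's format, and sorts each entry into one of three buckets: link-local traffic from a DHCP client, PCAnywhere discovery probes to 22/udp or 5632/udp, and everything else. It also records whether a PCAnywhere probe came from the same /24 as its target, which is what the paragraph above would lead you to expect for a cable or DSL neighbour.

```python
import ipaddress
import re

# RFC 3927 link-local range discussed in 0.3.3
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# UDP ports used by the PCAnywhere discovery protocol discussed in 0.3.5
PCANYWHERE_UDP_PORTS = {22, 5632}

# Constructed sample log, not a real capture. TCP/22 is included on purpose:
# SSH on tcp/22 is unrelated to PCAnywhere discovery on udp/22.
SAMPLE_LOG = """\
2006-03-01T10:00:00 proto=udp src=169.254.33.7 dst=255.255.255.255 sport=68 dport=67
2006-03-01T10:00:05 proto=udp src=24.1.2.57 dst=24.1.2.8 sport=5632 dport=5632
2006-03-01T10:00:09 proto=udp src=24.1.2.57 dst=24.1.2.8 sport=5632 dport=22
2006-03-01T10:00:12 proto=tcp src=24.1.2.57 dst=24.1.2.8 sport=1054 dport=22
2006-03-01T10:00:20 proto=tcp src=10.0.0.5 dst=10.0.0.9 sport=40000 dport=80
this line is garbage and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None  # malformed address, treat like an unparseable line
    return {
        "ts": m.group("ts"),
        "proto": m.group("proto").lower(),
        "src": src,
        "dst": dst,
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
    }


def same_class_c(a, b):
    """True when two addresses share the same /24 (the 'local segment' PCAnywhere assumes)."""
    return ipaddress.ip_network(f"{a}/24", strict=False) == ipaddress.ip_network(f"{b}/24", strict=False)


def classify(entry):
    """Return a label for one parsed log entry."""
    if entry["src"] in LINK_LOCAL or entry["dst"] in LINK_LOCAL:
        return "link-local"
    if entry["proto"] == "udp" and entry["dport"] in PCANYWHERE_UDP_PORTS:
        return "pcanywhere-discovery"
    return "other"


def summarize(log_text):
    """Count entries per label; PCAnywhere probes also get a same-/24 breakdown."""
    counts = {"link-local": 0, "pcanywhere-discovery": 0, "other": 0}
    same_segment = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        label = classify(entry)
        counts[label] += 1
        if label == "pcanywhere-discovery" and same_class_c(entry["src"], entry["dst"]):
            same_segment += 1
    return {"counts": counts, "pcanywhere_same_class_c": same_segment}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The protocol check matters: only UDP to 22 or 5632 is PCAnywhere discovery, so the tcp/22 line lands in "other" rather than being explained away as a neighbour's PCAnywhere. A run of discovery probes from outside your /24, or link-local traffic arriving through a router, is the case that deserves a closer look, since neither fits the benign explanations given in the FAQ.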


Copyright 2006, SecurityFocus