High volume of Mambo scans
2006-05-13 Daniel Cid (danielcid yahoo com br) (4 replies)
Since Thursday night I'm seeing a high volume of scans on different web servers for possibly the following vulns: http://secunia.com/advisories/14337/ http://www.osvdb.org/displayvuln.php?osvdb_id=10180 However, they say the problem is on function.php and I'm seeing them on index.php. Can anyone [ more ]

Re: OpenNIC "attack?"
2006-05-10 msjb82 hotmail com
"We would like (if possible) just to block the bogus requests automatically and get a single message warning us that someone's infected." The problem is, those aren't necessarily bogus requests. .glue is very much a valid domain name, I have been to several .glue domain web sites. Mayb [ more ]

Weblog software XSS attack?
2006-05-04 Benjamin Franz (snowhare nihongo org)
Something I've started seeing in my Apache logs occasionally in the last month and a half are entries like these from a small number of IP addresses (N approximately 4 addresses). Sample entries:
82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTT [ more ]

National Secret Agency of Slovak Republic
2006-04-26 Jozef Kutej (jozef kutej net)
Hello. Our Secret Agency NBU SR, was hacked through Horde application framework. They used username nbusr and password nbusr123. Root/cisco passwords like 123456. They deserve what they got... More http://blackhole.sk/node/442 but it's in slovak language with "screen shots" at the bottom. Jozef. [ more ]

Re: Someone scanning for new PHP issues?
2006-04-16 Sûnnet Beskerming (info beskerming com)
Jamie, You are right that the second trap is searching for the horde exploit. The first one you link to is for the remote code execution exploit in the Vwar gaming clan management system, with exploit code published publicly on 02 April 06. For reference, full sample exploit code is here: [ more ]

Someone scanning for new PHP issues?
2006-04-16 Jamie Riden (jamesr europe com) (1 replies)
One of these might be the Horde exploit- http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other? cheers, Jamie
02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P 0:412(412) ack 1 win 65535
0x0000: 4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1 E..... (at) .q.P... (dot) . [email concealed] [ more ]

Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only
2006-04-12 tsteeves uvic ca (1 replies)
Take an IP from the source host network and add it as a secondary IP on the routed interface for the vlan - for the 0.10.94.27 host add "ip address 0.10.94.254 secondary" to the router. Then do a broadcast ping from the router - ping 0.10.94.255. Then show the arp cache for the vlan - show ip arp vl [ more ]

RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only
2006-04-12 David Gillett (gillettdavid fhda edu) (1 replies)

Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only
2006-04-13 lupe lupe-christoph de (Lupe Christoph)

RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-11 AJ Cochenour (ajc mytcpip net) (1 replies)
Assuming CatOS on the C4506:
1. Issue the following to locate port if host may be directly connected: 'sh cam dynamic | include <Questionable Source MAC -- FF-FF-FF-FF-FF-FF>'
2. If operating within distributed switch network issue the following (assuming Cisco/Foundry topology): 'l2trace [ more ]

RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-12 Jose Nazario (jose monkey org)

RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-11 Nyuk Loong Kiw (Kiw safecom co nz) (1 replies)
Are all the netflow packets generated by the 4506 switch? Are you using flowtools for netflow analysis? From memory flows generated by cisco devices actually have the additional interface identifier or something similar in the actual flow packets itself, if you know which cisco interface is the 'i [ more ]

Re: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-11 Stef (stefmit gmail com)

Re: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-11 Stef (stefmit gmail com) (1 replies)
UPDATE: Thanks to all who replied, and continue(d) with suggestions. We still have not been able to isolate the problem - the attempt is now to shut down one port at a time, and watch netflow to see when it stops (we are waiting for each port for a 2 * cache expiration, so that we do not risk to mo [ more ]

Re: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-11 Roland Dobbins (rdobbins cisco com)

RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly
2006-04-10 Pierre, Jean-Raymond (jean pierre slac stanford edu)
Combining the below from Nicolai with setting up the port in promiscuous mode and running a Network Sniffer tool would give you enough data to track it down, I would think. - Jean-Raymond Xavier Pierre Scientific Computing and Computing Services Stanford Linear Accelerator Center -----Original Mess [ more ]
vulnerability - haven't seen this before:
if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
srand;
[ more ]