Incidents
Re: High volume of Mambo scans (perlb0t) 2006-05-14
Jamie Riden (jamesr europe com)
Seems to have some kind of google search code for the particular
vulnerability - haven't seen this before:

if ($funcarg =~ /^google\s+(\d+)\s+(.*)/) {
sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Scanning for unpatched mambo for ".$1." seconds.");
srand;

High volume of Mambo scans 2006-05-13
Daniel Cid (danielcid yahoo com br) (4 replies)
Since Thursday night I'm seeing a high volume of scans
on different web servers for possibly the following
vulns:

http://secunia.com/advisories/14337/
http://www.osvdb.org/displayvuln.php?osvdb_id=10180

However, they say the problem is on function.php and
I'm seeing them on index.php. Can anyone

Re: High volume of Mambo scans 2006-05-15
Karl Schlitt (karl dakota-st com)
Re: High volume of Mambo scans 2006-05-15
George A. Theall (theall tifaware com)
Re: High volume of Mambo scans 2006-05-14
Peter Kosinar (goober ksp sk)
Re: High volume of Mambo scans 2006-05-14
Jamie Riden (jamesr europe com)
Re: OpenNIC "attack?" 2006-05-10
msjb82 hotmail com
"We would like (if possible) just to block the bogus requests automatically and get a single message warning us that someone's infected."

The problem is, those aren't necessarily bogus requests. .glue is very much a valid domain name, I have been to several .glue domain web sites.

Mayb

Weblog software XSS attack? 2006-05-04
Benjamin Franz (snowhare nihongo org)
Something I've started seeing in my Apache logs occasionally in the last
month and a half are entries like these from a small number of IP
addresses (N approximately 4 addresses).

Sample entries:

82.36.86.181 - - [19/Apr/2006:19:15:26 -0700] "GET /www.hayamasa.demon.co.uk/afaq/whats-new.html HTT

National Secret Agency of Slovak Republic 2006-04-26
Jozef Kutej (jozef kutej net)
Hello.

Our Secret Agency NBU SR, was hacked through Horde application framework.
They used username nbusr and password nbusr123. Root/cisco passwords
like 123456. They deserve what they got...

More http://blackhole.sk/node/442 but it's in slovak language with
"screen shots" at the bottom.

Jozef.

Re: Someone scanning for new PHP issues? 2006-04-16
Sûnnet Beskerming (info beskerming com)
Jamie,

You are right that the second trap is searching for the horde
exploit. The first one you link to is for the remote code execution
exploit in the Vwar gaming clan management system, with exploit code
published publicly on 02 April 06. For reference, full sample
exploit code is here:

Someone scanning for new PHP issues? 2006-04-16
Jamie Riden (jamesr europe com) (1 replies)
One of these might be the Horde exploit-
http://isc.sans.org/diary.php?storyid=1262 - any ideas on the other?

cheers,
Jamie

02:38:43.817967 IP compromised.com.1044 > www.example.com.www: P
0:412(412) ack 1 win 65535
0x0000: 4500 01c4 a2ac 4000 7106 5012 0ca2 a1a1 E.....@.q.P.....

Re: Someone scanning for new PHP issues? 2006-04-16
Bojan Zdrnja (bojan zdrnja gmail com)
Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only 2006-04-12
tsteeves uvic ca (1 replies)
Take an IP from the source host network and add it as a secondary IP on the routed interface for the vlan - for the 0.10.94.27 host add "ip address 0.10.94.254 secondary" to the router. Then do a broadcast ping from the router - ping 0.10.94.255. Then show the arp cache for the vlan - show ip arp vl

RE: Bogon IPs traffic only seen by netflow, confined within a VLAN only 2006-04-12
David Gillett (gillettdavid fhda edu) (1 replies)
Re: Bogon IPs traffic only seen by netflow, confined within a VLAN only 2006-04-13
lupe lupe-christoph de (Lupe Christoph)
RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly 2006-04-11
AJ Cochenour (ajc mytcpip net) (1 replies)
Assuming CatOS on the C4506:

1. Issue the following to locate port if host may be directly connected:
'sh cam dynamic | include <Questionable Source MAC --
FF-FF-FF-FF-FF-FF>'
2. If operating within distributed switch network issue the following
(assuming Cisco/Foundry topology):
'l2trace

RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly 2006-04-11
Nyuk Loong Kiw (Kiw safecom co nz) (1 replies)
Are all the netflow packets generated by the 4506 switch? Are you using
flowtools for netflow analysis?

From memory flows generated by cisco devices actually have the
additional interface identifier or something similar in the actual flow
packets itself, if you know which cisco interface is the 'i

Re: Bogon IPs traffic only seen by netflow, confined within a VLANonly 2006-04-11
Stef (stefmit gmail com) (1 replies)
UPDATE:

Thanks to all who replied, and continue(d) with suggestions. We still
have not been able to isolate the problem - the attempt is now to shut
down one port at a time, and watch netflow to see when it stops (we
are waiting for each port for a 2 * cache expiration, so that we do
not risk to mo

Re: Bogon IPs traffic only seen by netflow, confined within a VLANonly 2006-04-11
Roland Dobbins (rdobbins cisco com)
RE: Bogon IPs traffic only seen by netflow, confined within a VLANonly 2006-04-10
Pierre, Jean-Raymond (jean pierre slac stanford edu)
Combining the below from Nicolai with setting up the port in promiscuous mode and running a Network Sniffer tool would give you enough data to track it down, I would think.
-
Jean-Raymond Xavier Pierre
Scientific Computing and Computing Services
Stanford Linear Accelerator Center

-----Original Mess

Copyright 2010, SecurityFocus