Combined exploits of MS vulnerabilities, port 1981 increase
Possible combined exploits of MS vulnerabilities
It has been a very quiet day, but we are hearing rumors of possible "super" exploits that may target several of the vulnerabilities announced by Microsoft on Tuesday. We've been contacted by an individual who may have been infected by such an exploit, but our investigation of this is still underway.
Increase in port 1981 activity
There has been an increase in scanning activity targeting port 1981 (possibly Bowl or Shockrave trojan activity, perhaps not) over the last 10 days or so. If anyone has captured any of this activity, we'd like to see the captures.
Yet another signature for sslbomb
We have yet another signature for the sslbomb exploit; some of the earlier ones have been prone to a fair amount of false positives. We'd be interested in hearing how well any of these signatures are working.
# Snort rule as published. The first content is the DER tail of an
# AlgorithmIdentifier for md5WithRSAEncryption (OID 1.2.840.113549.1.1.4,
# NULL parameters) followed by a long-form SEQUENCE header; note that any
# MD5/RSA-signed X.509 certificate carries the same byte sequence. The
# two relative contents must each begin 2 bytes after the previous match.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
msg: "handlers - alpha - SSL DoS Short Client Handshake"; \
content: "|0d06 092a 8648 86f7 0d01 0104 0500 3081|"; depth: 64; \
content: "|0b30|"; distance: 2; \
content: "|0355|"; distance: 2; \
sid: 1090006; rev: 1;)
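To try this signature against captured payloads without a Snort install, here is an added example (not ISC's or the handler's code) that re-implements the rule's content/depth/distance matching in Python; the payloads and the names RULE, rule_matches, HIT, MISS_DEPTH and MISS_DISTANCE are constructed for this example.

```python
# Offline re-implementation of the content/depth/distance matching in the
# sslbomb Snort signature above. Added example; sample payloads are constructed.

OID_MD5_RSA = bytes.fromhex("0d06092a864886f70d01010405003081")

# One entry per content: option of the rule, as (pattern, depth, distance).
# depth: the whole pattern must lie within `depth` bytes of the search start.
# distance: the search begins `distance` bytes after the end of the previous match.
RULE = [
    (OID_MD5_RSA, 64, 0),
    (bytes.fromhex("0b30"), None, 2),
    (bytes.fromhex("0355"), None, 2),
]

def rule_matches(payload: bytes, rule=RULE) -> bool:
    """Return True when every pattern matches, in order, under Snort semantics."""
    pos = 0  # end offset of the previous match (0 before the first pattern)
    for pattern, depth, distance in rule:
        start = pos + distance
        end = len(payload) if depth is None else start + depth
        idx = payload.find(pattern, start, end)  # match must fit in [start, end)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    return True

# Constructed payloads (not real captures) exercising each clause of the rule.
FILL = b"\x00\x00"
HIT = (b"\x16\x03\x01\x00\x00\x00\x00" + OID_MD5_RSA + FILL
       + b"\x0b\x30" + FILL + b"\x03\x55\x04\x03")
# First pattern starts at offset 60, so it no longer fits inside depth 64.
MISS_DEPTH = b"\x00" * 60 + HIT[7:]
# "0b30" sits inside the 2-byte gap that distance: 2 skips, so it is not seen.
MISS_DISTANCE = HIT[:7] + OID_MD5_RSA + b"\x0b\x30" + FILL + FILL + b"\x03\x55"

if __name__ == "__main__":
    for name, p in (("HIT", HIT), ("MISS_DEPTH", MISS_DEPTH), ("MISS_DISTANCE", MISS_DISTANCE)):
        print(name, rule_matches(p))
```

Feed bytes sliced from a capture's TCP payload to rule_matches to see which clause a suspected false positive trips.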
-------------------------------
Jim Clausing, handler on duty