
Today's Diary

If you have more information or corrections regarding our diary, please share.


SSH Password attacks using domain name elements as userid

Published: 2012-01-27
Last Updated: 2012-01-27 10:08:01 UTC
by Mark Hofman (Version: 1)

A reader (Thanks Jim!) mentioned earlier today that his SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed. For example, using isc.sans.org results in the userids isc, sans and org. This may be because a number of hosting providers use the domain name itself as the userid for shell access for customers. In light of the breach at DreamHost earlier this week (http://blog.dreamhost.com/2012/01/21/security-update/), this may be what is going on.

If you are noticing the same in your logs and you can share some log lines, please send some in as I'd be interested in taking a peek.

Mark H
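One way to check your own logs for the pattern described above, as an added example that is not part of the original diary: it scans OpenSSH-style syslog lines for failed logins whose userid is a label of the host's reverse DNS name. The function names, the `min_labels` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password for [invalid user] NAME from IP" and
# "Invalid user NAME from IP" messages (assumed syslog format).
ATTEMPT = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)

def dns_labels(fqdn):
    """Split a reverse-DNS name into lowercase labels: isc.sans.org -> {isc, sans, org}."""
    return {label for label in fqdn.lower().rstrip(".").split(".") if label}

def label_guessers(log_lines, fqdn, min_labels=2):
    """Return {source_ip: sorted labels tried} for sources that used at least
    min_labels distinct labels of fqdn as userids (threshold is an assumption;
    a single match can be coincidence)."""
    labels = dns_labels(fqdn)
    tried = defaultdict(set)
    for line in log_lines:
        m = ATTEMPT.search(line)
        if m and m.group("user").lower() in labels:
            tried[m.group("ip")].add(m.group("user").lower())
    return {ip: sorted(users) for ip, users in tried.items() if len(users) >= min_labels}

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE_LOG = """\
Jan 27 09:01:11 host sshd[2101]: Invalid user isc from 203.0.113.7
Jan 27 09:01:13 host sshd[2101]: Failed password for invalid user isc from 203.0.113.7 port 40112 ssh2
Jan 27 09:01:15 host sshd[2104]: Failed password for invalid user sans from 203.0.113.7 port 40120 ssh2
Jan 27 09:01:18 host sshd[2107]: Failed password for invalid user org from 203.0.113.7 port 40131 ssh2
Jan 27 09:02:40 host sshd[2110]: Failed password for root from 198.51.100.9 port 51514 ssh2
Jan 27 09:03:02 host sshd[2113]: Failed password for invalid user oracle from 198.51.100.9 port 51520 ssh2
Jan 27 09:05:27 host sshd[2120]: Accepted publickey for mark from 192.0.2.10 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, users in label_guessers(SAMPLE_LOG, "isc.sans.org").items():
        print(f"{ip} tried hostname-derived userids: {', '.join(users)}")
```

Sources that only try generic names such as root or oracle are not reported; only those whose guesses track the host's own DNS name are.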

 


CISCO Ironport C & M Series telnet vulnerability

Published: 2012-01-27
Last Updated: 2012-01-27 09:52:03 UTC
by Mark Hofman (Version: 1)

In case you missed it, there is a vulnerability in the CISCO Ironport telnet service. Details can be found here: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

To mitigate the risk (if you can't upgrade just yet), switch off telnet on the device and use SSH to manage it instead.

Mark H

Keywords: CISCO ironport
ISC StormCast for Friday, January 27th 2012 http://isc.sans.edu/podcastdetail.html?id=2287

ISC Feature of the Week: ISC Link Back

Published: 2012-01-25
Last Updated: 2012-01-27 03:32:10 UTC
by Adam Swanger (Version: 1)

Overview
Need to attribute information to ISC? Want to provide users with an avenue to visit the ISC site? Want to link directly to the ISC Stormcast, Infocon or other information? These methods and more are listed on our ISC Linkback Page! https://isc.sans.edu/linkback.html

Features

Note
This works as DShield also. Just view the dshield.org URL: http://dshield.org/linkback.html


Don't see a link you'd like to use? Suggest one in the comments section below or send any questions or comments via the contact form: https://isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)

Keywords: ISC feature


Diary Archive

Date Author Title
2012-01-27 Mark Hofman CISCO Ironport C & M Series telnet vulnerability
2012-01-27 Mark Hofman SSH Password attacks using domain name elements as userid
2012-01-25 Adam Swanger ISC Feature of the Week: ISC Link Back
2012-01-25 Bojan Zdrnja pcAnywhere users – patch now!
2012-01-24 Bojan Zdrnja Is it time to get rid of NetBIOS?
2012-01-22 Johannes Ullrich Javascript DDoS Tool Analysis
2012-01-22 Lorna Hutcheson Mailbag - "Attacks"
2012-01-21 Mark Hofman The privacy hodgepodge and IP Addresses
2012-01-21 Guy Bruneau DNS Sinkhole Scripts Fixes/Update
2012-01-19 Chris Mohan WHOIS contacts are your friends