
Today's Diary

If you have more information or corrections regarding our diary, please share.


SSH Password attacks using domain name elements as userid

Published: 2012-01-27,
Last Updated: 2012-01-27 10:08:01 UTC
by Mark Hofman (Version: 1)

A reader (Thanks Jim!) mentioned earlier today that his SSH logs were showing access attempts utilising elements of the reverse DNS name of the IP address being accessed. For example, using isc.sans.org results in the userids isc, sans and org. This may be because a number of hosting providers use the domain name itself as the userid for shell access for customers. In light of the breach at DreamHost earlier this week (http://blog.dreamhost.com/2012/01/21/security-update/), this may be what is going on.

If you are noticing the same in your logs and you can share some log lines please send some in as I'd be interested in taking a peek.

Mark H
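A way to check your own logs for the pattern described in this diary, as an added example that is not part of the original diary. It assumes OpenSSH syslog failure messages; the function names, the two-label threshold and the sample log lines (documentation IP ranges) are constructed for illustration.

```python
import re

# OpenSSH failure messages: "Invalid user X from IP" and
# "Failed password for [invalid user] X from IP port N ssh2".
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample log for a host whose reverse DNS name is isc.sans.org.
SAMPLE_LOG = """\
Jan 27 03:11:02 isc sshd[4121]: Invalid user isc from 192.0.2.10
Jan 27 03:11:04 isc sshd[4121]: Failed password for invalid user isc from 192.0.2.10 port 40022 ssh2
Jan 27 03:11:09 isc sshd[4125]: Invalid user sans from 192.0.2.10
Jan 27 03:11:15 isc sshd[4130]: Failed password for invalid user org from 192.0.2.10 port 40031 ssh2
Jan 27 03:12:40 isc sshd[4140]: Failed password for root from 198.51.100.7 port 51515 ssh2
Jan 27 03:13:01 isc sshd[4150]: Invalid user oracle from 198.51.100.7
Jan 27 03:14:22 isc sshd[4160]: Failed password for invalid user sans from 203.0.113.5 port 60001 ssh2
Jan 27 03:15:00 isc sshd[4170]: Accepted password for admin from 203.0.113.9 port 60100 ssh2
"""

def dns_labels(fqdn):
    """Lower-cased labels of the host's reverse DNS name (isc.sans.org -> isc, sans, org)."""
    return {label for label in fqdn.lower().rstrip(".").split(".") if label}

def label_guessers(log_lines, fqdn, min_labels=2):
    """Map each source IP to the DNS labels of fqdn it tried as a userid,
    keeping only sources that tried at least min_labels distinct labels."""
    labels = dns_labels(fqdn)
    tried = {}
    for line in log_lines:
        m = FAIL_RE.search(line)
        if not m:
            continue  # not a failed-login line (e.g. "Accepted password")
        user = m.group("user").lower()
        if user in labels:
            tried.setdefault(m.group("ip"), set()).add(user)
    return {ip: sorted(users) for ip, users in tried.items() if len(users) >= min_labels}

if __name__ == "__main__":
    for ip, users in label_guessers(SAMPLE_LOG.splitlines(), "isc.sans.org").items():
        print(f"{ip} tried DNS-derived userids: {', '.join(users)}")
```

Requiring two or more distinct labels from one source separates this pattern from ordinary dictionary guessing that happens to hit a single label; set `min_labels=1` to see every hit.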

 


CISCO Ironport C & M Series telnet vulnerability

Published: 2012-01-27,
Last Updated: 2012-01-27 09:52:03 UTC
by Mark Hofman (Version: 1)

In case you missed it there is a vulnerability in the CISCO Ironport telnet service. Details can be found here http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120126-ironport

To mitigate the risk (if you can't upgrade just yet), switch off telnet on the device and use SSH to manage it instead.

Mark H

Keywords: CISCO ironport
ISC StormCast for Friday, January 27th 2012 http://isc.sans.edu/podcastdetail.html?id=2287

ISC Feature of the Week: ISC Link Back

Published: 2012-01-25,
Last Updated: 2012-01-27 03:32:10 UTC
by Adam Swanger (Version: 1)

Overview
Need to attribute information to ISC? Want to provide users with an avenue to visit the ISC site? Want to link directly to the ISC Stormcast, Infocon or other information? These methods and more are listed on our ISC Linkback Page! https://isc.sans.edu/linkback.html

Features

Note
This works as DShield also. Just view the dshield.org url http://dshield.org/linkback.html


Don't see a link you'd like to use? Suggest in the comments section below or send any questions or comments in the contact form https://isc.sans.edu/contact.html

--
Adam Swanger, Web Developer (GWEB)
Internet Storm Center (http://isc.sans.edu)

Keywords: ISC feature


Diary Archive

Date Author Title
2012-01-27 Mark Hofman CISCO Ironport C & M Series telnet vulnerability
2012-01-27 Mark Hofman SSH Password attacks using domain name elements as userid
2012-01-25 Adam Swanger ISC Feature of the Week: ISC Link Back
2012-01-25 Bojan Zdrnja pcAnywhere users – patch now!
2012-01-24 Bojan Zdrnja Is it time to get rid of NetBIOS?
2012-01-22 Johannes Ullrich Javascript DDoS Tool Analysis
2012-01-22 Lorna Hutcheson Mailbag - "Attacks"
2012-01-21 Mark Hofman The privacy hodgepodge and IP Addresses
2012-01-21 Guy Bruneau DNS Sinkhole Scripts Fixes/Update
2012-01-19 Chris Mohan WHOIS contacts are your friends