elblogg

blah, blah, blag, blog

Posts Tagged ‘sikkerhet’

w00t?

Tuesday, March 25th, 2008

Today I noticed this in my access.log:

  67.19.113.154 - - [24/Mar/2008:16:02:10 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  65.111.181.35 - - [24/Mar/2008:20:02:22 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  67.19.113.154 - - [24/Mar/2008:20:15:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  67.19.113.154 - - [25/Mar/2008:00:26:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  67.19.113.154 - - [25/Mar/2008:04:37:39 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  67.19.113.154 - - [25/Mar/2008:08:52:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
  67.19.113.154 - - [25/Mar/2008:13:05:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"

What goes on here?
All these requests fail, of course, but in addition to the obvious (404), the client also doesn't supply a Host: header with its HTTP/1.1 requests.

update

It is safe to assume that this is an attempt to hack me in some way; DFind is apparently some kind of security scanner (ref). The same IPs are also brute-forcing some URLs (like /phpmyadmin etc.) looking for something fun to poke around with.
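As an added example (not part of the original post), here is a small Python triage script that parses combined-format access.log lines like the ones above, flags the DFind probe path and the tell-tale 400 responses that carry neither Referer nor User-Agent, and tallies the hits per source IP. The sample log is constructed from the seven lines in the post plus one ordinary request from a documentation address, so it runs offline.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, which is what the access.log excerpt above uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Path requested by the DFind scanner, verbatim from the log lines in the post.
DFIND_PATH = "/w00tw00t.at.ISC.SANS.DFind:)"

# Constructed sample: the seven lines from the post plus one benign request from 192.0.2.10.
SAMPLE_LOG = """\
67.19.113.154 - - [24/Mar/2008:16:02:10 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
65.111.181.35 - - [24/Mar/2008:20:02:22 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
67.19.113.154 - - [24/Mar/2008:20:15:38 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
67.19.113.154 - - [25/Mar/2008:00:26:37 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
67.19.113.154 - - [25/Mar/2008:04:37:39 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
67.19.113.154 - - [25/Mar/2008:08:52:25 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
67.19.113.154 - - [25/Mar/2008:13:05:07 +0100] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 363 "-" "-"
192.0.2.10 - - [25/Mar/2008:13:06:00 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse_line(line):
    # Split one combined-format line into named fields; None if it does not parse.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons (possibly none) an entry looks like scanner traffic."""
    reasons = []
    if entry["path"] == DFIND_PATH:
        reasons.append("dfind-signature")
    # A 400 on HTTP/1.1 with neither Referer nor User-Agent is the footprint of a
    # bare scanner that also omitted the mandatory Host header (hence the 400).
    if (entry["status"] == "400" and entry["proto"] == "HTTP/1.1"
            and entry["referer"] == "-" and entry["ua"] == "-"):
        reasons.append("bad-request-no-headers")
    return reasons

def scan_log(text):
    # Tally suspicious entries per source IP: {ip: Counter(reason -> count)}.
    hits = defaultdict(Counter)
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for reason in classify(entry):
            hits[entry["ip"]][reason] += 1
    return hits
```

Feed the real access.log to scan_log() instead of SAMPLE_LOG to get the same per-IP tally; the benign 192.0.2.10 line is parsed but produces no reasons.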

Upgraded WordPress

Tuesday, March 25th, 2008

I have now finally taken the time to upgrade WordPress, and it is now set up in such a way that it should be reasonably easy to update going forward. In the process, however, I lost all the comments. I have a backup of them, so I will get them back in.

The reason I finally got around to updating WordPress was actually, …and this is a bit embarrassing… that the old WordPress got hacked. I actually want to thank CanalDigital for being quick on their feet and cutting my line to limit the extent of the damage, even though it was a bit frustrating there and then. And it was a bit annoying to get a new IP address when the line came back up.

Faked security patch

Thursday, July 29th, 2004

I received this mail today:

FROM: "Microsoft Corporation Public Assistance" <ozqgiilvehzsmvt_pddoeb@xwaq.com>
TO: "Customer" <>
SUBJECT: Latest Security Pack

MS Customer

this is the latest version of security update, the
"July 2004, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting
MS Internet Explorer, MS Outlook and MS Outlook Express
as well as three newly discovered vulnerabilities.
Install now to maintain the security of your computer
from these vulnerabilities, the most serious of which could
allow an attacker to run executable on your computer.
This update includes the functionality of all previously released patches.

System requirements: Windows 95/98/Me/2000/NT/XP
This update applies to:
 - MS Internet Explorer, version 4.01 and later
 - MS Outlook, version 8.00 and later
 - MS Outlook Express, version 4.01 and later

Recommendation: Customers should install the patch at the earliest opportunity.
How to install: Run attached file. Choose Yes on displayed dialog box.
How to use: You don't need to do anything after installing this item.

Microsoft Product Support Services and Knowledge Base articles can be found on the Microsoft Technical Support web site.
http://support.microsoft.com/

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site
http://www.microsoft.com/security/

Thank you for using Microsoft products.

Please do not reply to this message.
It was sent from an unmonitored e-mail address and we are unable to respond to any replies.

----------------------------------------------
The names of the actual companies and products mentioned herein are the trademarks of their respective owners.

This is the text/plain MIME version of the mail. It had a colorful Microsoft-look-ish HTML version too.

Of course I knew this mail was a fake; furthermore, Gmail gave me this message:

An attachment named “pack1919.exe” was removed from this document as it constituted a security hazard. If you require this document, please contact the sender and arrange an alternate means of receiving it.

Please remember: Microsoft NEVER sends security mail if you're not registered at their site for receiving such mail. And they NEVER ever send attachments with it.

It seems this is a variant of the W32/Gibe@mm (W32/Gibe@mm, WORM_GIBE.A, W32/Gibe-A, I-Worm.Gibe, W32/Gibe.A@mm, Win32.Gibe.A, W32/Gibe@MM) worm, although the name of the attachment, the greeting line and the subject of the message don't match the description at securityresponse.