[Snort-sigs] Bleedingsnort.com Daily Update

Matt Jonkman matt at ...2436...
Fri Jan 28 09:44:52 EST 2005


Things should be good with the box. Are you getting 69.44.153.29 for 
it's IP?

I'm not aware of any outage or downtime with it.

Matt

John Hally wrote:

>Anyone else having trouble getting to bleedingsnort.com?  I get a good
>resolve for it, but get timeouts both in brower and ping from multiple
>locations.
>
>???
>-----Original Message-----
>From: snort-sigs-admin at lists.sourceforge.net
>[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
>bleeding at ...2727...
>Sent: Thursday, January 27, 2005 8:00 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] Bleedingsnort.com Daily Update
>
>
>[***] Results from Oinkmaster started Thu Jan 27 20:00:03 2005 [***]
>
>[+++]          Added rules:          [+++]
>
>     -> Added to bleeding-virus.rules (4):
>        alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS
>lookup"; content:"|06|zmoker|06|dns2go|03|com"; nocase;
>classtype:trojan-activity;
>reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001688; rev:3;)
>        alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg:"BLEEDING-EDGE
>Potential MySQL bot scanning for SQL server"; flags:S,12;
>classtype:trojan-activity;
>reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001689; rev:2;)
>        alert tcp $HOME_NET any -> $EXTERNAL_NET 5002:5003
>(msg:"BLEEDING-EDGE Potential MySQL bot connecting to IRC server";
>flags:S,12; classtype:trojan-activity;
>reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001690; rev:2;)
>        alert udp $HOME_NET any -> any 53 (msg:"BLEEDING-EDGE MySQL bot DNS
>lookup"; content:"landingzone"; nocase; classtype:trojan-activity;
>reference:url,isc.sans.org/diary.php?date=2005-01-27; sid:2001687; rev:3;)
>
>[///]     Modified active rules:     [///]
>
>     -> Modified active in bleeding-exploit.rules (1):
>        old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80
>(msg:"BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt";
>flow:established,from_client; uricontent:"/awstats.pl?configdir=";
>reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php;
>reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabi
>lities&flashstatus=false; classtype:web-application-attack;sid:2001686;
>rev:5;)
>        new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
>(msg:"BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt";
>flow:established,from_client; uricontent:"/awstats.pl?configdir=";
>reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php;
>reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabi
>lities&flashstatus=false; classtype:web-application-attack;sid:2001686;
>rev:6;)
>
>[+++]      Added non-rule lines:     [+++]
>
>     -> Added to bleeding-sid-msg.map (4):
>        2001687 || BLEEDING-EDGE MySQL bot DNS lookup ||
>url,isc.sans.org/diary.php?date=2005-01-27
>        2001688 || BLEEDING-EDGE MySQL bot DNS lookup ||
>url,isc.sans.org/diary.php?date=2005-01-27
>        2001689 || BLEEDING-EDGE Potential MySQL bot scanning for SQL server
>|| url,isc.sans.org/diary.php?date=2005-01-27
>        2001690 || BLEEDING-EDGE Potential MySQL bot connecting to IRC
>server || url,isc.sans.org/diary.php?date=2005-01-27
>
>     -> Added to bleeding-virus.rules (1):
>        # Very crude first draft of rule to detect MySQL worm
>
>[*] Added files: [*]
>    None.
>
>
>
>-------------------------------------------------------
>This SF.Net email is sponsored by: IntelliVIEW -- Interactive Reporting
>Tool for open source databases. Create drag-&-drop reports. Save time
>by over 75%! Publish reports on the web. Export to DOC, XLS, RTF, etc.
>Download a FREE copy at http://www.intelliview.com/go/osdn_nl
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>  
>

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential 
and intended solely for the intended recipient. Any use, 
distribution, transmittal or retransmittal of information 
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.  
If you are not the intended recipient, please contact the sender 
and delete all copies.





More information about the Snort-sigs mailing list