Sep 10 2012
 
Update: GoDaddy appears to be making some progress getting services back online. The web site is responding again, but DNS queries still appear to time out and logins to the site fail. (17:30 ET)

GoDaddy is currently experiencing a massive DDoS attack. Anonymous was quick to claim responsibility, but at this point there has been no confirmation from GoDaddy. GoDaddy has only stated via Twitter: "Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it."

The outage appears to affect the entire range of GoDaddy hosted services, including DNS, web sites and e-mail. You may experience issues connecting to sites that use these services (for example, our DShield.org domain is hosted with GoDaddy).

At this point, I would expect GoDaddy to keep its users up to date via its Twitter feed (http://twitter.com/GoDaddy). I am not aware of a reachable network status page for GoDaddy.
------

Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Sep 08 2012
 
We received another piece of spam (thanks Curtis) pretending to be from the Better Business Bureau. Analysis of the file transferred (W6w8sCyj.exe) from prog.it ([1]-[5]) indicates it is a piece of malware, Win32/Cridex.Q [6], that communicates via SSL with a command-and-control (C&C) server.

List of domains/IP to watch for and block:
ajaxworkspace.com
prog.it
la-liga.ro
ejbsa.com.ar
technerds.ca
108.178.59.12
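One way to put the domain and IP list above to work, as an added example that is not part of the diary entry: match proxy log destinations against the indicators (including subdomains, but not lookalikes such as notprog.it) and emit BIND response-policy-zone records that sinkhole the domains and the IP. The Squid native access.log layout and the RPZ record syntax are assumptions of this example; the log lines are constructed, with the first URL taken from the spam.

```python
import re
from urllib.parse import urlsplit

# Indicators from the diary entry above (the page's own list); watch for and block these.
IOC_DOMAINS = {"ajaxworkspace.com", "prog.it", "la-liga.ro", "ejbsa.com.ar", "technerds.ca"}
IOC_IPS = {"108.178.59.12"}


def host_matches(host):
    """Return the indicator that covers `host`: an exact IOC IP, an IOC domain, or any
    subdomain of one (www.prog.it -> prog.it). A lookalike such as notprog.it does not match."""
    host = host.strip().lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


# Squid native access.log fields: time elapsed client code/status bytes method URL ...
# (format assumed here; adjust the regex for your proxy or DNS log)
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_from_url(url):
    """CONNECT requests log 'host:port' without a scheme; everything else is a full URL."""
    if "://" not in url:
        return url.rsplit(":", 1)[0]
    return urlsplit(url).hostname or ""


def scan_squid_log(lines):
    """Return one dict per log line whose destination host matches an indicator."""
    hits = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        host = host_from_url(m.group("url"))
        ioc = host_matches(host)
        if ioc:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "method": m.group("method"), "host": host, "ioc": ioc})
    return hits


def rpz_records():
    """BIND response-policy-zone records (assumed syntax) that NXDOMAIN every IOC domain,
    its subdomains, and any answer that resolves to the IOC IP."""
    records = []
    for domain in sorted(IOC_DOMAINS):
        records.append(f"{domain} CNAME .")
        records.append(f"*.{domain} CNAME .")
    for ip in sorted(IOC_IPS):
        reversed_octets = ".".join(reversed(ip.split(".")))
        records.append(f"32.{reversed_octets}.rpz-ip CNAME .")  # /32 trigger on the answer IP
    return records


# Constructed sample log lines (not from the diary); the first URL is the one in the spam.
SAMPLE_LOG = [
    "1347109082.123    245 10.0.0.5 TCP_MISS/200 1320 GET http://prog.it/EH564Bf/index.html - DIRECT/198.51.100.7 text/html",
    "1347109090.456    812 10.0.0.5 TCP_MISS/200 48120 GET http://www.technerds.ca/img/x.php?a=1 - DIRECT/198.51.100.8 application/octet-stream",
    "1347109100.001   1000 10.0.0.7 TCP_TUNNEL/200 5000 CONNECT 108.178.59.12:443 - DIRECT/108.178.59.12 -",
    "1347109110.000    100 10.0.0.9 TCP_MISS/200 800 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1347109120.000    100 10.0.0.9 TCP_MISS/200 800 GET http://notprog.it/ - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for hit in scan_squid_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['method']} {hit['host']} matches {hit['ioc']}")
    print("\n".join(rpz_records()))
```

The CONNECT line matters: Cridex talks SSL to its C&C, so on a proxy the only trace is a CONNECT to the host or IP, with no URL path to match on.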
The email looks like this:

Better Business Bureau
Start With Trust
Sat, 08 Sep 2012 01:54:02 +0700
RE: Case # 78321602 http[:]//prog.it/EH564Bf/index.html

Dear Sirs,
The Better Business Bureau has got the above mentioned complaint from one of your customers concerning their business relations with you. The details of the consumer's concern are contained in attached document. Please give attention to this case and advise us of your opinion as soon as possible. We encourage you to open the COMPLAINT REPORT to answer on this complaint.
We look forward to your prompt response.
Faithfully yours,
Ann Hegley
Dispute Counselor
Better Business Bureau
[1] http://anubis.iseclab.org/?action=result&task_id=15e0c40724f468154b9b07dba8a34bfa4&format=html
[2] http://wepawet.iseclab.org/view.php?hash=b4817d858b4e1862c8a828c85be365b1&t=1347109082&type=js
[3] http://wepawet.iseclab.org/view.php?hash=06ea2fd5b8931844981d7c718ea89060&t=1347109182&type=js
[4] http://wepawet.iseclab.org/view.php?hash=7d629a7fea394ce0be5782de592d8f68&t=1347109422&type=js
[5] https://www.virustotal.com/file/126ea9ed6828a1eaa37250aa015a9f8518fdb54c8175ce87559a68eac47b9187/analysis/
[6] http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fCridex
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Sep 08 2012
 
If you are using Webmin within your network to administer Unix services, you should consider upgrading to the latest version, 1.594, because input validation vulnerabilities have been reported in versions prior to and including 1.580 [1]. The latest version can be downloaded from the Webmin site [2][3], or the update can be done directly in Webmin (via the menu Webmin, Webmin Configuration, Upgrade Webmin).

CVE-2012-2981 - Improper Input Validation
CVE-2012-2982 - Improper Neutralization of Special Elements used in a Command
CVE-2012-2983 - Improper Limitation of a Pathname to a Restricted Directory
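To find the Webmin instances on your network that still need the upgrade, here is an added example (not from the diary or the Webmin project) that classifies a version against the advisory: affected for 1.580 and below, fixed for 1.594 and above, and "upgrade recommended" in between, since the page names no fixed release before 1.594. It reads the version either from the content of /etc/webmin/version or from an HTTP Server header; that Webmin's miniserv announces itself as "MiniServ/<version>" is an assumption of this example, and the sample responses are constructed.

```python
import re
from decimal import Decimal, InvalidOperation

# From the advisory text above: 1.594 carries the fix; versions up to and including
# 1.580 are reported affected by the three CVEs.
FIXED_VERSION = Decimal("1.594")
LAST_REPORTED_AFFECTED = Decimal("1.580")
CVES = ("CVE-2012-2981", "CVE-2012-2982", "CVE-2012-2983")

# Webmin versions are plain decimals (1.580, 1.590, 1.594), so Decimal gives the right order.
BANNER_RE = re.compile(r"MiniServ/(\d+\.\d+)")  # banner format assumed, see lead-in


def version_from_version_file(text):
    """Parse the content of /etc/webmin/version (a single line such as '1.580')."""
    try:
        return Decimal(text.strip())
    except InvalidOperation:
        return None


def version_from_http_response(raw):
    """Parse the version from the Server header of a raw HTTP response.
    Hosts that do not present a MiniServ banner come back as None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            m = BANNER_RE.search(value)
            return Decimal(m.group(1)) if m else None
    return None


def assess(version):
    """Classify against the advisory: affected (<= 1.580), upgrade-recommended (between
    1.580 and 1.594, where the page names no fix), fixed (>= 1.594), or unknown."""
    if version is None:
        return ("unknown", ())
    if version <= LAST_REPORTED_AFFECTED:
        return ("affected", CVES)
    if version < FIXED_VERSION:
        return ("upgrade-recommended", ())
    return ("fixed", ())


def report(responses):
    """responses: {host: raw HTTP response text}; returns (host, version, status, cves) rows."""
    rows = []
    for host, raw in responses.items():
        version = version_from_http_response(raw)
        status, cves = assess(version)
        rows.append((host, None if version is None else str(version), status, cves))
    return rows


# Constructed sample responses (not captured from real hosts).
SAMPLE_RESPONSES = {
    "webmin-a.example.internal": "HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.580\r\nContent-type: text/html\r\n\r\n<html>",
    "webmin-b.example.internal": "HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.594\r\nContent-type: text/html\r\n\r\n<html>",
    "www.example.internal": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n\r\n<html>",
}

if __name__ == "__main__":
    for host, version, status, cves in report(SAMPLE_RESPONSES):
        print(f"{host}: MiniServ {version or '?'} -> {status} {' '.join(cves)}")
```

On the host itself, `cat /etc/webmin/version` fed to `version_from_version_file` is the authoritative check; the banner approach only covers instances that expose the web port and have not changed the Server header.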
[1] http://www.kb.cert.org/vuls/id/788478
[2] http://www.webmin.com/download.html
[3] http://download.webmin.com/devel/tarballs/

Note: Updated link to the latest tarball.
-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu