[Dshield] Target list acquisition? Pre-deployment preparation?

Russell Washington russ.washington at vaultsentry.com
Fri Nov 8 19:42:02 GMT 2002


The Cobalt-specific exploit may well be unpatched servers.  Cobalt boxes run
a tweaked version of Red Hat, but they've been modified under the hood to
the point (perl-scripted to blazes) that unless you're seriously
experienced, trying to throw in the latest version of Apache from will
probably hurt the box's "Cobalt functionality" big time.  So you wait for a
patch to show up from Sun and...

You get the idea.

Also, Cobalt boxes were favored targets at one point in time (2000?), don't
recall the details, but they could be looking for exploits from that era.

-----Original Message-----
From: Ed Truitt [mailto:ed.truitt at etee2k.net] 
Sent: Friday, November 08, 2002 9:41 AM
To: list at dshield.org
Subject: Re: [Dshield] Target list acquisition? Pre-deployment preparation?


I've seen CR before, and in fact I did have some in the logs.  These probes
aren't part of a CR attempt, they are coming in by themselves (not with any
other requests.)  I was providing them at Johannes' request, I think he is
looking for source IPs for this particular scan activity.

The other one I mentioned was interesting, because apparently they are
looking for a specific type of box (a Sun Cobalt RAQ server appliance), and
I am just curious if anyone knows of an exploit specific to this type of
server.

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.  Also, if you
send me UCE, I reserve the right to post your spew on my Web site, with the
appropriate color commentary, so that others may have a good laugh at your
expense."

----- Original Message -----
From: "Jansen, Lise" <Lise.Jansen at qunara.com>
To: <list at dshield.org>
Sent: Friday, November 08, 2002 8:13 AM
Subject: RE: [Dshield] Target list acquisition? Pre-deployment preparation?


> Looks to me that it could be a Code Red attempt; the script.exe attempt
> lets me believe that it is a code red variant of some sort.
>
> You could have a look at the following link, it provides a sample log
> of a code red attack.
>
> http://www.bsdhost.net/
>
> Lise J.
>
> -----Original Message-----
> From: Ed Truitt [mailto:ed.truitt at etee2k.net]
> Sent: Friday, November 08, 2002 8:25 AM
> To: list at dshield.org
> Subject: Re: [Dshield] Target list acquisition? Pre-deployment 
> preparation?
>
>
> Here are some entries I found:
[snip]
