(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

This isn't really new, but two readers submitted logs like this today, so I figured it is time for a reminder.

If you see requests like this in your weblogs:

a.b.c.d - - [04/Oct/2016:14:57:34 +0000] \x16\x03\x02\x00\xDC\x01\x00\x00\xD8\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16 400 166 - -

The reason is almost always an SSL request sent to a non-SSL server. In particular, if you are running a web server on a port other than port 80 (e.g. 8080 or 8000), you will see attackers trying to scan your server assuming that it is running SSL.

To decode the byte sequence above:

\x16 - This indicates a handshake record. Typically, connections start with a client hello.
\x03\x02 - the SSL/TLS version. In this case cutting edge TLS 1.1 (0x03 0x01 is TLS 1.0).
\x00\xDC - the length of the message. 0xDC = 220 bytes.
\x01 - indeed, a client hello (a server hello would be 2).
\x00\x00\xD8 - the length of the client hello part of the message (216 bytes).
\x03\x02 - the SSL/TLS version again.
SC[\x90 - four byte time stamp (only non-printable characters use the \x encoding, so this translates to 0x53 0x43 0x5B 0x90).
followed by some random bytes...

You will find various versions of this, depending on the SSL/TLS version used, the number of ciphers offered and the like.
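To turn the decoding above into something you can run over a log file, here is an added example (not code from the diary or from ISC): a small Python parser that reverses Apache's \xHH escaping of the request field, checks whether the bytes start with a TLS record, and pulls out the record header, handshake header, client version and the four-byte time stamp. The function names are my own, and the two sample log lines are constructed: the first reuses the diary's byte sequence but, as Apache actually writes it in the combined log format, with the request field in double quotes (the copy in the diary shows it unquoted).

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Apache writes non-printable request bytes as \xHH and escapes \ and " with a
# backslash; printable bytes appear literally (hence the "SC[" in the diary's line).
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{2}|.)', re.DOTALL)
_SIMPLE = {'n': 0x0A, 'r': 0x0D, 't': 0x09, 'v': 0x0B, 'f': 0x0C, 'b': 0x08,
           '\\': 0x5C, '"': 0x22}


def unescape_apache(field: str) -> bytes:
    """Turn the escaped request field back into the raw bytes the client sent."""
    out = bytearray()
    pos = 0
    for m in _ESC.finditer(field):
        out += field[pos:m.start()].encode('latin-1')
        tok = m.group(1)
        if len(tok) == 3:                       # \xHH
            out.append(int(tok[1:], 16))
        elif tok in _SIMPLE:                    # \n, \", \\ ...
            out.append(_SIMPLE[tok])
        else:                                   # unknown escape: keep it verbatim
            out += m.group(0).encode('latin-1')
        pos = m.end()
    out += field[pos:].encode('latin-1')
    return bytes(out)


CONTENT_TYPES = {20: 'change_cipher_spec', 21: 'alert', 22: 'handshake', 23: 'application_data'}
HANDSHAKE_TYPES = {1: 'client_hello', 2: 'server_hello'}
# SSL 3.0 and every TLS version share major number 3; TLS 1.3 client hellos still
# put 0x0303 in these two fields, so a "TLS 1.2" label can be a 1.3-capable client.
VERSIONS = {(3, 0): 'SSL 3.0', (3, 1): 'TLS 1.0', (3, 2): 'TLS 1.1', (3, 3): 'TLS 1.2'}


def _version(major: int, minor: int) -> str:
    return VERSIONS.get((major, minor), f'unknown 0x{major:02x}{minor:02x}')


def parse_tls_prefix(data: bytes) -> Optional[dict]:
    """Decode the record header, handshake header, client version and gmt_unix_time
    from however many bytes the log captured; None if this is not a TLS record."""
    if len(data) < 5 or data[0] not in CONTENT_TYPES or data[1] != 3:
        return None
    info = {
        'content_type': CONTENT_TYPES[data[0]],             # \x16 -> handshake
        'record_version': _version(data[1], data[2]),       # \x03\x02 -> TLS 1.1
        'record_length': int.from_bytes(data[3:5], 'big'),  # \x00\xDC -> 220
        'captured_bytes': len(data),                        # the logged field is usually cut short
    }
    if info['content_type'] == 'handshake' and len(data) >= 9:
        info['handshake_type'] = HANDSHAKE_TYPES.get(data[5], f'type {data[5]}')  # \x01 -> client_hello
        info['handshake_length'] = int.from_bytes(data[6:9], 'big')               # \x00\x00\xD8 -> 216
        if data[5] == 1 and len(data) >= 15:
            info['client_version'] = _version(data[9], data[10])
            ts = int.from_bytes(data[11:15], 'big')         # 'S' 'C' '[' \x90 -> 0x53435B90
            info['gmt_unix_time'] = ts
            info['gmt_unix_time_iso'] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return info


# Constructed sample lines in Apache's combined log format (request field quoted).
SAMPLE_TLS_LINE = (r'a.b.c.d - - [04/Oct/2016:14:57:34 +0000] "\x16\x03\x02\x00\xDC\x01\x00\x00\xD8'
                   r'\x03\x02SC[\x90\x9D\x9Br\x0B\xBC\x0C\xBC+\x92\xA8H\x97\xCF\xBD9\x04\xCC\x16" 400 166 "-" "-"')
SAMPLE_HTTP_LINE = '203.0.113.5 - - [04/Oct/2016:14:58:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.47.0"'

_REQUEST = re.compile(r'\] "(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) ')


def classify_log_line(line: str) -> Optional[dict]:
    """Return the decoded TLS fields when a line's request field is a TLS record,
    or None for ordinary HTTP requests (and lines that do not match the format)."""
    m = _REQUEST.search(line)
    if not m:
        return None
    info = parse_tls_prefix(unescape_apache(m.group('req')))
    if info is not None:
        info['status'] = int(m.group('status'))
    return info


if __name__ == '__main__':
    for line in (SAMPLE_TLS_LINE, SAMPLE_HTTP_LINE):
        print(classify_log_line(line) or 'plain HTTP request')
```

Two things the output makes visible that the byte-by-byte walkthrough does not: the log holds only 33 bytes of a record that declares 220 bytes of payload, so anything past the time stamp (the rest of the random, the cipher list) is simply not there to analyse, and the time stamp decodes to 2014-04-08T02:14:40Z on a request logged in October 2016, so do not treat that field as the client's clock. Counting matches per destination port is a quick way to confirm that the 400s on a non-standard port are this kind of TLS-to-plaintext noise rather than something aimed at the application.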

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

 

Reduce, reuse, recycle those hacks. (credit: Ildar Sagdejev)

WikiLeaks celebrated its tenth anniversary today by teasing a release of documents that would damage presidential candidate Hillary Clinton. But when Julian Assange failed to release anything new, the individual who refers to himself as Guccifer 2.0 posted what he claimed were files from the Clinton Foundation's servers.

"Many of you have been waiting for this, some even asked me to do it," Guccifer 2.0, or whoever is posting under that name, wrote in a blog post. "So, this is the moment. I hacked the Clinton Foundation server and downloaded hundreds of thousands of docs and donors' databases. Hillary Clinton and her staff don't even bother about the information security. It was just a matter of time to gain access to the Clinton Foundation server." Ars contacted Guccifer 2.0, or whoever runs his Twitter account. He claimed the files came directly from the Clinton Foundation server—but declined to say how he got access to them ("I prefer to keep it to me yet").

However, a review by Ars found that the files are clearly not from the Clinton Foundation. While some of the individual files contain real data, much of it came from other breaches Guccifer 2.0 has claimed credit for at the Democratic National Committee and the Democratic Congressional Campaign Committee—hacks that researchers and officials have tied to "threat groups" connected to the Russian Government. Other data could have been aggregated from public information, while some appears to be fabricated as propaganda. Aside from some DNC payroll data, and lease documents for some Democratic Party field offices, most of the documents in the dump were originally authored either at the DCCC or by people working for the DCCC on their personal computers.


 
IBM Business Process Manager Advanced CVE-2016-5901 Unspecified Cross Site Scripting Vulnerability
 
INDAS Web SCADA CVE-2016-8343 Directory Traversal Vulnerability
 
Multiple Beckhoff Products Multiple Security Bypass Vulnerabilities
 
Dell EMC vApp Manager Multiple Arbitrary Command Execution Vulnerabilities
 
Mozilla Firefox Multiple Security Vulnerabilities
 
IBM Sterling Secure Proxy Configuration Manager CVE-2016-6023 Directory Traversal Vulnerability
 
Dell EMC Unisphere for VMAX XML External Entity Information Disclosure Vulnerability
 
Xen CVE-2016-7777 Security Bypass Vulnerability
 

(credit: David Ramos/Bloomberg via Getty Images)

According to a new report by Reuters citing anonymous former employees, in 2015, Yahoo covertly built a secret “custom software program to search all of its customers' incoming emails for specific information.”

Reuters noted that Yahoo “complied with a classified US government directive, scanning hundreds of millions of Yahoo Mail accounts at the behest of the National Security Agency or FBI, said two former employees and a third person apprised of the events.” It is not clear what data, if any, was handed over.

Presuming that the report is correct, it would represent essentially the digital equivalent of a general warrant—which is forbidden by the Fourth Amendment, as Electronic Frontier Foundation lawyer Andrew Crocker noted on Twitter.


 
ESA-2016-121: EMC Unisphere for VMAX and Solutions Enabler Virtual Appliances Multiple Vulnerabilities
 
ESA-2016-063: EMC Replication Manager and Network Module for Microsoft Remote Code Execution Vulnerability
 
Joomla! Huge-IT Catalog Extension CVE-2016-1000125 SQL Injection Vulnerability
 
ImageMagick 'MagickCore/profile.c' Memory Corruption Vulnerability
 
Sophos UTM Multiple Local Information Disclosure Vulnerabilities
 
Linux Kernel CVE-2016-5342 Local Heap Buffer Overflow Vulnerability
 
Linux Kernel CVE-2016-2059 Local Privilege Escalation Vulnerability
 
Serimux SSH Console Switch v2.4 - Multiple Cross Site Vulnerabilities
 
Linux Kernel CVE-2016-5344 Multiple Integer Overflow Vulnerabilities
 
AuraDVD Ripper Professional v1.6.3 - DLL Hijacking Exploit
 
Google Android CVE-2016-3930 Remote Privilege Escalation Vulnerability
 
Google Android Framework Listener CVE-2016-3921 Privilege Escalation Vulnerability
 
Google Android CVE-2016-3928 Remote Privilege Escalation Vulnerability
 
Linux Kernel 'lib/asn1_decoder.c' Local Memory Corruption Vulnerability
 
Google Android Mediaserver CVE-2016-3924 Information Disclosure Vulnerability
 
Google Android CVE-2016-3882 Local Denial of Service Vulnerability
 
Google Android GPS CVE-2016-5348 Denial of Service Vulnerability
 
Google Android Camera Service Multiple Privilege Escalation Vulnerabilities
 
Google Android CVE-2016-3925 Denial of Service Vulnerability
 
Google Android CVE-2016-3908 Local Privilege Escalation Vulnerability
 
TeempIp XSS Cookie Theft
 
 
Internet Storm Center Infocon Status