Hackin9
[ANNOUNCE][CVE-2016-0779] Apache TomEE 1.7.4 and 7.0.0-M3 releases
 
[slackware-security] seamonkey (SSA:2016-075-02)
 
[slackware-security] git (SSA:2016-075-01)
 

I am currently seeing a lot of requests against my honeypot like the following:

----------
POST /smoke/ 1.1
Content-Type: application/x-www-form-urlencoded
InfoPath.2)
Host: [server ip address]
Content-Length: 72
Connection: Keep-Alive
Cache-Control: no-cache

#nhDMzQ1lB3v5iK^MiUE]Fzt @[email protected]

----------------------

The payload is random, and note the missing "HTTP/" part in the protocol version (but not all requests are missing that part).

Any idea what this could be about? I can't find any specific tool associated with the smoke.

POST /smoke/ HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
rv:11.0) like Gecko
Content-Length: 102
Host: [server ip address]

g~D{./cANBa(0I_/ otqVC tE_

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
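The two captures above share a POST to /smoke/, a random-looking body, and (in one of them) a version token that lacks the mandatory "HTTP/" prefix. The following is an added example, not code from the diary or from DShield: a small request-line parser plus a byte-frequency entropy check that flags this pattern in raw request lines. The sample requests are constructed for the example (the bodies are made-up random strings, not the captured ones), and the 4.0-bit entropy threshold is an assumption chosen to separate short random bodies from ordinary form-encoded ones.

```python
import math
import re
from collections import Counter

# Constructed samples modelled on the two captures quoted above (the bodies are
# made-up random-looking strings, not the originals).
SAMPLE_REQUESTS = [
    ("POST /smoke/ 1.1", "#nhDMzQ1lB3v5iK^MiUE]Fzt"),         # version token lacks "HTTP/"
    ("POST /smoke/ HTTP/1.1", "g~D{./cANBa(0I_/ otqVC tE_"),  # well-formed, same target
    ("GET /index.html HTTP/1.0", ""),                         # ordinary request
    ("POST /login HTTP/1.1", "user=admin&pass=admin"),       # ordinary form post
]

# RFC 7230 request-line: method SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>\S+)$")


def parse_request_line(line):
    """Split a request-line into method, target and version; None if it does not
    even have three tokens. valid_version is False for tokens such as "1.1" that
    lack the mandatory "HTTP/" prefix, which is the oddity the diary points out."""
    m = REQUEST_LINE.match(line)
    if m is None:
        return None
    req = m.groupdict()
    req["valid_version"] = req["version"].startswith("HTTP/")
    return req


def shannon_entropy(text):
    """Bits per character. Short random printable strings score above 4; typical
    form-encoded bodies score lower because a few characters repeat."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_smoke_like(line, body, entropy_threshold=4.0):
    """Flag the pattern described above: a POST to /smoke/ or a malformed
    version token, carrying a high-entropy (random-looking) body.
    The threshold is an assumed value, not one taken from the diary."""
    req = parse_request_line(line)
    if req is None:
        return True  # cannot even parse the request-line: treat as hostile
    smoke_target = req["method"] == "POST" and req["target"].startswith("/smoke")
    return (smoke_target or not req["valid_version"]) and shannon_entropy(body) >= entropy_threshold


def flag_samples(samples=SAMPLE_REQUESTS):
    """Return the request-lines from the samples that match the heuristic."""
    return [line for line, body in samples if is_smoke_like(line, body)]


if __name__ == "__main__":
    for line in flag_samples():
        print("suspicious:", line)
```

Run against the constructed samples, only the two /smoke/ requests are flagged; the malformed version token alone is a useful signal because a conforming client never emits it, while the entropy check keeps ordinary form posts out of the alert.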
 
Defense in depth -- the Microsoft way (part 39): vulnerabilities, please meet the bar for security servicing
 

If you're a gamer (or anyone else), this is not a screen you want to see. (credit: Bromium Labs)

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.


 
[security bulletin] HPSBGN03556 rev.1 - ArcSight ESM and ESM Express, Remote Arbitrary File Download, Local Arbitrary Command Execution
 
Re: oss-2016-15: Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (iowarrior driver)

Re: oss-2016-13: Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (powermate driver)

Re: oss-2016-18: Multiple Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (ati_remote2 driver)

Re: oss-2016-17: Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes (multiple free) on invalid USB device descriptors (snd-usb-audio driver)
 
Re: OS-S 2016-12 Linux digi_acceleport Nullpointer Dereference
 
Re: OS-S 2016-11 Linux wacom multiple Nullpointer Dereferences
 
Re: OS-S 2016-08 Linux mct_u232 Nullpointer Dereference
 

th ago, Johannes released a beta version of a DShield sensor for the Raspberry Pi. The Pi is a cool computer to run this kind of tool, but you must have a spare one and it requires extra cables and power (ok, not so much). Building and maintaining a virtual machine for an application with low requirements in CPU, memory and bandwidth is a bit overkill. Why not use a container?

I re-used Johannes's installation script and restricted the installation to the bare minimum. The goal is just to run a cowrie instance and enable the DShield output module. To report collected data to DShield, you need an account.

# git clone https://github.com/xme/dshield-docker
# cd dshield-docker
# docker build -t dshield/honeypot .

# cat <<_END_ >env.txt
DSHIELD_UID=xxxxx
DSHIELD_APIKEY=xxxxx
DSHIELD_EMAIL=xxxxx
_END_
# docker run -d -p 2222:2222 --env-file=env.txt --restart=always dshield/honeypot

Xavier Mertens
ISC Handler - Freelance Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
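The env.txt handed to docker run carries the DShield API key, so it is a credential file, and a sensor started with the diary's "xxxxx" placeholders still left in place will run but never report. The following is an added example, not code from the diary or from the dshield-docker project: it writes the file owner-readable only, refuses placeholder or missing values, and only then builds the docker run argument list from the diary's command. The variable names come from the diary; the placeholder check, the temp-directory demo and its sample values are assumptions of this example.

```python
import os
import re
import stat
import tempfile

# The three variables the diary's env.txt carries.
REQUIRED = ("DSHIELD_UID", "DSHIELD_APIKEY", "DSHIELD_EMAIL")
PLACEHOLDER = re.compile(r"^x+$")  # the diary's "xxxxx" stand-ins (assumed pattern)


def write_env_file(path, uid, apikey, email):
    """Write env.txt owner-read/write only: the API key is a credential."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        for key, value in zip(REQUIRED, (uid, apikey, email)):
            f.write(f"{key}={value}\n")
    os.chmod(path, 0o600)  # O_CREAT applies the umask; also tighten a pre-existing file


def check_env_file(path):
    """Return a list of problems; an empty list means the file is usable."""
    if not os.path.isfile(path):
        return [f"{path} does not exist"]
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"{path} is readable by group/others (mode {mode:o})")
    values = {}
    with open(path) as f:
        for raw in f:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    for key in REQUIRED:
        value = values.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif PLACEHOLDER.match(value):
            problems.append(f"{key} still holds the placeholder value")
    return problems


def docker_run_argv(env_path, host_port=2222, image="dshield/honeypot"):
    """argv for the diary's docker run line, refusing to start a sensor that
    could never report because its env file is wrong."""
    problems = check_env_file(env_path)
    if problems:
        raise ValueError("; ".join(problems))
    return ["docker", "run", "-d", "-p", f"{host_port}:2222",
            f"--env-file={env_path}", "--restart=always", image]


def demo():
    """Exercise the checks in a temp directory with constructed values."""
    workdir = tempfile.mkdtemp()
    env_path = os.path.join(workdir, "env.txt")
    write_env_file(env_path, "xxxxx", "xxxxx", "xxxxx")  # the diary's placeholders
    placeholder_problems = check_env_file(env_path)
    # Constructed sample credentials, not real DShield values.
    write_env_file(env_path, "12345", "0123456789abcdef", "sensor@example.org")
    return {
        "placeholder_problems": placeholder_problems,
        "problems_after_fill": check_env_file(env_path),
        "argv": docker_run_argv(env_path),
    }


if __name__ == "__main__":
    print(demo())
```

The returned argv can be passed straight to subprocess.run; keeping the check in front of it means a world-readable or half-filled env.txt fails loudly at start-up instead of producing a silent honeypot with no DShield submissions.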
 
[security bulletin] HPSBMU03377 rev.2 - HP Release Control running RC4, Remote Disclosure of Information
 
[security bulletin] HPSBGN03373 rev.2 - HP Release Control running TLS, Remote Disclosure of Information
 