Robert Hensing's Blog
Home of the "Fail Open Goat" Award
January 2005 - Posts
WOLF sizes up the MySQL bot / worm / spreader thing . . . a live system perspective
So it seems that there is a new MySQL bot that is spreading to Windows machines running MySQL with weak SA (or whatever MySQL's equivalent is) passwords. You can read more about it here http://news.zdnet.com/2100-1009_22-5553570.html and here: http://isc.sans.org//diary.php?date=2005-01-27
The Blame Game - I won't go there.
So I'm getting some 'interesting' and frankly unexpected comments on my most recent 'Anatomy of . . . ' posts where I delve into examples of a hack involving certain vulnerabilities (one of which wasn't even in one of our products I'd like to point out).
Anatomy of a WINS server hack (MS04-045) . . .
Okay - so here is my analysis of a recent WINS hack a customer experienced. The customer caught this by analyzing their netflow data from their routers . . . they suddenly started sending tremendous amounts of packet love and affection to various IP's
Anatomy of a Veritas BackupExec Agent Browser hack via TCP 6101
I've gotten some really great feedback on my blog now that I'm actually blogging about incident response topics - I appreciate the feedback, keep it coming! So we here in PSS Security are tied into the security incident response community fairly well
Advanced hiding techniques: The mystery of the trojaned Winlogon.exe
So the war between the miscreants and the first responders / incident responders is just that - it's a war with casualties (servers, workstations, work life / home life balance) and it is complete with an arms race in the form of stealthing (miscreants)
More miscreant hiding techniques and some interesting observations on the Hacker Defender rootkit . . .
My last blog post was about miscreant hiding techniques . . . unfortunately one can probably write a book devoted to some of the more popular techniques . . . I'm just going to blog from time to time about the ones my team is encountering (call it miscreant
Miscreant hiding techniques: Would the real explorer.exe please stand up? And the relevance of 1979 when doing searches . . .
At long last - a blog post about Incident Response in the self-proclaimed 'Incident Response' blog! Before I finally crash for the night there are two things I wanted to bring to the attention of folks interested in Windows IR that my team has come across
Admin Personas - at long last . . .
Okay so this post is several months late - what can I say, I'm easily distracted and overly busy. Hopefully if you are reading this post you've already read the post on hacker personas. Having been on the PSS Security team for over three years now I've