Educause Security Discussion mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Wes Young <wcyoung () BUFFALO EDU>
Date: Wed, 24 Jan 2007 19:32:03 -0500
On Wed, 2007-01-24 at 18:16 -0600, James J. Barlow wrote:
Warren, Good writeup and thanks for the info. I just have a couple things to add since what Brian Smith-Sweeney from NYU replied with is spot on to what we have seen here at NCSA.
In case anyone's interested, a snort rule I picked up from somewhere:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( sid: 1226; rev: 5; msg: "X11 xopen"; flow: established; content: "l|00 0B 00 00 00 00 00 00 00 00 00|"; reference: arachnids,395; classtype: unknown; tag: host,seconds,60;)

--
Wes Young
Network Security Analyst
University at Buffalo

GnuPG Sig: http://tinyurl.com/yfrcfu
My Digg Profile: http://tinyurl.com/zrc6m
My Life: http://tinyurl.com/dtt4e
CPAN: http://tinyurl.com/mujm5

...there is no spoon.
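What the rule's content match corresponds to on the wire, as an added example that is not part of the original post: the 12 matched bytes are the fixed header of an X11 connection setup request from a little-endian client that offers no authorization data. The function names and sample payloads are constructed for illustration; the field layout is that of the X11 protocol's connection setup, and Snort's flow: established check is not modeled.

```python
import struct

# Bytes matched by the rule's content option: 'l' followed by the 11 hex bytes.
RULE_CONTENT = b"l" + bytes.fromhex("000b" + "00" * 9)

def parse_x11_setup(payload):
    """Decode the fixed 12-byte header of an X11 connection setup request.

    Returns a dict of fields, or None if the payload is too short or does
    not start with a valid byte-order byte ('l' little-endian, 'B' big-endian).
    """
    if len(payload) < 12 or payload[:1] not in (b"l", b"B"):
        return None
    endian = "<" if payload[:1] == b"l" else ">"
    # Layout: byte-order, unused, major, minor, auth-name len, auth-data len, unused x2
    major, minor, name_len, data_len = struct.unpack(endian + "xxHHHHxx", payload[:12])
    return {
        "byte_order": payload[:1].decode("ascii"),
        "version": (major, minor),
        "auth_name": payload[12:12 + name_len].decode("ascii", "replace"),
        "auth_data_len": data_len,
        "no_auth": name_len == 0 and data_len == 0,
    }

def rule_content_matches(payload):
    """Mimic the content option: a plain substring match, no offset or depth."""
    return RULE_CONTENT in payload

def build_setup(order, auth_name=b"", auth_data=b""):
    """Build a constructed setup request for testing (hypothetical helper)."""
    endian = "<" if order == b"l" else ">"
    pad = lambda b: b + b"\x00" * (-len(b) % 4)  # fields are padded to 4 bytes
    lengths = struct.pack(endian + "HHHH", 11, 0, len(auth_name), len(auth_data))
    return order + b"\x00" + lengths + b"\x00\x00" + pad(auth_name) + pad(auth_data)

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "little-endian, no auth": build_setup(b"l"),
    "big-endian, no auth": build_setup(b"B"),
    "little-endian, cookie": build_setup(b"l", b"MIT-MAGIC-COOKIE-1", b"\xaa" * 16),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        fields = parse_x11_setup(payload)
        print(f"{label:24} rule={rule_content_matches(payload)!s:5} no_auth={fields['no_auth']}")
```

For rule coverage, the output shows that a setup request carrying an MIT-MAGIC-COOKIE-1 does not match, and neither does a no-auth request from a big-endian client, which would need a companion signature.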