Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers


From: Wes Young <wcyoung () BUFFALO EDU>
Date: Wed, 24 Jan 2007 19:32:03 -0500

On Wed, 2007-01-24 at 18:16 -0600, James J. Barlow wrote:
> Warren,
>
> Good writeup and thanks for the info.  I just have a couple things to
> add since what Brian Smith-Sweeney from NYU replied with is spot on to
> what we have seen here at NCSA.

In case anyone's interested, a Snort rule I picked up from somewhere:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( sid: 1226; rev: 5; msg: "X11 xopen"; flow: established; content: "l|00 0B 00 00 00 00 00 00 00 00 00|"; reference: arachnids,395; classtype: unknown; tag: host,seconds,60;)

--
Wes Young
Network Security Analyst
University at Buffalo
 -----------------------------------------------
| GnuPG Sig:        | http://tinyurl.com/yfrcfu |
| My Digg Profile:  | http://tinyurl.com/zrc6m  |
| My Life:          | http://tinyurl.com/dtt4e  |
| CPAN:             | http://tinyurl.com/mujm5  |
 -----------------------------------------------


...there is no spoon.
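What the rule's content bytes encode, as an added example that is not part of the original post: the 12 bytes are the fixed header of an X11 connection setup request sent LSB-first ('l'), protocol version 11.0, with zero-length authorization name and data. The field layout follows the X11 protocol specification; the function names and sample payloads are constructed for this illustration.

```python
import struct

# The rule's content option: "l|00 0B 00 00 00 00 00 00 00 00 00|"
RULE_CONTENT = b"l" + bytes.fromhex("00 0B 00 00 00 00 00 00 00 00 00")

def setup_request(order_byte, auth_name=b"", auth_data=b""):
    """Build a constructed X11 connection setup request (sample data only)."""
    fmt = "<" if order_byte == b"l" else ">"
    pad = lambda b: b + b"\x00" * (-len(b) % 4)   # variable fields pad to 4 bytes
    head = order_byte + b"\x00" + struct.pack(
        fmt + "HHHH", 11, 0, len(auth_name), len(auth_data))
    return head + b"\x00\x00" + pad(auth_name) + pad(auth_data)

# Constructed samples: no authorization, cookie authorization, MSB-first client.
NO_AUTH_LE = setup_request(b"l")
COOKIE_LE = setup_request(b"l", b"MIT-MAGIC-COOKIE-1", b"\xaa" * 16)
NO_AUTH_BE = setup_request(b"B")

def parse_x11_setup(payload):
    """Decode the 12-byte fixed header; None if it is not a setup request."""
    if len(payload) < 12:
        return None
    fmt = {0x6C: "<", 0x42: ">"}.get(payload[0])  # 'l' LSB first, 'B' MSB first
    if fmt is None:
        return None
    major, minor, name_len, data_len = struct.unpack(fmt + "HHHH", payload[2:10])
    return {"byte_order": chr(payload[0]), "major": major, "minor": minor,
            "auth_name_len": name_len, "auth_data_len": data_len}

def rule_matches(payload):
    """Same test as the rule's content option: pattern anywhere in the payload."""
    return RULE_CONTENT in payload

def is_unauthenticated_open(payload):
    """Field-based check: version 11 setup with no authorization, either byte order."""
    hdr = parse_x11_setup(payload)
    return (hdr is not None and hdr["major"] == 11
            and hdr["auth_name_len"] == 0 and hdr["auth_data_len"] == 0)

if __name__ == "__main__":
    for name in ("NO_AUTH_LE", "COOKIE_LE", "NO_AUTH_BE"):
        p = globals()[name]
        print(name, rule_matches(p), is_unauthenticated_open(p), parse_x11_setup(p))
```

The byte pattern only covers LSB-first clients; the field-based check reports the same no-authorization condition for MSB-first ('B') setup requests as well.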
