funsec mailing list archives
Re: Question for the group
From: xyberpix <xyberpix () xyberpix com>
Date: Thu, 16 Feb 2006 23:07:57 +0000
I dunno so much about books and periodicals, but I bet you've got a load of 'puters over there that would make a nice addition to a botnet.
Get login credentials working on the proxy, and then you may have a valid login somewhere else on your network.
Could be wrong though? Hope so...

xyberpix
Blog: http://blogs.securiteam.com

On 11 Feb 2006, at 21:42, Paul Schmehl wrote:
Recently we discovered that some message boards in China were posting the URLs for web proxies at various universities, along with "login credentials". In our case that meant the URL and a sixteen digit number that represented our "Comet Card" IDs, smart cards that we issue to every student, staff and faculty member when they arrive.

It wasn't long before someone wrote a script that automated the process of logging in to the exProxy server in order to generate a list of valid IDs.

In the meantime, I was in discussions with the library and explained to them that the sixteen digit numbers weren't sufficient and they needed security. As a stopgap measure, they added a second "credential", the user's last name.

Now we're seeing scripted attacks cycling through our directory (last name only) and then attempting each of those last names along with a valid id, in an effort to generate a list of valid "login" combinations.

Here's the question I have. We were just notified by another university that they had detected bots on *their* network running the above script against our proxy. According to their security officer (who I know is competent), these bots were infected with breplibot.

Is this something new? And why the hell do they want to grab books and periodicals? Can they sell them?

(I know what the solution to the library's problem is. I just have to get them to accept that what I told them early on is the only answer - tie in to our LDAP auth system short term, and use CAS once it's implemented.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
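The two scripted patterns described in the quoted message (one source walking through card IDs, then many last names tried against a single ID) can be flagged from proxy authentication logs. The following is an added example, not part of the original thread: the log format, field names, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

TARGET_ID = str(6 * 10**15 + 42)  # constructed 16-digit card ID

def constructed_log():
    """Constructed sample lines: timestamp source_ip card_id last_name result."""
    lines = []
    # One source walking through card IDs (ID-only login, last name "-").
    for i in range(6):
        lines.append(f"2006-02-11T21:00:{i:02d} 203.0.113.7 {6 * 10**15 + i} - FAIL")
    # Two sources cycling last names against one card ID.
    names = ["smith", "jones", "lee", "garcia", "brown", "davis"]
    for i, name in enumerate(names):
        src = ("198.51.100.9", "198.51.100.23")[i % 2]
        lines.append(f"2006-02-11T21:05:{i:02d} {src} {TARGET_ID} {name} FAIL")
    # An ordinary user: one mistyped name, then a successful login.
    user_id = 6 * 10**15 + 99
    lines.append(f"2006-02-11T21:10:00 192.0.2.10 {user_id} nguyne FAIL")
    lines.append(f"2006-02-11T21:10:09 192.0.2.10 {user_id} nguyen OK")
    return lines

def detect(lines, max_ids=5, max_names=5):
    """Return sorted alerts for ID enumeration and last-name cycling."""
    ids_by_src = defaultdict(set)   # source -> distinct card IDs that failed
    names_by_id = defaultdict(set)  # card ID -> distinct last names that failed
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[4] != "FAIL":
            continue  # skip malformed lines and successful logins
        _ts, src, card_id, last_name, _result = parts
        ids_by_src[src].add(card_id)
        if last_name != "-":
            # Keyed on the card ID alone so attempts spread over several
            # bots still add up.
            names_by_id[card_id].add(last_name.lower())
    alerts = [("id_enumeration", src, len(ids))
              for src, ids in ids_by_src.items() if len(ids) > max_ids]
    alerts += [("name_cycling", card_id, len(names))
               for card_id, names in names_by_id.items() if len(names) > max_names]
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

Sources that aggregate many legitimate users, such as a campus NAT address, need a higher `max_ids` or an allowlist.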