Published: 2008-05-11,
Last Updated: 2008-05-11 21:48:56 UTC
by David Goldsmith (Version: 1)
We received a report from Mike this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a Google search for these two URLs, you get about 400,000 sites that now include a call to this JavaScript file. The majority of the sites seem to be running phpBB forum software.
If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.
Posted by ivan0914 on PIXNET. Comments (0), Views (25)

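May 12, 2008 – 11:24:05 The ezTravel (易遊網) website has been found to contain an XSS (Cross-Site Scripting) vulnerability; as of now, it has not been fixed. (Credit: 天罣)
Cross-site scripting (XSS): an attacker uses fields on a website that accept user-entered characters or strings to insert HTML and script code, so that when other, legitimate users view the page, their browsers download and execute the malicious code, or they are silently redirected to a malicious website, and are affected in some way. Most websites today emphasize interactive features and include many fields that accept user input, such as guestbooks, discussion boards, and search fields. Some of these features store the user's input in a back-end database; if an attacker submits input containing attack code, users who open the page are exposed to some degree of threat because unexpected actions are executed.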

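May 12, 2008 – 14:05:30 Trend Micro, a global leader in Internet content security, stated today that 72.5% of computers worldwide are infected with grayware and crimeware! The figure comes from scans of 291,084 computers in twenty countries and regions, including Taiwan, Australia, China, and the United States, performed with the online scanner HouseCall (Note 1). The results show that all kinds of ill-intentioned grayware have already taken hold on them, with the share of machines carrying adware as high as 38.6%. Compared with the figures from six months earlier, adware is the only one of the four grayware categories to have risen, which highlights that planting adware for profit has become another revenue channel for attackers.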
http://www.networksecurityjournal.com/features/open-source-security-tools-applications-resources-041007/
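Security tools based on open source, covering mail, virus protection, web tools, firewalls, network monitoring, Intrusion Detection System (IDS), virtual networks, wireless networks, encryption, and more.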

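May 7, 2008 – 00:55:55 The 精誠資訊 website has again been found by XSSed to contain an XSS (Cross-Site Scripting) vulnerability; as of now, it has not been fixed (the earlier fix merely took the search page off the home page and did not actually patch the XSS vulnerability).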

May 7, 2008 – 10:24:38 The 中華軟協資安促進會 website has been found by XSSed to contain an XSS (Cross-Site Scripting) vulnerability; as of now, it has not been fixed. (Credit: 天罣)
Published: 2008-05-06,
Last Updated: 2008-05-06 21:11:52 UTC
by John Bambenek (Version: 1)
A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL Injection worm that is on the loose. A quick Google search shows that there are about 4,000 websites infected and that this worm started at least mid-April if not earlier. Right now we can't speak intelligently to how they are getting into databases, but what they are doing is putting in some scripts and iframes to take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well.
The details: the script source that is injected into webpages is hxxp://winzipices.cn/#.js (where # is 1-5). This, in turn, points to a corresponding asp page on the same server (i.e. hxxp://winzipices.cn/#.asp). This in turn points back to the exploits, either from the cnzz.com domain or the 51.la domain. The cnzz.com (hxxp://s141.cnzz.com) domain looks like it could be set up for single flux, but it's the same pool of IP addresses all the time right now. hxxp://www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.
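The indicators in the diary above turned into a proxy-log check, as an added example that is not part of the original diary. The log layout (timestamp, client, method, URL, status) and every log line are constructed; matching is done on the parsed hostname and path rather than on a substring, so look-alike hosts and query strings are not flagged.

```python
import re
from urllib.parse import urlsplit

# Indicators from the diary; "#" stands for a digit 1-5, None means any path.
INDICATORS = [
    ("injected script", "winzipices.cn", "/#.js"),
    ("intermediate asp page", "winzipices.cn", "/#.asp"),
    ("exploit host", "s141.cnzz.com", None),
    ("exploit host", "www.51.la", None),
]

def _path_regex(template):
    """Compile '/#.js' into a regex that accepts only /1.js ... /5.js."""
    pattern = re.escape(template).replace(re.escape("#"), "[1-5]")
    return re.compile(pattern + r"\Z", re.IGNORECASE)

COMPILED = [(label, host, _path_regex(p) if p else None)
            for label, host, p in INDICATORS]

def classify_url(url):
    """Return the diary stage a URL belongs to, or None if it is unrelated."""
    parts = urlsplit(url.replace("hxxp://", "http://"))  # accept defanged input
    host = (parts.hostname or "").rstrip(".")            # lower-cased, port dropped
    for label, ind_host, path_re in COMPILED:
        if host == ind_host and (path_re is None or path_re.match(parts.path)):
            return label
    return None

def scan_proxy_log(lines):
    """Return (client, stage) for every log line that hits an indicator."""
    hits = []
    for line in lines:
        fields = line.split()
        url = next((f for f in fields if f.startswith(("http://", "hxxp://"))), None)
        label = classify_url(url) if url and len(fields) >= 2 else None
        if label:
            hits.append((fields[1], label))
    return hits

# Constructed sample log (kept defanged): timestamp client method URL status.
SAMPLE_LOG = """\
2008-05-06T20:01:11Z 10.0.0.21 GET hxxp://winzipices.cn/3.js 200
2008-05-06T20:01:12Z 10.0.0.21 GET hxxp://winzipices.cn/3.asp 200
2008-05-06T20:01:13Z 10.0.0.21 GET hxxp://s141.cnzz.com/ 200
2008-05-06T20:02:40Z 10.0.0.35 GET hxxp://WINZIPICES.CN:80/1.js 200
2008-05-06T20:03:02Z 10.0.0.40 GET hxxp://winzipices.cn.example.org/1.js 200
2008-05-06T20:03:09Z 10.0.0.41 GET hxxp://intranet.example/?q=winzipices.cn/1.js 200
2008-05-06T20:03:15Z 10.0.0.42 GET hxxp://winzipices.cn/9.js 404
""".splitlines()
```

A client that appears with all three stages in sequence, like 10.0.0.21 in the sample, followed the whole chain and is the first candidate for cleanup.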
Published: 2008-05-06,
Last Updated: 2008-05-06 20:10:06 UTC
by John Bambenek (Version: 1)
Microsoft, it appears, has just released Windows XP Service Pack 3. For the most part, it is a bundle of all the updates since Service Pack 2, but there are some key differences. First, the big gotcha:
If you are an IE 6 user, SP3 will simply update your IE 6 installation. You will continue to be able to upgrade to IE 7 as an option.
Published: 2008-05-06,
Last Updated: 2008-05-06 20:05:51 UTC
by Marcus Sachs (Version: 1)
While a day does not go by without many public announcements of vulnerabilities in consumer and business software, it is rather rare when we hear about something wrong with software that is used to monitor or control industrial systems. Commonly called SCADA (Supervisory Control And Data Acquisition) or PCS (Process Control System), these are the systems that monitor and operate oil and gas refineries, large manufacturing plants, assembly lines, railroads, electrical grids, and countless other industrial processes.
Core Security announced yesterday that there is a Denial of Service vulnerability in the Invensys Wonderware InTouch SuiteLink service running in Windows operating systems, specifically slssvc.exe. According to Core, this vulnerability "could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario."

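May 4, 2008 – 10:44:13
Note: please help notify them, thank you. Blogs hosted under 麗嬰房媽咪 have had malicious links planted in them; the malware is TSPY_ONLINEG.IA (a trojan that steals accounts and passwords). Anyone who has recently visited these pages should check their computer for infection as soon as possible
(almost all of the users' blogs hosted there are affected; this is bad, and many users have probably been infected). (Credit: Google)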