Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: Wes Young <wcyoung () BUFFALO EDU>
Date: Wed, 24 Jan 2007 19:32:03 -0500

On Wed, 2007-01-24 at 18:16 -0600, James J. Barlow wrote:
Warren,

Good writeup and thanks for the info.  I just have a couple things to
add since what Brian Smith-Sweeney from NYU replied with is spot on to
what we have seen here at NCSA.

in-case anyone's interested, a snort rule I picked up from somewhere:

alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 ( sid: 1226; rev: 5; msg:
"X11 xopen"; flow: established; content: "l|00 0B 00 00 00 00 00 00 00
00 00|"; reference: arachnids,395; classtype: unknown; tag:
host,seconds,60;)

--
Wes Young
Network Security Analyst
University at Buffalo
 -----------------------------------------------
| GnuPG Sig:        | http://tinyurl.com/yfrcfu |
| My Digg Profile:  | http://tinyurl.com/zrc6m  |
| My Life:          | http://tinyurl.com/dtt4e  |
| CPAN:             | http://tinyurl.com/mujm5  |
 -----------------------------------------------


...there is no spoon.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]