On Tue, 8 Jan 2002, leon wrote:

> I have been reading this list for a couple of years now and I just
> got done reading hacker's challenge. Great book (hi to everyone who
> contributed and reads this list, I know David D is one of them). The
> book is quite unique in how it goes about presenting itself.
> Basically it is 20 challenges (here is what happened, here are the
> logs, and here are some questions). At the end of the book are the
> solutions (how a security professional figured out xy and most
> importantly z). I'm up to about chapter 9.

Very interesting book, and probably of interest to the readers of this list.

> months. So I ask upon you incidents list (ye who have SO MUCH more
> experience than I) do systems being compromised by zero day exploits
> really happen (I am sure they happen but I am really curious as to
> the frequency and how a professional goes about dealing with a never
> seen before exploit.)

As you stated, the vast majority of attacks out there are for older
vulnerabilities. I can give a few anecdotal examples of 0-day. (In most
cases, it's an unknown exploit, not an unknown vulnerability.)

- The snmpXdmid exploit. Search the Incidents archives for "Carko".
  Someone found a binary exploit for the snmpXdmid Solaris hole on a
  compromised machine. We analyzed the binary. As part of the
  investigative work, I found evidence for at least 4, and possibly 5,
  unpublished snmpXdmid exploits in the wild. Unpublished means they
  didn't appear on the usual mailing lists, nor on public websites.

- The .htr worm. The guys at eEye were given a copy of a worm that
  exploited the .htr IIS hole. This was supposedly before the hole was
  known publicly (true 0-day?) and is supposed to have been a precursor
  to CodeRed (shows some similarities.) Don't know why the worm wasn't
  more "successful".

- There have been several "leaked" exploits, which have been discussed
  here and on Bugtraq. These include a TESO telnet exploit, and one or
  two SSH CRC32 exploits.

And of course, before Bugtraq was prevalent, all exploits that made it
around were "private", stolen, etc...

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 21:41:56 PST