STEAM-CIRT Observations and Trends Summary for March 2006

The month of March saw no new major virus outbreaks, and indeed Mailhub anti-virus blocking statistics indicate that email-borne viruses have declined during March. In addition, there were no significant IT incidents despite the disclosure of several critical vulnerabilities in Sendmail [1], Internet Explorer [2], and Veritas Backup Exec software [3, 4].

Indeed, the month of March would be considered unremarkable in terms of Incident Response, were it not for an increase in X11 scanning and snooping. As a result of this activity, the STEAM-CIRT re-released an updated version [5] of its January 2006 advisory [6] regarding X11 snooping activity. The STEAM-CIRT also began monitoring X11 traffic across the West Lafayette campus border on March 15th to detect unexpected increases in incoming tcp/6000 traffic that might indicate an attack. The following graph shows approximately 17 peaks (orange) of incoming X11 traffic. The majority of these peaks can likely be attributed to the scanning of Purdue IP space for “snoopable” X-Windows servers or successful snooping of vulnerable X-Windows servers.

(Note: the time period covered by this graph spans from March 15th through March 31st, 2006.)
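One way to flag such peaks from border flow records, shown as an added example that is not the STEAM-CIRT's own tooling. The record layout, the placeholder campus prefix, the thresholds and the scan/session labels are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

CAMPUS = ip_network("192.0.2.0/24")  # placeholder prefix (assumption), not a real campus range
X11_PORT = 6000                      # X11 display :0 listens on tcp/6000

def hourly_x11(flows):
    """Aggregate inbound tcp/6000 flows per hour: flow count, distinct targets, bytes."""
    buckets = defaultdict(lambda: {"flows": 0, "dsts": set(), "bytes": 0})
    for hour, src, dst, proto, dport, nbytes in flows:
        inbound = ip_address(dst) in CAMPUS and ip_address(src) not in CAMPUS
        if inbound and proto == "tcp" and dport == X11_PORT:
            b = buckets[hour]
            b["flows"] += 1
            b["dsts"].add(dst)
            b["bytes"] += nbytes
    return buckets

def threshold(values, k, floor):
    """Robust baseline: median + k * MAD, with MAD floored so a flat baseline still works."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, floor)

def find_peaks(flows, hours, k=5.0, scan_dsts=10):
    """Return {hour: label} for hours whose flow count or byte volume exceeds baseline."""
    buckets = hourly_x11(flows)
    stats = {h: buckets[h] for h in hours}  # hours with no X11 traffic count as zero
    flow_limit = threshold([s["flows"] for s in stats.values()], k, floor=1)
    byte_limit = threshold([s["bytes"] for s in stats.values()], k, floor=1024)
    peaks = {}
    for h, s in stats.items():
        if s["flows"] > flow_limit or s["bytes"] > byte_limit:
            # Heuristic (assumption): many targets = scan; few targets, high volume = session.
            peaks[h] = "scan" if len(s["dsts"]) >= scan_dsts else "sustained-session"
    return peaks

def sample_flows():
    """Constructed sample: 24 hours of background, one sweep, one long session."""
    flows = [(h, "198.51.100.7", "192.0.2.10", "tcp", 6000, 300) for h in range(24)]
    flows += [(9, "203.0.113.5", f"192.0.2.{i}", "tcp", 6000, 60) for i in range(1, 41)]
    flows += [(17, "203.0.113.9", "192.0.2.20", "tcp", 6000, 2_500_000)]
    flows += [(9, "203.0.113.5", "192.0.2.30", "tcp", 22, 60)]  # other port, ignored
    return flows

if __name__ == "__main__":
    for hour, label in sorted(find_peaks(sample_flows(), range(24)).items()):
        print(f"hour {hour:02d}: {label}")
```

An hour labelled "sustained-session" only indicates a high-volume connection to few X servers; confirming snooping requires checking the targeted host's X access controls.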

In the February 2006 monthly summary, the STEAM-CIRT reported that there had been an increase in unauthorized access activities via “vulnerabilities exploited in various web applications”. This trend has continued through March and is not expected to decrease in the near future.

