Someone from the UK posted malicious code in the funny picture thread. What's somewhat funny is that he put it in a code tag instead of dohtml (which is disabled for newbies anyway), and it was some kind of link that forces a malicious file to request to download.
So I set him up a cute message for his IP range. Now, it does not end here: there's an entry in the log for martz trying to access the site. Kind of makes ya wonder, huh.
Actually, in general my whole scada system has been very busy detecting and alerting me of suspicious activity like that. I need to reprogram it because there are so many IP rules it's getting out of hand. Need a more organized, database-driven rule system.
This just comes to show how safe you all are here, from people like that.
Archived topic from Iceteks, old topic ID:1957, old post ID:16038
Pwned
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
Pwned
Honk if you love Jesus, text if you want to meet Him!
-
- Posts: 5140
- Joined: Fri Jan 10, 2003 1:14 am
Pwned
Isn't this the first person to do such a thing?
Well, good thing he/she couldn't have done anything anyway since DOHTML tags were disabled for him/her...
Archived topic from Iceteks, old topic ID:1957, old post ID:16039
- Red Squirrel
- Posts: 29209
- Joined: Wed Dec 18, 2002 12:14 am
- Location: Northern Ontario
Pwned
Yeah, it's the first time I can recall that malicious code is posted. Most others know better. Thing is too, I had to copy and paste it for it to actually work. He tried to use JavaScript for some reason, instead of a normal URL. I kept the post there, but edited the URL out of the code.
I've been wanting to enhance the rule system, and maybe even program an AI engine to detect malicious activity. I might do that tonight, the rule part anyway; the AI thing can wait, and I don't think we need it that much anyway. I pretty much notice funny activity myself from the logs and alerts alone.
Archived topic from Iceteks, old topic ID:1957, old post ID:16041
Honk if you love Jesus, text if you want to meet Him!