Why it’s a good idea to keep on top of Windows Updates

By November 5, 2012 Technical

Our IDS has proven itself extremely valuable several times so far, so we thought we’d share something interesting that it picked up.

What’s an IDS?

In case you’ve not come across the term “IDS” before, and seeing as we haven’t mentioned it previously, we’ll go over that first.

An Intrusion Detection System, or IDS for short, is a system that sits on a network and compares packets to a set of rules. These rules contain signatures, which are patterns that are defined to detect malicious and potentially dangerous network activity.

When our IDS detects something, it will write a line to a log file that we monitor. It does NOT capture and keep data.

We won’t go into further detail about our IDS at this stage; maybe later ;)

Why you should update

But enough about the IDS, and onto what it found.

We detect millions of potentially malicious packets on a daily basis. These are your common RDP, SSH, FTP, etc. brute force attacks that blindly cycle through different combinations of usernames and passwords. Once in a while an alert will pop up that catches my attention.

This one was something that very much tickled my fancy (some details are redacted for anonymity):

10/xx/2012-xx:xx:xx.xxxx  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} xxx.xxx.xxx.xxx:63339 -> xxx.xxx.xxx.xxx:3389

This particular signature relates to the vulnerability discovered earlier this year in the Remote Desktop Protocol. It was identified as CVE-2012-0002 and MS12-020.

The flaw itself was caused by the way Windows handled a certain part of an RDP packet in memory. This could result in one of two things, depending on which version of Windows you’re running:

  • A blue screen of death
  • Remote code execution

This particular vulnerability was patched by Microsoft with an out-of-band update. If you’re a Windows customer with us, you would have received notification that we were scheduling some emergency downtime to get it patched immediately.

While the exploit is several months old, many users and admins don’t keep their systems patched, leaving themselves vulnerable. That’s why you still see it roaming in the wild instead of dying out quickly (as it should).

Of course this machine had been patched straight away so the exploit attempt was ineffective. Our IDS was watching and caught it in the act, and we banhammered the offending IP with great prejudice.
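The post does not name the IDS, but the alert line quoted above follows the fast-log layout that Snort and Suricata write. As an added example (not code from the post or from Anchor), here is a small parser for that layout plus a filter that pulls out the source addresses of Priority 1 alerts, the kind of log monitoring that feeds a ban like the one described above; the sample log lines are constructed, with RFC 5737 documentation addresses in place of the redacted ones and a made-up sid and message for the SSH line.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One alert line in the fast-log layout quoted in the post:
# ts [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<cls>[^\]]+)\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

@dataclass(frozen=True)
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    src: str
    dst: str
    dport: int

def parse_alert(line: str) -> Optional[Alert]:
    """Parse one log line; None for anything that is not a well-formed alert (truncated or noise)."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return Alert(int(m["sid"]), m["msg"], m["cls"], int(m["prio"]),
                 m["src"], m["dst"], int(m["dport"]))

def sources_to_block(lines: Iterable[str], max_priority: int = 1) -> List[str]:
    """Source IPs with at least one alert at priority <= max_priority (1 is the most severe).
    Lower-priority brute-force noise is deliberately left alone here; rate limiting handles that better."""
    alerts = (a for a in map(parse_alert, lines) if a is not None)
    return sorted({a.src for a in alerts if a.priority <= max_priority})

# Constructed sample log. RFC 5737 documentation addresses stand in for the IPs redacted in the post;
# the SSH line uses a made-up sid (9000001) and message, the RDP line uses the sid from the post.
SAMPLE_LOG = [
    "10/14/2012-03:12:45.1234  [**] [1:2014383:2] ET EXPLOIT Microsoft RDP Server targetParams Exploit Attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:63339 -> 198.51.100.20:3389",
    "10/14/2012-03:12:46.0001  [**] [1:9000001:1] EXAMPLE SSH brute force attempt [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.77:51000 -> 198.51.100.20:22",
    "garbage line left over from log rotation",
]

if __name__ == "__main__":
    print(sources_to_block(SAMPLE_LOG))  # ['203.0.113.5']
```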

Some fun extra reading

If you’re interested in some more of the details, these pages provide good coverage.
