[Emerging-Sigs] Suspect Digital Alpha UA...

waldo kitty wkitty42 at windstream.net
Sat Oct 2 15:44:55 EDT 2010

On 10/2/2010 12:40, Martin Holste wrote:
> I think this sig, as well as other sigs for super-old platforms will
> be valuable not only for spotting fake UA's, but also for alerting
> admins to boxes that have been forgotten about for thousands of years
> (ok, maybe thousands of days).

agreed... i don't know if i made it known in my first post in this thread but i 
found this UA /because/ it was being used to consistently try to beat a path 
into my forums... it is pretty obvious that they're up to something when they 
try to register the same name numerous times in a matter of seconds... even more 
obvious when they do the register thing and then immediately attempt to post a 
message within the same second or after only a few... *especially* on a forum 
that requires confirmation and authentication :lol:

> What are the chances the box that is actually an Alpha is actually
> patched?

i dunno... i've thought about possibly hunting one down... it might make a nice 
friend for the System36 that over here holding up one end of this custom 
desk/workbench ;)

there's also the question of what are the chances that the box is really an 
Alpha? one person has responded that they do have an Alpha but it is running a 
different OS which was one consideration i had for leaving the entire UA string 
in the rules that i posted :)

> I would personally welcome more sigs like this for a poor-man's network
> discovery tool. They would obviously need some thresholding and maybe
> should be disabled by default, but I can definitely see how they could
> be useful.

i figure since they are helpful to me, they should be helpful to others as 
well... as i find these UAs that are consistently doing activities like 
described above, i research them to try to determine if creating a UA sig is 
worth it or if it is too common a UA and one that is still in widespread use 
performing normal browsing activities... stopping forum spammers based simply on 
UA is only going to work for so long, though...

> --Martin
> On Fri, Oct 1, 2010 at 9:35 PM, waldo kitty<wkitty42 at windstream.net>  wrote:
>> On 10/1/2010 17:13, Michael Scheidell wrote:
>>>    On 10/1/10 4:51 PM, Matthew Jonkman wrote:
>>>>   alert tcp $EXTERNAL_NET any ->  $HOME_NET $HTTP_PORTS
>>>>   (msg:"LOCAL.RULES Suspect
>>>>   Inbound AlphaServer UA"; flow:to_server,established; content:"|0d
>>>>   0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 4.01\; Digital
>>>>   AlphaServer 1000A
>>>>   4/233\; Windows NT\; Powered By 64-Bit Alpha Processor)|0d 0a|"; nocase;
>>>>   classtype:trojan-activity; sid:1005004; rev:1;)
>>> it they ARE, its a sure bet they haven't been patched in a LONG time.
>>> (I had a dec alpha 1000A. can't remember how long ago. was a great box).
>> i bet! especially considering the comment from that one site i quoted... that
>> comment being that they couldn't use that browser to apply the next updates to
>> it... sheesh, what will m$ think of next? :lol:
>>> but I doubt anyone.. wait .. I wonder if these might be running in
>>> Iranian power plants?
>> ROTFLMAO!!! if they are, they are really in trouble over there... today, i saw
>> one of these UAs, the only one, actually attempt to visit my gallery instead of
>> trying to infiltrate my forums... needless to say, it didn't get anywhere :P

More information about the Emerging-sigs mailing list