Re: [Full-Disclosure] Windows Registry Analyzer
http://www.sysinternals.com/ntw2k/source/regmon.shtml

Check out all their stuff - filemon is the cousin app for watching file systems.

On Thu, 3 Mar 2005 10:35:49 -0500, Danny [EMAIL PROTECTED] wrote:
> Anyone know of any free tools to analyze what changes have been made to a Windows 2000/XP registry?
>
> Thanks,
> ...D

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] I thought Microsoft were releasing new security patches today (11 Jan 2005)?
On Tue, 11 Jan 2005 15:13:45 -, Mike Diack [EMAIL PROTECTED] wrote:
> Where are they?
>
> Mike

My experience has been that the 2nd Tuesday of the month patch drop occurs late in the day or evening, Eastern Standard Time.

Matt
Re: [Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable
On Sat, 8 Jan 2005 10:12:23 -0600, RandallM [EMAIL PROTECTED] wrote:
> I don't think it's going to be free. While doing a small amount of research on the spyware community I found this text string in the GianttAntiSpywareUpdater.exe:

Doesn't the fact that the executable's name contains a company that no longer exists (Giant) indicate that perhaps this BETA software will undergo some changes before its full release as a Microsoft product?
Re: [Full-Disclosure] TCP Port 42 port scans? What the heck over...
http://isc.sans.org/port_details.php?port=42&repax=1&tarax=2&srcax=2&percent=N&days=70&Redraw=

Shows a fairly large spike over the weekend. 42 is used for WINS (MS's netbios name server) replication, and recently the Immunitysec folks found an exploitable bug in the WINS service.

Still, given how few people one would expect to have that port accessible through a firewall, or just how low the percentage of windows servers running WINS is, it is somewhat of a strange target if it is indeed an attempted WINS exploit.

Matt

On Mon, 13 Dec 2004 06:46:38 -0700, James Lay [EMAIL PROTECTED] wrote:
> Here they be. ODD. Anyone else seeing this?
>
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.7 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: X12 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.14 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.2 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Htpedi drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.17 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
> Dec 13 06:41:49 gateway kernel: Edirecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.20.12 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0
>
> James Lay
> Network Manager/Security Officer
> AmeriBen Solutions/IEC Group
> Deo Gloria!!!
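As an added example (this is not code from the thread or from James Lay's gateway), here is a small parser for the netfilter LOG lines quoted above, plus the check a practitioner would actually run over them: group TCP SYNs by (source, destination port) and flag a source that hits several distinct hosts on one port within the capture. It also reports whether the IP ID and source port stayed constant across the sweep, since a normal TCP stack varies both between connections and a constant pair points at crafted packets. Four of the sample lines are copied from the post; the fifth is constructed for contrast and marked as such. Field names follow what netfilter's LOG target emits; the prefix handling and the `min_targets` threshold are my own choices.

```python
import re
from collections import defaultdict

# Four lines copied from the post (the workbox line has no bridge/PHYS* fields).
POSTED_LINES = [
    "Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 13 06:41:49 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.18.1 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 13 06:41:49 gateway kernel: Web netrecall drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=131.252.116.141 DST=10.1.19.4 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Dec 13 06:41:49 workbox kernel: IN=eth0 OUT= MAC=00:60:97:a5:76:36:00:10:7b:90:bc:30:08:00 SRC=131.252.116.141 DST=10.1.200.10 LEN=40 TOS=0x00 PREC=0x00 TTL=116 ID=57370 DF PROTO=TCP SPT=6000 DPT=42 WINDOW=65535 RES=0x00 SYN URGP=0",
]
# Constructed line (not from the post): one ordinary inbound HTTP SYN from an
# unrelated host, so the sweep check has something to ignore.
CONSTRUCTED_LINES = [
    "Dec 13 06:42:03 gateway kernel: Web1 drops:IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.77 DST=10.1.18.1 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=1023 DF PROTO=TCP SPT=41222 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]
SAMPLE_LINES = POSTED_LINES + CONSTRUCTED_LINES

# syslog timestamp, host, "kernel:", then the LOG target's output
_LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s*(?P<rest>.*)$"
)
# KEY=VALUE pairs; flag words such as DF and SYN carry no "=" and are bare tokens
_KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of fields for one netfilter kernel log line, or None if it does not match."""
    m = _LOG_LINE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {"ts": m.group("ts"), "host": m.group("host")}
    # Anything before the first "IN=" is the rule's --log-prefix (e.g. "Web netrecall drops:").
    # The real IN= always precedes PHYSIN=, so the first match is the right one.
    idx = rest.find("IN=")
    fields["prefix"] = rest[:idx].strip() if idx >= 0 else ""
    body = rest[idx:] if idx >= 0 else rest
    fields.update(_KV.findall(body))
    flags = {tok for tok in body.split() if "=" not in tok}
    fields["syn"] = "SYN" in flags
    return fields


def sweep_report(lines, min_targets=3):
    """Group TCP SYNs by (SRC, DPT). For every group that reached at least
    min_targets distinct DSTs, return the sorted targets and whether the IP ID
    and source port never changed across the group (a sign of crafted packets)."""
    groups = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        if f and f.get("PROTO") == "TCP" and f["syn"]:
            groups[(f["SRC"], int(f["DPT"]))].append(f)
    report = {}
    for key, pkts in groups.items():
        targets = sorted({p["DST"] for p in pkts})
        if len(targets) < min_targets:
            continue
        report[key] = {
            "targets": targets,
            "constant_ipid": len({p["ID"] for p in pkts}) == 1,
            "constant_sport": len({p["SPT"] for p in pkts}) == 1,
        }
    return report


if __name__ == "__main__":
    for (src, dport), info in sweep_report(SAMPLE_LINES).items():
        print(f"{src} -> tcp/{dport}: {len(info['targets'])} hosts, "
              f"constant IP ID={info['constant_ipid']}, constant sport={info['constant_sport']}")
```

Run against the posted lines the report contains a single entry, 131.252.116.141 sweeping tcp/42 across four hosts in the same second with IP ID 57370 and source port 6000 on every packet; the constructed port-80 line from another source is ignored because it reaches only one host.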
Re: [Full-Disclosure] Just out - KB839645 - wonder what this fixes?
http://www.microsoft.com/technet/security/bulletin/MS04-024.mspx

On Tue, 13 Jul 2004 18:05:31 +0100, Randal, Phil [EMAIL PROTECTED] wrote:
> From the install log on an XP box:
>
> Copied file: C:\WINDOWS\System32\fldrclnr.dll
> Copied file: C:\WINDOWS\System32\shell32.dll
> Copied file: C:\WINDOWS\System32\shlwapi.dll
> Copied file: C:\WINDOWS\System32\sxs.dll
> Copied file: C:\WINDOWS\System32\DllCache\shlwapi.dll
> Copied file: C:\WINDOWS\System32\xpsp2res.dll
> Copied file: C:\WINDOWS\System32\DllCache\xpsp2res.dll
>
> Cheers,
>
> Phil
>
> Phil Randal
> Network Engineer
> Herefordshire Council
> Hereford, UK
Re: [Full-Disclosure] PIX vs CheckPoint
On Tue, 29 Jun 2004 16:57:42 -0700 (PDT), Gary E. Miller [EMAIL PROTECTED] wrote:
> I agree, except for one small problem. Don't you still have to delete ALL the filter rules, and reenter them ALL to change the order of the rules? Last I checked there was no insert before, insert at top sort of options. Just insert at end. This and other features can really slow down the otherwise decent CLI.

PIX OS 6.2 (IIRC) introduced a feature for line editing:

access list ostiguy line 15 ...

should enter this line as line 15 in the acl.

no access list ostiguy line 12

should delete line 12 of the acl.

> Another bad thing about the PIX CLI is that it looks a lot like the IOS CLI, but has lots of subtle differences that will byte you when you least expect it.
>
> RGDS
> GARY

I can't think of an instance where this is a bad thing, as generally, the pix is more forgiving than IOS, as all the show commands work in a PIXen's configuration mode.

ostiguy