ALD, [ Aditya Lalit Deshmukh ] wrote:
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity adviser Richard Clarke
But I really like good coffee. Is that so wrong? lol
so u must be drinking some kind of
Err, Pegasus Mail :) (a free POP3 client)
Seriously..! When I get some time I plan to add the exe and zip
filters to SpamPal, which is a free Windows-based anti-spam POP3
proxy that supports multiline regular expressions. It has some virus-
specific base-64 sigs, but does not currently have
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:UnixWare 7.1.3up : tcpdump several vulnerabilities in tcpdump.
Advisory number:
I am in over my head technically on this. I just want to know if this is
suspicious or normal. In MS Outlook, received unsolicited email that
displayed the following link highlighted within the text of the message:
www.vault.com source=a href=www.vault.comwww.vault.com/abr
However, when I
Dear Readers:
You may have heard of this application before. Here's a few excerpts from
the chronicles of comersus shopping cart:
1.) http://secunia.com/advisories/12026/
Thomas Ryan, XSS
2.) http://www.net-security.org/vuln.php?id=3559
Thomas
Hi,
Does anyone have any more information than
http://www.checkpoint.com/techsupport/alerts/asn1.html
Cheers,
Matt
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
The funny thing is I was the manager of an Italian family owned coffee shop
for 4 years. Then I worked for a local roaster for about a year and a half.
That coffee is real as far as I know..but it is in the range of 100 dollars
a pound. Jamaican Blue Mountain is one of the most expensive - around
In my not so humble opinion, Cryptomer has been doing a good job of
finding
interesting things and putting them up for Public View. MI6 really is
kind of
irritated by them..
I think the folks who favour the "Induce Act" and stuff like that are
floating stories
and stuff like that. It is a
We are currently experiencing problems with the mail server that handles
the list. Please be patient over the next few days while we work to
resolve the issue. Please expect some delays as we are working on
repairing the problems.
Thanks
Len
___
One of the boxes at work actually got rooted through a successful
attempt at the account test. They later proceeded to get root through
a local exploit. This box was badly unpdated.
log entries..
Jul 12 22:26:51 server sshd[12868]: Accepted password for test from
130.15.15.239 port 1954 ssh2
Jul
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
__
SCO Security Advisory
Subject:OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities
in Sendmail
Advisory number:
This would be a useful tool. Is there a way to tell what zone IE is using
when it runs scripts in pages? For instance,
if I put the following in a .htm file and save to my desktop and attempt to
run. It throws a permission denied error on the objShell.Help() line.
Shouldn't this be running in
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]GLSA 200407-21:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
On Thu, 29 Jul 2004, Kurt Lieber wrote:
Affected packages
=
---
Package / Vulnerable / Unaffected
---
On Tue, July 27, 2004 9:48 pm, ALD, [ Aditya Lalit Deshmukh ] said:
i would like to know from all ie auditing folks if there is a simple way
to understand in which zone a scripts
(vbscript,jscript,hta) are executed.
depends from where they were loaded ! if loaded from a website then they
Hmmm - I have also been getting those login attempts, but thought them to
be harmless. Maybe they are not *that* harmless, though... Today I
managed to get my hands on a machine that was originating such login
attempts. I must admit I am far from being a linux security expert, but
this is what I've
[SCRIPT] d = window.open().document;
d.write("x"); d.body.innerHTML = "STYLE@;/*";
[/SCRIPT]
Every once in awhile one will get a person who will trip across things
that are
kind of the worlds open secrets and he will sort of freak about it.
Anyone who
has worked in a real security environment will know these things are
kept far
from such open things as the internet. I think what he
Hi list,
setting up a honeypot, I was able to identify some of the activity
associated with these login attempts.
after the honeypot's been probed for guest and test login, I had someone
login as test and fetch some tools from websites to use them on the
honeypot.
tools were fetched from some
I've tested the exploit on my Slack 10 box, OpenSSH_3.8.1p1, from my machine.
The tcpdump output follows:
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
22:38:56.177625 IP (tos 0x0, ttl 61, id 64319, offset 0, flags [DF], length:
60) 82.77.45.170.35528
By the way, you have to be root to use ss:
[EMAIL PROTECTED]:~/ssh$ ./go.sh 82.77.45
scanning network 82.77.*.*
usec: 3, burst packets 50
using inteface eth0
ERROR: UID != 0
In a mail dated Thursday 29 July 2004 19:38, Stefan Janecek
wrote:
Hmmm - I have also been getting
On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek [EMAIL PROTECTED] said:
This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
Matt,
The ISS X-Force database has a write-up and links to other sites:
http://xforce.iss.net/xforce/alerts/id/178
-Matt
On Thu, 29 Jul 2004 13:16:55 +0100, Matt Foster
[EMAIL PROTECTED] wrote:
Hi,
Does anyone have any more information than
doesn't make any sense
That way you should have root on the first box to start exploiting others,
kind of weird.
smells like rootkit downloader to me.
Anybody willing to make a strace of this program ??
Max
--
Linux garaged 2.6.7-rc3-mm2 #2 Sat Jun 19 15:43:32 CDT 2004 i686 Intel(R)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Which shouldn't be so hard because there are also idiots here and a lot of
Windows-Users...
does that imply that windows users are worse than idiots ? :)
No, we are just a bit lame :)
This is mainly due to WYSIWYG and other niceties...
TCS
___
Hey Juan, hopefully you don't have the test user on your ssh server anymore.
You just gave the IP address, port and username =)
-Todd
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Juan Carlos
Navea
Sent: Thursday, July 29, 2004 8:38 AM
To: [EMAIL
What I find interesting is that the file vuln.txt contained a list of
IP addresses that seem to have been exploited. I tried to login to one
of them with user/pass test:test
[EMAIL PROTECTED] ssh $ ssh 161.53.223.3 -l test
Password:
Linux zagreb 2.4.26-grsec #1 SMP Thu Apr 15 17:27:27 CEST 2004
you can decompile using REC.
http://www.backerstreet.com/rec/rec.htm
Andrei Galca-Vasiliu wrote:
By the way, you have to be root to use ss:
[EMAIL PROTECTED]:~/ssh$ ./go.sh 82.77.45
scanning network 82.77.*.*
usec: 3, burst packets 50
using inteface eth0
ERROR: UID != 0
In a mail dated
This all looks very similar to the couple year old ssh1 hack, I recall
some of these same files and binaries I think from that old hack, but,
this looks like someone took an old hack and tried to rework it as a brute
forcer for poorly setup systems.
Thanks,
Ron DuFresne
On Thu, 29 Jul 2004,
Can you post the tcpdump file ??
It would be useful to make snort sigs, if nothing is detected on replay
Max
--
Linux garaged 2.6.7-rc3-mm2 #2 Sat Jun 19 15:43:32 CDT 2004 i686 Intel(R)
Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux
-BEGIN GEEK CODE BLOCK-
Version: 3.12
GS/S d- s:
JFYI of anyone interested:
On Nanog a short time back, most of the list there decided that CWS couldn't
easily be removed. I first stumbled across it maybe around the start of July
and have had many instances of it, since, in many places.
Adaware does bugger-all to remove it. Spybot recognised
Do I take it that these things are just trying to log in using some
guessed password(s) ? Out of interest, do we have any idea what these
opportunistic passwords might be ?
Try CWShredder too!
-Original Message-
From: Gregh [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 5:46 PM
To: Disclosure Full
Subject: [Full-Disclosure] Cool Web Search
JFYI of anyone interested:
On Nanog a short time back, most of the list there decided that CWS couldn't
- Original Message -
From: Richard Golodner [EMAIL PROTECTED]
To: 'Gregh' [EMAIL PROTECTED]; Disclosure Full
[EMAIL PROTECTED]
Sent: Friday, July 30, 2004 8:51 AM
Subject: RE: [Full-Disclosure] Cool Web Search
Try CWShredder too!
I did. Regardless of what it says, CWShredder doesn't
Here's a
detailed description of what's going wrong with [STYLE]@;/* The
problem is the unterminated comment "/*"; IE computes the length of the
comment for a memcpy operation by subtracting the end pointer from
the start pointer. The comment starts behind "/*" and should end at "*/",
Max Valdez wrote:
doesn't make any sense
That way you should have root on the first box to start exploiting others,
kind of weird.
smells like rootkit downloader to me.
Anybody willing to make a strace of this program ??
Max
A previous poster mentioned that after exploiting a test/test or
On 29 Jul 2004, at 16:23, Ali Campbell wrote:
Do I take it that these things are just trying to log in using some
guessed password(s) ? Out of interest, do we have any idea what these
opportunistic passwords might be ?
At least two of them are guest:guest and test:test. I'd guess that
root:root
Stefan Janecek wrote:
This does not seem to be a stupid brute force attack, as there is only
one login attempt per user. Could it be that the tool tries to exploit
some vulnerability in the sshd, and just tries to look harmless by using
'test' and 'guest' as usernames?
The compromised machine was
On Wednesday 28 July 2004 16:10, [EMAIL PROTECTED]
allegedly wrote:
_
_
SCO Security Advisory
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple
Vulnerabilities in Sendmail
The creator of CWShredder claims the newest versions of CWS are very
stealthy and I believe he has stopped updating the program. Therefore
CWShredder isn't the best for the newest. But as far as I understood things
(from other mailing list and forum post), HiJackThis wasn't removing them
100%
Thank you very much. I don't get into the details but now I know a little
bit more to help me evaluate what I do see.
regards,
ST
-Original Message-
From: Kristian Lyngstøl [mailto:[EMAIL PROTECTED]
Sent: Thursday, July 29, 2004 2:03 PM
To: [EMAIL PROTECTED]
Subject: Re: outbind in MS
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
==
Original Release Date: 2004-07-29
Author: Ruben Molina (a.k.a fradiavolo)
Email: [EMAIL PROTECTED]
!!! VIVA COLOMBIA !!!
1. Systems affected:
On Friday, July 30, 2004 1:03 AM [GMT+1=CET],
[EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
So, for those of you who don't think Nanog is full of Gods of
Correctness,
if you are having probs with removal of CWS, get HiJackThis, let it scan
and
then you will see, sticking out like a wart on
- Original Message -
From: JacK [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 30, 2004 10:20 AM
Subject: Re: [Full-Disclosure] Cool Web Search
On Friday, July 30, 2004 1:03 AM [GMT+1=CET],
[EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
So, for those of you who don't
Try a deltree /y c:\that usually does the trick.
-KF
Todd Towles wrote:
The creator of CWShredder claims the newest versions of CWS are very
stealthy and I believe he has stopped updating the program. Therefore
CWShredder isn't the best for the newest. But as far as I understood things
(from
Hey all,
CHX (http://www.idrci.net/idrci_tryit2.htm) seems to
be a very nice piece of software. Anyone tried it in
real life? After toying with it for a couple of hours,
I really don't understand how come it's still just a
(relatively) obscure application. Any comments re. its
usage? any known
On Thu, 2004-07-29 at 17:07, George Capehart wrote:
Subject:OpenServer 5.0.6 OpenServer 5.0.7 : Multiple
Vulnerabilities in Sendmail Advisory number:SCOSA-2004.11
Issue date: 2004 July 28
This advisory was issued on March 29, 2003. That was /*sixteen*/