LOLOLOLOL

On Fri, 08 Jun 2007 11:52:21 -0400 evilrabbi <[EMAIL PROTECTED]> wrote:
>ok..
>
>On 6/8/07, M. B. Jr. <[EMAIL PROTECTED]> wrote:
>> cool,
>> HD Moore started a thread,
>>
>> yeah, lets reply the more we can!!!
>>
>>
>> On 6/6/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
>> >
>> > On Wednesday 06 June 2007 09:47, H D Moore wrote:
>> > > Hello,
>> > >
>> > > Some friends and I were putting together a contact list for the folks
>> > > attending the Defcon conference this year in Las Vegas. My friend sent
>> > > out an email, with a large CC list, asking people to respond if they
>> > > planned on attending. The email was addressed to quite a few people,
>> > > with one of them being David Maynor. Unfortunately, his old SecureWorks
>> > > address was used, not his current address with ErrattaSec.
>> > >
>> > > Since one of the messages sent to the group contained a URL to our phone
>> > > numbers and names, I got paranoid and decided to determine whether
>> > > SecureWorks was still reading email addressed to David Maynor. I sent an
>> > > email to David's old SecureWorks address, with a subject line promising
>> > > 0-day, and a link to a non-public URL on the metasploit.com web server
>> > > (via SSL). Twelve hours later, someone from a Comcast cable modem in
>> > > Atlanta tried to access the link, and this someone was (confirmed) not
>> > > David. SecureWorks is based in Atlanta. All times are CDT.
>> > >
>> > > I sent the following message last night at 7:02pm.
>> > >
>> > > ---
>> > > From: H D Moore <hdm[at]metasploit.com>
>> > > To: David Maynor <dmaynor[at]secureworks.com>
>> > > Subject: Zero-day I promised
>> > > Date: Tue, 5 Jun 2007 19:02:11 -0500
>> > > User-Agent: KMail/1.9.3
>> > > MIME-Version: 1.0
>> > > Content-Type: text/plain;
>> > >   charset="us-ascii"
>> > > Content-Transfer-Encoding: 7bit
>> > > Content-Disposition: inline
>> > > Message-Id: <200706051902.11544.hdm[at]metasploit.com>
>> > > Status: RO
>> > > X-Status: RSC
>> > >
>> > > https://metasploit.com/maynor.tar.gz
>> > > ---
>> > >
>> > > Approximately 12 hours later, the following request shows up in my Apache
>> > > log file. It looks like someone at SecureWorks is reading email addressed
>> > > to David and tried to access the link I sent:
>> > >
>> > > 71.59.27.152 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"
>> > >
>> > > This address resolves to:
>> > > c-71-59-27-152.hsd1.ga.comcast.net
>> > >
>> > > The whois information is just the standard Comcast block boilerplate.
>> > >
>> > > ---
>> > >
>> > > Is this illegal? I could see reading email addressed to him being within
>> > > the bounds of the law, but it seems like trying to download the "0day"
>> > > link crosses the line.
>> > >
>> > > Illegal or not, this is still pretty damned shady.
>> > >
>> > > Bastards.
>> > >
>> > > -HD
>> >
>> > I will seldom touch on the legal side but I have a possible scenario:
>> >
>> > -- If David is no longer at that address, it could be said that his mail
>> > account was taken down and the mail sent ended up in a possible "catch all"
>> > box, perhaps someone at SecureWorks was looking through the said catchall
>> > mailbox for any interesting mail sent to the secureworks.com domain (i.e. to
>> > old employees) - It's quite common for companies and organizations to monitor
>> > former employee mailboxes in the event anyone that doesn't have any new
>> > contact information to be able to still get somewhere with the old address.
>> > And them being a security organization, maybe they proceeded to investigate
>> > the link sent.
>> >
>> >
>> > >
>> > > _______________________________________________
>> > > Full-Disclosure - We believe in it.
>> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > > Hosted and sponsored by Secunia - http://secunia.com/
>> >
>>
>>
>>
>> --
>> Marcio Barbado, Jr.
>> ==============
>> ==============
>>
>
>
>--
>-- h0 h0 h0 --
>www.nopsled.net
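The check described in the quoted message (send a unique, non-public URL to one address, then watch the web server's access log for it), as an added example that is not part of the original thread. The function name, the `CANARIES` mapping, the regex and all sample data are assumptions constructed for illustration; the log format is Apache "combined", as in the quoted log line.

```python
import re
from datetime import datetime

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def canary_hits(log_lines, canaries):
    """Return one dict per request that touched a canary path.

    canaries maps a non-public URL path to (recipient, time the mail was sent).
    A 404 still counts: the file need not exist for the request to prove
    that someone followed the link.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or non-combined line: skip, do not guess
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path not in canaries:
            continue
        recipient, sent_at = canaries[path]
        seen_at = datetime.strptime(m["ts"], TS_FMT)
        hits.append({
            "recipient": recipient,
            "ip": m["ip"],
            "status": int(m["status"]),
            "agent": m["agent"],
            "delay": seen_at - sent_at,  # both timezone-aware, so offsets are handled
        })
    return hits

# Constructed sample data: TEST-NET addresses, made-up path and recipient.
CANARIES = {
    "/c4n4ry-example.tar.gz": (
        "former.employee@example.com",
        datetime.strptime("05/Jun/2007:19:02:11 -0500", TS_FMT),
    ),
}
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jun/2007:08:16:42 -0400] "GET /c4n4ry-example.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh)"',
    '198.51.100.7 - - [06/Jun/2007:08:17:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE_LOG, CANARIES):
        print(hit)
```

Using one distinct path per recipient is what lets a single log hit be attributed to a single mailbox.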
