Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Guillaume Friloux
On 05/12/2011 18:20, John Jacobs wrote: Tim, while I do believe there is some truth in what you are saying here, I respectfully disagree in that this tends to be a run-of-the-mill IRC bot as evidenced by the Undernet advisory. This looks like a skiddie-de-jour attack against PHPMyAdmin and

[Full-disclosure] Fwd: Backdoor in EPractize Labs Online Subscription Manager from epractizelabs.com

2011-12-06 Thread Jan van Niekerk
Reply received from vendor. -- Forwarded message -- From: Ganesan (CEO, EPractize Labs Software) gane...@epractizelabs.com Date: Tue, Dec 6, 2011 at 10:25 AM Subject: RE: Backdoor in EPractize Labs Online Subscription Manager from epractizelabs.com To: Jan van Niekerk

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Lucio Crusca
Gage Bystrom wrote: I would suggest iptables but the OP stated he doesn't own the server and has no root access. If I ever stated that, it means I misused my poor English for sure... I DO have root access and I DO own the server, where the server means the *guest* OpenVZ instance. I DID

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread BH
I'm not sure if this has been said in this thread yet, but is it possible the host O/S was compromised? I have not used OpenVZ but I assume it's the same as Virtuozzo in the respect that you can just 'vzctl enter ctid' to get a root shell inside the container with no password (assuming you have

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
Ahh I see. Then yeah I would advise using iptables to deny as much outgoing traffic as possible and set up the chain so that all attempted traffic statistics get logged. Back that up with denying as much incoming traffic as possible. Then monitor for any spawning services with netstat. Assuming

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Lucio Crusca
BH wrote: I'm not sure if this has been said in this thread yet, but is it possible the host O/S was compromised? Nothing is impossible, security wise. However I'd talk about likelihood instead. I own two other OpenVZ containers hosted in the same host OS. They haven't been compromised,

[Full-disclosure] prosec

2011-12-06 Thread white powder
http://130.89.241.130/~tjibbe/pics/karma-sometimes-assholes-get-what-they-deserve.jpg u had it comin, kcope AB u will be next welcome to the age of the whitehat ___ Full-Disclosure - We believe in it. Charter:

[Full-disclosure] FB privacy breach - view PRIVATE Facebook photos

2011-12-06 Thread Peter Dawson
Has this been ACK'ed by anyone else ?? Seems that FB's Report in/Block process breaks their own privacy stds ! http://forum.bodybuilding.com/showthread.php?t=140261733

[Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-06 Thread Christian Sciberras
Or not... http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/ On the other hand, where that l33t hacker Drew (aka xD 0x41)? Thought he'd enlighten us with more of his awesome hacking powers on this issue.

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Kerem Erciyes
I regularly use iftop, netstat and htop to see what is going on on my servers. I have found that raw information always helps the best in determining active compromised systems. Kerem On Tue, Dec 6, 2011 at 11:55 AM, Lucio Crusca lu...@sulweb.org wrote: BH wrote: I'm not sure if this has

Re: [Full-disclosure] prosec

2011-12-06 Thread Thor (Hammer of God)
No workie. From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of white powder Sent: Tuesday, December 06, 2011 3:10 AM To: full-disclosure@lists.grok.org.uk Subject: [Full-disclosure] prosec

Re: [Full-disclosure] prosec

2011-12-06 Thread adam
Pretty sure it's supposed to be: http://de-motivational-posters.com/images/karma-sometimes-assholes-get-what-they-deserve.jpg On Tue, Dec 6, 2011 at 10:34 AM, Thor (Hammer of God) t...@hammerofgod.com wrote: No workie. From: full-disclosure-boun...@lists.grok.org.uk [mailto:

Re: [Full-disclosure] FB privacy breach - view PRIVATE Facebook photos

2011-12-06 Thread Lamar Spells
I can confirm that this works. Ugh! Sent from my iPhone 4 On Dec 6, 2011, at 9:41 AM, Peter Dawson slash...@gmail.com wrote: Has this been ACK'ed by anyone else ?? Seems that FB's Report in/Block process breaks their own privacy stds !

Re: [Full-disclosure] FB privacy breach - view PRIVATE Facebook photos

2011-12-06 Thread darway yohansen
I just tested this and i don't get the same options as in step 5 *Help us take action by selecting additional photos to include with your report* On Tue, Dec 6, 2011 at 2:41 PM, Peter Dawson slash...@gmail.com wrote: Has this been ACK'ed by anyone else ?? Seems that FB's Report in/Block

Re: [Full-disclosure] FB privacy breach - view PRIVATE Facebook photos

2011-12-06 Thread adam
Worked for me a little while ago, but original thread (and most recent replies) are saying it's been patched. On Tue, Dec 6, 2011 at 9:36 AM, darway yohansen darway.lev...@gmail.com wrote: I just tested this and i don't get the same options as in step 5 *Help us take action by selecting

Re: [Full-disclosure] Carrier IQ for your phone

2011-12-06 Thread Georgi Guninski
On Sat, Dec 03, 2011 at 12:14:06PM +, Alan J. Wylie wrote: Kain, Rebecca (.) bka...@ford.com writes: http://www.extremetech.com/computing/107427-carrier-iq-which-phones-are-infected-and-how-to-remove-it and Julian Assange weighs in:

Re: [Full-disclosure] Carrier IQ for your phone

2011-12-06 Thread Jeff Kell
On 12/6/2011 12:22 PM, Georgi Guninski wrote: looks like if a corporation does it, it is business. if a non-incorporated entity does it, it is a crime. -- j Yes, sort of like bundling add-on crapware with software downloads... to steal from the other ongoing thread... Java updates bundle

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Valdis . Kletnieks
On Mon, 05 Dec 2011 13:53:21 GMT, Dan Ballance said: Also, am I correct to think that using something like tripwire is the best way to detect root kits properly, but that it obviously needs installing when the box is fresh and before it has been physically connected to a network? tripwire

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Valdis . Kletnieks
On Mon, 05 Dec 2011 19:04:02 +0100, Lucio Crusca said: Using dd on /dev/mem and piping results through netcat it's not that difficult, and a bit of google explains how to do it the right way, but in my case there are two other problems: Note that the effectiveness and safety of doing a dd

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Paul Schmehl
A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an inaccessible media (such as a thumb drive). If you think the system is compromised, run md5sum against those files, and you will quickly know. You

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
But the problem with that is it is a mentality roughly a little more than a decade old. What you described is a userland rootkit detector. Problem is no one uses userland rootkits anymore! Sure there was some recent development in managed code rootkits but it really hasn't gone anywhere and is

Re: [Full-disclosure] prosec

2011-12-06 Thread Ferenc Kovacs
yeah, I can confirm that this image was served on the original url. On Tue, Dec 6, 2011 at 5:38 PM, adam a...@papsy.net wrote: Pretty sure it's supposed to be: http://de-motivational-posters.com/images/karma-sometimes-assholes-get-what-they-deserve.jpg On Tue, Dec 6, 2011 at 10:34 AM, Thor

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
My bad, should have said that you can't trust the md5sum tampering (since you stated to have a static copy on the flash drive) but you couldn't trust it since you couldn't trust the system calls. The immediate moment you have to worry about a legit userland rootkit you have to worry about a kernel

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Paul Schmehl
Don't be silly. You can run static binaries off a thumb drive without taking the system down. And that includes md5sum. You can put everything, including the script, on a thumb drive and be perfectly comfortable that the results are reliable, because statically compiled binaries don't use

[Full-disclosure] [SECURITY] [DSA 2359-1] mojarra security update

2011-12-06 Thread Florian Weimer
Debian Security Advisory DSA-2359-1 secur...@debian.org http://www.debian.org/security/ Florian Weimer December 06, 2011

Re: [Full-disclosure] prosec

2011-12-06 Thread Ac1d B1tch3z
LMFAO On Tue, Dec 6, 2011 at 1:10 PM, white powder whitepowder1...@gmail.com wrote: http://130.89.241.130/~tjibbe/pics/karma-sometimes-assholes-get-what-they-deserve.jpg u had it comin, kcope AB u will be next welcome to the age of the whitehat

Re: [Full-disclosure] prosec

2011-12-06 Thread Ac1d B1tch3z
On Tue, Dec 6, 2011 at 9:54 PM, Ac1d B1tch3z ac1db1tc...@gmail.com wrote: LMFAO On Tue, Dec 6, 2011 at 1:10 PM, white powder whitepowder1...@gmail.com wrote: http://130.89.241.130/~tjibbe/pics/karma-sometimes-assholes-get-what-they-deserve.jpg u had it comin, kcope AB u will be next

Re: [Full-disclosure] prosec

2011-12-06 Thread xD 0x41
hehe ye better watch out guyzzz... sheeet im patching my boxes now... the day i see this done to AB is the day id probably give up on any hax tc ps: ph33r the whitehats On 7 December 2011 07:14, Ac1d B1tch3z ac1db1tc...@gmail.com wrote: On Tue, Dec 6, 2011 at 9:54 PM, Ac1d B1tch3z

[Full-disclosure] [SECURITY] [DSA 2360-1] Two month advance notification for upcoming end-of-life for Debian oldstable

2011-12-06 Thread Moritz Muehlenhoff
Debian Security Advisory DSA-2360-1 secur...@debian.org http://www.debian.org/security/ Moritz Muehlenhoff December 6, 2011

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread John Jacobs
Those considering Tripwire I would ask they take a look at OSSEC-HIDS; the filesystem change notification is outstanding and with inotify() support you get immediate notification of changes.  The monitoring and alerting of log files is also exceptional.  I am not affiliated with OSSEC in any

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Charles Morris
Sorry Paul, Gage is right here! Instead of silly maybe more like correct :( On Tue, Dec 6, 2011 at 2:42 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: Don't be silly. You can run static binaries off a thumb drive without taking the system down. And that includes md5sum. You can put

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
Sounds pretty neat to be honest. But one thing I'm wondering is that if they have root, what's stopping them from turning that off? After all they need root to load the modules in the first place, so if they are in a position to want to do that, then they are in a position to turn that off.

Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-06 Thread Christian Sciberras
Uhm, pretty much any software entering your system has some potential to (being) wreck(ing) havoc, whether it is an innocent gif file or a potentially backdoored exe. Still, that doesn't give me the right to shout at any software vendor baseless assumptions that simply damage its reputation.

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Valdis . Kletnieks
On Tue, 06 Dec 2011 13:20:51 PST, Gage Bystrom said: serious pain if suddenly you needed unneutered root again. Would likely have to take the system down to fix it. Who wants to be the guy to explain that situation to their boss? If the server is critical enough that you can't take it down to

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
Maybe I'm misreading what you said, and if so please correct me, but whether or not the changes described were applied in the first place or not wouldn't change the issue that if you needed root unneutered again you would need to bring down the system. Especially if the change doesn't really solve

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Valdis . Kletnieks
On Tue, 06 Dec 2011 15:14:29 PST, Gage Bystrom said: Maybe I'm misreading what you said, and if so please correct me, but whether or not the changes described were applied in the first place or not wouldn't change the issue that if you needed root unneutered again you would need to bring down

Re: [Full-disclosure] OMIGOD CIQ HACKING THE WORLD.

2011-12-06 Thread Jeffrey Walton
On Tue, Dec 6, 2011 at 7:52 AM, Christian Sciberras uuf6...@gmail.com wrote: Or not... http://vulnfactory.org/blog/2011/12/05/carrieriq-the-real-story/ Just to play devil's advocate: this application has the potential to do a lot of harm. Should we treat it like 'location data' from the recent

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Charles Morris
+1. Except instead of MD5 you want to use something that isn't garbage. On Tue, Dec 6, 2011 at 1:18 PM, Paul Schmehl pschmehl_li...@tx.rr.com wrote: A poor man's root kit detector is to take md5sums of critical system binaries (you'd have to redo these after patching), and keep the list on an

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread John Jacobs
Sounds pretty neat to be honest. But one thing I'm wondering is that if they have root, what's stopping them from turning that off? After all they need root to load the modules in the first place, so if they are in a position to want to do that, then they are in a position to turn

Re: [Full-disclosure] one of my servers has been compromized

2011-12-06 Thread Gage Bystrom
Well in that case it becomes fairly sane, assuming you've safeguarded against one of the worst-case scenarios like Valdis previously mentioned. There are a handful of things I can think of however that could still work, at which point depends on the attackers goals. But at that point it'd be a

Re: [Full-disclosure] distributing passwords to users

2011-12-06 Thread Gage Bystrom
I'm disturbed in the first place that you want to distribute password lists to multiple users. I'm disturbed more so that there is no apparent cognitive dissonance preventing you from functioning enough to have sent that email. Someone please tell me that I'm not the only one disturbed here? And