--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
://www.lurhq.com/grams.html
-Joe
, eEye says that the dunzip32.dll overflow is an issue
for XP, yet I am unable to find dunzip32.dll on a stock XP SP1 system.
Is it possible that the eEye release and the MS04-034 bulletin are
talking about two separate issues?
-Joe
server.exe
2004/08/29 - 2004/08/30 nortoanavap.exe
2004/08/29 - 2004/09/02 syswin32.exe
2004/08/30 - 2004/09/02 rsvc32.exe
2004/08/30 - 2004/09/02 vsmons.exe
2004/08/31 - 2004/08/31 winsrv.exe
2004/09/02 - 2004/09/02 sslwina.exe
2004/09/02 - 2004/09/02 winxpini.exe
-Joe
with the same exe name.
I've also seen other Rbot variants using a similar registry key name.
Kaspersky does a pretty good job of spotting unknown Rbot variants with
a generic signature Backdoor.Rbot.gen.
-Joe
served by the IIS server, including image files. This isn't a new
vector; it's just a side-effect. More information at http://isc.sans.org/
-Joe
for a while
now, and now it looks as if he/she has upgraded to the latest IE
exploit.
http://vil.nai.com/vil/content/v_100939.htm describes an older variant.
-Joe
are found it will use whatever address it finds.
If no address is returned it will use 127.0.0.1. So, yes, it does scan
and infect private network ranges.
-Joe
On Friday 23 April 2004 5:27 am, Tomokazu Suzuki wrote:
Joe Stewart wrote:
Scans port 135 for MS03-039 DCOM2 vulnerability
Scans port 139 for MS03-049 Workstation vulnerability
Scans port 1433 for weak MSSQL administrator passwords
Scans port 2082 for CPanel vulnerability (OSVDB ID: 4205
successful
exploits, but mostly LsaSrv crashes will result.
-Joe
wrote it :)
http://www.lurhq.com/ethics.html
-Joe
On Friday 30 January 2004 12:02 pm, Clairmont, Jan wrote:
First there is nothing in your analysis that excludes an embedded
forth interpreter or code,
Yes, but there IS an embedded pong game written in ADA. Can you prove
there isn't? How about the fact that Juari already admitted there was
to three-quarters
of the time.
-Joe
not appear to
function properly.
It functions perfectly, but it's not a command shell. It gives the
author the ability to either upload and execute a file, or uninstall
the worm.
-Joe
is to flood the remote host with
ICMP and HTTP traffic.
-Joe
are complete.
-Joe
--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
think they are immune to this or any other
hostile object tags just because they have that patch. Everyone running
IE should disable active scripting if they want to avoid these little
surprises.
-Joe
. It sends the email address
provided to it by the infected user.
The bounces you are getting may be actual first-generation Swen
messages, as a phony bounce message is one of the many formats it
generates.
-Joe
of the recent DDoS attacks on spam
blackhole lists.
-Joe
/tcpUDP), and the
windows tftp client doesn't seem to offer any means of specifying a port to
connect to?
Is this some kind of password protected backdoor?
No, it's a reverse shell. Telnet to the port and enter the following 2 lines
to see how it works:
Microsoft Windows
system32
-Joe
Trojan Site Download
Request; content:|5c bf 01 29 ca 62 eb f1|; dsize:8;
reference:url,www.lurhq.com/sobig-e.html; classtype:trojan-activity;
sid:121; rev:1;)
-Joe
On Sat, 23 Aug 2003 18:53:13 -0500, Jerry Heidtke wrote:
I've been unable to find, anywhere, the list of servers that Sobig.e
tries to contact.
Here is the list of master servers from Sobig.e:
129.244.36.194
203.252.75.45
209.34.8.147
217.228.235.145
217.230.224.66
218.146.139.246
they have observed the same behavior. And only
one packet is necessary, no matter which port you send it to. I've been
successful at spoofing a bogus source IP address in the packets generating
the popups as well.
-Joe
--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com
.
-Joe
not going to be able to track the state of a so-called stateless protocol
and it could indeed cause collateral damage if blocked statelessly. Thus
blocking can only be done effectively at the host or stateful firewall level,
so I have updated the advisory to reflect this.
-Joe
created a trojan to try and match the described behavior/traffic with winsize
55808. Probably someone's idea of a joke on the infosec community. The files
ISS describe match the files Intrusec described, so why does ISS/X-Force feel
that Stumbler is the true source of the traffic?
-Joe