RE: WINS CLient Service
From: Ziots, Edward (EZiots Lifespan.org)
Date: Mon Dec 08 2003 - 13:54:52 CST
I got my solution,
NO need to keep posting
EZ
Edward Ziots
Windows NT/Citrix Administrator
Lifespan Network Services
MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
eziots lifespan.org
Cell:401-639-3505
Pager:401-350-5284
**********************
Confidentiality Notice
**********************
The information transmitted in this e-mail is intended only for the person
or entity to which it is addressed and may contain confidential and/or
privileged information. Any review, retransmission, dissemination or other
use of or taking of any action in reliance upon this information by persons
or entities other than the intended recipient is prohibited.
If you received this e-mail in error, please contact the sender and delete
the e-mail and any attached material immediately. Thank you.
-----Original Message-----
From: Gilmore, Corey (DPC) [mailto:Corey_Gilmore dpc.senate.gov]
Sent: Monday, December 08, 2003 2:42 PM
To: Ziots, Edward; incidents securityfocus.com
Subject: RE: WINS CLient Service
If you're asking about the files in %system%\wins, they're installed by
Welchia/Nachia. You'll find them on any infected PC, workstation or
server.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html#technicaldetails
You can remove them with the removal tool,
http://www.symantec.com/avcenter/FixWelch.exe
> -----Original Message-----
> From: Ziots, Edward [mailto:EZiots Lifespan.org]
> Sent: Monday, December 08, 2003 9:17 AM
> To: 'incidents securityfocus.com'
> Subject: RE: WINS CLient Service
>
> Has anyone seen a virus/worm or misconfiguration load the WINS Client
> > Service on a Win2k Server? In all the servers I have built I have
> > never seen this service, it basically had a dllhost.exe and
> > svchost.exe copy in the c:\winnt\system32\wins directory, and
> > svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an
> > alternative stream of nc.exe in it.
> >
> > If anyone has run into this before let me know what solutions you
> > might have found,
> >
> >
> > Edward Ziots
> > Windows NT/Citrix Administrator
> > Lifespan Network Services
> > MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
> > eziots lifespan.org
> > Cell:401-639-3505
> > Pager:401-350-5284
>
> Edward Ziots
> Windows NT/Citrix Administrator
> Lifespan Network Services
> MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
> eziots lifespan.org
> Cell:401-639-3505
> Pager:401-350-5284
>
>
> -----Original Message-----
> From: David Ahmad [mailto:da securityfocus.com]
> Sent: Friday, December 05, 2003 5:05 PM
> To: Ziots, Edward
> Subject: Re: WINS CLient Service
>
>
>
> Please post this to the INCIDENTS mailing list
> <incidents securityfocus.com>.
>
> On Fri, Dec 05, 2003 at 05:19:59PM -0500, Ziots, Edward wrote:
> > Has anyone seen a virus/worm or misconfiguration load the WINS Client
> > Service on a Win2k Server? In all the servers I have built I have
> > never seen this service, it basically had a dllhost.exe and
> > svchost.exe copy in the c:\winnt\system32\wins directory, and
> > svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an
> > alternative stream of nc.exe in it.
> >
> > If anyone has run into this before let me know what solutions you
> > might have found,
> >
> >
> > Edward Ziots
> > Windows NT/Citrix Administrator
> > Lifespan Network Services
> > MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network +
> > eziots lifespan.org
> > Cell:401-639-3505
> > Pager:401-350-5284
> >
> >
> > -----Original Message-----
> > From: Greg Meehan [mailto:GMeehan LifeTimeFitness.com]
> > Sent: Friday, December 05, 2003 3:05 PM
> > To: 3APA3A; Mr. P.Taylor
> > Cc: aleph1 securityfocus.com; bugtraq securityfocus.com
> > Subject: RE: Websense Blocked Sites XSS
> >
> >
> >
> > FYI: You can use a customized block page in /custom that does not
> > display the URL, such as creating a "Sorry, This URL is Blocked" page
> > with your company's logo. Heck, you can also just edit the
> > "master.html" block page in the /default dir to remove the URL
> > displayed field.
> >
> > -Greg
> >
> > -----Original Message-----
> > From: 3APA3A [mailto:3APA3A SECURITY.NNOV.RU]
> > Sent: Friday, December 05, 2003 7:09 AM
> > To: Mr. P.Taylor
> > Cc: aleph1 securityfocus.com; bugtraq securityfocus.com
> > Subject: Re: Websense Blocked Sites XSS
> >
> >
> > Dear Mr. P.Taylor,
> >
> > It runs error message in context of blocked site. Now let's try to
> > find out possible impacts:
> >
> > 1. It's possible to run javascript on the user host in context
> > of blocked site. But it's most likely blocked site is not in
> > list of trusted web sites on user's host, so it's impossible to get
> > something different from running same script on another webpage.
> >
> > 2. It's possible to steal cookie, submit some forms, etc, on blocked site.
> > But site is blocked. So, it's impossible to steal something or
> > submit something to this site.
> >
> > Conclusion: there is no security impact
> >
> > Post Conclusion: Guys, it's perfect you can find all these XSS/CSS
> > bugs in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But
> > please think about _security_ impact before submitting this to
> > _security_ related lists.
> >
> > --Wednesday, December 3, 2003, 7:35:39 PM, you wrote to
> > dhubbard websense.com:
> >
> >
> > MPT> Websense Blocked Sites XSS
> >
> > MPT> Risk: High
> >
> > MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
> > MPT> tested this version)
> >
> > MPT> Product URL: http://www.websense.com
> >
> > MPT> Found By: PeterT - petert imagine-sw.com
> >
> > MPT> Problem:
> > MPT> When Websense blocks a web site, it returns a web page to the
> > MPT> browser stating that the site has been blocked. This error
> > MPT> message contains the URL which was requested. Websense does not
> > MPT> do any validation or encoding of the URL before returning it in
> > MPT> the error message. This allows an attacker to supply a URL that
> > MPT> contains script (JavaScript, ActiveX, VB). This script will run
> > MPT> in the context of a server in the trusted domain and combined
> > MPT> with other IE flaws can have serious consequences.
> >
> > MPT> We have marked this as a High risk because we believe that
> > MPT> allowing attackers to run arbitrary programs on your desktop at
> > MPT> will, is a serious problem.
> >
> >
> > MPT> Proof of Concept:
> > MPT> A URL like
> > MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
> >
> > MPT> Resolution:
> > MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
> >
> > MPT> Thanks to Websense for fixing this issue.
> >
> > MPT> Disclaimer:
> > MPT> Standard disclaimer applies. The opinions expressed in this
> > MPT> advisory are our own and not of any company. The information
> > MPT> within this advisory may change without notice. Use of this
> > MPT> information constitutes acceptance for use in an AS IS condition.
> > MPT> There are no warranties with regard to this information. In no
> > MPT> event shall the author be liable for any damages whatsoever
> > MPT> arising out of or in connection with the use or spread of this
> > MPT> information. Any use of this information is at the user's own risk.
> >
> >
> >
> > --
> > ~/ZARAZA
>
> --
> David Mirza Ahmad
> Symantec
>
> PGP: 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
> --
> The battle for the past is for the future.
> We must be the winners of the memory war.
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
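The indicators described in this thread, turned into a triage check; this is an added example, not code from any poster. It looks for dllhost.exe and svchost.exe under system32\wins and reports whether either is byte-identical to the system's tftp.exe. The function names and the command-line handling are assumptions of this example.

```python
import hashlib
from pathlib import Path

# File names reported in the thread as present in system32\wins.
SUSPECT_NAMES = {"dllhost.exe", "svchost.exe"}

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_ci(directory: Path, name: str):
    """Case-insensitive lookup, so a mounted image on a case-sensitive host works."""
    if not directory.is_dir():
        return None
    for entry in directory.iterdir():
        if entry.name.lower() == name.lower():
            return entry
    return None

def triage_wins_dir(system32: Path) -> list:
    """Report suspect executables in system32\\wins and compare each to tftp.exe."""
    findings = []
    wins = find_ci(system32, "wins")
    if wins is None:
        return findings
    tftp = find_ci(system32, "tftp.exe")
    tftp_hash = sha256(tftp) if tftp and tftp.is_file() else None
    for name in sorted(SUSPECT_NAMES):
        hit = find_ci(wins, name)
        if hit is None or not hit.is_file():
            continue
        digest = sha256(hit)
        findings.append({
            "path": str(hit),
            "sha256": digest,
            "size": hit.stat().st_size,
            # True when the file is byte-identical to this system's tftp.exe
            "is_tftp_copy": tftp_hash is not None and digest == tftp_hash,
        })
    return findings

if __name__ == "__main__":
    import sys
    # Default is the Win2k path quoted in the thread; pass a mounted image path instead.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\WINNT\system32")
    for finding in triage_wins_dir(root):
        print(finding)
```

This check reads only the default data stream, so it will not show an alternate data stream such as the one reported on dllhost.exe; on a live NTFS host, list streams separately, for example with PowerShell's `Get-Item -Stream *`.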