Re: [Full-disclosure] Files keep appearing

2006-06-02 Thread Adriel T. Desautels
Stephen,
I can help you if you are interested. Let me know.

Stephen Johnson wrote:
 I keep having a phishing website appear on my web server.

 They keep showing up in a Resources folder of one of the sites that
 I host. I have gone through the logs and I am not seeing any
 connections.  I deleted the files this morning and this evening
 they re-appeared — no connections were made on my server during
 that period of time.

 Also, there are no cron jobs that I noticed that looked out of the
 ordinary.

 I am running MySQL, PHP, Apache2 on a debian linux server.

 Any thoughts?


 --


 ___ Full-Disclosure -
 We believe in it. Charter:
 http://lists.grok.org.uk/full-disclosure-charter.html Hosted and
 sponsored by Secunia - http://secunia.com/


- --


Regards,
Adriel T. Desautels
 
Chief Technology Officer
Netragard, LLC. || http://www.netragard.com
PGP KEY ID  : 0x7B6F2284
-
We make IT secure.
 
*** NOTICE ***

Please do not email sensitive information to
this email address using clear text email.
Please encrypt all sensitive information prior
to transmission. To obtain my PGP key please
browse to the URL below.

 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7B6F2284

*** NOTICE ***


[Full-disclosure] [SECURITY] [DSA 1086-1] New xmcd packages fix denial of service

2006-06-02 Thread Martin Schulze
--------------------------------------------------------------------------
Debian Security Advisory DSA 1086-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
June 2nd, 2006                          http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: xmcd
Vulnerability  : design flaw
Problem type   : local
Debian-specific: no
CVE ID : CVE-2006-2542
Debian Bug : 366816

xmcdconfig creates world-writable directories, allowing local users to
fill the /usr and /var partitions and hence cause a denial of service.
This problem has been half-fixed since version 2.3-1.

For the old stable distribution (woody) this problem has been fixed in
version 2.6-14woody1.

For the stable distribution (sarge) this problem has been fixed in
version 2.6-17sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.6-18.

We recommend that you upgrade your xmcd package.
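As an added check, not part of this advisory or of the xmcd package, the shell functions below audit the given roots for the condition the advisory describes (directories writable by every local user and lacking the sticky bit), report sticky shared directories separately, and show a generic hardening step on a constructed tree; the directory names under the temporary root are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from DSA 1086-1 or the xmcd package: find directories
# that any local user can write to and therefore fill until the partition
# is exhausted. Pass the roots to audit, e.g. /usr /var.

# Directories under the roots that are world-writable (other has write,
# -perm -0002) and have no sticky bit (! -perm -1000). -xdev keeps the
# walk on the root's own filesystem.
list_world_writable_dirs() {
    find "$@" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# World-writable directories that do carry the sticky bit, such as /tmp;
# these are shared by design and are reported separately.
list_sticky_dirs() {
    find "$@" -xdev -type d -perm -0002 -perm -1000 2>/dev/null
}

# Exit status 0 when no unprotected world-writable directory exists under
# the roots, 1 otherwise; usable from cron or as a post-install check.
check_world_writable_dirs() {
    n=$(list_world_writable_dirs "$@" | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Generic mitigation for directories that were never meant to be shared:
# strip the other-write bit. This is not the Debian fix (that is the
# package upgrade); apply it only where the directory is not shared.
harden_world_writable_dirs() {
    list_world_writable_dirs "$@" | while IFS= read -r d; do
        chmod o-w "$d" && printf 'removed o+w: %s\n' "$d"
    done
}

# Demonstration on a constructed tree (sample data, not a real /usr or
# /var): one directory left 0777 the way the advisory describes, one
# sticky 1777 directory, one ordinary 0755 directory.
demo_world_writable_dirs() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/xmcd/cddb" "$root/tmp" "$root/bin"
    chmod 0755 "$root/lib" "$root/lib/xmcd" "$root/bin"
    chmod 0777 "$root/lib/xmcd/cddb"   # offending directory
    chmod 1777 "$root/tmp"             # world-writable but sticky
    echo "unprotected world-writable directories:"
    list_world_writable_dirs "$root"
    echo "sticky directories (shared by design):"
    list_sticky_dirs "$root"
    harden_world_writable_dirs "$root"
    check_world_writable_dirs "$root" && echo "clean after hardening"
    rm -rf "$root"
}
```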


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given at the end of this advisory:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


Re: [Full-disclosure] scanning

2006-06-02 Thread Ducki3
In some states in the US it is illegal to do it even if you do have permission. That is if you are not a licensed Private Investigator. In Georgia for instance it is a misdemeanor and about to become a felony if you do any kinds of forensic investigation without being a Private Investigator whether you have permission or not. And people have been sued in Civil court over it. It's already in some states and spreading.


http://www.securityfocus.com/columnists/399/1
http://www.legis.state.ga.us/legis/2005_06/fulltext/hb1259.htm

and here is a link about the case where the person was sued

http://www.securityfocus.com/columnists/167
Ducki3

On 6/1/06, Nightfall Nightfall [EMAIL PROTECTED] wrote:
 Is it illegal if I perform a vulnerability scan on a site without permission from the owner? How about a simple port scan? thanks..

Re: [Full-disclosure] scanning

2006-06-02 Thread c0redump
I agree with you David.  The amount of times I have e-mailed abuse@ of a 
netblock letting them know that one of their boxes has been rooted and some 
little kiddie is doing brute force dictionary attacks against SSH for 
example (with logs).  Haven't got one reply yet!


Additionally, all those attempts you see in your apache log files, 9/10 
times they are worms.  But then again, there are some stupid kiddies who 
will try IIS exploits on a *unix box.


Blacklist all .br/.kr/.jp/.cn IPs on your firewall already is what I say.

-- c0redump


- Original Message - 
From: David Alanis

To: Dixon, Wayne ; full-disclosure@lists.grok.org.uk
Sent: Friday, June 02, 2006 2:34 AM
Subject: RE: [Full-disclosure] scanning



Depends on the Jurisdiction... However If I found out that it was my
site, I'd have to debate on whether or not to sue your ass... But that's
just me...


You would not sue anyone. That's just saying that you would sue anyone under 
the sun trying to ping or go after some bot trying to scan your Apache box 
for IIS 5 vulnerabilities. My point is, even if you did realize someone was 
actively scanning your host, there would be nothing you could do, I think it 
would be too time consuming. Yet your question still stands. Is it legal or 
illegal?


David



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Nightfall Nightfall
Sent: Thursday, June 01, 2006 7:54 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] scanning


Is it illegal if I perform a vulnerability scan on a site without
permission from the owner? How about a simple port scan? thanks..





Great Spirits Have Always Encountered Violent Opposition From Mediocre 
Minds - Einstein


So much stupidity in so little brain!



Re: [Full-disclosure] scanning

2006-06-02 Thread GroundZero Security
 Blacklist all .br/.kr/.jp/.cn IPs on your firewall already is what I say.

That would work for your home computer, but on a business server
not a very bright idea.

 Is it illegal if I perform a vulnerability scan on a site without
 permission from the owner? How about a simple port scan? thanks..

As far as I know (and I'm very sure about that), vulnerability scans are
illegal in most countries, at least in those that have computer laws.
Especially if you use something like CoreImpact or Canvas, since
they actively exploit a vulnerability, resulting in illegal access to the
system.

A simple port scan however, is most likely not illegal, since all it does is
see what public services a server may offer. I never heard of a single case
where someone got sued for a simple port scan.

-sk
http://www.groundzero-security.com



Re: Fw: [Full-disclosure] scanning

2006-06-02 Thread Lawrence Tang
Vulnerability test is not port scan. It could involve attempt to penetrate or even penetration of the website through a vulnerable server script for instance. In this particular case, we don't know what RA 8792 in the Philippines says and/or what Tridel Technologies, Inc did. But in general, port scan is supposed to be only checking which TCP/IP ports are open for connection without going through the entire process of connection. There is no question of penetration. How could any authority prosecute this legitimately? If I, by mistake, attempt a connection to a site, could I be in legal trouble? How many ports constitute port scanning?


- Original Message -
From: Nightfall Nightfall [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 02, 2006 1:26 AM
Subject: Re: [Full-disclosure] scanning

 On 6/2/06, Simon Smith [EMAIL PROTECTED] wrote:
  Guys,
  It is not illegal to port-scan a target IP with or without
  authorization. It would be impossible to prosecute someone because they
  portscanned you. Hell, it would be near impossible to prosecute someone
  who ran nessus against you but never penetrated your systems. From
  experience, the FBI only takes interest in crimes that cause roughly
  $50,000.00 in damage or more. If you are below that mark or if they are
  too busy... you won't get jack unless you pay for it.

  David Alanis wrote:
   Depends on the Jurisdiction... However If I found out that it was my
   site, I'd have to debate on whether or not to sue your ass... But that's
   just me...

   You would not sue anyone. That's just saying that you would sue anyone
   under the sun trying to ping or go after some bot trying to scan your
   Apache box for IIS 5 vulnerabilities. My point is, even if you did
   realize someone was actively scanning your host, there would be nothing
   you could do, I think it would be too time consuming. Yet your question
   still stands. Is it legal or illegal?

   David

   -Original Message-
   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
   Nightfall Nightfall
   Sent: Thursday, June 01, 2006 7:54 PM
   To: full-disclosure@lists.grok.org.uk
   Subject: [Full-disclosure] scanning

   Is it illegal if I perform a vulnerability scan on a site without
   permission from the owner? How about a simple port scan? thanks..

 I brought up this topic coz of this incident -
 http://www.pinoytechblog.com/archives/tridel-settles-with-inq7net-on-vulnerability-test-suit .
 I was wondering if they were justified in suing the perpetrator who
 did the vulnerability scan on their network.

Re: [Full-disclosure] scanning

2006-06-02 Thread [EMAIL PROTECTED]
e in your country. Sometimes, if a computer system is
affected too much by a port scan, one can argue that the port scan was,
in fact, a denial-of-service (DoS) attack, which is usually an offense.


GroundZero Security wrote:
  Blacklist all .br/.kr/.jp/.cn IPs on your firewall already is what I say.

 That would work for your home computer, but on a business server
 not a very bright idea.

  Is it illegal if I perform a vulnerability scan on a site without
  permission from the owner? How about a simple port scan? thanks..

 As far as i know (and i'm very sure about that), vulnerability scans are
 illegal in most countries, at least in those that have computer laws.
 Especially if you use something like CoreImpact or Canvas, since
 they actively exploit a vulnerability, resulting in illegal access to the System.

 A simple port scan however, is most likely not illegal, since all it does is see what
 public services a server may offer. I never heard of a single case where
 someone got sued for a simple port scan.

 -sk
 http://www.groundzero-security.com

Arnaud Dovi / Ind. Security Researcher


Re: [Full-disclosure] scanning

2006-06-02 Thread Marcos Agüero
[EMAIL PROTECTED] wrote:
 That is why the definition of “damage” is so important. If there is no
 impairment to the integrity and availability of the network, then there
 is no crime.
So, it seems that portscanning is not a crime but, what if I scan a
network and sell/trade/lend the results to some guy that will cause that
impairment to the network? Is it a crime to sell such information?

Regards



[Full-disclosure] HI

2006-06-02 Thread hurz
hi folks
cya



[Full-disclosure] Microsoft Windows Live OneCare Zero-Day

2006-06-02 Thread n3td3v

Hi,

Discovered

Regards,

n3td3v



Re: Fw: [Full-disclosure] scanning

2006-06-02 Thread Lawrence Tang
According to theregister.co.uk:

 Cuthbert is accused of attempting a directory traversal attack on the
 donate.bt.com site which handles credit card payments on behalf of the
 Disasters Emergency Committee.
 (http://www.theregister.co.uk/2005/10/05/dec_case/)

and

 After making a donation, and not seeing a final confirmation or thank-you
 page, Cuthbert put ../../../ into the address line. If the site had been
 unprotected this would have allowed him to move up three directories.
 (http://www.theregister.co.uk/2005/10/11/tsunami_hacker_followup/)

This is legal hair-splitting. Yes, you are right. Who knows whether the
judges would consider port scanning just as bad as an illegal attempt at
securing access to a computer (as defined in the UK Computer Misuse Act
1990 (c.18)).

- Original Message -
From: Drew Masters [EMAIL PROTECTED]
To: full-disclosure@lists.grok.org.uk
Sent: Friday, June 02, 2006 9:33 AM
Subject: Re: Fw: [Full-disclosure] scanning

 It's worth looking into the Daniel Cuthbert case in the UK.

 Drew

 On 02/06/06, Lawrence Tang [EMAIL PROTECTED] wrote:
  Vulnerability test is not port scan. It could involve attempt to
  penetrate or even penetration of the website through a vulnerable server
  script for instance. In this particular case, we don't know what RA 8792 in
  the Philippines says and/or what Tridel Technologies, Inc did. But in
  general, port scan is supposed to be only checking which TCP/IP ports are
  open for connection without going through the entire process of connection.
  There is no question of penetration. How could any authority prosecute this
  legitimately? If I, by mistake, attempt a connection to a site, could I be
  in legal trouble? How many ports constitute port scanning?

Re: [Full-disclosure] VulnSale: Windows Vista Exploit

2006-06-02 Thread Marcos Agüero
[EMAIL PROTECTED] wrote:
 No, I have not been interviewed.  I am the fag that you gave a blow 
 job too last night in that truckstop bathroom.
Maybe you have to work full-time on it.



Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day

2006-06-02 Thread Javor Ninov
WOW! You discovered Microsoft Windows Live OneCare?!
I hope you soon discover your 18th birthday

Javor Ninov aka DrFrancky
http://securitydot.net


n3td3v wrote:
 Hi,
 
 Discovered
 
 Regards,
 
 n3td3v
 

[Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread n3td3v

Intro:
We, the n3td3v group have come up with a good way to disturbute our
recently discovered zero-day vulnerability and exploit code.
How:
Every time you sign up to the n3td3v group you receive a welcome
message per unique e-mail address.
Scoop:
We plan to periodically release zero-day via the google group welcome
message, no longer are we using full-disclosure to reveal our dark
secret(s).
Additionally:
If Microsoft can make money from their own vulnerabilities via OneCare
then we can exploit the google groups welcome message by releasing
zero-day on the welcome message.
Furthermore:
We will post a message on Full-Disclosure mailing list which will
directly or indirectly indicate a presence that our welcome message
has zero-day web link. However, our welcome message will only ever
have zero-day web link when we notify the security community that a
special welcome message is available.
What this means to you:
Free Zero-Day for vendors Microsoft, Yahoo and Google. (our prime targets!)
What it means for us:
More members on our news group than ring-of-fire.
Regards:
n3td3v



Re: [Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread Mike Hoye
On Fri, Jun 02, 2006 at 05:16:59PM +0100, n3td3v wrote:
 We, the n3td3v group have come up with a good way to disturbute our

That is an excellent typo.

-- 
The early bird gets the worm, but it's the second mouse that gets
the cheese - Steven Wright



Re: [Full-disclosure] scanning

2006-06-02 Thread Valdis . Kletnieks
On Fri, 02 Jun 2006 17:05:26 +0200, Marcos Agüero said:
 [EMAIL PROTECTED] wrote:
  That is why the definition of “damage” is so important. If there is no
  impairment to the integrity and availability of the network, then there
  is no crime.
 So, it seems that portscanning is not a crime but, what if I scan a
 network and sell/trade/lend the results to some guy that will cause that
 impairment to the network? Is it a crime to sell such information?

At least in the US, it's a slam dunk, and one of the primary ways that
hackers get taken down (quite possibly as many as under 1030(a)(5) which
covers actually hacking in yourself).

18 USC 1030 (a)(6):

(6) knowingly and with intent to defraud traffics (as defined in section 1029) 
in any password or similar information through which a computer may be accessed 
without authorization, if:
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States; [1]

passwords or similar information. If it's info that lets the guy hack in,
like the box is vulnerable to MS06-229, you're probably in trouble.  There's
more than a few script kiddies now walking around with a criminal record
because they got caught copying files of Windows password hashes around so they
could run a password cracker on them.





Re: [Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread teh kids

see inline.

ON 6/2/06 N3TD3V [EMAIL PROTECTED]11! OMG WROT3

INTRO
W3 DA N3TD3V GROUP HAEV COMA UP WIT A GOD WAY 2 DISTURBUTE OUR
R3CENTLY DISCOVARED Z3RO-DAY VULN3RABILITY AND 3XPLOIT COD3
!111!!1 WTF HOW
EV3RYTIEM U SIGN UP 2 TEH N3TD3V GROUP U R3CEIV3 A WELCOMA
MESAEG PER UNIQUE E-MALE ADRAS
111!!!1 OMG WTF SCOP
WE PLAN 2 PERIODICALY R3LEAES Z3RO-DAY VIA TEH GOGL3 GROUP W3LCOME
MASAEG NO LONGER R WE USNG FUL-DISCLOSURE 2 RAVAAL OUR DARK
SECR3T(S)
!11!! OMG ADITIONALY
IF MICROSOFT CAN MAEK MONAY FROM THERE OWN VULNERABILITEIS VIA ONACAER
TH3N W3 CAN AXPLOIT TEH GOGL3 GROUPS W3LCOM3 M3SAEG BY REL3ASNG
ZERO-DAY ON DA WELCOME MESAEG
!1!! OMG WTF LOL FURTHERMOR3
W3 WIL POST A MESAEG ON FUL-DISCLOSURE MALENG LIST WHICH WIL
DIERCTLY OR INDIERCTLY INDICAET A PRESENCE TAHT OUR WELCOM3 MASAEG
HAS Z3RO-DAY W3B LINK111!!111 OMG WTF LOL HOWAVER OUR WELCOME M3SAEG WIL ONLY 
EVER
HAEV ZARO-DAY W3B LINK WH3N W3 NOTIFY DA SACURITY COMUNITY TAHT A
SPECIAL WALCOMA MESAEG IS AVALEABLE
111!! OMG WTF WUT THIS M3ANS 2 U FRE ZERO-DAY FOR V3NDORS MICROSOFT

YAHO AND GOGLE!1!111!1 OMG (OUR PRIEM TARGATS)

!1!!!1 OMG WTF WUT IT M3ANS FOR US
MOR3 MEMBRS ON OUR NEWS GROUP THAN RNG-OF-FIER
111!11! WTF RAGARDS
N3TD3V


FUL-DISCLOSURE - WE BLEIVE IN IT
11!1!! OMG WTF CHART3R HTP/LISTSGROKORGUK/FUL-DISCLOSURE-CHARTERHTML
!!1 OMG HOSTED AND SPONSORAD BY SECUNIA - HTP/SACUNIACOM/
!11 WTF

Artist: gOLd1e Lpokin' cha1n


On 12/11/05, n3td3v [EMAIL PROTECTED] wrote:
Son: sony DOn't hack PEop|e HackerZ Do


LyricZ:


Co/\/\e oUt wi7h ypur Ha|\|ds on yoUr Hea@
TURn thE [EMAIL PROTECTED] /\/\usic off and step awaY frpm ~|~He ZT3reo
put the h/-\cking a1bum dOwn,
LeaVE [V]c h4^^meR al0ne - tur|\| |t oF4
Wha~|~?


ZOny do|\|'T H4cK peopl3, h/-\CkErs do
A$k any po11Tician /-\|\|@ hE'll tEl1 you i7's trUe
I7's ^ FacT, Music makes you Vio1ent
L|ke Micha3l Jacks0n 7Elling lIttle t|[V]my to |3e 5il3n7
YO|_| |)oN't believe mE, here'S my HyPe
p4fEr /\/\e tHe ReCoRd and I'l1 sHOw you thE tYPe
oF cyber crI^^inaL thiS r/-\p Zh|t !$ brEeding
It's @ fact [EMAIL PROTECTED] /\/\C HAmmer lEft mE blEedin
Va|\|i|la Ice /\/\ade my MoTheR Z/-\Y, __
If i stuck wi~|~h 'UB40' tHEn ! \/\/oulda beEn 1n l0ve
But | d1DN't, | G07 i|\|volve@
Cypress phucking |-|i1l tAuGht me to mAKE a FucK|ng boMb
So I sT4Rted, I 8ouGht Another taPe
Th3 mOb boys snappe@ [V]e, my coc| and |3alls /-\che
So rEmembeR Scrip7 kID$ til| the heaD doUblEZ uP
$ONy doN'~|~ hAcK people, it's just hac|ers


[chor|_|s]
Sony doN't hacK pEople, HackERs d0
Sum[V]on the poliCe
WOop wpop Woop
soNy dpn't hack peoP|_E, HacKEr5 |)o
Summpn the police
woop \/\/oop Woop


So|\|Y don'7 hack p3oPle, HackErZ |)o
! see|\| it in ^ doc|_|[V]ent4ry oN 8BC 2
hacked To deAth outside hyper Value
GuNz blazIng like [V]1chaEl Caine in Zu|_U
6unners st/-\71stics Are sOmetimEs [EMAIL PROTECTED]
The Typ3 of cr|[V]inal haCKi|\|g |s 8reed||\|g
Shot |n ~|~he cHesT |\|0 pne here $7opped the b|[EMAIL PROTECTED]
2-4 7o base 0\/eR, @re you rEceiVing?
REmE/\/\ber r4p trAckZ 1n '87
scot7 ~|~HE lo7s up 1N hip-h0p he4ven
|3igg|e and [EMAIL PROTECTED] R.I.P.
E\/eN _|AM master [EMAIL PROTECTED]'s In t|-|e cEmetEry


[ChOrUs]
Sony doN't haC| pEop|_e, hACkerZ d0
Su^^/\/\on 7hE police
w0op WoOp WOOp
Sony @on't h4cK peOplE, haCkeRs do
SummoN the po1icE
woop wOop Woop


Sony d0n'T |-|ac| PeopLe, h/-\ckerz do
|'m a fUCkinG hacker and I ^^ighT H4ck yo|_|
^s a hack3r i'/\/\ ~|~eacHin' YOu a les5on
@K-47 Is a S/\/\ith an@ WEston
Just say No, just likE $AM[V]o
bUl|etProoF vesT, two 6uns and ammo
HIp-Hop Gangst/-\ Tr1pping
Ev3n Em1nem'Z into P|s7o1 whipping
S0l|d CrEW to1d We're the ones
P. d1dDy, _|. Lo in a ni6HtClub wITH a gUN
Heard sn0op Dogg now wantz to buS7 a C/-\p
SonY D0n't hack people, |7's juZt hackeRZ


One, twO - yo, face mY shoe
My namE's Mike bal1s anD I'm co^^1ng t|-|rOu6h
cybEr crimEs, stabbin' /-\Nd bUrGa1aRizAt|on
!s on the RiZE all /-\cross thE nat|on
~|~|-|e Zafety'z oFf @Nd The PiStol'S @imed
7He YarDIEs @n|) thE Mafia a|\/\/ayz get bl4med
PO1i7Ici/-\n's @shAm3d, a|\|D They H4ve|\|'T g0t a cl|_|e
[EMAIL PROTECTED] 1s [V]Ore D3/-\dly tH4n fuck1nG KuNg-fu


[CHoruz]
Sony Don't |-|ac| people, hac|ers do
SU^^[V]on ~|~He p0lice
woop Wp0p Wp0P
SONy don't haC| people, hackerz do
Summ0n TH3 pol1ce
Wo0p WoOp WoOp


zony d0n't |-|ack people, Hackerz DO



From bristol ZoO to BQ



I wann/-\ Hack, I wanna Hack
heARd i~|~ In a soNg, noW I'm in7p cyb3r criMe
It's a $ign of ~|~he t1mes li|e Princ3 Changing hiS naMe
You 6ptta have a $hoOter to |3e In the haCk game
Like 'Michael Lown' abou7 to St0p
Sony don'~|~ hAck p3oplE, |t's juSt hack1NG

[Choru$]
SoNy don't HacK pEople, hackErS |)O
Summon thE poLice
\/\/o0p Woop wopp
zony doN't hack pe0p|_e, hackeRs Do
S|_|mm0|\| the police
Woop wpOp wp0P



Re: [Full-disclosure] Files keep appearing

2006-06-02 Thread Colin Copley
Hi

Have you taken a look from the outside as it were, 
at the website that is hosted above the /Resources directory where they keep 
appearing?

Are they being uploaded through some insecure 
feature the webdevelopers have bolted onto the page, upload your CV / Docs kind 
of thing?

That would look like legit site traffic in your 
connection logs. 

Any .pl / .php / .asp scripts in or around that directory, do they log 
the filenames? 


It could be that the site itself is insecure 
presenting the phisher a way in despite running a fully patched 
server.

The original site could even be a smokescreen in 
which to hide the phishing pages... 

 — no connections were made on my server 


Remember if your webserver has been compromised 
through a known vuln or 0day the logs could be lying.

Regards
Colin

- Original Message -
From: Stephen Johnson
To: Untitled
Sent: Friday, June 02, 2006 5:08 AM
Subject: [Full-disclosure] Files keep appearing

 I keep having a phishing website appear on my web server. They keep
 showing up in a Resources folder of one of the sites that I host. I have
 gone through the logs and I am not seeing any connections. I deleted the
 files this morning and this evening they re-appeared — no connections were
 made on my server during that period of time. Also, there are no cron jobs
 that I noticed that looked out of the ordinary. I am running MySQL, PHP,
 Apache2 on a debian linux server. Any thoughts?

 --
 Stephen Johnson
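An added example, not code from Colin, Stephen or anyone on the list, that turns the two suggestions above into checks a server admin can run: snapshot the hashes of every file under the web root so the next reappearance shows exactly which files came back, and pull from an Apache combined-format access log the non-GET requests (where an upload feature would show up) and every request under the directory the pages land in. The web root, the /Resources/ prefix and the log lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for the "files keep appearing" case; not from the thread.
# Assumes Apache combined log format: field 6 is the quoted method,
# field 7 the request path.

# Write "sha256  ./path" for every regular file under DIR, sorted by path.
# Take one right after cleaning up; later snapshots are diffed against it.
make_manifest() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2)
}

# Lines of the CURRENT manifest absent from the BASELINE: files that are
# new or whose content changed (a changed file has a new hash line).
new_or_changed() {
    baseline=$1; current=$2
    if [ -s "$baseline" ]; then
        grep -vxFf "$baseline" "$current" || true
    else
        cat "$current"
    fi
}

# Requests whose method is not GET: an upload form or a dropped script
# that writes files is driven by POST, and looks like ordinary traffic.
log_non_get() {
    awk '{ m = $6; sub(/^"/, "", m); if (m != "GET") print }' "$1"
}

# Every request whose path starts with PREFIX, e.g. /Resources/, which
# shows whether the phishing pages were ever actually served.
log_under() {
    awk -v p="$1" 'index($7, p) == 1' "$2"
}

# Constructed sample log lines (documentation IP ranges, made-up times).
sample_access_log() {
    cat <<'EOF'
203.0.113.5 - - [02/Jun/2006:03:14:07 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [02/Jun/2006:03:14:09 -0700] "POST /cv/upload.php HTTP/1.1" 200 87 "-" "Mozilla/4.0"
198.51.100.7 - - [02/Jun/2006:03:20:11 -0700] "GET /Resources/bank/login.htm HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
EOF
}

# Demonstration on a constructed web root: baseline after cleanup, then
# a page "reappears" under Resources and the log is checked both ways.
demo_files_keep_appearing() {
    d=$(mktemp -d)
    mkdir -p "$d/site/Resources"
    echo '<?php echo "ok"; ?>' > "$d/site/index.php"
    make_manifest "$d/site" > "$d/baseline.txt"
    echo 'fake login form' > "$d/site/Resources/login.htm"
    make_manifest "$d/site" > "$d/current.txt"
    echo "new or changed files since baseline:"
    new_or_changed "$d/baseline.txt" "$d/current.txt"
    sample_access_log > "$d/access.log"
    echo "non-GET requests (possible upload path):"
    log_non_get "$d/access.log"
    echo "requests under /Resources/:"
    log_under /Resources/ "$d/access.log"
    rm -rf "$d"
}
```

Run make_manifest from cron against the real web root and diff the output with new_or_changed; a file that comes back with no matching POST in the log is the case Colin describes, where the writer is not going through the web server at all.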

Re: [Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread Valdis . Kletnieks
On Fri, 02 Jun 2006 17:16:59 BST, n3td3v said:

 What it means for us:
 More members on our news group than ring-of-fire.

No, what it means is a lot of throw-away accounts that will join,
snarf the zero-day, and *maybe* unsub.

If you want more members, why don't you just do:

for i = 1 to zillions do;
   bogus_user = ;
   for j = 1 to 12 do;
  bogus_user = bogus_user || $rand_letter;
   done;
   subscribe(bogus_user);
done;

Needing more members sounds suspiciously like needing more inches on your
member. And subscribing bogus members is like wanking - both will make it
bigger if you're doing it right.




Re: [Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread n3td3v

On 6/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

If you want more members, why don't you just do:

for i = 1 to zillions do;
  bogus_user = "";
  for j = 1 to 12 do;
 bogus_user = bogus_user || $rand_letter;
  done;
  subscribe(bogus_user);
done;



I hate hackers who use ||, its cringe worthy :)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day

2006-06-02 Thread n3td3v

On 6/2/06, j w [EMAIL PROTECTED] wrote:

how do i sign up for your list?

Thanks


Hi,

If you were an international hacker you wouldn't be asking this,

please unsubscribe

Regards,

n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] scanning

2006-06-02 Thread 0x80
There have been people charged with less in the past.  So depending
on where you live get permission.

On Thu, 01 Jun 2006 18:28:24 -0700 [EMAIL PROTECTED] wrote:

Phrased differently - do you really want to gamble spending the next
3-5 with a big hairy dude named Bubba?

Leave your mom out of this.




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Files keep appearing

2006-06-02 Thread 0x80
You've been owned

On Thu, 01 Jun 2006 21:08:54 -0700 Stephen Johnson 
[EMAIL PROTECTED] wrote:
I keep having a phishing website appear on my web server.

They keep showing up in a Resources folder of one of the sites 
that I host.
I have gone through the logs and I am not seeing any connections.  

I deleted the files this morning and this evening they re-appeared — no
connections were made on my server during that period of time.

Also, there are no cron jobs that I noticed that looked out of the
ordinary.

I am running MySQL, PHP, Apache2 on a debian linux server.

Any thoughts? 

-- 
Stephen Johnson
--




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day

2006-06-02 Thread Exibar
OMG!!!  Someone actually wants to sign up for your little list and you're 
giving them crap and insults  just a few messages ago you were bribing 
people to join your list by offering free zero-day exploit code to anyone 
that would sign up.


make up your mind...

stop trolling leave the list and stay on your own.

Ex


- Original Message - 
From: n3td3v [EMAIL PROTECTED]

To: j w [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Sent: Friday, June 02, 2006 1:29 PM
Subject: Re: [Full-disclosure] Microsoft Windows Live OneCare Zero-Day



On 6/2/06, j w [EMAIL PROTECTED] wrote:

how do i sign up for your list?

Thanks


Hi,

If you were an international hacker you wouldn't be asking this,

please unsubscribe

Regards,

n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] [DRUPAL-SA-2006-005] Drupal 4.6.7 / 4.7.1 fixes SQL injection issue

2006-06-02 Thread Uwe Hermann

Drupal security advisory  DRUPAL-SA-2006-005

Advisory ID:DRUPAL-SA-2006-005
Project:Drupal core
Date:   2006-05-24
Security risk:  highly critical
Impact: Drupal core
Where:  from remote
Vulnerability:  SQL injection


Description
---

A security vulnerability in the database layer allowed certain queries to be
submitted to the database without going through Drupal's query sanitizer.

This problem represents a critical security vulnerability and should be patched
or upgraded immediately.

Versions affected
---
All Drupal versions before 4.6.7 and 4.7.1.

Solution
---
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

Contact
---
The security contact for Drupal can be reached at [EMAIL PROTECTED]
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [DRUPAL-SA-2006-006] Drupal 4.6.7 / 4.7.1 fixes arbitrary file execution issue

2006-06-02 Thread Uwe Hermann

Drupal security advisory  DRUPAL-SA-2006-006

Advisory ID:DRUPAL-SA-2006-006
Project:Drupal core
Date:   2006-05-24
Security risk:  highly critical
Impact: Drupal core
Where:  from remote
Vulnerability:  Execution of arbitrary files


Description
---
Certain -- alas, typical -- configurations of Apache allow execution of
carefully named arbitrary scripts in the files directory.  Drupal now will
attempt to automatically create a .htaccess file in your files directory
to protect you.

Versions affected
---
All Drupal versions before 4.6.7 and also Drupal 4.7.0.

Solution
---
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.7.
If you are running Drupal 4.7.0 then upgrade to Drupal 4.7.1.

Make sure you have a .htaccess in your files dir and it contains this line:

SetHandler This_is_a_Drupal_security_line_do_not_remove

Contact
---
The security contact for Drupal can be reached at [EMAIL PROTECTED]
or using the form at http://drupal.org/contact.
More information is available from http://drupal.org/security or from
our security RSS feed http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] [DRUPAL-SA-2006-007] Drupal 4.6.8 / 4.7.2 fixes arbitrary file execution issue

2006-06-02 Thread Uwe Hermann

Drupal security advisory  DRUPAL-SA-2006-007

Advisory ID:DRUPAL-SA-2006-007
Project:Drupal core and any web app that allows user uploads
Date:   2006-06-01
Security risk:  highly critical
Impact: Drupal core
Where:  from remote
Vulnerability:  Execution of arbitrary files


Description
---

Recently, the Drupal security team was informed of a potential exploit
that would allow untrusted code to be executed upon a successful request
by a malicious user. If a dynamic script with multiple extensions such
as file.php.pps or file.sh.txt is uploaded and then accessed from a web
browser under certain common Apache configurations, it will cause the
script inside to be executed. We deemed this exploit critical and
released Drupal 4.6.7 and 4.7.1 six hours after the report was filed.
The fix was to create a .htaccess file to remove all dynamic script
handlers, such as PHP, from the files directory.

After continuous review, however, we've found that the fix will not work
in certain Apache configurations, for example those for whom .htaccess
FileInfo overrides are disabled. We are thus releasing 4.6.8 and 4.7.2
with a more robust .htaccess fix, as well as a Drupal core solution to
the issue which will work under all configurations. The new behavior of
Drupal's upload.module is to rename all uploaded files with multiple,
non-numeric, and non-whitelisted extensions by any other user than the
administrator. For example:

file.php.pps
this is a long file.name.txt

becomes:

file.php_.pps
this is a long file.name_.txt

Please note that the particular Apache configurations under which this
exploit is possible will affect ANY web application on the server which
allows uploads to web-accessible directories, not just Drupal. The
Drupal security team has also contacted other projects, such as
WordPress, about this issue and new versions of their software have
either already been released, or are forthcoming.

4.7.2 also fixes a potential XSS bug with upload.module.

Versions affected
---
All Drupal versions before 4.6.8 and before Drupal 4.7.2.

Solution
---
If you are running Drupal 4.6.x then upgrade to Drupal 4.6.8.
If you are running Drupal 4.7.x then upgrade to Drupal 4.7.2.

To patch Drupal 4.6.7 use the
http://drupal.org/files/sa-2006-007/4.6.7.patch.
To patch Drupal 4.7.1 use the
http://drupal.org/files/sa-2006-007/4.7.1.patch.

Reported By
---
DRUPAL-SA-2006-06 issue: Lourens Veen
XSS vulnerability in upload.module: Karoly Negyesi

Contact
---
The security contact for Drupal can be reached at [EMAIL PROTECTED]
or using the form at http://drupal.org/contact. More information is
available from http://drupal.org/security or from our security RSS feed
http://drupal.org/security/rss.xml.


// Uwe Hermann, on behalf of the Drupal Security Team.
-- 
Uwe Hermann 
http://www.hermann-uwe.de
http://www.it-services-uh.de  | http://www.crazy-hacks.org 
http://www.holsham-traders.de | http://www.unmaintained-free-software.org


signature.asc
Description: Digital signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
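As an added example (Python, not Drupal's own PHP code), the rename rule described in the advisory above, re-implemented beside a simplified model of the Apache multi-extension handling that makes it necessary; the handler map and the extension whitelist are assumptions.

```python
from typing import Optional

# Simplified model of Apache mod_mime multi-extension handling (assumed
# handler map, not a real Apache config): every dot-separated segment after
# the base name counts as an extension, and a segment bound to a dynamic
# handler activates it even when it is not the last one, which is why a
# file named file.php.pps gets executed.
DYNAMIC_HANDLERS = {
    "php": "application/x-httpd-php",
    "cgi": "cgi-script",
    "pl": "cgi-script",
    "sh": "cgi-script",
}

# Extensions the site intends to serve as plain files (assumed whitelist).
SAFE_EXTENSIONS = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "pps"}


def apache_handler_for(filename: str) -> Optional[str]:
    """Return the dynamic handler the modelled Apache would bind to this
    name, or None when every extension is inert."""
    for segment in filename.split(".")[1:]:
        handler = DYNAMIC_HANDLERS.get(segment.lower())
        if handler is not None:
            return handler
    return None


def munge_filename(filename: str, extensions=SAFE_EXTENSIONS,
                   is_admin: bool = False) -> str:
    """Rename rule from the advisory, re-implemented here (not Drupal's own
    code): for uploads by anyone but the administrator, every inner
    extension that is neither numeric nor whitelisted gets an underscore
    appended, so the modelled Apache no longer recognises it. The final
    extension is left alone; it is what the file will be served as."""
    if is_admin:
        return filename
    parts = filename.split(".")
    if len(parts) < 3:          # at most one extension: nothing to munge
        return filename
    base, inner, last = parts[0], parts[1:-1], parts[-1]
    munged = [ext if ext.isdigit() or ext.lower() in extensions else ext + "_"
              for ext in inner]
    return ".".join([base, *munged, last])


def safe_to_store(filename: str) -> bool:
    """Defender's check: after munging, does the modelled Apache still find
    a dynamic handler anywhere in the name? A plain upload.php is NOT
    rescued by munging alone; its final extension has to be rejected by the
    upload whitelist, which is a separate check."""
    return apache_handler_for(munge_filename(filename)) is None
```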

[Full-disclosure] rPSA-2006-0091-1 firefox thunderbird

2006-06-02 Thread Justin M. Forbes
rPath Security Advisory: 2006-0091-1
Published: 2006-06-02
Products: rPath Linux 1
Rating: Major
Exposure Level Classification:
Local User Deterministic Vulnerability
Updated Versions:
firefox=/[EMAIL PROTECTED]:devel//1/1.5.0.4-1-0.1
thunderbird=/[EMAIL PROTECTED]:devel//1/1.5.0.4-1-0.1

References:
http://issues.rpath.com/browse/RPL-398
http://issues.rpath.com/browse/RPL-341
http://www.mozilla.com/firefox/releases/1.5.0.4.html
http://www.mozilla.com/thunderbird/releases/1.5.0.4.html
http://www.mozilla.org/security/announce/2006/mfsa2006-31.html
http://www.mozilla.org/security/announce/2006/mfsa2006-32.html
http://www.mozilla.org/security/announce/2006/mfsa2006-33.html
http://www.mozilla.org/security/announce/2006/mfsa2006-34.html
http://www.mozilla.org/security/announce/2006/mfsa2006-35.html
http://www.mozilla.org/security/announce/2006/mfsa2006-36.html
http://www.mozilla.org/security/announce/2006/mfsa2006-37.html
http://www.mozilla.org/security/announce/2006/mfsa2006-38.html
http://www.mozilla.org/security/announce/2006/mfsa2006-39.html
http://www.mozilla.org/security/announce/2006/mfsa2006-40.html
http://www.mozilla.org/security/announce/2006/mfsa2006-41.html
http://www.mozilla.org/security/announce/2006/mfsa2006-42.html
http://www.mozilla.org/security/announce/2006/mfsa2006-43.html

Description:
Previous versions of the firefox browser and thunderbird mail user
agent have multiple vulnerabilities, some of which allow remote
servers to compromise user accounts.  The firefox browser is the
default browser on rPath Linux, and all users are strongly recommended
to update firefox and thunderbird as soon as possible.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


re : [Full-disclosure] n3td3v agenda revealed

2006-06-02 Thread Anil Gulecha
LOL

Intro: We, the n3td3v group have come up with a good way to distribute
our recently discovered zero-day vulnerability and exploit code.
How:
[snip]
What this means to you: Free Zero-Day for vendors Microsoft, Yahoo and
Google. (our prime targets!)
What it means for us: More members on our news group than ring-of-fire.
Regards: n3td3v

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] scanning

2006-06-02 Thread Steve Kudlak

Nightfall Nightfall wrote:


Is it illegal if I perform a vulnerability scan on a site without
permission from the owner? How about a simple port scan? thanks..

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


For research probably no. A lot of this stuff hangs on intent. When we
ground away on computer crime legislation we tried to keep innocent acts
from being criminalized. So in general things done out of curiosity are
pretty safe. However be squeaky clean. If your house/apartment and disk
drive are littered with destroy the established powers literature then
you are close to the ham sandwich that can get indicted. If it is full
of gee whiz this tech stuff is neat and let's go and explore then you
look less like a ham sandwich and more like a chicken salad sandwich or
better yet a tofu surprise sandwich which are much harder to indict.
This is all said in kind of analogical fun jest but as they say many a
true word is said in jest.


Have Fun,
Sends Steve


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Tool Release - Tor Blocker

2006-06-02 Thread Jason Areff
It has come to our attention that the majority of tor users are not
actually from china but are rather malicious hackers that (ab)use it to
keep their anonymity. We have released a tool to stop users from
utilizing this tool to protect their identity from prosecution by a
designated systems administrator. Otherwise this puts the administrator
in responsibility for any malicious actions caused by said user.
Forensics is left with a tor exit node.



Recently our servers were hacked by a tor user and we were unable to
prosecute due to not being able to trace the source as the user was
using this malicious piece of software to keep his/her anonymity. 

 

To mitigate most tor attackers we've written an apache module designed
to give tor users a 403 error when visiting a specific website. We
suggest all administrators who do not wish a malicious tor user to
visit and possibly deface their website to enable the usage of this
module. This may not get all attackers, but hopefully it raises the
security bar just a little bit more to safeguard ourselves from hackers.



Thanks.



Jason Areff

 CISSP, A+, MCSE, Security+





--

security through obscurity isnt security

--

CODE:

/* MOD_DETOR */
/* blocks tor users from apache 2 server */

#include <http_config.h>
#include <httpd.h>

static void mod_detor_register_hooks(apr_pool_t *p);
int mod_detor_method_handler(request_rec *rec);

module AP_MODULE_DECLARE_DATA detor_module = {
    STANDARD20_MODULE_STUFF,
    NULL, NULL, NULL, NULL, NULL,
    mod_detor_register_hooks
};

static void mod_detor_register_hooks(apr_pool_t *p) {
    /* run before other handlers so blocked clients get the 403 first */
    ap_hook_handler(mod_detor_method_handler, NULL, NULL, APR_HOOK_FIRST);
}

int mod_detor_method_handler(request_rec *rec) {
    conn_rec *connection = rec->connection;
    /* peer address of this connection (remote_ip in Apache 2.0/2.2) */
    const char *internetaddress = connection->remote_ip;
char *listof33[] = {62.178.28.11, 83.65.91.110, 86.59.21.38, 
202.173.141.155,69.70.237.137, 209.172.34.176, 66.11.179.38, 
216.239.78.246,198.161.91.196, 72.0.207.216, 
139.142.184.213, 64.229.250.110,72.60.167.126, 24.36.132.185, 
70.68.168.93, 84.73.12.12,80.242.195.68, 84.72.104.77
, 62.2.174.20, 211.94.188.225,166.111.249.39, 
218.58.83.2, 218.72.40.145, 219.142.175.208,222.28.80.131, 
147.251.52.140, 81.0.225.179, 213.220.233.15,
85.178.229.8, 84.58.246.2, 80.143.198.147, 80.190.241.118,
89.52.64.107, 85.214.38.21, 81.169.130.130, 83.171.170.169,
62.75.129.201, 217.160.177.118, 213.61.151.217, 
89.58.21.142,217.172.187.46, 81.169.136.161, 213.239.202.232, 
62.75.222.205,84.16.234.153, 212.12.60.181, 84.167.55.157
, 62.75.171.154,85.25.132.119, 217.190.228.18, 
212.112.231.83, 213.133.99.185,85.176.201.130, 212.112.241.137, 
131.188.185.41, 84.175.229.31,217.187.160.148, 
87.123.81.89, 212.112.235.83, 213.39.133.132,85.176.92.87, 
212.114.250.252, 217.160.220.28, 213.239.211.148,
217.20.117.240, 80.190.250.139, 212.112.241.159, 217.224.170.117,
212.112.242.21, 212.112.228.2, 217.160.108.109, 
81.169.176.178,212.99.205.46, 85.31.186.86, 85.10.240.250, 
84.141.183.62,84.56.199.101, 87.106.2.7, 217.160.142.69, 
84.163.168.232,213.239.217.146, 84.177.160.152, 62.75.151.195, 
81.169.176.135,85.214.29.61, 85.179.0.63, 85.31.187.90
, 212.202.233.2,134.130.58.205, 81.169.132.19, 
212.88.142.147, 212.168.190.8,141.76.46.90, 80.237.203.179, 
193.28.225.8, 88.198.253.18,85.214.44.126, 217.160.95.117
, 62.75.149.130, 84.44.156.17,81.169.180.180, 
85.14.216.20, 80.190.242.122, 212.112.242.159,84.16.235.143, 
80.237.160.201, 83.171.188.170, 217.84.3.39,80.190.251.24
, 87.123.114.110, 194.95.224.201, 80.244.242.127,
87.106.34.45, 87.122.3.11, 83.171.173.229, 85.10.194.117,
217.160.132.150, 217.79.181.118, 212.60.156.94,213.239.212.45,
62.75.240.77, 217.172.183.219, 85.16.8.132, 85.14.220.126
,84.184.85.208, 85.31.186.61, 217.172.49.89, 
213.203.214.130,81.169.178.215, 212.112.242.89, 85.214.29.234,
213.239.194.175,85.14.216.207, 84.172.97.158, 
82.82.64.68, 195.71.99.214,80.143.172.132, 217.20.118.52, 
217.160.170.132, 84.56.64.207,213.146.114.96, 81.169.174.124, 
88.73.69.206, 84.156.61.231,84.60.118.102, 88.198.0.177
, 129.187.150.131, 85.178.108.140,217.160.109.40, 
85.176.106.4, 84.19.182.23, 62.75.185.15,84.57.89.186, 
81.169.158.102, 83.73.91.126, 62.243.85.164,85.57.137.206, 
63.246.145.70, 85.84.204.128, 84.77.51.149,85.77.12.12, 
80.223.105.208, 85.134.2.139, 82.141.90.19,80.186.67.109, 
85.76.189.225, 193.184.9.66, 84.249.227.96,84.34.133.217, 
82.128.216.214, 85.76.78.8, 84.230.221.101,212.246.66.120, 
80.222.75.74, 217.119.47.6, 82.128.214.254,144.120.8.219, 
81.56.58.94, 213.41.166.51, 82.228.48.220,213.41.242.132, 
82.227.178.224, 81.56.123.123, 81.56.27.175,86.210.52.95, 
82.231.59.44, 83.214.47.135, 82.227.61.106,82.67.175.80, 
82.240.188.187, 82.225.238.47, 88.121.142.36,82.67.125.23, 
81.57.158.21, 82.252.150.50, 212.56.108.4,86.142.8.187, 
84.9.189.25, 83.245.82.184, 81.5.172.97,195.62.29.176, 
217.155.230.230, 85.210.2.142, 193.110.91.7,62.17.252.166, 
62.121.31.116, 83.223.108.108, 87.80.96.52,213.228.241.143, 
83.245.15.87, 

Re: [Full-disclosure] Tool Release - Tor Blocker

2006-06-02 Thread str0ke

Umm what about the new ip addresses that are added to the tor network?

http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?sortbw=1&addr=1&textonly=1

This wouldn't really be a complete fix.

/str0ke

On 6/2/06, Jason Areff [EMAIL PROTECTED] wrote:

It has come to our attention that the majority of tor users are not actually
from china but are rather malicious hackers that (ab)use it to keep their
anonymity. We have released a tool to stop users from utilizing this tool to
protect their identity from prosecution by a designated systems
administrator. Otherwise this puts the administrator in responsibility for
any malicious actions caused by said user. Forensics is left with a tor exit
node.


 Recently our servers were hacked by a tor user and we were unable to
prosecute due to not being able to trace the source as the user was using
this malicious piece of software to keep his/her anonymity.


 To mitigate most tor attackers we've written an apache module designed to
give tor users a 403 error when visiting a specific website.  We suggest all
administrators whom do not wish a malicious tor user to visit and possibly
deface their website to enable the usage of this module. This may not get
all attackers, but hopefully it raises the security bar just a little bit
more to safeguard ourselves from hackers.

 Thanks.

 Jason Areff
 CISSP, A+, MCSE, Security+


 --
 security through obscurity isnt security
 --




Re: [Full-disclosure] Tool Release - Tor Blocker

2006-06-02 Thread Jason Areff
You could add exit nodes to the C module and re-insert it. Or you could
convert it to perl and have it rip the IPs off of that site. This is
version 1 of our tool release.

Jason Areff
CISSP, A+, MCSE, Security+

--
security through obscurity isnt security
--

On 6/3/06, str0ke [EMAIL PROTECTED] wrote:

 Umm what about the new ip addresses that are added to the tor network?

 http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?sortbw=1&addr=1&textonly=1

 This wouldn't really be a complete fix.

 /str0ke

 On 6/2/06, Jason Areff [EMAIL PROTECTED] wrote:
  It has come to our attention that the majority of tor users are not
  actually from china but are rather malicious hackers that (ab)use it
  to keep their

Re: [Full-disclosure] Tool Release - Tor Blocker

2006-06-02 Thread Valdis . Kletnieks
On Sat, 03 Jun 2006 00:21:49 EDT, Jason Areff said:

 --
 security through obscurity isnt security
 --

Yes...  And as the people who got addresses in the 69/8 address block
that *used* to be bogon space, security through bitrotted filters isn't
security either...

 char *listof33[] = {
 62.178.28.11, 83.65.91.110, 86.59.21.38, 202.173.141.155,
 69.70.237.137, 209.172.34.176, 66.11.179.38, 216.239.78.246,

For bonus points, estimate the amount of time before addresses on
this list become invalid because they're not Tor nodes, and Tor nodes
get created that aren't on this list.

This list is going to bitrot really fast, and needs a way to be easily
updated by the people who install it.

And with some 400 entries on the list, it would be nice performance-wise
if it used a sorted list and a binary search, so that for the vast
majority of cases, you'd be done in 9 or 10 iterations rather than 400.
And if it gets to 1000 exit nodes, it will only add one more iteration. ;)


pgpbuxgeQQVzv.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Tool Release - Tor Blocker

2006-06-02 Thread Valdis . Kletnieks
On Fri, 02 Jun 2006 23:47:38 CDT, str0ke said:
 Umm what about the new ip addresses that are added to the tor network?
 
 http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?sortbw=1&addr=1&textonly=1

Ahh.. there we go.  Now a wget of that every once in a while, and a little
bit of Perl kung-foo to build an 'addrs.h' file that gets #include'ed and
then rebuild the module, and we're getting closer. ;)

(And don't forget to throw out any alleged exit addresses in your own
address space, and any other addresses you really don't want to block.
It's embarrassing when a clever hacker uses your own security routines to
DoS you ;)


pgp1w57uEknsi.pgp
Description: PGP signature
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
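The two suggestions from this message and the previous one (a sorted list with binary search, and a periodically regenerated addrs.h that leaves out your own address space), as an added Python example that is not part of the thread; the listing is a constructed sample rather than the real exit.pl output, and the 203.0.113.0/24 network is an assumption.

```python
import bisect
import ipaddress

# Constructed sample of a text-only exit-node listing, one address per line
# (the real exit.pl output format is not reproduced here). The first four
# addresses come from the posted list; the rest are added to exercise the
# edge cases: a comment, junk, an IPv6 entry, a duplicate, and one address
# inside our own network.
SAMPLE_LISTING = """\
# tor exit nodes, constructed sample
62.178.28.11
83.65.91.110
86.59.21.38
69.70.237.137
203.0.113.7
not-an-address
2001:db8::1
69.70.237.137
"""

# Address space we operate and must never block, whatever the fetched list
# says (the self-DoS case from the thread); 203.0.113.0/24 is an assumption.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_exit_list(text, own_networks=OWN_NETWORKS):
    """Parse a listing into a sorted, de-duplicated list of IPv4Address,
    dropping comments, junk lines, IPv6 entries and our own addresses."""
    addrs = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue                      # junk line: skip it, don't abort
        if ip.version != 4:
            continue                      # the module compares IPv4 strings
        if any(ip in net for net in own_networks):
            continue                      # never block ourselves
        addrs.add(ip)
    return sorted(addrs)                  # IPv4Address sorts numerically


def is_exit_node(sorted_addrs, ip_str):
    """Membership test by binary search (bisect) instead of a linear scan
    over ~400 strings: about log2(n) comparisons, so going from 500 to
    1000 entries costs one more step, as the thread points out."""
    ip = ipaddress.ip_address(ip_str)
    i = bisect.bisect_left(sorted_addrs, ip)
    return i < len(sorted_addrs) and sorted_addrs[i] == ip


def render_addrs_h(sorted_addrs):
    """Emit the addrs.h header the thread suggests: a C string array a
    module can #include and bsearch() over (Python here in place of the
    suggested Perl). The array is sorted in strcmp() order, which is not
    numeric order (10.x sorts before 9.x), so bsearch() with strcmp() works.
    Regenerate and rebuild whenever the list is refreshed."""
    as_strings = sorted(str(addr) for addr in sorted_addrs)
    lines = ["/* generated: Tor exit addresses in strcmp() order, do not edit */",
             "static const char *tor_exit_addrs[] = {"]
    lines += ['    "%s",' % s for s in as_strings]
    lines += ["};",
              "static const size_t tor_exit_count = %d;" % len(as_strings)]
    return "\n".join(lines) + "\n"
```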

[Full-disclosure] blocking tor is not the right way forward. It may just be the right way backward.

2006-06-02 Thread Joel Jose
its not just fair game. we had discussed it in tor irc chan. ok so you
just made an apache mod for the black list. tor always did and always do
allow anyone to block tor users if they please. but the easiness which
tor gives for the blocking must not be overused to deny tor
communications even for legitimate purposes (definition vague).

hopefully the blacklists, apache mods.. and other methods of blocking
tor are not default enabled. And hopefully the security cookbooks and
other HOWTO's dont come with a default recommendation to enable these
tor blocking modules.

The admin needs to be educated about tor. Ideally he must be able to
decide for himself the balance between anonymity and performance. He
should be empowered to take his own decision. An educated and well
informed decision. Remember if privacy is outlawed, only outlaws will
have privacy.. and hackers have better ways to protect their privacy..
but as of today.. legitimate users dont have that luxury.. tor is their
most practical hope.

joel.

--
As soon as men decide that all means are permitted to fight an evil,
then their good becomes indistinguishable from the evil that they set
out to destroy.
- Christopher Dawson, The Judgment of Nations
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

RE: [Full-disclosure] Blocking Tor is not the right way forward. It may just be the right way backward.

2006-06-02 Thread Ali-Reza Anghaie
Forget hackers versus 'freedom', etc. for a moment. I'm trying to figure
out why a server or firewall administrator would subject themselves to
semi-dynamic rules by using a resource like
http://serifos.eecs.harvard.edu/cgi-bin/exit.pl?textonly=1 in the first
place.

Let's see... wait for the first time ~that site~ gets compromised and you
pull a nice list of address space for major ISPs. Or when Tor servers
are run on/NAT at the border and the IPs are the same as a major
'legitimate' proxy's. Or you pull a poisoned DNS record and don't see
that site at all but get a nicely planted fake list.

Yeah, a majority of 'abusers' aren't going to go to great length but
then again that majority aren't the people you're worried about in the
first place.

I say if you have the excess energy audit code, fuzz, install
application protocol proxies, etc. and don't bother with blacklists.
-Ali

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/