Re: [Full-disclosure] mac trojan in-the-wild
you'll be *prompted* for the root password, not asked to run it as root. Big difference, and one that many users do not appreciate at all. Good point. A lot has been made of the number of steps involved, but if you accept the manifest impossibility that -any- Mac user would ever fall for social engineering, it really isn't that hard to wind the garrotte round your own neck.

--
David Harley
AVIEN Interim Administrator: http://www.avien.org
http://www.smallblue-greenworld.co.uk
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] eBay redirects: next step in fake blogs and web search abuse
You try and go here:
http://hushmail-901.blogspot.com/2007/11/hushmail-tryig-to-delet-contacts-in.html

You get here:
http://search-desc.ebay.com/hushmail_W0QQ_trksidZm37QQcatrefZC6QQfromZR10QQftsZ2QQsacatZQ2d1QQsargnZQ2d1QQsaslcZ2QQsbrftogZ1QQsofocusZunknown
Re: [Full-disclosure] [funsec] eBay redirects: next step in fake blogs and web search abuse
The redirect is in this from the blogspot page. No real attempt to hide it.

<iframe src="http://homeoflove.selfip.com/ads/ads.php?src=hushmail" width="468" height="60" scrolling="no" frameborder="0"></iframe>

selfip.com is owned by Dyndns and I guess it's used for customers with no static IP or DNS

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi Evron
Sent: Saturday, November 03, 2007 9:41 AM
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: [funsec] eBay redirects: next step in fake blogs and web search abuse

You try and go here:
http://hushmail-901.blogspot.com/2007/11/hushmail-tryig-to-delet-contacts-in.html

You get here:
http://search-desc.ebay.com/hushmail_W0QQ_trksidZm37QQcatrefZC6QQfromZR10QQftsZ2QQsacatZQ2d1QQsargnZQ2d1QQsaslcZ2QQsbrftogZ1QQsofocusZunknown

___
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
[Full-disclosure] [SECURITY] [DSA 1397-1] New mono packages fix integer overflow
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 1397-1                    [EMAIL PROTECTED]
http://www.debian.org/security/                       Moritz Muehlenhoff
November 3rd, 2007                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mono
Vulnerability  : integer overflow
Problem-Type   : local
Debian-specific: no
CVE ID         : CVE-2007-5197

An integer overflow in the BigInteger data type implementation has been
discovered in the free .NET runtime Mono.

The oldstable distribution (sarge) doesn't contain mono.

For the stable distribution (etch) this problem has been fixed in
version 1.2.2.1-1etch1. A powerpc build will be provided later.

The unstable distribution (sid) will be fixed soon.

We recommend that you upgrade your mono packages.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
Debian GNU/Linux 4.0 alias etch
[Full-disclosure] Bank Of America Vulnerable
Dear SF,

I am writing this to inform the public that Bank of America's two step authentication is fundamentally flawed. The user at their website will enter a user name then tell their systems which state it originates from but the next step is flawed. The server connects you to a secret challenge where it gives a question like "What's your mother's maiden name?" but if you were to answer "Joni" it lets you in. On step 1 of this authentication you answer "Jon i" or "Jni" it lets you in, I found a couple times the server did not mind a letter missing as long as the beginning is kept the same; also moving the word or letters with spaces allows entrance. This is a common vulnerability; in fact the Point Of Sale at the company I work for allows 3 letters of your password to be entered and it usually authenticates because it isn't strict on how precise you enter the password as long as it appears to be the original password.

Superuser of Socal
gr33ts to 23.org, Uber Tron Da Hacker
[Full-disclosure] SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability
|| WWW.SMASH-THE-STACK.NET ||

|| ADVISORY: SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability

|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL

|| 0x00: ABOUT ME

Author: SkyOut
Date: November 2007
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: www.smash-the-stack.net

|| 0x01: DATELINE

2007-11-02: Bug found
2007-11-03: Advisory released

|| 0x02: INFORMATION

The Shoutbox software provided by Script-Fun.de is vulnerable to HTML and JavaScript injection. It is possible to execute code or manipulate the whole page. The fields for Name and Shout are not sanitized and therefore both can be manipulated with malicious content.

|| 0x03: EXPLOITATION

No exploit is needed to test this vulnerability. You just need a working web browser.

1: HTML Injection

Go to the main page of the Shoutbox software, normally located at main.php, and input HTML code into the Name and/or Shout field. To make the whole shouts being overlaid by your website you simply put

<meta http-equiv="refresh" content="0; URL=http://example.com/">

into the field(s)!

2: JavaScript Injection

Go to the main page of the Shoutbox software, normally located at main.php, and input the needed JavaScript code into the Name and/or Shout field. For example a simple popup could be constructed by inputting

<script>alert("XSS");</script>

... If you manipulate both fields the code will be executed twice. The more often you do this, the more often the code will be executed.

|| 0x04: GOOGLE DORK

intext:SF-Shoutbox

|| 0x05: RISK LEVEL

I would consider this a low critical vulnerability as this software is not widely used. Nevertheless in bad cases an attacker could manipulate different sites to show up his page, which then could try to attack the user's browser with common exploits, similar to IFrame injection.

! Happy Hacking !

THE END
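Added example, not part of the advisory and not Script-Fun.de's code: the remedy for unsanitized Name and Shout fields is to HTML-encode both when the row is written to the page (in the product's own PHP, `htmlspecialchars()` plays the role `html.escape` plays here). The row template, function names and length limits below are assumptions; an HTML parser is used to confirm that the advisory's two test strings no longer create tags.

```python
import html
from html.parser import HTMLParser

MAX_NAME, MAX_SHOUT = 32, 256  # assumed limits, not taken from SF-Shoutbox

# The two test strings quoted in the advisory.
META_REFRESH = '<meta http-equiv="refresh" content="0; URL=http://example.com/">'
SCRIPT_POPUP = '<script>alert("XSS");</script>'


def render_unsafe(name, shout):
    """Behaviour the advisory describes: both fields reach the page as-is."""
    return '<div class="shout"><b>%s</b>: %s</div>' % (name, shout)


def encode_field(value, limit):
    """Drop control characters, trim and cap the length, then HTML-encode."""
    printable = "".join(ch for ch in value if ch.isprintable())
    # Truncate before encoding so an entity such as &lt; is never cut in half.
    return html.escape(printable.strip()[:limit], quote=True)


def render_safe(name, shout):
    """Same (hypothetical) template, with every field encoded at output time."""
    return '<div class="shout"><b>%s</b>: %s</div>' % (
        encode_field(name, MAX_NAME), encode_field(shout, MAX_SHOUT))


class _Tags(HTMLParser):
    """Collects the start tags a browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)


def tags_in(fragment):
    """Return the start tags found in a rendered shout row."""
    parser = _Tags()
    parser.feed(fragment)
    parser.close()
    return parser.seen


if __name__ == "__main__":
    print("unsafe:", tags_in(render_unsafe(META_REFRESH, SCRIPT_POPUP)))
    print("safe:  ", tags_in(render_safe(META_REFRESH, SCRIPT_POPUP)))
```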
Re: [Full-disclosure] Bank Of America Vulnerable
On 11/3/07, Jamal Al-Aseer [EMAIL PROTECTED] wrote:
> Dear SF,
>
> I am writing this to inform the public that Bank of America's two step authentication is fundamentally flawed. The user at their website will enter a user name then tell their systems which state it originates from but the next step is flawed. The server connects you to a secret challenge where it gives a question like "What's your mother's maiden name?" but if you were to answer "Joni" it lets you in. On step 1 of this authentication you answer "Jon i" or "Jni" it lets you in, I found a couple times the server did not mind a letter missing as long as the beginning is kept the same; also moving the word or letters with spaces allows entrance. This is a common vulnerability; in fact the Point Of Sale at the company I work for allows 3 letters of your password to be entered and it usually authenticates because it isn't strict on how precise you enter the password as long as it appears to be the original password.
>
> Superuser of Socal

And the 3rd step... you know, the actual Password. Is that a loose password as well? It looks like it is just the challenge question that allows this loose matching.
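Added example, not part of either message and not the bank's code: a challenge-answer check that stores only a salted PBKDF2 hash of the answer, so a candidate either reproduces the stored digest or fails, and near misses such as the "Jon i" and "Jni" inputs reported above cannot pass. The class name, the case-folding rule, the work factor and the failure cap are assumptions.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor


def normalize(answer):
    """Unicode-normalize and case-fold; every letter and space stays significant."""
    return unicodedata.normalize("NFKC", answer).casefold().encode("utf-8")


def enroll(answer):
    """Return (salt, digest); the plain answer is never stored."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", normalize(answer), salt, ITERATIONS)


def verify(candidate, salt, stored):
    """Exact match only, compared in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", normalize(candidate), salt, ITERATIONS)
    return hmac.compare_digest(digest, stored)


class ChallengeGate:
    """Exact-match check plus a cap on consecutive wrong answers."""

    def __init__(self, answer, max_failures=3):
        self.salt, self.stored = enroll(answer)
        self.max_failures = max_failures
        self.failures = 0

    def attempt(self, candidate):
        if self.failures >= self.max_failures:
            return "locked"          # no further guesses until reset out of band
        if verify(candidate, self.salt, self.stored):
            self.failures = 0
            return "accepted"
        self.failures += 1
        return "rejected"


if __name__ == "__main__":
    gate = ChallengeGate("Joni")     # answer taken from the post above
    for guess in ("Jon i", "Jni", "Joni"):
        print(repr(guess), gate.attempt(guess))
```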
[Full-disclosure] stop cross posting
hi,

can everyone stop cross posting? it's the same people on all the mailing lists, there is absolutely no reason for cross posting. you know who you are,

n3td3v
[Full-disclosure] IDS logs showing outgoing packets on port 80
In our IDS logs, I notice many outgoing packets coming from port 80 (HTTP). These packets are coming from client PCs. What may be happening?
[Full-disclosure] Suspicious URL in IDS
Is the following URL valid? http://[EMAIL PROTECTED]
Re: [Full-disclosure] Suspicious URL in IDS
On 03 Nov 07, at 16:24, Kelly Robinson wrote:
> Is the following URL valid? http://[EMAIL PROTECTED]

Technically, yes. (It specifies that the client is to authenticate to www.sitenameremoved.ru with the username www.address.com.) It's often used in phishing attempts, though, as a sufficiently long username can be used to obscure the actual hostname and path.
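Added example, not part of the original message: a log check that pulls URLs out of IDS or proxy lines, reports which host the client would really contact, and flags a userinfo part that is itself shaped like a hostname. The log lines are constructed from the two placeholder names in the reply, and the function names and verdict labels are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s<>]+", re.I)
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

# Constructed sample lines; hostnames are the placeholders used in the reply.
SAMPLE_LOG = [
    "2007-11-03 16:20:11 10.0.0.23 GET http://www.sitenameremoved.ru/index.html",
    "2007-11-03 16:24:02 10.0.0.23 GET http://www.address.com@www.sitenameremoved.ru/",
    "2007-11-03 16:25:40 10.0.0.31 GET ftp://alice:secret@files.example.org/pub/",
    "2007-11-03 16:26:05 10.0.0.31 GET http://www.address.com%2Flogin@www.sitenameremoved.ru/x",
]


def inspect_url(url):
    """Split a URL and say whether its userinfo part could mislead a reader."""
    finding = {"url": url, "host": None, "username": None, "verdict": "no-userinfo"}
    try:
        parts = urlsplit(url)
        finding["host"] = parts.hostname      # the host actually contacted
        username = parts.username
    except ValueError:                        # e.g. malformed IPv6 literal
        finding["verdict"] = "unparseable"
        return finding
    if username is None:
        return finding
    decoded = unquote(username)               # %2F etc. can fake a path
    finding["username"] = decoded
    lookalike = re.split(r"[/?#]", decoded, maxsplit=1)[0]
    finding["verdict"] = "userinfo-hostlike" if HOSTLIKE.match(lookalike) else "userinfo"
    return finding


def scan(lines):
    """Return findings for every URL in the lines that carries userinfo."""
    hits = []
    for line in lines:
        for url in URL_RE.findall(line):
            finding = inspect_url(url.rstrip(".,)"))
            if finding["verdict"] != "no-userinfo":
                hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], "| shown:", hit["username"], "| real host:", hit["host"])
```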
Re: [Full-disclosure] stop cross posting
On 11/3/07, worried security [EMAIL PROTECTED] wrote:
> hi, can everyone stop cross posting? it's the same people on all the mailing lists, there is absolutely no reason for cross posting.

Sorry about that n3td3v, won't happen again. I would hate to annoy you like that.

-JP
Re: [Full-disclosure] IDS logs showing outgoing packets on port 80
On 11/3/07, Kelly Robinson [EMAIL PROTECTED] wrote:
> In our IDS logs, I notice many outgoing packets coming from port 80 (HTTP). These packets are coming from client PCs. What may be happening?

If they are replies to an incoming packet, then they are running a web server. If they are not replies to an incoming packet, they are most likely infected and trying to evade IDS detection by using a standard port (80) for C&C.

-JP
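Added example, not part of the original message: the reply's test applied to packet records, counting for each client how many packets sent from source port 80 answer a recent inbound packet to that port from the same peer and how many have no such request. The record layout, addresses, client network and 30-second window are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "ts src sport dst dport")

# Constructed sample; 10.0.0.0/24 stands in for the client network.
SAMPLE = [
    Packet(1.0, "198.51.100.7", 40001, "10.0.0.5", 80),    # request to a client
    Packet(1.1, "10.0.0.5", 80, "198.51.100.7", 40001),    # its reply
    Packet(1.2, "10.0.0.5", 80, "198.51.100.7", 40001),
    Packet(2.0, "10.0.0.9", 51000, "192.0.2.10", 80),      # ordinary browsing
    Packet(2.1, "192.0.2.10", 80, "10.0.0.9", 51000),
    Packet(5.0, "10.0.0.9", 80, "203.0.113.50", 443),      # nothing asked for these
    Packet(65.0, "10.0.0.9", 80, "203.0.113.50", 443),
    Packet(125.0, "10.0.0.9", 80, "203.0.113.50", 443),
]


def classify_port80_senders(packets, client_net, window=30.0):
    """Count, per client, port-80 sends that are replies versus unsolicited."""
    net = ip_network(client_net)
    last_request = {}   # (server, peer, peer_port) -> time of latest packet to server:80
    counts = {}
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dport == 80:
            last_request[(p.dst, p.src, p.sport)] = p.ts
        if p.sport == 80 and ip_address(p.src) in net:
            seen = last_request.get((p.src, p.dst, p.dport))
            is_reply = seen is not None and p.ts - seen <= window
            host = counts.setdefault(p.src, {"replies": 0, "unsolicited": 0})
            host["replies" if is_reply else "unsolicited"] += 1
    return counts


def triage(counts):
    """Label each client: answering requests only, or sending without one."""
    return {host: ("investigate" if c["unsolicited"] else "web server")
            for host, c in counts.items()}


if __name__ == "__main__":
    result = classify_port80_senders(SAMPLE, "10.0.0.0/24")
    for host, label in triage(result).items():
        print(host, result[host], label)
```

A sensor that sees only one direction of the traffic will count every sender as unsolicited, so confirm the capture point before acting on the result.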
[Full-disclosure] Chris-chan Christian Chandler
http://www.encyclopediadramatica.com/Chris-chan Story of My Current Days By. Christian W. Chandler. October 18, 2004 Updated: August 14, 2006 Four Score and over Three Years Ago, I, Christian Weston Chandler, have been currently experiencing my own Lonesome and Sad Depression. This is due to the following conditions: 1. I am a Frustrated Virgin 2. I need a pretty 18-(my current age)-year old, Boyfriend-Free Girl. 3. I am very shy in approaching the girls, for I FEAR that they are all already paired up with some JERK (a MAN, other than myself, CWC, and my father, Robert Franklin Chandler, Jr.), which I've dubbed the fear, Noviophobia, after the Spanish word for Boyfriend. L Where did it start? I started when my life-long friend, Sarah Hammer, a very pretty girl, was taken away from me by this Magician Jerk, Wes Iseli. At first, I was naive about their relationship. Later on, in Spring of 2003, I tried to pick up a girl in a class I was taking at Piedmont Virginia Community College, but she told me right-off, that SHE HAD A BOYFRIEND! And it was like that with every other girl who I talked to since then. Thus, I developed my Noviophobia (mentioned above). Since my fear-development, I realized that I needed to attract a BOYFRIEND-FREE Girl, by any means necessary, with limited resources. I was afraid to even say Hi to any girl, so I made a simple sign that stated, I am a (my age then)-Year Old, Single Male, seeking an 18-(my age then)-Year Old, Single Female Companion. I had the sign placed next to me, with an arrow pointing at me, and of course, I stood, or sat, next to the sign. Not only was I not able to attract any girls, but some Bullies (Men and Old Woman) did not approve my method of attraction. Also, I feel that they perceived me as a sweet, weak person, which I was then, but I am much, much saltier now. So that female dog, Mary Lee Walsh, tore up my sign; it SHATTERED my heart. But I kept on trying to attract, in the name of LOVE and TRUST! 
This brings us to today. Recently, I was suspended from PVCC, for trying to attract a Boyfriend-Free Girl. Then I got HANDCUFFED by the JERKOPS of the Fashion Square Shopping Center, and kicked out, for trying to attract a Boyfriend-Free Girl (I did not go to Jail). And I am currently still trying to attract a BF-Free Girl, without a sign, at the campus of the University of Virginia (of which I am not enrolled in). Though I do park in a in a garage, and I pay for the time I use in my Love Quest (which I am having much LESS success there). So, I ask you, with my own song lyric: Tell me why, I'm stuck in a Sad, Lonely Cage. Tell me why, I so need a cute girl my age. Tell me why, I ain't ever wanna hear you say, I HAVE A BOYFRIEND. As for Wes, I blame all of these happenings on him. If he had not taken my life-long friend away from me, I might have a Pretty Girlfriend today. And I would not have had to set out on endeavoring LOVE QUEST! Since, October, 2004, I've learned new, disturbing things. Like that having the sign next to, on or around me, represents, in a Body-Language way, shows that I may have some sort of mental condition, or that I was seeking a girl, only for Hanky-Panky. Of which is not true at all; I need a Girlfriend, Solely for LOVE and TRUST! Also, as of early November, I was reemitted into the Fashion Square Shopping Center, and since Mid-December, I totally left the UVA as an Attraction Location. I realized that I have no problem conversing with girls (as in Instant Message), but to approach a girl is much, much tougher for me. Also, I've learned from Wes that Sarah left him, and got herself paired up with another JERK (of which I later learned that his name was William). And I am not sure how to get in touch with her now. I've also figured out some NEW methods of attraction: pacing back-and-forth while watching a GBAVideo on either my Game Boy Advance SP or my Nintendo DS. 
I did manage to catch the attention of some girls, but they were all already paired-up with a JERK, or otherwise were updatable, due to their religion. But I did get a hug or two. I also started singing random songs from memory now and then. It was not as successful as the GBAVideo. I also started listening to my GBAJukebox MP3 Player and sang along when I felt like it (I had the GBAJukebox inserted into my Nintendo DS, that had a removable, more appropriate sign attached to it, in my hand). Also, I did manage to get a FREE Personal Ad in the April, 2005 issue of Nintendo Power magazine, but who really reads the personals anyway? I also displayed my best artwork in either my hand, or next to me; still not many reactions. One day in March, 2005, I now go to Fashion Square, on Tuesdays, Thursdays, and Saturdays, with my Nintendo DS, GBAVideos, GBAJukebox, my