Re: [Full-disclosure] iiScan - Full-function web application security scanning platform for free
Code please!

On Jan 5, 2010, at 1:49 PM, mrx wrote:

I too would like an invitation code. Thank you.

Regards,
mrx

Guilherme Scombatti wrote:

Yes, I want an invite code to test.

On Tue, Jan 5, 2010 at 2:37 PM, McGhee, Eddie eddie.mcg...@ncr.com wrote:

Hi, where can we receive an invite code to test?

From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of iiScan support
Sent: 05 January 2010 02:33
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] iiScan - Full-function web application security scanning platform for free

Dear all friends:

iiScan is pleased to announce our new generation of Web Application Security Evaluation Platform, which is totally FREE. It provides web security as a service through the Cloud; no installation of hardware or software is needed. Here is some description:

i) New generation of web application security evaluation platform

iiScan provides a cloud-computing based security service which focuses on web application security. With iiScan, you can get your web application assessed by iiScan experts, and the only thing you have to do is click the START button. After that, a report containing all details of vulnerabilities or risks of your website will be sent to your mailbox. Then you can fix them and make your website safer.

ii) iiScan can detect and test most web vulnerabilities without manual intervention:

SQL injection
Cross Site Scripting (XSS)
File Upload Vulnerability
Information Leakage
Insecure Direct Object References
Buffer overflow
Path Traversal
OS Commanding
Session Fixation
XPath Injection
......

iii) Rich statements

The statements we offer include abundant information. You can find all the details about every vulnerability and fix it with our suggestions. We also provide reports for web development and testing engineers.

iv) Easy to use

There is no longer technical research which is difficult to comprehend, and no process of configuring items. Through iiScan, you are the security expert of web application security, and you can finish the security assessment of a web application deeply and thoroughly through only several clicks.

v) Absolutely free

Security as a basic service should be provided free, so we firmly believe that the security industry needs a revolution. As a new free service provider, we have built the domestic first and only assessment platform for security assessment of web applications whose full functions are free. In the iiScan platform, the basic scanning policy is absolutely free.

We hope our work can help you. For more information please visit http://www.iiScan.com/
A demo video can be found here: http://www.iiscan.com/help/manual

Sincerely,
NOSEC iiScan support team
supp...@iiscan.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Antisec for lulz - exposed (anti-sec.com)
So it seems that the blackhat world suffers from the same ailments as the whitehat world. There are ninjas few and far between, but most of the hackers are just a bunch of kids that think they're zerocool. It's the ones that you never hear about that scare me.

On Jan 2, 2010, at 6:10 AM, Gichuki John Chuksjonia wrote:

One of the amazing things about these hackers calling themselves antisec is that they didn't have real hardening on their servers. Most of their servers had a direct public IP on their interfaces and even their user management was crappy. I remember when I heard of antisec I thought these guys were real gurus with more than 10 years of experience, but after the fake sshd and fake attacks, and DDOS that meant nothing, and now all is lulz, I can't help but rofl.

./Chuks

On 1/2/10, Jeff Blaum jblau...@gmail.com wrote:

It still does not change the fact that you (Glafkos) are a cock, and that astalavista is (and was) always a shit stain of a website.

J

On Thu, Dec 31, 2009 at 9:38 AM, Glafkos Charalambous i...@infosec.org.uk wrote:

-=* LULZ! *=-

anti-sec.com

-=* RAWR! *=-

http://www.anti-sec.com
http://pastebin.com/f12f6f9c0
http://pastebin.mozilla.org/694145
http://pastebin.ca/1733192

--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosig...@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] AntiSec Lamers Exposed
Oh c'mon, nobody is going to chastise me for this? What's going on here? What's wrong with this list? Is this the real FD? Even anti-sec is quiet...

On Jul 28, 2009, at 9:12 PM, Adriel T. Desautels wrote:

I love it when the CC is off the screen...

On Jul 28, 2009, at 9:08 PM, Adriel T. Desautels wrote:

Hey, I sent you an email earlier. I have quite a bit of information to share with you regarding these peeps. Either give me a call or shoot me an email and we can do some work with each other.

On Jul 28, 2009, at 6:52 PM, antisec exposed wrote:

Hmm, he thinks he is untouchable because he can't think of any hackers in Saudi being arrested. Also he thinks his IP doesn't matter because he may have used a proxy in his hacking. Well, I suppose taking credit for it over and over and over like it is your life's achievement doesn't matter, eh?

Let's face it antisec, you are LAME. No one gives a shit about your cause. The only noteworthy hack you have done is imageshack, which will also be your undoing. Let's do a lil recap of your so great achievements.

- astalavista.com - lame spammy site with dead forum, who gives a shit? And secondly, who even took them seriously in the first place? No one. That's who.

- ssanz - Who the fuck is ssanz? Some kid running a server management company from his laptop? Who the hell even heard of him, much less took his site and services seriously? Wow, you sure have changed the world with this hack; how dare some 15 year old kid advertise secure server management. You really taught the rest of us a lesson.

- secureservertech - jesus fucking christ, has anyone even seen this site? A shitty no name hosting company with a shitty template monster template offering secure web hosting. You got to be kidding me, yet another company no one has heard of, much less takes anything they say seriously. What another great achievement there, you really are changing things. Gee, the entire internet depended on them for secure web hosting. /sarcasm

- infosec.org.uk - yet another no name security site/security expert no one gives a shit about.

All of your fine select targets show you are just a bunch of kiddies who happened to get a few good exploits which you no doubt did not write. If you really wanted to teach us all a lesson and punish anyone who dares advocate security, why not go after someone we have all actually heard of? Like securityfocus, synmatec, etc? I'm sure everyone knows the answer - you just simply aren't able to. Kids like you pop up every few years and get swatted down like the lil flies you are. Within a month I guarantee you and your hrdev buddies will be arrested. Keep on thinking you are untouchable; you are not.

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] AntiSec Lamers Exposed
Hey, I sent you an email earlier. I have quite a bit of information to share with you regarding these peeps. Either give me a call or shoot me an email and we can do some work with each other.

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] AntiSec Lamers Exposed
I love it when the CC is off the screen...

On Jul 28, 2009, at 9:08 PM, Adriel T. Desautels wrote:

Hey, I sent you an email earlier. I have quite a bit of information to share with you regarding these peeps. Either give me a call or shoot me an email and we can do some work with each other.

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
[Full-disclosure] SNOsoft - GLOsoft - BLOsoft - Awesome!
SNOsoft - Blosoft - GLOsoft - Awesome!

Normally we wouldn't give an iota of attention to trolls, but there's always the exception to the rule. The past two advisories that we (Netragard/SNOsoft) released have been followed up by a troll publishing hilarious spoofs of those advisories. So far the spoofs they've released can be found here and are called BloSoft and GloSoft. We're actually proud (and flattered) that these trolls think that we're important enough to spoof, because that's a testament to our success as a security company. To us, it's sort of like being the target subject for a Saturday Night Live skit. So for the first time ever, thank you to the troll, whoever you are!

http://snosoft.blogspot.com/2009/06/snosoft-blosoft-glosoft-awesome.html

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] [SCADASEC] 11. Re: SCADA Security - Software fee's
: http://news.infracritical.com/mailman/listinfo/scadasec
To review our usage policy, please visit: http://www.infracritical.com/usage-scadasec.html

Simon Smith
simon_li...@snosoft.com
-- Subscribe to our blog http://snosoft.blogspot.com

___
To unsubscribe from this mailing list, please visit: http://news.infracritical.com/mailman/listinfo/scadasec
To review our usage policy, please visit: http://www.infracritical.com/usage-scadasec.html

--
Making no mistakes is what establishes the certainty of victory, for it means conquering an enemy that is already defeated. - Sun Tzu

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Facebook from a hackers perspective
That is awesome! I am going to add that to the blog post :)

On Feb 13, 2009, at 5:41 AM, Michael Painter wrote:

- Original Message -
From: Adriel T. Desautels
Sent: Thursday, February 12, 2009 6:23 AM
Subject: Facebook from a hackers perspective

Let's start off by talking about the internet and identity. The internet is a shapeless world where identities are not only dynamic but can't ever be verified with certainty. As a result, it's easily possible to be one person one moment, then another person the next moment. This is particularly true when using internet based social networking sites like Facebook (and the rest).

http://www.unc.edu/depts/jomc/academics/dri/idog.html

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Facebook from a hackers perspective
Sounds to me like you have a crush on Eric Loki Hines.

On Feb 13, 2009, at 10:12 AM, bobby.mug...@hushmail.com wrote:

Dear ATD,

"Because most of the targeted employees were male between the ages of 20 and 40 we decided that it would be best to become a very attractive 28 year old female."

Your transgender technical attack was pioneered and perfected in 2008 by information security expert Eric Loki Hines - why are you taking credit for a lesser version of his groundbreaking work, and insisting on originality?

1. Eric Loki Hines is a security expert and presents at BlackHat
http://www.blackhat.com/html/win-usa-01/win-usa-01-speakers.html#Loki

2. Eric Loki Hines updates his linkedin profile
http://www.linkedin.com/in/alissaknight

3. Alissa Knight starts softcore pornography site
http://www.alissaknight.com

4. Snosoft claims to have invented social engineering.

Please give credit where credit is due. I await your response with masterfully baited breath.

-bm

On Fri, 13 Feb 2009 09:45:42 -0500 Adriel T. Desautels ad_li...@netragard.com wrote:

That is awesome! I am going to add that to the blog post :)

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
[Full-disclosure] Facebook from a hackers perspective
that it would be best to become a very attractive 28 year old female. We found a fitting photograph by searching google images and used that photograph for our fake Facebook profile. We also populated the profile with information about our experiences at work by using combined stories that we collected from real employee facebook profiles.

Upon completion we joined our customer's facebook group. Joining wasn't an issue and our request was approved in a matter of hours. Within twenty minutes of being accepted as group members, legitimate customer employees began requesting our friendship. In addition to inbound requests we made hundreds of outbound requests. Our friends list grew very quickly and included managers, executives, secretaries, interns, and even contractors.

After having collected a few hundred friends, we began chatting. Our conversations were based on work related issues that we were able to collect from legitimate employee profiles. After a period of three days of conversing and sharing links, we posted our specially crafted link to our facebook profile. The title of the link was "Omitted have you seen this I think we got hacked!"

Sure enough, people started clicking on the link and verifying their credentials. Ironically, the first set of credentials that we got belonged to the person that hired us in the first place. We used those credentials to access the web-vpn, which in turn gave us access to the network. As it turns out, those credentials also allowed us to access the majority of systems on the network including the Active Directory server, the mainframe, pump control systems, the checkpoint firewall console, etc. It was game over; the Facebook hack worked yet again.

During testing we did evaluate the customer's entire infrastructure, but the results of the evaluation have been left out of this post for clarity. We also provided our customer with a solution that was unique to them to counter the Social Network threat. They've since implemented the solution and have reported on 4 other social penetration attempts since early 2008.

The threat that Social Networks bring to the table affects every business and the described method of attack has an extraordinarily high success rate. Please leave your comments on the blog.

Adriel T. Desautels
ad_li...@netragard.com
-- Subscribe to our blog http://snosoft.blogspot.com
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Well, after over 100,000 alerts, each with very different payloads, the traffic stopped. I do have a list of all of the dropped packets from my firewall as well, and it appears that it was hitting 3 IP addresses which are public facing, not just one. The weird part is that two of those three aren't even live. So I think that this may have been noise from a different attack...

I'd be very interested in decoding the payloads for some of these. Anyone here have any tools to do such a decode? I'd rather not do it manually if at all possible.

[EMAIL PROTECTED] wrote:

On Wed, 16 Aug 2006 12:33:13 BST, Barrie Dempster said:

Although the port 0 in this case is a red herring and irrelevant. Port 0 itself when used with TCP/UDP (not ICMP!) can actually be used on the Internet.

A while back I modified netcat and my linux kernel so that it would allow usage of port 0 and was able to connect to a remote machine via TCP with that port and communicate fine. Of course, the poor security geek who sees a TCP SYN from port 0 to port 0, and then a SYN+ACK reply back, will be going WTF??!? for the rest of the day. :)

(Another good one to induce head-scratching is anything that does RFC1644-style T/TCP. Anytime you see a packet go by in one direction with SYN/FIN *and* data, and the reply has SYN/ACK/FIN and data on it... ;)

--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
-- Vulnerability Research and Exploit Development
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Also, I failed to mention that they came in bursts of 3 every 5 minutes on the dot.

--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
-- Vulnerability Research and Exploit Development
[Full-disclosure] ICMP Destination Unreachable Port Unreachable
Hi List,

I've been receiving this traffic for a while from the same IP address. Does anyone have any idea what type of traffic this might be? Neither the source IP nor the target IP have any ports associated with them in this event. Any ideas would be appreciated. I haven't looked into this extensively, figured I'd ask the list first.

Event: ICMP Destination Unreachable Port Unreachable
Category: misc-activity
Level: 3
Sensor: IDS-1 (1)
Date / Time: 08/15/2006 13:22:33
Module:
Event ID: 5769
Original Event ID: 5723
Source: 82.246.252.214 : 0
Destination: x.x.x.49 : 0

Payload Length: 145

000 : 00 00 00 00 45 00 00 8D 30 55 00 00 6D 11 03 B2   E...0U..m...
010 : 46 5B 83 31 52 F6 FC D6 3F 65 0A 25 00 79 2D E3   F[.1R...?e.%.y-.
020 : 7F 70 02 30 F0 EF 5B 4A A8 5A A2 E0 22 C7 26 F9   .p.0..[J.Z..".&.
030 : 09 C7 E7 11 CC E6 03 24 64 92 0C D1 75 B4 4C 36   ...$d...u.L6
040 : 4B 1D F7 97 DC B8 A2 59 9D E2 81 E0 1B 5C 56 E7   K..Y.\V.
050 : E9 86 F5 F1 89 A8 E3 77 56 D5 8D B6 69 C9 FD 3F   ...wV...i..?
060 : D2 76 94 0B 54 AF 8F 79 52 4D 05 50 34 19 5F BE   .v..T..yRM.P4._.
070 : 29 F5 48 EE 19 0C 10 5B C7 66 A2 A4 1A D8 D3 29   ).H[.f.)
080 : 74 42 C5 37 B0 3F 92 B7 1C 32 F2 14 55 FC 68 02   tB.7.?...2..U.h.
090 : B8                                                .

--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
-- Vulnerability Research and Exploit Development
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Well, there's something to the traffic that I am seeing. The payloads are always changing and contain significantly different data. One of the payloads was packed full of X'es, the other was packed full of |'s. Check it out.

Event: ICMP Destination Unreachable Port Unreachable
Category: misc-activity
Level: 3
Sensor: IDS-1 (1)
Date / Time: 08/15/2006 14:14:41
Module: xxx
Event ID: 5907
Original Event ID: 5864
Source: 82.246.252.214 : 0
Destination: xx.xx.xx.50 : 0

Payload Length: 152

000 : 00 00 00 00 45 00 00 9C 46 64 40 00 EE 11 2C 92   ....E...Fd@...,.
010 : 46 5B 83 32 52 F6 FC D6 00 35 A4 10 00 88 2B 28   F[.2R5+(
020 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
030 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
040 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
050 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
060 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
070 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
080 : 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58
090 : 58 58 58 58 58 58 58 58

Dude VanWinkle wrote:

On 8/15/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:

Dude VanWinkle,

snip

- Looks to me like they are using port 0. http://www.grc.com/port_0.htm -JP

*NEVER TRUST* Steve Gibson. I bet he smokes crack. See http://attrition.org/errata/charlatan.html#gibson for more details.

thanks for the tip! Still, I can't seem to help but think there is something to this port 0 thingy

http://www.networkpenetration.com/port0.html

snip

3. Port 0 OS Fingerprinting
---
As port 0 is reserved for special use as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clear, different OS's have different ways of handling traffic using port 0, thus they can be fingerprinted.

I guess that is just a reaction to traffic and not actual traffic via port 0, but still nifty info

-JP

--
Regards,
Adriel T. Desautels
SNOsoft Research Team
Office: 617-924-4510 || Mobile : 857-636-8882
-- Vulnerability Research and Exploit Development
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Darren,
    I did notice what type of packet it was and I also know what the packet signifies. The issue that I am having is that there has never been any outbound UDP activity to the host that is replying to this network. The payloads of the ICMP packets are a bit weird too, containing either X'es or |'s or encoded strings. What I am trying to figure out is if anyone here recognizes these types of payloads and knows what could be generating them?

so just to be clear... I want info about the payload not about ICMP!

Darren Bounds wrote:
> Dude,
>
> In case you've failed to notice, this is an ICMP port unreachable message. It's sent in response to a UDP packet destined for an unavailable UDP port. The port '0' referenced in the event source/destination is meaningless as ICMP doesn't use source and destination ports (it is always '0').
>
> The payload of the ICMP unreachable message contains the original IP header (of the initial UDP packet) and at least 64 bits (8 bytes) of the original data datagram. The size of data echoed will vary depending on the implementation.
>
> On 8/15/06, Dude VanWinkle [EMAIL PROTECTED] wrote:
> > On 8/15/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:
> > > Dude VanWinkle,
> > >
> > > > snip
> > > > - Looks to me like they are using port 0.
> > > > http://www.grc.com/port_0.htm
> > > > -JP
> > >
> > > *NEVER TRUST* Steve Gibson. I bet he smokes crack.
> > > See http://attrition.org/errata/charlatan.html#gibson for more details.
> >
> > thanks for the tip!
> >
> > Still, I can't seem to help but think there is something to this port 0 thingy
> > http://www.networkpenetration.com/port0.html
> >
> > snip
> > 3. Port 0 OS Fingerprinting
> > ---
> > As port 0 is reserved for special use as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clear different OS's have different ways of handling traffic using port 0 thus they can be fingerprinted.
> >
> > I guess that is just a reaction to traffic and not actual traffic via port 0, but still nifty info
> >
> > -JP

--
Regards,
    Adriel T. Desautels
    SNOsoft Research Team
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Darren, my apologies. ;]

Darren Bounds wrote:
> Adriel,
>
> I was replying to Dude VanWinkle, who's been chasing down the src/dst port 0 unnecessarily.
>
> On 8/15/06, Adriel T. Desautels [EMAIL PROTECTED] wrote:
> > Darren,
> >     I did notice what type of packet it was and I also know what the packet signifies. The issue that I am having is that there has never been any outbound UDP activity to the host that is replying to this network. The payloads of the ICMP packets are a bit weird too, containing either X'es or |'s or encoded strings. What I am trying to figure out is if anyone here recognizes these types of payloads and knows what could be generating them?
> >
> > so just to be clear... I want info about the payload not about ICMP!
> >
> > Darren Bounds wrote:
> > > Dude,
> > >
> > > In case you've failed to notice, this is an ICMP port unreachable message. It's sent in response to a UDP packet destined for an unavailable UDP port. The port '0' referenced in the event source/destination is meaningless as ICMP doesn't use source and destination ports (it is always '0').
> > >
> > > The payload of the ICMP unreachable message contains the original IP header (of the initial UDP packet) and at least 64 bits (8 bytes) of the original data datagram. The size of data echoed will vary depending on the implementation.
> > >
> > > On 8/15/06, Dude VanWinkle [EMAIL PROTECTED] wrote:
> > > > On 8/15/06, Julio Cesar Fort [EMAIL PROTECTED] wrote:
> > > > > Dude VanWinkle,
> > > > >
> > > > > > snip
> > > > > > - Looks to me like they are using port 0.
> > > > > > http://www.grc.com/port_0.htm
> > > > > > -JP
> > > > >
> > > > > *NEVER TRUST* Steve Gibson. I bet he smokes crack.
> > > > > See http://attrition.org/errata/charlatan.html#gibson for more details.
> > > >
> > > > thanks for the tip!
> > > >
> > > > Still, I can't seem to help but think there is something to this port 0 thingy
> > > > http://www.networkpenetration.com/port0.html
> > > >
> > > > snip
> > > > 3. Port 0 OS Fingerprinting
> > > > ---
> > > > As port 0 is reserved for special use as stated in RFC 1700. Coupled with the fact that this port number is reassigned by the OS, no traffic should flow over the internet using this port. As the specifics are not clear different OS's have different ways of handling traffic using port 0 thus they can be fingerprinted.
> > > >
> > > > I guess that is just a reaction to traffic and not actual traffic via port 0, but still nifty info
> > > >
> > > > -JP
> >
> > --
> > Regards,
> >     Adriel T. Desautels
> >     SNOsoft Research Team

--
Regards,
    Adriel T. Desautels
    SNOsoft Research Team
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
Darren,
    My responses are below:

Darren Bounds wrote:
> I'm confused about a couple things:
>
> 1) You say you knew the nature of the packet yet in your original message you stated "Neither the source IP or the target IP have any ports associated with them in this event. Any ideas would be appreciated."

I wasn't very clear was I, my apologies again. I understand that ICMP packets have no port per se. The ideas that I was interested in were with regards to the payload of the packets. In the same email I also mention that I haven't looked through this very extensively, I was crammed with other work. ;]

> - The packet you dumped was an ICMP port unreachable. There will never be a port associated with an ICMP packet.

right.

> - ICMP unreachable messages contain a payload with the IP header of the packet generating the error and at least 64 bits (8 bytes) of the original data datagram. There are ports associated with UDP and therefore inspection of the embedded UDP packet tells you quite a bit. i.e. It was using ports 16229 and 2597 as source and destination.

Right, someone said the same thing earlier (maybe it was you). I've taken the liberty of blocking any traffic going to all of the IP addresses which are involved in this particular incident. Likewise I've also blocked any traffic for those IP addresses going to the affected network. Yet, the traffic keeps coming to the affected network. I did run a sniffer for a while and I saw no traffic leaving the affected network headed for the IP addresses in question, yet they continue to send traffic back to the affected network. The two IP addresses are in Amsterdam and they are still sending the ICMP packets with the interesting payloads. I'm wondering if anyone can identify what generated those payloads. Has anyone seen similar payloads before?

The two offending IP's are: 81.99.46.113 and 82.246.252.214

> 2) You * out the first 3 octets of the destination IP address in the event but leave the IP address in the ICMP payload (70.91.131.49). Why?

Force of habit. ;]

> --
> Thanks,
> Darren Bounds
>
> On 8/15/06, Adriel T. Desautels [EMAIL PROTECTED] wrote:
> > Darren,
> >     I did notice what type of packet it was and I also know what the packet signifies. The issue that I am having is that there has never been any outbound UDP activity to the host that is replying to this network. The payloads of the ICMP packets are a bit weird too, containing either X'es or |'s or encoded strings. What I am trying to figure out is if anyone here recognizes these types of payloads and knows what could be generating them?
> >
> > so just to be clear... I want info about the payload not about ICMP!

--
Regards,
    Adriel T. Desautels
    SNOsoft Research Team
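The ICMP unreachable layout Darren describes above (4 unused bytes, the original IPv4 header, then at least 8 bytes of the original datagram), decoded against the hex dump quoted earlier in this thread, as an added example that is not part of any post. It assumes the IDS dump starts at the unused field, i.e. the ICMP type/code/checksum bytes are not included.

```python
import socket
import struct

# Constructed from the IDS hex dump quoted earlier in this thread: the 152-byte
# sensor payload (4 unused bytes, embedded IPv4 header, UDP header, 120 x 'X').
DUMP = (
    "00 00 00 00 45 00 00 9C 46 64 40 00 EE 11 2C 92 "
    "46 5B 83 32 52 F6 FC D6 00 35 A4 10 00 88 2B 28 "
    + "58 " * 120
)


def parse_unreachable_body(body: bytes) -> dict:
    """Decode the body of an ICMP type 3 (destination unreachable) message.

    RFC 792 layout: 4 unused bytes, the original IPv4 header, then at least
    8 bytes of the original datagram (for UDP, its whole header). Assumption:
    type/code/checksum are absent, so the body starts at the unused field.
    """
    if len(body) < 4 + 20 + 8:
        raise ValueError("too short for an IP header plus 8 datagram bytes")
    ip = body[4:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl + 8:
        raise ValueError("embedded header is not a complete IPv4 header")
    total_len, _ident, _frag, ttl, proto = struct.unpack("!HHHBB", ip[2:10])
    info = {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "proto": proto,
        "ttl": ttl,
        "total_len": total_len,
    }
    inner = ip[ihl:]
    if proto == 17:  # UDP: ports are the first 4 echoed bytes of the datagram
        sport, dport, udp_len, _cksum = struct.unpack("!HHHH", inner[:8])
        data = inner[8:]
        # 'missing' = data bytes of the original datagram the replier did not echo
        info.update(sport=sport, dport=dport, udp_len=udp_len,
                    echoed=len(data), missing=udp_len - 8 - len(data))
        # Flag a payload "packed full" of one byte, like the X'es in the dump.
        if data and len(set(data)) == 1:
            info["fill"] = chr(data[0])
    return info


def parse_dump(hex_text: str) -> dict:
    """Convenience wrapper for a space-separated hex dump."""
    return parse_unreachable_body(bytes.fromhex(hex_text))
```

Run on the constructed dump it returns the embedded source/destination addresses, the UDP ports, and how many of the original datagram's data bytes the replying host echoed.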
Re: [Full-disclosure] Re: ICMP Destination Unreachable Port Unreachable
starting to think that, there's an awful lot of traffic tho.

[EMAIL PROTECTED] wrote:
> On Tue, 15 Aug 2006 18:53:09 EDT, Adriel T. Desautels said:
> > Darren,
> >     I did notice what type of packet it was and I also know what the packet signifies. The issue that I am having is that there has never been any outbound UDP activity to the host that is replying to this network.
>
> Backscatter reply to a spoofed packet source address?

--
Regards,
    Adriel T. Desautels
    SNOsoft Research Team
Re: [Full-disclosure] Files keep appearing
Stephen,
    I can help you if you are interested. Let me know.

Stephen Johnson wrote:
> I keep having a phishing website appear on my web server. They keep showing up in a Resources folder of one of the sites that I host. I have gone through the logs and I am not seeing any connections. I deleted the files this morning and this evening they re-appeared - no connections were made on my server during that period of time. Also, there are no cron jobs that I noticed that looked out of the ordinary.
>
> I am running MySQL, PHP, Apache2 on a debian linux server.
>
> Any thoughts?

--
Regards,
    Adriel T. Desautels
    Chief Technology Officer
    Netragard, LLC. || http://www.netragard.com
    PGP KEY ID : 0x7B6F2284
    -
    We make IT secure.

*** NOTICE ***
Please do not email sensitive information to this email address using clear text email. Please encrypt all sensitive information prior to transmission. To obtain my PGP key please browse to the URL below.
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x7B6F2284
*** NOTICE ***