SV: [Full-disclosure] msgina.dll
I haven't messed with GINA programming myself, but this will probably help you get some basic understanding of it: http://www.codeproject.com/useritems/GINA_SPY.asp

Jan

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of khaalel
Sent: 21 February 2006 17:03
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] msgina.dll

Hi everybody,

I have to modify the winlogon process for a school project (in order to use a smartcard: I bought some goldcards and javacards). After some time with Google, I found msgina.dll (http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/msgina.mspx) but I don't know how to modify it (I'm a linux and bsd hacker, windows working is a world I visit rarely...). Did someone already work with this dll? I'm looking for some code examples, some tutorials, some help to know how to use a smartcard and not login/password at startup...

Thanks...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] to start a career in security is ccsp(ciscocertified security professional) good enough?
CCSP is a decent place to start, you could take some of the courses and not just the exams, that will get you nowhere I think (technically), other than just getting the certification. Try and get your hands dirty first; I personally spent 4 or 5 years in the industry doing security related setups, firewalls, IDS, VPN, HIPS and so on before going to take the CCSP, and I only did it so my company could achieve Cisco Gold Partner Status, and not really to be able to use it in a technical manner, since I already knew the stuff covered in most of the tests.

Also remember that since this is a Cisco certification, a lot of the stuff will be Cisco related and specific, and some of the basics of VPN/IDS/firewalling will apply to many different vendors' products.

I feel that CISSP is not really the same "track" as CCSP, it has more to do with security practice and overview, methods of analyzing and identifying security issues rather than actual configuration of security equipment.

Just my 2 cents

Regards
Jan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joel Jose
Sent: 7 December 2005 04:03
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] to start a career in security is ccsp(ciscocertified security professional) good enough?

I am an undergraduate student. I will get a BTech, i.e. BS in computer science degree, in 2007. To start a path in security is CCSP good enough? The more advanced ones like CISSP either need experience or are just too expensive... those certifications can come along the way... but to start a career is CCSP OK?... Most others don't have the learning centers in India. I hope that a CCSP will land me a job after graduation... like a part time. AND I can pursue my MS in artificial intelligence... so I will be a security professional as well as an AI practitioner... I have interest in both. I plan to settle abroad... maybe USA or EU

--
As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy. - Christopher Dawson, The Judgment of Nations
RE: [Full-disclosure] Most common keystroke loggers?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nick FitzGerald
Sent: 3 December 2005 00:22
To: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Most common keystroke loggers?

Jan Nielsen to me:

> > Obviously, then, your book does not include the phrase "Halting
> > Problem"...
>
> Sorry, I don't follow you there, you mean that the scan would halt the
> system? fair enough, I don't think any method of scanning a target is
> fool-proof, no matter how it's done.

> Ahh, no...
>
> http://en.wikipedia.org/wiki/Halting_problem

Good to know, I did not know that this dilemma had a name :-)

> It would be _nice_ to do that, but it is an equally fraught problem.
> After all, even if you could entirely reliably programmatically
> determine that the user's system was compromised, you cannot trust any
> response from the system, or that any message you try to send to them
> to alert them to this will not be intercepted by some warez put on the
> system as a result of the compromise...

Good point, I guess I am glad I am not trying to design this system.

> > ... a
> > textmessage/SMS might be wiser.
RE: [Full-disclosure] Most common keystroke loggers?
> That question opens up a whole lotta other questions, really depends on
> what you hope to achieve by doing authentication via a compromised system.
> In my book you should instead try to detect a compromised system and deny
> them access if they are indeed compromised, ...

>Obviously, then, your book does not include the phrase "Halting
>Problem"...

Sorry, I don't follow you there, you mean that the scan would halt the system? Fair enough, I don't think any method of scanning a target is fool-proof, no matter how it's done.

> ... that would be in the end-users
> best interest I think (and of course report your findings to the users
> mailbox or something, don't tell the hacker that you detected his
> keylogger :-)

>And what machines do you think users are most likely to check their
>mail from?

Thanks for pointing that out, but you would want to somehow relay to the person not gaining access why they are not getting in though, a text message/SMS might be wiser.

>And, of course, your suggestion raises a primacy issue -- if you
>actually did detect the user's machine was compromised before they
>logged in and thus prevented allowing the login by not allowing the
>login dialog to be displayed or somesuch (thereby saving the user
>compromising yet more of their data), how in the heck do you know where
>to send the warning mail?
>
>Hm... Methinks you should think more before responding.

Again, somehow they need to know, I don't have any ideas that can't be intercepted on a compromised system, other than SMS/text message or something.

Regards,
Jan

>Regards,
>Nick FitzGerald
RE: [Full-disclosure] Most common keystroke loggers?
That question opens up a whole lotta other questions, really depends on what you hope to achieve by doing authentication via a compromised system. In my book you should instead try to detect a compromised system and deny them access if they are indeed compromised, that would be in the end users' best interest I think (and of course report your findings to the user's mailbox or something, don't tell the hacker that you detected his keylogger :-)

Keyloggers come in quite a few different shapes and sizes, and just detecting the most common ones is not really that future-proof, tomorrow someone will develop another way of hooking into the keyboard buffer, or some other way you never thought of yourself. However the most common ones today would be the ones hooking into the Windows API (not that hard to detect) and the screen capture ones I think (a bit more difficult).

But that really raises the question: is keylogging really the only thing constituting a compromised system? Answer: NO, many other types of software could make your system compromised, so what you need to think about is: what do I want to protect/enforce/check:

- The end user's login information, so that it can't be stolen or re-used?
- The integrity of the transactions, has someone changed the info on its way from the input into the application to the website?
- The identity of the person behind the keyboard, is the user who you think he is?

That might help you in deciding what stuff you need to develop/implement.

Hope this helps a bit :-)

Jan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Shannon Johnston
Sent: 1 December 2005 18:25
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Most common keystroke loggers?

Hi All,

I'm looking for input on what you all believe the most common keystroke loggers are. I've been challenged to write an authentication method (for a web site) that can be secure while using a compromised system.

Thanks,
Shannon
RE: [Full-disclosure] Suggestion for IDS
Hi Paul

Can I ask what you were doing that a PIX could not handle NAT-wise? Just wondering since I have done very extensive and complex NAT'ing in PIXes from 506's up to 535's without any performance problems.

Jan

-----Original Message-----
From: Paul Schmehl [mailto:[EMAIL PROTECTED]
Sent: 28 September 2005 17:49
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Suggestion for IDS

--On Wednesday, September 28, 2005 11:37:38 -0400 [EMAIL PROTECTED] wrote:

> On Wed, 28 Sep 2005 07:01:34 EDT, "J. Oquendo" said:
>
>> While I do agree with the statement made "Quite frankly, anybody who
>> already has a PIX installed and wants to install an IPS needs to quantify
>> *exactly* what protection the PIX is failing to provide before they go
>> shopping for anything" to a degree, I also disagree with that statement
>> since it alludes to the thinking that solely a PIX will save your ass. It
>> won't, nor will any other firewall, nor will any other product combined
>> with any OTHER product and so on.
>
> Obviously, the original poster isn't thinking that a PIX will save their
> ass, because they're in the market for something in addition :)
>
> They should be figuring out *why* they need more protection (quite
> frankly, for many places, a *properly configured and maintained* PIX is
> quite sufficient),

Not only was the PIX (for us) not sufficient, it wasn't robust enough. We're ditching our PIXes for OpenBSD and pf. If you NAT a lot, PIX can't handle the load. It also isn't flexible enough.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
RE: [Full-disclosure] Cisco IOS hacked?
So does anybody know if this was just a bag of hot air or what? I would think this would have gotten more attention in the community if something like a cross-platform worm for Cisco devices was designed.

Jan

-----Original Message-----
From: ciscoioshehehe [mailto:[EMAIL PROTECTED]
Sent: 19 September 2005 08:52
To: full-disclosure@lists.grok.org.uk
Cc: bugtraq@Securityfocus.com
Subject: [Full-disclosure] Cisco IOS hacked?

today news on SecurityLab.ru (only in russian): http://www.securitylab.ru/news/240415.php

* break CRC on CISCO IOS
* Design mechanism of cross-platform worm for IOS device.
* Run IRC server on 2600 CISCO.
* Found more vulnerabilities in EIGRP protocol.

and some more...

Online translate from Russian: http://www.translate.ru/url/tran_url.asp?lang=ru&url=http%3A%2F%2Fwww.securitylab.ru%2Fnews%2F240415.php&direction=re&template=General&cp1=NO&cp2=NO&autotranslate=on&transliterate=on&psubmit2.x=45&psubmit2.y=17
RE: [Full-disclosure] RE: Example firewall script
I think the rules explained here are not intended to be actual rules in a firewall, but more of a way to explain what is secure and what is not, correct me if I'm wrong. Oh and btw, ACLs ARE used in CBAC (Cisco IOS FW), they are just a tad more intelligently created than in a regular ACL.

Jan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 27 August 2005 18:42
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] RE: Example firewall script

ORIGINAL MESSAGE:
-----------------
Date: Sat, 27 Aug 2005
From: "Exibar"
Subject: Example firewall script

> The absolute worst Firewall rule
> you can have:
>
>   Allow ANY ANY
>
> The best:
>
>   Deny ANY ANY

REPLY:
------
Actually, that's not true. I would agree that as a general rule of thumb you should have a deny statement at the end of every ACL. In fact, Cisco places an implicit DENY ANY ANY at the end of their ACLs automatically. However, Access Control Lists are not firewalls. Yes, we use them as firewalls, but that's not what they are. ACLs ARE TRAFFIC SHAPING DEVICES. As traffic shaping devices, they can be used for security, but they are also used for management purposes. For instance; many Autonomous Systems are multi-homed. There are decisions to be made about how traffic will flow in and out of the AS. You also have to decide if you wish to be a transit AS or not. ACLs are the tool that you use to control your traffic.

While an ACL being used as a security device should have a deny statement at the end, proper construction of the ACL is more about following the proper construction rules. This is actually a huge subject, far too big for an individual e-mail to a list. But there are some basic rules to keep in mind: ACLs analyze traffic from top to bottom, so keep your most specific entries at the top, with more general entries near the bottom; and do your "permits" before your "denys". That means you deal with hosts first, then subnets, then networks, and at each level you have your permit statements before your deny statements. The reason for this is because once a packet matches a line, it's dealt with right then and there. You don't want to have a packet thrown away just before a line that would have permitted it. There are also issues of what KIND of ACL to use and where to place them; Inbound or Outbound.

In terms of the original question, the only difference between a "good" line item or a "bad" line item is whether or not the syntax is correct. The only difference between a "good" ACL and a "bad" ACL is whether or not its structure is properly designed and whether or not it's placed in the proper location. This subject REALLY calls for a book, not an e-mail response. I've said very little in this post and look at all the room it took up.

++
mail2web - Check your email from the web at http://mail2web.com/ .
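The top-to-bottom, first-match evaluation described in the reply above, as an added example that is not part of the original message: a small Python model of an access list in which entry order decides the outcome, plus a check that flags entries an earlier, broader line has made unreachable. The rule syntax, the sample addresses and the function names (`parse_acl`, `evaluate`, `shadowed_entries`) are constructed for illustration; the fall-through to "deny" mirrors the implicit deny the message attributes to Cisco ACLs.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network    # a /32 models a 'host' entry

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        return addr in self.source


def parse_acl(text: str) -> List[AclEntry]:
    """Parse lines of the form '<permit|deny> <host-or-cidr>'; text after '!'
    is a comment, as in IOS. Order is preserved because order is the point."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.split("!", 1)[0].strip()
        if not line:
            continue
        action, src = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in ACL line: {raw!r}")
        entries.append(AclEntry(action, ipaddress.ip_network(src, strict=False)))
    return entries


def evaluate(acl: List[AclEntry], addr: str) -> Tuple[str, Optional[int]]:
    """First match wins and evaluation stops there. A packet that matches
    nothing falls through to the implicit 'deny any any' at the end of every
    list, reported here as index None."""
    ip = ipaddress.ip_address(addr)
    for index, entry in enumerate(acl):
        if entry.matches(ip):
            return entry.action, index
    return "deny", None


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that can never fire because an earlier entry already
    covers their whole source range: dead lines, and usually a sign that a
    specific host or subnet was placed below something more general."""
    return [i for i, later in enumerate(acl)
            if any(later.source.subnet_of(earlier.source) for earlier in acl[:i])]


# Constructed sample: one admin host inside a lab subnet that is otherwise
# blocked, with the lab subnet inside a site network that is allowed.
# Host, then subnet, then network, as the message recommends.
GOOD_ORDER = """
permit 10.1.2.7/32     ! the host first
deny   10.1.2.0/24     ! then the subnet it lives in
permit 10.0.0.0/8      ! then the network
"""

# Same three entries with the first two swapped: the subnet deny now sits
# above the host permit, so the host's packet is thrown away one line early
# and the permit written for it can never be reached.
BAD_ORDER = """
deny   10.1.2.0/24
permit 10.1.2.7/32
permit 10.0.0.0/8
"""
```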
RE: [Full-disclosure] Zotob Worm Remover
Todd, I would have to disagree with you on this issue, patching in my book is not any kind of definite answer to these types of problems, endpoint behaviour security is something that I lean more towards. This would enable you to define a set of generic behavioural patterns for processes running on your machine, and would be a much better defence against things you don't know about yet.

I myself have an agent with a few basic O/S rules like:

- No application may write other applications' memory space
- No application may inject code into other programs (dll hooks and such)
- No application may access system functions from code executing in data or stack space
- No application may capture keystrokes

This does quite a bit to protect my laptop from unknown attacks, since in my findings, this is the way most (if not all) attacks enter a host. I would tell you what software I use but that would make this more of a sales bulletin than an actual security related opinion.

just my 2 cents

Jan

-----Original Message-----
From: Todd Towles [mailto:[EMAIL PROTECTED]
Sent: 22 August 2005 22:22
To: Ron DuFresne
Cc: full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Zotob Worm Remover

This is correct for the first day, maybe two. Then unpatched laptops leave the corporate network, hit the internet outside the firewall and then bring the worm back right to the heart of the network the very next day, bypassing the firewall all together. Firewall is just one step..it isn't a solve all. Patching would be the only way to stop this threat in all vectors. That was my point. If you aren't blocking 445 on the border of your network, you have much worse problems with Zotob.

> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]
> Sent: Monday, August 22, 2005 3:15 PM
> To: Todd Towles
> Cc: n3td3v; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Zotob Worm Remover
>
> On Mon, 22 Aug 2005, Todd Towles wrote:
>
> > Wireless really isn't an issue. You can get a worm from a cat 5 as easy
> > as you can from wireless. The problem was they weren't patched. Why
> > weren't they patched? Perhaps Change policy slowed them down, perhaps
> > it was the fear of broken programs..perhaps it was the QA group..it
> > doesn't really matter. They got the worm because they were not patched.
>
> And because they didn't properly filter port 445 is my understanding.
> Unpatched systems behind FW's that filter 445 were untouched.
>
> Thanks,
>
> Ron DuFresne
> --
> "Sometimes you get the blues because your baby leaves you.
> Sometimes you get'em 'cause she comes back." --B.B. King
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
RE: [Full-disclosure] Disney Down?
I have been running the virus on my VMware XP SP1 with a software package on it called Cisco Security Agent, sort of a HIDS package which I basically have set up to log all system events to file/API/memory/network functions without blocking them. For those who are interested the log is here: http://www.boyakasha.dk/virusevents.log

Regards
Jan

-----Original Message-----
From: Jan Nielsen [mailto:[EMAIL PROTECTED]
Sent: 17 August 2005 17:36
To: 'full-disclosure@lists.grok.org.uk'
Subject: RE: [Full-disclosure] Disney Down?

I was at a customer today with this problem, initially their network was acting up and some ppl couldn't logon to the servers in the morning. We found the file "kilo.exe" on some machines that apparently had not been patched, one thing I noticed while running this file on a VMware XP SP1 is that it connects to an IRC server @ 61.220.217.49 on port 4128 and logs in to it with password: 146751dhzx

Then it sets a few commands:

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one thing in my sniffer trace that got me a bit worried, this is a packet sent from the infected PC to the IRC server:

0000  00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010  00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020  d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030  3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040  30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050  20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060  0a                                               .

Anyone know what this could be?

Regards
Jan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 August 2005 00:54
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Disney Down?

A buddy of mine whose fiance works for Disney just told me that they have sent everyone home for the day. When I say everyone I mean, Disney Land, Disney World, Disney Corporate, etc... He's not sure what the virus is called but it's apparently very nasty. Anyone have any more info on this?
RE: [Full-disclosure] Disney Down?
Yes I noticed that, what I am wondering is if the msg sent is to indicate that the local user password is weak in some way? Does anyone know this ntscan util? Is it maybe a part of the RBOT design or something, I have run it through the IDA 4.8 disassembler and the functions imported correspond to the ones I have seen, so I don't think there are any unpleasant surprises hidden within the program, but still it would be nice to know if this somehow is compromising some credentials on the customer's installed base?

Jan

-----Original Message-----
From: John Smith [mailto:[EMAIL PROTECTED]
Sent: 17 August 2005 17:41
To: Jan Nielsen
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Disney Down?

I joined said IRC channel, and the topic is ".ntscan 100 120 -a -b" so it appears to be joining the channel and getting parameters for this "ntscan program"

--M

Jan Nielsen wrote:
> I was at a customer today with this problem, initially their network was
> acting up and some ppl couldn't logon to the servers in the morning.
> We found the file "kilo.exe" on some machines that apparently had not
> been patched, one thing I noticed while running this file on a VMware XP
> SP1 is that it connects to an IRC server @ 61.220.217.49 on port 4128
> and logs in to it with password: 146751dhzx
> Then it sets a few commands:
>
> JOIN #100+
> MODE #100+ +nts
>
> Which for an RBOT virus in itself is nothing special, but I noticed one
> thing in my sniffer trace that got me a bit worried, this is a packet
> sent from the infected PC to the IRC server:
>
> 0000  00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
> 0010  00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
> 0020  d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
> 0030  3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
> 0040  30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
> 0050  20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
> 0060  0a                                               .
>
> Anyone know what this could be?
>
> Regards
> Jan
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: 17 August 2005 00:54
> To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] Disney Down?
>
> MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)
>
> Trend Micro: WORM_RBOT.CBQ -
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
> Symantec: Win32.Zotob.E
> McAfee: exploit-dcomrpc
> Kaspersky: Net-Worm.Win32.Small.d
>
> This is what is on CNN right now.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] on behalf of David Wilde
> Sent: Tue 8/16/2005 5:13 PM
> To: full-disclosure@lists.grok.org.uk
> Subject: [Full-disclosure] Disney Down?
>
> A buddy of mine whose fiance works for Disney just told me that they
> have sent everyone home for the day. When I say everyone I mean,
> Disney Land, Disney World, Disney Corporate, etc... He's not sure
> what the virus is called but it's apparently very nasty. Anyone have
> any more info on this?
RE: [Full-disclosure] Disney Down?
I was at a customer today with this problem, initially their network was acting up and some ppl couldn't logon to the servers in the morning. We found the file "kilo.exe" on some machines that apparently had not been patched, one thing I noticed while running this file on a VMware XP SP1 is that it connects to an IRC server @ 61.220.217.49 on port 4128 and logs in to it with password: 146751dhzx

Then it sets a few commands:

JOIN #100+
MODE #100+ +nts

Which for an RBOT virus in itself is nothing special, but I noticed one thing in my sniffer trace that got me a bit worried, this is a packet sent from the infected PC to the IRC server:

0000  00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010  00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020  d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030  3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040  30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050  20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060  0a                                               .

Anyone know what this could be?

Regards
Jan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 17 August 2005 00:54
To: [EMAIL PROTECTED]; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] Disney Down?

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ - http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

This is what is on CNN right now.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of David Wilde
Sent: Tue 8/16/2005 5:13 PM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Disney Down?

A buddy of mine whose fiance works for Disney just told me that they have sent everyone home for the day. When I say everyone I mean, Disney Land, Disney World, Disney Corporate, etc... He's not sure what the virus is called but it's apparently very nasty. Anyone have any more info on this?
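The packet in the post above, decoded as an added example that is not part of the original thread: the hex column of the dump is rebuilt into bytes, the Ethernet, IPv4 and TCP headers are walked to recover the endpoints, TTL and flags, the IPv4 header checksum is verified to confirm the dump survived the archive intact, and the IRC line is split into command, channel and text. Only the hex bytes come from the post; the ASCII column was re-derived from them, and the function names are assumptions of this example.

```python
import re
import struct
from typing import Dict

# Hex bytes of the packet shown in the post, with a 0000 offset added to the
# first row. Only the offset and hex columns are parsed; the ASCII column is
# ignored, so whatever mangling it suffered in the archive does not matter.
DUMP = """
0000  00 06 53 2b f8 b1 00 0c 29 ce 67 a3 08 00 45 00  ..S+....).g...E.
0010  00 53 a0 9b 40 00 80 06 1e 46 c0 a8 64 0d 3d dc  .S..@....F..d.=.
0020  d9 31 07 13 10 20 22 0c d2 5b 13 95 d8 ee 50 18  .1... "..[....P.
0030  3f 31 fe 93 00 00 50 52 49 56 4d 53 47 20 23 31  ?1....PRIVMSG #1
0040  30 30 2b 20 3a 5b 02 4e 54 53 63 61 6e 02 5d 3a  00+ :[.NTScan.]:
0050  20 57 65 61 6b 70 61 73 73 77 6f 72 64 2e 2e 0d   Weakpassword...
0060  0a                                               .
"""

TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                 ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset  xx xx ...  ascii' rows. Columns are
    split on two or more spaces, so the ASCII column never reaches fromhex."""
    out = bytearray()
    for line in dump.strip().splitlines():
        columns = re.split(r"\s{2,}", line.strip())
        offset, hexcol = int(columns[0], 16), columns[1]
        if offset != len(out):                 # rows must be contiguous
            raise ValueError(f"offset {offset:#06x} but {len(out)} bytes so far")
        out += bytes.fromhex(hexcol)
    return bytes(out)


def ipv4_header_checksum_ok(ip_header: bytes) -> bool:
    """Ones-complement sum of the header words (checksum included) folds to
    0xFFFF for an intact header; a dropped or mistyped byte fails here."""
    total = sum(struct.unpack(f"!{len(ip_header) // 2}H", ip_header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(frame: bytes) -> Dict[str, object]:
    """Walk Ethernet II -> IPv4 -> TCP: endpoints, TTL, flags, payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4 (ethertype {ethertype:#06x})")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IP header length, bytes
    total_len = struct.unpack("!H", ip[2:4])[0]   # IP header + TCP segment
    ttl, proto = ip[8], ip[9]
    if proto != 6:
        raise ValueError(f"not TCP (protocol {proto})")
    tcp = ip[ihl:total_len]
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4              # TCP header length, bytes
    return {
        "src": f"{'.'.join(map(str, ip[12:16]))}:{src_port}",
        "dst": f"{'.'.join(map(str, ip[16:20]))}:{dst_port}",
        "ttl": ttl,
        "ip_checksum_ok": ipv4_header_checksum_ok(ip[:ihl]),
        "flags": [name for name, bit in TCP_FLAG_BITS if off_flags & bit],
        "payload": tcp[data_off:],
    }


def parse_irc_line(payload: bytes) -> Dict[str, str]:
    """Split 'COMMAND target :trailing' and drop the 0x02 bold markers the
    bot wraps around its [NTScan] tag."""
    line = payload.rstrip(b"\r\n").decode("latin-1")
    command, target, trailing = line.split(" ", 2)
    text = trailing[1:] if trailing.startswith(":") else trailing
    return {"command": command, "target": target, "text": text.replace("\x02", "")}


def analyse(dump: str = DUMP) -> Dict[str, object]:
    """End to end: dump text -> decoded headers -> parsed IRC message."""
    info = decode_frame(hexdump_to_bytes(dump))
    info["irc"] = parse_irc_line(info["payload"])
    return info
```

Run against the dump it reports the infected host's ephemeral port talking to port 4128 on 61.220.217.49 with PSH/ACK, a TTL of 128 (a Windows default), a valid header checksum, and the channel message the post asks about.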
RE: [Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K
Perhaps the next phase of the virus is a phishing attack to get people to go to a local webserver initiated by the virus to capture login/credentials from those sites?

Jan

-----Original Message-----
From: Andrew Smith [mailto:[EMAIL PROTECTED]
Sent: 15 August 2005 17:27
To: Mike
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Virus Outbreak Attacking MS05-039 WIN2K

Can anyone explain why this virus chooses to block ebay, amazon and paypal? This seems foolish if the intention is to remain on the compromised host un-noticed.