Re: [Full-disclosure] Austin Decking 512-385-5334 Austindecking wholesale

2006-11-14 Thread ragdelaed
From the original header:
Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP;
Tue, 14 Nov 2006 00:46:24 PST
Date: Tue, 14 Nov 2006 00:46:24 -0800 (PST)
From: William Stanley <[EMAIL PROTECTED]>
To: full-disclosure@lists.grok.org.uk

194.24.158.16 is not lumbermax.com, it’s a box in Austria. 

If I were a spammer, it would be easy to sub a known blacklisted spammer to
try and hide my point of origin. 

"William Stanley" is the real spammer and he used a box in Austria or
"William Stanley" has nothing to do with this and someone else used a box in
Austria.

Always look for the source. Since the 194.24.158.16 address is recorded in
the header by the webmail yahoo box, I would probably say the 194.24.158.16
address is not forged. That is the originating address of this email.

Don’t believe anything else below it unless you actually sent it. It can be
forged.

And did you scan lumbermax.org from inside Archbishop Alter High School? If
so, be very careful about doing that. The high school administration may not
appreciate you scanning a legit company from inside their domain. And don't
explore any of the open ports from inside the high school. 

But then again, you are listed as the high school's network engineer, so I
guess you would be the point of contact if lumbermax.com has an issue,
correct?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David
Swafford
Sent: Tuesday, November 14, 2006 9:07 AM
To: full-disclosure@lists.grok.org.uk; William Stanley
Subject: Re: [Full-disclosure] Austin Decking 512-385-5334 Austindecking
wholesale

Golden...
 
NMAP shows the following (lumbermax.com):
21/TCP - OPEN - FTP
22/TCP - OPEN - SSH
25/TCP - OPEN - SMTP
53/TCP - OPEN - DOMAIN
80/TCP - OPEN - HTTP
110/TCP - OPEN - POP3
111/TCP - OPEN - RPCBIND
135/TCP - FILTERED - MSRPC
137/TCP - FILTERED - NETBIOS-NS
138/TCP - FILTERED - NETBIOS-DGM
139/TCP - FILTERED - NETBIOS-SSN
143/TCP - OPEN - IMAP
443/TCP - OPEN - HTTPS
445/TCP - FILTERED - MICROSOFT-DS
593/TCP - FILTERED - HTTP-RPC-EPMAP
631/TCP - OPEN - IPP
3306/TCP - OPEN - MYSQL
 
 
- Running Apache 2.052 (so there are some exploitable flaws here as current
ver is 2.059).  It's running on a CENTOS box and the apache error says the
domain is LYFE-CARD.com
- The SMTP services are Sendmail 8.13.1
 
 

 
David A. Swafford, Network Engineer
Information Technology Team
Archbishop Alter High School
 
EC-Council Certified Ethical Hacker
 
A Cisco Systems, Inc., Certified Network Associate (CCNA) 
and a CompTIA Network+ and Security+ Certified Professional




___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
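The header-reading rule in ragdelaed's reply above (the Received line written by the webmail server is trustworthy, everything below it can be forged) as runnable code. This is an added example and not part of the original thread: the message, the hop hostnames, the sender address and the trusted-relay list are constructed for the example; only the yahoo webmail hop mirrors the line quoted in the thread.

```python
import re
from email import message_from_string
from typing import Dict, List, Optional

# Constructed sample, not the original list mail. The middle Received line mirrors the
# yahoo webmail hop quoted in the thread; the other hops, hostnames and addresses are
# made up (documentation IP ranges, example.* names, placeholder sender).
SAMPLE_MAIL = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5]) by lists.example.org with ESMTP; Tue, 14 Nov 2006 09:10:00 +0000
Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP; Tue, 14 Nov 2006 00:46:24 PST
Received: from lumbermax.com (lumbermax.com [198.51.100.7]) by forged.example; Mon, 13 Nov 2006 22:00:00 +0000
From: William Stanley <sender@example.com>
To: full-disclosure@lists.grok.org.uk
Subject: constructed test message

body
"""

# Hosts whose Received lines we trust: our own list server plus the webmail provider's
# relays. Assumed for the example; a real deployment lists its own MTAs here.
TRUSTED_RECORDERS = ("lists.example.org", "yahoo.com")

# "from <host-or-[ip]> (optional comment) by <host>" -- the 'by' host wrote the line.
_HOP_RE = re.compile(r"from\s+(?P<from>\S+(?:\s+\([^)]*\))?)\s+by\s+(?P<by>[^\s;]+)")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_mail: str) -> List[Dict[str, Optional[str]]]:
    """Return the Received hops top-down: latest hop first, earliest (sender side) last."""
    msg = message_from_string(raw_mail)
    hops = []
    for header in msg.get_all("Received", []):
        m = _HOP_RE.search(str(header))
        if not m:
            continue
        ip = _IP_RE.search(m.group("from"))
        hops.append({"from": m.group("from"),
                     "ip": ip.group(1) if ip else None,
                     "by": m.group("by")})
    return hops


def _trusted(host: str) -> bool:
    host = host.lower()
    return any(host == t or host.endswith("." + t) for t in TRUSTED_RECORDERS)


def originating_ip(raw_mail: str) -> Optional[str]:
    """Walk Received lines from the top. Each line was written by its 'by' host; while
    that host is one we trust, the 'from' address it recorded is genuine. The first
    line written by a host we do not trust, and everything below it, was under the
    sender's control and may be forged, so stop there. The last trusted 'from' is the
    originating address."""
    origin = None
    for hop in parse_received(raw_mail):
        if not _trusted(hop["by"]):
            break
        origin = hop["ip"] or origin
    return origin


if __name__ == "__main__":
    for hop in parse_received(SAMPLE_MAIL):
        print("from %-45s by %s" % (hop["from"], hop["by"]))
    print("originating address:", originating_ip(SAMPLE_MAIL))
```

Running it on the constructed message stops at the `forged.example` hop and reports 194.24.158.16, the address the yahoo webmail host recorded; the lumbermax.com line beneath it is never consulted. The trust list is the whole method: a hop is believed only because of who wrote it, never because of what it says.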


Re: [Full-disclosure] ISA Server 2004 Log Manipulation

2006-05-04 Thread ragdelaed
3 days at 600 per second non stop = 86400 sec/day * 600 = 51 840 000 
attempts.


after 51.8 million tries, the product was able to inject the numbers 
1,2,3 into a parameter into a log that many see as non-critical. and it 
looks like you tried 1,2,3,4 but it only did 1,2,3.


c'mon. log manipulation should mean more than that, shouldn't it? h.

beSIRT wrote:

Discovered by: Noam Rathaus using the beSTORM fuzzer.
Reported to vendor: December, 2005.
Vendor response: Microsoft does not consider this issue to be a security 
vulnerability.


Public release date: 4th of May, 2006.
Advisory URL: 
http://www.beyondsecurity.com/besirt/advisories/042006-001-ISA-LM.txt


Introduction

There is a Log Manipulation vulnerability in Microsoft ISA Server 2004, which 
when exploited will enable a malicious user to manipulate the Destination 
Host parameter of the log file.


Technical Details
-----------------
By sending the following request to the server:
GET / HTTP/1.0
Host: %01%02%03%04
Transfer-Encoding: whatever

We were able to insert arbitrary characters, in this case the ASCII characters
1, 2, 3 (respectively) into the Destination Host parameter of the log file.

This has been found after 3 days of running the beSTORM fuzzer at 600+ 
Sessions per Second while monitoring the ISA Server log file for problems.


About ISA Server 2004
---------------------
"Microsoft Internet Security and Acceleration (ISA) Server 2004 is the 
advanced stateful packet and application-layer inspection firewall, virtual 
private network (VPN), and Web cache solution that enables enterprise 
customers to easily maximize existing information technology (IT) investments 
by improving network security and performance."


Product URL: http://www.microsoft.com/isaserver/default.mspx

--
beSIRT - Beyond Security's Incident Response Team
[EMAIL PROTECTED]

www.BeyondSecurity.com

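What the beSIRT request does to a log field that is written unescaped, the write-time escaping that prevents it, and an after-the-fact check over stored lines. This is an added example and not part of the advisory or of ragdelaed's reply: the space-separated log layout, the field names and the sample lines are constructed for the example, and nothing here models ISA Server's own log writer.

```python
import re
import urllib.parse
from typing import Callable, List

# C0 control bytes (including TAB, LF, CR) and DEL: none of these may reach a text log raw.
CONTROL_BYTES = frozenset(range(0x00, 0x20)) | {0x7F}
EXPECTED_FIELDS = 4  # constructed log layout: client-ip host method path


def decode_host_header(raw_host: str) -> bytes:
    """Percent-decode a Host header value the way a proxy that normalizes it would,
    so %01%02%03%04 becomes the bytes 1, 2, 3, 4."""
    return urllib.parse.unquote_to_bytes(raw_host)


def vulnerable_log_field(value: bytes) -> str:
    """Unsafe writer: emits the bytes as received, so control characters land in the log."""
    return value.decode("latin-1")


def safe_log_field(value: bytes) -> str:
    """Hardened writer: escapes controls, non-ASCII, the field separator (space),
    quotes and backslash, so one request always yields one line with fixed fields."""
    out = []
    for c in value:
        if c in CONTROL_BYTES or c >= 0x80 or c in (0x20, 0x22, 0x5C):
            out.append("\\x%02x" % c)
        else:
            out.append(chr(c))
    return "".join(out)


def render_log_line(client_ip: str, raw_host: str,
                    field_fn: Callable[[bytes], str]) -> str:
    """One access-log record for a GET / with the given Host header."""
    return "%s %s GET /" % (client_ip, field_fn(decode_host_header(raw_host)))


_RAW_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def find_tampered_lines(log_text: str) -> List[int]:
    """Detection over stored lines: flag raw control bytes (the advisory's case) and
    lines whose field count is off (a CR/LF injected into a field splits a record).
    Returns 1-based line numbers."""
    flagged = []
    for n, line in enumerate(log_text.split("\n"), 1):
        if not line:
            continue
        if _RAW_CONTROL.search(line) or len(line.split(" ")) != EXPECTED_FIELDS:
            flagged.append(n)
    return flagged


# Constructed sample log, not ISA Server output. Line 2 carries the advisory's bytes
# raw; line 3 is a host field that contained a newline, which produced line 4 as a
# second, forged-looking record.
SAMPLE_LOG = (
    "198.51.100.20 www.example.com GET /\n"
    "198.51.100.21 \x01\x02\x03 GET /\n"
    "198.51.100.22 evil.example\n"
    "203.0.113.9 admin.example.com GET /\n"
)

if __name__ == "__main__":
    print(repr(render_log_line("198.51.100.1", "%01%02%03%04", vulnerable_log_field)))
    print(repr(render_log_line("198.51.100.1", "%01%02%03%04", safe_log_field)))
    print("tampered lines:", find_tampered_lines(SAMPLE_LOG))
```

The detector flags line 2 for the raw control bytes and line 3 for its short field count, but line 4 passes, which is the point: once a newline has been written raw, the stored log can no longer prove which records are real. Escaping at write time, as `safe_log_field` does, is the fix; scanning afterwards only tells you that you needed it.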


Re: [Full-disclosure] A Move to Remove

2006-03-31 Thread ragdelaed
you may not agree or like n3td3v, but the right to post regardless of
content belongs to everyone. the right to filter also belongs to
everyone. let n3td3v be.

Edward Pearson wrote:

Guys,

Please don't turn this into spam/flame/troll. This is a quick note to say,
would all those who'd like n3td3v (the world's greatest hacker and legend in
his own mind) to unsubscribe from this list, and not post again, please make
it known.

Thanks

Ed
