Re: [Full-disclosure] what is this?

2008-01-18 Thread worried security
On Jan 18, 2008 5:44 PM, Fredrick Diggle <[EMAIL PROTECTED]> wrote:
> Hear that H.D.? While analyzing security for UT Dallas, Paul came to
> the conclusion that you suck...

Do you really think HD Moore gives a crap what you say or what Paul from
Dallas says? Get a f***ing grip and stop trying to raise tensions on
the list to provoke high-profile hackers into getting involved in your jail
bait.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] what is this?

2008-01-18 Thread Fredrick Diggle
Hear that H.D.? While analyzing security for UT Dallas, Paul came to
the conclusion that you suck...

On Jan 17, 2008 5:32 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On Thursday, January 17, 2008 15:16:30 -0600 Fredrick Diggle
> <[EMAIL PROTECTED]> wrote:
>
> > Seems to Fredrick Diggle that if you are any good at your job you
> > should be thanking the sheltered research corner for keeping you in
> > mustache wax.
>
> That's about the funniest thing I've ever read.  If every researcher on the
> planet died tomorrow, it wouldn't change the attack matrix one bit.  We'd still
> get hammered with the same crap we get hammered with now.  We just wouldn't
> have to put up with all the snarky "up smarter than you" crap from
> "researchers".
>
> Besides, the intelligent ones are on this list anyway.  They're busy actually
> *doing* research.
>
> --
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>



Re: [Full-disclosure] what is this?

2008-01-17 Thread Paul Schmehl
--On Thursday, January 17, 2008 15:16:30 -0600 Fredrick Diggle 
<[EMAIL PROTECTED]> wrote:

> Seems to Fredrick Diggle that if you are any good at your job you
> should be thanking the sheltered research corner for keeping you in
> mustache wax.

That's about the funniest thing I've ever read.  If every researcher on the 
planet died tomorrow, it wouldn't change the attack matrix one bit.  We'd still 
get hammered with the same crap we get hammered with now.  We just wouldn't 
have to put up with all the snarky "up smarter than you" crap from 
"researchers".

Besides, the intelligent ones are on this list anyway.  They're busy actually 
*doing* research.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] what is this?

2008-01-17 Thread Valdis . Kletnieks
On Wed, 16 Jan 2008 23:44:19 -0300, damncon said:
> your comments are so fucking shitty, the articles you write are so
> fucking useless (Web Server Botnets and Server Farms as Attack
> Platforms), DONT YOU GET FUCKING TIRED OF ALWAYS TALKING ABOUT THE
> SAME BLABLABLA BOTNETDDOSRFI SHIT?

One of my co-workers has a rubber stamp that says "I told you about this in
19__", which is still seeing use.

Quite frankly, many of us in the security industry get *tired* of always
talking about the "same blah blah shit".  It's why I stopped contributing
to the SANS/FBI Top 20 list every year - industry-wide, the *same exact
problems* were still the biggest issues.  But it's very much the lose-lose
proposition - if we keep talking about the *same* issues, we're flamed about
it, and when we try to raise awareness of an actual *new* issue, we're accused
of grandstanding.

Also, you have to remember that in many cases, we need to get the attention
of Corporate Suits - and unless it gets said forty-leven times, they don't
notice.





Re: [Full-disclosure] what is this?

2008-01-17 Thread Valdis . Kletnieks
On Thu, 17 Jan 2008 15:16:30 CST, Fredrick Diggle said:
> mustache wax. If you inform your clients of the realistic risks
> involved then you also must realize that very few researchers are
> actually finding the types of bugs which keep your clients scared
> enough to hire you 

I'm not worried about being unemployed - there's literally a quarter acre of
raised-floor server room across the hallway, and plenty to keep our crew of
sysadmins busy for years to come.  If I end up spending less time doing
security, that just means I'll have more time to work on other things like
performance monitoring and tuning, backups (when you have enough disk that your
*incremental* backups run to several terabytes a night, it's decidedly
non-trivial), network storage, and other fun stuff...




Re: [Full-disclosure] what is this?

2008-01-17 Thread Fredrick Diggle
Seems to Fredrick Diggle that if you are any good at your job you
should be thanking the sheltered research corner for keeping you in
mustache wax. If you inform your clients of the realistic risks
involved then you also must realize that very few researchers are
actually finding the types of bugs which keep your clients scared
enough to hire you o.0. Fredrick Diggle thinks you owe someone an
apology.

Also, we should all put a description of our jobs on here like Valdis
has so graciously started. That way we will all know who we are
dealing with. Fredrick Diggle will start.

Fredrick's job is to primarily clean the primate cages but also he is
allowed to feed the chimps, train the babies to do backflips for
grapes (monkeys love grapes), and teach the older ones to search for
web vulns (The zoo doesn't know but he is building an army of monkey
hackers). Sometimes he is also asked to brush the hippopotamus' teeth,
but Fredrick tends to get angry and throw things when he is forced to
do that because no matter how much you brush you just can't get rid of
the smell (interesting fact: hippos have bad breath).

YAY!

On Jan 17, 2008 2:36 PM,  <[EMAIL PROTECTED]> wrote:
> On Wed, 16 Jan 2008 20:41:21 CST, reepex said:
>
> > Woah, Paul, are you talking about stuff you do not know about again? [1] You
> > like to butt in on conversations. And how do you know that this virus has been
> > put in VirusTotal? Maybe it is new. Most people with decent RE skill
> > (unlike you and Gadi),
>
> It might come as quite the shock to you in your sheltered corner of the
> security community, but many of us have jobs and roles in the community that
> don't directly involve either creating exploits or doing RE.  For instance,
> I will cheerfully admit that I suck at writing exploits, and I'm not the
> world expert on RE.  On the other hand, that's OK, because that's not my
> job.  My job is to answer questions like "What is our exposure if somebody
> has an exploit for bug #19345" and "What can we do to minimize the damage if
> somebody in the VP's office gets hit with the FooBar trojan?" and other
> similar "How do we keep our 30,000 users out of trouble?" questions.
> And to answer those sorts of questions doesn't take a lot of writing/RE
> knowledge, but it *does* require understanding things like "escalating
> privilege" (if attacker has X, can they get to Y?), auditing (how do we
> know if an attacker did or didn't get Y), deployment issues (how
> do you get 30,000 users to patch against something, when you don't have
> administrative control over their boxes), and social engineering (what you
> resort to when you can't find other ways to get the users to patch :)
>


Re: [Full-disclosure] what is this?

2008-01-17 Thread Valdis . Kletnieks
On Wed, 16 Jan 2008 20:41:21 CST, reepex said:

> Woah, Paul, are you talking about stuff you do not know about again? [1] You
> like to butt in on conversations. And how do you know that this virus has been
> put in VirusTotal? Maybe it is new. Most people with decent RE skill
> (unlike you and Gadi),

It might come as quite the shock to you in your sheltered corner of the
security community, but many of us have jobs and roles in the community that
don't directly involve either creating exploits or doing RE.  For instance,
I will cheerfully admit that I suck at writing exploits, and I'm not the
world expert on RE.  On the other hand, that's OK, because that's not my
job.  My job is to answer questions like "What is our exposure if somebody
has an exploit for bug #19345" and "What can we do to minimize the damage if
somebody in the VP's office gets hit with the FooBar trojan?" and other
similar "How do we keep our 30,000 users out of trouble?" questions.
And to answer those sorts of questions doesn't take a lot of writing/RE
knowledge, but it *does* require understanding things like "escalating
privilege" (if attacker has X, can they get to Y?), auditing (how do we
know if an attacker did or didn't get Y), deployment issues (how
do you get 30,000 users to patch against something, when you don't have
administrative control over their boxes), and social engineering (what you
resort to when you can't find other ways to get the users to patch :)





Re: [Full-disclosure] what is this?

2008-01-17 Thread reepex
And what exactly does Gadi Evron know, and what ... original research ... has
he ever done?

And your second paragraph makes no sense and is not related to the topic.
You sound like Paul at UT Dallas.

On 1/16/08, scott <[EMAIL PROTECTED]> wrote:
>
> Not to mention that Gadi Evron knows more than all of these wanna-bes
> put together!
>
> I guess the new world order of cyberpunks is just really intolerant of
> ideas that are outside the realm of neat tools and other people writing
> their exploits for them, so that the sheer act of learning something new
> turns them off. :-(
>
> Lord Help InfoSec,
>Scott
>
>
>
> Tremaine Lea wrote:
> > Probably because Gadi is at least close to on topic whether the majority
> > of readers appreciate the posts or not.

Re: [Full-disclosure] what is this?

2008-01-17 Thread SilentRunner

STFU you utterly pointless little creature.

If you have nothing constructive, edifying or humorous to impart,
stop wasting oxygen. The world is better off if there are no more
of your diseased tribe, so for the love of God, please don't breed.

>your comments are so fucking shitty, the articles you write are so
>fucking useless (Web Server Botnets and Server Farms as Attack
>Platforms), DONT YOU GET FUCKING TIRED OF ALWAYS TALKING ABOUT THE
>SAME BLABLABLA BOTNETDDOSRFI SHIT?
>
>disregards, fattyfagget
>









Re: [Full-disclosure] what is this?

2008-01-16 Thread scott
Not to mention that Gadi Evron knows more than all of these wanna-bes
put together!


I guess the new world order of cyberpunks is just really intolerant of
ideas that are outside the realm of neat tools and other people writing
their exploits for them, so that the sheer act of learning something new
turns them off. :-(


Lord Help InfoSec,
  Scott



Tremaine Lea wrote:

> Probably because Gadi is at least close to on topic whether the majority
> of readers appreciate the posts or not.

Re: [Full-disclosure] what is this?

2008-01-16 Thread Tremaine Lea
Probably because Gadi is at least close to on topic whether the majority
of readers appreciate the posts or not.

-- 
Tremaine Lea
Network Security Consultant
Intrepid ACL
"Paranoia for hire"


On Wed, 2008-01-16 at 20:19 -0600, reepex wrote:
> On Jan 14, 2008 3:46 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> > I did not look at the malware, but it is pretty obvious you have been
> > compromised.
>
> Because you do not have the skill necessary to do so.
>
> > Linking also to my original article here:
> > http://blogs.securiteam.com/index.php/archives/815
>
> blah blah i have nothing useful to say but I am going to spam my blog
> that no one reads.
>
> Why do we let gadi spam but bitch about the guy spamming to defend his
> business?

Re: [Full-disclosure] what is this?

2008-01-16 Thread damncon
your comments are so fucking shitty, the articles you write are so
fucking useless (Web Server Botnets and Server Farms as Attack
Platforms), DONT YOU GET FUCKING TIRED OF ALWAYS TALKING ABOUT THE
SAME BLABLABLA BOTNETDDOSRFI SHIT?

disregards, fattyfagget



Re: [Full-disclosure] what is this?

2008-01-16 Thread reepex
Woah, Paul, are you talking about stuff you do not know about again? [1] You
like to butt in on conversations. And how do you know that this virus has been
put in VirusTotal? Maybe it is new. Most people with decent RE skill
(unlike you and Gadi) would take the virus apart themselves to see what it
is doing.

[1] http://archives.neohapsis.com/archives/fulldisclosure/2007-11/0018.html

Here Paul calls out comp sci majors, and when I took his bet he backed down,
saying it was a joke. Seems Paul likes to run his mouth about nothing.

On Jan 16, 2008 8:26 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:

> --On January 16, 2008 8:19:52 PM -0600 reepex <[EMAIL PROTECTED]> wrote:
>
> > On Jan 14, 2008 3:46 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> >
> >> I did not look at the malware, but it is pretty obvious you have been
> >> compromised.
> >
> > Because you do not have the skill necessary to do so.
> >
>
> Yeah, right.  It takes real l33t ski11z to submit a file to Virustotal and
> find out what it is.  And uber l33t ski11z to figure out that the
> javascript on his website is downloading the infection to site visitors.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>

Re: [Full-disclosure] what is this?

2008-01-16 Thread worried security
On Jan 17, 2008 2:26 AM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On January 16, 2008 8:19:52 PM -0600 reepex <[EMAIL PROTECTED]> wrote:
>
> > On Jan 14, 2008 3:46 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> >
> >> I did not look at the malware, but it is pretty obvious you have been
> >> compromised.
> >
> > Because you do not have the skill necessary to do so.
> >
>
> Yeah, right.  It takes real l33t ski11z to submit a file to Virustotal and
> find out what it is.  And uber l33t ski11z to figure out that the
> javascript on his website is downloading the infection to site visitors.

What, you mean Gadi Evron has sk1llz? We're doomed.

regardz,

n3td3v



Re: [Full-disclosure] what is this?

2008-01-16 Thread Paul Schmehl
--On January 16, 2008 8:19:52 PM -0600 reepex <[EMAIL PROTECTED]> wrote:

> On Jan 14, 2008 3:46 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
>
>> I did not look at the malware, but it is pretty obvious you have been
>> compromised.
>
> Because you do not have the skill necessary to do so.
>

Yeah, right.  It takes real l33t ski11z to submit a file to Virustotal and 
find out what it is.  And uber l33t ski11z to figure out that the 
javascript on his website is downloading the infection to site visitors.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] what is this?

2008-01-16 Thread reepex
On Jan 14, 2008 3:46 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:

> I did not look at the malware, but it is pretty obvious you have been
> compromised.


Because you do not have the skill necessary to do so.


> Linking also to my original article here:
> http://blogs.securiteam.com/index.php/archives/815
>

blah blah i have nothing useful to say but I am going to spam my blog that
no one reads.

Why do we let gadi spam but bitch about the guy spamming to defend his
business?

Re: [Full-disclosure] what is this?

2008-01-16 Thread auto71278

>No, he's Nick Fitzgerald, one of the foremost experts in the world
>on malware,

Dear Paul,
sorry for the delay in answering your e-mail, but Hermione and I
were attending an important class here at Hogwarts. Anyway, now I'm
completely at your disposal.

I wanna believe in your words and I had an idea: I shall trust you.
You and your friend Gadi have one day to prove what you are
asserting (yes, you can help him, if you want).
Write a 60-word technical analysis of this malware and send it
to the list. You can also use the technical comments
already spread to the list or on teh internet (well, except the
one from our great Ph.D. at monkey.org or 3APA3A will own him
again, kthx).

Show that you aren’t just drones, who spend the days downloading e-
mails and posting shit everywhere, to everyone’s boredom.

This is your chance, the last one.

Regards,
Harry Potter

Re: [Full-disclosure] what is this?

2008-01-15 Thread Thomas Pollet
Mr. worthless security,

> Stop replying to Gadi Evron; he is a fruit cake.
>
> if we ignore him he will go away.
>
> :)

it didn't work for you, it won't work for G.E.

Regards,
T



Re: [Full-disclosure] what is this?

2008-01-15 Thread worried security
On Jan 15, 2008 5:24 PM, crazy frog crazy frog <[EMAIL PROTECTED]> wrote:
> Nope, I don't think it has to do with user agent. I have tried with
> IE and Firefox but nothing, though when you change IP it shows the stuff. So I
> think it's IP-based?

Stop replying to Gadi Evron; he is a fruit cake.

if we ignore him he will go away.

:)



Re: [Full-disclosure] what is this?

2008-01-15 Thread Gadi Evron
On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> Nick,
> you're not getting my point: the URL is techicorner.com/{random string
> here}, I have already mentioned it in previous posts.
> I have read the link sent by Denis, and I would have to conclude that:
> 1) The problem does not occur always; instead it occurs randomly, based
> on IP or something like that.

In recent kits, it is more likely it is user-agent based.

> 2)if u look at the pages on techicorner.com u will not find any
> malicious code,so its possible that the server is compromised and its
> an LKM
> please refer to these links:
> http://www.webhostingtalk.com/showthread.php?t=651748 [thanks denis]
>
> Thanks again everyone for your valuable suggestion,i posted here to
> share this stuff with everyone and may be u can learn from it.
>
> regards,
> _CF
>
> On Jan 15, 2008 12:15 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
>> crazy frog crazy frog wrote:
>>
>>> well,
>>> I received many responses but no one is perfect. I checked the files and
>>> didn't find anything embedded in my scripts or pages. Still I have to
>>> figure out why my antivirus randomly pops up? I mean most of the time
>>> it doesn't detect any infection but then suddenly this thing happens
>>> and then everything seems OK.
>>> I don't think it's a problem with my script, otherwise I could have found
>>> the code or it should be repeating consistently. Is anyone still facing
>>> this issue on techicorner.com or on tubeley.com or on
>>> secgeeks.com?
>>>
>>> Let me know, I'm trying hard to dig into this issue.
>>
>> If you would tell us the _actual_ URL where this behaviour is being
>> seen we would have a reasonable chance of actually diagnosing it.  As
>> it is, we're having to guess based on matching your half-arsed
>> descriptions of what you think is happening with our knowledge of what
>> has been seen going on out there.
>>
>> This may surprise you, but many thousands and thousands of sites are
>> compromised each day to display "similar" activity to what you've asked
>> to us to diagnose (aka "guess").
>>
>> If we could look at the actual site and see what is really happening
>> should have a better (if not perfect) chance of success.
>>
>>
>> Regards,
>>
>> Nick FitzGerald
>>
>>
>
>
>
> -- 
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>



Re: [Full-disclosure] what is this?

2008-01-15 Thread worried security
On Jan 15, 2008 3:08 PM, Paul Schmehl <[EMAIL PROTECTED]> wrote:
>
> It's better to remain silent and be thought a fool than to open your mouth and
> remove all doubt.

Tell that to Gadi Evron. Wait a minute, I think you were. (?)

--
cyber security mailing list
http://n3td3v.googlepages.com



Re: [Full-disclosure] what is this?

2008-01-15 Thread crazy frog crazy frog
Nope, I don't think it has to do with user agent. I have tried with
IE and Firefox but nothing, though when you change IP it shows the stuff. So I
think it's IP-based?

On Jan 15, 2008 10:52 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Tue, 15 Jan 2008, crazy frog crazy frog wrote:
> > Nick,
> > you're not getting my point: the URL is techicorner.com/{random string
> > here}, I have already mentioned it in previous posts.
> > I have read the link sent by Denis, and I would have to conclude that:
> > 1) The problem does not occur always; instead it occurs randomly, based
> > on IP or something like that.
>
> In recent kits, it is more likely it is user-agent based.
>
>
> > 2) If you look at the pages on techicorner.com you will not find any
> > malicious code, so it's possible that the server is compromised and it's
> > an LKM.
> > Please refer to these links:
> > http://www.webhostingtalk.com/showthread.php?t=651748 [thanks Denis]
> >
> > Thanks again everyone for your valuable suggestions; I posted here to
> > share this stuff with everyone and maybe you can learn from it.
> >
> > regards,
> > _CF
> >
> > On Jan 15, 2008 12:15 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> >> crazy frog crazy frog wrote:
> >>
> >>> well,
> >>> I received many responses but no one is perfect. I checked the files and
> >>> didn't find anything embedded in my scripts or pages. Still I have to
> >>> figure out why my antivirus randomly pops up? I mean most of the time
> >>> it doesn't detect any infection but then suddenly this thing happens
> >>> and then everything seems OK.
> >>> I don't think it's a problem with my script, otherwise I could have found
> >>> the code or it should be repeating consistently. Is anyone still facing
> >>> this issue on techicorner.com or on tubeley.com or on
> >>> secgeeks.com?
> >>>
> >>> Let me know, I'm trying hard to dig into this issue.
> >>
> >> If you would tell us the _actual_ URL where this behaviour is being
> >> seen we would have a reasonable chance of actually diagnosing it.  As
> >> it is, we're having to guess based on matching your half-arsed
> >> descriptions of what you think is happening with our knowledge of what
> >> has been seen going on out there.
> >>
> >> This may surprise you, but many thousands and thousands of sites are
> >> compromised each day to display "similar" activity to what you've asked
> >> to us to diagnose (aka "guess").
> >>
> >> If we could look at the actual site and see what is really happening
> >> should have a better (if not perfect) chance of success.
> >>
> >>
> >> Regards,
> >>
> >> Nick FitzGerald
> >>
> >>
> >
> >
> >
> > --
> > advertise on secgeeks?
> > http://secgeeks.com/Advertising_on_Secgeeks.com
> > http://newskicks.com
> >
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com

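
The disagreement above, Gadi's "in recent kits it is more likely user-agent based" against crazy frog's "when you change IP it shows the stuff", is exactly the kind of question a controlled probe settles: request the same page under several User-Agents, in a fixed order, from more than one source address, and see who gets the injected markup. The script below is an added example and is not code from the thread or from any poster. The FakeKit class is a constructed stand-in for the compromised server so that the probe runs offline; the injected-markup patterns are heuristics chosen here (not a signature for any real kit), and the User-Agent strings and the example.invalid URL are assumptions.

```python
"""Probe a page for conditionally injected markup (added example, not from the thread).

A compromised server may hand out a hidden iframe only to some visitors. Two
gates are common: the User-Agent (serve only MSIE) and the source address
(serve once per IP, then suppress). The gate decides how you reproduce the
problem, so the probe varies the User-Agent, the request order and the address.
"""
import re
import urllib.request
from typing import Callable, Dict, List, Tuple

# Assumed User-Agent strings; any set with one MSIE and one non-MSIE entry will do.
USER_AGENTS: Dict[str, str] = {
    "ie7": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "ff2": "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.8.1.11) Gecko/20071127 Firefox/2.0.0.11",
    "curl": "curl/7.18.0",
}

# Heuristic markers of injected loaders (chosen here): zero-size or hidden iframes,
# and the unescape()-wrapped document.write() that packed droppers use.
INJECTED = [
    re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I),
    re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I),
    re.compile(r"document\.write\(\s*unescape\(", re.I),
]

Fetch = Callable[[str, str], str]            # (url, user_agent) -> response body
Run = Tuple[str, List[Tuple[str, bool]]]    # (source label, ordered (ua name, injected?))


def http_fetch(url: str, user_agent: str) -> str:
    """Real fetch for use against a live site (never called in the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")


def find_injected(body: str) -> List[str]:
    """Return every fragment of body that matches an INJECTED pattern."""
    return [m.group(0) for pat in INJECTED for m in pat.finditer(body)]


def probe(url: str, fetch: Fetch, order: List[str]) -> List[Tuple[str, bool]]:
    """Request url once per User-Agent, in the given order. Order matters: a
    one-shot-per-IP kit serves only the first request, whatever UA it carries."""
    return [(name, bool(find_injected(fetch(url, USER_AGENTS[name])))) for name in order]


def classify(runs: List[Run]) -> str:
    """Name the gate(s) consistent with the runs: 'no-payload', 'unconditional',
    'ip', 'user-agent', 'user-agent+ip' or 'inconclusive'."""
    hits = [(src, [ua for ua, inj in res if inj], [ua for ua, _ in res]) for src, res in runs]
    if not any(h for _, h, _ in hits):
        return "no-payload"            # clean, or every address used is already burned
    if all(h == order for _, h, order in hits):
        return "unconditional"
    gates: List[str] = []
    first_seen: Dict[str, List[str]] = {}
    for src, h, _ in hits:             # same address probed again and the payload vanished
        if first_seen.get(src) and not h:
            gates.append("ip")
            break
        first_seen.setdefault(src, h)
    nonempty = [(h, order) for _, h, order in hits if h]
    # Only the first request from each address got it, regardless of UA: one-shot per IP.
    if all(h == order[:1] for h, order in nonempty) and len({o[0] for _, o in nonempty}) > 1:
        return "ip"
    # The same UA subset is served no matter the request order: a User-Agent gate.
    if len({frozenset(h) for h, _ in nonempty}) == 1:
        gates.insert(0, "user-agent")
    return "+".join(gates) if gates else "inconclusive"


def diagnose(url: str, fetch_from: Callable[[str], Fetch], order=("ie7", "ff2", "curl")) -> str:
    """Three runs: address 1 in forward UA order, address 2 in reverse order,
    then address 1 again. fetch_from(label) returns a fetch bound to that address."""
    fwd, rev = list(order), list(reversed(order))
    runs = [("addr-1", probe(url, fetch_from("addr-1"), fwd)),
            ("addr-2", probe(url, fetch_from("addr-2"), rev)),
            ("addr-1", probe(url, fetch_from("addr-1"), fwd))]
    return classify(runs)


class FakeKit:
    """Constructed stand-in for the compromised server so the probe runs offline.
    ua_gated: only MSIE visitors get the iframe. ip_gated: each address is served
    once and then burned, the 'shows up once per IP' behaviour reported above."""
    CLEAN = "<html><body><h1>Site</h1><p>Nothing to see here.</p></body></html>"
    PAYLOAD = '<iframe src="http://example.invalid/in.cgi?3" width=0 height=0></iframe>'

    def __init__(self, ua_gated: bool, ip_gated: bool) -> None:
        self.ua_gated, self.ip_gated, self.burned = ua_gated, ip_gated, set()

    def client(self, source_ip: str) -> Fetch:
        def fetch(url: str, user_agent: str) -> str:
            if self.ua_gated and "MSIE" not in user_agent:
                return self.CLEAN
            if self.ip_gated:
                if source_ip in self.burned:
                    return self.CLEAN
                self.burned.add(source_ip)
            return self.CLEAN.replace("</body>", self.PAYLOAD + "</body>")
        return fetch


if __name__ == "__main__":
    for ua, ip in [(True, False), (False, True), (True, True), (False, False)]:
        print(f"ua_gated={ua!s:<5} ip_gated={ip!s:<5} -> {diagnose('http://example.invalid/', FakeKit(ua, ip).client)}")
```

Against a live site, run probe(url, http_fetch, order) from each vantage point you control, label each run with that address and pass the list to classify(); diagnose() only drives the constructed FakeKit, since one machine cannot change its own source address. A "no-payload" verdict from a single address is not evidence of a clean site: that address may already be on the burn list, which is the situation the thread is describing.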


Re: [Full-disclosure] what is this?

2008-01-15 Thread Valdis . Kletnieks
On Tue, 15 Jan 2008 09:08:32 CST, Paul Schmehl said:

> >> I did not look at the malware, but it is pretty obvious you have been
> >> compromised.

> No, he's Nick Fitzgerald, one of the foremost experts in the world on 
> malware, 
> you bozo.

Umm... Paul?  Hate to tell you this, but Nick replied with a fairly long and
cogent description.  The quoted person "I did not look at the malware"
was actually Gadi.

Doesn't change the fact that Gadi was right - at some point in the description,
the facts add up to 'pwned', and actually looking at the malware only serves
to show *how* you got pwned. ;)



Re: [Full-disclosure] what is this?

2008-01-15 Thread Paul Schmehl
--On Tuesday, January 15, 2008 10:29:32 +0100 [EMAIL PROTECTED] wrote:

> > I did not look at the malware, but it is pretty obvious you have been
> > compromised.
>
> Dear Asshole,
> You did not look at the malware but you're sure (err, excuse me, "it's
> pretty obvious") he's owned. That's really funny. Are you the great
> Gandalf the magician or John Titor?
>

No, he's Nick Fitzgerald, one of the foremost experts in the world on malware, 
you bozo.

The malware was VBS/Psyme, but Nick didn't need to know that to understand that 
the guy had been compromised.  Why you did is an exercise for the reader.

It's better to remain silent and be thought a fool than to open your mouth and 
remove all doubt.

-- 
Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] what is this?

2008-01-15 Thread auto71278

>I did not look at the malware, but it is pretty obvious you have been
>compromised.

Dear Asshole,
You did not look at the malware but you're sure (err, excuse me, "it's
pretty obvious") he's owned. That's really funny. Are you the great
Gandalf the magician or John Titor?

>Defacements today (unless for specific reason of being "seen") are about
>leaving the site the same way you find it, and infecting its user
>base/visitors.

Stop acting like a guru, you're just funny.

And please, stop subscribing to all the mailing lists around TEH
INTERNET. You're really boring us (not since today, by the way, but
I think someone has to tell you that).

Have a nice day,
Harry Potter


Re: [Full-disclosure] what is this?

2008-01-15 Thread crazy frog crazy frog
Nick,
you're not getting my point, the URL is techicorner.com/{random string
here}, I have already mentioned it in previous posts.
I have read the link sent by Denis, and I would have to conclude that:
1) The problem does not occur always; instead it occurs randomly based
on IP or something like that.
2) If you look at the pages on techicorner.com you will not find any
malicious code, so it's possible that the server is compromised and it's
an LKM.
Please refer to these links:
http://www.webhostingtalk.com/showthread.php?t=651748 [thanks Denis]

Thanks again everyone for your valuable suggestions; I posted here to
share this stuff with everyone and maybe you can learn from it.

regards,
_CF

On Jan 15, 2008 12:15 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> crazy frog crazy frog wrote:
>
> > well,
> > I received many responses but no one is perfect. I checked the files and
> > didn't find anything embedded in my scripts or pages. Still I have to
> > figure out why my antivirus randomly pops up? I mean most of the times
> > it doesn't detect any infection but then suddenly this thing happens
> > and then everything seems ok.
> > I don't think it's a problem with my script, otherwise I could have found
> > the code or it should be repeating consistently. Is anyone still facing
> > this issue on techicorner.com or on tubeley.com or on
> > secgeeks.com?
> >
> > Let me know, I'm trying hard to dig into this issue.
>
> If you would tell us the _actual_ URL where this behaviour is being
> seen we would have a reasonable chance of actually diagnosing it.  As
> it is, we're having to guess based on matching your half-arsed
> descriptions of what you think is happening with our knowledge of what
> has been seen going on out there.
>
> This may surprise you, but many thousands and thousands of sites are
> compromised each day to display "similar" activity to what you've asked
> us to diagnose (aka "guess").
>
> If we could look at the actual site and see what is really happening
> we should have a better (if not perfect) chance of success.
>
>
> Regards,
>
> Nick FitzGerald
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com



Re: [Full-disclosure] what is this?

2008-01-14 Thread Nick FitzGerald
crazy frog crazy frog wrote:

> well,
> I received many responses but no one is perfect. I checked the files and
> didn't find anything embedded in my scripts or pages. Still I have to
> figure out why my antivirus randomly pops up? I mean most of the times
> it doesn't detect any infection but then suddenly this thing happens
> and then everything seems ok.
> I don't think it's a problem with my script, otherwise I could have found
> the code or it should be repeating consistently. Is anyone still facing
> this issue on techicorner.com or on tubeley.com or on
> secgeeks.com?
> 
> Let me know, I'm trying hard to dig into this issue.

If you would tell us the _actual_ URL where this behaviour is being 
seen we would have a reasonable chance of actually diagnosing it.  As 
it is, we're having to guess based on matching your half-arsed 
descriptions of what you think is happening with our knowledge of what 
has been seen going on out there.

This may surprise you, but many thousands and thousands of sites are 
compromised each day to display "similar" activity to what you've asked 
us to diagnose (aka "guess").

If we could look at the actual site and see what is really happening 
we should have a better (if not perfect) chance of success.


Regards,

Nick FitzGerald



Re: [Full-disclosure] what is this?

2008-01-14 Thread crazy frog crazy frog
well,
I received many responses but no one is perfect. I checked the files and
didn't find anything embedded in my scripts or pages. Still I have to
figure out why my antivirus randomly pops up? I mean most of the times
it doesn't detect any infection but then suddenly this thing happens
and then everything seems ok.
I don't think it's a problem with my script, otherwise I could have found
the code or it should be repeating consistently. Is anyone still facing
this issue on techicorner.com or on tubeley.com or on
secgeeks.com?

Let me know, I'm trying hard to dig into this issue.

On Jan 15, 2008 10:46 AM, Denis <[EMAIL PROTECTED]> wrote:
> This is a very serious new threat affecting Linux servers and thousands
> of boxes have been compromised since December 2007.
>
> Each box serving the nasty javascript has been rooted. One person has
> found a way to CLEAN the infection (i.e. stop your server from serving
> the bad javascript), however not the root hole, i.e. the servers in
> question are still rooted as nobody so far has found what hole is being
> exploited to gain root access in the first place.
>
> See the following urls for a lot more info on this exploit:
>
> http://www.webhostingtalk.com/showthread.php?t=651748 (useful discussion
> starts on page 3 or so)
>
> http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
>
> Time for some honey pot action to find out how they're gaining root
> access to begin with. From all reports so far it does not appear to be a
> kernel vulnerability (as some of the affected servers were using latest
> kernels)
>
> Cheers,
> Denis
>
>
> On Sun, 13 Jan 2008 21:31:34 +0530
> "crazy frog crazy frog" <[EMAIL PROTECTED]> wrote:
>
> ---> Hi,
>
> --->
> ---> Recently on opening one of my sites, my antivirus pops up saying that it
> ---> has found a malicious script. The URL is random and I have managed to
> ---> get that script. It is using some flaw in Apple QuickTime.
> ---> You can get the zip file for the JavaScript here:
> ---> http://secgeeks.com/what.zip
> ---> password is 12345
> ---> Can somebody guide/help me with what this is and how I can remove it?
> --->
> ---> --
> ---> advertise on secgeeks?
> ---> http://secgeeks.com/Advertising_on_Secgeeks.com
> ---> http://newskicks.com
>
> Denis
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com



Re: [Full-disclosure] what is this?

2008-01-14 Thread Gadi Evron
> Hi,
>
> Recently on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. The URL is random and I have managed to
> get that script. It is using some flaw in Apple QuickTime.
> You can get the zip file for the JavaScript here:
> http://secgeeks.com/what.zip
> password is 12345
> Can somebody guide/help me with what this is and how I can remove it?

I did not look at the malware, but it is pretty obvious you have been 
compromised.

Defacements today (unless for specific reason of being "seen") are about 
leaving the site the same way you find it, and infecting its user 
base/visitors.

A second option is that you are secure but a "partner" such as an ad site 
has been compromised and infects your users.

Naturally, a compromise can come from anywhere, but in most cases it is 
something like RFI... Taosecurity linked to three great papers on the 
subject of web botnets / cross-platform web malware:
http://taosecurity.blogspot.com/2007/11/great-papers-from-honeynet-project.html

Linking also to my original article here:
http://blogs.securiteam.com/index.php/archives/815

Gadi.



Re: [Full-disclosure] what is this?

2008-01-14 Thread Mario Contestabile
Looks like the local name is actually more random:

var name = "c:\\win"+GetRandString(4)+".exe";

Kinda dumb though, as any non-admin class user won't have access to the
local folder on the root [c:\].

[EMAIL PROTECTED]
http://securitymario.spaces.live.com/

 

-Original Message-
From: Jose Nazario [mailto:[EMAIL PROTECTED] 
Sent: Monday, January 14, 2008 10:44 AM
To: crazy frog crazy frog
Cc: Untitled; PenTest; [EMAIL PROTECTED]
Subject: Re: what is this?

On Sun, 13 Jan 2008, crazy frog crazy frog wrote:

> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?

the file you sent here contains a bunch of embedded nulls (every other
character is 00). stripping those out reveals ...

that it's a collection of browser exploits. by the looks of it it's MPack
and uses the heapspray slide stuff.

the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
as a local file c:\\mosvs8.exe and then run it.


very common exploit scenario these days (but they usually have some form 
of js obfuscation going on).

i hope this helps.


jose nazario, ph.d. http://monkey.org/~jose/



Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Jose Nazario,


JN> the file you sent here contains a bunch of embedded nulls (every other
JN> character is 00). stripping those out reveals ... jose

JN> nazario, ph.d.   http://monkey.org/~jose/

This is Little Endian UCS-2 Unicode, not a bunch of embedded nulls.
Never stop educating yourself.

-- 
~/ZARAZA http://securityvulns.com/


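As an added example (not code from the thread or from either poster), here is how an analyst would recognise the "every other byte is 00" pattern as UTF-16-LE/UCS-2 text and why just stripping the zero bytes is lossy; the sample bytes are constructed, built from the one-line assignment quoted elsewhere in the thread plus a non-Latin-1 character.

```python
"""Added example, not from the thread: telling UTF-16-LE (UCS-2) text
apart from "embedded nulls", and what is lost by stripping the zeros.
Sample input is constructed here; it is not the file discussed above.
"""


def null_ratio(data: bytes) -> float:
    """Fraction of zero bytes; ASCII text stored as UTF-16-LE sits near 0.5."""
    return data.count(0) / len(data) if data else 0.0


def looks_like_utf16le(data: bytes) -> bool:
    """A BOM, or an even-length buffer whose high (odd-index) bytes are ~all zero."""
    if data.startswith(b"\xff\xfe"):
        return True
    if len(data) < 4 or len(data) % 2:
        return False
    high = data[1::2]
    return high.count(0) >= 0.9 * len(high)


def strip_nulls(data: bytes) -> str:
    """The lossy shortcut: drop every 0x00 byte and treat the rest as 8-bit text.
    Correct only while every character is below U+0100."""
    return data.replace(b"\x00", b"").decode("latin-1")


def decode_text(data: bytes) -> str:
    """Decode as UTF-16-LE when the heuristic fires, otherwise as 8-bit text."""
    if looks_like_utf16le(data):
        body = data[2:] if data.startswith(b"\xff\xfe") else data
        return body.decode("utf-16-le", errors="replace")
    return data.decode("latin-1")


# Constructed sample: the assignment quoted in the thread, followed by a
# comment containing a character outside Latin-1, saved as "Unicode"
# text the way a Windows editor would (two bytes per character).
SAMPLE_TEXT = 'var name = "c:\\\\win"+GetRandString(4)+".exe"; // cost: 5 \u20ac'
SAMPLE_NOBOM = SAMPLE_TEXT.encode("utf-16-le")
SAMPLE_BOM = b"\xff\xfe" + SAMPLE_NOBOM
ASCII_PART = SAMPLE_TEXT.split(" //")[0]  # the pure-ASCII prefix

if __name__ == "__main__":
    print(f"null ratio : {null_ratio(SAMPLE_NOBOM):.2f}")
    print("stripped   :", strip_nulls(SAMPLE_NOBOM))   # the euro sign is mangled
    print("decoded    :", decode_text(SAMPLE_NOBOM))   # round-trips exactly
```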


Re: [Full-disclosure] what is this?

2008-01-14 Thread Jose Nazario
On Sun, 13 Jan 2008, crazy frog crazy frog wrote:

> http://secgeeks.com/what.zip
> password is 12345
> can somebody guide/help me what is this and how can i remove it?

the file you sent here contains a bunch of embedded nulls (every other 
character is 00). stripping those out reveals ...

that it's a collection of browser exploits. by the looks of it it's MPack 
and uses the heapspray slide stuff.

the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead) 
as a local file c:\\mosvs8.exe and then run it.


very common exploit scenario these days (but they usually have some form 
of js obfuscation going on).

i hope this helps.


jose nazario, ph.d. http://monkey.org/~jose/



Re: [Full-disclosure] what is this?

2008-01-14 Thread Robert McArdle
Apologies I should clarify.

In this attack legitimate pages on a site are first populated with
html tags embedding Javascript like so



these all point to the page you sent on. All the Mp3, quicktime, etc
stuff are exploits that are launched against the browser of the victim
who browses to the site.

The full descriptions of the various exploits are linked off
http://blog.trendmicro.com/e-commerce-sites-invaded/

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On Jan 13, 2008 5:33 PM, crazy frog crazy frog <[EMAIL PROTECTED]> wrote:
> More, it's not a JavaScript, looks like an HTML page [notice the 
> and  tag in the file]. There is also a random function, which
> generates the random string which is used to store the files on the C drive
> and maybe for the random URL. It's trying to play mp3 and other
> files. All looks messed up. Maybe there is another script which is
> getting embedded in pages which infect calling this script?
>
>
> On Jan 13, 2008 9:31 PM, crazy frog crazy frog <[EMAIL PROTECTED]> wrote:
> > Hi,
> >
> > Recently on opening one of my sites, my antivirus pops up saying that it
> > has found a malicious script. The URL is random and I have managed to
> > get that script. It is using some flaw in Apple QuickTime.
> > You can get the zip file for the JavaScript here:
> > http://secgeeks.com/what.zip
> > password is 12345
> > Can somebody guide/help me with what this is and how I can remove it?
> >
> > --
> > advertise on secgeeks?
> > http://secgeeks.com/Advertising_on_Secgeeks.com
> > http://newskicks.com
> >
>
>
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>



-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings



Re: [Full-disclosure] what is this?

2008-01-14 Thread crazy frog crazy frog
Yep, there is one Yahoo Messenger exploit too.

On Jan 14, 2008 9:14 PM, Jose Nazario <[EMAIL PROTECTED]> wrote:
> On Sun, 13 Jan 2008, crazy frog crazy frog wrote:
>
> > http://secgeeks.com/what.zip
> > password is 12345
> > can somebody guide/help me what is this and how can i remove it?
>
> the file you sent here contains a bunch of embedded nulls (every other
> character is 00). stripping those out reveals ...
>
> that it's a collection of browser exploits. by the looks of it it's MPack
> and uses the heapspray slide stuff.
>
> the goal is to download hxxp://techicorner.com/bcuoixqf (which looks dead)
> as a local file c:\\mosvs8.exe and then run it.
>
>
> very common exploit scenario these days (but they usually have some form
> of js obfuscation going on).
>
> i hope this helps.
>
> 
> jose nazario, ph.d. http://monkey.org/~jose/
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com



Re: [Full-disclosure] what is this?

2008-01-14 Thread Robert McArdle
Looks like your site was compromised along with several hundred others
in the last day or so.

A full account is up on
http://blog.trendmicro.com/e-commerce-sites-invaded/ but the JS you
posted is the exact same as the one used in those attacks. I'm
guessing you have Javascripts embedded in your pages that pointed to a
randomly named js in the same directory, right?

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings



On Jan 13, 2008 4:01 PM, crazy frog crazy frog <
[EMAIL PROTECTED]> wrote:
> Hi,
>
> Recently on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. The URL is random and I have managed to
> get that script. It is using some flaw in Apple QuickTime.
> You can get the zip file for the JavaScript here:
> http://secgeeks.com/what.zip
> password is 12345
> Can somebody guide/help me with what this is and how I can remove it?
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>



Re: [Full-disclosure] what is this?

2008-01-14 Thread Robert McArdle
Looks like your site was compromised along with several hundred others in
the last day or so.

A full account is up on
http://blog.trendmicro.com/e-commerce-sites-invaded/ but the JS you
posted is the exact same as the one used in those attacks.
I'm guessing you have Javascripts embedded in your pages that pointed to a
randomly named js in the same directory, right?

Robert McArdle
-- 
www.RobertMcArdle.com/blog/ - Techie/Security/Inane Ramblings

On Jan 13, 2008 4:01 PM, crazy frog crazy frog <[EMAIL PROTECTED]>
wrote:

> Hi,
>
> Recently on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. The URL is random and I have managed to
> get that script. It is using some flaw in Apple QuickTime.
> You can get the zip file for the JavaScript here:
> http://secgeeks.com/what.zip
> password is 12345
> Can somebody guide/help me with what this is and how I can remove it?
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>

Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear Nick FitzGerald,

--Monday, January 14, 2008, 2:52:23 PM, you wrote to 
full-disclosure@lists.grok.org.uk:


NF> U -- the only part of that likely to be relevant here is the last.

NF> These kinds of web page "compromises" are typically achieved through
NF> bad/ill-configured/non-updated server-side web applications (or
NF> their underlying script engines) and are typically achieved without
NF> requiring any more special or privileged access to the victim sites
NF> than the ability to run a clever Google search or your own
NF> brute-force spidering via a bot-net, etc.

During the last few months, we have monitored mass infection attempts through
stolen FTP passwords.

Yes, a web exploitation scenario is also possible. These are automated
exploitation requests received during a single day:

http://securityvulns.com/files/exprequests.txt

In this case there is a quick workaround (and also a good security
practice) of disabling write access for the web server account. Of course,
investigation is required anyway.


-- 
~/ZARAZA http://securityvulns.com/
We will always be glad to hear your chirping (Twain)


Re: [Full-disclosure] what is this?

2008-01-14 Thread crazy frog crazy frog
Hmm. Thanks everyone for the suggestions.

On Jan 14, 2008 5:22 PM, Nick FitzGerald <[EMAIL PROTECTED]> wrote:
> 3APA3A wrote:
>
> > Dear crazy frog crazy frog,
> >
> >   Clear your computer from the trojan, change the FTP password for your site
> >   hosting access, because it's stolen, access your hosting account via
> >   FTP and remove additional text (usually at the end of the file, after
> >   ) from all HTML/PHP pages.
>
> U -- the only part of that likely to be relevant here is the last.
>
> These kinds of web page "compromises" are typically achieved through
> bad/ill-configured/non-updated server-side web applications (or their
> underlying script engines) and are typically achieved without requiring
> any more special or privileged access to the victim sites than the
> ability to run a clever Google search or your own brute-force spidering
> via a bot-net, etc.
>
> Of course, simply removing the undesired iframe/script/etc tags from
> your compromised pages is not enough.  Although doing so does not mean
> that this attacker will come back, it equally does nothing to close the
> hole they used in the first place, and the next attacker searching for
> that hole will hit you just as easily and indiscriminately...
>
>
> Regards,
>
> Nick FitzGerald
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com



Re: [Full-disclosure] what is this?

2008-01-14 Thread Nick FitzGerald
3APA3A wrote:

> Dear crazy frog crazy frog,
> 
>   Clear your computer from the trojan, change the FTP password for your site
>   hosting access, because it's stolen, access your hosting account via
>   FTP and remove additional text (usually at the end of the file, after
>   ) from all HTML/PHP pages.

U -- the only part of that likely to be relevant here is the last.

These kinds of web page "compromises" are typically achieved through 
bad/ill-configured/non-updated server-side web applications (or their 
underlying script engines) and are typically achieved without requiring 
any more special or privileged access to the victim sites than the 
ability to run a clever Google search or your own brute-force spidering 
via a bot-net, etc.

Of course, simply removing the undesired iframe/script/etc tags from 
your compromised pages is not enough.  Although doing so does not mean 
that this attacker will come back, it equally does nothing to close the 
hole they used in the first place, and the next attacker searching for 
that hole will hit you just as easily and indiscriminately...


Regards,

Nick FitzGerald



Re: [Full-disclosure] what is this?

2008-01-14 Thread 3APA3A
Dear crazy frog crazy frog,

  Clear your computer from the trojan, change the FTP password for your site
  hosting access, because it's stolen, access your hosting account via
  FTP and remove additional text (usually at the end of the file, after
  ) from all HTML/PHP pages.

--Sunday, January 13, 2008, 7:01:34 PM, you wrote to 
full-disclosure@lists.grok.org.uk:

cfcf> Hi,

cfcf> Recently on opening one of my sites, my antivirus pops up saying that it
cfcf> has found a malicious script. The URL is random and I have managed to
cfcf> get that script. It is using some flaw in Apple QuickTime.
cfcf> You can get the zip file for the JavaScript here:
cfcf> http://secgeeks.com/what.zip
cfcf> password is 12345
cfcf> Can somebody guide/help me with what this is and how I can remove it?



-- 
~/ZARAZA http://securityvulns.com/
Shooting a second time, he crippled a bystander. The bystander was me. (Twain)

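The clean-up that 3APA3A, Nick FitzGerald and Robert McArdle describe above (text appended to the end of every HTML/PHP page, script or iframe tags pointing at a randomly named file in the same directory) can be triaged mechanically. The following is an added example, not code from the thread or from any poster; it assumes the appended content sits after the closing html tag (the thread's "after ..." is cut off in the archive), and the sample pages and the allowlist of known-good script names are constructed for the demonstration.

```python
"""Added example, not from the thread: triage of HTML/PHP pages for the
appended-tag injection described in the thread.  Two checks per page:
  1. anything that follows the last closing html tag (assumed location);
  2. <script>/<iframe> src values that are bare, random-looking file
     names in the same directory.
The allowlist and the sample pages are constructed for this demo.
"""
import re
from pathlib import Path

CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
# src attribute of a script or iframe tag; quotes optional, as seen in the wild
SRC_ATTR = re.compile(
    rb"<(script|iframe)\b[^>]*?\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
# Bare name (no scheme, no directory) of 6-16 lowercase letters/digits,
# optionally ending in .js.  A heuristic; tune per site.
RANDOM_NAME = re.compile(r"^[a-z0-9]{6,16}(\.js)?$")
ALLOWLIST = {"jquery.js", "prototype.js"}  # constructed known-good names


def trailing_content(page: bytes) -> bytes:
    """Return whatever follows the LAST closing html tag, minus whitespace."""
    last = None
    for last in CLOSE_HTML.finditer(page):
        pass
    return page[last.end():].strip() if last is not None else b""


def suspicious_local_scripts(page: bytes) -> list[str]:
    """src values of script/iframe tags that look like random local file names."""
    names = []
    for _tag, src in SRC_ATTR.findall(page):
        name = src.decode("latin-1")
        if "/" in name or ":" in name:
            continue  # a path or a remote URL: outside this check
        if name.lower() in ALLOWLIST:
            continue
        if RANDOM_NAME.match(name.lower()):
            names.append(name)
    return names


def scan_page(page: bytes) -> dict:
    """Both checks for one page; empty values mean nothing was found."""
    return {"trailing": trailing_content(page),
            "random_src": suspicious_local_scripts(page)}


def scan_tree(root: str, suffixes=(".html", ".htm", ".php")) -> dict[str, dict]:
    """Walk a web root and return findings for every page that has any."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = scan_page(path.read_bytes())
            if found["trailing"] or found["random_src"]:
                hits[str(path)] = found
    return hits


# Constructed samples: a clean page, and the same page with tags appended
# after </html>, the way the thread describes the compromised sites.
CLEAN_PAGE = b"""<html><head><script src="jquery.js"></script></head>
<body>Hello</body></html>
"""
INJECTED_PAGE = CLEAN_PAGE + b"""<script src="qzkxwvbp.js"></script>
<iframe src=mvdqtrlk width=1 height=1></iframe>
"""

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, found in scan_tree(root).items():
        print(path, found)
```

Run it against a copy of the web root; a hit in `trailing` is the appended block to cut, and a hit in `random_src` is the file to pull for analysis.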

Re: [Full-disclosure] what is this?

2008-01-13 Thread crazy frog crazy frog
More, it's not a JavaScript, looks like an HTML page [notice the 
and  tag in the file]. There is also a random function, which
generates the random string which is used to store the files on the C drive
and maybe for the random URL. It's trying to play mp3 and other
files. All looks messed up. Maybe there is another script which is
getting embedded in pages which infect calling this script?

On Jan 13, 2008 9:31 PM, crazy frog crazy frog <[EMAIL PROTECTED]> wrote:
> Hi,
>
> Recently on opening one of my sites, my antivirus pops up saying that it
> has found a malicious script. The URL is random and I have managed to
> get that script. It is using some flaw in Apple QuickTime.
> You can get the zip file for the JavaScript here:
> http://secgeeks.com/what.zip
> password is 12345
> Can somebody guide/help me with what this is and how I can remove it?
>
> --
> advertise on secgeeks?
> http://secgeeks.com/Advertising_on_Secgeeks.com
> http://newskicks.com
>



-- 
advertise on secgeeks?
http://secgeeks.com/Advertising_on_Secgeeks.com
http://newskicks.com



RE: [Full-disclosure] What is this

2005-08-08 Thread Armando Rogerio Brandão Guimaraes Junior
This link came through MSN chat.
The IM worm inserted this link in chat.

Armando Guimarães Jr 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ron
Sent: Monday, 08 August 2005 16:06
To: [EMAIL PROTECTED]
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] What is this

I've seen something very similar spreading as an IM worm.  There's  a
pretty good chance he got it from AIM or MSN.  Of course, it could also
be a classic email worm, who knows?

Michael Hale wrote:
> Anti virus doesn't detect it because it's packed with ASProtect 1.2.x
> (using StudPE). You can see the difference when it's dumped out of RAM
> into its uncompressed/decrypted form (see VirusTotal results below).
> My interest is where you came across this URL. Can you provide that
> information?
> 
> Scan results
>  File: DUMPED.php
>  Date: 08/08/2005 20:39:56 (CET)
> 
> AntiVir        6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> Avast          4.6.695.0/20050808       found nothing
> AVG            718/20050807             found nothing
> Avira          6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> BitDefender    7.0/20050808             found nothing
> CAT-QuickHeal  7.03/20050808            found [(Suspicious) - DNAScan]
> ClamAV         devel-20050725/20050808  found [Trojan.Mybot-312]
> DrWeb          4.32b/20050808           found [BackDoor.IRC.Sdbot.118]
> eTrust-Iris    7.1.194.0/20050806       found nothing
> eTrust-Vet     11.9.1.0/20050808        found [Win32.Slinbot]
> Fortinet       2.36.0.0/20050808        found [suspicious]
> F-Prot         3.16c/20050808           found nothing
> Ikarus         0.2.59.0/20050808        found nothing
> Kaspersky      4.0.2.24/20050808        found nothing
> McAfee         4552/20050808            found [New Malware.b]
> NOD32v2        1.1187/20050805          found [BAT/NoShare.L]
> Norman         5.70.10/20050805         found nothing
> Panda          8.02.00/20050808         found nothing
> Sophos         3.96.0/20050808          found nothing
> Sybari         7.5.1314/20050808        found [Win32.Slinbot]
> Symantec       8.0/20050808             found [W32.Randex]
> TheHacker      5.8.2.082/20050808       found nothing
> VBA32          3.10.4/20050808          found [suspected of Backdoor.RxBot.2]
> 
> On 8/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>>Quoting Armando Rogerio Brandão Guimaraes Junior <[EMAIL PROTECTED]>:
>>
>>
>>>Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
>>>AntiVirus and SpyBot don't detect it!!!
>>>
>>>Armando Guimarães Jr
>>
>>It is an MS-EXE executable program.  Anti virus doesn't find it because
>>it is not a virus.  Spybot for the same reason.  To block these you
>>need an SMTP policy that does not allow executable attachments to
>>incoming emails.
>>
>>"What it does" could be anything from typing "hello world" in a dialog
>>box (unlikely) to creating a new Administrator account on your
>>corporate AD server and posting the entire contents thereof to an IRC
>>channel (somewhat more likely).  But at first glance it looks like it
>>is going to open a backdoor shell on the recipient's PC.
>>
>>tc
>>
>>
>>
>>
>>This message was sent using IMP, the Internet Messaging Program.
>>
>>___
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
>>
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 


RE: [Full-disclosure] What is this

2005-08-08 Thread Aditya Deshmukh
> http://www.pokersverige.se/IMAGE0004.php

An .exe file of some kind, using only the headers; will
have to download it and test it in some VMware machine to
debug it - anyone volunteer for that task?




RE: [Full-disclosure] What is this

2005-08-08 Thread Peter Kruse
Hi,

> It is an MS-EXE executable program.  Anti virus doesn't find 
> it because it is not a virus.  Spybot for the same reason.  
> To block these you need an SMTP policy that does not allow 
> executable attachments to incoming emails.

As a matter of fact this is a new sdbot variant. 

It does pretty much the same as any other sdbot variant out there: it allows
the author of the code and others to control the infected host.

Kind regards
Peter Kruse





Re: [Full-disclosure] What is this

2005-08-08 Thread Jeremy
On 8/8/05, Armando Rogerio Brandão Guimaraes Junior
<[EMAIL PROTECTED]> wrote:
> Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
> AntiVirus and SpyBot don't detect it!!!
> 
> Armando Guimarães Jr

Installs a bot. Looks up lists2.dc21business.com, connects to an IRC
server on port 12000. Joins a few rooms. Gets a message/command to
download http://home.comcast.net/~soliveria/n3.exe . Does so, then
gets a message to download  http://home.comcast.net/~ebaker1973/up.exe
. Reports to http://dos2.deadlist.net/ . Joins another IRC server at
204.8.34.78 port 12000. Gets told to download
http://hec-ulg-entrepreneurs.com/3.exe , then
http://hec-ulg-entrepreneurs.com/1.exe . Starts a netbios scan of
local network. Joins several different irc chats. It just keeps going
and going and going. Lots of spyware, lots of malware, chaos.

Still watching,
~J


Re: [Full-disclosure] What is this

2005-08-08 Thread Ron
I've seen something very similar spreading as an IM worm.  There's a
pretty good chance he got it from AIM or MSN.  Of course, it could also
be a classic email worm, who knows?

Michael Hale wrote:
> Antivirus doesn't detect it because it's packed with ASProtect 1.2.x
> (using StudPE). You can see the difference when it's dumped out of RAM
> into its uncompressed/decrypted form (see VirusTotal results below).
> My interest is where you came across this URL. Can you provide that
> information?
> 
> Scan results
>  File: DUMPED.php
>  Date: 08/08/2005 20:39:56 (CET)
> 
> AntiVir        6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> Avast          4.6.695.0/20050808       found nothing
> AVG            718/20050807             found nothing
> Avira          6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
> BitDefender    7.0/20050808             found nothing
> CAT-QuickHeal  7.03/20050808            found [(Suspicious) - DNAScan]
> ClamAV         devel-20050725/20050808  found [Trojan.Mybot-312]
> DrWeb          4.32b/20050808           found [BackDoor.IRC.Sdbot.118]
> eTrust-Iris    7.1.194.0/20050806       found nothing
> eTrust-Vet     11.9.1.0/20050808        found [Win32.Slinbot]
> Fortinet       2.36.0.0/20050808        found [suspicious]
> F-Prot         3.16c/20050808           found nothing
> Ikarus         0.2.59.0/20050808        found nothing
> Kaspersky      4.0.2.24/20050808        found nothing
> McAfee         4552/20050808            found [New Malware.b]
> NOD32v2        1.1187/20050805          found [BAT/NoShare.L]
> Norman         5.70.10/20050805         found nothing
> Panda          8.02.00/20050808         found nothing
> Sophos         3.96.0/20050808          found nothing
> Sybari         7.5.1314/20050808        found [Win32.Slinbot]
> Symantec       8.0/20050808             found [W32.Randex]
> TheHacker      5.8.2.082/20050808       found nothing
> VBA32          3.10.4/20050808          found [suspected of Backdoor.RxBot.2]
> 
> On 8/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> 
>>Quoting Armando Rogerio Brandão Guimaraes Junior <[EMAIL PROTECTED]>:
>>
>>
>>>Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
>>>AntiVirus and SpyBot don't detect it!!!
>>>
>>>Armando Guimarães Jr
>>
>>It is an MS-EXE executable program.  Antivirus doesn't find it because
>>it is not a virus.  Spybot for the same reason.  To block these you
>>need an SMTP policy that does not allow executable attachments to
>>incoming emails.
>>
>>"What it does" could be anything from typing "hello world" in a dialog
>>box (unlikely) to creating a new Administrator account on your
>>corporate AD server and posting the entire contents thereof to an IRC
>>channel (somewhat more likely).  But at first glance it looks like it
>>is going to open a backdoor shell on the recipient's PC.
>>
>>tc
>>
>>
>>
>>
>>This message was sent using IMP, the Internet Messaging Program.
>>
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] What is this

2005-08-08 Thread Michael Hale
Antivirus doesn't detect it because it's packed with ASProtect 1.2.x
(using StudPE). You can see the difference when it's dumped out of RAM
into its uncompressed/decrypted form (see VirusTotal results below).
My interest is where you came across this URL. Can you provide that
information?

Scan results
 File: DUMPED.php
 Date: 08/08/2005 20:39:56 (CET)

AntiVir        6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
Avast          4.6.695.0/20050808       found nothing
AVG            718/20050807             found nothing
Avira          6.31.1.0/20050808        found [BDS/SdBot.Gen.Plus]
BitDefender    7.0/20050808             found nothing
CAT-QuickHeal  7.03/20050808            found [(Suspicious) - DNAScan]
ClamAV         devel-20050725/20050808  found [Trojan.Mybot-312]
DrWeb          4.32b/20050808           found [BackDoor.IRC.Sdbot.118]
eTrust-Iris    7.1.194.0/20050806       found nothing
eTrust-Vet     11.9.1.0/20050808        found [Win32.Slinbot]
Fortinet       2.36.0.0/20050808        found [suspicious]
F-Prot         3.16c/20050808           found nothing
Ikarus         0.2.59.0/20050808        found nothing
Kaspersky      4.0.2.24/20050808        found nothing
McAfee         4552/20050808            found [New Malware.b]
NOD32v2        1.1187/20050805          found [BAT/NoShare.L]
Norman         5.70.10/20050805         found nothing
Panda          8.02.00/20050808         found nothing
Sophos         3.96.0/20050808          found nothing
Sybari         7.5.1314/20050808        found [Win32.Slinbot]
Symantec       8.0/20050808             found [W32.Randex]
TheHacker      5.8.2.082/20050808       found nothing
VBA32          3.10.4/20050808          found [suspected of Backdoor.RxBot.2]

On 8/8/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Quoting Armando Rogerio Brandão Guimaraes Junior <[EMAIL PROTECTED]>:
> 
> > Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
> > AntiVirus and SpyBot don't detect it!!!
> >
> > Armando Guimarães Jr
> 
> It is an MS-EXE executable program.  Antivirus doesn't find it because
> it is not a virus.  Spybot for the same reason.  To block these you
> need an SMTP policy that does not allow executable attachments to
> incoming emails.
> 
> "What it does" could be anything from typing "hello world" in a dialog
> box (unlikely) to creating a new Administrator account on your
> corporate AD server and posting the entire contents thereof to an IRC
> channel (somewhat more likely).  But at first glance it looks like it
> is going to open a backdoor shell on the recipient's PC.
> 
> tc
> 
> 
> 
> 
> This message was sent using IMP, the Internet Messaging Program.
> 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] What is this

2005-08-08 Thread trains

Quoting Armando Rogerio Brandão Guimaraes Junior <[EMAIL PROTECTED]>:

> Does somebody know what the fuck this is? http://www.pokersverige.se/IMAGE0004.php
> AntiVirus and SpyBot don't detect it!!!
>
> Armando Guimarães Jr


It is an MS-EXE executable program.  Antivirus doesn't find it because
it is not a virus.  Spybot for the same reason.  To block these you
need an SMTP policy that does not allow executable attachments to
incoming emails.

"What it does" could be anything from typing "hello world" in a dialog
box (unlikely) to creating a new Administrator account on your
corporate AD server and posting the entire contents thereof to an IRC
channel (somewhat more likely).  But at first glance it looks like it
is going to open a backdoor shell on the recipient's PC.

tc




This message was sent using IMP, the Internet Messaging Program.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
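As an added example (not code from anyone in this thread), the two defensive points raised above, blocking executable attachments at the SMTP gateway (trains) and the observation that a packed sample looks very different from its dumped, unpacked form (Michael Hale), can be combined into a content-based attachment check: identify a PE by its MZ/PE headers regardless of file name or declared MIME type, and use byte entropy as a rough packing indicator. The message, the attachment contents and the 7.0 entropy threshold are constructed for this example.

```python
import math
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption (not from the thread): at or above this many bits per byte the
# attachment is treated as packed/encrypted; plain compiled code sits lower.
ENTROPY_THRESHOLD = 7.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8 for packed/encrypted."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_pe_executable(data: bytes) -> bool:
    """True for an MZ header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_message(raw: bytes) -> list:
    """Return (filename, is_pe, entropy, verdict) for every attachment part."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        pe, ent = is_pe_executable(payload), shannon_entropy(payload)
        verdict = "allow"
        if pe:  # the bytes decide, not the file name or the declared MIME type
            verdict = "block: executable attachment"
            if ent >= ENTROPY_THRESHOLD:
                verdict += " (high entropy, likely packed)"
        findings.append((part.get_filename(), pe, round(ent, 2), verdict))
    return findings

def build_sample() -> bytes:
    """Constructed message: a fake PE (valid MZ/PE headers, uniform byte body
    standing in for a packed image) labelled as a JPEG, plus a text file."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = "sender@example.invalid", "What is this"
    msg.set_content("see attached")
    fake_pe = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(range(256)) * 8
    msg.add_attachment(fake_pe, maintype="image", subtype="jpeg", filename="IMAGE0004.php")
    msg.add_attachment("hello world\n", filename="notes.txt")
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` returns one "block" finding for the disguised executable and one "allow" finding for the text file.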