[Full-Disclosure] client attacks server - XSS

2003-10-14 Thread morning_wood
huh, is this normal?

muhaaa-hehe!!!

this...

http://host/stupidscript?someoption=scriptjavascript:location.reload()/script

effectively causes the client to repeatedly reload
the page, sending never-ending requests to the server; some sites
can do funny stuff
like this...

http://ws.arin.net/cgi-bin/whois.pl?queryinput=scriptjavascript:location.reload()/script

give it a minute...


Oct 12, 2003
Donnie Werner
[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
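
An added example (not part of the original post) of the server-side fix: the same reflected parameter rendered unchanged, then rendered with an allow-list check plus HTML encoding. The request URL with percent-encoded markup is constructed, and the allow-list assumes the parameter is a whois-style lookup key.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed request URL in the shape the post describes: a query parameter
# whose value is markup rather than data. "host", "stupidscript" and
# "someoption" are the post's own placeholders.
SAMPLE_URL = ("http://host/stupidscript?someoption="
              "%3Cscript%3Elocation.reload()%3C/script%3E")

# Assumption: the parameter is a whois-style lookup key, so letters, digits,
# dot, hyphen and colon cover every legitimate value.
ALLOWED = re.compile(r"[A-Za-z0-9.:\-]{1,255}")


def get_param(url, name):
    """Return the first percent-decoded value of a query parameter, or ''."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(value):
    """Reflects the value into the page unchanged: markup in, markup out."""
    return "<html><body>Results for: " + value + "</body></html>"


def render_hardened(value):
    """Rejects values outside the allow-list and encodes whatever it echoes."""
    if not ALLOWED.fullmatch(value):
        body = "Invalid query."          # never echo the rejected input
    else:
        body = "Results for: " + html.escape(value, quote=True)
    return "<html><body>" + body + "</body></html>"


def contains_script_tag(page):
    """True if the rendered page carries a script element."""
    return re.search(r"<\s*script", page, re.IGNORECASE) is not None


if __name__ == "__main__":
    value = get_param(SAMPLE_URL, "someoption")
    print("vulnerable page has script tag:",
          contains_script_tag(render_vulnerable(value)))
    print("hardened page has script tag:  ",
          contains_script_tag(render_hardened(value)))
    print("encoded form:", html.escape(value, quote=True))
```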


RE: [Full-Disclosure] Hacker suspect says his PC was hijacked

2003-10-14 Thread Mike
OK my point was (sorry I didn't state it accurately enough) that you can't
compare cars to computers because the warrantee/fitness needed for a car to
be allowed on the road is massively different to having a computer on the
internet because firstly the car needs to be legally on the road and
secondly the driver needs to be licenced, e.g. tested and passed an exam to use
the road.

For example in this country to operate a car you need:
1/To have a licence to drive
2/Your car has to be licenced to be on the road
3/Your car needs a warrant of fitness signifying that it is safe

note: you can't get 2/ unless you have 3/ and if you don't have 1/ then you
don't have a car.

All regardless of where you buy the car from.

If there is a known defect and/or recall for the model of car you are using,
you have to take it in and get it fixed otherwise you are not legally safe on
the road.

The hardware thing (the way I meant it) physically when hardware crashes it
hurts/kills, when software crashes it's more a pain in the butt than
anything!

Harry I echo your thoughts! :-)

Cheers
Mike

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Harry
Hoffman
Sent: Tuesday, October 14, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Hacker suspect says his PC was hijacked


Great give MS another service to sell ;-) Of course they will require complete
access to your computer to give you the full service.

Cheers,
Harry


Quoting Bojan Zdrnja [EMAIL PROTECTED]:

* Ok, I think car-computer analogy is *COMPLETELY* stupid, but here comes
* another ...
*
*  -Original Message-
*  From: [EMAIL PROTECTED]
*  [mailto:[EMAIL PROTECTED] On Behalf Of
*  Joshua Levitsky
*  Sent: Tuesday, 14 October 2003 5:21 a.m.
*  To: [EMAIL PROTECTED]
*  Cc: [EMAIL PROTECTED]
*  Subject: Re: [Full-Disclosure] Hacker suspect says his PC was
*  hijacked
*
*  Or is it -your- responsibility to take it to an authorized dealer to
*  have the recall performed? Nobody makes you service your car. Nobody
*
* Nobody makes you service your car?
*
* In all countries I lived in so far, you have to check your car at an
* official service at least once a year, and somewhere once each six months
* to be able to drive it. That official service should check all critical
* things about your car and if something is wrong, it'll send you to a mechanic.
*
* I don't see that being done with computers (ie. No official service checks
* your Windows every 6 months and if they are not ok, you can't use them
* anymore).
*
* I also think this thread is stupid :) But that's my opinion only.
*
* Cheers,
*
* Bojan


--
Harry Hoffman
[EMAIL PROTECTED]

##
# Harry: version 4.0a#
# Known bugs:#
# 1) Verbal output may occur before data processing is complete. #
# 2) Loudspeaker option may activate without being invoked.  #
# 3) Other bugs as reported  #
##



[Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Steve Wray
Hi all,
today I found a really weird email in my inbox,
which got me curious about this kievonline.org
that this guy is screaming about (I had never heard of
it before. I may be an 'infidel' not being moslem
but the guy has my skintone and drinking habits all wrong!)

When I go to the site, it has a very sad look to it...
Apparently it was taken down by 'infidels'.

So far in my googling I haven't found anything about
the site.

Ring any bells with anyone? 

Thanks!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 14 October 2003 6:34 p.m.
To: Steve Wray
Subject: thank you


You are a piss head for hacking my site and informing my isp !!! Fuck
you nigger.

if your a man you should come here and tell me in my face
A man needs to make a living you know, Now you think my isp is going to
do something to stop me ?

FUCK YOU

Nice try. I have added your email address to every fucking spam list I
can find

Next time youll fuck with the right person



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Rainer Gerhards
I got the very same mail and this seems to prove my guess that it was a
new kind of social engineering attack. I reviewed the logs, I also got
some spamish mail from them a few hours ago. While not being explicit, I
think that was an ad for a sex site.

My guess is that they send these two mails to create curiosity. I have
checked the site, and there seems to be no malware hidden on it (at
least as of now). But eventually it will reappear... but maybe just a
joke (though I doubt this with spammers).

Rainer

On Wed, 2003-10-15 at 00:11, Steve Wray wrote:
 Hi all,
 today I found a really weird email in my inbox,
 which got me curious about this kievonline.org
 that this guy is screaming about (I had never heard of
 it before. I may be an 'infidel' not being moslem
 but the guy has my skintone and drinking habits all wrong!)
 
 When I go to the site, it has a very sad look to it...
 Apparently it was taken down by 'infidels'.
 
 So far in my googling I haven't found anything about
 the site.
 
 Ring any bells with anyone? 
 
 Thanks!
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, 14 October 2003 6:34 p.m.
 To: Steve Wray
 Subject: thank you
 
 
 You are a piss head for hacking my site and informing my isp !!! Fuck
 you nigger.
 
 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to
 do something to stop me ?
 
 FUCK YOU
 
 Nice try. I have added your email address to every fucking spam list I
 can find
 
 Next time youll fuck with the right person
 


RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Benjamin Meade
> Hi all,
> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org
> that this guy is screaming about (I had never heard of
> it before. I may be an 'infidel' not being moslem
> but the guy has my skintone and drinking habits all wrong!)

Yeah, I got the same one today. I couldn't really see a point in him
sending it, as it's not trying to sell me anything, or steal my details.

Benjamin Meade
System Administrator
LanWest Pty Ltd



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Dmitry Alyabyev
I got several messages and the first one is the same message as yours.
never heard about kievonline.org before

-- 
Dimitry

On Tuesday 14 October 2003 12:11, Steve Wray wrote:
 Hi all,
 today I found a really weird email in my inbox,
 which got me curious about this kievonline.org
 that this guy is screaming about (I had never heard of
 it before. I may be an 'infidel' not being moslem
 but the guy has my skintone and drinking habits all wrong!)

 When I go to the site, it has a very sad look to it...
 Apparently it was taken down by 'infidels'.

 So far in my googling I haven't found anything about
 the site.

 Ring any bells with anyone?

 Thanks!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 14 October 2003 6:34 p.m.
 To: Steve Wray
 Subject: thank you


 You are a piss head for hacking my site and informing my isp !!! Fuck
 you nigger.

 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to
 do something to stop me ?

 FUCK YOU

 Nice try. I have added your email address to every fucking spam list I
 can find

 Next time youll fuck with the right person



Re: [Full-Disclosure] Friendly and secure desktop operating system

2003-10-14 Thread Andrew Clover
Timo Sirainen [EMAIL PROTECTED] wrote:

> You're thinking about how to do it currently in UNIX world. I'm thinking
> about adding new concepts in kernel level. systrace would be much more
> closer to it than chroot jails.

Indeed, I've been thinking a lot about how to create the sort of desktop
environment you describe, and I don't think it's 'properly' doable within
the current Unix-style or Windows operating environments. It would require
a pervasive system of fine-grained capabilities, from base OS level right
up to user desktop services.

Programs would have to get used to pre-requesting each service they
require, and cope with being refused (either on policy grounds, or user
choice, or the user themselves not having the required rights). There
are also user interface concerns (ie. how to prevent an application
'faking' the system security interface).

An attempt starting along these lines can be seen in Tiny Personal
Firewall. Its interface isn't too great, it's not complete, and of course
on a Windows platform there is nothing stopping a malicious process from
subverting the protection, but it's an interesting glimpse at the sort of
thing we might need.

-- 
Andrew Clover
mailto:[EMAIL PROTECTED]
http://www.doxdesk.com/



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Jedi/Sector One
On Tue, Oct 14, 2003 at 10:11:17PM +1300, Steve Wray wrote:
> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org

  I got a dozen of identical messages sent to various email addresses,
including two addresses that are only spam traps.

-- 
 __  /*-  Frank DENIS (Jedi/Sector One) [EMAIL PROTECTED] -*\  __
 \ '/a href=http://www.PureFTPd.Org/; Secure FTP Server /a\' /
  \/  a href=http://www.Jedi.Claranet.Fr/; Misc. free software /a  \/



RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Anthony Aykut
Yes. A couple days ago I got an email (sent to me and 'webmaster') from them
(which I deleted as being spam), got curious, and visited the site anyway.
Just like you Steve, I also found the illustrious 'infidel' message on what
appeared to be a defaced site. Didn't think anything of it, and canned the
messages.

This morning, I received an email from [EMAIL PROTECTED] titled 'thank
you', which I am going to quote here, sorry if it is deemed offensive:

-[quote]-

You are a piss head for hacking my site and informing my isp !!! Fuck you
nigger.

if your a man you should come here and tell me in my face
A man needs to make a living you know, Now you think my isp is going to do
something to stop me ?

FUCK YOU

Nice try. I have added your email address to every fucking spam list I can
find

Next time youll fuck with the right person

---[end quote]---

In the first instance, I sent a message back to [EMAIL PROTECTED] cc my
ISP to put the record straight - which bounced back. Then I did a whois, and
got hold of another email address, [EMAIL PROTECTED], to which I
forwarded my email. Got no reply back yet. Maybe it is a case of The Spammer
Who Cried Wolf??

FYI...

Registrant:
Aharon, Moshe (ALDXLFELGD)
1259 - 56th Street
Brooklyn, NY 11219
US

Domain Name: KIEVONLINE.ORG

Administrative Contact:
Aharon, Moshe (36027953P) [EMAIL PROTECTED]
1259 - 56th Street
Brooklyn, NY 11219
US
718-437-3233
Technical Contact:
Network Solutions, Inc. (HOST-ORG) [EMAIL PROTECTED]
21355 Ridgetop Circle
Dulles, VA 20166
US
1-888-642-9675 fax: 571-434-4620

Record expires on 24-Sep-2005.
Record created on 24-Sep-2003.
Database last updated on 14-Oct-2003 06:03:42 EDT.

Domain servers in listed order:

NS10.HOSTONY.NET 64.74.112.74
NS11.HOSTONY.COM 207.44.244.81

What/who it is, or whether the email is sent in error is currently a mystery
to me, but I am interested to find out if others have had the same
experience. Any theories on this occurrence?

Regards,

Anthony Aykut
Frame4 Security Systems
Your Partner in IT Security
http://www.frame4.com/

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve Wray
Sent: Tuesday, October 14, 2003 11:11
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Any news on www.kievonline.org site?


Hi all,
today I found a really weird email in my inbox,
which got me curious about this kievonline.org
that this guy is screaming about (I had never heard of
it before. I may be an 'infidel' not being moslem
but the guy has my skintone and drinking habits all wrong!)

When I go to the site, it has a very sad look to it...
Apparently it was taken down by 'infidels'.

So far in my googling I haven't found anything about
the site.

Ring any bells with anyone?

Thanks!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 14 October 2003 6:34 p.m.
To: Steve Wray
Subject: thank you


You are a piss head for hacking my site and informing my isp !!! Fuck
you nigger.

if your a man you should come here and tell me in my face
A man needs to make a living you know, Now you think my isp is going to
do something to stop me ?

FUCK YOU

Nice try. I have added your email address to every fucking spam list I
can find

Next time youll fuck with the right person



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Alexandre Dulaunoy

It seems to be another spammer who wants to verify the email... 

I got also the same mail (posted from a GTE network). 

On Tue, 14 Oct 2003, Steve Wray wrote:

> Hi all,
> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org
> that this guy is screaming about (I had never heard of
> it before. I may be an 'infidel' not being moslem
> but the guy has my skintone and drinking habits all wrong!)
>
> When I go to the site, it has a very sad look to it...
> Apparently it was taken down by 'infidels'.
>
> So far in my googling I haven't found anything about
> the site.
>
> Ring any bells with anyone?
>
> Thanks!


-- 
--   Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=getsearch=0x44E6CBCD
-- Knowledge can create problems, it is not through ignorance
--that we can solve them Isaac Asimov





RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread John . Airey
> -Original Message-
> From: Steve Wray [mailto:[EMAIL PROTECTED]
> Sent: 14 October 2003 10:11
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Any news on www.kievonline.org site?
>
>
> Hi all,
> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org
> that this guy is screaming about (I had never heard of
> it before. I may be an 'infidel' not being moslem
> but the guy has my skintone and drinking habits all wrong!)
>
> When I go to the site, it has a very sad look to it...
> Apparently it was taken down by 'infidels'.
>
> So far in my googling I haven't found anything about
> the site.
>
> Ring any bells with anyone?
>
> Thanks!

I got one of these too. It's either someone harvesting email addresses (eg
from the Full-Disclosure public archives). I also received a welcome message
with a picture attached (even though I have to use evil Outlook, I use
Zone-Alarm to prevent it talking to anything outside our LAN).

Although it does look like a genuine abusive message, it lacks both the name
of the person it's sent to and who it's from. If I was going to insult
someone, I'd at least use their name. Also, the email headers make it look
like it's come through some cable modem connection, rather than direct from
kievonline.org:

Received: from fl.24.96.20.54.cablemodem.gte.net
(fl.24.96.20.54.cablemodem.gte.net [24.96.20.54])

All I've done is reply to it to inform the person that the address was being
used to send abusive email.

- 
John Airey, BSc (Jt Hons), CNA, RHCE
Internet systems support officer, ITCSD, Royal National Institute of the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 

Political correctness - a modern day tool to confuse the minds of the
unwary.



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Nick FitzGerald
Alexandre Dulaunoy [EMAIL PROTECTED] wrote:

> It seems to be another spammer who wants to verify the email...
>
> I got also the same mail (posted from a GTE network).

Not from 67.161.85.41 as mine was then??


Regards,

Nick FitzGerald



RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Jonathan A. Zdziarski
> I got one of these too. It's either someone harvesting email addresses

The image was attached and did not link to any script in the outside
world, so unless he's using some other method to harvest the addresses
this would be a negative.

I passed this off as spam until I got an abusive message this morning
calling the recipient a few choice words.  




Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread gregh

- Original Message - 
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 8:52 PM
Subject: RE: [Full-Disclosure] Any news on www.kievonline.org site?


> I got one of these too. It's either someone harvesting email addresses (eg
> from the Full-Disclosure public archives). I also received a welcome message
> with a picture attached (even though I have to use evil Outlook, I use
> Zone-Alarm to prevent it talking to anything outside our LAN).


Don't get too comfortable with that feature of Zone Alarm. They removed it
in V4. They have something that SHOULD work in there to replace it but it
doesn't and they won't admit it or fix it.

Greg.




RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Jordan Wiens
I received both as well, and since I HAD forwarded the first message on to
the ISP in question as spam, I didn't realize the second message wasn't
actually targeted at me until I saw this thread.  ;-)  I was about to get
real pissed off.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Tue, 14 Oct 2003, Anthony Aykut wrote:

 Yes. A couple days ago I got an email (sent to me and 'webmaster') from them
 (which I deleted as being spam), got curious, and visited the site anyway.
 Just like you Steve, I also found the illustrious 'infidel' message on what
 appeared to be a defaced site. Didn't think anything of it, and canned the
 messages.

 This morning, I received an email from [EMAIL PROTECTED] titled 'thank
 you', which I am going to quote here, sorry if it is deemed offensive:

 -[quote]-

 You are a piss head for hacking my site and informing my isp !!! Fuck you
 nigger.

 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to do
 something to stop me ?

 FUCK YOU

 Nice try. I have added your email address to every fucking spam list I can
 find

 Next time youll fuck with the right person

 ---[end quote]---

 In the first instance, I sent a message back to [EMAIL PROTECTED] cc my
 ISP to put the record straight - which bounced back. Then I did a whois, and
 got hold of another email address, [EMAIL PROTECTED], to which I
 forwarded my email. Got no reply back yet. Maybe it is a case of The Spammer
 Who Cried Wolf??

 FYI...

 Registrant:
 Aharon, Moshe (ALDXLFELGD)
 1259 - 56th Street
 Brooklyn, NY 11219
 US

 Domain Name: KIEVONLINE.ORG

 Administrative Contact:
 Aharon, Moshe (36027953P) [EMAIL PROTECTED]
 1259 - 56th Street
 Brooklyn, NY 11219
 US
 718-437-3233
 Technical Contact:
 Network Solutions, Inc. (HOST-ORG) [EMAIL PROTECTED]
 21355 Ridgetop Circle
 Dulles, VA 20166
 US
 1-888-642-9675 fax: 571-434-4620

 Record expires on 24-Sep-2005.
 Record created on 24-Sep-2003.
 Database last updated on 14-Oct-2003 06:03:42 EDT.

 Domain servers in listed order:

 NS10.HOSTONY.NET 64.74.112.74
 NS11.HOSTONY.COM 207.44.244.81

 What/who it is, or whether the email is sent in error is currently a mystery
 to me, but I am interested to find out if others have had the same
 experience. Any theories on this occurrence?

 Regards,

 Anthony Aykut
 Frame4 Security Systems
 Your Partner in IT Security
 http://www.frame4.com/

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] Behalf Of Steve Wray
 Sent: Tuesday, October 14, 2003 11:11
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Any news on www.kievonline.org site?


 Hi all,
 today I found a really weird email in my inbox,
 which got me curious about this kievonline.org
 that this guy is screaming about (I had never heard of
 it before. I may be an 'infidel' not being moslem
 but the guy has my skintone and drinking habits all wrong!)

 When I go to the site, it has a very sad look to it...
 Apparently it was taken down by 'infidels'.

 So far in my googling I haven't found anything about
 the site.

 Ring any bells with anyone?

 Thanks!


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, 14 October 2003 6:34 p.m.
 To: Steve Wray
 Subject: thank you


 You are a piss head for hacking my site and informing my isp !!! Fuck
 you nigger.

 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to
 do something to stop me ?

 FUCK YOU

 Nice try. I have added your email address to every fucking spam list I
 can find

 Next time youll fuck with the right person



RE: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability

2003-10-14 Thread Brett Moore
Yes the code does work against an unpatched system..

Code execution reaches
77FCC992   mov dword ptr [edx],ecx
77FCC994   mov dword ptr [eax+4],ecx
Where EDX is critical address and ECX is heap offset

It then reaches
77FCC663   mov dword ptr [ecx],eax
77FCC665   mov dword ptr [eax+4],ecx
Where ECX is heap offset and EAX is jump instruction..

This is what flashsky was referring to in his post about a universal way
to exploit heap overflows..

It's not 100% reliable tho, as sometimes execution reaches the second code
segment first, which will cause a crash.
We also saw execution reaching
77D399FD   call dword ptr [esi+8]
where ESI points into the overflow buffer, but also causes a crash..

After installing the MS03-039 patch, the exploit code had no effect on our
test system...

Test system is Win2k English SP4+MS03-039..

It is possible however that other versions of Win2K are vulnerable to the
denial of service that has been discussed...

Has anybody confirmed this with details of the vulnerable systems?

Brett



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Alex
Sent: Monday, October 13, 2003 5:33 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability
Importance: Low


This code doesn't work without shellcode. The simple version of a battle
shellcode can be found here:
http://www.SecurityLab.ru/_exploits/bshell2 (add user 'a' with pass 'a' in
administrator group)
You can change this shellcode as you need.
On a system with MS03-39 installed, this code only crashes systems, because
the nature of the new vulnerability is not known.
See more: http://www.securitylab.ru/40757.html

- Original Message -
From: Mike Gordon
To: [EMAIL PROTECTED]
Sent: Monday, October 13, 2003 1:41 AM
Subject: [Full-Disclosure] RE: Re: Bad news on RPC DCOM vulnerability


A compiled version is found at http://www.SecurityLab.ru/_exploits/rpc3.zip
But it seems to only crash systems.
Does anyone have a clean compile of the better code from
http://www.cyberphreak.ch/sploitz/MS03-039.txt



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Matthias Andree
On Tue, 14 Oct 2003, Steve Wray wrote:

> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org
> that this guy is screaming about (I had never heard of
> it before. I may be an 'infidel' not being moslem
> but the guy has my skintone and drinking habits all wrong!)

Yup, I've got two mails from that admin at kievonline.org From: address.
One sent from someone masquerading as Moshe Koldny, with a vba3221.jpg
attached (a black-haired smiling young woman), advertising for a forum,
and one mail that looked exactly like the one Steve quoted.

(Steve, please put your quotation ABOVE your own text, many people
ignore the junk quotation format of Outlook (Express), I almost missed
it).

The forum advertise email was injected at 203.234.48.103 and received by
my MX at Monday 2003-10-13 23:09:08 UTC, the offensive fuck with the
right person mail was injected at dhcp0877.hil.resnet.group.upenn.edu
[165.123.128.133] and received at 06:46:52 UTC today, Tuesday
2003-10-14. That machine might run an open proxy or something - or be
the offender's machine, can't say.

> When I go to the site, it has a very sad look to it...
> Apparently it was taken down by 'infidels'.

For me, I'll translate it to infidels := people who do not believe in
unfair competition, including email advertising in the first place --
the period between these two spam mails might be the period where the
ISP or some hacker took the site off-line. Of course, it MIGHT have
religious background, but just as well it MIGHT NOT.

-- 
Matthias Andree

Encrypt your mail: my GnuPG key ID is 0x052E7D95
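
The header check that John Airey and Matthias Andree describe in their replies, as an added Python example that is not from the thread: it walks the Received chain from the top, trusts only hops written by the recipient's own servers, and reports the host that handed the mail to them. The message is constructed around the one Received line quoted in the thread; the server names, the 192.0.2.0/24 range and the bottom (unverifiable) hop are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the recipient runs these two servers and
# relays mail internally over 192.0.2.0/24.
OUR_SERVERS = {"mbox.example.net", "mail.example.net"}
OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed message. Only the gte.net Received line is quoted in the thread.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mbox.example.net with ESMTP; Tue, 14 Oct 2003 06:47:01 +0000
Received: from fl.24.96.20.54.cablemodem.gte.net
    (fl.24.96.20.54.cablemodem.gte.net [24.96.20.54])
    by mail.example.net with SMTP; Tue, 14 Oct 2003 06:46:52 +0000
Received: from kievonline.org (kievonline.org [198.51.100.7])
    by relay.invalid with SMTP; Tue, 14 Oct 2003 06:40:00 +0000
From: admin@kievonline.org
Subject: thank you

(body omitted)
"""

# "from HELO (rdns [ip]) by SERVER": HELO is chosen by the sender; the name
# and address in parentheses are what the receiving server recorded.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>[^\s;]+)",
    re.IGNORECASE,
)
# Heuristic only: name fragments common in dynamically assigned address pools.
DYNAMIC = re.compile(r"cablemodem|dhcp|dsl|dial|pool|resnet", re.IGNORECASE)


def parse_hop(raw):
    """Parse one Received value (continuation lines unfolded) into a dict."""
    m = HOP.search(" ".join(raw.split()))
    return m.groupdict() if m else None


def injection_hop(msg):
    """Return the first hop where an outside host handed mail to our servers."""
    for raw in msg.get_all("Received", []):        # newest header first
        hop = parse_hop(raw)
        # A header we cannot parse, or one written by a server we do not run,
        # ends the trusted part of the chain: anything below can be forged.
        if hop is None or hop["by"].lower() not in OUR_SERVERS:
            return None
        try:
            addr = ipaddress.ip_address(hop["ip"])
        except ValueError:
            return None
        if any(addr in net for net in OUR_NETS):
            continue                               # internal relay hop
        return hop
    return None


def assess(text):
    """Compare the injecting host with the domain claimed in From:."""
    msg = message_from_string(text)
    hop = injection_hop(msg)
    if hop is None:
        return None
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rdns = (hop["rdns"] or "").lower().rstrip(".")
    return {
        "ip": hop["ip"],
        "rdns": rdns,
        "from_domain": from_domain,
        "rdns_matches_from": bool(from_domain) and (
            rdns == from_domain or rdns.endswith("." + from_domain)),
        "looks_dynamic": bool(DYNAMIC.search(rdns)),
    }


if __name__ == "__main__":
    print(assess(SAMPLE))
```

The bottom Received line in the sample claims kievonline.org, but it was written by a server the recipient does not control, so the check ignores it.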



[Re: [Full-Disclosure] Hotmail Passport (.NET Accounts) Vulnerability]

2003-10-14 Thread Daniel H. Renner
It does work, however, I believe you still need to know your old
password to kick it over.

-- 

Thanks,

Dan Renner
President
Los Angeles Computerhelp
818-352-8700
http://losangelescomputerhelp.com




[Full-Disclosure] Mod-Throttle [was: client attacks server - XSS]

2003-10-14 Thread zen-parse
That reminds me...

From http://www.snert.com/Software/mod_throttle/

...
Elements of the critical  shared memory code, as of mod_throttle/3.0, 
originally derived from the Apache Web Server source code. 
...

The elements of the shared memory code that were used were the same
elements that were buggy in Apache <= 1.3.26.

The outcome though is worse.

A local root exploit is possible if you gain access to the user apache
is running as, due to the module storing pointers in shared memory,
and a data file being writable by the same user.

(Yes, local root from apache is possible because the shutdown/startup 
stuff that is done by the parent process, which runs as root.)

Without the apache scoreboard bug, this is slightly harder to exploit,
as it requires getting the httpd to do a reload config, which used to be
possible via sending the SIGUSR1 to it.

Author was contacted 26 Jan 2002 and apparently he still hasn't got around 
to releasing version 4.0 which was going to fix the problem. 


-- zen-parse

-- 
-
1) If this message was posted to a public forum by [EMAIL PROTECTED], it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.





Re: [Full-Disclosure] Friendly and secure desktop operating system

2003-10-14 Thread Goetz Von Berlichingen
Timo Sirainen wrote:

> For a while I've been wondering if it's possible to create an operating
> system that would allow stupid users to easily do whatever they want,
> but still prevent viruses and other malware from doing any harm.
> Today I finally spent a few minutes thinking about it and then wrote
> some of the thoughts down:
> http://iki.fi/tss/security/friendly-secure-os.html

You're talking about a mandatory access control OS - see SELinux, 
TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the 
Orange Book.

Goetz



Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Brian Eckman
I was starting to feel left out, but I checked my blocked E-mail, and 
sure enough, I had the following:

2003/Oct/13 6:39pm [EMAIL PROTECTED] [61.236.13.45]
2003/Oct/14 12:38am [EMAIL PROTECTED] [24.199.120.146]
Times are GMT-500 if anyone cares.

Seems pretty obvious that someone harvested us on full-disclosure.

As a side note, I am tracking down the third new spam trojan discovered 
here in the past few weeks. There are two computers on campus that fully 
updated Symantec AV CE doesn't find anything on. I'm hoping to touch one 
of those computers today. (Yes. I severed their network connection in 
the meantime.) This is getting really old...

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread George Capehart
Nick FitzGerald wrote:
> Alexandre Dulaunoy [EMAIL PROTECTED] wrote:
>
>> It seems to be another spammer who wants to verify the email...
>>
>> I got also the same mail (posted from a GTE network).
>
> Not from 67.161.85.41 as mine was then??

I got one of these this morning on another address and this one
originated from some IP address in Korea.  After Googling around and
seeing the same message show up in some newsgroups, I decided that this
was a troll of some sort.  I debated sending an email to abuse@, but
given the general level of response from Korean ISPs, I dropped the idea
and sent the message to the bit bucket.

Cheers,

George Capehart
--
George W. Capehart
We did a risk management review.  We concluded that there was no risk
 of any management.  -- Dilbert




[Full-Disclosure] Re: Any news on www.kievonline.org site?

2003-10-14 Thread Johannes Segitz
Steve Wray [EMAIL PROTECTED] wrote:
> So far in my googling I haven't found anything about
> the site.

It's slowly getting into the index
http://groups.google.com/groups?q=kievonline.org&hl=en&lr=&ie=UTF-8&oe=utf-8&sa=N&tab=wg

It's spam. Just feed your $BAYESIAN_FILTER

Regards,
Johannes
-- 
  Give a man a match and he will be warm for a while,
light him on fire and he will be warm for the rest of his life



RE: [Full-Disclosure] Friendly and secure desktop operating system

2003-10-14 Thread Sam Pointer
Goetz Von Berlichingen wrote:
> You're talking about a mandatory access control OS - see SELinux,
> TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the
> Orange Book.

or BarbieOS: http://qrxx.4t.com/barbieOS.htm




Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread William D. Colburn (aka Schlake)
I got some email too.

http://infohost.nmt.edu/~wcolburn/spam/kiev-1
http://infohost.nmt.edu/~wcolburn/spam/kiev-2

On Tue, Oct 14, 2003 at 10:11:17PM +1300, Steve Wray wrote:
From: Steve Wray [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Any news on www.kievonline.org site?
Date: Tue, 14 Oct 2003 22:11:17 +1300

Hi all,
today I found a really wierd email in my inbox,
which got me curious about this kievonline.org
that this guy is screaming about (I had never heard of
it before. I may be an 'infidel' not being moslem
but they guy has my skintone and drinking habits all wrong!)

When I go to the site, it has a very sad look to it...
Apparently it was taken down by 'infidels'.

So far in my googling I havn't found anything about
the site.

Ring any bells with anyone? 

Thanks!


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 14 October 2003 6:34 p.m.
To: Steve Wray
Subject: thank you


You are a piss head for hacking my site and informing my isp !!! Fuck
you nigger.

if your a man you should come here and tell me in my face
A man needs to make a living you know, Now you think my isp is going to
do something to stop me ?

FUCK YOU

Nice try. I have added your email address to every fucking spam list I
can find

Next time youll fuck with the right person


--
William Colburn, Sysprog [EMAIL PROTECTED]
Computer Center, New Mexico Institute of Mining and Technology
http://www.nmt.edu/tcc/ http://www.nmt.edu/~wcolburn



RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Mark Challender
It's nice to have friends...  I've been doing searches this morning also
and then it dawned on me to check this list.

Now, I know I'm not alone and, hopefully, don't need to worry about some
jerk's threats.

Mark Challender, MCSE
Network Administrator


-Original Message-
From: Jordan Wiens [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 5:11 AM
To: Anthony Aykut
Cc: Steve Wray; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Any news on www.kievonline.org site?


I received both as well, and since I HAD forwarded the first message on to
the ISP in question as spam, I didn't realize the second message wasn't
actually targetted at me until I saw this thread.  ;-)  I was about to get
real pissed off.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061

On Tue, 14 Oct 2003, Anthony Aykut wrote:

 Yes. A couple days ago I got an email (sent to me and 'webmaster') from
them
 (which I deleted as being spam), got curious, and visited the site anyway.
 Just like you Steve, I also found the illustrious 'infidel' message on
what
 appeared to be a defaced site. Didn't think anything of it, and canned the
 messages.

 This morning, I received an email from [EMAIL PROTECTED] titled 'thank
 you', which I am going to quote here, sorry if it is deemed offensive:

 -[quote]-

 You are a piss head for hacking my site and informing my isp !!! Fuck you
 nigger.

 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to do
 something to stop me ?

 FUCK YOU

 Nice try. I have added your email address to every fucking spam list I can
 find

 Next time youll fuck with the right person

 ---[end quote]---

 In the first instance, I sent a message back to [EMAIL PROTECTED] cc my
 ISP to put the record straight - which bounced back. Then I did a whois,
and
 got hold of another email address, [EMAIL PROTECTED], to which I
 forwarded my email. Got no reply back yet. Maybe it is a case of The
Spammer
 Who Cried Wolf??

 FYI...

 Registrant:
 Aharon, Moshe (ALDXLFELGD)
 1259 - 56th Street
 Brooklyn, NY 11219
 US

 Domain Name: KIEVONLINE.ORG

 Administrative Contact:
 Aharon, Moshe (36027953P) [EMAIL PROTECTED]
 1259 - 56th Street
 Brooklyn, NY 11219
 US
 718-437-3233
 Technical Contact:
 Network Solutions, Inc. (HOST-ORG) [EMAIL PROTECTED]
 21355 Ridgetop Circle
 Dulles, VA 20166
 US
 1-888-642-9675 fax: 571-434-4620

 Record expires on 24-Sep-2005.
 Record created on 24-Sep-2003.
 Database last updated on 14-Oct-2003 06:03:42 EDT.

 Domain servers in listed order:

 NS10.HOSTONY.NET 64.74.112.74
 NS11.HOSTONY.COM 207.44.244.81

 What/who it is, or whether the email is sent in error is currently a
mystery
 to me, but I am interested to find out if others have had the same
 experience. Any theories on this occurrence?

 Regards,

 Anthony Aykut
 Frame4 Security Systems
 Your Partner in IT Security
 http://www.frame4.com/



Re: [Full-Disclosure] Friendly and secure desktop operating system

2003-10-14 Thread Jeremiah Cornelius
On Tuesday 14 October 2003 07:51, Sam Pointer wrote:
> Goetz Von Berlichingen wrote:
>> You're talking about a mandatory access control OS - see SELinux,
>> TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the
>> Orange Book.
>
> or BarbieOS: http://qrxx.4t.com/barbieOS.htm

You're not a Pink Daisy.  You can see Pink Daisy Files...



[Full-Disclosure] Re: Any news on www.kievonline.org site?

2003-10-14 Thread Dan Brosemer
On Tue, Oct 14, 2003 at 10:11:17PM +1300, Steve Wray wrote:
> Hi all,
> today I found a really weird email in my inbox,
> which got me curious about this kievonline.org
> that this guy is screaming about (I had never heard of
> it before. I may be an 'infidel' not being moslem
> but the guy has my skintone and drinking habits all wrong!)

Yesterday, I received this.  I don't remember seeing anything else from
there, but my spam filters are pretty good:



Date: Mon, 13 Oct 2003 22:59:53 +
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
Subject: you have been sent this email by
To: Mail Delivery Subsystem [EMAIL PROTECTED]

   You have been spamed by an individual who has nothing else what to do.
   Please ignore this, i have already notified the authorities in the USA
   and in Israel. Sorry for this.



Quite odd.

-Dan

-- 
Burnished gallows set with red
 Caress the fevered, empty mind
 Of man who hangs bloodied and blind
 To reach for wisdom, not for bread.  -- Deoridhe Grimsdaughter



[Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread ted klugman
So I get a piece of SPAM that advertises a how to
make money on eBay book. For kicks, I go to the
website (hosted in Asia, of course)

(Aside -- the website includes a gimmick where if you
buy by midnight on (today's date), save 50%. Change
the date on your PC, and the offer gets extended to
THAT day)

I check out the order form, which a) isn't secured
with SSL, and b) submits the information to a
different website. So I go there to muck around and
see what there is (again, hosted in Asia)

Lo and behold, I look at the root of said website, and
I get a directory listing:

submit.php
orders.txt

And as you can probably guess, orders.txt contains --
ORDERS. Names, addresses, phone numbers, and CREDIT
CARD NUMBERS. Dozens of them.

So I got to thinking... what should I do here?

a) Nothing. It's not my problem.
b) Notify the provider who hosts the submission page
c) Send e-mails to all the morons who tried to buy
this product (their e-mail addresses are readily
available, next to their credit card numbers), letting
them know that they are morons and this is why they
shouldn't buy products advertised in SPAM.
d) Something else

I chose option a.

What would you do?

(What would Brian Boitano do?)



Re: [Full-Disclosure] Re: Any news on www.kievonline.org site?

2003-10-14 Thread stefmit
FYI: I got the thank you reply very close after reporting the original
message to spamcop.net ==> makes me think that some monitoring takes place?!?
Here are the two reports:

=== trace for the original message ===

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from ABE (unknown[208.131.61.181](misconfigured sender))
  by rwcrmxc11.comcast.net (rwcrmxc11) with SMTP
  id 20031014010448r1100evm7qe; Tue, 14 Oct 2003 01:04:59 +
Message-ID: [EMAIL PROTECTED]
Reply-To: Moshe Koldny [EMAIL PROTECTED]
From: Moshe Koldny [EMAIL PROTECTED]
To: x x
Subject: Please Support Me 
Date: Mon, 13 Oct 2003 23:21:04 +0200
MIME-Version: 1.0
Content-Type: multipart/related;
  type=multipart/alternative;
  boundary==_NextPart_000_000F_01C391E0.AC22A7C0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

Parsing header:

Received:  from ABE (unknown[208.131.61.181](misconfigured sender)) by 
rwcrmxc11.comcast.net (rwcrmxc11) with SMTP id 20031014010448r1100evm7qe; 
Tue, 14 Oct 2003 01:04:59 +
Possible spammer: 208.131.61.181
Received line accepted

Tracking message source: 208.131.61.181:
Routing details for 208.131.61.181
[refresh/show] Cached whois for 208.131.61.181 : [EMAIL PROTECTED]
Using abuse net on [EMAIL PROTECTED]
abuse net cw.net = [EMAIL PROTECTED], [EMAIL PROTECTED]
Using best contacts [EMAIL PROTECTED] [EMAIL PROTECTED]
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in dnsbl.njabl.org
208.131.61.181 not listed in proxies.blackholes.easynet.nl
208.131.61.181 listed in cbl.abuseat.org ( 127.0.0.2 )
208.131.61.181 is an open proxy
208.131.61.181 not listed in query.bondedsender.org

Would send message source reports to:

Re:208.131.61.181 (Administrator of network where email originates)

[EMAIL PROTECTED]
[EMAIL PROTECTED]

=== trace of the thank you one ===

SpamCop version 1.3.4 (c) SpamCop.net, Inc. 1998-2003 All Rights Reserved

Received: from user-0cetm97.cable.mindspring.com ([24.238.217.39])
  by sccrmxc14.attbi.com (sccrmxc14) with SMTP
  id 20031014055315s14005gs82e; Tue, 14 Oct 2003 05:53:15 +
Message-ID: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
From: [EMAIL PROTECTED]
To: x x
Subject: thank you
Date: Tue, 14 Oct 2003 07:34:07 +0200
MIME-Version: 1.0
Content-Type: multipart/alternative;
  boundary==_NextPart_000_000A_01C39225.8D4F8530
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

Parsing header:

Received:  from user-0cetm97.cable.mindspring.com ([24.238.217.39]) by 
sccrmxc14.attbi.com (sccrmxc14) with SMTP id 20031014055315s14005gs82e; 
Tue, 14 Oct 2003 05:53:15 +
Possible spammer: 24.238.217.39
Received line accepted

Tracking message source: 24.238.217.39:
Routing details for 24.238.217.39
[refresh/show] Cached whois for 24.238.217.39 : [EMAIL PROTECTED]
Using abuse net on [EMAIL PROTECTED]
abuse net abuse.earthlink.net = [EMAIL PROTECTED]
Using best contacts [EMAIL PROTECTED]
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in dnsbl.njabl.org
24.238.217.39 not listed in proxies.blackholes.easynet.nl
24.238.217.39 not listed in cbl.abuseat.org
24.238.217.39 not listed in dnsbl.sorbs.net
24.238.217.39 not listed in relays.ordb.org.
24.238.217.39 not listed in query.bondedsender.org

Would send message source reports to:

Re:24.238.217.39 (Administrator of network where email originates)

[EMAIL PROTECTED]

Re:24.238.217.39 (Third party interested in email source)

[EMAIL PROTECTED]

On Tuesday 14 October 2003 10:31 am, Michael A. Starr wrote:
 Gentlemen;

 I got the same message that is being discussed in this thread.  I include
 it again, not to continue the propagation, but to have it convenient for
 viewing.  From reading this thread, it seems that the site in question is,
 or rather was, some kind of porn site, possibly which this guy
 [EMAIL PROTECTED] would like to advertise.  If you look at the words
 that were chosen, you'll notice that there are several of the words that
 *should* get picked up by body content filters (if we're running body
 content filters) -- ranging from sex (fuck, head), to golden showers
 (piss), to hate words (nigger), to hacking and warez (hacking), phrases
 like in my face, and a man needs might get tagged as well.

 What I suspect is that the kievonline.org site was a throw-away, and that
 this guy is really running some kind of sophisticated probe against mail
 servers to determine what filters we have in place.  I hate to say so, but
 it might even be a subscriber to this list that is 

Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Cael Abal
> And as you can probably guess, orders.txt contains --
> ORDERS. Names, addresses, phone numbers, and CREDIT
> CARD NUMBERS. Dozens of them.
>
> So I got to thinking... what should I do here?

My suggestion?  Speak with a lawyer.

A number of 'hackers' recently in the news did their 'hacking' via web
browsers -- just like you.  It could likely be successfully argued by a
prosecutor that you intentionally stole this credit card data.  Yes, I
know it was a via clickable link and the site was ridiculously
unsecured, but that probably wouldn't make a difference to a court.

Anyhow, take care and good luck.

Cael



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Jonathan A. Zdziarski
This must be a piece of software, because I ran into the same exact
thing a few years back on the guys websites...e.g. radar-guys.com,
telephone-guys.com, radio-guys.com, cordless-guys.com, etc.  The file
'order.txt' which carried all the credit card numbers and order
information.  This file was dumped daily.

I decided to play good Samaritan and notify them to alert them of this
problem, but since they didn't bother responding I took it upon myself
to notify all the individuals on the list.  Many of them were grateful
and very pissed at the guys.com...many immediately canceled their credit
cards and their orders.  They finally changed it about a month
later...i'm sure they probably just renamed it to orders2.txt or
something lame, and dropped an index.html file in the directory.

Anyway, I don't go around looking for things like this, but if it were
me I would sure love to be notified if my credit card info got out
there.  You reap what you sow.
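
As an added illustration (not part of any poster's message): a check a site operator could run over their own document root to catch the condition described in this thread, order data with card numbers sitting in a web-served directory. The directory layout, the index-file names and the card numbers (standard test values) are constructed assumptions.

```python
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Assumption: file names the web server treats as a directory index.
INDEX_NAMES = {"index.html", "index.htm", "index.php"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files

# Constructed sample data: two test card numbers and one 16-digit order
# reference that is not a card number (it fails the Luhn checksum).
SAMPLE_ORDERS = (
    "Jane Example|1 Test St|555-0100|4111 1111 1111 1111|exp 01/05\n"
    "John Example|2 Test Ave|555-0101|5500-0000-0000-0004|exp 02/05\n"
    "order-ref 1234567890123456 (constructed, fails Luhn)\n"
)


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid card-number candidates found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject runs of one repeated digit (e.g. all zeros pass Luhn).
        if len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """Keep first six and last four digits so the report leaks nothing."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_docroot(root):
    """Walk a document root and report files that hold card numbers."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_index = any(f.lower() in INDEX_NAMES for f in files)
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "r", errors="ignore") as fh:
                    pans = find_pans(fh.read())
            except OSError:
                continue
            if pans:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "count": len(pans),
                    "masked": [mask(p) for p in pans],
                    # An index file only hides the listing; the data file
                    # is still served to anyone who requests it by name.
                    "index_present": has_index,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_docroot():
    """Create a constructed document root mirroring the thread's scenario."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.mkdir(os.path.join(root, "renamed"))
    files = {
        "submit.php": "<?php /* order handler placeholder */ ?>\n",
        "orders.txt": SAMPLE_ORDERS,
        os.path.join("renamed", "index.html"): "<html></html>\n",
        os.path.join("renamed", "orders2.txt"): SAMPLE_ORDERS,
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for finding in audit_docroot(build_demo_docroot()):
        print(finding)
```

Both files are reported, including the renamed one behind an index.html: any finding means the order data belongs outside the served tree, not under a different name.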






Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread John Sage
One question:

On Tue, Oct 14, 2003 at 09:36:18AM -0600, William D. Colburn (aka Schlake) wrote:
> I got some email too.
>
> http://infohost.nmt.edu/~wcolburn/spam/kiev-1
> http://infohost.nmt.edu/~wcolburn/spam/kiev-2
>

/* snip */

Can the threads on this list sink any lower?

I hope not.

What does any of this thread have to do anything in the list charter?

I quote:

Any information pertaining to vulnerabilities is acceptable, for
instance announcement and discussion thereof, exploit techniques and
code, related tools and papers, and other useful information.

There is nothing in this thread about:

1) vulnerabilities;

2) exploits, and/or exploit techniques;

3) exploit code, tools or papers.

This is about friggin' spam, for crissakes.

There is one feeble speculation about ...a throw-away
site...sophisticated probe against mail servers...might even be a
subcriber to this list...spam flood... that is just utter conjecture.

Everything else is pretty much limited to ME TOO!


z..




- John
-- 
You are in a twisty maze of weblogs, all alike.
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread lists_full-disclosure
On Tue, Oct 14, 2003 at 09:48:40AM -0700, [EMAIL PROTECTED] said:
[snip]
> Lo and behold, I look at the root of said website, and
> I get a directory listing:
>
> submit.php
> orders.txt
>
> And as you can probably guess, orders.txt contains --
> ORDERS. Names, addresses, phone numbers, and CREDIT
> CARD NUMBERS. Dozens of them.
>
> So I got to thinking... what should I do here?
>
> a) Nothing. It's not my problem.
> b) Notify the provider who hosts the submission page
> c) Send e-mails to all the morons who tried to buy
> this product (their e-mail addresses are readily
> available, next to their credit card numbers), letting
> them know that they are morons and this is why they
> shouldn't buy products advertised in SPAM.
> d) Something else
>
> I chose option a.

I'd've done option c, coupled with an email to the security/fraud division of
Mastercard/Visa/Amex/Discover/etc. But then, I'm feeling altruistic today.
Must be the lack of user interaction so far.

(option b would probably be a complete waste of time. Also, if this had a
criminal/scam feel to it, I'd probably notify the FTC/FBI ... they have
reasonably responsive folks that deal with electronic fraud/scams. Too bad
they don't pay any attention to other kinds of network abuse ...)
-- 
Scott Francis || darkuncle (at) darkuncle (dot) net
  illum oportet crescere me autem minui




RE: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Steve Wray
Initially it looked like a security issue, especially
if you look at the site with its references to hacking
and investigation.


> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of John Sage
> Sent: Wednesday, 15 October 2003 6:23 a.m.
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Any news on www.kievonline.org site?
>
>
> One question:
>
> On Tue, Oct 14, 2003 at 09:36:18AM -0600, William D. Colburn
> (aka Schlake) wrote:
> > I got some email too.
> >
> > http://infohost.nmt.edu/~wcolburn/spam/kiev-1
> > http://infohost.nmt.edu/~wcolburn/spam/kiev-2
> >
>
> /* snip */
>
> Can the threads on this list sink any lower?
>
> I hope not.
>
> What does any of this thread have to do anything in the list charter?
>
> I quote:
>
> Any information pertaining to vulnerabilities is acceptable, for
> instance announcement and discussion thereof, exploit techniques and
> code, related tools and papers, and other useful information.
>
> There is nothing in this thread about:
>
> 1) vulnerabilities;
>
> 2) exploits, and/or exploit techniques;
>
> 3) exploit code, tools or papers.
>
> This is about friggin' spam, for crissakes.
>
> There is one feeble speculation about ...a throw-away
> site...sophisticated probe against mail servers...might even be a
> subcriber to this list...spam flood... that is just utter conjecture.
>
> Everything else is pretty much limited to ME TOO!
>
>
> z..
>
>
> - John
> --
> You are in a twisty maze of weblogs, all alike.
> -
> John Sage: InfoSec Groupie
> -
> ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
> -
> ATTENTION: this entire message is privileged communication, intended
> for the sole use of its recipients only. If you read it even though
> you know you aren't supposed to, you're a poopy-head.



[Full-Disclosure] Patch Deployment

2003-10-14 Thread Myers, Marvin
Anyone on the list have any experience with a product called PatchLink
Update? And if so do you mind sharing your experiences with it?



RE: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Poof
> Yes, I
> know it was a via clickable link and the site was ridiculously
> unsecured, but that probably wouldn't make a difference to a court.

You know... That's the big thing about reporting anymore... If you do...
You're assumed just as guilty. And they -WILL- go after you for reporting it
if they can't get the original person!

It's sad... Look at some of the reports on some 'hacker' being arrested for
pointing out a problem in some company's network. (WiFi maybe?)

Sorry, it just gets old for me. Not safe to try to be the 'nice guy'
anymore.



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Ron DuFresne

[SNIP]


> My suggestion?  Speak with a lawyer.
>
> A number of 'hackers' recently in the news did their 'hacking' via web
> browsers -- just like you.  It could likely be successfully argued by a
> prosecutor that you intentionally stole this credit card data.  Yes, I
> know it was a via clickable link and the site was ridiculously
> unsecured, but that probably wouldn't make a difference to a court.
>
> Anyhow, take care and good luck.
>
> Cael


Perhaps, if this is a legit site, but, one gets the strong feeling this
site might well be less than legit and perhaps just taking names and
number for future fraud.  And this is the legal rub, as if it is indeed
a legit site, issues such as the potential theft of valuable information
that could well be scarfed up and used to further the suggested billions
lost by the credit companies, and further passed onto their clients, us
folks that use their credit cards and such, one can't clue them, nor even
poke about to see if they hold your private info in a secure fashion,
without ending up in a court facing major charges.

Perhaps homeland security and its bundles of joy and offerings need to
start handling such issues, we call, ask they check a site out, and they
do the poking in a legal fashion.  Course, I'm sure that having the feds
do some such send not a warm fuzzy feeling down some backs and necks but a
severe shiver...

Then again, fewls and their monies are soon parted, and in a much more
efficient fashion these days...

Thanks,


Ron DuFresne
~~
Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation. -- Johnny Hart
***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Jeremiah Cornelius
On Tuesday 14 October 2003 10:33, Cael Abal wrote:
> My suggestion?  Speak with a lawyer.
>
> A number of 'hackers' recently in the news did their 'hacking' via web
> browsers -- just like you.

Two words: Adrian Lamo


RE: [Full-Disclosure] Patch Deployment

2003-10-14 Thread Grabowski, David
> -Original Message-
> From: Myers, Marvin [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 14, 2003 2:09 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Patch Deployment
>
>
> Anyone on the list have any experience with a product called PatchLink
> Update? And if so do you mind sharing your experiences with it?

Tried it. They said it would do everything.

About all it did was crash most of our test workstations and install its
agent software that we couldn't easily remove.

We ended up dumping it and going with StBernard's UpdateExpert. We like
it.



RE: [Full-Disclosure] RE: RE: Re: Bad news on RPC DCOM vulnerability

2003-10-14 Thread Michael Acker
I have been working with this exploit for several days in the test lab. I
could not get the code to add a new user/passwd under an unpatched win2k
server, but rather get a "The instruction at 0x77fc9e82 referenced at
memory 0x28030700. The memory could not be written."
Did the same thing on a win2k server +SP2. RPC crashes and needs to be
restarted.
 
I do get this in the app. log:
10/6/2003 10:37:05 AM EventSystem Error Event System 4097 N/A TESTSERVER The
COM+ Event System detected a bad return code during its internal processing.
HRESULT was 800706BA from line 42 of .\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

10/6/2003 10:36:25 AM EventSystem Error Event System 4097 N/A TESTSERVER The
COM+ Event System detected a bad return code during its internal processing.
HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp. Please contact
Microsoft Product Support Services to report this error.

And the system log:

10/6/2003 10:21:53 AM Service Control Manager Error None 7031 N/A TESTSERVER
The Remote Procedure Call (RPC) service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 0
milliseconds: No action. 

10/6/2003 10:20:06 AM Application Popup Information None 26 N/A TESTSERVER
Application popup: svchost.exe - Application Error : The instruction at
0x77fc9e82 referenced memory at 0x28030700. The memory could not be
written.

 

-Original Message-
From: Gordon, Mike [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 9:47 AM
To: '[EMAIL PROTECTED]'
Cc: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] RE: RE: Re: Bad news on RPC DCOM vulnerability



Brett: 

Are you using the version of the code from the Russian Web Site?  I compiled
and tested it against XP.  Forces the machine to crash both patched and
unpatched.  (MS is aware of this).  None of the code ever added a user to
the device.  Did this happen on the 2K unpatched machine?  I've seen some
other versions of the code that don't seem to require the external bshell
file but incorporates the shell into the C code but I haven't really had
much time to investigate.





Yes the code does work against an unpatched system.. 
Code execution reaches
77FCC992 mov dword ptr [edx],ecx
77FCC994 mov dword ptr [eax+4],ecx
Where EDX is critical address and ECX is heap offset 
It then reaches
77FCC663 mov dword ptr [ecx],eax
77FCC665 mov dword ptr [eax+4],ecx
Where ECX is heap offset and EAX is jump instruction.. 
This is what flashsky was referring to in his post about a universal way
to exploit heap overflows.. 
It's not 100% reliable tho, as sometimes execution reaches the second code
segment first, which will cause a crash.
We also saw execution reaching
77D399FD call dword ptr [esi+8]
where ESI points into the overflow buffer, but also causes a crash.. 
After installing the MS03-039 patch, the exploit code had no effect on our
test system... 
Test system is Win2k English SP4+MS03-039.. 
It is possible however that other versions of Win2K are vulnerable to the
denial of service that has been discussed... 
Has anybody confirmed this with details of the vulnerable systems? 
Brett 


Michael A. Gordon 
Information Security Services 
LM Aero - Fort Worth 
817-935-1646 
Mail Zone: 9381 
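
The event-log entries quoted in this message form a recognisable crash signature that can be triaged mechanically. The Python below is an added example, not code from the post or from Microsoft; it assumes the exported Event Viewer text layout shown above with each record on one line, and the function names and the 30-minute correlation window are choices made for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed input: the four records quoted in the message above, re-joined
# onto one line each, plus one unrelated 7031 record added for contrast.
SAMPLE_LOG = [
    r"10/6/2003 09:02:11 AM Service Control Manager Error None 7031 N/A TESTSERVER The Print Spooler service terminated unexpectedly. It has done this 1 time(s).",
    r"10/6/2003 10:20:06 AM Application Popup Information None 26 N/A TESTSERVER Application popup: svchost.exe - Application Error : The instruction at 0x77fc9e82 referenced memory at 0x28030700. The memory could not be written.",
    r"10/6/2003 10:21:53 AM Service Control Manager Error None 7031 N/A TESTSERVER The Remote Procedure Call (RPC) service terminated unexpectedly. It has done this 1 time(s).",
    r"10/6/2003 10:36:25 AM EventSystem Error Event System 4097 N/A TESTSERVER The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BF from line 42 of .\eventsystemobj.cpp.",
    r"10/6/2003 10:37:05 AM EventSystem Error Event System 4097 N/A TESTSERVER The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 42 of .\eventsystemobj.cpp.",
]

# Source and category may contain spaces, so they are matched lazily up to the
# fixed-vocabulary event type and the numeric event ID.
RECORD_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<source>.+?) (?P<type>Error|Warning|Information) "
    r"(?P<category>.+?) (?P<event_id>\d+) (?P<user>\S+) (?P<computer>\S+) "
    r"(?P<description>.*)$"
)
HRESULT_RE = re.compile(r"HRESULT was ([0-9A-Fa-f]{8})")

# Win32 RPC error codes carried in the low 16 bits of a 0x8007xxxx HRESULT.
WIN32_RPC_ERRORS = {
    0x6BA: "RPC_S_SERVER_UNAVAILABLE",
    0x6BE: "RPC_S_CALL_FAILED",
    0x6BF: "RPC_S_CALL_FAILED_DNE",
}


def parse_log(lines):
    """Turn exported log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec.pop("date"), "%m/%d/%Y %I:%M:%S %p")
        rec["event_id"] = int(rec["event_id"])
        records.append(rec)
    return records


def rpc_error_name(description):
    """Name the RPC failure behind a FACILITY_WIN32 HRESULT, or return None."""
    m = HRESULT_RE.search(description)
    if not m:
        return None
    hresult = int(m.group(1), 16)
    if hresult >> 16 != 0x8007:
        return None
    return WIN32_RPC_ERRORS.get(hresult & 0xFFFF)


def classify(rec):
    """Tag a record that belongs to the RPC crash signature, else None."""
    desc = rec["description"]
    if (rec["source"] == "Service Control Manager" and rec["event_id"] == 7031
            and "Remote Procedure Call (RPC)" in desc):
        return "rpcss_terminated"
    if (rec["source"] == "Application Popup" and rec["event_id"] == 26
            and "svchost.exe" in desc.lower() and "could not be" in desc):
        return "svchost_access_violation"
    if rec["source"] == "EventSystem" and rec["event_id"] == 4097:
        name = rpc_error_name(desc)
        if name:
            return "com_rpc_failure:" + name
    return None


def find_rpc_crashes(records, window=timedelta(minutes=30)):
    """Report each RPC service termination with same-host indicators near it."""
    tagged = [(r, classify(r)) for r in sorted(records, key=lambda r: r["time"])]
    findings = []
    for anchor, tag in tagged:
        if tag != "rpcss_terminated":
            continue
        related = [
            t for r, t in tagged
            if t and r is not anchor
            and r["computer"] == anchor["computer"]
            and abs(r["time"] - anchor["time"]) <= window
        ]
        findings.append({"computer": anchor["computer"],
                         "time": anchor["time"], "related": related})
    return findings


if __name__ == "__main__":
    for finding in find_rpc_crashes(parse_log(SAMPLE_LOG)):
        print(finding["computer"], finding["time"], finding["related"])
```

An RPC service termination that arrives together with a svchost.exe write fault and COM+ RPC failures is worth escalating on a host that should already carry MS03-039; the Print Spooler record is ignored because it matches none of the three tags.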


[Full-Disclosure] Re: [Re: Hotmail Passport (.NET Accounts) Vulnerability]

2003-10-14 Thread martin f krafft
thus spoke Daniel H. Renner [EMAIL PROTECTED] [2003.10.14.0458 +0200]:
 It does work, however, I believe you still need to know your old
 password to kick it over.

It does not work. The email is never sent/never arrives.

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; [EMAIL PROTECTED]
 
invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
 
micro$oft is to operating systems  security
what mcdonalds is to gourmet cuisine.




RE: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Curt Purdy
 It's sad... Look at some of the reports on some 'hacker'
 being arrested for
 pointing out a problem in some companies network. (WiFi maybe?)

You may be referring to the guy who pointed out to a reporter that the
Houston, TX County Courthouse wifi was wide open allowing complete access to
the network.  Also in that vein is Adrian Lamo, an underground hero of the
highest caliber who has just been arrested for helping many large
corporations like GE clean up their act.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions



If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke



[Full-Disclosure] about mcbeth claims: reasons and wrong information

2003-10-14 Thread Lorenzo Hernandez Garcia-Hierro
Dear mcbeth,
you are wrong, check the headers of the geeklog message,
there was a bounce in my server due to bad domain changing,
do you know this?
i think no.
and it wasn't my first message in this list.
i don't want fame but you seem to want to annoy people.
morning_wood is a friend and a partner of this list like you.
please, if you want to say something, first check it
for the truth and then say, if not, close your mouth.
again, check please the message headers.
best regards and take time before posting annoying messages to people that
aren't
related with your port, the post for morning_wood said that i discovered the
hole before,
( in august ;-) but morning_wood discovered it too and then he posted it,
no bad or malicious things were made,
morning_wood had a fantastic surprise for me including my last xss exploit
code.
AGAIN THANKS morning_wood for INCLUDE MY EXPLOIT !!
-off-topic-
i'm preparing new releases , more professional and real useful functions !
-EOF

Best regards to all and have good time please,
- Original Message - 
From: [EMAIL PROTECTED]
To: Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 7:26 PM
Subject: Re: [Full-Disclosure] morning_wood , i discovered the arin.net
whois XSS before ou but yo was more quickly to report it!


 On Tue, 14 Oct 2003 00:31:50 +0200
 Lorenzo Hernandez Garcia-Hierro [EMAIL PROTECTED] wrote:

  it's the truth ,
  i'm sad ;-)
  i discovered one month ago the arin bug , believe in me.
  next time i will be the first one.
  ;-) good shoot !
  ;-)

 Is this some kind of fucking race or what ? Obviously you are kind of
 guy who reports vulnerabilities to get fame. You don't have to do it
 more... everybody knows who is Lorenzo Hernandez Garcia-Hierro because
 you have send your advisory about geeklog about 30 times to this list.

 mcbethh

 -- 
 The Lord supports non-disclosure






[Full-Disclosure] Weekly Vulnerability Summary, Week 41 2003

2003-10-14 Thread Sintelli SINTRAQ
SINTRAQ Weekly Summary
Week 41, 2003

Created for you by SINTELLI, the definitive source of IT security
intelligence.

Welcome to the latest edition of SINTRAQ Weekly Summary. Information on how
to manage your subscription can be found at the bottom of the newsletter. If
you have any problems or questions, please e-mail us at
[EMAIL PROTECTED]


PDF version : http://www.sintelli.com/sinweek/week41-2003.pdf

=

Highlights:
This week is Week 41 plus elements of Week 40, so the dates covered by this
summary are 02 October - 13 October.  The reason for this is Microsoft
surprised everyone by releasing MS03-40 on the evening of 03 October, thus we
thought it would be more useful to incorporate it into Week 41.  Whilst
still on Microsoft there are two publicly available exploits for MS03-39
available at the K-otik web site:

http://www.k-otik.com/exploits/10.09.rpcdcom3.c.php
http://www.k-otik.com/exploits/10.09.rpcunshell.asm.php

Other items of note this week are multiple vulnerabilities in Adobe SVG,
Peoplesoft and Hummingbird Cyberdocs.

Until next week,
-- SINTELLI Research
www.sintelli.com




TABLE OF CONTENTS:

SID-2003-3467 [ Adobe ] Adobe SVG Viewer Active Scripting Bypass
SID-2003-3470 [ Adobe ] Adobe SVG Viewer Cross Domain and Zone Access
SID-2003-3469 [ Adobe ] Adobe SVG Viewer Local and Remote File Reading
SID-2003-3501 [ aziem ] prayerboard_db.php cross-site scripting vulnerability
SID-2003-3495 [ Centrinity ] FirstClass Denial of Service Vulnerability
SID-2003-3522 [ Compaq ] HP Tru64 dtmailpr Unspecified Flaw
SID-2003-3472 [ Conexant Systems ] Conexant Access Runner DSL Console login bypass vulnerability
SID-2003-3464 [ divine ] Divine OpenMarket Content Server XSS Vulnerability
SID-2003-3471 [ EFS Software ] Easy File Sharing Web Server Vulnerabilities
SID-2003-3481 [ EternalMart ] EternalMart Guestbook Execution of Arbitrary Code
SID-2003-3480 [ EternalMart ] EternalMart Mailing List Manager Vulnerability
SID-2003-3497 [ freeguppy.org ] GuppY Cross Site Scripting and Files Read/Write Vulnerabilities
SID-2003-3504 [ HP ] HP OVOW Unauthorised admin access
SID-2003-3505 [ HP ] HP SCM Unauthorised Access
SID-2003-3486 [ HP ] HPUX dtprintinfo buffer overflow vulnerability
SID-2003-3508 [ Hummingbird ] Hummingbird CyberDOCS error page installation path disclosure
SID-2003-3509 [ Hummingbird ] Hummingbird CyberDOCS insecure file permissions vulnerability
SID-2003-3507 [ Hummingbird ] Hummingbird CyberDOCS multiple cross-site scripting vulnerabilities
SID-2003-3506 [ Hummingbird ] Hummingbird CyberDOCS SQL injection
SID-2003-3474 [ JBoss Group ] JBoss Remote Command Injection Vulnerability
SID-2003-3465 [ Juan Cespedes ] ltrace 'Library Call Tracer' Heap Overflow
SID-2003-3494 [ Kevin Lindsay ] slocate heap overflow
SID-2003-3516 [ Microsoft ] Buffer Overflow in Microsoft Word Macros
SID-2003-3482 [ Microsoft ] Microsoft Internet Explorer XML data binding vulnerability
SID-2003-3503 [ Microsoft ] Microsoft Windows Media Player DHTML Local Zone Access
SID-2003-3499 [ Microsoft ] Microsoft Windows PostThreadMessage API process termination
SID-2003-3487 [ Microsoft ] Microsoft Windows Server 2003 Shell Folders Directory Traversal
SID-2003-3489 [ muziqpakistan.net ] File inclusion vulnerability in PayPal Store Front
SID-2003-3485 [ NetScreen ] Netscreen Leakage of Sensitive Information via DHCP Offer
SID-2003-3483 [ OpenOffice.org ] Openoffice Denial of service Vulnerability
SID-2003-3468 [ Peoplesoft ] PeopleSoft Grid Option Vulnerability
SID-2003-3493 [ Peoplesoft ] PeopleSoft Information Disclosure Vulnerability
SID-2003-3490 [ Peoplesoft ] PeopleSoft Longchar and Varchar Data Upload Vulnerability
SID-2003-3488 [ PHP-Nuke ] PHP-Nuke 6.6 SQL Injection
SID-2003-3478 [ PHP-Nuke ] PHP-Nuke 6.7 Arbitrary File Upload
SID-2003-3517 [ Planet ] Undocumented Superuser Account in Planet WGSD-1020 Switch
SID-2003-3492 [ S.u.S.E. ] SuSE Linux javarunt symlink attack
SID-2003-3491 [ S.u.S.E. ] SuSE Linux susewm symlink attack
SID-2003-3520 [ scripts4webmasters.com ] TRACKtheCLICK Script Injection Vulnerabilities
SID-2003-3496 [ SNAP Innovation ] SNAP Innovations PrimeBase Database Vulnerability
SID-2003-3521 [ SourceForge.net ] Gallery 1.4 file inclusion vulnerability
SID-2003-3484 [ SSH Communications Security ] SSH Vulnerability in BER Decoding
SID-2003-3479 [ Sun ] Sun Cobalt RaQ Control Panel Cross-Site Scripting
SID-2003-3502 [ Techfirm ] 

[Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Anonymous
I DID complain, anonymously, to his ISP chain when I received 
the first message from them.  Now I suspect he blasted everybody 
who got the first message because he doesn't know who 
complained.  And I may not be the only one who did complain.

I feel SO bad.



RE: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Jonathan A. Zdziarski

 Also in that vein is Adrian Lamo, an underground hero of the
 highest caliber who has just been arrested for helping many large
 corporations like GE clean up their act.

Hero? Hardly.  His willingness to help out the companies he hacked into
was quickly overshadowed by the fact that he stole hundreds of thousands
of dollars worth of services while he was doing it.  He's no hero, he's
an idiot.

Had Adrian Lamo coordinated his efforts with the companies he was
auditing and had their permission to test the network, he would've been
a hero.





Re: [Full-Disclosure] Friendly and secure desktop operating system

2003-10-14 Thread Franz von Sickingen
On Tuesday 14 October 2003 16:51, Sam Pointer wrote:
 Goetz Von Berlichingen wrote:
 You're talking about a mandatory access control OS - see SELinux,
 TrustedBSD, Trusted Solaris, Flask/Flux, Trusted IRIX - described in the
 Orange Book.

 or BarbieOS: http://qrxx.4t.com/barbieOS.htm

oh -
Many of the girls we talked to said that they were tired of constantly 
patching their Windows systems against the latest Outlook worm, only to find 
that the patch breaks one of their custom applications or reduces the 
performance and stability of the operating system...

:-



Re: [Full-Disclosure] OT: An odd question that has arrisen within my household

2003-10-14 Thread Georgi Guninski
Sorry for the rant, but what's wrong with being anti-social?
When I look in Bulgarian history, I see that the heroes of today are 
something-similar-to-terrorist of yesterday. May apply to other countries as well.

georgi

On Mon, 13 Oct 2003 07:09:21 -0400
Joshua Levitsky [EMAIL PROTECTED] wrote:

 because they choose not to. Some of these people are damn cool. Some 
 are just anti-social, but that really isn't the norm so far as I can 


[Full-Disclosure] something evil in your email

2003-10-14 Thread Michael 'Moose' Dinn
Folks might want to be on alert for this:

From: swiftpay service central [EMAIL PROTECTED]
Reply-To: swiftpay service central [EMAIL PROTECTED]
Subject: Please accept payment from andy #182-91DW-23252
Date: Die, 14 Okt 2003 23:47:37 +0200
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
Message-Id: [EMAIL PROTECTED]

<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\"
\"http://www.w3.org/TR/html4/loose.dtd\">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\">
</head>

<body>
<div align=\"left\">
  <p><img src=\"http://203.82.33.50/sw/swiftpay7_01.gif\"></p>
  <hr>
  <p><br>
User <em>andy3</em> just send $476.60 USD to you: <br>
SwiftPay UserID: andy3 <br>
Transaction#: 182-91SW-27251 <br>
Date: 14-10-2003 <br>
Comments: Membership #0248278 was selected to receive this month\'s bonus. We 
cannot send funds directly to your debit card\'s bank account because our merchant 
currently disabled this option. SwiftPay will not charge your card for the transfer; 
we already deducted $23.40 from your funds for the service fees. <br>
<br>
Your E-mail is not registered with SwiftPay. In order to receive your funds you 
need to apply for account with us and verify your identity. All information will be 
kept confidential. Please follow the link: <a 
href=\"http://203.82.33.50/sw/signup/\">http://www.swiftpay.us/signup/?transaction#125433SW2751</a><br>
When you enter our service your funds will appear in your account balance under 
overview page. You can withdraw the outstanding balance to your debit card account 
that you added during the registration process. <br>
SwiftPay`s intuitive interface makes sending and receiving money over the web as 
easy as one two three. Simply logon at SwiftPay and select which SwiftPay service you 
wish to avail of, whether it\'s to fund your account, send money to friends family or 
businesses, request money or check your account details. With everything you need 
available at the click of a mouse, paying with SwiftPay couldn\'t be easier. Don\'t 
forget, we value our commitment to Customer Service at SwiftPay – should you have any 
queries, please don\'t hesitate to contact us and we\'ll do our best to answer your 
query as soon as possible. <br>
<br>
Kind Regards, <br>
SwiftPay Customer Support <br>
--- </p>
  <p>&nbsp;</p>
  <p>&nbsp;</p>
</div>
</body>
</html>
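
The telling detail in the message above is the sign-up link: the text shown to the reader names www.swiftpay.us while the href points at the bare address 203.82.33.50. The Python below is an added example, not part of the original post, showing one way a mail filter could flag that mismatch; the sample body is constructed from the link on this page with clean quoting, the example.org links are constructed for contrast, and the function names are this example's own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the link from the message above plus two benign links.
SAMPLE_BODY = """
<p>Please follow the link:
<a href="http://203.82.33.50/sw/signup/">http://www.swiftpay.us/signup/?transaction#125433SW2751</a><br>
For comparison: <a href="http://www.example.org/help">http://www.example.org/help</a>
and <a href="http://www.example.org/faq">our FAQ</a></p>
"""

URL_LIKE = re.compile(r"^(?:https?://|www\.)\S+$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in a document."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; tolerates text such as 'www.example.org/x'."""
    try:
        parts = urlsplit(url if "//" in url else "//" + url)
        return (parts.hostname or "").lower()
    except ValueError:
        return ""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_body):
    """Return anchors whose destination is an IP or differs from the shown URL."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    findings = []
    for href, text in collector.anchors:
        reasons = []
        target = host_of(href)
        if is_ip_literal(target):
            reasons.append("href points at a bare IP address")
        if URL_LIKE.match(text):
            shown = host_of(text)
            if shown and shown != target:
                reasons.append(f"link text shows {shown} but href goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_BODY):
        print(finding["href"], finding["reasons"])
```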




RE: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread madsaxon
At 05:57 PM 10/14/03 -0400, Jonathan A. Zdziarski wrote:
 Hero? Hardly.  His willingness to help out the companies he hacked into
 was quickly overshadowed by the fact that he stole hundreds of thousands
 of dollars worth of services while he was doing it.  He's no hero, he's
 an idiot.

Mostly Lamo is a sterling illustration of technical knowledge
without concurrent wisdom.  Not unusual for our profession,
though.

m5x



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Jeremiah Cornelius
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tuesday 14 October 2003 14:57, Jonathan A. Zdziarski wrote:
  Also in that vein is Adrian Lamo, an underground hero of the
  highest caliber who has just been arrested for helping many large
  corporations like GE clean up their act.

 Hero? Hardly.  His willingness to help out the companies he hacked into
 was quickly overshadowed by the fact that he stole hundreds of thousands
 of dollars worth of services while he was doing it.  He's no hero, he's
 an idiot.

He's just a boy.  

"hundreds of thousands of dollars worth of services"  What?  Bandwidth usage?  
Subscription fees?  Gimme a break.  He cost nothing in real dollars to 
anyone.  You presume either that he would have paid for services if he 
couldn't get them free, and/or that his utilization deprived other, 
legitimate users of their ability to access resources.  None of this is 
demonstrable, and none is even true.

With engineers, there seems to be a kind of unexamined binary thinking about 
law and legality.  Laws frequently change -often arbitrarily, differ in 
jurisdictions, are enforced in violation of over-ruling statutes, etc.  
Everyone reading this list is likely to be in violation of dozens of different 
laws that apply to them in the course of any given week.  This is outside of 
time spent interacting with networked computer systems!

Adrian may get jail time, while Ken Lay will go free.  Sprint may have fake 
billing losses, while retirees lose their homes and pension benefits.  Laws 
tend to favour those with the ability to purchase them - too bad.


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/jIBmJi2cv3XsiSARAnSDAJ4tgcMZmZLwB9ut+hv60F47+mYKKgCeNgPU
KdlddtGaBKTd4ij5OiV2o2Q=
=QT2t
-END PGP SIGNATURE-



Re: [Full-Disclosure] OT: An odd question that has arrisen within my household

2003-10-14 Thread Jonathan A. Zdziarski
 Sorry for the rant, but what's wrong with being anti-social?
 When I look in Bulgarian history, I see that the heroes of today are 
 something-similar-to-terrorist of yesterday. May apply to other countries as well.

The term anti-social is used a bit too loosely these days.  Gassing a
million Jews was anti-social.  Not wanting to talk to people in general
is just filtering.  Arrogant at the most, but definitely not
anti-social.




[Full-Disclosure] More NASA.GOV HOLES: naade02.msfc.nasa.gov

2003-10-14 Thread Lorenzo Hernandez Garcia-Hierro
Hi again,
naade02.msfc.nasa.gov host of nasa is too affected by security holes,
in this case the stupid hole of maintain sample scripts of iis in the
webroot.

http://naade02.msfc.nasa.gov/scripts/samples/

http://naade02.msfc.nasa.gov/samples/

http://naade02.msfc.nasa.gov/IISsamples/

w00w,
NOTE: attacking possibilities are related with FPExtensions in the
directories.
VENDOR NOTICED: No contact info found
NOTE 2: OPEN AN ACCOUNT FOR SECURITY ISSUES

Best regards,
---
0x00-Lorenzo Hernandez Garcia-Hierro
0x01-/* not csh but sh */
0x02-$ PATH=pretending!/usr/ucb/which sense
0x03- no sense in pretending!
__
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**
No Secure Root Group Security Research Team
http://www.nsrg-security.com
__




Re: [Full-Disclosure] New MS Patch - Any Idea What This Is

2003-10-14 Thread Joshua Levitsky

- Original Message - 
From: Anthony Aykut [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:41 PM
Subject: [Full-Disclosure] New MS Patch - Any Idea What This Is


 Hi,

 Anyone come across this one?? I have *just* received this - yet another
 email claiming to be from MS (showing initially as being from
 [EMAIL PROTECTED]), titled 'New Patch'. Same nice
HTML
 page, with message body...

Swen virus.



[Full-Disclosure] NASA.GOV SQL Injections

2003-10-14 Thread Lorenzo Hernandez Garcia-Hierro
Hi all again,
http://liftoff.msfc.nasa.gov/toc.asp?s=Tracking'
admits sql characters injection but seems not easy to include successful
queries
security of nasa websites sucks ( sucks the web app security...)
best regards,
---
0x00-Lorenzo Hernandez Garcia-Hierro
0x01-/* not csh but sh */
0x02-$ PATH=pretending!/usr/ucb/which sense
0x03- no sense in pretending!
__
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**
No Secure Root Group Security Research Team
http://www.nsrg-security.com
__




Re: [Full-Disclosure] OT: An odd question that has arrisen within my household

2003-10-14 Thread Joshua Levitsky

- Original Message - 
From: Georgi Guninski [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 12:23 PM
Subject: Re: [Full-Disclosure] OT: An odd question that has arrisen within
my household


 Sorry for the rant, but what's wrong with being anti-social?

Nothing so much the matter with it, but the anti-social ones I probably
wouldn't have met, and if I have met them then I haven't spoken much with
them... due to their anti-socialness :) And I much preferred the friends of
mine that liked to hang out and such.




Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Jeremiah Cornelius
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Tuesday 14 October 2003 14:57, Jonathan A. Zdziarski wrote:
  Also in that vein is Adrian Lamo, an underground hero of the
  highest caliber who has just been arrested for helping many large
  corporations like GE clean up their act.

We might also question the heroic quality of actions that benefit GE, and 
their like.  If in doing so, the privacy and security of ordinary peons and 
their livelihoods is protected - that may be heroic.

Free services to multi-billionaire corporations which should face the wrath of 
their stockholders and the public at large are really a misguided effort.  
But as I said, all agendas aside - Adrian Lamo is just a boy.  I'm sorry for 
his difficulties
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/jIHHJi2cv3XsiSARAhtdAKDeiK/o0y8Nvq9OKbBwY8z6nsua4QCeOdS2
Vv7qZkXcj8u62q/1HqSEcGM=
=XyWp
-END PGP SIGNATURE-



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Cael Abal
 A number of 'hackers' recently in the news did their 'hacking' via web
 browsers -- just like you.  It could likely be successfully argued by a
 prosecutor that you intentionally stole this credit card data.  Yes, I
 know it was a via clickable link and the site was ridiculously
 unsecured, but that probably wouldn't make a difference to a court.

 How is 'hacking' defined where you are? In Australia (at least in NSW),
 and some other places, an access control mechanism of some description
 has to be circumvented for it to be an offence.

In Canada, anyone who fraudulently and without colour of right obtains,
directly or indirectly, any computer service is guilty of Unauthorized
Use of a Computer -- note 'computer service' includes computer service
'data processing and the storage or retrieval of data'.  It definitely
wouldn't be a stretch to say that accessing a server-held record of
previous orders was without colour of right.

Additionally, any number of fraud / mischief offences may be applied to
computer-related charges.

I believe the US laws are similar.

Cheers,

Cael

---

See PART IX: OFFENCES AGAINST RIGHTS OF PROPERTY -- 342.1: Unauthorized 
Use of Computer



Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household

2003-10-14 Thread Jonathan A. Zdziarski

 antisocial
 adj.
 1) Shunning the society of others; not sociable.
 2) Hostile to or disruptive of the established social order; marked by or
 engaging in behavior that violates accepted mores: gangs engaging in
 vandalism and other antisocial behavior.
 3) Antagonistic toward or disrespectful of others; rude.
 
 Source: The American Heritage Dictionary of the English Language, Fourth
 Edition

Dictionaries use what the current accepted meanings are.  I think this
is incorrect.  IMAO, what you've described is non-social, not
anti-social.  Anti-social to me involves specifically attempting to
damage society (as my example, which wasn't intended to be offensive).

But c'est la vie...if society wants to use the term loosely that's their
business.






Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household

2003-10-14 Thread Joshua Levitsky
- Original Message - 
From: Jonathan A. Zdziarski [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 6:42 PM
Subject: Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy
household


 The term anti-social is used a bit too loosely these days.  removed text
Not wanting to talk to people in general
 is just filtering.  Arrogant at the most, but definitely not
 anti-social.

First that is not a comparison that makes me comfortable, but you knew that
you were being extreme when you wrote it. The below definition says to me
that someone could be not sociable or be hermit-like and shun society
without becoming the Unabomber. Anti-social doesn't have to be so extreme.
Anyways you are just playing semantics.

an·ti·so·cial
adj.
1) Shunning the society of others; not sociable.
2) Hostile to or disruptive of the established social order; marked by or
engaging in behavior that violates accepted mores: gangs engaging in
vandalism and other antisocial behavior.
3) Antagonistic toward or disrespectful of others; rude.

Source: The American Heritage® Dictionary of the English Language, Fourth
Edition



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread /dev/null
On Wed, 2003-10-15 at 03:33, Cael Abal wrote:
 A number of 'hackers' recently in the news did their 'hacking' via web
 browsers -- just like you.  It could likely be successfully argued by a
 prosecutor that you intentionally stole this credit card data.  Yes, I
 know it was a via clickable link and the site was ridiculously
 unsecured, but that probably wouldn't make a difference to a court.

How is 'hacking' defined where you are? In Australia (at least in NSW),
and some other places, an access control mechanism of some description
has to be circumvented for it to be an offence.



Re: [Full-Disclosure] something evil in your email

2003-10-14 Thread Cael Abal
Michael 'Moose' Dinn wrote:
 Folks might want to be on alert for this:

Same old, same old.  At this point I would expect any
halfway-intelligent user to be suspicious of this sort of e-mail -- wake
me up when the con does something novel.

Cael



Re: [Full-Disclosure] More NASA.GOV HOLES: naade02.msfc.nasa.gov

2003-10-14 Thread Byron Copeland
Welcome to a honey pot putz!

On Tue, 2003-10-14 at 19:21, Lorenzo Hernandez Garcia-Hierro wrote:
 Hi again,
 naade02.msfc.nasa.gov host of nasa is too affected by security holes,
 in this case the stupid hole of maintain sample scripts of iis in the
 webroot.
 
 http://naade02.msfc.nasa.gov/scripts/samples/
 
 http://naade02.msfc.nasa.gov/samples/
 
 http://naade02.msfc.nasa.gov/IISsamples/
 
 w00w,
 NOTE: attacking possibilities are related with FPExtensions in the
 directories.
 VENDOR NOTICED: No contact info found
 NOTE 2: OPEN AN ACCOUNT FOR SECURITY ISSUES
 
 Best regards,
 ---
 0x00-Lorenzo Hernandez Garcia-Hierro
 0x01-/* not csh but sh */
 0x02-$ PATH=pretending!/usr/ucb/which sense
 0x03- no sense in pretending!
 __
 PGP: Keyfingerprint
 4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
 ID: 0x91805F5B
 **
 No Secure Root Group Security Research Team
 http://www.nsrg-security.com
 __
 
 


[Full-Disclosure] Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine

2003-10-14 Thread Sintelli SINTRAQ
Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine
09 October 2003

PDF version: http://www.sintelli.com/adv/sa-2003-02-zoomsearch.pdf

Background
Zoom is a package that adds search facilities to your website and produces
fast search results by indexing your website in advance. Unlike other
solutions relying on server-side software, Zoom allows you to do this from
the convenience of your own Windows computer.

More information about the product is available here:
http://www.wrensoft.com/zoom/index.html

Description
The Zoom Search engine does not properly filter user supplied input when
displaying the search results. This issue allows remote attacker to inject
malicious code in the target system. All the code will be executed within
the context of the website.  An example of such an attack is

http://www.victim.com/search.php?zoom_query=scriptalert(hello)/scriptscriptalert(hello)/script

In order for the attack to work a user must click on one of these specially
crafted URLs, which can be sent by email to the user, or by the user
clicking on a link.

Impact
It is possible for an attacker to retrieve information from a user's system.

Versions affected
Version 2.0 - Build: 1018 (Earlier builds may be vulnerable)

Solution
Upgrade to Build 1019. This can be downloaded from
http://www.wrensoft.com/ftp/zoomsearch.exe


Vulnerability History
30 Sep 2003 Identified by Ezhilan of Sintelli
01 Oct 2003 Issue disclosed to Wrensoft
02 Oct 2003 Second notification to Wrensoft
02 Oct 2003 Vulnerability confirmed by Raymond Leung of
Wrensoft.
08 Oct 2003 Sintelli informed of fix Wrensoft
08 Oct 2003 Sintelli confirms vulnerability has been addressed
08 Oct 2003 Build 1019 available
09 Oct 2003 Sintelli Public Disclosure

Credit
Ezhilan of Sintelli discovered this vulnerability.

About Sintelli:
Sintelli is the world's largest provider of security intelligence solutions.
Sintelli is the definitive source for IT Security intelligence and is a
provider of third generation intelligence security solutions.

Request a free trial of our alerting solution by clicking here
http://www.sintelli.com/free-trial.htm

Copyright 2003 Sintelli Limited.  All rights reserved. www.sintelli.com
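
The flaw described in the advisory above, as an added example that is not part of the original post and not Wrensoft's code: a Python stand-in for a search page that reflects the `zoom_query` parameter, once unfiltered and once HTML-encoded, with a parser check of which elements end up in the page. The host name, page layout, function names and sample URLs are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests: host and values are made up; only the
# parameter name zoom_query comes from the advisory.
SAMPLE_URLS = [
    "http://www.example.test/search.php?zoom_query=full+disclosure",
    "http://www.example.test/search.php"
    "?zoom_query=%3Cscript%3Ealert(hello)%3C/script%3E",
    "http://www.example.test/search.php?zoom_query=%22%3E%3Cb%3Ex",
]

def query_from_url(url):
    """Return the URL-decoded zoom_query value ('' when absent)."""
    return parse_qs(urlsplit(url).query).get("zoom_query", [""])[0]

def render_unfiltered(query):
    """Flawed pattern: the decoded value is pasted into the page as-is."""
    return ('<form action="search.php"><input name="zoom_query" value="'
            + query + '"></form><p>Search results for: ' + query + "</p>")

def render_encoded(query):
    """Hardened: encode &, <, > and quotes before the value reaches HTML,
    which covers both the text node and the quoted attribute."""
    safe = html.escape(query, quote=True)
    return ('<form action="search.php"><input name="zoom_query" value="'
            + safe + '"></form><p>Search results for: ' + safe + "</p>")

class _Tags(HTMLParser):
    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)

def tags_in(markup):
    """Element names a parser finds in the page, in document order."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.seen

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        q = query_from_url(url)
        print(repr(q), tags_in(render_unfiltered(q)), tags_in(render_encoded(q)))
```

The third sample shows why quotes are encoded as well as angle brackets: the value is also echoed inside a quoted attribute, where an unencoded `"` ends the attribute early.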



[Full-Disclosure] NASA.GOV Search system Cross Site Scripting ( SEARCH.NASA.GOV )

2003-10-14 Thread Lorenzo Hernandez Garcia-Hierro
Hi there,
-
WebSite:
Vendor: NASA w0w!
Risk: 7-5

VENDOR NOTICED: Yes ( same email as this )

I'm a little surprised today.
I found some cross-site scripting holes in the NASA.gov search engine,

PROOF OF CONCEPT:

http://search.nasa.gov/nasasearch/search/search.jsp?nasaInclude=nullSimple+Search.y=10;scriptalert(The
XSS Prince\nOnce upon a time there was a prince\nthat liked so much XSS
exploits);/script

http://search.nasa.gov/nasasearch/search/search.jsp?nasaInclude=nullGo.x=17;scriptalert(The%20XSS%20Prince\nOnce%20upon%20a%20time%20there%20was%20a%20prince\nthat%20liked%20so%20much%20XSS%20exploits);/scriptGo.y=13

Remember: website security cannot be real if maintainers don't know how
dangerous an XSS hole is ;-)
contact info:
__
---
0x00-Lorenzo Hernandez Garcia-Hierro
0x01-/* not csh but sh */
0x02-$ PATH=pretending!/usr/ucb/which sense
0x03- no sense in pretending!
__
PGP: Keyfingerprint
4ACC D892 05F9 74F1 F453  7D62 6B4E B53E 9180 5F5B
ID: 0x91805F5B
**
No Secure Root Group Security Research Team
http://www.nsrg-security.com
__




[Full-Disclosure] Re:

2003-10-14 Thread Rupam Phukan



Microsoft *does not*, repeat *does not* mail out security updates. It's
clear for anyone to see on their website.
You've been had by a (not too clever) social engineer.
Do a portscan on your system to see what services have been opened.
And never, never open attachments from people you don't know. Remember..
email addresses can be spoofed.
Just coz NAV doesn't recognize it as a virus doesn't mean it isn't. Maybe
it is a virus.. too new for the scanning engine to recognize.
All I know is that it is definitely not from Microsoft.
Cheers!
Rupam.





Re: [Full-Disclosure] Any news on www.kievonline.org site?

2003-10-14 Thread Denis Dimick

Very strange dude if you ask me.. He made it past my TMDA filter.. But
glad to see he got slammed..

On Tue, 14 Oct 2003, Steve Wray wrote:

 Hi all,
 today I found a really weird email in my inbox,
 which got me curious about this kievonline.org
 that this guy is screaming about (I had never heard of
 it before. I may be an 'infidel' not being moslem
 but the guy has my skintone and drinking habits all wrong!)
 
 When I go to the site, it has a very sad look to it...
 Apparently it was taken down by 'infidels'.
 
 So far in my googling I haven't found anything about
 the site.
 
 Ring any bells with anyone? 
 
 Thanks!
 
 
 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, 14 October 2003 6:34 p.m.
 To: Steve Wray
 Subject: thank you
 
 
 You are a piss head for hacking my site and informing my isp !!! Fuck
 you nigger.
 
 if your a man you should come here and tell me in my face
 A man needs to make a living you know, Now you think my isp is going to
 do something to stop me ?
 
 FUCK YOU
 
 Nice try. I have added your email address to every fucking spam list I
 can find
 
 Next time youll fuck with the right person
 


Re: [Full-Disclosure] Re: Any news on www.kievonline.org site?

2003-10-14 Thread Nick FitzGerald
stefmit [EMAIL PROTECTED] wrote:

 FYI: I got the thank you reply very close after reporting the original
 message to spamcop.net == makes me think that some monitoring takes
 place?!? 

It may make _you_ think that, but I received the same thank you 
without reporting him/her/it to anyone, so I think you need a better 
conspiracy theory in this case...8-)


Regards,

Nick FitzGerald



Re: [Full-Disclosure] SPAM, credit card numbers, what would you do?

2003-10-14 Thread Valdis . Kletnieks
On Tue, 14 Oct 2003 09:48:40 PDT, ted klugman [EMAIL PROTECTED]  said:

 And as you can probably guess, orders.txt contains --
 ORDERS. Names, addresses, phone numbers, and CREDIT
 CARD NUMBERS. Dozens of them.

One wonders if this company is in California




Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household

2003-10-14 Thread Valdis . Kletnieks
On Tue, 14 Oct 2003 19:54:36 EDT, Jonathan A. Zdziarski said:

 Dictionaries use what the current accepted meanings are.  I think this
 is incorrect. 

Are you suggesting that dictionaries should list something OTHER than
the current accepted meanings, or did I manage to totally misparse what you meant?




Re: [Full-Disclosure] Friendly and secure desktop operating syste m

2003-10-14 Thread Valdis . Kletnieks
On Tue, 14 Oct 2003 15:51:58 BST, Sam Pointer said:

 This email and any attachments are strictly confidential and are intended
 solely for the addressee. If you are not the intended recipient you must

Hmm... I'm not the addressee.  And you might want to ask your legal eagles
if they think this disclaimer will count for much in court if you blindly stick it
on ALL mail, including posting to a world-wide mailing list.

And since I'm not the addressee

 not disclose, forward, copy or take any action in reliance on this message
 or its attachments. If you have received this email in error please notify
 the sender as soon as possible and delete it from your computer systems.

Delete it? Hmm.. not as simple as that.  Your mail happened to arrive
before our backups ran, so it's out on tape as well.  Please specify how
much you are willing to pay to avoid another Ollie North situation:

http://www.fas.org/spp/starwars/offdocs/reagan/chron.txt

(Also - if you are not the intended recipient you must not  You *do*
realize that this means that if I receive your mail with this blanket
disclaimer, and I realize that George over in Sales is the right person to deal
with it, I have to delete it rather than forward it and get stuff done for you?
And if I *do* forward it to George, he has to delete it because he's not the
addressee...)

 and messages sent via this medium are potentially at risk.  All liability
 is excluded to the extent permitted by law for any claims arising as a
 result of the use of this medium to transmit information by or to
 HPD Software Limited or its affiliates.

Oh. Not willing to pay for it?  Isn't much I can do to help you then

