Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
--On Wednesday, October 22, 2003 6:00 PM -0600 Bruce Ediger <[EMAIL PROTECTED]> wrote:

> The real questions go something like:
>
> "Source code for Unix viruses has been available for years, from sources
> almost too numerous to mention. Why haven't Unix viruses become epidemic
> the way that Windows viruses have?"

The usual argument is that Windows is more ubiquitous than Unix and is therefore the target of choice. I would argue that the *real* reason is that Windows is more ubiquitous as a *desktop* operating system and is therefore the target of choice. However, that's changing. Linux is gaining in the desktop space and so is Mac OS X, which is really "exposed" for the first time. By that I mean that previous Mac OSes weren't as easily attacked remotely because they used Appletalk rather than TCP/IP. (Yes, Macophiles, I know TCP/IP was available before OS X.)

The real key to prevalence of malware, IMNSHO, is the ease of attack *and* the potential pool of victims. People think it's really stupid to "surf" the Internet using an administrator account on Windows. Well, what do you think the neophyte Linux users are doing? I seriously doubt you'll find many that have a regular account and use su or sudo to do administrative tasks. They're bound to run into something sooner or later that they find irritating (like being prompted for root's password every time they try to run up2date on RedHat) and they'll do the same thing they always do on a desktop system. They'll start logging in as root because they don't get "pestered" by all those warning messages and they can install software any time they want. (Mind you, Windows still has a long way to go in that regard. MS doesn't make it easy to run as an unprivileged user, that's for sure.) And when folks are on the net, logged in as root, on a Unix box, they're just as susceptible to worms and viruses as any Windows user is.

All it takes is some momentum in the desktop space and the stats will change. When the average desktop user can figure out how to burn CDs, listen to music and print on *nix as easily as they can do it on Windows, you'll see more and more malware for *nix as they move over to it (if they do.) Now I am *not* arguing that Windows is the best OS to use (or even a good one for that matter) or even that Windows is no easier to attack than *nix. But worms and viruses will follow desktop users, not OSes, no question about it.

> "Security problems of the same magnitude as .ida buffer overflows, or MSRPC
> buffer overflows exist in unix programs like Sendmail and others. Why hasn't
> a worm materialized for this problem?"

Because unpatched apache isn't installed *and* running on *nix boxes by default. We had 90 boxes hit by Code Red. Only one was an "IT" box, and that one had just been installed and was *at* windowsupdate when it got infected. Of the other 89, all but three were desktop systems. When Nimda hit, we had 40. All 40 were desktops. People who know what they're doing don't get infected with that crap. People who don't, do. What OS they're using is irrelevant.

> "The scalper worm didn't affect nearly as many hosts as msblast did. Why not?
> Why did the scalper worm seem to die out, yet wormwatch.org still records
> many hits from much older worms like SQLSpida and Nimda?"

Because desktop users don't patch. Scalper didn't make much headway because *very few* desktop *nix boxes run Apache, and servers that do are admined by people who understand the need to patch. Remember the SunOS.Poisonbox.worm? That made pretty good headway on Solaris boxes and can still be found today. What did it attack? Sadmind, which few server admins would ever run and far fewer would run unpatched. Only desktop users have that on and don't want to be bothered with patching. And they got infected. Every *nix infection that I've had to deal with has been a desktop system, not a server. Why do you think wuftpd is so heavily attacked? I think it's because it's had many holes *and* lots of desktop users run it because it lets them easily move files around.

> And I guess you can generalize and ask why the Windows "culture" generates
> so many problems of such a magnitude, that last so long? My home office web
> server got a Code Red hit on Sept 19th 2003, for example. Other computing
> cultures (Unix, Mac, etc) don't seem to exhibit this. Why not?

Well, historically *nix was for the clued in. All others were excluded. And Mac wasn't easily exploited due to Appletalk. But all that's changing. KDE has been riddled with security problems. Once the number of desktop users using KDE reaches critical mass (whatever that is) you'll start seeing more and more malware on *nix. Malware follows negligent users, *not* OSes.

> Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac
> cultures keep epidemics from occurring? It's certainly a waste of breath to
> point out that OS X has horrendous security flaws
RE: [Full-Disclosure] Anyone running SUS see the content update today?
There were a variety of "issues" with last week's patches.

MS03-045 installation failed on some language versions of Windows 2000 SP4. Since this patch replaces the entire core of the OS, it often left the computer in a completely unusable state. This patch has also been repackaged so that a single download can be used to patch Windows 2000 SP2, SP3, and SP4. Previously, SP2 had a separate package.

All the original 10/15 OS patches included a new version of update.exe that contained a critical bug. In an attempt to reduce the number of reboots, MS tested to see if the user installing the patch had the debug privilege. This privilege allows system files that are in use to be replaced on a running system. Normally only Local System and Administrators have this right. The intention was that if the user had the debug right, the files would be replaced and no reboot would be needed. The check to see if the current user had this right would sometimes enter an infinite loop, and sometimes system files would be damaged, putting the computer into an endless reboot cycle. Sometimes recovery was possible by booting into safe mode or using the recovery console and uninstalling the patches or manually copying the old files.

The updated bulletins so far make no mention of this. I would bet that when the updated patches are actually available on the download site (they're not there yet) they will have a new version of update.exe. I believe that in every case, the patches themselves contain the same system files. It is only the patch installer that is being replaced. We should know for sure by tomorrow.

Jerry

-----Original Message-----
From: Joshua Levitsky [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 22, 2003 9:12 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Anyone running SUS see the content update today?

Seems like tonight Microsoft re-released all the updates from last week. Anyone else see this?

Anyone know why all the updates from last week got re-released and some of them show up as new rather than updated, even though the KB articles in the description are last week's patches?

-Josh

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Anyone running SUS see the content update today?
Here are all the new patches in case anyone is curious what has changed since last week. Looks like all Win 2k and Windows Media player updates got refreshed. Note that on Friday the 824141 patches got re-released also. See below.

-Josh

Manual Sync Started - Wednesday, October 22, 2003 7:28:09 PM
Successful Updates Added:
Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
Bruce Ediger wrote:

> The real questions go something like:
>
> "Source code for Unix viruses has been available for years, from sources
> almost too numerous to mention. Why haven't Unix viruses become epidemic
> the way that Windows viruses have?"

Not sure the source has anything to do with viruses. But your statement certainly says something about the concept that publishing source magically makes software that is secure. ;)

> "Security problems of the same magnitude as .ida buffer overflows, or MSRPC
> buffer overflows exist in unix programs like Sendmail and others. Why hasn't
> a worm materialized for this problem?"
>
> "The scalper worm didn't affect nearly as many hosts as msblast did. Why not?
> Why did the scalper worm seem to die out, yet wormwatch.org still records
> many hits from much older worms like SQLSpida and Nimda?"
>
> And I guess you can generalize and ask why the Windows "culture" generates
> so many problems of such a magnitude, that last so long? My home office web
> server got a Code Red hit on Sept 19th 2003, for example. Other computing
> cultures (Unix, Mac, etc) don't seem to exhibit this. Why not?
>
> Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac
> cultures keep epidemics from occurring? It's certainly a waste of breath to
> point out that OS X has horrendous security flaws when none of them turn
> into grotesque epidemics like Sobig.f.
>
> To extend your "wooden house" analogy a bit: In a city made entirely of
> wooden houses, a single house fire is way more likely to level the city than
> in a city with a mix of wooden, brick and vinyl-sided houses. Having the
> occasional brick house mixed in with the wooden houses provides a lot of
> resistance to a whole-city conflagration. It doesn't provide absolute
> immunity from fires for every house in the city.

Three things come immediately to my mind:

1) Make-up of user base. Generally not understanding the nature and aspects of a programmable, general purpose computer connected to a world-wide network.

2) Size of target. If you're going to cause havoc, why not cause havoc in the largest population? If you're going to study how to break into safes, why not study the ones in most common use? I don't buy the monoculture argument. Sure, it has some validity, but can you imagine explaining to users of 40 different platforms and applications how to secure their systems? While we might not have worms, we'll have worse...silent parasites. Besides, there are very strong advantages to a standard platform. TCP/IP is a monoculture. HTTP/HTML is a monoculture. i86 is a monoculture. We had the BSD/SystemV/POSIX wars. We're having the BSD and linux wars. Do you really want to live in a world with completely fragmented platforms...one without the common APIs we've been trying for decades to achieve?

3) Microsoft's steadfast refusal to ship systems in a "NO listening ports configuration" by default. Cripe, now we've got anonymous, distributed file storage on how many Windows XP Shared Documents folders all over the Internet available to anyone that wants it, not to mention a hack or infection in waiting with every new install of 2000 or XP because netbios/RPC is shipped in the open state. This isn't a problem of not having a firewall. It's a problem of shipping a system in a state presenting unnecessary risk for the vast population of users of that system. Bad, nay, irresponsible, business decision IMHO.
[Full-Disclosure] Anyone running SUS see the content update today?
Seems like tonight Microsoft re-released all the updates from last week. Anyone else see this?

Anyone know why all the updates from last week got re-released and some of them show up as new rather than updated, even though the KB articles in the description are last week's patches?

-Josh
Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
In some mail from Bruce Ediger, sie said:
>
> The real questions go something like:
>
> "Source code for Unix viruses has been available for years, from sources
> almost too numerous to mention. Why haven't Unix viruses become epidemic
> the way that Windows viruses have?"

How quickly we forget "modern" history...but then my guess is that most of the people who do IT security today are...

I found this quickly via google:

http://legacy.eos.ncsu.edu/eos/info/computer_ethics/abuse/wvt/worm/lecture.html

There are numerous differences between that worm and the ones we have taking out servers left, right and centre today. If the worm programmers of today were half as capable as the author of that worm, we'd be in a LOT more trouble. But what you've got to realise is this... the network that makes these attacks possible is the very same network that miscreants have to use (mostly) to chat with peers, get their daily intake of warez, porn, music, etc. so to make the 'net unusable is to also deny themselves some enjoyment (well, that's my theory anyway :)

> To extend your "wooden house" analogy a bit:

This was just another bad analogy. I'd encourage people to stop using analogies and just explain whatever it is in 'native' terms.

Darren
Re: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
On Wed, 22 Oct 2003, Peter Busser wrote:

> Because Linux people in general seem to be more concerned about speed and
> features than about security. For example, the only reason Linux Security
> Modules (LSM) have been included in the kernel, is that they don't have a
> performance impact on users who do not load any security modules. People have
...
> In general people seem to believe that Linux is either secure or can be made
> secure by removing packages and unused services. This belief that Linux is
> already secure makes people uninterested in security. Why improve something
...
> People apparently do not realise that a wooden house is not sufficient to
> protect against the big bad wolf. And there is currently no brick house to flee
> to when the wolf comes...

OK. No quibble from me about the absolute security of any particular operating system. But arguments like "linux viruses are possible" or "NetBSD has security flaws, too" don't address real questions, and they approach being vacuous truisms.

The real questions go something like:

"Source code for Unix viruses has been available for years, from sources almost too numerous to mention. Why haven't Unix viruses become epidemic the way that Windows viruses have?"

"Security problems of the same magnitude as .ida buffer overflows, or MSRPC buffer overflows exist in unix programs like Sendmail and others. Why hasn't a worm materialized for this problem?"

"The scalper worm didn't affect nearly as many hosts as msblast did. Why not? Why did the scalper worm seem to die out, yet wormwatch.org still records many hits from much older worms like SQLSpida and Nimda?"

And I guess you can generalize and ask why the Windows "culture" generates so many problems of such a magnitude, that last so long? My home office web server got a Code Red hit on Sept 19th 2003, for example. Other computing cultures (Unix, Mac, etc) don't seem to exhibit this. Why not?

Shouldn't we focus our efforts on figuring out what aspects of Linux or Mac cultures keep epidemics from occurring? It's certainly a waste of breath to point out that OS X has horrendous security flaws when none of them turn into grotesque epidemics like Sobig.f.

To extend your "wooden house" analogy a bit: In a city made entirely of wooden houses, a single house fire is way more likely to level the city than in a city with a mix of wooden, brick and vinyl-sided houses. Having the occasional brick house mixed in with the wooden houses provides a lot of resistance to a whole-city conflagration. It doesn't provide absolute immunity from fires for every house in the city.
RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
On Wed, 22 Oct 2003, Curt Purdy wrote:

>> http://www.linuxunlimited.com/why-linux.htm
>> ``Properly configured and maintained, Linux is one of the
>> most secure operating systems available today.''
>
> The key words here are "properly configured".

Well, once "properly configured", pretty much _any_ operating system would make it to the top 0.01% of the most secure boxes in the world. I do not know a single popular OS that would limit your abilities to harden it up to a point where it is impossible to do it effectively. I know plenty of systems that lack some nice features, and that make it difficult to configure and manage overall system security features in a reasonable manner to make it possible for a "seasoned novice" to find out what has to be done, and to fine-tune his OS without breaking some stuff or making it worse.

It's just a matter of how easy it is to properly configure and secure your system (far beyond downloading most recent patches), and how much control _and_ supervision you're given over this process. Popular Linux releases do not score remarkably higher than other well-known OSes in the above.

--
- bash$ :(){ :|:&};: -- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors? --- 2003-10-23 01:34 --
http://lcamtuf.coredump.cx/photo/current/
RE: [inbox] Re: [Full-Disclosure] RE: Linux (in)security
> > I have never heard of a Linux vendor saying that Linux is "secure out of the
> > box."
>
> More than enough people assert that Linux is secure. Just enter "Linux is
> secure" in Google and you see what I mean:
>
> http://www.linuxunlimited.com/why-linux.htm
> ``Properly configured and maintained, Linux is one of the most secure operating
> systems available today.''

The key words here are "properly configured". One of the following links talked about the model being based on UNIX; true, but the implementation is quite different. Take FreeBSD 5.1: though more solid than any first release of Linux, it is still referred to as a "New Technology Release", basically synonymous with beta. Their "Production" release is 4.8, which I have on some of our servers (not running a gui). I have 5.1 as well as Linux on workstations.

Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions

If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke
Re: [Full-Disclosure] RE: Linux (in)security
On Wed, Oct 22, 2003 at 04:10:53PM -0400, Arcturus wrote:
[snip]
> In lieu of securing the actual box, we put a firewall (running linux/unix)
> in front of it. Then, we use a simple approach of "that which is not
> expressly allowed, is expressly denied" in our policies, and voila.
> Secured.

It might be better to say "protected from attacks sourced from the other side of the firewall and directed at ports that we filter."

[snip]
> Just for the record, this was written in Outlook, and sent out via a secured
> system, that happens to run a Microsoft OS.

I'd never have guessed:

> "It's not the OS, it's the operator"

--Foofus.
Re: [Full-Disclosure] RE: Linux (in)security
On Wednesday 22 October 2003 13:10, Arcturus wrote:
> Just for the record, this was written in Outlook, and sent out via a
> secured system, that happens to run a Microsoft OS.

So this explains your "top posting". ;-)

I live dangerously. This is a Debian Experimental/Unstable system - with KMail from KDE CVS HEAD.

--
Jeremiah Cornelius, CISSP, CCNA, MCSE
farm9 Information Security
email: [EMAIL PROTECTED]
Phone: 510.835.3276
mobile: 415.235.7689

WARNING: This product attracts every other piece of matter in the Universe, including the products of other manufacturers, with a force proportional to the product of the masses and inversely proportional to the distance between them.
Re: [Full-Disclosure] RE: Linux (in)security
>> Linux in the hands of someone with no interest or regard for security is
>> the same as Windows or any other OS in the hands of the same clueless
>> individual. The main difference between the Linux and Unix variants (i.e.
>> BSD, Solaris, HP-UX) is that they have already learned their lesson
>> regarding buffer overflows and kernel hardening and allowed the user more
>> control in securing their systems.
>
> This is repeated over and over again, but it is simply not entirely true. It
> may protect against script kiddies, but not against more sophisticated
> crackers. The following URL proves that:
>
> http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it
>
> Both persons in this conversation have a Linux box which:
> 1) Has the latest security patches installed and
> 2) Is only running the necessary services.
>
> In other words, boxes that have ``been made secure by their users''.

Hi Peter,

You're investing a significant amount of time into convincing us that linux boxes sitting on the internet (even when completely up to date and reasonably locked down) aren't 100% secure. Rest easy, each and every one of us knows this.

The point raised by others in this thread (which you seem to object to, although you haven't really responded to) is that linux (operated by a knowledgeable user) is 'stronger' than a similar Microsoft box. This, you should have realized immediately, is one of those my-dad-can-beat-up-your-dad type arguments which really don't deserve a response.

Cheers,
Cael
Re: [Full-Disclosure] Need help to find web server attacks signature
I'm currently seeing this scenario:

1. The person gets on the web site with his browser (ie6 on xp); we see some valid GETs at the beginning.

2. The person ran one of these tools:
   Nikto : http://www.cirt.net/code/nikto.shtml
   Whisker : http://sourceforge.net/projects/whisker/
   N-Stealth : http://www.nstalker.com/nstealth/
   Retina: http://www.eeye.com/html/Products/Retina/
   or another...

3. The person retries the website to get some URLs; we see some other valid GETs further on.

4. The person either ran another tool on specific URLs, like Paul just said.

The source IP isn't listed in DShield or mynetwatchman.

The server doesn't show any weird behavior, nor is there weird traffic going on.

We are thinking URLScan did a good job :)

Thanks all for your replies

---
Maxime Ducharme
Network Administrator, Programmer

----- Original Message -----
From: "Schmehl, Paul L" <[EMAIL PROTECTED]>
To: "Maxime Ducharme" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 4:05 PM
Subject: RE: [Full-Disclosure] Need help to find web server attacks signature

> > -----Original Message-----
> > From: Maxime Ducharme [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, October 22, 2003 12:40 PM
> > To: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] Need help to find web server
> > attacks signature
> >
> >
> > Hi all,
> > i'd need help to identify an attack that happened on one
> > of our customer's web server yesterday, I put the log file
> > here :
> > http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
>
> Looks like a vuln scanner that's designed to try a number of default
> install mistakes to see if anything works. The previous poster may be
> correct that it was NIKTO. Could also be whisker or stealth.
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
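As an added example (not code from Maxime's or Paul's posts, and not derived from the linked log file), here is a small Python detector for the footprint Maxime describes: a few valid GETs from a client, then a burst of requests for many distinct, mostly non-existent paths, which is what a default-install scanner leaves in an IIS W3C log. The log lines, addresses and path names are constructed, and the thresholds are assumptions to be tuned per site.

```python
"""Flag scanner-style request bursts in IIS W3C extended log lines.

Added example: the sample log below is constructed, not the customer's
log from the thread. The #Fields line is assumed to include date, time,
c-ip, cs-uri-stem and sc-status (IIS 5.0 defaults).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions; tune them per site. A burst is one client
# sending MIN_REQUESTS or more requests inside WINDOW, touching at least
# MIN_DISTINCT distinct paths, with ERROR_RATIO of them answered 4xx.
WINDOW = timedelta(seconds=60)
MIN_REQUESTS = 20
MIN_DISTINCT = 15
ERROR_RATIO = 0.8


def build_sample_log():
    """Constructed IIS 5.0 W3C log reproducing Maxime's steps 1-3."""
    lines = ["#Software: Microsoft Internet Information Services 5.0",
             "#Fields: date time c-ip cs-method cs-uri-stem sc-status"]

    def add(time, ip, uri, status):
        lines.append(f"2003-10-21 {time} {ip} GET {uri} {status}")

    # Step 1: ordinary browsing from the visitor (TEST-NET address).
    add("14:02:01", "192.0.2.10", "/default.htm", 200)
    add("14:02:03", "192.0.2.10", "/images/logo.gif", 200)
    # Step 2: scanner run, 40 guessed paths in 40 seconds, 90% of them 404.
    for i in range(40):
        status = 200 if i % 10 == 0 else 404
        add(f"14:05:{i:02d}", "192.0.2.10", f"/guess-{i:03d}.asp", status)
    # Step 3: the visitor comes back for real pages.
    add("14:09:30", "192.0.2.10", "/products.asp", 200)
    # A second client with a single broken link must not be flagged.
    add("14:06:00", "198.51.100.7", "/default.htm", 200)
    add("14:06:05", "198.51.100.7", "/old-link.htm", 404)
    add("14:06:09", "198.51.100.7", "/contact.asp", 200)
    return "\n".join(lines) + "\n"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the #Fields names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting the run
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}",
                                      "%Y-%m-%d %H:%M:%S")
        yield rec


def find_scan_bursts(records):
    """Return one alert per client whose traffic matched the burst rule."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec)

    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        first = last = None
        start = 0
        for end in range(len(recs)):
            # Slide the window so it never spans more than WINDOW.
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            if len(window) < MIN_REQUESTS:
                continue
            distinct = {r["cs-uri-stem"] for r in window}
            errors = sum(r["sc-status"].startswith("4") for r in window)
            if len(distinct) >= MIN_DISTINCT and errors / len(window) >= ERROR_RATIO:
                if first is None:
                    first = window[0]["ts"]
                last = window[-1]["ts"]
        if first is not None:
            burst = [r for r in recs if first <= r["ts"] <= last]
            alerts.append({
                "c-ip": ip,
                "first": first,
                "last": last,
                "requests": len(burst),
                "distinct": len({r["cs-uri-stem"] for r in burst}),
                "errors": sum(r["sc-status"].startswith("4") for r in burst),
            })
    return alerts


def scan_sample():
    """Run the detector over the constructed log."""
    return find_scan_bursts(parse_w3c(build_sample_log()))


if __name__ == "__main__":
    for a in scan_sample():
        print(f"{a['c-ip']}: {a['requests']} requests for {a['distinct']} paths, "
              f"{a['errors']} client errors, {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

Against a real log, feed the file contents to parse_w3c and raise MIN_DISTINCT if the site legitimately serves many distinct paths per minute.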
RE: [Full-Disclosure] Need help to find web server attacks signature
> -----Original Message-----
> From: Maxime Ducharme [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 22, 2003 12:40 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Need help to find web server
> attacks signature
>
>
> Hi all,
> i'd need help to identify an attack that happened on one
> of our customer's web server yesterday, I put the log file
> here :
> http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

Looks like a vuln scanner that's designed to try a number of default install mistakes to see if anything works. The previous poster may be correct that it was NIKTO. Could also be whisker or stealth.

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
RE: [Full-Disclosure] RE: Linux (in)security
Ahh, True, true, but:

For those of us who secure Microsoft Systems and Networks for fun and profit, we understand the vulnerabilities just as you do for your linux/unix systems. We simply use alternate approaches to security. In lieu of securing the actual box, we put a firewall (running linux/unix) in front of it. Then, we use a simple approach of "that which is not expressly allowed, is expressly denied" in our policies, and voila. Secured.

Now OF COURSE, I am over simplifying; it wouldn't matter what type of system was behind the firewall if the rules were not tight enough, but the simple fact still remains: The majority of the world's corporations are using Microsoft for their platform of choice, so we are simply changing with the times...

Just for the record, this was written in Outlook, and sent out via a secured system, that happens to run a Microsoft OS.

I would completely agree with Edward, "It's not the OS, it's the operator"

Just my 2¢, YMMV.

Arcturus.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Edward W. Ray
Sent: Wednesday, October 22, 2003 1:16 PM
To: 'Thomas Binder'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] RE: Linux (in)security

There seems to be this tendency in every market to have the product with the most widgets at the least cost. Security vendors are out there selling a "one size fits all" solution to all of your security problems these days.

I have never heard of a Linux vendor saying that Linux is "secure out of the box." Maybe Openwall or Engarde Linux, but most distros need to be made secure by the user.

Linux in the hands of someone with no interest or regard for security is the same as Windows or any other OS in the hands of the same clueless individual. The main difference between the Linux and Unix variants (i.e. BSD, Solaris, HP-UX) is that they have already learned their lesson regarding buffer overflows and kernel hardening and allowed the user more control in securing their systems. M$ has not, and that is unfortunate.

Edward W. Ray

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas Binder
Sent: Wednesday, October 22, 2003 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] RE: Linux (in)security

Hi!

On Wed, Oct 22, 2003 at 09:12:12AM -0500, Schmehl, Paul L wrote:
> Now, lest you get your hopes up and think it's possible to change the
> world, read this:
>
> http://www.ukauthority.com/articles/story898.asp
>
> After reading this, I had a good cry and then took some aspirin.
> :-(

Of course, what they do not (and most likely cannot) mention is how many of the passwords entered were just random keystrokes instead of a real world password. In fact, I tend to advise people not to completely refuse giving their password / PIN / etc. when asked for by someone, but to reluctantly "disclose" something completely wrong. This way, the attacker might think he's won and - depending on the attacked system - effectively locks the account he wants to break into.

Ciao

Thomas

--
It is better to never have tried anything than to have tried something and failed.
- motto of jerks, weenies and losers everywhere
Re: [Full-Disclosure] RE: Linux (in)security
Hi!

> I have never heard of a Linux vendor saying that Linux is "secure out of the
> box." Maybe Openwall or Engarde Linux, but most distros need to be made
> secure by the user.

More than enough people assert that Linux is secure. Just enter "Linux is secure" in Google and you see what I mean:

http://www.linuxunlimited.com/why-linux.htm
``Properly configured and maintained, Linux is one of the most secure operating systems available today.''

http://www.faqs.org/docs/linux_intro/sect_01_04.html
``The security model used in Linux is based on the UNIX idea of security, which is known to be robust and of proven quality. But Linux is not only fit for use as a fort against enemy attacks from the Internet: it will adapt equally to other situations, utilizing the same high standards for security. Your development machine or control station will be as secure as your firewall.''

Note: The UNIX idea of security: You can trust users, especially the administrator (root).

http://www.usermode.org/docs/whatslinux.html
http://news.zdnet.co.uk/software/linuxunix/0,39020390,2075966,00.htm
``Linux is as secure as you can make a computer,''
``First of all, Unix [on which Linux is based] is the paradigm that the computer is the network, so Linux is secure from the ground up.''

http://www.suse.co.uk/uk/company/schools/sheet.pdf
``As a desktop operating system Linux is secure, stable and easy to use.''
(SuSE is a vendor BTW)

http://www.bio-itworld.com/news/022503_report2077.html
``The certification is "additional validation" that Linux is secure, ...''

The list goes on and on and on.

> Linux in the hands of someone with no interest or regard for security is the
> same as Windows or any other OS in the hands of the same clueless
> individual. The main difference between the Linux and Unix variants (i.e.
> BSD, Solaris, HP-UX) is that they have already learned their lesson regarding
> buffer overflows and kernel hardening and allowed the user more control in
> securing their systems.

This is repeated over and over again, but it is simply not entirely true. It may protect against script kiddies, but not against more sophisticated crackers. The following URL proves that:

http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it

Both persons in this conversation have a Linux box which:
1) Has the latest security patches installed and
2) Is only running the necessary services.

In other words, boxes that have ``been made secure by their users''.

> M$ has not, and that is unfortunate.

Flaws in other products do not make Linux more secure.

Greetings,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/
Re: [Full-Disclosure] RE: Linux (in)security
On Wed, 22 Oct 2003, Kenton Smith wrote:

> What I find interesting about this is that the survey was done by a
> company that sells security services. And of course I'm sure the news
> release was put out by them as well.

Exactly. What most people don't seem to understand is that the people issuing the survey have a vested interest. Unless I can verify the method used and believe they have no vested interest I will automatically assume they had an agenda to push. It seems a lot of people see things the other way and accept the results unless they are shown to be false. As security types we do seem to be more cynical than most ;)

Btw, I gave them feedback that their results were a joke because they couldn't verify that the passwords they were given were valid. I invite others to respond to them too (the url was available in the thread previously).

Rob

--
Robert Brockway B.Sc. email: [EMAIL PROTECTED], [EMAIL PROTECTED]
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
RE: [Full-Disclosure] Windows hosts file changing.
Well, this isn't my specific computer. So, I have no real control at what they screw up on it. They just expect me to fix it. -_-

~

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:full-disclosure-
> [EMAIL PROTECTED] On Behalf Of Austin Ehlers
> Sent: Wednesday, October 22, 2003 6:54 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Windows hosts file changing.
>
> Why are you browsing the internet on an Administrator account? The HOSTS
> file is only editable by Admin accounts. Never never never do daily work
> from an account with full privileges, that's what the Power Users' group
> is for. Admin accounts are for maintenance-only (installing and configuring
> s/w), not general work.
>
> Austin Ehlers
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Kevin Gerry
> > Sent: Wednesday, October 22, 2003 03:01 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Full-Disclosure] Windows hosts file changing.
> >
> > Does -ANYBODY- know how it occurs?
> >
> > I've had this happen to a couple boxes of mine now...
> >
> > New one:
> > --
> > 127.0.0.1 localhost
> > 66.40.16.131 livesexlist.com
> > 66.40.16.131 lanasbigboobs.com
> > 66.40.16.131 thumbnailpost.com
> > 66.40.16.131 adult-series.com
> > 66.40.16.131 www.livesexlist.com
> > 66.40.16.131 www.lanasbigboobs.com
> > 66.40.16.131 www.thumbnailpost.com
> > 66.40.16.131 www.adult-series.com
> > --
> >
> > Any idea how the search site is replacing that? =/ It's starting to
> > piss me off =/ I had some custom information in there that's now
> > overwritten (Not backed up)
> >
> > Thanks =/
[Full-Disclosure] Re: Need help to find web server attacks signature
More weird stuff beginning, we see some HTTP GETs which contain this information :

Accept: */*
Host: website.domain.com
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
---: :-- --: -

We got this via tcpdump. There is no other HTTP information. 2 headers are "hidden" and replaced with "-" char.

It looks like a bot (GET many times on many pages) and the source is in this block :
81.62.0.0 - 81.62.255.255 BLUEWINNET
which is not the same as the one used for our attack yesterday.

Any thoughts on these "hidden" HTTP headers ?

Thanks again

---
Maxime Ducharme
Network administrator, Programmer
E-Mail : [EMAIL PROTECTED]
PGP public key : http://pandore-design.com/pgp/maxime.asc
Pandore-Design [http://www.pandore-design.com]
Tel : (866) 961-9321
Fax : (866) 961-9943

----- Original Message -----
From: "Maxime Ducharme" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 1:40 PM
Subject: Need help to find web server attacks signature

> Hi all,
> I'd need help to identify an attack that happened on one of our
> customer's web servers yesterday. I put the log file here :
> http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt
>
> I see some attacks that seem to be a security scanner tool,
> and some attacks which target specific pages of the web site
> (where we begin to see 200 responses from the web server).
>
> Does someone recognize a tool / virus / worm in this ?
>
> Thanks in advance for help
>
> ---
> Maxime Ducharme
> Network administrator, Programmer
Re: [Full-Disclosure] AT&T early warning system
On Sat, Oct 18, 2003 at 12:27:23PM -0400, Hoho wrote:
>
> Doesn't it seem like they're trying to violate causality? If the worm
> doesn't exist yet, then its associated traffic doesn't exist yet, hence
> there's nothing to detect. Wonder what those 'anomalies' were. Seems no
> more effective than just watching MS security patches and reading FD.
> --

Perhaps they were using memetic trending, which does violate causality, but works pretty well nonetheless.

-Jimmy
RE: [Full-Disclosure] Need help to find web server attacks signature
Hmmm, looks like a Nikto scan from what I see. I'll verify though.

Sonny Discini
Network Security Engineer
Department of Technical Services
Enterprise Infrastructure Division
Montgomery County Government

-----Original Message-----
From: Maxime Ducharme [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 1:40 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Need help to find web server attacks signature

Hi all,
I'd need help to identify an attack that happened on one of our customer's web servers yesterday. I put the log file here :
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be a security scanner tool, and some attacks which target specific pages of the web site (where we begin to see 200 responses from the web server).

Does someone recognize a tool / virus / worm in this ?

Thanks in advance for help

---
Maxime Ducharme
Network administrator, Programmer
Re: [Full-Disclosure] RE: Linux (in)security
Shawn McMahon wrote:
> Schmehl, Paul L wrote:
> > Now, lest you get your hopes up and think it's possible to change the
> > world, read this:
> >
> > http://www.ukauthority.com/articles/story898.asp
>
> Ok, I read that as "we asked them to enter their password, and 15% of them
> typed something in response". I don't see where it says they verified that
> this was indeed the person's password. I'd have typed something in there
> too; probably "your password".

I don't know a security expert that has only one password. I'd prob type some gibberish, or maybe "your password".
(I don't include windows-wizard-engineers that have only one password because everything is in 1 big AD)

Gr,
Ivo
[Full-Disclosure] Need help to find web server attacks signature
Hi all,
I'd need help to identify an attack that happened on one of our customer's web servers yesterday. I put the log file here :
http://www.pandore-design.com/security/2003-10-21-IIS-attack.txt

I see some attacks that seem to be a security scanner tool, and some attacks which target specific pages of the web site (where we begin to see 200 responses from the web server).

Does someone recognize a tool / virus / worm in this ?

Thanks in advance for help

---
Maxime Ducharme
Network administrator, Programmer
Re: [Full-Disclosure] RE: Linux (in)security
What I find interesting about this is that the survey was done by a company that sells security services. And of course I'm sure the news release was put out by them as well. Why not show in-house IT staff as being just as stupid as any other user. Sales pitch; "You need our services because your administrator was tricked into giving his password in an online survey."

On Wed, 2003-10-22 at 08:12, Schmehl, Paul L wrote:
> > -----Original Message-----
> > From: Peter Busser [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 22, 2003 3:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
> >
> > In general people seem to believe that Linux is either secure
> > or can be made secure by removing packages and unused
> > services. This belief that Linux is already secure makes
> > people uninterested in security. Why improve something that
> > is already sufficient? Besides that, it is more rewarding to
> > write a new window manager providing more and faster flashy
> > eye candy than to fix potential memory allocation problems
> > that no one ever notices. Well, until it becomes a problem that is.
>
> Is it any wonder? With thousands of rabid slashdotters cajoling their
> friends into switching to Linux because "it's secure out of the box" and
> "it can't be infected like Windows", what would anyone expect? The same
> idiots that can't keep a Windows box from being owned are now using
> Linux. And the result is the same.
>
> Now, lest you get your hopes up and think it's possible to change the
> world, read this:
>
> http://www.ukauthority.com/articles/story898.asp
>
> After reading this, I had a good cry and then took some aspirin. :-(
>
> Paul Schmehl ([EMAIL PROTECTED])
> Adjunct Information Security Officer
> The University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/~pauls/
RE: [Full-Disclosure] RE: Linux (in)security
There seems to be this tendency in every market to have the product with the most widgets at the least cost. Security vendors are out there selling a "one size fits all" solution to all of your security problems these days. I have never heard of a Linux vendor saying that Linux is "secure out of the box." Maybe Openwall or Engarde Linux, but most distros need to be made secure by the user.

Linux in the hands of someone with no interest or regard for security is the same as Windows or any other OS in the hands of the same clueless individual. The main difference between the Linux and Unix variants (i.e. BSD, Solaris, HP-UX) is that they have already learned their lesson regarding buffer overflows and kernel hardening and allowed the user more control in securing their systems. M$ has not, and that is unfortunate.

Edward W. Ray

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Binder
Sent: Wednesday, October 22, 2003 8:39 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] RE: Linux (in)security

Hi!

On Wed, Oct 22, 2003 at 09:12:12AM -0500, Schmehl, Paul L wrote:
> Now, lest you get your hopes up and think it's possible to change the
> world, read this:
>
> http://www.ukauthority.com/articles/story898.asp
>
> After reading this, I had a good cry and then took some aspirin.
> :-(

Of course, what they do not (and most likely cannot) mention is how many of the passwords entered were just random keystrokes instead of a real world password.

In fact, I tend to advise people not to completely refuse giving their password / PIN / etc. when asked for by someone, but to reluctantly "disclose" something completely wrong. This way, the attacker might think he's won and - depending on the attacked system - effectively locks the account he wants to break into.

Ciao

Thomas

--
It is better to never have tried anything than to have tried something and failed.
- motto of jerks, weenies and losers everywhere
[Full-Disclosure] WSTI03 Honeypots conference
The Workshop on Security of Information Technologies will take place in Algiers (Algeria).

The official site for the WSTI03 is:
http://leria.epitech.net/wsti03/en/

During this I will hold a conference about Honeypots. The topic of the conference is "honeypots: a blackhat point of view".

It will be composed of 4 parts:
- What is and what are the targets of a honeypot. *why*
- How to grow it up. *how*
- How to *hack* it, understanding we have been "trapped" into a honeypot, how to modify and confuse results, and in some special cases how to break out of a honeypot. *hack*
- Conclusions and ethical questions. *ethic*

I will release a paper about the third and the fourth part for interested people.

Thank you in advance,
Davide Del Vecchio.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri"
[EMAIL PROTECTED]
http://www.alighieri.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[Full-Disclosure] Fun with /bin/ls, yet still ls better than windows
Georgi Guninski security advisory #62, 2003

Fun with /bin/ls, yet still ls better than windows

Systems affected:
coreutils - /bin/ls, wu-ftpd DoS
Fixed in CVS

Risk: Low
Date: 22 October 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL:
http://www.guninski.com/binls.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
/bin/ls is used in wu-ftpd. There is remote denial of service involving /bin/ls - the result is great memory consumption. In addition, there is an integer overflow in /bin/ls, which seems non exploitable.

Details:
To check the DoS attack, in wu-ftpd try:
ls "-w 100 -C"

The integer overflow is demonstrated by this:
-
valgrind /bin/ls -w 1073741828 -C
==21243== Invalid write of size 4
==21243==    at 0x804E498: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)
==21243==    by 0x804B721: (within /bin/ls)
==21243==    by 0x8049F74: (within /bin/ls)
==21243==  Address 0x41430CC8 is 8 bytes after a block of size 8 alloc'd
==21243==    at 0x40160504: malloc (vg_clientfuncs.c:100)
==21243==    by 0x80534D0: (within /bin/ls)
==21243==    by 0x804E4FB: (within /bin/ls)
==21243==    by 0x804CC3C: (within /bin/ls)

The heap is quite screwed, but ls is killed by the kernel due to memory usage.

Vendor status:
coreutils developers were notified on Sun, 12 Oct 2003
It was fixed in CVS on the same day.
Fix in this thread:
http://mail.gnu.org/archive/html/bug-coreutils/2003-10/msg00070.html

Regards,
Georgi Guninski
http://www.guninski.com
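The arithmetic behind that -w value, as an added example in C (not code from the advisory or from coreutils). It assumes the column-layout code needs one 4-byte element per unit of width (sizeof(size_t) on the 32-bit builds of the day) and computes the size in a 32-bit unsigned type; under those assumptions a width of 1073741828 wraps to a 16-byte request, the same class of undersized block the valgrind trace shows being overrun. The checked variant refuses the request before any allocation happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed per-column element size: sizeof(size_t) on a 32-bit build. */
#define ELEM_SIZE 4u

/* Unchecked multiply in a 32-bit size type: width * 4 silently wraps
 * once width exceeds 2^30. 1073741828 * 4 = 2^32 + 16, so the result is 16. */
uint32_t bytes_needed_naive(uint32_t width)
{
    return width * ELEM_SIZE;
}

/* Checked multiply: returns 0 and stores the size on success, -1 when
 * width * ELEM_SIZE would not fit in 32 bits. The division-based test
 * cannot itself overflow, which is why it is preferred over testing
 * the product after the fact. */
int bytes_needed_checked(uint32_t width, uint32_t *out)
{
    if (width > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = width * ELEM_SIZE;
    return 0;
}

/* Convenience predicate for validating the -w argument up front. */
int width_overflows(uint32_t width)
{
    uint32_t unused;
    return bytes_needed_checked(width, &unused) != 0;
}

/* Stand-in for the allocation a column-formatting routine would make.
 * With the naive size, a request that should be 4 GiB becomes a 16-byte
 * block that a later per-column loop will write past; with the checked
 * size the request is refused. Returns the bytes reserved, or 0 if the
 * request was refused or malloc failed. */
uint32_t reserve_columns(uint32_t width, int checked)
{
    uint32_t n;
    if (checked) {
        if (bytes_needed_checked(width, &n) != 0)
            return 0;
    } else {
        n = bytes_needed_naive(width);
    }
    void *block = malloc(n);
    if (block == NULL)
        return 0;
    free(block);
    return n;
}

int main(void)
{
    uint32_t w = 1073741828u;   /* the -w value from the advisory */
    printf("naive:   %u bytes\n", bytes_needed_naive(w));
    printf("checked: %s\n", width_overflows(w) ? "refused (overflow)" : "ok");
    return 0;
}
```

The boundary is UINT32_MAX / 4 = 1073741823: that width still fits, one more does not, which is why the advisory's 1073741828 lands four elements past the wrap.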
RE: [Full-Disclosure] Sylpheed-claws format string bug, yet still sylpheed much better than windows
Hmm ... I think I missed the part where you explain your subject line ?

-----Original Message-----
From: Georgi Guninski [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 22 October 2003 16:50
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Sylpheed-claws format string bug, yet still sylpheed much better than windows

Georgi Guninski security advisory #61, 2003

Sylpheed-claws format string bug, yet still sylpheed much better than windows

Systems affected:
Sylpheed-claws 0.9.6 - 0.9.4
Fixed in CVS

Risk: Medium
Date: 22 October 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL:
http://www.guninski.com/sylph.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
There is an exploitable format string in sylpheed claws which may be exploited by a malicious SMTP server.

Details:
The problem seems in:
send_message.c
alertpanel_error_log(err_msg);
The format string is missing.

How to reproduce:
Create a test account with smtp server localhost:1234
Then do:
perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234
Then send a message.
Actual result - sylpheed crashes.

Vendor status:
Notified on Fri, 3 Oct 2003
It was fixed in CVS on the same day.

Fix:
http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send_message.c?r1=1.18&r2=1.19&diff_format=u

=== RCS file: /cvsroot/sylpheed-claws/sylpheed-claws/src/send_message.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- sylpheed-claws/sylpheed-claws/src/send_message.c2003/09/27 21:01:26 1.18 +++ sylpheed-claws/sylpheed-claws/src/send_message.c2003/10/03 17:39:39 1.19 @@ -608,7 +608,7 @@ if (log_msg) log_warning("%s\n", log_msg); if (err_msg) { - alertpanel_error_log(err_msg); + alertpanel_error_log("%s", err_msg); g_free(err_msg); } }

Regards,
Georgi Guninski
http://www.guninski.com
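Review bot: the one-line change to `alertpanel_error_log("%s", err_msg);` is the right fix, but nothing in the hunk stops the same mistake from being reintroduced at another call site; since the code is already on GLib (`g_free(err_msg)` in the same hunk), declaring `alertpanel_error_log` with `G_GNUC_PRINTF(1, 2)` would let the compiler flag any future call that passes a non-literal format. The safe pattern was already in use two lines up, in `log_warning("%s\n", log_msg);`, so the inconsistency between the two calls is what a review of the surrounding function should have caught.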
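The r1.18 and r1.19 call patterns side by side, as an added example in C (not sylpheed-claws code). alert_sink() is an assumed stand-in for a printf-style alert routine like the alertpanel_error_log() named in the advisory, rendering into a buffer instead of a dialog so the two results can be compared; the SMTP reply is constructed from the advisory's reproduction string with the %n dropped, so the vulnerable path only reads arguments it was never given and never writes memory.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define OUT_SZ 256

/* Assumed stand-in for a printf-style alert/log sink. It has no format
 * attribute, which is exactly why the vulnerable caller below compiles
 * without a peep from the compiler. */
static void alert_sink(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* r1.18 pattern: the text that came back from the SMTP server is handed
 * over as the format string, so every %-directive in it is interpreted
 * and pulls arguments that were never passed. */
void report_error_vulnerable(char *out, size_t outsz, const char *err_msg)
{
    alert_sink(out, outsz, err_msg);
}

/* r1.19 pattern: a literal format, with the server text as a plain
 * string argument. '%' characters in err_msg are copied, not parsed. */
void report_error_fixed(char *out, size_t outsz, const char *err_msg)
{
    alert_sink(out, outsz, "%s", err_msg);
}

/* 1 if the fixed path reproduces err_msg byte for byte. */
int fixed_is_verbatim(const char *err_msg)
{
    char out[OUT_SZ];
    report_error_fixed(out, sizeof out, err_msg);
    return strcmp(out, err_msg) == 0;
}

/* 1 if the vulnerable path changed the text, i.e. directives in the
 * server reply were consumed as format conversions. */
int vulnerable_interprets(const char *err_msg)
{
    char out[OUT_SZ];
    report_error_vulnerable(out, sizeof out, err_msg);
    return strcmp(out, err_msg) != 0;
}

int main(void)
{
    /* Constructed reply modelled on the advisory's "535 failed %x%x%n",
     * without the %n: %x only reads, so the demo leaks whatever sits in
     * the unused argument slots instead of writing to memory. */
    const char *reply = "535 failed %x%x";
    char out[OUT_SZ];
    report_error_vulnerable(out, sizeof out, reply);
    printf("vulnerable: %s\n", out);
    report_error_fixed(out, sizeof out, reply);
    printf("fixed:      %s\n", out);
    return 0;
}
```

Adding `__attribute__((format(printf, 3, 4)))` to alert_sink makes gcc and clang report the vulnerable call under -Wformat-security, which is the cheap way to keep this class of bug out of a code base after a fix like r1.19.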
RE: [Full-Disclosure] No Subject (re: openssh exploit code?)
Funny thing here is; fixing up openssh/ssl does not require a reboot, so 'downtime is minimal' if there's any real downtime at all. So, arguments about the effects on an ebusiness/work model are just plain stupid. At least for this patch/threat vector. hell, if there's real need for concern of 'downtime' limit exposure while working things out by filtering/firewalling access to the ssh port.

Now, there has been a lot of interesting discussion on this thread, thanks to all for 'sharing'. One point that strikes me on Mitch's arguments is that his stand puts him in an "anti-social" mode; "these are my work, my toys, and you can see nor play with them" I do like and appreciate many of Mitch's points, but, I think there's a far line being crossed when one wishes to remove themselves from the social model/norm. Especially in light of the fact that most folks keep trying to convince Mitch they do not want his toys, nor are they interested in his supplying them with any toys, they just seek information. Mitch's stand seems to play on the old/new line of 'knowledge/information being a commodity', which is pretty much the stance of the current security big business thing that kinda brought this list into existence. Mitch's stance seems to be rife with a moral code close to that which my father grew up in post WWII/depression. I'm not sure that clinging to the past is the proper way to proceed in the present... But, I have to concede, if Mitch does buy that solitary island in the ocean to seclude into, I might be interested in the far side lagoon.

Still reading, thanks,

Ron DuFresne

On Tue, 21 Oct 2003, Bassett, Mark wrote:

> If I have say.. 100 boxes with ssh on them I would not be likely to drop
> them all, install the patches and bring them back up for an exploit that
>
> *May** allow a remote attacker to corrupt heap memory
> Which in turn
> *could cause a denial-of-service condition.
>
> Furthermore
> It ***may*** also be possible for an attacker
> to execute arbitrary code."
>
> Sounds to me that they are saying.. well there might be a problem, we're
> just letting you know of the possibility.
>
> Mark Bassett
> Network Administrator
> World media company
> Omaha.com
> 402-898-2079
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, October 21, 2003 12:18 PM
> To: Schmehl, Paul L
> Cc: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] No Subject (re: openssh exploit code?)
>
> Hi Paul,
>
> I'm glad to see you are capable of a sensible response. I see
> your points and it's nothing I haven't heard before. The thing
> is, your arguments don't really hold any ground in this particular
> event.
>
> I've said all along that this issue has been publicly recognised
> as being a security issue from the getgo. Besides my personal
> beliefs that has been the main fuel behind my arguments against
> exploit or practical exploit methodology disclosure for an issue that is
> potentially devastating.
>
> Now you state the following:
>
> > Again, you miss the point entirely. The folks that have
> > asked you for more information are not looking for "fun".
> > They are trying to make real life decisions about taking down
> > critical systems for **unscheduled downtime** to patch them.
> > You fail to understand that many admins can't simply take
> > a system down because Mitch says they should. They need solid
> > arguments to take to their bosses to explain why this particular
> > system needs to be downed *today* rather than waiting for a
> > regularly scheduled maintenance window. When a worm comes out,
> > it's a no brainer. (But even then sometimes the bosses don't
> > believe you until they've been burned at least once.) But admins
> > can't take systems down every time someone cries "Patch now!
> > This is exploitable!"
>
> Your main argument being that you can't take some yahoo's word
> for it when they claim this issue is exploitable. The thing is
> you don't have to take some yahoo's word for it.
>
> Let me quote from CERT Advisory CA-2003-24:
>
> "There is a remotely exploitable vulnerability in a general buffer
> management function in versions of OpenSSH prior to 3.7.1. This may
> allow a remote attacker to corrupt heap memory which could cause a
> denial-of-service condition. It may also be possible for an attacker
> to execute arbitrary code."
>
> And although I hate to quote the child molesters at CERT on
> anything, it would seem to me that a CERT bulletin, which
> indicates the likely exploitability, of this issue is all
> the official leverage an admin would need to convince
> management of the need to patch no?
>
> So with that base covered, why is there still a need for admins
> to hunt exploit code on public forums, unwittingly shouting
> "look world, I haven't patched any mission critical systems on
> my network yet". It's a sad state of affairs when admins are
> forced to seek out proof beyond the bulleti
[Full-Disclosure] Worm Propagation Simulation (paper)
Greetings -

After several cycles through peer-review, I have decided to publish my paper on simulation of worm propagation algorithms. This was started as a means to find out just how bad things could in theory become. It concentrates on the propagation only, I do not discuss specific exploits and include only a small discussion of possible payloads.

You can find it at http://web.lemuria.org/security/WormPropagation.pdf

Some results: Very fast worms (aka flash worms) are possible. Wide-spread destruction of host systems is possible and will not slow down a properly written worm, contrary to popular opinion. I also show how such worms could work (discussion, no code).

--
PGP/GPG key: http://web.lemuria.org/pubkey.html
pub 1024D/2D7A04F5 2002-05-16 Tom Vogt <[EMAIL PROTECTED]>
Key fingerprint = C731 64D1 4BCF 4C20 48A4 29B2 BF01 9FA1 2D7A 04F5
Re: [Full-Disclosure] RE: Linux (in)security
Schmehl, Paul L wrote:
> Now, lest you get your hopes up and think it's possible to change the
> world, read this:
>
> http://www.ukauthority.com/articles/story898.asp

Ok, I read that as "we asked them to enter their password, and 15% of them typed something in response". I don't see where it says they verified that this was indeed the person's password. I'd have typed something in there too; probably "your password".
RE: [Full-Disclosure] RE: Linux (in)security
> Now, lest you get your hopes up and think it's possible to change the
> world, read this:
>
> http://www.ukauthority.com/articles/story898.asp
>
> After reading this, I had a good cry and then took some aspirin. :-(

"The final question in the survey asked respondents to enter their password to be included in a prize draw. Despite the fact that this information would give a hacker open-access to private IT networks, an incredible 15 percent of people opted to give their password - before the on-line survey pointed out their mistake."

And 14 of those 15% entered bogus passwords just to enter into the prize drawing. I'm sure there are some dumbasses out there, but why put in a real password when a fake one will do?

Mark Bassett
Network Administrator
World media company
Omaha.com
402-898-2079

-----Original Message-----
From: Schmehl, Paul L [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 9:12 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] RE: Linux (in)security
Re: [Full-Disclosure] RE: Linux (in)security
Hi!

On Wed, Oct 22, 2003 at 09:12:12AM -0500, Schmehl, Paul L wrote:
> Now, lest you get your hopes up and think it's possible to change the world, read this:
>
> http://www.ukauthority.com/articles/story898.asp
>
> After reading this, I had a good cry and then took some aspirin. :-(

Of course, what they do not (and most likely cannot) mention is how many of the passwords entered were just random keystrokes instead of a real-world password.

In fact, I tend to advise people not to completely refuse giving their password / PIN / etc. when asked for it by someone, but to reluctantly "disclose" something completely wrong. This way, the attacker might think he's won and - depending on the attacked system - effectively locks the account he wants to break into.

Ciao
Thomas

--
It is better to never have tried anything than to have tried something and failed.
- motto of jerks, weenies and losers everywhere
Re: [Full-Disclosure] Windows hosts file changing.
I have seen qhosts act in strange ways. Qhosts does indeed edit the HOSTS file, sometimes will add those registry keys but not all. Sometimes it will add the reg keys but leave the HOSTS file alone. I've seen it replace the real HOSTS file, and I've also seen it add a new HOSTS file into the temp directory. Qhosts doesn't always respond predictably from what I've seen.

Exibar

- Original Message -
From: "Brian Eckman" <[EMAIL PROTECTED]>
To: "David Gianndrea" <[EMAIL PROTECTED]>
Cc: "Kevin Gerry" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 9:50 AM
Subject: Re: [Full-Disclosure] Windows hosts file changing.

> David Gianndrea wrote:
> > Kind of sounds like this...
> >
> > http://vil.nai.com/vil/content/v_100719.htm
> >
> > Kevin Gerry wrote:
> >> Does -ANYBODY- know how it occurs?
> >>
> >> I've had this happen to a couple boxes of mine now...
> >>
> >> New one:
> >> --
> >> 127.0.0.1 localhost
> >> 66.40.16.131 livesexlist.com
> >> 66.40.16.131 lanasbigboobs.com
> >> 66.40.16.131 thumbnailpost.com
> >> 66.40.16.131 adult-series.com
> >> 66.40.16.131 www.livesexlist.com
> >> 66.40.16.131 www.lanasbigboobs.com
> >> 66.40.16.131 www.thumbnailpost.com
> >> 66.40.16.131 www.adult-series.com
> >> --
> >>
> >> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
> >>
> >> Thanks =/
>
> Actually, I don't think it sounds a damn thing like Qhosts.
>
> Qhosts modifies DHCP-issued DNS server settings in the registry, and creates a new HOSTS file and tweaks the registry to use that HOSTS file. It doesn't touch the original HOSTS file.
>
> This post exhibits no Qhosts behavior, and Qhosts doesn't exhibit any of this behavior. I think Daniel got it right - quit going to porn sites. Better yet, quit going to porn sites advertised in Spam.
>
> Also, to respond to another comment, the MS03-040 patch might *not* address this type of attack on a system. Internet Explorer fully patched with default settings *still* allows silent delivery and install of executables. POC was sent to this list weeks ago.
>
> Brian
> --
> Brian Eckman
> Security Analyst
> OIT Security and Assurance
> University of Minnesota
> 612-626-7737
>
> "There are 10 types of people in this world. Those who understand binary and those who don't."
Re: [Full-Disclosure] Windows hosts file changing.
On Wednesday 22 October 2003 4:01 am, Kevin Gerry wrote:
> Does -ANYBODY- know how it occurs?

This isn't Qhosts. It's a variant of the CoolWebSearch browser hijacker. Browsing the contact.htm page on the IP address given quickly reveals this site and CoolWebSearch are running the same scam under different names. The site's webmaster even has a link to the CWS removal tool and a "Don't blame me for trojaning you, blame Microsoft" message.

More info on CoolWebSearch:
http://www.spywareinfo.com/~merijn/cwschronicles.html

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/
[Full-Disclosure] Sylpheed-claws format string bug, yet still sylpheed much better than windows
Georgi Guninski security advisory #61, 2003

Sylpheed-claws format string bug, yet still sylpheed much better than windows

Systems affected: Sylpheed-claws 0.9.6 - 0.9.4
Fixed in CVS
Risk: Medium
Date: 22 October 2003

Legal Notice:
This Advisory is Copyright (c) 2003 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/sylph.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof.

Description:
There is an exploitable format string in sylpheed claws which may be exploited by a malicious SMTP server.

Details:
The problem seems to be in send_message.c:
alertpanel_error_log(err_msg);
The format string is missing.

How to reproduce:
Create a test account with smtp server localhost:1234
Then do:
perl -e 'print "535 failed %x%x%n\r\n"' | nc -l -p 1234
Then send a message.
Actual result - sylpheed crashes.

Vendor status:
Notified on Fri, 3 Oct 2003
It was fixed in CVS on the same day.
Fix:
http://cvs.sourceforge.net/viewcvs.py/sylpheed-claws/sylpheed-claws/src/send_message.c?r1=1.18&r2=1.19&diff_format=u

=== RCS file: /cvsroot/sylpheed-claws/sylpheed-claws/src/send_message.c,v retrieving revision 1.18 retrieving revision 1.19 diff -u -r1.18 -r1.19 --- sylpheed-claws/sylpheed-claws/src/send_message.c2003/09/27 21:01:26 1.18 +++ sylpheed-claws/sylpheed-claws/src/send_message.c2003/10/03 17:39:39 1.19 @@ -608,7 +608,7 @@ if (log_msg) log_warning("%s\n", log_msg); if (err_msg) { - alertpanel_error_log(err_msg); + alertpanel_error_log("%s", err_msg); g_free(err_msg); } }

Regards,
Georgi Guninski
http://www.guninski.com
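Review bot: the one-line fix is correct and matches the `log_warning("%s\n", log_msg)` call two lines above it in the same hunk, which already passes a constant format; what the hunk does not cover is any other `alertpanel_error_log()` caller that still hands the function a non-literal string. Suggest declaring `alertpanel_error_log` with a printf-style format attribute (`__attribute__((format(printf, 1, 2)))`) and building with `-Wformat -Wformat-security`, so the compiler reports every remaining `alertpanel_error_log(var)` in the tree, and giving the commit a message that names the server-supplied-error-text trigger so the change is not mistaken for a cosmetic cleanup.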
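The defect behind this advisory is the classic format-string mistake: text that arrived from the SMTP server is handed to a printf-style function as its format argument, so any `%x` or `%n` in a server reply is interpreted rather than displayed. As an added illustration (my own code, not Guninski's and not Sylpheed-claws'), the C below models what such a reply would be interpreted as, and shows the shape of the fix from the patch: a constant `"%s"` format with the untrusted text passed as an argument. All function names are mine; the sample reply is the one from the advisory's reproduction recipe. The unsafe call itself is deliberately not reproduced, because invoking printf with that string as a format is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Count the printf conversion directives that s would introduce if it were
 * (wrongly) used as the format argument. "%%" is a literal percent sign. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* escaped percent, not a directive */
        count++;
    }
    return count;
}

/* True if s contains a %n directive, the one that writes to memory. Flags,
 * width, precision and length modifiers between '%' and 'n' are skipped. */
int has_write_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;              /* "%%" */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (*p == 'n') return 1;
        if (!*p) break;                       /* lone '%' at end of string */
    }
    return 0;
}

/* The fixed call shape from the advisory's patch: the untrusted text goes in
 * as an argument to a constant "%s" format, so it is copied, never interpreted. */
int render_error_safe(char *buf, size_t n, const char *err_msg)
{
    return snprintf(buf, n, "%s", err_msg);
}

/* Does the safe path reproduce err_msg byte for byte? (1 = yes) */
int safe_render_is_literal(const char *err_msg)
{
    char buf[256];
    render_error_safe(buf, sizeof buf, err_msg);
    return strcmp(buf, err_msg) == 0;
}

int main(void)
{
    /* Constructed input: the server reply from the advisory's recipe. */
    const char *reply = "535 failed %x%x%n\r\n";
    char out[256];

    printf("directives: %d, contains %%n: %s\n",
           count_format_directives(reply),
           has_write_directive(reply) ? "yes" : "no");
    render_error_safe(out, sizeof out, reply);
    printf("rendered literally: %s", out);
    return 0;
}
```

The two scanning functions are what a defender can run over log lines or captured server replies to see how many directives a non-literal format call would have honoured; the presence of `%n` is what turns a read-and-crash into a write. The fix needs no such scanning: once the format is a constant, the content of `err_msg` is irrelevant.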
[Full-Disclosure] RE: Linux (in)security
> -Original Message-
> From: Peter Busser [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 3:10 AM
> To: [EMAIL PROTECTED]
> Subject: Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
>
> In general people seem to believe that Linux is either secure or can be made secure by removing packages and unused services. This belief that Linux is already secure makes people uninterested in security. Why improve something that is already sufficient? Besides that, it is more rewarding to write a new window manager providing more and faster flashy eye candy than to fix potential memory allocation problems that no one ever notices. Well, until it becomes a problem that is.

Is it any wonder? With thousands of rabid slashdotters cajoling their friends into switching to Linux because "it's secure out of the box" and "it can't be infected like Windows", what would anyone expect? The same idiots that can't keep a Windows box from being owned are now using Linux. And the result is the same.

Now, lest you get your hopes up and think it's possible to change the world, read this:
http://www.ukauthority.com/articles/story898.asp

After reading this, I had a good cry and then took some aspirin. :-(

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
Re: [Full-Disclosure] No Subject (re: openssh exploit code?)
Montana Tenor wrote:
> I agree with Mitch. Let's say you get an advisory that a severe thunderstorm may be coming your way. Do you wait until the wind and rain are blowing inside your house to close the windows and doors? Do you allow the kids to keep playing outside? You do the prudent thing. Instead of trying to brute-force Mitch into this, think about why doing the right thing to protect the long term interests of your business is the RIGHT thing to do.

Now let's say you get a severe thunderstorm WATCH. You're cooking dinner. Do you finish cooking dinner, or do you pitch it and seek shelter? You don't know, because all I told you was there was a watch; I didn't tell you anything else. Not every severe thunderstorm warning requires the same response, with the same alacrity. I used to be in radio, and I had to make exactly those choices; do I stay and broadcast, or is it time to shut down the transmitter? Do I have time to shut down the transmitter, or should I not even bother and just bolt for the shelter full speed?

Security isn't a binary decision; not every vulnerability requires immediate shutdown of every vulnerable service. It's about gathering information and mitigating risk. Sometimes the loss to your business of shutting off that service immediately is so great that the risk of a hard-to-exploit vulnerability that hasn't been seen to be exploited in the wild is not great enough to sustain that loss.

Let me put it this way; in between when the latest vulnerability is mentioned in Full Disclosure, and when the patch is released, tested, and installed, would you want to be told you could not ship any packages via FedEx or UPS because the necessary systems all had that service shut off while waiting for the patch? Would you want to be told that in order to make up for the shortfall in revenue of having done this, every package was going to cost $1 more to ship for the next few months?

For your home system with a handful of users, just doing without services may always be the right answer. For an easily exploited hole for which there is a particularly nasty worm running around right now, that might even be the right answer for a mission-critical system in a Fortune 500 corporation. It isn't the right answer every time for every vulnerability for every system in every company. We gather the information, and then we make the decisions. Management HAS to be involved in those decisions because the risk to the company of fixing the problem is just as important to consider as the risk of delaying the fix, or even of not doing the fix at all sometimes.

I don't have an example off the top of my head of the latter, although I can certainly come up with a couple of fixes delayed for months. I know of some systems at one of the two companies I mentioned above that had to delay a critical Windows fix for months because the alternative would have been all international flights being suspended. That would have been a big enough deal that it would have affected the economies of probably every country in the world negatively. No, I'm not saying any more than that about it, except to say that the fix has since been applied.
Re: [Full-Disclosure] Windows hosts file changing.
David Gianndrea wrote:
> Kind of sounds like this...
>
> http://vil.nai.com/vil/content/v_100719.htm
>
> Kevin Gerry wrote:
>> Does -ANYBODY- know how it occurs?
>>
>> I've had this happen to a couple boxes of mine now...
>>
>> New one:
>> --
>> 127.0.0.1 localhost
>> 66.40.16.131 livesexlist.com
>> 66.40.16.131 lanasbigboobs.com
>> 66.40.16.131 thumbnailpost.com
>> 66.40.16.131 adult-series.com
>> 66.40.16.131 www.livesexlist.com
>> 66.40.16.131 www.lanasbigboobs.com
>> 66.40.16.131 www.thumbnailpost.com
>> 66.40.16.131 www.adult-series.com
>> --
>>
>> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>>
>> Thanks =/

Actually, I don't think it sounds a damn thing like Qhosts.

Qhosts modifies DHCP-issued DNS server settings in the registry, and creates a new HOSTS file and tweaks the registry to use that HOSTS file. It doesn't touch the original HOSTS file.

This post exhibits no Qhosts behavior, and Qhosts doesn't exhibit any of this behavior. I think Daniel got it right - quit going to porn sites. Better yet, quit going to porn sites advertised in Spam.

Also, to respond to another comment, the MS03-040 patch might *not* address this type of attack on a system. Internet Explorer fully patched with default settings *still* allows silent delivery and install of executables. POC was sent to this list weeks ago.

Brian

--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737

"There are 10 types of people in this world. Those who understand binary and those who don't."
RE: [Full-Disclosure] Windows hosts file changing.
Why are you browsing the internet on an Administrator account? The HOSTS file is only editable by Admin accounts. Never never never do daily work from an account with full privileges; that's what the Power Users group is for. Admin accounts are for maintenance only (installing and configuring s/w), not general work.

Austin Ehlers

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kevin Gerry
> Sent: Wednesday, October 22, 2003 03:01 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Windows hosts file changing.
>
> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com
> 66.40.16.131 adult-series.com
> 66.40.16.131 www.livesexlist.com
> 66.40.16.131 www.lanasbigboobs.com
> 66.40.16.131 www.thumbnailpost.com
> 66.40.16.131 www.adult-series.com
> --
>
> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>
> Thanks =/
Re: [Full-Disclosure] Windows hosts file changing.
This sounds like qhosts.

http://vil.nai.com/vil/content/v_100719.htm

---Mike

At 04:01 AM 22/10/2003, Kevin Gerry wrote:
> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com
> 66.40.16.131 adult-series.com
> 66.40.16.131 www.livesexlist.com
> 66.40.16.131 www.lanasbigboobs.com
> 66.40.16.131 www.thumbnailpost.com
> 66.40.16.131 www.adult-series.com
> --
>
> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>
> Thanks =/
Re: [Full-Disclosure] Windows hosts file changing.
Kind of sounds like this...

http://vil.nai.com/vil/content/v_100719.htm

Kevin Gerry wrote:
> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com
> 66.40.16.131 adult-series.com
> 66.40.16.131 www.livesexlist.com
> 66.40.16.131 www.lanasbigboobs.com
> 66.40.16.131 www.thumbnailpost.com
> 66.40.16.131 www.adult-series.com
> --
>
> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>
> Thanks =/

--
David Gianndrea
Senior Network Engineer
Comsquared Systems, Inc.
Email: [EMAIL PROTECTED]
Web: www.comsquared.com
Re: [Full-Disclosure] Windows hosts file changing.
> > Does -ANYBODY- know how it occurs?
> >
> > I've had this happen to a couple boxes of mine now...
> >
> > New one:
> > --
> > 127.0.0.1 localhost
> > 66.40.16.131 livesexlist.com
> > 66.40.16.131 lanasbigboobs.com
> > 66.40.16.131 thumbnailpost.com
> > 66.40.16.131 adult-series.com
> > 66.40.16.131 www.livesexlist.com
> > 66.40.16.131 www.lanasbigboobs.com
> > 66.40.16.131 www.thumbnailpost.com
> > 66.40.16.131 www.adult-series.com
> > --

stop looking at pr0n?
Re: [Full-Disclosure] Windows hosts file changing.
- Original Message -
From: "Poof" <[EMAIL PROTECTED]>
To: "'V.O.'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 8:10 PM
Subject: RE: [Full-Disclosure] Windows hosts file changing.

> Hate to say...
>
> But no filesharing software is installed on this computer. And only legal software is installed.
>
> So... Nice try? =p
>
> Also, AdAware is installed. Along with an up to date virus scanner. Plus all email is scanned before it enters. (Up to date too).
>
> AdAware was run BEFORE the hosts file changed. Without any spyware found. And -AFTER- it was changed. Without any mention of any spyware (It was updated both times)
>
> So... Hrm? =/

Ad-Aware is NOT, unfortunately, successful at getting rid of a lot of things, though it does identify almost all things. It is also updated more frequently than Spybot, but the best bet is if you identify Registry entries with Adaware, run Spybot to get rid of them. Adaware WILL get rid of a lot of them but not all.

Greg.
Re: [Full-Disclosure] Windows hosts file changing.
- Original Message -
From: "Kevin Gerry" <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 4:01 AM
Subject: [Full-Disclosure] Windows hosts file changing.

> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com

Perhaps a variant of the QHosts virus which just exploits an IE vulnerability. Perhaps not even a "virus" per se. (It's kind of sketchy anyways to call Qhosts a virus.) Perhaps a user got an email and clicked on the URL and it sent them to a site that took advantage of their IE not being patched.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
http://vil.nai.com/vil/content/v_100719.htm

The MS03-040 patch addresses this type of attack on a system.

-Josh

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Windows hosts file changing.
It's some homegrown filter set up by one Evanchik, Michael [EMAIL PROTECTED] High Power Marketing LLC 37 Ranson street stamford, ct 06902 US 2035709385 on both of his domains - alanpickel.com and high-pow-er.com

Don't tell me you cannot use whois :)

Received: from LAW-MAIN.AlanPickel.com (mail.high-pow-er.com [205.179.82.194]) by mail1.tpgi.com.au (8.11.6/8.11.6) with ESMTP id h9MAUX017421 for <[EMAIL PROTECTED]>; Wed, 22 Oct 2003 20:30:34 +1000
Received: from sir ([192.168.2.103]) by LAW-MAIN.AlanPickel.com with Microsoft SMTPSVC(6.0.3790.0); Wed, 22 Oct 2003 06:36:35 -0400
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
Subject: Mail undeliverable and filtered

- Original Message -
From: "Poof" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 7:47 PM
Subject: RE: [Full-Disclosure] Windows hosts file changing.

> (Sending from the right email addy now)
>
> Anyhow... I just didn't expect it?
>
> And... What the HECK is with these bounces? -_- Can't people subscribe to FD on email accounts that aren't secured to hell? Gets quite annoying. =/
>
> (Bounce message I just got:)
> Your mail to [EMAIL PROTECTED]; was filtered because of the potential spam or virus keyword [boobs]
>
> please contact the user by fax or telephone thank you.
>
> For this email filter system and other powerful software visit
> http://software.high-pow-er.com
>
> Meh. Doesn't even give me the person it's happening on. Nice software!
>
> > -Original Message-
> > From: gregh [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, October 22, 2003 2:44 AM
> > To: Kevin Gerry; [EMAIL PROTECTED]
> > Subject: Re: [Full-Disclosure] Windows hosts file changing.
> >
> > - Original Message -
> > From: "Kevin Gerry" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, October 22, 2003 6:01 PM
> > Subject: [Full-Disclosure] Windows hosts file changing.
> >
> > > Does -ANYBODY- know how it occurs?
> > >
> > > I've had this happen to a couple boxes of mine now...
> > >
> > > New one:
> > > --
> > > 127.0.0.1 localhost
> > > 66.40.16.131 livesexlist.com
> > > 66.40.16.131 lanasbigboobs.com
> > > 66.40.16.131 thumbnailpost.com
> > > 66.40.16.131 adult-series.com
> > > 66.40.16.131 www.livesexlist.com
> > > 66.40.16.131 www.lanasbigboobs.com
> > > 66.40.16.131 www.thumbnailpost.com
> > > 66.40.16.131 www.adult-series.com
> > > --
> > >
> > > Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
> >
> > Not to answer your question directly but ask another - why don't you just set your hosts file to what you want and then just lock it so it can't ever be hijacked again? Easy to do even with Windows.
> >
> > Regards, Greg.
RE: [Full-Disclosure] Windows hosts file changing.
Install and run Spybot Search & Destroy from http://security.kolla.de/. It's the best remover I've seen, with a much broader scope than ad-aware.

Spybot locks your hosts file if you ask. ;) :)

Bjørnar

-How smart can the user be if he trusts Windows?
RE: [Full-Disclosure] Windows hosts file changing.
Hate to say...

But no filesharing software is installed on this computer. And only legal software is installed.

So... Nice try? =p

Also, AdAware is installed. Along with an up to date virus scanner. Plus all email is scanned before it enters. (Up to date too).

AdAware was run BEFORE the hosts file changed. Without any spyware found. And -AFTER- it was changed. Without any mention of any spyware (It was updated both times)

So... Hrm? =/

> -Original Message-
> From: V.O. [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 3:06 AM
> To: Kevin Gerry; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Windows hosts file changing.
>
> spyware... brought in by kazaa or something similar :)
>
> http://www.google.com.au/search?q=66.40.16.131+thumbnailpost.com&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=
>
> check this -
> http://miataru.computing.net/security/wwwboard/forum/6491.html
>
> dont download illegal files :)))
> and install a virus scanner, or at least AdAware
>
> - Original Message -
> From: "Kevin Gerry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 22, 2003 6:01 PM
> Subject: [Full-Disclosure] Windows hosts file changing.
>
> > Does -ANYBODY- know how it occurs?
> >
> > I've had this happen to a couple boxes of mine now...
> >
> > New one:
> > --
> > 127.0.0.1 localhost
> > 66.40.16.131 livesexlist.com
> > 66.40.16.131 lanasbigboobs.com
> > 66.40.16.131 thumbnailpost.com
> > 66.40.16.131 adult-series.com
> > 66.40.16.131 www.livesexlist.com
> > 66.40.16.131 www.lanasbigboobs.com
> > 66.40.16.131 www.thumbnailpost.com
> > 66.40.16.131 www.adult-series.com
> > --
> >
> > Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
> >
> > Thanks =/
RE: [Full-Disclosure] Windows hosts file changing.
(Sending from the right email addy now)

Anyhow... I just didn't expect it?

And... What the HECK is with these bounces? -_- Can't people subscribe to FD on email accounts that aren't secured to hell? Gets quite annoying. =/

(Bounce message I just got:)
Your mail to [EMAIL PROTECTED]; was filtered because of the potential spam or virus keyword [boobs]

please contact the user by fax or telephone thank you.

For this email filter system and other powerful software visit
http://software.high-pow-er.com

Meh. Doesn't even give me the person it's happening on. Nice software!

> -Original Message-
> From: gregh [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, October 22, 2003 2:44 AM
> To: Kevin Gerry; [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Windows hosts file changing.
>
> - Original Message -
> From: "Kevin Gerry" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, October 22, 2003 6:01 PM
> Subject: [Full-Disclosure] Windows hosts file changing.
>
> > Does -ANYBODY- know how it occurs?
> >
> > I've had this happen to a couple boxes of mine now...
> >
> > New one:
> > --
> > 127.0.0.1 localhost
> > 66.40.16.131 livesexlist.com
> > 66.40.16.131 lanasbigboobs.com
> > 66.40.16.131 thumbnailpost.com
> > 66.40.16.131 adult-series.com
> > 66.40.16.131 www.livesexlist.com
> > 66.40.16.131 www.lanasbigboobs.com
> > 66.40.16.131 www.thumbnailpost.com
> > 66.40.16.131 www.adult-series.com
> > --
> >
> > Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>
> Not to answer your question directly but ask another - why don't you just set your hosts file to what you want and then just lock it so it can't ever be hijacked again? Easy to do even with Windows.
>
> Regards, Greg.
Re: [Full-Disclosure] Windows hosts file changing.
spyware... brought in by kazaa or something similar :)

http://www.google.com.au/search?q=66.40.16.131+thumbnailpost.com&ie=UTF-8&oe=UTF-8&hl=en&btnG=Google+Search&meta=

check this -
http://miataru.computing.net/security/wwwboard/forum/6491.html

dont download illegal files :)))
and install a virus scanner, or at least AdAware

- Original Message -
From: "Kevin Gerry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 6:01 PM
Subject: [Full-Disclosure] Windows hosts file changing.

> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com
> 66.40.16.131 adult-series.com
> 66.40.16.131 www.livesexlist.com
> 66.40.16.131 www.lanasbigboobs.com
> 66.40.16.131 www.thumbnailpost.com
> 66.40.16.131 www.adult-series.com
> --
>
> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)
>
> Thanks =/
Re: [Full-Disclosure] Windows hosts file changing.
- Original Message -
From: "Kevin Gerry" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, October 22, 2003 6:01 PM
Subject: [Full-Disclosure] Windows hosts file changing.

> Does -ANYBODY- know how it occurs?
>
> I've had this happen to a couple boxes of mine now...
>
> New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com
> 66.40.16.131 adult-series.com
> 66.40.16.131 www.livesexlist.com
> 66.40.16.131 www.lanasbigboobs.com
> 66.40.16.131 www.thumbnailpost.com
> 66.40.16.131 www.adult-series.com
> --
>
> Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)

Not to answer your question directly but ask another - why don't you just set your hosts file to what you want and then just lock it so it can't ever be hijacked again? Easy to do even with Windows.

Regards, Greg.
[Full-Disclosure] Re: NGSEC's SG #1 [SPOILER] (was: Tanato WarGame , notes and news)
On Tue, Oct 21, 2003 at 09:42:16PM +0200, Lorenzo Hernandez Garcia-Hierro wrote:
> PS: Mark, remember that you can include any local file; you have the example auth data file with example username and password, so use it to authenticate ;-)

Header: Spoiler follows!
.
.
.
.
.
.
.
.
.

Not as elegant as Lorenzo's solution, but it uses a "standard" unix file:

auth_file=/etc/X11/rgb.txt
login=!
password=$Xorg:

:)

--
Martin Schuster
<[EMAIL PROTECTED]> http://www.tabr.org/
<[EMAIL PROTECTED]> ICQ# 2057
Microsoft is not the answer. Microsoft is the question. "Linux!" is the answer.
[Full-Disclosure] Windows hosts file changing.
Does -ANYBODY- know how it occurs?

I've had this happen to a couple boxes of mine now...

New one:
--
127.0.0.1 localhost
66.40.16.131 livesexlist.com
66.40.16.131 lanasbigboobs.com
66.40.16.131 thumbnailpost.com
66.40.16.131 adult-series.com
66.40.16.131 www.livesexlist.com
66.40.16.131 www.lanasbigboobs.com
66.40.16.131 www.thumbnailpost.com
66.40.16.131 www.adult-series.com
--

Any idea how the search site is replacing that? =/ It's starting to piss me off =/ I had some custom information in there that's now overwritten (Not backed up)

Thanks =/
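Several replies in this thread (Greg's "lock the hosts file", Austin's point that only an Administrator can write it, the Qhosts/CoolWebSearch identification) amount to the same defensive advice: keep a known-good HOSTS file and notice when it changes. As an added example that is not from any poster on the list, the C below parses hosts-file text and flags the pattern Kevin posted, many hostnames pinned to a single non-loopback address. The sample text is constructed from the entries he quoted; the "looks hijacked" threshold and all function names are my own assumptions. On a real system you would feed it the contents of the Windows HOSTS file (or /etc/hosts) and compare the verdict, or a hash of the file, against your baseline.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define IP_LEN 46
#define HOST_LEN 256

typedef struct {
    char ip[IP_LEN];
    char host[HOST_LEN];
} hosts_entry;

/* Constructed sample: the entries quoted in the thread, plus a comment
 * line and a blank line so the parser's skipping logic is exercised. */
static const char SAMPLE_HOSTS[] =
    "# constructed sample hosts file\n"
    "\n"
    "127.0.0.1       localhost\n"
    "66.40.16.131    livesexlist.com\n"
    "66.40.16.131    lanasbigboobs.com\n"
    "66.40.16.131    thumbnailpost.com\n"
    "66.40.16.131    adult-series.com\n"
    "66.40.16.131    www.livesexlist.com\n"
    "66.40.16.131    www.lanasbigboobs.com\n"
    "66.40.16.131    www.thumbnailpost.com\n"
    "66.40.16.131    www.adult-series.com\n";

static int is_loopback(const char *ip)
{
    return strncmp(ip, "127.", 4) == 0 || strcmp(ip, "::1") == 0;
}

/* Parse hosts-file text into (address, hostname) pairs. One line may carry
 * several hostnames; everything after '#' is a comment. Returns the count. */
int parse_hosts(const char *text, hosts_entry *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line - 1 ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full;
        if (*p == '\n') p++;

        char *hash = strchr(line, '#');
        if (hash) *hash = '\0';
        char *ip = strtok(line, " \t\r");
        if (!ip) continue;                     /* blank or comment-only line */
        char *host;
        while ((host = strtok(NULL, " \t\r")) != NULL && n < max) {
            snprintf(out[n].ip, IP_LEN, "%s", ip);
            snprintf(out[n].host, HOST_LEN, "%s", host);
            n++;
        }
    }
    return n;
}

/* Find the non-loopback address that the most hostnames are pinned to.
 * Returns that count and copies the address into worst_ip. */
int most_shared_external_ip(const hosts_entry *e, int n, char *worst_ip, size_t worst_len)
{
    int best = 0;
    if (worst_len) worst_ip[0] = '\0';
    for (int i = 0; i < n; i++) {
        if (is_loopback(e[i].ip)) continue;
        int count = 0;
        for (int j = 0; j < n; j++)
            if (strcmp(e[i].ip, e[j].ip) == 0) count++;
        if (count > best) {
            best = count;
            snprintf(worst_ip, worst_len, "%s", e[i].ip);
        }
    }
    return best;
}

/* Verdict: a hosts file "looks hijacked" (assumed threshold, not from the
 * thread) when at least `threshold` hostnames share one external address. */
int hosts_file_looks_hijacked(const char *text, int threshold)
{
    hosts_entry entries[MAX_ENTRIES];
    char ip[IP_LEN];
    int n = parse_hosts(text, entries, MAX_ENTRIES);
    return most_shared_external_ip(entries, n, ip, sizeof ip) >= threshold;
}

int sample_entry_count(void)
{
    hosts_entry entries[MAX_ENTRIES];
    return parse_hosts(SAMPLE_HOSTS, entries, MAX_ENTRIES);
}

int main(void)
{
    hosts_entry entries[MAX_ENTRIES];
    char ip[IP_LEN];
    int n = parse_hosts(SAMPLE_HOSTS, entries, MAX_ENTRIES);
    int shared = most_shared_external_ip(entries, n, ip, sizeof ip);
    printf("%d entries; %d hostnames pinned to %s\n", n, shared, ip);
    if (hosts_file_looks_hijacked(SAMPLE_HOSTS, 3))
        puts("verdict: HOSTS file looks hijacked; restore it from a known-good copy");
    else
        puts("verdict: no mass redirection found");
    return 0;
}
```

A legitimate hosts file usually maps a handful of names to loopback or to distinct internal addresses, so a cluster of unrelated public hostnames all resolving to one external IP is the signal worth alerting on; the threshold is deliberately a parameter because a lab machine with a few deliberate overrides should not trip it.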
Re: [Full-Disclosure] No Subject (re: openssh exploit code?)
Hi! > As far as it being "easy" to exploit. No it isn't. You have to > abuse a lesser issue, a memory leak to be more precise, to get > a heap layout that will allow you to survive the initial memset > without landing in bad memory. Now without going into details > anyone who manages to survive the initial memset should be able > to debug the crash to the point of exploitation. This is managable > on atleast Linux IA32 systems. > There is no need for anyone to release this exploit. It will change > nothing about the fact that you need to upgrade your daemons. It > will change nothing about the bugdetails already published. There > is no reasoning for it other than "but I want to learn how to do it". > And sorry but that's just not good enough to warrant the mayhem that > will ensue when an exploit like this is released. I think you are right here. Having the exploit doesn't make the bug more or less exploitable. I'm really impressed that people are able to exploit such a bug. However, it still makes me wonder: What to do about this kind of problems? Patching OpenSSH is one thing of course, but there are bound to be more problems like this that are not known at this moment. Would it be sufficient to tighten up the malloc implementation? Or is more than that needed? > Now on a larger scale, I think it's rather foolish to cop an attitude > that assumes anything that doesn't exist in the public eye isn't > possible. It reeks of the same arrogance I'm accused off. Is it > arrogant to step forward to try and explain why noone who managed > to exploit ossh is willing to step forward? Maybe it is. No that is not arrogant. But so far there have been personal attacks on Theo de Raadt by someone who calls himself ``Theo rapist'' and many accusations about bug ridden privsep code and what not. Big words, but without any technical details. Or at any technical explanation for that matter. People on this list are simply trying to figure out wether this is a troll (or FUD) or not. 
At least that is my impression. Words are cheap, it is proof that counts. A working exploit is of course the ultimate proof, that's a fact. Therefore it shouldn't be surprising that people ask for exploit code. If you have such code, but do not want to release it, fine. I could claim to have such an exploit too. But I wouldn't be able to explain any technical details about it. So I guess that disclosing (some) technical details about it is the second best proof.

> Fact remains that exploiting this issue requires creativity beyond the pre-chewed papers. And that's why you're not seeing the regular array of mediocre "hackers" producing exploit code.

Right, it is very impressive.

> I'd like to think that anyone who was capable of writing this exploit also recognises the potential impact of releasing it.

True, and I think it is good that you are so conscientious about it.

> I'm talking about the apaches, the openssh's and the ms rpc's. Time and time again it's become apparent that full disclosure simply does not function.

I think people take ``full disclosure'' too literally or too seriously. There is a need for more knowledge about why and how certain bugs are exploitable. Working exploits are one way to distribute this knowledge. But IMHO it is more useful to share technical analyses of the problems and ways to prevent such problems from happening again than exploit code.

> And although I realise that there will always be people supporting full disclosure, I think even with the disclosure of vulnerability information releasing exploits is something that's not justifiable in any way.

Agreed.

> There is simply no need for exploits, especially not one that would affect people and nations around the globe. You have to look beyond your own little egocentric world of friendly exploit dev and "but it's fun", and take a look at the bigger picture.

Agreed.
Groetjes,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
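The message above asks whether tightening up the malloc implementation would be enough against heap bugs like the one under discussion. The following is an added illustration, not code from the thread or from any real allocator: a toy "guarded" allocator that places a magic value in front of each block and a canary behind it, and verifies both when the block is checked or freed. The names (guarded_malloc, guarded_check, guarded_free, CANARY) are invented for this example.

```c
/* Added example: a minimal canary-guarded allocator (not from the thread).
 * Layout of each allocation: [guard_hdr][user bytes][trailing canary] */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0x5A5A5A5AA5A5A5A5ULL   /* arbitrary constant chosen for this demo */

struct guard_hdr {
    uint64_t magic;   /* must equal CANARY while the block is live */
    size_t   size;    /* user-visible size, needed to locate the trailing canary */
};

/* Allocate n user bytes surrounded by header magic and a trailing canary. */
void *guarded_malloc(size_t n)
{
    struct guard_hdr *h = malloc(sizeof *h + n + sizeof(uint64_t));
    if (!h)
        return NULL;
    h->magic = CANARY;
    h->size  = n;
    uint64_t c = CANARY;
    memcpy((char *)(h + 1) + n, &c, sizeof c);   /* trailing canary */
    return h + 1;                                 /* user pointer */
}

/* Return 0 if both guards are intact, 1 if the header was clobbered
 * (underflow or wrong pointer), 2 if the trailing canary was clobbered
 * (overflow past the end of the user region). */
int guarded_check(const void *p)
{
    const struct guard_hdr *h = (const struct guard_hdr *)p - 1;
    if (h->magic != CANARY)
        return 1;
    uint64_t c;
    memcpy(&c, (const char *)p + h->size, sizeof c);
    return c == CANARY ? 0 : 2;
}

/* Free only if the guards are intact; return the check result so the caller
 * can abort or log instead of silently continuing on corrupted state. */
int guarded_free(void *p)
{
    int rc = guarded_check(p);
    struct guard_hdr *h = (struct guard_hdr *)p - 1;
    if (rc == 0) {
        h->magic = 0;        /* invalidate before release */
        free(h);
    }
    return rc;
}

/* Constructed scenario: a one-byte overrun of a 16-byte buffer.
 * The extra byte lands on the trailing canary, so the check reports 2. */
int demo_overflow(void)
{
    char *p = guarded_malloc(16);
    memset(p, 'A', 17);              /* one byte too many */
    int rc = guarded_check(p);
    free((struct guard_hdr *)p - 1); /* release the raw block regardless */
    return rc;
}

/* Constructed scenario: a correct write; guarded_free reports 0. */
int demo_clean(void)
{
    char *p = guarded_malloc(16);
    memset(p, 'A', 16);
    return guarded_free(p);
}

int main(void)
{
    printf("overflow detected: %d (expect 2)\n", demo_overflow());
    printf("clean block:       %d (expect 0)\n", demo_clean());
    return 0;
}
```

The point the demo makes about the question in the message: guards like these catch contiguous overruns and underruns at check or free time, which covers a common class of bugs, but they say nothing about a write that never touches a guard, and they do nothing for the out-of-process or kernel-level problems raised later in the thread. That is why the answer to "is more than that needed?" is generally yes: allocator hardening is one layer, not a substitute for fixing the code.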
Linux (in)security (Was: Re: [Full-Disclosure] Re: No Subject)
Hi!

> That brings up a good point. If this issue is not exploitable on *BSD but on Linux due to a different implementation of memory handling, doesn't that mean that Linux is generally less secure than *BSD just for that reason? And if so, why haven't the Linux memory handling routines been fixed/strengthened?

Because Linux people in general seem to be more concerned about speed and features than about security. For example, the only reason Linux Security Modules (LSM) have been included in the kernel is that they don't have a performance impact on users who do not load any security modules. People have objected to some of the proposed LSM networking hooks, because they could impact performance. From a performance point of view, this provides a nice way to have more security without sacrificing performance. From a security point of view, the result is not exactly what you would hope for.

Obviously this affects programs that use the LSM interface. Either you limit the security functionality to what the LSM interface provides, or you forget about the LSM interface. People who maintain Linux security patches complain about it. Amon Ott, who wrote RSBAC, ported it to LSM. But he is thinking about reverting to his self-made hooks like he has done so far. The drawbacks of maintaining and applying your own hooks to the kernel more or less outweigh the drawbacks of the LSM interface. And Amon is not the only security patch maintainer to come to this conclusion. I think that is saying something about LSM.

In general people seem to believe that Linux is either secure or can be made secure by removing packages and unused services. This belief that Linux is already secure makes people uninterested in security. Why improve something that is already sufficient? Besides that, it is more rewarding to write a new window manager providing more and faster flashy eye candy than to fix potential memory allocation problems that no one ever notices.
Well, until it becomes a problem that is. Contrary to common belief, keeping up to date with the latest security patches is not sufficient:

http://groups.google.com/groups?selm=20030525190037%2470c6%40gated-at.bofh.it

If you think this is purely a Debian related problem, think again. Most software found in a Linux distribution can be found in every other Linux distribution and on *BSD too for that matter.

People have argued against the effectiveness of patches like PaX ever since Linus pointed out that they do not provide protection against return to function attacks. This is probably one of the reasons that their adoption in Linux distributions has been next to zero.

Stuff like RSBAC, grsecurity and LIDS are nice. But one kernel bug and they are useless. The Linux ptrace() bug and the OpenBSD kernel bug where root could circumvent securelevel are examples. Kernels tend to become bigger and more complex, so the possibility for security related bugs will likely grow.

People apparently do not realise that a wooden house is not sufficient to protect against the big bad wolf. And there is currently no brick house to flee to when the wolf comes...

Groetjes,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/
Re: [Full-Disclosure] Re: No Subject
On Tue, Oct 21, 2003 at 08:41:59PM -0500, Paul Schmehl wrote:
> --On Wednesday, October 22, 2003 1:20 AM +0200 Michal Zalewski <[EMAIL PROTECTED]> wrote:
>
> >Rant: mainstream Linux is generally not all that enthusiastic about implementing security features (even non-executable stack or using some feeble but standard kernel security capabilities is quite unpopular in major distributions). Adding translucent buttons to KDE/GNOME seems to be the top priority.
>
> Am I the only one on the list who immediately thought of Microsoft when reading this rant?
> :-)

The big difference here is that you _can_ choose a distribution that provides more security if you want. You just have to search a bit and you can find about a dozen security related Linux and *BSD projects/products.

Groetjes,
Peter Busser
--
The Adamantix Project
Taking trustworthy software out of the labs, and into the real world
http://www.adamantix.org/
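Both the PaX discussion in the previous message and the quoted remark above about non-executable stacks concern one concrete, checkable property of a binary: whether it asks the loader for an executable stack. The following is an added example, not code from the thread: it reads the ELF header and program headers directly (no readelf needed) and reports the PT_GNU_STACK flags. The helper build_elf64() constructs a minimal, non-runnable ELF image purely so the check can be exercised offline; the real test is pointing stack_is_executable() at an actual binary.

```python
"""Added example (not from the thread): detect an executable-stack request
in an ELF binary by parsing its PT_GNU_STACK program header."""
import struct
import sys

PT_GNU_STACK = 0x6474E551   # program-header type used by GNU toolchains
PF_X = 0x1                  # "execute" bit in p_flags


def gnu_stack_flags(data: bytes):
    """Return the p_flags of the PT_GNU_STACK header, or None if absent."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2          # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4            # p_flags follows p_type in Elf64_Phdr
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24           # p_flags sits near the end of Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return p_flags
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if the binary requests an executable stack.

    A missing PT_GNU_STACK header is treated as executable, which is the
    conservative reading: classic Linux/x86 loaders defaulted to an
    executable stack when the marker was absent."""
    flags = gnu_stack_flags(data)
    return True if flags is None else bool(flags & PF_X)


def build_elf64(phdrs):
    """Constructed test fixture: a minimal little-endian ELF64 image whose
    only meaningful content is a list of (p_type, p_flags) program headers."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    phoff, ehsize, phentsize = 64, 64, 56
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 0x3E, 1, 0,            # e_type=EXEC, e_machine=x86-64, e_version, e_entry
        phoff, 0, 0,              # e_phoff, e_shoff, e_flags
        ehsize, phentsize, len(phdrs), 64, 0, 0,
    )
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                    for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Usage: python gnustack.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        image = fh.read()
    flags = gnu_stack_flags(image)
    print("PT_GNU_STACK flags:", None if flags is None else hex(flags))
    print("executable stack requested:", stack_is_executable(image))
```

A non-executable stack is only one of the protections the thread mentions, and the message above notes that it does not stop return-to-function attacks on its own; the check is still useful as a quick audit of what a distribution actually ships, which is the adoption question raised there.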