SV: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-24 Thread Peter Kruse
Hi Nick,

>It does this via the now very old ms-its: protocol zone-handling bug...
>Apparently someone needs to decode a few more levels of JavaScript, etc
>to work this all out...

I don't think so. This looks a lot like the unpatched IE bug that was also
exploited by the Ilookup trojan. See http://62.131.86.111/analysis.htm.

>> Consider to deny access to http://217.107.218.147 in your firewall. This
>> will at least prevent client PCs from getting infected.
>
>Thanks Peter, but what about all the _other_ servers out there also
>hosting more or less exactly the same files?  Are you going to provide
>a list of all those IPs too?

Why should I? I think you should look at the code again, Nick.

When the javascript runs it will try to redirect you to a remote server,
http://217.107.218.147. This is where the MSITS.EXE and the javascripts are
stored. As far as I know they do not reside on the compromised IIS servers,
which simply pull the payload off the remote host. Meanwhile the host
is no longer available.

Regards
Peter Kruse

___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] server administration

2004-06-24 Thread misiu_
> we have some 100+ servers here, and we would like to make an inventory 
> of all the servers. each server has a service tag etc... all servers 
> have one or more services running on it.
> 
> the idea is: we would like everything (config, static information, 
> dynamic info,...) on a central server in a secure intranet.
> the first problem:
> how do you collect the data, how do you store it,what software do you 
> use to get info out of a server (static info as wel as dynamic info).
>   ^^^^^
>   a script?   snmp
> second problem:
> what soft can you use for pushing the config to the servers and 
> restarting servers, without having to log in to each one individually 
> (something like rdist?) sshkeys?
> 
Hi, I'm just replying because I think there are more people who would like to
know this...

If you have a lot of servers to work on, try the "Distributed Shell": one
command on all servers at the same time.

check  http://www.netfort.gr.jp/~dancer/software/dsh.html

later @ll
misiu



Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread VX Dude
--- Eric Paynter <[EMAIL PROTECTED]> wrote:
> On Thu, June 24, 2004 11:22 am, VX Dude said:
> > Good point, personally I wouldn't think that making a
> > small wrapper would take that long, but then again I
> > haven't done it, and I haven't done it under stress and
> > a time crunch.  I code for fun and not profit which is
> > pretty stress free.
> 
> Isn't the software we're talking about open source? Where's the profit and
> time crunch? If it's a real concern, just fix it and submit your patch...
> 
> -Eric

The profit and time crunch were in reference to
Valdis.Kletnieks, who said the following words
(probably out of context; please read the thread for
full value):

"...and the build broke on OTHER systems
because there wasn't a vsnprintf() in the vendor libc
- and your boss is
telling you TO GET THE THING TO BUILD, NOW

The programmer who is willing to swear on a Bible that
they have *never* in
their professional careers done something like this
because they were in a
time crunch is either a newbie or a complete liar."

The word "boss" gives me the illusion of some profit
being made.  Once again I could just be paranoid.

Apparently the idea of people patching open source
products just shows what newbs we are.

-stiny






RE: [Full-Disclosure] defamatory joe job attack by botnet

2004-06-24 Thread Kane Lightowler
I can also confirm that this is continuing from one of my many email addresses.


Regards,

Kane Lightowler
Network Security Consultant

Content Security
Level 4, Suite 42c 
203 Castlereagh Street 
Sydney 2000

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of lsi
> Sent: Friday, June 25, 2004 1:43 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] defamatory joe job attack by botnet
> 

[Full-Disclosure] defamatory joe job attack by botnet

2004-06-24 Thread lsi
On June 11 it was reported that Dutch mailboxes were flooded with racist 
hatemail sent via the Sobig worm.

http://www.theregister.co.uk/2004/06/11/german_hate_mail_virus/

I can report that not only is this activity continuing, but it is 
doing so under the names of ... well, me, at least - I have received 
several bounces indicating that my email address is being used as the 
"from" address.

I include the fulltext of a sample bounce below.  Note: the text is 
reportedly racist in nature.  I include it for forensic purposes.  
This is the full disclosure list, right?  

Maybe it was just me who got joe-jobbed by Sobig in this way?  Or 
maybe there are some other posters to the security conferences who 
are being toasted too?

Note: 82.3.47.243 is apparently a cable connection owned by NTL UK.  
Probably just an owned box though.  And probably a dynamic IP as 
well.

Stuart

[ok, I trimmed these headers, irrelevant]
Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)
From: [EMAIL PROTECTED] (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: [EMAIL PROTECTED]

This is a MIME-encapsulated message.

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Notification
Content-Type: text/plain

This is the Postfix program at host pfmx1.pop.uk.netscalibur.com.

I'm sorry to have to inform you that the message returned
below could not be delivered to one or more destinations.

For further assistance, please send mail to 

If you do so, please include this problem report. You can
delete your own text from the message returned below.

The Postfix program

<[EMAIL PROTECTED]>: host
cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
quota (in reply to RCPT TO command)

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Delivery error report
Content-Type: message/delivery-status

Reporting-MTA: dns; pfmx1.pop.uk.netscalibur.com
Arrival-Date: Thu, 24 Jun 2004 13:05:42 +0100 (BST)

Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; host
cyrus02.store.pop.uk.netscalibur.com[194.112.32.39] said: 552 5.2.2 Over
quota (in reply to RCPT TO command)

--69D9D6749F5.1088078742/pfmx1.pop.uk.netscalibur.com
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Received: from rmx5.dircon.net (rmx5.dircon.net [195.157.4.7])
by pfmx1.pop.uk.netscalibur.com (Postfix) with ESMTP id 69D9D6749F5
for <[EMAIL PROTECTED]>; Thu, 24 Jun 2004 13:05:42 +0100 (BST)
Received: from qmx0.uk.netscalibur.com (qmx0.uk.netscalibur.com [194.112.32.44])
by rmx5.dircon.net (Mirapoint Messaging Server MOS 3.3.5-GR)
with SMTP id AVI60539;
Thu, 24 Jun 2004 13:04:08 +0100 (BST)
Received: (qmail 95729 invoked from network); 24 Jun 2004 12:04:33 -
Cc: recipient list not shown: ;
Received: from unknown (HELO yddcfxtx.net) (82.3.47.243)
  by 194.112.32.44 with SMTP id 1088078670X93760X0; 24 Jun 2004 12:04:30 -
From: [EMAIL PROTECTED]
Date: Thu, 24 Jun 2004 11:33:35 GMT
MIME-Version: 1.0
Subject: EU Beitritt der Tuerkei ? (Id:9951)
Importance: Normal
X-Priority: 3 (Normal)
Message-ID: <[EMAIL PROTECTED]>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"

Aufnahme der Beitrittsverhandlungen mit der Tuerkei oder nicht - eine Entscheidung, 
die 'das Ende Europas' bedeuten koennte. Dieses Wort stammt vom frueheren 
franzoesischen Praesidenten Giscard d'Estaing.
Schon 2002 hatte er davor gewarnt, dass ein Beitritt der Tuerkei zur EU dem 'Ende 
Europas' gleichkaeme. Die bundesdeutschen Beitrittsbefuerworter verdraengen und 
verschweigen die unabsehbaren Folgen dieser Entscheidung:

(1) Die Tuerkei hat schon jetzt 70 Millionen Einwohner. Sie wird bis zu ihrem 
EU-Beitritt die BRD in der Bevoelkerungszahl ueberholt haben und in den 
EU-Institutionen das entsprechende Stimmengewicht erhalten.
(2) Die Tuerkei passt wirtschaftlich nicht in die EU. Das Land ist hoffnungslos 
ueberschuldet und waere ohne staendige internationalen Kredite laengst bankrott. Das 
Pro-Kopf-Einkommen betraegt nur 23% des EU-Durchschnitts. Die EU-Subventionen, auf die 
die Tuerkei Anspruch haette, wuerden nicht nur den Bruesseler Haushalt sprengen, 
sondern auch die heute schon ueberschuldeten 'Geberlaender' wie die BRD gaenzlich 
ruinieren.
(3) Mit der Aufnahme eines asiatischen Landes und dem Verzicht auf vernuenftige 
Aussengrenzen verliert die EU ihre Identitaet.

Trotz dieser unbestreitbaren Sprengsaetze rollt die Kampagne fuer den tuerkischen 
Beitritt immer schneller und unaufhaltsamer voran: Der tuerkische Regierungschef 
Erdogan nimmt bereits an den Konferenzen der EU-Regierungschefs teil, freilich noch 
ohne Stimmrecht und die Tuerkei erhaelt jetzt schon EU-Gelder zur 
'Beitrittsvorbereitung'.
Es ist alles wie bei der Euro-Einfuehrung: Erst erscheint der ganze Plan unrealistisch 
und wird von vielen f

Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Aditya, ALD [ Aditya Lalit Deshmukh ]




  
  
> Yesterday a large client of ours was taken down by what appears to be a
> Korgo variant, but I have been unable to locate any information on this
> worm.  From what we have discovered, the main process is 'VDisp.exe'.  It
> is spreading through unpatched systems vulnerable to the LSASS exploit, and
> propagates itself through a series of randomly chosen ports.  The worm
> creates randomly generated services that initialize the process, and also
> creates a registry entry in RunServices and Run to load.  I am anxious to
> hear any feedback anyone has regarding this issue as we are still
> attempting to reduce network traffic and alleviate any remaining issues.  I
> have attached a copy of the executable (rename to .exe).

Where is the .exe file?  If possible, write a snort sig for this to isolate
which machines are infected and patch them!  For the services: if you find
any unfamiliar services, simply stop them and set the autostart to disabled.
Also make a script like this and just run it from the login script, and have
that script run on all the machines; if possible, put the patch in this
script as well.

-Aditya
   
   


RE: [Full-Disclosure] IE exploit runs code from graphics?

2004-06-24 Thread Larry Seltzer
>> Without having access to any of the information as to what web pages NetSec
>> thinks is involved, but having seen many recent posts about the so-called
>> "RFI - Russian IIS Hacks" I'd suggest that both reports are referring to one
>> and the same, or at least, very closely related, things.
>> ...
>> That is hardly the same thing as "embedded code hidden in graphics on Web
>> pages"...

Yup, once I saw the SANS writeups I came to the same conclusion. So there's
nothing really new in the client-side exploit and what's happening on the
server hasn't been figured out yet, right? And it sounds like if you're up to
date on patches and antivirus you're probably protected against the
client-side exploit.

Larry Seltzer



Re: [Full-Disclosure] IE exploit runs code from graphics?

2004-06-24 Thread Nick FitzGerald
"Larry Seltzer" <[EMAIL PROTECTED]> wrote:

> From http://www.eweek.com/article2/0,,1617045,00.asp: 
> 
> "Analysts at NetSec Inc., a managed security services provider,
> began seeing indications of the compromises early Thursday morning
> and have since seen a large number of identical attacks on their
> customers' networks. The attack uses a novel vector: embedded code
> hidden in graphics on Web pages... NetSec officials said the attack
> seems to exploit a vulnerability in Internet Explorer." 

Without having access to any of the information as to what web pages 
NetSec thinks is involved, but having seen many recent posts about the 
so-called "RFI - Russian IIS Hacks" I'd suggest that both reports are 
referring to one and the same, or at least, very closely related, 
things.

Common exploits of the ms-its: (etc) protocol download compiled help 
files (.CHM) from some web site, causing the HTML code inside the .CHM 
to be run in the "My Computer" security zone.  Typically (like all but 
one of _dozens and dozens_ of these I've seen) the "inner" HTML run 
from the .CHM then uses a lightly modified form of one of the common 
ADODB.Stream PoC exploits to download yet another file, save it as a 
.EXE and run it.  Sometimes the file the ADODB exploit code pulls down 
will be named with a .GIF or .JPG extension (it can be _any_ extension 
the attacker likes as the ADODB.Stream vuln allows the attacker to 
specify the target filename and path on the new victim machine _in 
full_).

That is hardly the same thing as "embedded code hidden in graphics on 
Web pages", but I can easily imagine a naïve journalist getting 
confused over such technical issues or a company representative 
hankering for some media exposure over-selling the seriousness or 
novelty of what they "discovered"...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854



[Full-Disclosure] Re: IE exploit runs code from graphics?

2004-06-24 Thread Joe Stewart
On Thu, 24 Jun 2004 19:02:01, [EMAIL PROTECTED] wrote:
> From http://www.eweek.com/article2/0,,1617045,00.asp: 
>
> "Analysts at NetSec Inc., a managed security services provider, began 
> seeing indications of the compromises early Thursday morning and have 
> since seen a large number of identical attacks on their customers' networks.
> The attack uses a novel vector: embedded code hidden in graphics on Web 
> pages... NetSec officials said the attack seems to exploit a vulnerability
> in Internet Explorer." 

This is somewhat misleading. The attack is appending javascript footers to 
every file served by the IIS server, including image files. This isn't a new 
vector, it's just a side-effect. More information at http://isc.sans.org/

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
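Joe's point above, together with Peter Kruse's description elsewhere in this digest of javascript being appended to .html, .txt and .gif files in the IIS web folder, suggests a simple host-side check for admins: a served file whose format has a natural end should not carry a `<script` tag after it. The following C snippet is an added example, not code from the thread, from ISC or from any poster; it is a heuristic that classifies a file by extension and looks for a script tag where the format cannot legitimately contain one, and the sample "files" are constructed inline.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive search for an ASCII needle inside a binary buffer
 * (the buffer may contain NUL bytes, so strstr() cannot be used). */
static const unsigned char *find_ci(const unsigned char *hay, size_t len,
                                    const char *needle)
{
    size_t n = strlen(needle), i, j;
    for (i = 0; i + n <= len; i++) {
        for (j = 0; j < n; j++)
            if (tolower(hay[i + j]) != tolower((unsigned char)needle[j]))
                break;
        if (j == n)
            return hay + i;
    }
    return NULL;
}

/* Case-insensitive "does name end with suffix". */
static int ends_with_ci(const char *name, const char *suffix)
{
    size_t ln = strlen(name), ls = strlen(suffix), i;
    if (ls > ln)
        return 0;
    for (i = 0; i < ls; i++)
        if (tolower((unsigned char)name[ln - ls + i]) !=
            tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Returns 1 if `data` (the contents of the file `name`) carries a <script
 * tag where its format has no business containing one: anywhere in an
 * image or plain-text file, or after the closing </html> of an HTML page.
 * Returns 0 otherwise. Heuristic: a hand-written page that puts script
 * after </html> is also flagged, so treat hits as leads, not proof. */
int has_appended_script(const char *name, const unsigned char *data, size_t len)
{
    static const char *foreign[] = { ".gif", ".jpg", ".jpeg", ".png", ".txt" };
    const unsigned char *end;
    size_t k;

    for (k = 0; k < sizeof foreign / sizeof foreign[0]; k++)
        if (ends_with_ci(name, foreign[k]))
            return find_ci(data, len, "<script") != NULL;

    if (ends_with_ci(name, ".htm") || ends_with_ci(name, ".html") ||
        ends_with_ci(name, ".asp")) {
        end = find_ci(data, len, "</html>");
        if (end == NULL)
            return 0;               /* no end marker: cannot judge */
        end += strlen("</html>");
        return find_ci(end, len - (size_t)(end - data), "<script") != NULL;
    }
    return 0;                       /* other types are not assessed */
}

/* Constructed samples standing in for files read from a web folder; the
 * two "footered" ones have a script tag glued on after the real content.
 * Returns how many of the four are flagged (expected: 2). */
int demo_flag_count(void)
{
    static const unsigned char clean_gif[] =
        "GIF89a\x01\x00\x01\x00\x00\x00\x00;";
    static const unsigned char bad_gif[] =
        "GIF89a\x01\x00\x01\x00\x00\x00\x00;"
        "<SCRIPT src=\"http://example.invalid/x.js\"></SCRIPT>";
    static const unsigned char clean_html[] =
        "<html><body><script>var a=1;</script></body></html>\n";
    static const unsigned char bad_html[] =
        "<html><body>hi</body></html>\n"
        "<script src=\"http://example.invalid/x.js\"></script>";
    int n = 0;
    n += has_appended_script("logo.gif", clean_gif, sizeof clean_gif - 1);
    n += has_appended_script("logo.gif", bad_gif, sizeof bad_gif - 1);
    n += has_appended_script("index.html", clean_html, sizeof clean_html - 1);
    n += has_appended_script("index.html", bad_html, sizeof bad_html - 1);
    return n;
}
```

Feed it the bytes of each file under the document root; anything flagged is worth diffing against a known-good copy, and the file's modification time then gives a starting point for working out how the content got there.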



Re: [Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-24 Thread Nick FitzGerald
"Peter Kruse" <[EMAIL PROTECTED]> wrote:

> This is a heads up.

Or...

PANIC, PANIC, PANIC...

> A new malware has been reported from several sources so it appears to be
> fairly widespread already.
> 
> The malware spreads from infected IIS servers to clients that visit the
> webpage of the infected server. How the IIS servers were compromised in the
> first place is unfortunately still unknown (any info on that would be
> appreciated).

There is _no_ evidence (yet) that this is spreading from "infected" IIS 
servers.  _Some_ IIS admins whose servers are involved don't know how 
the content got on their servers, but that is far from grounds for 
claiming said servers are, or even may be, "infected".  Of course they 
might be, but history suggests that slack admin'ing is at least as 
likely as an explanation...

> The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
> so by running a javascript that apparently gets appended to several files in
> the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
> 217.107.218.147/xxx.html that contains the following code:
> 
> 

RE: [Full-Disclosure] IE exploit runs code from graphics?

2004-06-24 Thread Heather M. Guse Bryan
Is this related to the diary entry on:

http://www.incidents.org

-Original Message-
From: Larry Seltzer [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 24, 2004 6:02 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] IE exploit runs code from graphics?


From http://www.eweek.com/article2/0,,1617045,00.asp:

"Analysts at NetSec Inc., a managed security services provider, began seeing
indications of the compromises early Thursday morning and have since seen a
large number of identical attacks on their customers' networks. The attack
uses a novel vector: embedded code hidden in graphics on Web pages... NetSec
officials said the attack seems to exploit a vulnerability in Internet
Explorer."



[Full-Disclosure] New malware to infect IIS and from there jump to clients

2004-06-24 Thread Peter Kruse
Hi all,

This is a heads up.

A new malware has been reported from several sources so it appears to be
fairly widespread already.

The malware spreads from infected IIS servers to clients that visit the
webpage of the infected server. How the IIS servers were compromised in the
first place is unfortunately still unknown (any info on that would be
appreciated).

The malware redirects a visitor to http: //217.107.218.147/xxx.php. It does
so by running a javascript that apparently gets appended to several files in
the webfolder of IIS (eg. html, .txt, .gif). The webpage loads http://
217.107.218.147/xxx.html that contains the following code:


[Full-Disclosure] Re: [FD] Evidence of a ISC being hacked?

2004-06-24 Thread Thomas Binder
Hi!

On Thu, Jun 24, 2004 at 03:38:27PM -0400, [EMAIL PROTECTED] wrote:
> 1) The wrapper/define/handwaving discards it and prays.
> 
> 2) The replacement function does a proper job of doing a full enough
> emulation of vsnprintf to keep track of "length so far" and stop
> when it gets full (not as easy as you might think - for fun, compute
> how many bytes this takes:

3) Only useable on systems with /dev/null: fopen() /dev/null,
   vfprintf() to that handle and take the return value - it
   contains the number of characters written (or -1 on error).
   Then malloc() a temporary buffer to hold the complete output,
   vsprintf() to it and strncpy() to the destination array.

Of course, this might not be a suitable solution in a performance
sensitive application, but it's only a workaround for a missing
function anyway.


Ciao

Thomas




[Full-Disclosure] IE exploit runs code from graphics?

2004-06-24 Thread Larry Seltzer
From http://www.eweek.com/article2/0,,1617045,00.asp:

"Analysts at NetSec Inc., a managed security services provider, began seeing
indications of the compromises early Thursday morning and have since seen a
large number of identical attacks on their customers' networks. The attack
uses a novel vector: embedded code hidden in graphics on Web pages... NetSec
officials said the attack seems to exploit a vulnerability in Internet
Explorer."



Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread Eric Paynter
On Thu, June 24, 2004 11:22 am, VX Dude said:
> Good point, personally I wouldn't think that making a
> small wrapper would take that long, but then again I
> havent done it, and I havent done it under stress and
> a time crunch.  I code for fun and not profit which is
> pretty stress free.

Isn't the software we're talking about open source? Where's the profit and
time crunch? If it's a real concern, just fix it and submit your patch...

-Eric

--
arctic bears - affordable email and name services @yourdomain.com
http://www.arcticbears.com



Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread Pavel Kankovsky
On Thu, 24 Jun 2004 [EMAIL PROTECTED] wrote:

> It's easier to just #define the critter than to re-re-invent the C code
> for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
> nice with the vendor's stdio - this can be .. umm... "interesting" if the
> innards of the vendor stdio are more bizarre than usual...

vsnprintf() does not have to "play nice" with stdio. It does not have to
play with stdio at all. You don't need to mess with stdio in order to
stuff some characters into an array.

> Go ahead - go and re-write a vsnprintf, and compare that to the time it
> takes to do the #define

It is rather easy as long as all you need are the common string and
integer directives. Indeed, floats are tricky. Exotic C99 is even more
tricky. But I think the set of printf features required by dhcpd and
similar programs is (or should be) pretty small.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."



[Full-Disclosure] [ GLSA 200406-19 ] giFT-FastTrack: remote denial of service attack

2004-06-24 Thread Thierry Carrez
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: giFT-FastTrack: remote denial of service attack
      Date: June 24, 2004
      Bugs: #54452
        ID: 200406-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a vulnerability where a carefully crafted signal sent to the
giFT-FastTrack plugin will cause the giFT daemon to crash.

Background
==========

giFT-FastTrack is a plugin for the giFT file-sharing application. It
allows giFT users to connect to the fasttrack network to share files.

Affected packages
=================

    -------------------------------------------------------------------
     Package                    /   Vulnerable   /          Unaffected
    -------------------------------------------------------------------
  1  net-p2p/gift-fasttrack         <= 0.8.6                 >= 0.8.7

Description
===========

Alan Fitton found a vulnerability in the giFT-FastTrack plugin in
version 0.8.6 and earlier. It can be used to remotely crash the giFT
daemon.

Impact
======

Attackers may use this vulnerability to perform a Denial of Service
attack against the giFT daemon. There is no risk of code execution.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All users should upgrade to the latest available version of
gift-fasttrack:

# emerge sync

# emerge -pv ">=net-p2p/gift-fasttrack-0.8.7"
# emerge ">=net-p2p/gift-fasttrack-0.8.7"

References
==========

  [ 1 ] giFT-FastTrack announcement
http://gift-fasttrack.berlios.de/

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread Valdis . Kletnieks
On Thu, 24 Jun 2004 11:22:18 PDT, VX Dude said:

> Good point, personally I wouldn't think that making a
> small wrapper would take that long, but then again I
> haven't done it, and I haven't done it under stress and
> a time crunch.  I code for fun and not profit which is
> pretty stress free.

Writing a small wrapper doesn't do anything any better than
just using a #define - the *basic* problem is that there's no way
for any wrapper or preprocessor magic to know the "right" answer
to the most crucial difference - vsnprintf takes a 'length' parameter,
and you have 2 basic choices:

1) The wrapper/define/handwaving discards it and prays.

2) The replacement function does a proper job of doing a full enough
emulation of vsnprintf to keep track of "length so far" and stop
when it gets full (not as easy as you might think - for fun, compute
how many bytes this takes:

   vsprintf(target,"%#'LG",foo);

(Note the evilness involved in the ' flag, which is locale-dependent ;)





Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread VX Dude
--- [EMAIL PROTECTED] wrote:

> It's easier to just #define the critter than to re-re-invent the C code
> for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
> nice with the vendor's stdio - this can be .. umm... "interesting" if the
> innards of the vendor stdio are more bizarre than usual...


Good point, personally I wouldn't think that making a
small wrapper would take that long, but then again I
haven't done it, and I haven't done it under stress and
a time crunch.  I code for fun and not profit which is
pretty stress free.

-Stiny





Re: [Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread Valdis . Kletnieks
On Thu, 24 Jun 2004 08:27:11 PDT, VX Dude <[EMAIL PROTECTED]>  said:
> http://www.kb.cert.org/vuls/id/654390
> 
> Apparently one of the new DHCP vulnerabilities stems
> from the following code found in a header file.
> 
> #define vsnprintf(buf, size, fmt, list) vsprintf (buf,
> fmt, list)
> 
> Why would any coder replace a more secure function
> with a less secure function?  Personally I don't see
> any reason except to backdoor the software.

Hmm.. are you perchance new to software development? ;)

Quoting one of the advisories:

   VU#654390 discusses C include files for systems that do not support
   the bounds checking vsnprintf() function. These files define the
   bounds checking vsnprintf() to the non-bounds checking vsprintf()
   function. Since vsprintf() is a function that does not check bounds,
   the size is discarded, creating the potential for a buffer overflow
   when client data is supplied. Note that the vsnprintf() statements are
   defined after the vulnerable code that is discussed in VU#317350.

It's easier to just #define the critter than to re-re-invent the C code
for vsnprintf() (which isn't always trivial, as your vsnprintf() has to play
nice with the vendor's stdio - this can be .. umm... "interesting" if the
innards of the vendor stdio are more bizarre than usual...

Go ahead - go and re-write a vsnprintf, and compare that to the time it
takes to do the #define, and remember that this situation almost certainly
came up because some *other* coder had changed a vsprintf() to a vsnprintf()
for the obvious security reasons, it built OK on the other coder's test box,
they released a -rc release candidate, and the build broke on OTHER systems
because there wasn't a vsnprintf() in the vendor libc - and your boss is
telling you TO GET THE THING TO BUILD, NOW

The programmer who is willing to swear on a Bible that they have *never* in
their professional careers done something like this because they were in a
time crunch is either a newbie or a complete liar.





[Full-Disclosure] Re: New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Helmut Hauser
In my opinion this is an unknown Agobot variant (as NAI says).

TrendMicro calls it:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=DOS_AGOBOT%2EGEN
(it changes the hosts file)
It is packed with one of the latest PECompact versions.

It puts itself in the usual suspect Run keys and in Services as "Display Driver"
(VDisp.exe).

Run autoruns from www.sysinternals.com; it lists the startup entries.

Will it never stop?

The author of Agobot was (thankfully) arrested, but the source is in the wild
and some script kiddies are still there :(

Helmut Hauser



SV: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT

2004-06-24 Thread Peter Kruse
Hi,

>McAfee says 

Yes, this is indeed a new Gaobot/Agobot variant.

Regards
Peter Kruse
http://www.csis.dk



RE: MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - POTENTIAL KORGO VARIANT

2004-06-24 Thread Chontzopoulos Dimitris
McAfee says 

>  -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]  On Behalf Of Michael Young
> Sent: Thursday, June 24, 2004 5:39 PM
> To:   'Peter Kosinar'; [EMAIL PROTECTED]
> Subject:  MCAFEE E-MAIL SCAN ALERT!~RE: [FULL-DISCLOSURE] NEW WORM DISCOVERY - 
> POTENTIAL KORGO VARIANT
>
>
> Attachment file : VDisp.save
> Virus name: W32/Gaobot.worm.gen.j
> Action taken : Unable to Clean...
>
> Attachment file : VDisp.save
> Virus name: W32/Gaobot.worm.gen.j
> Secondary Action taken : Moved...
>
> Thank you for bringing that to my attention.  Here is the attachment.
> Again, rename to .exe
>
> -Original Message-
> From: Peter Kosinar [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 24, 2004 10:36 AM
> To: Michael Young
> Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant
>
> > creates a registry entry in RunServices and Run to load.  I am anxious to
> > hear any feedback anyone has regarding this issue as we are still
> attempting
> > to reduce network traffic and alleviate any remaining issues.  I have
> > attached a copy of the executable (rename to .exe).
>
> Are you sure you didn't forget to attach the attachment ? Or was it
> stripped from the mail somewhere on the route ?
>
> Your sincerely,
>
> Peter Kosinar
>




[Full-Disclosure] New Viruses

2004-06-24 Thread VX Dude
Could you guys stop sending me Beagle.X?  I already
have enough copies of that.  Could I make requests of
which viriises I would like to receive?

hahahahahahahahahahahahahahhohohohohohohohoh

Crapfully yours,
Stiny

___
Full-Disclosure - We belive in it cause we're evil.
Charter:
http://lists.netsys.cn/full-disclosure-charter.html


Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Oliver Heinz
Hello,

we also came across a system with a variant of Korgo/Padobot that was NOT
infected with Sasser before!
Infection possibly took place via HTTP; a file containing the virus was
found in the Temporary Internet Files.
Looks like this new Padobot is also able to spread via Internet Explorer
vulnerabilities.

Regards, Oliver Heinz

arago, Institut fuer komplexes Datenmanagement AG
Oliver Heinz, Bereichsleiter Systembetrieb & Security (Head of Systems Operations & Security)
Am Niddatal 3, 60488 Frankfurt am Main
Tel: +49-69-40568-401 | Fax: +49-69-40568-111
eMail: [EMAIL PROTECTED] | http://www.arago.de/
PGP-Fingerprint: a5de d4b4 46b3 4d8b 2646 d4d0 e5fd d842 cc4e 7315

Test your IT security now: http://portscan.netlimes.de/

On Thu, 24 Jun 2004, Cedric Blancher wrote:

> Date: Thu, 24 Jun 2004 16:03:47 +0200
> From: Cedric Blancher <[EMAIL PROTECTED]>
> To: Michael Young <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo
> Variant
>
> On Thu 24/06/2004 at 14:57, Michael Young wrote:
> > Yesterday a large client of ours was taken down by what appears to be
> > a Korgo variant, but I have been unable to locate any information on
> > this worm.  From what we have discovered, the main process is
> > ‘VDisp.exe’.  It is spreading through unpatched systems vulnerable to
> > the LSASS exploit, and propagates itself through a series of randomly
> > chosen ports.
>
> Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
> That would mean your client systems were previously infected by
> Sasser...
>
> --
> http://www.netexit.com/~sid/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>



Re: [Full-Disclosure] flaw in php_exec_dir patch

2004-06-24 Thread npguy
Is your safe mode on? What's your platform?
Give more details!

On Wednesday 23 June 2004 07:05 am, VeNoMouS wrote:
> Found an issue last night while testing the php_exec_dir patch.
>
> If you do the following:
>
> $blah=`ps aux`;
> echo nl2br($blah);
>
> php_exec_dir will block the call if you have set the exec_dir parameter in php
> or apache.
>
> Anyway, if you do this:
>
> $blah=`;ps aux`;
> echo nl2br($blah);
>
> it bypasses the exec block and executes the ps due to the ';', as bash
> interprets ';' as a new command. I've emailed the author but no response.

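The bypass VeNoMouS reports works because PHP's backtick operator hands the whole string to /bin/sh, and any shell separator starts a second command that a check on the first word never sees. The C program below is an added example, not the php_exec_dir patch's code, and it makes no assumptions about how that patch implements its check; it shows what a directory-restricted executor has to do to be immune to this class of bypass: reject shell metacharacters outright, require a bare program name, and run the program by absolute path with execv() instead of through a shell. The `/bin` directory, the `SHELL_META` set and the sample command lines are assumptions chosen for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 32

/* Everything the POSIX shell treats specially. A restriction that only
 * inspects or rewrites the first word of the command string and then hands
 * the whole string to /bin/sh is defeated by any one of these, the ';' in
 * the post being the simplest. A hardened executor refuses them all. */
static const char SHELL_META[] = ";|&$`<>()\\\"'\n*?[]{}~#";

/* Return 0 if cmd is an argv-style command line whose program name is a
 * bare name (no '/', so it can only resolve inside exec_dir) and which
 * contains no shell metacharacters; otherwise set errno and return -1. */
static int validate_command(const char *cmd)
{
    const char *p;

    if (cmd == NULL || *cmd == '\0' || isspace((unsigned char)*cmd)) {
        errno = EINVAL;
        return -1;
    }
    if (strpbrk(cmd, SHELL_META) != NULL) {
        errno = EPERM;
        return -1;
    }
    for (p = cmd; *p != '\0' && !isspace((unsigned char)*p); p++) {
        if (*p == '/') {
            errno = EPERM;
            return -1;
        }
    }
    return 0;
}

/* Run cmd with its program looked up only in exec_dir, via fork/execv and
 * never through a shell, so nothing in cmd can start a second command.
 * Returns the child's exit status, or -1 (errno set) if refused or failed. */
static int run_in_exec_dir(const char *exec_dir, const char *cmd)
{
    char copy[512];
    char path[1024];
    char *argv[MAX_ARGS + 1];
    char *tok;
    int argc = 0, status;
    pid_t pid;

    if (validate_command(cmd) != 0)
        return -1;
    if (strlen(cmd) >= sizeof copy) {
        errno = E2BIG;
        return -1;
    }
    strcpy(copy, cmd);

    /* Split on whitespace only; validate_command() guarantees at least one word. */
    for (tok = strtok(copy, " \t"); tok != NULL && argc < MAX_ARGS; tok = strtok(NULL, " \t"))
        argv[argc++] = tok;
    argv[argc] = NULL;

    if (snprintf(path, sizeof path, "%s/%s", exec_dir, argv[0]) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(path, argv);   /* absolute path: no PATH search, no shell */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed command lines modelled on the post: the allowed call, the
     * reported ';' bypass, and two other shapes the validator must refuse. */
    const char *samples[] = { "true", ";true", "true; ps aux", "/bin/true" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-14s -> %d\n", samples[i], run_in_exec_dir("/bin", samples[i]));
    return 0;
}
```

The point of the design is that there is no string for the shell to reinterpret: the command is tokenised by this code, the program is addressed by an absolute path inside the permitted directory, and anything that would need a shell to mean something is rejected before a process is ever created.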


Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread joe smith
Kaspersky detects it as Backdoor.Agobot.gen. So it is another one of the many
Agobot variants.

Michael Young wrote:
Yesterday a large client of ours was taken down by what appears to be
a Korgo variant, but I have been unable to locate any information on
this worm.  From what we have discovered, the main process is
'VDisp.exe'.  It is spreading through unpatched systems vulnerable to
the LSASS exploit, and propagates itself through a series of randomly
chosen ports.  The worm creates randomly generated services that
initialize the process, and also creates a registry entry in
RunServices and Run to load.  I am anxious to hear any feedback anyone
has regarding this issue as we are still attempting to reduce network
traffic and alleviate any remaining issues.  I have attached a copy of
the executable (rename to .exe).

Thank you,

Michael Young
IT Consultant
Miles Technologies
(800)-496-8001


[Full-Disclosure] Evidence of a ISC being hacked?

2004-06-24 Thread VX Dude
http://www.kb.cert.org/vuls/id/654390

Apparently one of the new DHCP vulnerabilities stems
from the following code found in a header file.

#define vsnprintf(buf, size, fmt, list) vsprintf (buf, fmt, list)

Why would any coder replace a more secure function
with a less secure function?  Personally I don't see
any reason except to backdoor the software.  If so,
then is this evidence that ISC has been hacked and
they're backdoored?  Are they keeping the incident
quiet?

Yeah I'm paranoid, but someone has to be ^_*


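The advisory text quoted in Valdis Kletnieks' reply to this post says the size argument is discarded. The C program below, an added example that belongs to neither post nor to the ISC DHCP sources, makes that visible in a unit test: it reproduces the quoted macro under the name `compat_vsnprintf`, formats a client-supplied string into an 8-byte field with it and with a real `vsnprintf()`, and counts how many bytes beyond the field each one writes. The name `compat_vsnprintf`, the 64-byte arena, the `host=%s` format and the hostname input are assumptions made for the demonstration; the input is constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The compatibility definition quoted from the advisory, reproduced here so
 * its effect can be observed. On a platform with no vsnprintf(), this makes
 * every vsnprintf(buf, size, ...) call silently drop `size`. */
#define compat_vsnprintf(buf, size, fmt, list) vsprintf(buf, fmt, list)

/* Format via the compatibility macro: `size` is accepted and then ignored. */
static int format_with_macro(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = compat_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* The same call through a real bounded vsnprintf(): at most size-1 bytes
 * plus the terminator are written, and the return value is the length the
 * full result would have had, so the caller can detect truncation. */
static int format_bounded(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Test rig. One 64-byte arena stands in for the stack: the first FIELD bytes
 * are the fixed-size field the code thinks it owns, everything after it is
 * filled with a sentinel. Because both regions live in the same array, a
 * write past FIELD is observable here without undefined behaviour, which is
 * what lets a unit test catch the macro. Returns the number of sentinel
 * bytes the formatter overwrote beyond the field. */
#define ARENA 64
#define FIELD 8

static size_t bytes_clobbered_past_field(
        int (*formatter)(char *, size_t, const char *, ...),
        const char *client_input)
{
    char arena[ARENA];
    size_t i, clobbered = 0;

    memset(arena, 'S', sizeof arena);
    formatter(arena, FIELD, "host=%s", client_input);
    for (i = FIELD; i < ARENA; i++)
        if (arena[i] != 'S')
            clobbered++;
    return clobbered;
}

int main(void)
{
    /* Constructed sample: a hostname longer than the 8-byte field, standing
     * in for the client-supplied data the advisory refers to. */
    const char *input = "client-controlled-hostname";

    printf("macro  : %zu bytes written past the field\n",
           bytes_clobbered_past_field(format_with_macro, input));
    printf("bounded: %zu bytes written past the field\n",
           bytes_clobbered_past_field(format_bounded, input));
    return 0;
}
```

The useful part for a code base that still carries such a compatibility header is the harness: a check like `bytes_clobbered_past_field`, run against each formatting wrapper on every build platform, fails exactly where the macro is active, and the return value of a real `vsnprintf()` (the full length, 31 here) is what a caller should compare against `size` to notice truncation instead of silently using a cut-off string.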


[Full-Disclosure] [ GLSA 200406-18 ] gzip: Insecure creation of temporary files

2004-06-24 Thread Kurt Lieber
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200406-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: gzip: Insecure creation of temporary files
      Date: June 24, 2004
      Bugs: #54890
        ID: 200406-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

gzip contains a bug potentially allowing an attacker to execute
arbitrary commands.

Background
==========

gzip (GNU zip) is a popular compression program. The included gzexe
utility allows you to compress executables in place and have them
automatically uncompress and execute when you run them.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  app-arch/gzip       <= 1.3.3-r3                       >= 1.3.3-r4

Description
===========

The gzexe script included with gzip contains a bug in the code that
handles temporary-file creation. If creating the temporary file fails,
gzexe does not bail out; instead it goes on to execute the command given
as its argument.

Impact
======

This could lead to privilege escalation by running commands with the
rights of the user running the self-extracting file.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All gzip users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=app-arch/gzip-1.3.3-r4"
# emerge ">=app-arch/gzip-1.3.3-r4"

Additionally, once the upgrade is complete, all self-extracting files
created with earlier versions of gzexe should be recreated, since the
vulnerability is actually embedded in those executables.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 http://security.gentoo.org/glsa/glsa-200406-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0


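The Description section of the advisory above describes a fail-open bug: a failed temp-file creation is not treated as fatal, and the script proceeds to execute. The C program below is an added example, not gzexe's code (gzexe is a shell script), showing the fail-closed shape of the same step: create the temporary file with mkstemp(), which also avoids predictable names and symlink races, and refuse to execute anything if that creation fails. The `gzexe.XXXXXX` template, the directory names and the payload bytes are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a private temporary file under dir. On success returns an open fd
 * (mkstemp creates the file O_EXCL with mode 0600, so a symlink planted at a
 * predictable name is not followed) and copies the path into out. On any
 * failure returns -1 with errno set and out empty. */
static int make_private_tempfile(const char *dir, char *out, size_t outsz)
{
    char tmpl[4096];
    int fd;

    out[0] = '\0';
    if (snprintf(tmpl, sizeof tmpl, "%s/gzexe.XXXXXX", dir) >= (int)sizeof tmpl) {
        errno = ENAMETOOLONG;
        return -1;
    }
    fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;             /* missing dir, no permission, disk full: fail closed */
    if (strlen(tmpl) >= outsz) {
        close(fd);
        unlink(tmpl);
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(out, tmpl);
    return fd;
}

/* Model of the self-extractor's control flow. The payload is only allowed to
 * run once it has been fully staged in a temp file that this process created;
 * a staging failure is a hard stop, never a fall-through to running whatever
 * the script was invoked with. Returns 1 if execution would proceed, 0 if it
 * was refused. The actual uncompress-and-exec step is omitted; this is the
 * gate in front of it. */
static int would_execute(const char *dir, const char *payload, size_t len)
{
    char path[4096];
    ssize_t written;
    int fd = make_private_tempfile(dir, path, sizeof path);

    if (fd < 0) {
        fprintf(stderr, "staging in %s failed: %s; refusing to run\n",
                dir, strerror(errno));
        return 0;
    }
    written = write(fd, payload, len);
    close(fd);
    unlink(path);
    return written == (ssize_t)len;
}

int main(void)
{
    /* Constructed payload; the two directories model a normal run and a
     * deliberately broken TMPDIR. */
    const char payload[] = "#!/bin/sh\necho hello\n";

    printf("/tmp             -> %d\n", would_execute("/tmp", payload, sizeof payload - 1));
    printf("/nonexistent/dir -> %d\n", would_execute("/nonexistent/dir", payload, sizeof payload - 1));
    return 0;
}
```

In a shell script the equivalent is to check the status of the temp-file creation and `exit` on failure before anything is run; the example simply makes the fail-closed decision explicit as a function whose result can be tested.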


RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Cedric Blancher
On Thu 24/06/2004 at 16:14, Michael Young wrote:
> The worm clearly exploits the LSASS overflow and is not spreading through
> the FTP daemon left by Sasser.

Oops... My mistake... I mixed up Korgo and Dabber...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Michael Young
The worm clearly exploits the LSASS overflow and is not spreading through
the FTP daemon left by Sasser.

-Original Message-
From: Cedric Blancher [mailto:[EMAIL PROTECTED] 
Sent: Thursday, June 24, 2004 10:04 AM
To: Michael Young
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

On Thu 24/06/2004 at 14:57, Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm.  From what we have discovered, the main process is
> 'VDisp.exe'.  It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports.

Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



Re: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Cedric Blancher
On Thu 24/06/2004 at 14:57, Michael Young wrote:
> Yesterday a large client of ours was taken down by what appears to be
> a Korgo variant, but I have been unable to locate any information on
> this worm.  From what we have discovered, the main process is
> 'VDisp.exe'.  It is spreading through unpatched systems vulnerable to
> the LSASS exploit, and propagates itself through a series of randomly
> chosen ports.

Korgo exploits a buffer overflow within FTP daemon installed by Sasser.
That would mean your client systems were previously infected by
Sasser...

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!



RE: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Heather M. Guse Bryan

http://www.f-secure.com/weblog/

  -Original Message-
  From: Michael Young [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, June 24, 2004 7:57 AM
  To: [EMAIL PROTECTED]
  Subject: [Full-Disclosure] New Worm Discovery - Potential Korgo Variant

  Yesterday a large client of ours was taken down by what appears to be a
  Korgo variant, but I have been unable to locate any information on this
  worm.  From what we have discovered, the main process is 'VDisp.exe'.  It
  is spreading through unpatched systems vulnerable to the LSASS exploit,
  and propagates itself through a series of randomly chosen ports.  The worm
  creates randomly generated services that initialize the process, and also
  creates a registry entry in RunServices and Run to load.  I am anxious to
  hear any feedback anyone has regarding this issue as we are still
  attempting to reduce network traffic and alleviate any remaining issues.
  I have attached a copy of the executable (rename to .exe).

  Thank you,

  Michael Young
  IT Consultant
  Miles Technologies
  (800)-496-8001


Re: [Full-Disclosure] Re: your mail

2004-06-24 Thread Bart . Lansing

Until your crappy office filter is smart enough to know that that is a
potential anonymizer and blocks it as well... like ours does.

Cheers

Bart Lansing
Manager, Desktop Services
Kohl's IT


[EMAIL PROTECTED] wrote on 06/23/2004
12:04:01 PM:

> 
> 
> This really isn't that new.
> For years you have been able to do this with babelfish.altavista.com also.
> 
> Simply go to translate.google.com or babelfish.altavista.com, type in the
> website you would like to visit and select a language to translate from ->
> to the language you know the website is currently written in, and when you
> submit your query it should by default notice it doesn't need to translate
> the site, or it thinks the site has been translated fairly quickly, and it
> hands you the website.
> 
> 
> This is great for your crappy corporate filters.
> 
> :)
> 
> > http://exploit.wox.org/tools/googleproxy.html
> 
> -Daniel Uriah Clemens
> 
> Esse quam videri
>       (to be, rather than to appear)
>                 -Moments of Sorrow are Moments of Sobriety
>       { o)2059686335   c)2055676850 }
> 
> ___
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


[Full-Disclosure] New Worm Discovery - Potential Korgo Variant

2004-06-24 Thread Michael Young

Yesterday a large client of ours was taken down by what
appears to be a Korgo variant, but I have been unable to locate any information
on this worm.  From what we have discovered, the main process is 'VDisp.exe'.
It is spreading through unpatched systems vulnerable to the LSASS exploit, and
propagates itself through a series of randomly chosen ports.  The worm
creates randomly generated services that initialize the process, and also
creates a registry entry in RunServices and Run to load.  I am anxious to
hear any feedback anyone has regarding this issue as we are still attempting to
reduce network traffic and alleviate any remaining issues.  I have
attached a copy of the executable (rename to .exe).

Thank you,

Michael Young
IT Consultant
Miles Technologies
(800)-496-8001


[Full-Disclosure] Spammers Using Spyware To Fool Users

2004-06-24 Thread Helmut Hauser
Could that be the reason that I see a whole explosion in Spy and Malware
infections right now ?

http://www.techweb.com/wire/story/TWB20040623S0007

Helmut Hauser



[Full-Disclosure] trouble with wireless pentest

2004-06-24 Thread zcrips xrabbitz

hi everyone,

I have been taking on my first large and blind wireless pentest and I have
nearly become lost in the jaws of a wireless network and would appreciate
any help. First I'll state what I have done and seen so far.

The network was encrypted, but with WEP and large traffic, so I was able to
bruteforce the key.

The network in focus is quite large with multiple subnets and lots of
"firewalls".

These I did:

Using kismet I sniffed a whole lot of packets, and decoded them with the
found WEP key.

Then using my conventional ettercap and ethereal I looked through the
packets.

I sniffed a lot more with ethereal and looked through them for a similar MAC
address, but all packets had a local (destination) IP and MAC address.

Now the problem.

I tried to connect to the network.

I used a nice IP to match one on the network (8.5); I changed MAC addresses to
match the host I was spoofing.

Then I tried to route packets to another client, which failed with the
"network unreachable" error.

I tried a traceroute to my target client but it failed too with the same
error.

I used ettercap to passively watch traffic and came up with a comprehensive
list of IP/MAC addresses and tried to spoof most of them, but still my
packets didn't get routed.

I tried using etherape to watch traffic flow and come up with a route, but I
figured out that nearly all traffic was internal; most hosts were connecting
to each other.

HELP:

    How can I route packets through to other clients or become a client, or
    is there a better way I could do this whole pentest from the beginning?
    Any help would be appreciated.

ZIPPERS CRIPS
The Zcrips Inc
"a man is only limited by his imaginative abilities"



Re: [Full-Disclosure] M$ - so what should they do?

2004-06-24 Thread Ciro Spider-Man
On Tue, 22 Jun 2004 09:04:37 +1200, Stuart Fox (DSL AK)
<[EMAIL PROTECTED]> wrote:
> 
> 
> 
> >
> > How about changing the ".exe" convention?  Making a file
> > executable by it's "extension" probably causes a lot of
> > opportunities for problems, doesn't it?
> >
> > Also, the magic file names, like "CON" and "AUX" should go away.
> >
> 
> No way!  Am I the only person who still uses "copy con filename.txt" to
> create scripts and such at the command line?  Please tell me I'm not?
> 

I don't use it to create scripts, but I do use it. Frequently use the
filehandles on unix boxen, too, for that matter. Who needs a
fullscreen editor? ;)



RE: [Full-Disclosure] RE: M$ - so what should they do?

2004-06-24 Thread bills.bitch

He still does not get it. Despite his bizarre ability to bloat his prose
with nothing, probably from coming from the bloated code school of
his principal, he still says nothing. What he isn't is a professional.
A professional anything. Rather a whore from the pimp stable of his bitch
master. Hey, I go where the money is. It's not a religion. I don't care.
Give me the money. Take a 5 minute break. Cool off. I can also switch
to where the money is today or tomorrow. Exactly like the whore stripper.
I am a good person, but hey, I go where the money is. Relax, whoring isn't
religion, take 5 and cool down. I'll make my money now and quit down the
road and get married and then really become someone. ha ha ha ha ha

These are the words of a professional whore, not a professional admin,
security, tech, analyst. The only security that he really knows is
about lining his pocket.

Give him a nickel and he'll say the other systems are the worst.