[Full-Disclosure] [SECURITY] [DSA 604-1] New hpsockd packages fix denial of service

2004-12-03 Thread debian-security-announce

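--------------------------------------------------------------------------
Debian Security Advisory DSA 604-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
December 3rd, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------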

Package        : hpsockd
Vulnerability  : missing input sanitising
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2004-0993

"infamous41md" discovered a buffer overflow condition in hpsockd, the
socks server written at Hewlett-Packard.  An exploit could cause the
program to crash or may have worse effect.

For the stable distribution (woody) this problem has been fixed in
version 0.6.woody1.

For the unstable distribution (sid) this problem has been fixed in
version 0.14.

We recommend that you upgrade your hpsockd package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1.dsc
  Size/MD5 checksum:  526 d5ac263f8a527e97c8d707977351805a

http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1.tar.gz
  Size/MD5 checksum:   127019 2de411d806f925658b771ffb1c974c41

  Alpha architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_alpha.deb
  Size/MD5 checksum:   115444 65338a0efb88db831b690a4c76d70997

  ARM architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_arm.deb
  Size/MD5 checksum:   104214 fdd81a813a8023b9585603cf53610616

  Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_i386.deb
  Size/MD5 checksum:    98588 805aef90031fa41a3cca9fa28b26d508

  Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_ia64.deb
  Size/MD5 checksum:   140132 0f8a29392e10ae44652f76534a420b0a

  HP Precision architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_hppa.deb
  Size/MD5 checksum:   111672 b643ff9b7e5964592b3c194b8fe7203b

  Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_m68k.deb
  Size/MD5 checksum:    94430 911addc14236228693687c303788ad3a

  Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_mips.deb
  Size/MD5 checksum:   110742 63e55da32013613da6e69b7f9a84b97d

  Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_mipsel.deb
  Size/MD5 checksum:   72 7c82b76671b118ca734f48c5e22e3245

  PowerPC architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_powerpc.deb
  Size/MD5 checksum:   101516 7447d074ff41cc3ad6873d2f423cc4fd

  IBM S/390 architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_s390.deb
  Size/MD5 checksum:   101594 add45d166bf0c926e143fd70c5a09ab1

  Sun Sparc architecture:


http://security.debian.org/pool/updates/main/h/hpsockd/hpsockd_0.6.woody1_sparc.deb
  Size/MD5 checksum:   114216 510aca051ce938553e20af4f53104f46


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: [EMAIL PROTECTED]
Package info: `apt-cache show ' and http://packages.debian.org/


___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] If Lycos can attack spammer sites, can we all start doing it?

2004-12-03 Thread Vincent Archer
On Thu, Dec 02, 2004 at 05:54:57PM +, Jason Coombs wrote:
> Even without explicit language in the EULA, Lycos is just a software maker in 
> this case. It is the end user who is guilty of an abusive attack -- if anyone 
> is. The rate limit per client is set to prevent a single client from crossing 
> the attack threshold, so this could be the first test of product liability 
> for the intentional creation of zombie armies.

Not the first test. This is already underway in court.

The current pitched battle in Kazaa vs. the RIAA is that Kazaa is just
making software, and thus, is not liable for unlawful usage by the users.
The RIAA happens to "strongly disagree".

-- 
Vincent ARCHER
[EMAIL PROTECTED]

Tel : +33 (0)1 40 07 47 14
Fax : +33 (0)1 40 07 47 27
Deny All - 5, rue Scribe - 75009 Paris - France
www.denyall.com



Re: [Full-Disclosure] Fwd: How many backbones here are filtering the makelovenotspam screensaver site?

2004-12-03 Thread Ake Nordin
At 02:49 2004-12-02, n3td3v wrote:
>[EMAIL PROTECTED] 07:01:16 [~]$ dnsname 213.115.182.123
>ua-213-115-182-123.cust.bredbandsbolaget.se
>
>Hosted on a cablemodem?  Tch, tch, how the mighty have fallen

Just to pick that little nit:
That particular provider does not do "cable", they have only 
recently begun to sell xDSL, most of the installed base is 
still 10 Mbit/s Ethernet shared among all tenants in one 
building. Shared 100 Mbit/s is being deployed, but that is
progressing slowly.

They do also sell connectivity to businesses, but those do
typically not have reverse names like the one above.

Whatever relevance this may have... 8^)


-- 
  .
 /Ake Nordin   +46704-660199   [EMAIL PROTECTED]
 Duston Sickler: "There are only 10 types of people in the
 world, those who understand binary and those who don't."




[Full-Disclosure] RE: Remote Mercury32 Imap exploit

2004-12-03 Thread Randal, Phil
The patched version of Mercury32 can be found here:

  ftp://ftp.usm.maine.edu/pegasus/mercury32/m32-401b.zip

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: JohnH [mailto:[EMAIL PROTECTED] 
> Sent: 01 December 2004 23:29
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Remote Mercury32 Imap exploit
> 
> Here you go guys. A fully working Remote Mercury32 Imap 
> exploit. This will work on any windows OS. 100% universal. 
> And now it has 14 possible targets.
> 
> Again, Someone posted some dos code :(
> 
> 
> Cheers,
> 
> 
> [EMAIL PROTECTED]
> Security Researcher
> VISIT: www.secnetops.com 
> 



[Full-Disclosure] Re: Remote Mercury32 Imap exploit

2004-12-03 Thread class 101
WOW, 14 Targets now  You are soo 1337 dude !!!
LOL, poor farmer. Greets to only muts on that discovery , and fuck to the
secnetops kiddies :)

Greetz whitehat.co.il ;)

-
class101
Hat-Squad.com
-



[Full-Disclosure] SUSE Security Announcement: cyrus-imapd (SUSE-SA:2004:043)

2004-12-03 Thread Thomas Biege


__

SUSE Security Announcement

        Package:                cyrus-imapd
        Announcement-ID:        SUSE-SA:2004:043
        Date:                   Friday, Dec 3rd 2004 13:00 MEST
        Affected products:      8.1, 8.2, 9.0, 9.1, 9.2
                                SUSE Linux Enterprise Server 8, 9
                                SuSE-Linux-Standard-Server 8
                                SuSE Linux Openexchange Server 4
        Vulnerability Type:     remote command execution
        Severity (1-10):        5
        SUSE default package:   No
        Cross References:       CAN-2004-1011
                                CAN-2004-1012
                                CAN-2004-1013

Content of this advisory:
1) security vulnerability resolved:
 - buffer overflow and out of bounds access in cyrus imapd
   problem description
2) solution/workaround
3) special instructions and notes
4) package location and checksums
5) pending vulnerabilities, solutions, workarounds:
- suidperl
- putty
6) standard appendix (further information)

__

1) problem description, brief discussion

Stefan Esser reported various bugs within the Cyrus IMAP Server.
These include buffer overflows and out-of-bounds memory access
which could allow remote attackers to execute arbitrary commands
as root. The bugs occur in the pre-authentication phase, therefore
an update is strongly recommended.


2) solution/workaround

There is no temporary workaround except shutting down the IMAP server.

   
3) special instructions and notes

After successfully updating the cyrus-imapd package you have to issue
the following command as root:

  /sbin/rccyrus restart

  
4) package location and checksums

Download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered for installation from the maintenance web.


x86 Platform:

    SUSE Linux 9.2:
    
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cyrus-imapd-2.2.8-6.3.i586.rpm
      563c7c359df3e4572c27bccd1c4962eb
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/cyrus-imapd-2.2.8-6.3.i586.patch.rpm
      ceee2a62831855a563c56a0d7be12a6d
    source rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/src/cyrus-imapd-2.2.8-6.3.src.rpm
      c24904edebe628e9dab9b805af56359a

    SUSE Linux 9.1:
    
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cyrus-imapd-2.2.3-83.19.i586.rpm
      53af4c594493abca71bd2789c6599019
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/cyrus-imapd-2.2.3-83.19.i586.patch.rpm
      2c596ce65de5d13c0ca14459e0462bd9
    source rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/src/cyrus-imapd-2.2.3-83.19.src.rpm
      015268204791fc27c128705b1a22ca37

    SUSE Linux 9.0:
    
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cyrus-imapd-2.1.15-89.i586.rpm
      ed3c4bc9178eea7ad5a8a406d53a230d
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/cyrus-imapd-2.1.15-89.i586.patch.rpm
      b1ddc189663da719ec5d55ea186b795b
    source rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/src/cyrus-imapd-2.1.15-89.src.rpm
      6692959f014ed63d0c83ca02632e456b

    SUSE Linux 8.2:
    
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cyrus-imapd-2.1.12-75.i586.rpm
      09223533665db543be3e85b53b89b50a
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/cyrus-imapd-2.1.12-75.i586.patch.rpm
      c4606d6b48577af54486c40fb35a31b9
    source rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/cyrus-imapd-2.1.12-75.src.rpm
      beb341ef93888c1f1e3f6e6532109b0d

    SUSE Linux 8.1:
    
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cyrus-imapd-2.1.16-56.i586.rpm
      2d5c5cc7de173ff8153544166a19533c
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/cyrus-imapd-2.1.16-56.i586.patch.rpm
      8d1cc9bea8f323c15b982dfc43df7b6c
    source rpm(s):
    
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/cyrus-imapd-2.1.16-56.src.rpm
      bd1e20bd42974bbe9f8e3aee826a



    x86-64 Platform:

    SUSE Linux 9.2:
    
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/cyrus-imapd-2.2.8-6.3.x86_64.rpm
      57bd598694d82f7f52af34659773d890
    patch rpm(s):
    
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/cyrus-imapd-2.2.8-6.3.x86_64.patch.rpm
      9702a054

[Full-Disclosure] Gaim Festival Logoff Vulnerability <= 0.81 (1.03)

2004-12-03 Thread Kristian Hermansen
DATE: Friday, December 3, 2004

After some playing around this week, there seem to be vulnerabilities
in the Festival plugin (/usr/lib/gaim/festival.so) for Gaim.  I tested
version 0.81 in Gaim 1.03 with the ked_diphone voice.  I'm not sure if
these are already known and remain unpatched.  Basically, by sending
certain strings you can exploit it in various ways.  ratjed and I ran
into this last night while passing some code back and forth.  For the
most simple example try sending it these two strings concurrently:

--snip--
##printf("%s", "%s", "hello world");
##printf("%s", "hello world");
--snip--

It should close down Gaim immediately.  You might be able to get it to
delete files, but I have not put more than five minutes into analyzing
it yet.  I publish this in the event that there are other more dangerous
strings that could be sent.  Any feedback is greatly appreciated and if
anyone has a patch please make it available...

CREDITS: ratjed and netsniper
-- 
Kristian Hermansen <[EMAIL PROTECTED]>



[Full-Disclosure] RE: Official IFRAME patch - make sure it installs correctly

2004-12-03 Thread Rivera Alonso, David

Same happened to me.
I went to WindowsUpdate, patched it and ran MBSA, which told me it wasn't
patched. I had to download the .EXE and run again. After the reboot, MBSA
told me I was safe.

-Original Message-
From: Berend-Jan Wever [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 02 December 2004 1:50
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Official IFRAME patch - make sure it installs correctly


The IFRAME vulnerability has been patched, see
http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx

*** Make sure you are patched after installing ***
I installed it using "Automatic Updates" (on Win2ksp4), rebooted and loaded
my InternetExploiter.html: IT STILL WORKED!!
Even though both "Automatic Updates" and
"http://windowsupdate.microsoft.com" reported that I was patched!?!
I manually downloaded the exe and ran it, rebooted and now I'm finally
truly patched.

It might just have been a glitch on my system, but you might wanna check
anyway: InternetExploiter.html can still be downloaded from my website.

Berend-Jan Wever
<[EMAIL PROTECTED]>
http://www.edup.tudelft.nl/~bjwever
SkyLined in #SkyLined on EFNET







[Full-Disclosure] Tool Announcement: AIRT -- the Advanced Incident Response Tool (linux)

2004-12-03 Thread madsys
hey all,

I'm proud to announce that the AIRT 0.1 is now available:
http://159.226.5.93/projects/airt-0.1.tar.bz2

AIRT (Advanced incident response tool) is a set of incident response 
assistant tools on linux platform. It's useful when you want to know what evil 
program is resident on your broken system and what the hell it is. It consists 
of 5 useful tools now:

mod_hunter: looks for hidden module on the suspect system.

process_hunter: looks for hidden process from kernel on the suspect system.

sock_hunter: looks for hidden port from kernel on the suspect system.

modumper: dumps the hidden module into file.

dismod: tries to analyze the dumped module.


Note: it only supports 2.6 kernel now, will support 2.4 kernel later.

We will be happy to get any suggestion and bug report ;-P


  madsys



RE: [Full-Disclosure] Network Sniffing

2004-12-03 Thread xtrecate
Bear in mind my original message pertained to log files.

You brought politics into this.  So yes, I agree my response to your post
did not belong in FD, nor did your post.  Perhaps, though, your message was
more important.  After all, you are from the census bureau right?  Yes,
people line up to hear your opinion on topics ranging from Nixon to Iraq.

If Nixon's actions weren't underhanded political subterfuge, what exactly
would you call them?  Standard US Government operating procedure?  Do they
teach you those tricks at census camp?

Buhbye then.

xtrecate





-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Thursday, December 02, 2004 6:36 PM
To: xtrecate
Cc: 'Florian Streck'
Subject: RE: [Full-Disclosure] Network Sniffing

Your perspective sounds awfully naive.  Which is not surprising considering
you put Nixon's actions in the category of "underhanded political
subterfuge" and don't even mention J. Edgar's actions.  There's a reason
for the checks and balances we have - and it isn't paranoia.

Please take a look at the list charter.  Regardless of how important you
think your message is, if it's off-topic it doesn't belong on FD.

Regards,
Lee




"xtrecate" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED].netsys.com
12/02/2004 04:45 PM

To:       <[EMAIL PROTECTED]>
cc:       "'Florian Streck'" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
Subject:  RE: [Full-Disclosure] Network Sniffing





I wasn't alive during the Nixon's reign of wtfs, but I don't think Nixon, or
indeed anyone engaging in underhanded political subterfuge, would be
particularly worried about the log files at insecure.org, which is what my
commentary pertained to.

"This depends heavily on who decides what a felony is.
Just consider free speech in China. Brings you right into jail.
And I wouldn't go as far as to put the FBI (or any other such agency) beyond
doubt.  Same applies to our (german) authorities as well."

I was not instilling blind faith into the FBI, more trying to provide a
perspective not so tainted by the paranoia intrinsic to many of the messages
I see pass through FD.

--xtrecate

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 01, 2004 8:47 AM
To: xtrecate
Subject: RE: [Full-Disclosure] Network Sniffing

> People intending to commit felonies over the internet, obviously, have
> something to worry about... though I'm not sure why anyone would be
> sympathetic to their plight.

It's not only felons or even just people that intend to commit felonies
that the FBI investigates.  Are you old enough to remember Nixon & Hoover?

-Other Original Message I'm Replying Too-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Florian Streck
Sent: Wednesday, December 01, 2004 11:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Network Sniffing

On Tue, Nov 30, 2004 at 08:26:41PM -0800, xtrecate wrote:
> The article states that the FBI served subpoenas for specific information
> from insecure.org, likely after finding evidence that some specific attacker
> (who, no doubt, did something which deserves to be investigated) retrieved
> data from insecure.org.  It would appear they are simply trying to
> cross-reference logs to discover an attacker's real IP address.  This is
> pretty legitimate, and Fyodor was apparently very diligent in ensuring all
> information was retrieved via legal methods.
>
> People intending to commit felonies over the internet, obviously, have
> something to worry about... though I'm not sure why anyone would be
> sympathetic to their plight.

This depends heavily on who decides what a felony is.
Just consider free speech in China. Brings you right into jail.
And I wouldn't go as far as to put the FBI (or any other such agency)
beyond doubt.
Same applies to our (german) authorities as well.
>
> > Take a look at:
> > http://www.insecure.org/tools.html
> [...]
> Note: The FBI is monitoring HTTP logs from insecure.org.
>
> http://slashdot.org/article.pl?sid=04/11/25/1835238&from=rss
>

Florian

--
Memory fault -- core...uh...um...core... Oh dammit, I forget!


[Full-Disclosure] iDEFENSE Security Advisory 12.03.2004: Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service Vulnerability

2004-12-03 Thread idlabs-advisories
Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service
Vulnerability

iDEFENSE Security Advisory 12.03.2004
www.idefense.com/application/poi/display?id=159&type=vulnerabilities
December 03, 2004

I. BACKGROUND

Darwin Streaming Server is an open source version of Apple's QuickTime
Streaming Server technology that allows you to send streaming media to
clients across the Internet using the industry standard RTP and RTSP
protocols.

II. DESCRIPTION

Remote exploitation of an input validation vulnerability in Apple
Computer Inc.'s Darwin Streaming Server allows attackers to cause a
denial of service condition. The vulnerability specifically occurs due
to insufficient sanity checking on arguments to DESCRIBE requests. A
remote attacker can send a request for a location containing a null byte
to cause a denial of service condition resulting in the following
backtrace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1026 (LWP 9648)]
0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
(gdb) bt
#0 0x4207ac9e in chunk_free () from /lib/i686/libc.so.6
#1 0x4207ac24 in free () from /lib/i686/libc.so.6
#2 0x08096406 in FindOrCreateSession (inPath=0x408caf3c,
   inParams=0x81746f0, inData=0x0, isPush=0, foundSessionPtr=0x0) at
   APIModules/QTSSReflectorModule/QTSSReflectorModule.cpp:1262

III. ANALYSIS

Successful exploitation allows any remote unauthenticated attacker to
crash the targeted server, thereby preventing legitimate users from
accessing streamed content.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Darwin
Streaming Server 5.0.1. It is suspected that earlier versions are also
vulnerable.

V. WORKAROUND

Employ firewalls, access control lists or other TCP/UDP restriction
mechanisms to limit access to systems and services.

VI. VENDOR RESPONSE

The following updates are available from Apple Downloads
(http://www.apple.com/support/downloads//) to address this
vulnerability:

Mac OS X 10.2.8 Client
http://www.apple.com/support/downloads//securityupdate_2004-12-02_v_1_0_(Mac_OS_X_10_2_8_Client).html

Mac OS X 10.2.8 Server
http://www.apple.com/support/downloads//securityupdate_2004-12-02_v_1_0_(Mac_OS_X_10_2_8_Server).html

Mac OS X 10.3.6 Client
http://www.apple.com/support/downloads//securityupdate_2004-12-02_v_1_0_(Mac_OS_X_10_3_6_Client).html

Mac OS X 10.3.6 Server
http://www.apple.com/support/downloads//securityupdate_2004-12-02_v_1_0_(Mac_OS_X_10_3_6_Server).html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-1123 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/10/2004   Initial vendor notification
09/15/2004   Initial vendor response
12/03/2004   Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [EMAIL PROTECTED] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information. 
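
The sanity check the advisory above says was missing, sketched as an added example (not iDEFENSE's or Apple's code): an RTSP request line is validated as a counted buffer, so a NUL byte in the requested location is rejected before any C-string routine can see a shortened path. It goes slightly beyond the advisory by also rejecting the percent-encoded form; the function names, the 1024-byte limit and the sample lines are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RTSP_MAX_URI 1024 /* assumed limit, not taken from the advisory */

enum rtsp_check {
    RTSP_OK = 0,
    RTSP_ERR_FORMAT,      /* not "METHOD SP URI SP RTSP/x.y" */
    RTSP_ERR_TOO_LONG,    /* URI longer than RTSP_MAX_URI */
    RTSP_ERR_RAW_NUL,     /* 0x00 byte inside the received line */
    RTSP_ERR_CTRL,        /* control byte, raw or percent-encoded */
    RTSP_ERR_BAD_ESCAPE,  /* '%' not followed by two hex digits */
    RTSP_ERR_ENCODED_NUL  /* "%00" in the URI */
};

/* Constructed sample request lines, CRLF already stripped. */
static const unsigned char SAMPLE_OK[] =
    "DESCRIBE rtsp://media.example.com/sample.mov RTSP/1.0";
static const unsigned char SAMPLE_RAW_NUL[] =
    "DESCRIBE rtsp://media.example.com/sample\0.mov RTSP/1.0";
static const unsigned char SAMPLE_ENC_NUL[] =
    "DESCRIBE rtsp://media.example.com/sample%00.mov RTSP/1.0";

/* How many bytes a strlen()-style consumer would see of a counted buffer. */
size_t cstring_visible_len(const unsigned char *buf, size_t len)
{
    const unsigned char *nul = memchr(buf, 0, len);
    return nul ? (size_t)(nul - buf) : len;
}

static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

static enum rtsp_check check_uri(const unsigned char *uri, size_t len)
{
    if (len == 0) return RTSP_ERR_FORMAT;
    if (len > RTSP_MAX_URI) return RTSP_ERR_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = uri[i];
        if (c <= 0x20 || c == 0x7f) return RTSP_ERR_CTRL;
        if (c == '%') {
            /* Decode the escape so "%00" cannot pass as three harmless bytes. */
            int hi = (i + 1 < len) ? hexval(uri[i + 1]) : -1;
            int lo = (i + 2 < len) ? hexval(uri[i + 2]) : -1;
            if (hi < 0 || lo < 0) return RTSP_ERR_BAD_ESCAPE;
            int v = hi * 16 + lo;
            if (v == 0) return RTSP_ERR_ENCODED_NUL;
            if (v < 0x20 || v == 0x7f) return RTSP_ERR_CTRL;
            i += 2;
        }
    }
    return RTSP_OK;
}

/* Validate one request line of `len` received bytes. */
enum rtsp_check rtsp_check_request_line(const unsigned char *line, size_t len)
{
    /* The receive length is authoritative; a NUL inside it is never valid. */
    if (memchr(line, 0, len) != NULL) return RTSP_ERR_RAW_NUL;

    const unsigned char *end = line + len;
    const unsigned char *sp1 = memchr(line, ' ', len);
    if (sp1 == NULL || sp1 == line) return RTSP_ERR_FORMAT;
    for (const unsigned char *p = line; p < sp1; p++)
        if ((*p < 'A' || *p > 'Z') && *p != '_') return RTSP_ERR_FORMAT;

    const unsigned char *uri = sp1 + 1;
    const unsigned char *sp2 = memchr(uri, ' ', (size_t)(end - uri));
    if (sp2 == NULL) return RTSP_ERR_FORMAT;

    const unsigned char *ver = sp2 + 1;
    if ((size_t)(end - ver) != 8 || memcmp(ver, "RTSP/", 5) != 0)
        return RTSP_ERR_FORMAT;

    return check_uri(uri, (size_t)(sp2 - uri));
}

int main(void)
{
    printf("ok=%d raw_nul=%d encoded_nul=%d\n",
           rtsp_check_request_line(SAMPLE_OK, sizeof SAMPLE_OK - 1),
           rtsp_check_request_line(SAMPLE_RAW_NUL, sizeof SAMPLE_RAW_NUL - 1),
           rtsp_check_request_line(SAMPLE_ENC_NUL, sizeof SAMPLE_ENC_NUL - 1));
    printf("received %zu bytes, C-string view %zu bytes\n",
           sizeof SAMPLE_RAW_NUL - 1,
           cstring_visible_len(SAMPLE_RAW_NUL, sizeof SAMPLE_RAW_NUL - 1));
    return 0;
}
```

The gap between the received length and the C-string view is what makes the request worth rejecting at the parser: every later consumer that trusts `strlen()` would otherwise work on a different path than the one that was received.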





[Full-Disclosure] What to do with bot networks

2004-12-03 Thread Conor Sibley
It all started yesterday when one of my servers got hacked.  An ssh
phisher got lucky and found an account with a weak password open on my
server.  Two shellcode attempts later they had full access via root. 
They ran a super scanner and started an Energy Mech variant which
connected back to their bot network.  This is where my dilemma
started... so I logged onto the bot network and lo-and-behold hundreds
start responding.  I'm reasonably sure that this network will be used
"4-3v1l && !G00D" so, the question I am asking myself is: "What next".

-Do I disable the network
This is a huge network that is likely used for DDOSing.  If you've
ever been DOSed... it sux.

-Do I report to ISP or authorities
The ISP is in an eastern European country and I don't know if the
local authorities would do anything let alone care.

-Do I do nothing
This option sucks but it sure is the easiest



[Full-Disclosure] [ GLSA 200412-01 ] rssh, scponly: Unrestricted command execution

2004-12-03 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200412-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
 Title: rssh, scponly: Unrestricted command execution
  Date: December 03, 2004
  Bugs: #72815, #72816
ID: 200412-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis


rssh and scponly do not filter command-line options that can be
exploited to execute any command, thereby allowing a remote user to
completely bypass the restricted shell.

Background
==

rssh and scponly are two restricted shells, allowing only a few
predefined commands. They are often used as a complement to OpenSSH to
provide access to remote users without providing any remote execution
privileges.

Affected packages
=

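    -------------------------------------------------------------------
     Package           /  Vulnerable  /                     Unaffected
    -------------------------------------------------------------------
  1  net-misc/scponly       < 4.0                               >= 4.0
  2  app-shells/rssh       <= 2.2.2                        Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------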

Description
===

Jason Wies discovered that when receiving an authorized command from an
authorized user, rssh and scponly do not filter command-line options
that can be used to execute any command on the target host.

Impact
==

Using a malicious command, it is possible for a remote authenticated
user to execute any command (or upload and execute any file) on the
target machine with user rights, effectively bypassing any restriction
of scponly or rssh.

Workaround
==

There is no known workaround at this time.

Resolution
==

All scponly users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-misc/scponly-4.0"

Currently, there is no released version of rssh that contains a fix for
these issues. The author declared that he cannot provide a fixed
version at this time. Therefore, the rssh package has been hard-masked
prior to complete removal from Portage, and current users are advised
to unmerge the package.

References
==

  [ 1 ] BugTraq Posting

http://www.securityfocus.com/archive/1/383046/2004-11-30/2004-12-06/0

Availability


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200412-01.xml

Concerns?
=

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
===

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0
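
The class of check the GLSA above describes as missing, as an added example (not the scponly or rssh code): a restricted shell that approves a command only when the program is on its list and every option is on a deny-by-default allow-list for that program. The policy table, the limits and the sample requests are assumptions constructed for illustration; `-Z` stands in for any option that is not on the list.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 16   /* assumed limits for the sketch */
#define MAX_CMD  512

enum verdict { ALLOW = 0, DENY_SYNTAX, DENY_COMMAND, DENY_OPTION };

struct policy {
    const char *command;     /* argv[0] the restricted shell may run */
    const char *short_flags; /* permitted flags; none of them takes an argument */
};

/* Assumed policy: the flags a remote-side scp needs for plain transfers.
 * A real deployment derives this from the exact binary it ships. */
static const struct policy POLICY[] = {
    { "scp", "tfrpdv" },
};

static const struct policy *find_policy(const char *cmd)
{
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (strcmp(POLICY[i].command, cmd) == 0)
            return &POLICY[i];
    return NULL;
}

/* Decide whether the command string requested by the remote user may run.
 * On ALLOW the caller should exec the split argv directly, never via a shell. */
enum verdict check_command(const char *request)
{
    char buf[MAX_CMD];
    char *argv[MAX_ARGS];
    int argc = 0;

    if (strlen(request) >= sizeof buf)
        return DENY_SYNTAX;
    /* Refuse anything a shell or a word splitter could reinterpret. */
    if (strpbrk(request, ";|&<>`$\\\"'(){}*?[]~!#\n\r\t") != NULL)
        return DENY_SYNTAX;
    strcpy(buf, request);

    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (argc == MAX_ARGS)
            return DENY_SYNTAX;
        argv[argc++] = tok;
    }
    if (argc == 0)
        return DENY_COMMAND;

    const struct policy *pol = find_policy(argv[0]);
    if (pol == NULL)
        return DENY_COMMAND;

    /* Checking the command name alone is not enough: inspect every argument,
     * including options placed after operands and clustered flags. */
    for (int i = 1; i < argc; i++) {
        const char *a = argv[i];
        if (strcmp(a, "--") == 0)
            break;                      /* everything after is an operand */
        if (a[0] != '-' || a[1] == '\0')
            continue;                   /* operand or lone "-" */
        if (a[1] == '-')
            return DENY_OPTION;         /* no long options are on the list */
        for (const char *f = a + 1; *f != '\0'; f++)
            if (strchr(pol->short_flags, *f) == NULL)
                return DENY_OPTION;     /* unknown flag: deny by default */
    }
    return ALLOW;
}

int main(void)
{
    /* Constructed sample requests. */
    const char *samples[] = {
        "scp -t /upload", "scp -rpt /upload", "scp -Z helper -t /upload",
        "scp -t /upload -Z", "ls -la",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d\n", samples[i], check_command(samples[i]));
    return 0;
}
```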





Re: [Full-Disclosure] Network Sniffing

2004-12-03 Thread Valdis . Kletnieks
On Thu, 02 Dec 2004 13:45:37 PST, xtrecate said:
> I wasn't alive during the Nixon's reign of wtfs, but I don't think Nixon, or
> indeed anyone engaging in underhanded political subterfuge, would be
> particularly worried about the log files at insecure.org, which is what my
> commentary pertained to.

Just because they *weren't* worried about the logfiles doesn't mean that they
*shouldn't* be worried about the log files.

For those who weren't around at the time - the only reason the whole Watergate
mess unfolded was because a Watergate security guard saw where one of the
burglars had taped a door latch open.  Only reason the guard saw it was because
the dumb burglar had run the tape horizontally, not vertically.

Most crooks, be they burglars trying to score enough money for their next hit
of crack, or heads of state, end up getting caught because of stupid things
like masking tape put on wrong or a logfile entry for their wget command...





Re: [Full-Disclosure] What to do with bot networks

2004-12-03 Thread Paul Schmehl
--On Friday, December 03, 2004 12:27:20 PM -0500 Conor Sibley 
<[EMAIL PROTECTED]> wrote:

> -Do I disable the network
> This is a huge network that is likely used for DDOSing.  If you've
> ever been DOSed... it sux.
>
> -Do I report to ISP or authorities
> The ISP is in an eastern European country and I don't know if the
> local authorities would do anything let alone care.
>
> -Do I do nothing
> This option sucks but it sure is the easiest

The answer to this question is inversely proportional to the amount of time 
you have to screw with it.

case "$1" in
 no_time)
   OPTION=3
 ;;
 some_time)
   OPTION=1
 ;;
 lots_of_time)
   OPTION=2
 ;;
 *)
   echo $"Usage: $0 {no_time|some_time|lots_of_time}"
   exit 1
esac

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu


AW: [Full-Disclosure] What to do with bot networks

2004-12-03 Thread Robert Marquardt
I fully agree Paul.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Schmehl
Sent: Friday, 3 December 2004 19:52
To: Conor Sibley; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] What to do with bot networks

--On Friday, December 03, 2004 12:27:20 PM -0500 Conor Sibley 
<[EMAIL PROTECTED]> wrote:
>
> -Do I disable the network
> This is a huge network that is likely used for DDOSing.  If you've
> ever been DOSed... it sux.
>
> -Do I report to ISP or authorities
> The ISP is in an eastern European country and I don't know if the
> local authorities would do anything let alone care.
>
> -Do I do nothing
> This option sucks but it sure is the easiest
>
The answer to this question is inversely proportional to the amount of time 
you have to screw with it.

case "$1" in
  no_time)
    OPTION=3
  ;;
  some_time)
    OPTION=1
  ;;
  lots_of_time)
    OPTION=2
  ;;
  *)
    echo $"Usage: $0 {no_time|some_time|lots_of_time}"
    exit 1
esac

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



[Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread n3td3v
I think heads should roll over this. I think it's the worst act a
corporation has ever undertaken in the history of the internet. I
think it sends out a bad example to the rest of the security community
that DDoS is acceptable. It is and never will be an acceptable and
effective way to beat spam or any other misuse of the internet. I
therefore ask people in high places and the media to call for the top
people who gave this idea the go ahead to resign or be sacked.

Spammers and hax0rs will not allow Lycos EU to build its bot network
of screensavers, if and when the site comes back online again. I plead
with Lycos EU to not bring the project back online for the sake of
everyone and the wider internet.

If Lycos EU bring the screensaver site back online, I ask everyone to
isolate them and I suggest business partners of Lycos EU do the same.

The screensaver can't be allowed to be a socially acceptable way to
solve any internet based problem.

If you don't then, you have just justified the use of DDoS to be an
acceptable solution to a given problem, and nobody will be able to say
it's wrong for a script kiddie to DDoS anything to solve a given
problem they have with X location and person.

The argument that Lycos EU are not DDoS'ing is not washable. It's DDoS
plain and simple. Yep exactly what script kiddies do when they have a
grudge over someone ;-) Lycos EU don't have grudges do they?

Resign or be sacked.

Thanks, n3td3v
security enthusiast



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Bob Smith
> I think heads should roll over this. I think its the worst act a corporation 
> has ever undertaken in the history of the internet.

So speaketh n3td3v, prohpet, visionary, lord and leader of Full Disclosure.

The Internet has always been about vigilante justice. Aside from
exceptionally egregious cases of wrongdoing, like sexually explicit
material with children, fraud, or flagrant piracy, the Internet exists
and operates beyond the boundaries of any one nation's laws. It is up
to the people to self regulate.

We have tried politely reasoning with spammers, we have tried ignoring
spammers, we have tried _suing_ spammers. We've leisurely worked our
way down the tree and are well past any sort of rational recourse. Now
people are willing to resort to brute retaliation.

When you sign on to the Internet, you accept this implicitly, to some
degree or another.  If you screw up, people will blackhole you, flood
you, or isolate you. Spammers have been  lapping us in the face for
too long, and now the Internet reacts and fights back.

Everyone who downloaded that screensaver did so intentionally, this
wasn't a trojan operating behind the scenes. The participants were
willing combatants. The engine for the battle happened to come from
Lycos this time, but there have been other efforts in the past as
well.

And if the spammers don't like my packets being sent to their system,
all they have to do is send me a polite e-mail asking to be removed
from my flood-list. It is really quite simple!

-Taters



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Bob Smith
> I think heads should roll over this. I think its the worst act a
> corporation has ever undertaken in the history of the internet.

So speaketh n3td3v, prohpet, visionary, lord and leader of Full Disclosure.

The Internet has always been about vigilante justice. Aside from
exceptionally egregious cases of wrongdoing, like child pornography,
fraud, or flagrant piracy, the Internet exists and operates beyond the
boundaries of any one nation's laws. It is up to the people to self
regulate.

We have tried politely reasoning with spammers, we have tried ignoring
spammers, we have tried _suing_ spammers. We've leisurely worked our
way down the tree and are well past any sort of rational recourse. Now
people are willing to resort to brute retaliation.

When you sign on to the Internet, you accept this implicitly, to some
degree or another.  Spammers have been slapping us in the face for too
long, and now the Internet reacts and fights back.

Everyone who downloaded that screensaver did so intentionally, this
wasn't a trojan operating behind the scenes. The participants were
willing combatants, the engine happened to come from Lycos this time,
but there have been other efforts in the past as well.

And if the spammers don't like my packets being sent to their system,
all they have to do is send me a polite e-mail asking to be removed.
It is really quite simple.

-Taters



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Andrew Farmer
On 03 Dec 2004, at 16:38, Bob Smith wrote:
> Everyone who downloaded that screensaver did so intentionally, this
> wasn't a trojan operating behind the scenes. The participants were
> willing combatants, the engine happened to come from Lycos this time,
> but there have been other efforts in the past as well.
>
> And if the spammers don't like my packets being sent to their system,
> all they have to do is send me a polite e-mail asking to be removed.
> It is really quite simple.

You really think generating *terabytes* of junk traffic is a good way
to solve problems?

As n3td3v said, legitimizing this sort of attack would be a justification
of DDoSes of all sorts. Someone has a web site you don't like? DDoS it!
Idiot on IRC? DDoS him! Who cares if it slows down traffic all over the
net - this is vigilante justice, man!

(I'm purposefully ignoring the fact that this already happens in some
circles. My point is that DDoS would be more widely used.)

And the argument that these people "deserved" the DDoS they got is
partially flawed, too. For example, one of the sites targeted
(http://www.artofsense.com/) appears to have been an accidental
casualty - an affiliate sent spam with images from their site.




Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Micah McNelly
> And if the spammers don't like my packets being sent to their system,
> all they have to do is send me a polite e-mail asking to be removed
> from my flood-list. It is really quite simple!

Wow.  Obviously you are not responsible for authorizing payment to transit
providers and have no idea how much bandwidth actually might cost an
organization on a perMonth/perMeg basis.  This would have never had any
SERIOUS effect on backbone providers but many of their customers who don't
even KNOW they  have someone generating spam from their network would
unfortunately see a great deal of money lost.

Why don't you go physically assault a spammer.  Do you physically assault
door-to-door solicitors or do you have a sign on your front porch.

Obviously spam costs all of us $ in some form or another but incurring
rapidly generated expenses for non-responsible parties to me seems a bit
cruel.  Do you assault the mailman for delivering junkmail that companies
actually pay the USPS to deliver?

/m

- Original Message -
From: "Bob Smith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, December 03, 2004 5:11 PM
Subject: Re: [Full-Disclosure] I'm calling for LycosEU heads and team to
resign or be sacked


> > I think heads should roll over this. I think its the worst act a
> > corporation has ever undertaken in the history of the internet.
>
> So speaketh n3td3v, prohpet, visionary, lord and leader of Full
> Disclosure.
>
> The Internet has always been about vigilante justice. Aside from
> exceptionally egregious cases of wrongdoing, like sexually explicit
> material with children, fraud, or flagrant piracy, the Internet exists
> and operates beyond the boundaries of any one nation's laws. It is up
> to the people to self regulate.
>
> We have tried politely reasoning with spammers, we have tried ignoring
> spammers, we have tried _suing_ spammers. We've leisurely worked our
> way down the tree and are well past any sort of rational recourse. Now
> people are willing to resort to brute retaliation.
>
> When you sign on to the Internet, you accept this implicitly, to some
> degree or another.  If you screw up, people will blackhole you, flood
> you, or isolate you. Spammers have been  lapping us in the face for
> too long, and now the Internet reacts and fights back.
>
> Everyone who downloaded that screensaver did so intentionally, this
> wasn't a trojan operating behind the scenes. The participants were
> willing combatants. The engine for the battle happened to come from
> Lycos this time, but there have been other efforts in the past as
> well.
>
> And if the spammers don't like my packets being sent to their system,
> all they have to do is send me a polite e-mail asking to be removed
> from my flood-list. It is really quite simple!
>
> -Taters


Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Andrew Farmer
For those who don't want to figure it out for themselves, here's a diff 
from this to the second message. Go figure.

On 03 Dec 2004, at 16:38, Bob Smith wrote:
I think heads should roll over this. I think its the worst act a
corporation has ever undertaken in the history of the internet.
So speaketh n3td3v, prohpet, visionary, lord and leader of Full 
Disclosure.

The Internet has always been about vigilante justice. Aside from
exceptionally egregious cases of wrongdoing, like
- child pornography,
+ sexually explicit material with children,
fraud, or flagrant piracy, the Internet exists and operates beyond the
boundaries of any one nation's laws. It is up to the people to self
regulate.
We have tried politely reasoning with spammers, we have tried ignoring
spammers, we have tried _suing_ spammers. We've leisurely worked our
way down the tree and are well past any sort of rational recourse. Now
people are willing to resort to brute retaliation.
When you sign on to the Internet, you accept this implicitly, to some
degree or another.
+ If you screw up, people will blackhole you, flood you, or isolate you.
Spammers have been
- slapping
+ lapping
us in the face for too
long, and now the Internet reacts and fights back.
Everyone who downloaded that screensaver did so intentionally, this
wasn't a trojan operating behind the scenes. The participants were
willing
- combatants, the engine
+ combatants. The engine for the battle
happened to come from Lycos this time,
but there have been other efforts in the past as well.
And if the spammers don't like my packets being sent to their system,
all they have to do is send me a polite e-mail asking to be
- removed.
+ removed from my flood-list.
It is really quite simple.
-Taters




Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Bob Smith
> You really think generating *terabytes* of junk traffic is a good way
> to solve problems?
>
> As n3td3v said, legitimizing this sort of attack would be a justification
> of DDoSes of all sorts. Someone has a web site you don't like? DDoS it!
> Idiot on IRC? DDoS him! Who cares if it slows down traffic all over the
> net - this is vigilante justice, man!

Yes, I do think this is a good way to solve _this_ problem. If you
would read what I posted, we have exhausted rational means of dealing
with spammers. We have tried talking with them, we have tried
legislating them, we have tried taking them to courts. We are now at
the stage where we are physically fighting.  Some groups (SPEWS,
NANAE?) have been at this level for some time now. This tool gives the
common user the means to join their struggle.

> Why don't you go physically assault a spammer.  Do you physically assault
> door-to-door solicitors or do you have a sign on your front porch. Do
> you assault the mailman for delivering junkmail that companies
> actually pay the USPS to deliver?

Let's draw analogies!  Maybe we can work in something about Nazis or
drug dealers while we're at it? Hey, computers are just like cars, so
we'll go assault our mechanics.. Wait a minute, I just realized those
analogies have nothing to do with it.

We're talking about flooding spammers off the internet, not mugging
door to door salesmen (although that's not a bad idea)...

> Wow.  Obviously you are not responsible for authorizing payment to transit
> providers and have no idea how much bandwidth actually might cost an
> organization on a perMonth/perMeg basis.

Any carrier that supports a spammer deserves to carry the extra
traffic. I waste hours a week deleting spam. I'll fight a war of
attrition, if nothing else works.



[Full-Disclosure] [FLSA-2004:2148] Updated httpd, apache and mod_ssl packages fix security issues

2004-12-03 Thread Marc Deslauriers
---
               Fedora Legacy Update Advisory

Synopsis:          Updated httpd, apache and mod_ssl packages fix
                   security issues
Advisory ID:       FLSA:2148
Issue date:        2004-12-03
Product:           Red Hat Linux, Fedora Core
Keywords:          Bugfix
Cross references:  https://bugzilla.fedora.us/show_bug.cgi?id=2148
CVE Names:         CAN-2004-0885 CAN-2004-0940 CAN-2004-0942
---

1. Topic:

Updated httpd packages that include fixes for security issues are now
available.

The Apache HTTP server is a powerful, full-featured, efficient, and
freely-available Web server.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386

3. Problem description:

An issue has been discovered in the mod_ssl module when configured to
use the "SSLCipherSuite" directive in directory or location context. If
a particular location context has been configured to require a specific
set of cipher suites, then a client will be able to access that location
using any cipher suite allowed by the virtual host configuration. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0885 to this issue.

Problems that apply to Red Hat Linux 7.3 only:

A buffer overflow in mod_include could allow a local user who is
authorised to create server side include (SSI) files to gain the
privileges of a httpd child. The Common Vulnerabilities and Exposures
project (cve.mitre.org) has assigned the name CAN-2004-0940 to this
issue.

Problems that apply to Red Hat Linux 9 and Fedora Core 1 only:

An issue has been discovered in the handling of white space in request
header lines using MIME folding. A malicious client could send a
carefully crafted request, forcing the server to consume large amounts
of memory, leading to a denial of service. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0942 to this issue.

Users of the Apache HTTP server should upgrade to these updated
packages, which contain patches that address these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which
are not installed but included in the list will not be updated.  Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt.  Many
people find this an easier way to apply updates.  To use yum issue:

    yum update

or to use apt:

    apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system.  This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

http://bugzilla.fedora.us - 2148 - Apache httpd Vulnerabilities

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/apache-1.3.27-6.legacy.src.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/mod_ssl-2.8.12-7.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-devel-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/apache-manual-1.3.27-6.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/mod_ssl-2.8.12-7.legacy.i386.rpm
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/httpd-2.0.40-21.17.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-devel-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/httpd-manual-2.0.40-21.17.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/mod_ssl-2.0.40-21.17.legacy.i386.rpm
Fedora Core 1:
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/httpd-2.0.51-1.6.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-devel-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/httpd-manual-2.0.51-1.6.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/mod_ssl-2.0.51-1.6.legacy.i386.rpm
7. Verification:
SHA1 sum   
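
A check of installed packages against the fixed builds named in section 6, as an added example that is not part of the advisory or Fedora Legacy's tooling. It assumes input in the form printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'`, uses a simplified rpm-style version comparison (no epoch, no `~`), and the installed versions in the sample are constructed.

```python
import re

# Fixed builds from section 6 of the advisory: package -> (version, release).
_HTTPD_PKGS = ("httpd", "httpd-devel", "httpd-manual", "mod_ssl")
FIXED = {
    "Red Hat Linux 7.3": {
        "apache": ("1.3.27", "6.legacy"),
        "apache-devel": ("1.3.27", "6.legacy"),
        "apache-manual": ("1.3.27", "6.legacy"),
        "mod_ssl": ("2.8.12", "7.legacy"),
    },
    "Red Hat Linux 9": dict.fromkeys(_HTTPD_PKGS, ("2.0.40", "21.17.legacy")),
    "Fedora Core 1": dict.fromkeys(_HTTPD_PKGS, ("2.0.51", "1.6.legacy")),
}

SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, rpm style.

    Simplified (assumption): no epoch and no '~' handling. Returns -1, 0 or 1.
    """
    seg_a, seg_b = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over is newer.
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def parse_nvr(line):
    """Split 'name-version-release' from the right; names may contain hyphens."""
    line = line.strip()
    parts = line.rsplit("-", 2)
    if " " in line or len(parts) != 3:
        return None                          # e.g. "package X is not installed"
    return tuple(parts)


def audit(distro, rpm_lines):
    """Return (name, installed, fixed, is_patched) for each package the advisory covers."""
    fixed = FIXED[distro]
    report = []
    for line in rpm_lines:
        nvr = parse_nvr(line)
        if nvr is None or nvr[0] not in fixed:
            continue
        name, ver, rel = nvr
        fver, frel = fixed[name]
        # Version decides first; the release only breaks a tie.
        order = rpmvercmp(ver, fver) or rpmvercmp(rel, frel)
        report.append((name, f"{ver}-{rel}", f"{fver}-{frel}", order >= 0))
    return report


# Constructed sample of query output from a Red Hat Linux 9 host.
SAMPLE_RPM_Q = [
    "httpd-2.0.40-21.11",
    "mod_ssl-2.0.40-21.17.legacy",
    "httpd-manual-2.0.40-21.9",
    "openssl-0.9.7a-20",
    "package httpd-devel is not installed",
]

if __name__ == "__main__":
    for name, have, want, ok in audit("Red Hat Linux 9", SAMPLE_RPM_Q):
        print(f"{name:14} {have:22} {'ok' if ok else 'needs ' + want}")
```
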

Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Tatercrispies
> For those who don't want to figure it out for themselves, here's a
> diff from this to the second message. Go figure.

Stupid mistake. I got a bounce saying that my first message contained
restricted words ("porn"), so I took the opportunity to revise it a
bit. After I sent the second message, I realized it was an individual
list subscriber bouncing my message not the list itself. Oh well.



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread J.A. Terranson

On Fri, 3 Dec 2004, n3td3v wrote:

> I think heads should roll over this.


Excuse me, but who misinformed you that Lycos (a) gives a shit what you
(or I, or anyone else) thinks, or (b) that Lycos is going to listen to
[you||me||anyone] when it comes to personnel decisions?


> I think its the worst act a
> corporation has ever undertaken in the history of the internet.


Really?  That's pretty strong language.  If this is "the worst act a
corporation has *ever* [emphasis my own] undertaken " then
you don't get out much.


> I
> think it sends out a bad example to the rest of the security community
> that DDoS is acceptable.


Agreed.  This is the first coherent thing you have posted on this.


> It is and never will be an acceptable


Agreed to here, but...


> and
> effective way to beat spam or any other misuse of the internet.

That is an unknown variable as yet.  Some things can be both wrong and
efficacious at the same time.

> I
> therefore ask people in high places and the media to call for the top
> people who gave this idea the go ahead to resign or be sacked.

Yawn.

> Spammers and hax0rs will not allow Lycos EU to build its bot network
> of screensavers,


And you know this, how?


> if and when the site comes back online again. I plead
> with Lycos EU to not bring the project back online for the sake of
> everyone and the wider internet.


More of this and less of the histrionics would bolster your case.


> If Lycos EU bring the screensaver site back online, I ask everyone to
> isolate them and I suggest business partners of Lycos EU do the same.

And why are you not also calling for the complete isolation of those who
are the root cause of this in the first place?


> The screensaver can't be allowed to be a socially acceptable way to
> solve any internet based problem.


Social acceptability is, by definition, unique to each society: what's
acceptable here may not be across the street||river||pond||ocean, etc.
That does not mean that it would not be efficacious ;-)


> If you don't then, you have just justified the use of DoSS to be an
> acceptable solution to a given problem, and nobody will be able to say
> its wrong for a script kiddie to DDoS anything to solve a given
> problem they have with X location and person.

OOOpps!  That logic is peeking out again!  Quick, call out the histrionics
to hide it before someone thinks you have more than two axons.


> The argument that Lycos EU are not DDos'ing  is not washable. Its DDoS
> plain and simple. Yep exactly what script kiddies do when they have a
> grudge over someone ;-) Lycos EU don't have grudges do they?

You bet they have grudges.  So do a lot of people.  There is also a very
legitimate self defense argument to be made here.  The fact that it is
being completely ignored is almost as scary as the fact that many people
think this DDoS is acceptable.  Do the math (and use both of those axons)
before you open your mouth to answer this one.


> Resign or be sacked.

OOo! I'm sure they're just shakin' in their boots now!


> Thanks, n3td3v
> security enthusiast

"Enthusiast"?  Gimme a break...


-- 
Yours,

J.A. Terranson
[EMAIL PROTECTED]
0xBD4A95BF

 Civilization is in a tailspin - everything is backwards, everything is
upside down- doctors destroy health, psychiatrists destroy minds, lawyers
destroy justice, the major media destroy information, governments destroy
freedom and religions destroy spirituality - yet it is claimed to be
healthy, just, informed, free and spiritual. We live in a social system
whose community, wealth, love and life is derived from alienation,
poverty, self-hate and medical murder - yet we tell ourselves that it is
biologically and ecologically sustainable.

The Bush plan to screen whole US population for mental illness clearly
indicates that mental illness starts at the top.

Rev Dr Michael Ellner



RE: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread xtrecate
Yes when n3td3v says jump, major corporations around the world say how high.
Lol.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Friday, December 03, 2004 1:53 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] I'm calling for LycosEU heads and team to resign
or be sacked

I think heads should roll over this. I think its the worst act a
corporation has ever undertaken in the history of the internet. I
think it sends out a bad example to the rest of the security community
that DDoS is acceptable. It is and never will be an acceptable and
effective way to beat spam or any other misuse of the internet. I
therefore ask people in high places and the media to call for the top
people who gave this idea the go ahead to resign or be sacked.

Spammers and hax0rs will not allow Lycos EU to build its bot network
of screensavers, if and when the site comes back online again. I plead
with Lycos EU to not bring the project back online for the sake of
everyone and the wider internet.

If Lycos EU bring the screensaver site back online, I ask everyone to
isolate them and I suggest business partners of Lycos EU do the same.

The screensaver can't be allowed to be a socially acceptable way to
solve any internet based problem.

If you don't then, you have just justified the use of DoSS to be an
acceptable solution to a given problem, and nobody will be able to say
its wrong for a script kiddie to DDoS anything to solve a given
problem they have with X location and person.

The argument that Lycos EU are not DDos'ing  is not washable. Its DDoS
plain and simple. Yep exactly what script kiddies do when they have a
grudge over someone ;-) Lycos EU don't have grudges do they?

Resign or be sacked.

Thanks, n3td3v
security enthusiast



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Jason
IANAL

> > The screensaver can't be allowed to be a socially acceptable way to
> > solve any internet based problem.
>
> Social acceptability is, by definition, unique to each society: what's
> acceptable here may not be across the street||river||pond||ocean, etc.
> That does not mean that it would not be efficacious ;-)

Not only is it socially acceptable it could be legal in the US and 
potentially considered a constitutional issue. There are also these laws 
that have something to do with nuisance which might also provide a 
vehicle for it.

This is not a DDoS like what would be launched through an automated bot 
network controlled by nefarious entities which neither asked for 
permission or provide for removal. This is an opt-[in|out] system and I 
find it to be as socially acceptable as fax bombing or mail ( as in 
snail ) bombing to get your point across.

It is more like peaceful protest on the internet than it is DDoS. This 
is identical to people preventing access to the building spam is sent 
from by clogging the roadways with slow moving cars all day. Some will 
say that clogging the roadways does not cost innocent people  but it 
well could if they worked in an unrelated part of that building...

It is an effective method to make your voice heard using a different 
form and it is not only acceptable it is a form of peaceful protest IMHO.



Re: [Full-Disclosure] I'm calling for LycosEU heads and team to resign or be sacked

2004-12-03 Thread Sean Harlow
Micah McNelly wrote:
> many of their customers who don't
> even KNOW they  have someone generating spam from their network would
> unfortunately see a great deal of money lost.

Oh well.  Maybe they'll be more careful with who they let on their 
network next time.  If you're not actively making sure that your 
computer is not spamming me, then I really don't care about you.  For a 
home user, this means using virus protection, firewalls, and keeping 
everything up to date.  For ISPs, this means taking a closer look if one 
of your customers, be it a business or a home user, is generating an 
abnormally large amount of SMTP traffic.

> Why don't you go physically assault a spammer.

Gladly.  Unfortunately, tracking them down to a physical location so I 
can physically bash their skulls in with a physical baseball bat is a 
bit hard.

> Do you physically assault door-to-door solicitors or do you have a sign on your front porch.

I have a fence with a locked gate.  Only those who I want getting in can 
do so, and if someone tried to jump the fence, then they are 
trespassing, and my dog and weapons would come out.

On my network, I have a firewall, IDS, and spam filter.  That's the 
fence.  Anyone who tries to get through the fence, either with brute 
force (rapid-fire worm attacks) or sneakiness (Én1ârgë yôùr pënïs, 
etc...) has now trespassed, when it was clear that I don't want them there.

I'm not saying I support the use of a DDoS attack against them, I'm just 
saying that I'm not going to feel sorry if a few big-time spammers get a 
hefty bandwidth bill at the end of the month.
