[Full-Disclosure] Re: Terminal Server vulnerabilities

2005-01-24 Thread Daniel H. Renner
Original message:
 Date: Mon, 24 Jan 2005 15:52:55 -0800
 From: Daniel Sichel [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Terminal Server vulnerabilities
 To: full-disclosure@lists.netsys.com
 Message-ID:
   [EMAIL PROTECTED]
 Content-Type: text/plain; charset=us-ascii
 
 I am currently locked in a death struggle with Microsoft's server
 product group. They have dropped support for the IAS (RADIUS) mmc in
 server 2003 and the 2000 version won't work under XP SP2. Their solution
 is to use terminal server to control the server remotely to manage
 RADIUS. Naturally  I don't like this answer because of horror stories I
 have heard about Terminal server. They claim there are no unfixed
 vulnerabilities to Terminal Server on Windows Server 2000 Service Pack
 4. 
 
 I find that hard to believe and I know you guys will know if they are
 full of it, or they are correct. Please let me know ASAP of any CURRENT
 vulnerabilities in Terminal Server.
 
 Dan Sichel
 Network Engineer
 Ponderosa Telephone
 [EMAIL PROTECTED] (559) 868-6367
  
 P.S. the MMC is worse, it requires that port 139 or 445 be opened, but
 that is not the point, I suspect they are feeding me a line and I want
 to prove it. Thanks.
 

Dan,

Try here for starters:
http://www.google.com/search?q=%22windows+terminal+server%22+exploits&sourceid=mozilla&start=0&start=0&ie=utf-8&oe=utf-8
(2,310 results)

Then pick one and try it out...
-- 

Cheers,

Dan
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Re: [Full-Disclosure] 0102_msbro?

2004-11-30 Thread Daniel H. Renner
Most excellent!  Thanks to Frank, Stef and noconflic!

Cheers!
Da

On Fri, 2004-11-26 at 17:42, Stef wrote:
 http://www.petri.co.il/registration_of_netbios_names.htm ?!?
 
 On Fri, 26 Nov 2004 16:50:47 -0800, Daniel H. Renner
 [EMAIL PROTECTED] wrote:
  Hey guys,
  
  Anyone have any idea what the heck 0102_msbro is?
  
  I have seen it as a connection point in EtherApe running under either a
  DSL box connected to a hub with a Win2000 SBS box and a Internet
  connection on the uplink, and an Ubuntu Linux box connected to a switch
  and the connection was come from a WinXP box and a SimplyMepis box
  running SaMBa on the LAN.
  
  I've tried to Google it with absolutely no results, and no results on
  simply _msbro either...
  --
  
  Cheers,
  
  Dan
  Los Angeles Computerhelp
  http://losangelescomputerhelp.com
  818.352.8700
  


[Full-Disclosure] 0102_msbro?

2004-11-26 Thread Daniel H. Renner
Hey guys,

Anyone have any idea what the heck 0102_msbro is?

I have seen it as a connection point in EtherApe running under either a
DSL box connected to a hub with a Win2000 SBS box and a Internet
connection on the uplink, and an Ubuntu Linux box connected to a switch
and the connection was come from a WinXP box and a SimplyMepis box
running SaMBa on the LAN.

I've tried to Google it with absolutely no results, and no results on
simply _msbro either...
-- 

Cheers,

Dan
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700





Re: [Full-Disclosure] Possibly a stupid question RPC over HTTP

2004-10-13 Thread Daniel H. Renner
Daniel,

Could you please point out where you read this data?  I would like to
see this one...
-- 
Daniel H. Renner [EMAIL PROTECTED]
Los Angeles Computerhelp


On Tue, 2004-10-12 at 20:54, [EMAIL PROTECTED]
wrote:
 Message: 18
 Date: Tue, 12 Oct 2004 12:41:56 -0700
 From: Daniel Sichel [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: [Full-Disclosure] Possibly a stupid question RPC over HTTP
 
 This may just reflect my ignorance, but I read (and found hard to
 believe) that Microsoft has implemented RPC over HTTP. Is this not a
 HUGE security hole? If I understand it correctly it means that good old
 HTML or XML can invoke a process using standard web traffic (port 80)?
 Is there any permission checking done? what things can be invoked by RPC
 over HTTP? Jeeze, to me it looks like the barn door is now wide open. Am
 I right, and if so, how can I detect RPCs in web traffic to block this
 junk? Can ANY stateful packet filter see this stuff or is the pattern
 too broad in allowed RPCs?
 
 Again, I hope this is not a stupid question or inappropriate format for
 this, as somebody else recently said, there is already enough noise on
 this list. I would hate to see this list degenerate, it has been REALLY
 valuable to me as a network engineer on occasion.
 
 Thanks all,
 Dan Sichel
 Ponderosa telephone
 [EMAIL PROTECTED]
 




RE: [Full-Disclosure] How big is the danger of IE?

2004-07-11 Thread Daniel H. Renner
 Message: 3
 Date: Fri, 09 Jul 2004 13:03:22 +1200
 From: Nick FitzGerald [EMAIL PROTECTED]
 Subject: RE: [Full-Disclosure] How big is the danger of IE?
 To: [EMAIL PROTECTED]
 Reply-to: [EMAIL PROTECTED]
 Organization: Personal account
 

<snip>
http://www.kb.cert.org/vuls/id/713878
 
...
 
Use a different web browser
 
</snip>

Admittedly number 6 of 6 solutions, but the fact that CERT suggests it
at all makes it big news in these circles.  However, I've seen people
debate the use of such an action where IE is built into the operating
system and will continue to operate regardless of another browser being
installed.

I thought I might mention to you that there is an easy handling for
using another browser and disabling IE.

After downloading and installing another browser, open IE, go to Tools,
Options (or Internet Options in the Control Panel) Connections, LAN
Settings.  Check the Use a proxy (Auto detect must be unchecked) and set
the address as 0.0.0.0 and the port as 1.

IE and any program, script, etc. that wants to use it has now been
effectively sent into a black hole, and any sane program that can be
configured to access the Internet on its own will do fine.  This
technique works especially well if you have a LAN proxy for your
Internet access, and can be auto-configured so that the workstations on
the company Intranet use it, but don't use the black hole proxy address
for the internal company website(s).

Note though, that this will also disable Outlook or Outlook Express from
displaying web-based HTML email, but will not stop similar internal
company emails from displaying correctly.
-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results

2004-04-17 Thread Daniel H. Renner
On Fri, 2004-04-16 at 06:59, [EMAIL PROTECTED]
wrote:
 Reply-To: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 From: Rafel Ivgi, The-Insider [EMAIL PROTECTED]
 To: bugtraq [EMAIL PROTECTED]
 Date: Fri, 16 Apr 2004 13:47:59 +0200
 Subject: [Full-Disclosure] Hi! Antiviruses Comparison - A Little Research Results
 
 Hi everyone!
 Just wanted to say to all of you that Mcafee(Pro 8) seems to be the best 
 antivirus around.
 Mcafee auto updates itself without asking(norton asks). And displays
 It is the only one(from norton 2004,panda and mcafee) who identifies the 
 following as viruses/backdoors:
 
 1. VBS/Inor.B
 2. VBS/Psyme
 3. Exploit -CodeBase.Gen
 4. JS/Exploit-FileProxy
 5. JV/ShinWow
 6. X-Wreck(my own - unpublished backdoor - identified by the heuristic 
 engine)
 7. http://www.realtime-spy.com keylogger
 8. Cain & Abel(which is a trojan) - as possibly evil tool
 9. Nmap - as possibly evil tool
 
 As the facts prove mcafee is the best for now, though I saw a research 
 claiming BitDefender
 as the best. BitDefender is great, but comparing it with mcafee is a little 
 hard task to do.
 
 
 Rafel Ivgi, The-Insider. 
 

The test results (sponsored by PC Utilities mag) at this site agree
with most of your observations:
http://www.virus.gr/english/fullxml/default.asp?id=62&mnu=62
-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Re: Delete anti-virus and firewall software --Microsoft

2004-04-17 Thread Daniel H. Renner
MS has not removed the page from their Japanese pages which can be found
here:
http://support.microsoft.com/default.aspx?scid=kb;ja;820673

Translation via Babelfish can be done with cut-paste of the article
itself here:
http://babelfish.altavista.com/
-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


On Fri, 2004-04-16 at 15:13, [EMAIL PROTECTED]
wrote:
Date: Fri, 16 Apr 2004 16:08:25 -0500
From: hggdh [EMAIL PROTECTED]
Reply-To: hggdh [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: Delete anti-virus and firewall software
--Microsoft


Hello Kim,

Friday, April 16, 2004, 12:00:37 PM, you wrote:


KS> Isn't the Resolution in this Knowledge Base article a little, uh,
KS> ill-advised:

KS> http://support.microsoft.com/default.aspx?scid=kb;en-us;820673

Alas, it seems Microsoft has been reading full-disclosure lately...
the page seems to have been taken off-line.
-- 

 ..hggdh..







[Full-Disclosure] Reverse flow RPC?

2004-03-26 Thread Daniel H. Renner
Hello list,

We're running IPCop v1.4.0a10 on a DHCP ADSL connection.  Snort is the
IDS software installed.

I took a look-see at my firewall log for yesterday and saw four
instances of what appears to be reversed incoming RPC traffic on the Red
(WAN/eth2) side.

I had this sort of a scenario before, but it was reversed port 80
traffic. I Googled to no avail, and I also reported it to this list and
never was able to figure out what the heck causes this type of traffic,
so when it cropped up again I'm still at a loss - any clues?

Time      Chain         Iface  Proto  Source        Src Port  MAC Address        Destination   Dst Port
21:01:42  NEW not SYN?  eth2   TCP    4.62.174.132  1025      00:02:3b:01:6b:ed  4.62.xxx.xxx  1820
20:29:44  NEW not SYN?  eth2   TCP    4.62.174.132  1025      00:02:3b:01:6b:ed  4.62.xxx.xxx  1509
19:57:13  NEW not SYN?  eth2   TCP    4.62.174.132  1025      00:02:3b:01:6b:ed  4.62.xxx.xxx  1206
19:57:47  NEW not SYN?  eth2   TCP    4.62.174.132  1025      00:02:3b:01:6b:ed  4.62.xxx.xxx  1966

-- 


TIA,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




[Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1522 - 45 msgs

2004-03-19 Thread Daniel H. Renner
On Fri, 2004-03-19 at 06:16, [EMAIL PROTECTED]
wrote:
 Date: Fri, 19 Mar 2004 11:04:49 +0100
 From: Paolo A. Gallenga [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 Organization: Atlantica Sistemi S.r.l.
 To: Jos Osborne [EMAIL PROTECTED]
 CC: [EMAIL PROTECTED]
 Subject: Re: [Full-Disclosure] New Virus under way ...
 
 You forgot Bagle'95 SR-1, Bagle'98 and Bagle'98SE!
 :-D
 
 Jos Osborne wrote:
 |How about Bagle2.x ?
 |
 |
 | Or Bagle3.11, Bagle'95, BagleMe, Bagle2000, BagleXP...
 |
 | ;
 |
 | Jos
 --
 Paolo A. Gallenga
 System Administrator
 Atlantica Sistemi S.r.l.
 [EMAIL PROTECTED] - http://www.atlantica.it/

And then the mighty Bagle.Longhorn will smite you all!!!

Bru-haw-haw-haw!!!

-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Windows 98 vulnerable to ASN.1

2004-02-18 Thread Daniel H. Renner
Josh,

_Most_ Win98 users can also simply rename the file
(%WINDIR%\system\msasn1.dll) without repercussions.

Don't try that on a WinXP system however...

-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


On Tue, 2004-02-17 at 12:58, Joshua Levitsky wrote:
 Huray!
 
 Windows 98 is vulnerable to ASN.1, and there is a patch. It's not on Windows
 Update as of yet, but it was finished today at Microsoft. If you don't
 believe me... ask your TAM.
 
 --
 Joshua Levitsky, MCSE, CISSP
 http://www.foist.org/
 [5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
 


[Fwd: [Full-Disclosure] ASN vulerability question]

2004-02-11 Thread Daniel H. Renner
William,

I know that on a 98 system you can rename the file with no adverse
effects - the one we did it to is running IE v5.5, Access 97 &
QuickBooks 2002 just fine.

However, if you do this on a WinXP system, you'd first have to deal with
the dllcache file (which I don't suggest you do) and then the system32
file - which I also don't suggest you do - because you will BSOD your
computer when you try to reboot...


Cheers,
Dan

-Forwarded Message-

From: William Warren [EMAIL PROTECTED]
To: Full_Dsiclosure [EMAIL PROTECTED]
Subject: [Full-Disclosure] ASN vulerability question
Date: 11 Feb 2004 17:50:20 -0500

A user of a much less technical list I am a member of asked a very 
interesting question I quote it below:

I am well aware that Windows Update and the Microsoft Security bulletins do
not indicate that Win98 is affected by this ASN vulnerability.  But I did
read that on an NT4.0 system, searching for msasn1.dll would let you know
if you were affected.  Well, for grins, I did this on my 98se
machine.  Bam; I have it.  So my question is this: Is there not an update
because the implementation of asn is different in Win98, or is it because
the product life cycle for Windows 98 has ended, and the vulnerability
really does affect 98 users--there's just nothing they can do about it?

What's the verdict on this one?
-- 
May God Bless you and everything you touch.

My foundation verse:
Isaiah 54:17 No weapon that is formed against thee shall prosper; and 
every tongue that shall rise against thee in judgment thou shalt 
condemn. This is the heritage of the servants of the LORD, and their 
righteousness is of me, saith the LORD.



[Fwd: Re: [Full-Disclosure] Virus infect on single user]

2004-02-10 Thread Daniel H. Renner
How did you find out they are pink?

:)

-Forwarded Message-

From: Cael Abal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Virus infect on single user
Date: 09 Feb 2004 19:41:46 -0500

|Spybot Search and Destroy is much better.
|
| I find that you should run both spybot SD *AND* adaware together
for the
| best possible adware/malware/spyware protection. they both catch stuff
| that the other does not. between the two though, you get rid of
| EVERYTHING.

CHS,

It's entirely plausible that neither adaware nor spybot might detect
a particular piece of malware.  'Everything' (especially in
all-caps) is an awfully strong word.

Won't someone please think of the invisible pink unicorns?

C



[Fwd: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story]

2004-01-31 Thread Daniel H. Renner
Doesn't work in Mozilla v1.3.1 on Xandros v1.1 either, though the
message was (111) Connection refused by
http://mitglied.lycos.de/mycutewebspace, maybe they don't like Mozilla? 
:-)

Our proxy shows the following path when you click the link:
http://freedns.afraid.org/blank.html
http://mitglied.lycos.de/mycutewebspace
http://207.46.110.24/gateway/gateway.dll?


Cheers,
Dan

-Forwarded Message-

From: Paul Schmehl [EMAIL PROTECTED]
To: Gadi Evron [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] another Trojan with the ADO hole? + a twist in the story
Date: 31 Jan 2004 14:24:21 -0600

--On Saturday, January 31, 2004 7:35 PM +0200 Gadi Evron 
[EMAIL PROTECTED] wrote:

 The past Trojan horses which spread this way took advantage of the fact
 web servers send an HTML 404 message if a file doesn't exist.

 The original sample - britney.jpg - was simply an html file itself, and
 using that fact, and IE loading it. It was combined with one of the
 latest exploits of the time (I don't think MS patched it yet), and
 downloaded the Trojan horses.

 This time around there is actually a picture on the web page, of a real
 honest to God girl. But in another frame.. the same story all over again.

 For blocking purposes, the (un-safe) URL is: http://ut.uk.to/cs.jpg .

Didn't work on my Titanium using Safari.  The girl 
wasuhwell-endowed.  :-)

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu



[Full-Disclosure] Port scans from a Dedicated Micro Digital Sprite II

2004-01-28 Thread Daniel H. Renner
A client of ours had a Dedicated Micro Digital Sprite II multiple camera
monitor with web server system installed.  Manufacturer product details
are here:
http://dedicatedmicros.com/dedicatedmicros/product/ds2/ds2_main.html

The unit's setup was changed from the original as below to as follows in
an attempt to remove the router from the equation:
Internet --- DSL modem --- switch --- DS2 with public IP

Concurrent with EVERY attempt to access the DS2, a port scan was
initiated from the DS2's address at the visiting address, and this can
be reproduced at will.  For scan logs, see original email to vendor
below.  (Public IPs modified.)

The emails which follow this bit of rambling were sent to the correct
tech support email address per the support webpage:
http://dedicatedmicros.com/dedicatedmicros/support/supindex.html
with the address of:
[EMAIL PROTECTED]
On 21 Jan 2004 11:56:49 and again on 25 Jan 2004 22:58:45 with no
response whatsoever.


Cheers,
Dan Renner


-Forwarded Message-

From: Daniel H. Renner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Fwd: Port scans from a DS2]
Date: 25 Jan 2004 22:58:45 -0800

I have received no answer whatsoever on this email - this is not exactly
professional treatment.

Would you please tell me what is going on and why I should be receiving
port scans from this device?


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700

-Forwarded Message-

From: Daniel H. Renner [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Port scans from a DS2
Date: 21 Jan 2004 11:56:49 -0800

Hello,

One of our clients has had your Digital Sprite 2 installed and we have
connected it to the network for the owner's remote viewing.

In our testing of the setup, we noticed that the unit was port-scanning
our location during the connection.  Full firewall IDS log entries
during the affected time follow.

EVERY SINGLE ONE of the portscans was from the IP address of the DS2.

And EVERY SINGLE ONE of the port-scans was immediately after connection
to the DS2.

The network layout is as follows:
Internet  --  hardware router (TCP 80 port-forwarded to DS2) -- DS2

What the heck is going on here!?

Also, once one is logged into the server, one is logged in forever, even
after reboot there is no login required...  That doesn't seem too
healthy if the owner wants to check from an Internet cafe...


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


Date:   01/21 12:15:25  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 31 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1614
References: none found  SID:n/a

Date:   01/21 12:15:35  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 5 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1647
References: none found  SID:n/a

Date:   01/21 12:18:21  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 11 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1690
References: none found  SID:n/a

Date:   01/21 12:19:39  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 28 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1757
References: none found  SID:n/a

Date:   01/21 12:23:40  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 24 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1790
References: none found  SID:n/a

Date:   01/21 12:24:51  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 6 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1876
References: none found  SID:n/a

Date:   01/21 12:25:46  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.60.201.59:n/a -> xxx.xxx.xxx.xxx:n/a
References: none found  SID:483

Date:   01/21 12:25:55  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.63.151.175:n/a -> xxx.xxx.xxx.xxx:n/a
References: none found  SID:483

Date:   01/21 12:25:58  Name:   (spp_portscan2) Portscan detected from xxx.xxx.xxx.xxx: 1 targets 21 ports in 13 seconds
Priority:   n/a Type:   n/a
IP info:    xxx.xxx.xxx.xxx:80 -> xxx.xxx.xxx.xxx:1916
References: none found  SID:n/a

Date:   01/21 12:26:41  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.63.99.139:n/a -> xxx.xxx.xxx.xxx:n/a
References: none found  SID:483

Date:   01/21 12:27
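
The alert blocks quoted in the DS2 post above have a property worth checking by machine before a vendor is accused of scanning anyone: every (spp_portscan2) hit has the device's own port 80 as the source and one of the visitor's ephemeral ports as the destination. The following is an added example, not the poster's or the vendor's code, that parses alert blocks in the IPCop IDS-viewer layout and separates that reply-shaped pattern from a plausible scan. The sample alerts are constructed in the page's layout using the documentation addresses 192.0.2.10 (standing in for the DS2) and 198.51.100.7 (the visiting workstation) in place of the masked addresses in the post; the SERVICE_PORTS set is an assumption you would tune to your own exposure.

```python
"""Parse Snort alert blocks as IPCop's IDS log viewer prints them and decide whether a
(spp_portscan2) alert describes a scan or a web server's replies being counted as one."""
import re
from collections import defaultdict

ALERT_RE = re.compile(r"Date:\s*(?P<date>\S+ \S+)\s+Name:\s*(?P<name>.+)")
IPINFO_RE = re.compile(
    r"IP info:\s*(?P<src>\S+):(?P<sport>\S+)\s*-+>?\s*(?P<dst>\S+):(?P<dport>\S+)")
SCAN_RE = re.compile(
    r"\(spp_portscan2\) Portscan detected from (?P<from>\S+): "
    r"(?P<targets>\d+) targets (?P<ports>\d+) ports in (?P<secs>\d+) seconds")

SERVICE_PORTS = {21, 22, 25, 80, 443}   # assumed: ports a client knowingly connects to
EPHEMERAL = range(1024, 5001)           # Windows-era client port range

def parse_alerts(text):
    """Split the viewer output on blank lines and pull out the fields we need."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        head = ALERT_RE.search(block)
        if not head:
            continue
        alert = dict(head.groupdict())
        ipinfo = IPINFO_RE.search(block)
        if ipinfo:
            alert.update(ipinfo.groupdict())
        scan = SCAN_RE.search(alert["name"])
        if scan:
            alert["scan"] = {k: int(v) if v.isdigit() else v for k, v in scan.groupdict().items()}
        alerts.append(alert)
    return alerts

def _port(value):
    return int(value) if value and value.isdigit() else None

def classify(alert):
    if "scan" not in alert:
        return "not-a-portscan-alert"
    sport, dport = _port(alert.get("sport")), _port(alert.get("dport"))
    if sport in SERVICE_PORTS and dport in EPHEMERAL:
        # The "scanner" answers from a service port to the visitor's ephemeral ports: a page
        # with many embedded objects means many client connections, and the preprocessor
        # counts their distinct destination ports as a scan. Confirm by checking that the
        # packets carry SYN/ACK or ACK rather than bare SYN before escalating.
        return "server-replies-counted-as-scan"
    return "possible-scan"

def summarise(alerts):
    """Per alleged scanner: alert count, ports tallied by the preprocessor, verdicts."""
    by_src = defaultdict(lambda: {"alerts": 0, "ports_tallied": 0, "verdicts": set()})
    for alert in alerts:
        if "scan" in alert:
            entry = by_src[alert["scan"]["from"]]
            entry["alerts"] += 1
            entry["ports_tallied"] += alert["scan"]["ports"]
            entry["verdicts"].add(classify(alert))
    return dict(by_src)

# Constructed sample in the page's layout, with the wrapped Date/Name line rejoined.
# 192.0.2.10 stands in for the DS2's public address and 198.51.100.7 for the visiting
# workstation; both are documentation addresses, not the masked ones from the post.
SAMPLE_ALERTS = """\
Date:   01/21 12:15:25  Name:   (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 31 seconds
Priority:   n/a Type:   n/a
IP info:    192.0.2.10:80 -> 198.51.100.7:1614
References: none found  SID:n/a

Date:   01/21 12:15:35  Name:   (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 5 seconds
Priority:   n/a Type:   n/a
IP info:    192.0.2.10:80 -> 198.51.100.7:1647
References: none found  SID:n/a

Date:   01/21 12:25:46  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.60.201.59:n/a -> 198.51.100.7:n/a
References: none found  SID:483

Date:   01/21 12:25:58  Name:   (spp_portscan2) Portscan detected from 192.0.2.10: 1 targets 21 ports in 13 seconds
Priority:   n/a Type:   n/a
IP info:    192.0.2.10:80 -> 198.51.100.7:1916
References: none found  SID:n/a
"""

if __name__ == "__main__":
    for src, info in summarise(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
```

The verdict is deliberately a triage label rather than a conclusion: the decisive evidence is the TCP flags on the packets the preprocessor counted, which this log format does not carry, so the next step is a capture on the firewall's red interface during one viewing session, not a complaint to the vendor.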

Re: Fw: [Full-Disclosure] [TOTALLY OT] Google fun

2004-01-28 Thread Daniel H. Renner
Of course they deserve everything they get, but I hope whoever backed
them up gets it too...

Let's see - ONE MONTH after being in office the new CEO decides to go
on a rampage - if that doesn't smell of a pre-planned action I've been
watching too many conspiracy theory shows!


Cheers!
Dan


On Wed, 2004-01-28 at 09:29, vuln wrote:
 hahaha definitely some funny shit... although i personally think the pricks
 deserve everything they get
 
 
  LOL...anyone else see this?  Do a search on google for the word
  bastards...see what the first entry is..ha!
 
  James Lay
  Network Manager/Security Officer
  AmeriBen Solutions/IEC Group
  Semper Vigilans!!!
 


[Fwd: [Full-Disclosure] Yes another phishing scam]

2004-01-26 Thread Daniel H. Renner
If you go to the base address, you get this page:

--
  FD Network
  Server 14
 Administrator: [EMAIL PROTECTED]

--


Cheers,
Dan

-Forwarded Message-

From: 404 [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Yes another phishing scam
Date: 25 Jan 2004 11:15:36 -0500

::sigh::


http://www.paypal.com%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01%01
[EMAIL PROTECTED]/f/ 



[Fwd: Re: [Full-Disclosure] Anti-MS drivel]

2004-01-20 Thread Daniel H. Renner
Yo guys,

How do you keep a group of people from attaining any sort of goal
whatsoever?  How do you make any group smaller and less powerful?

SIMPLE.  Keep them bickering about ANYTHING.  Which color, creed, beer,
pizza, or operating system is better than the other.

Fall into that trap and you've made your group that much smaller, that
much less powerful because instead of doing what they like to do -
they're bickering about something.

And even a newbie can see that nothing gets handled, fixed or done when
you're wasting time bickering like a bunch of fish-wives...

I'm not saying that these things can't be discussed, but when it goes on
for ridiculous lengths of time, it's only bickering and nothing more.


Cheers,
Dan
 


From: Dave Sherohman [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Anti-MS drivel
Date: 20 Jan 2004 12:01:09 -0600

On Tue, Jan 20, 2004 at 12:12:46PM -0500, Mary Landesman wrote:
 On  January 20, 2004 11:55 AM, Tobias Weisserth claimed:
  And the blame goes on MS for this. Nobody else.
 
 There is absolutely nothing I can do to secure my home from break-in. I can
 minimize the risks, but I cannot alleviate the risk entirely. However, we
 don't blame the builders when a home invasion occurs. We rightfully blame
 the burglar.

If a builder sold you a home with no locks on the doors and no
latches on the windows, I suspect that he could be successfully sued
in the modern blame everyone in sight environment of the U.S.  And,
unlike a number of other cases, I would agree with that, on the basis
that (unless the home was in an extremely remote location) the
builder was intolerably negligent to omit those locks and latches.

-- 
The freedoms that we enjoy presently are the most important victories of the
White Hats over the past several millennia, and it is vitally important that
we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)



[Full-Disclosure] Reverse http traffic revisited

2004-01-18 Thread Daniel H. Renner
Hello guys,

On my last foray on this subject, I had no specifics to back up what I
had witnessed - this time I offer the following.

Originally, on a client's LAN, I had spotted multiple inbound traffic
ORIGINATING from port 80 and arriving on a port in the temporary range of
1024-5000.

Steve S. sent the following email which could have explained this phenomenon as coming 
from Akamai:
--
Sounds a lot like an Akamai setup, see their FAQ:
http://www.akamai.com/en/html/misc/support_faq.html

Without seeing more complete information such as the protocol or flags 
it's impossible to tell for sure.

Steve
--

Since the destination ports in that traffic were in the 3000 range, I believe this 
could have explained the previous traffic.

However...

We now have a log from another network that shows a similar bit of reverse http 
traffic, except that:
1)  no HTTP outbound browsing was active at the time of the incoming port 80 traffic
(Al's Messenger was active on one Linux workstation, hence the Squid log - 
207.46.110.21 belongs to Hotmail)
2)  after a WHOIS and traceroute, the IP address that the traffic came from does not 
appear to belong to Akamai
3)  the destination port is far outside of the temporary port range associated with 
the previous, or normal traffic

The 2nd line in the 'firewall log' below is the culprit.  All logs below are complete 
for the start-end times seen and originate from an IPCop v1.3 Linux firewall/proxy 
with all patches installed, and which is the only connection for this LAN to the 
Internet.  All browsers and media players use the Squid proxy.  All internal IPs, the 
gateway and DNSs are hard-coded on all workstations (no DHCP server running.)

I have 'Googled' for reverse http traffic and have found nothing but messages from 
my previous post of the same title.

I'm back in Eh? mode...

-- 

Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700


FIREWALL LOG:
Time      Chain  Iface  Proto  Source         Src Port  Destination   Dst Port
23:49:31  INPUT  eth2   TCP    4.62.83.225    1156      4.62.xxx.xxx  135
-- 23:52:02  INPUT  eth2   TCP    211.152.51.13  80(HTTP)  4.62.xxx.xxx  24875
23:53:46  INPUT  eth2   TCP    4.65.99.99     3212      4.62.xxx.xxx  135


SNORT LOG:
Date:   01/17 23:50:57  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.65.252.212:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID:483
Date:   01/17 23:52:56  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.64.84.115:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID:483
Date:   01/17 23:53:44  Name:   ICMP PING CyberKit 2.2 Windows
Priority:   3   Type:   Misc activity
IP info:    4.65.99.99:n/a -> 4.62.xxx.xxx:n/a
References: none found  SID:483


SQUID LOG:
Time      Source IP      Website
23:51:01  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:07  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:13  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:18  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:24  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:29  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:34  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:39  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:44  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:49  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:51:55  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:00  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:05  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:10  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:15  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:20  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:25  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:31  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:36  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:41  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:46  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:51  {internal IP}  http://207.46.110.21/gateway/gateway.dll?
23:52:56  {internal IP}  http://207.46.110.21/gateway/gateway.dll?


According to http://www.apnic.net/apnic-bin/whois.pl IP address 211.152.51.13 belongs 
to Beijing Lexun network corp. along with the rest of the 211.152.51.0 - 
211.152.52.255 range which appears to be connected to www.21vianet.com (English 
version of the site 

Re: [Full-Disclosure] Reverse http traffic

2003-12-30 Thread Daniel H. Renner
Hello Ron,

If I appeared to be a newbie with a problem - I am not, nor am I an
expert who might know what that type of traffic could be.

There currently is no problem with this guy's LAN, nor with his Internet
connection.  The problem was handled with the installation of the
firewall as I mentioned in my post - I was simply wondering if this was
some sort of attack as it was weird traffic, from the OUTSIDE of the LAN
to the firewall.

Your snide little comment does no-one any good at all.  If you think my
post is OT, then tell me - I'm a big boy and I can handle it.


Dan

On Tue, 2003-12-30 at 07:33, Ron DuFresne wrote:
 
  Can anyone tell me what actually could cause this?
 
 
 most likely poor networking skills and improper network configuration.
 
 But, looks like a new list is needed, with the influx of can anyone
 define my problem messages being tossed to this list, which is *not*
 internet-help-line.
 
 Thanks,
 
 Ron DuFresne
 ~~
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation. -- Johnny Hart
   ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 
 



Re: [Full-Disclosure] Reverse http traffic

2003-12-30 Thread Daniel H. Renner
On Tue, 2003-12-30 at 13:22, Ron DuFresne wrote:
 Dan,
 
snip
 
 comments inline
 
 On 30 Dec 2003, Daniel H. Renner wrote:
 
  Hello Ron,
 
  If I appeared to be a newbie with a problem - I am not, nor am I an
  expert who might know what that type of traffic could be.
 
  There currently is no problem with this guy's LAN, nor with his Internet
  connection.  The problem was handled with the installation of the
  firewall as I mentioned in my post - I was simply wondering if this was
  some sort of attack as it was weird traffic, from the OUTSIDE of the LAN
  to the firewall.
 
 
 I seriously doubt that there was an issue solved by the replacement of the
 dsl Linksys (if I recall correctly) router with a firewall, as all the
 other systems plugged into the router worked fine, only a single host was
 having troubles, which were poorly identified and presented for
 'discussion' here.

If I appear that much of a numbnutz that you can't take my word for a
simple situation, then I will have to work on my English a bit I
think...  But in fact the problem was indeed handled immediately after
replacing the Linksys with an IPCop firewall.  Since you somehow missed
my description of the events, at the risk of being rude, I will copy
from my original post:

/start clip
I had a case recently wherein one of a client's systems (Win2k) could
not access http, or mail traffic.  At the same time, 2 other systems
(Win95 and Xandros) could, and yet he could access all of the other
network shares via TCP.

(* Definition: 'he' above meaning the Win2k system.)

He brought it to my shop, it was patched up, already had the latest
anti-virus defs, and it got on the 'net fine here.  He returned with it
and set it up - and could not get any http or email.

(* Clarification:  This should have ended with ... on his LAN.)

I went to his office to see what was up, hooked in my little 'kneetop'
(Sony Picturebook) and browsed just fine.

I then installed a Linux firewall on a spare computer, replaced the
Linksys router with it and instantly his Win2k was able to browse and
get email.
/end clip

(* Clarification: At this point I had already changed the Win2k's IP to
match the internal IP of the IPCop system.)

And to re-state, there is no current problem with this fellow's LAN - I
was simply looking to see if anyone knows what could cause the
aforementioned type of traffic that was stopped by IPCop.

If you need more data, simply ask and I will be more than willing to
reply.


Cheers,
Dan

 
snip
 Thanks,
 
 Ron DuFresne
 ~~
 Cutting the space budget really restores my faith in humanity.  It
 eliminates dreams, goals, and ideals and lets us get straight to the
 business of hate, debauchery, and self-annihilation. -- Johnny Hart
   ***testing, only testing, and damn good at it too!***
 
 OK, so you're a Ph.D.  Just don't touch anything.
 



[Full-Disclosure] RE: Reverse http traffic

2003-12-30 Thread Daniel H. Renner
Thank you for your reply James - I've put my answers below yours:

On Tue, 2003-12-30 at 14:18, James C Slora Jr wrote:
 Daniel H. Renner wrote Tuesday, December 30, 2003 15:33
 
  I had a case recently wherein one of a client's systems 
  (Win2k) could not access http, or mail traffic.  At the same time, 2 other
 systems
  (Win95 and Xandros) could, and yet he could access all of the 
  other network shares via TCP.
 snip
  I then installed a Linux firewall on a spare computer, 
  replaced the Linksys router with it and instantly his Win2k 
  was able to browse and get email.
 
 This sounds like it was a config problem on the Linksys router - dmz setup
 or port forwarding or something. 

Could have been, but it was set for DHCP, and any other computer on the
LAN had no problem, and there was no dmz or port-forwarding setup in the
router.

  
  I checked the firewall logs and saw quite a few attempts from 
  a Google IP address (whois-ed, but I'm not ignoring that it 
  was possibly spoofed) that was sending IN traffic with a 
  source port of 80 and a destination port in the temporary 
  range (33xx) - eh???
 
 Which firewall logs and what time frame? The Linksys before the switchout,
 the Linux-based firewall after the switchout, or something else?

My apologies, since I never considered the Linksys/DLink/etc. routers
to be firewalls I've not addressed them as such - but I see others do
(remind self that others' terminologies must be used when talking to
them... :)

The firewall in question is an IPCop machine (this is a fork of the
Smoothwall firewall project - www.ipcop.org) with no DHCP server,
port-forwarding or HTTP proxy running - just a plain brown box...  The
incomings I saw were within approx. a 1-minute timeframe.

 
 A lot of things could cause incoming 80 - 33xx traffic, most of them
 benign. Do you have any packet captures with flags and ACKs, etc? Were the
 mystery packets directed to the problem machine or to the router address?
 Can you give more details about which machines have private addresses and
 which have public Internet addresses? Was the Linksys firmware up to rev?
 

Unfortunately I am still enough of a Linux newbie that I have not
figured out how to add a sniffer into IPCop (I could install ntop
though...) but according to the firewall logs the traffic was pointed to
the external NIC on the IPCop computer specifically which is the only
public IP address on the LAN.  All others are behind the IPCop's
internal/private IP addressed NIC, and there is no DMZ NIC on the
system, nor is it set up software-wise for one at the moment.

Also, all 6 updates of IPCop had been performed on the machine before
installation.

If what could cause this sort of traffic is mostly benign then I'll
have my goose-pimples set to chill - if not, then I'm still in Eh?
mode...


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] Re: Internet Explorer URL parsing vulnerability

2003-12-10 Thread Daniel H. Renner
On Wed, 2003-12-10 at 08:54, John Sage wrote:
 Re: disclosure vs. non-disclosure and M$
 
 On Wed, Dec 10, 2003 at 05:44:35AM -0800, S G Masood wrote:
  From: S G Masood [EMAIL PROTECTED]
  Subject: Re: [Full-Disclosure] Re: Internet Explorer URL parsing
   vulnerability
  To: Feher Tamas [EMAIL PROTECTED], [EMAIL PROTECTED]
  Date: Wed, 10 Dec 2003 05:44:35 -0800 (PST)
  
  
  --- Feher Tamas [EMAIL PROTECTED] wrote:
   Hello,
   
   don't start a disclosure - non disclosure thread
   again and again
   and again please...
   

snip   PLEASE!

  However, unfortunately, if you are familiar with the
  pattern in which MS handled the previous unpatched IE
  vulns, this looks like one of those IE vulns. that MS
  *WONT* patch.
 
 With the virtually unlimited resources (financially and staff-wise)
 available to Micro$oft, why has this sort of vulnerability been left
 undiscovered and unpatched by Micro$oft itself?
 
 Put a hundred people on the task of identifying any URL oddities that
 IE currently accepts, and patch, patch, patch.
 
 It would take less than a week to fix *all* of this sort of crap.
 
 The fact that someone out in the community at large (once again)
 discovers a vuln and publishes it is just an ongoing symptom of the
 fundamental problem:
 

snip

 
 
 - John


Why can't most people see the obvious?

Known facts:
a)  Company A has the resources to fix ANYTHING on this planet.
b)  _MANY_ people complain that company A's product is broken.
c)  Company A doesn't fix the product.

Conclusion?

Company A  DOESN'T  WANT  ITS  PRODUCT  FIXED.

No esoteric or underlying marketing ploys or conspiracy theories need
apply (not that they don't, they just don't need to for these purposes.)

Think about it - if you had a car that smoked like crazy, and your
neighbors, the Clean Air Board and Mothers Against Drunk Driving were
ragging on you to fix it, and you had the money and time to do so, but
you still didn't - the _ONLY_ logical reason could be that you just
plain didn't want to.

You could put out PLENTY of good reasons (known in the corporate world
as Marketing) why you hadn't - but the bottom line is that you just
don't want to.

They simply don't want it fixed.  We can guess why, but they know why -
and they aren't telling.  Not a good sign...



-- 


Cheers,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700




Re: [Full-Disclosure] IE Unpatched Vuln Site?

2003-12-10 Thread Daniel H. Renner
Here is one that I know of:

http://www.safecenter.net/UMBRELLAWEBV4/ie_unpatched/index.html


-- 


Thank you,

Dan Renner
President
Los Angeles Computerhelp
http://losangelescomputerhelp.com
818.352.8700



On Wed, 2003-12-10 at 00:22, Ferruh Mavituna wrote:
 That site should be this;
 http://www.pivx.com/larholm/unpatched/
 
 Also here we have still a list;
 http://die.leox.com/ie_unpatched/index.html
 
 
 Ferruh.Mavituna
 http://ferruh.mavituna.com
 PGP PublicKey [ http://ferruh.mavituna.com/fmPGP.asc ]
 
 - Original Message - 
 From: Joel R. Helgeson [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Wednesday, December 10, 2003 8:44 AM
 Subject: [Full-Disclosure] IE Unpatched Vuln Site?
 
 
 I remember there being a website that was dedicated to publishing
 information about unpatched IE vulnerabilities.  I also seem to recall that
 the site was voluntarily shut down at the request of Microsoft for a period
 of time?
 
 Can anyone offer any detail about this issue?  What is/was the site? Is it
 down?
 
 Regards,
 
 Joel R. Helgeson
 Director of Networking & Security Services
 SymetriQ Corporation
 
 Give a man fire, and he'll be warm for a day; set a man on fire, and he'll
 be warm for the rest of his life.
 




[Re: [Full-Disclosure] Hotmail Passport (.NET Accounts) Vulnerability]

2003-10-14 Thread Daniel H. Renner
It does work, however, I believe you still need to know your old
password to kick it over.

-- 

Thanks,

Dan Renner
President
Los Angeles Computerhelp
818-352-8700
http://losangelescomputerhelp.com




[Full-Disclosure] MSN appears to be being a bit snoopy via a Hotmail server...

2003-10-02 Thread Daniel H. Renner

We are running a Linux floppyfw on the outside, splitting into an
unrestricted work space, and a stronger firewall to protect the office
side of things.

A computer was being set up that is running MSN software, and during its
1 day on the benches, our good firewall recorded the following hits from
the below noted site, all of which were aimed  * directly *  at the IP
address of the internal firewall's NIC (represented by xxx.xxx.xxx.xxx
below) climbing over the floppyfw to do so...


Time      Chain  Iface  Proto  Source       Src Port  Destination      Dst Port
11:34:12  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
11:34:13  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
11:34:14  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
11:34:15  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
14:31:43  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
14:31:43  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
14:31:44  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075
14:31:45  INPUT  eth2   UDP    64.4.12.201  7001      xxx.xxx.xxx.xxx  1075



Trying whois -h whois.arin.net 64.4.12.201
OrgName:MS Hotmail 
OrgID:  MSHOTM
Address:1065 La Avenida
City:   Mountain View
StateProv:  CA
PostalCode: 94043
Country:US

NetRange:   64.4.0.0 - 64.4.63.255 
CIDR:   64.4.0.0/18 
NetName:HOTMAIL
NetHandle:  NET-64-4-0-0-1
Parent: NET-64-0-0-0-0
NetType:Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
Comment:
RegDate:1999-11-24
Updated:2003-06-27

TechHandle: MSFTP-ARIN
TechName:   MSFT-POC 
TechPhone:  +1-425-882-8080
TechEmail:  [EMAIL PROTECTED] 

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC 
OrgTechPhone:  +1-425-882-8080
OrgTechEmail:  [EMAIL PROTECTED]


And from our internal firewall's proxy logs, no one here was logged into
Hotmail or MSN servers during these times...

The above mentioned computer's time in our shop is the only thing I can
relate this traffic to, as no one is allowed to run MSN software on any
of our Linux workstations...

;-)

-- 

Cheers,

Dan Renner
President
Los Angeles Computerhelp
818-352-8700
http://losangelescomputerhelp.com
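The firewall log above (and the inbound port-80-to-33xx traffic in the "Reverse http traffic" thread) is the kind of thing a defender ends up eyeballing by hand. As an added example that is not part of any post on this list, here is a small Python parser for the Time/Chain/Iface/Proto/Source/SrcPort/Destination/DstPort layout quoted above; it groups hits per source and port pair, counts bursts, and checks each source against the 64.4.0.0/18 block from the ARIN output. The log lines, the 192.0.2.10 stand-in for the masked internal NIC, and the 203.0.113.9 line are constructed.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample in the Time/Chain/Iface/Proto/Source/SrcPort/Dest/DstPort
# layout of the firewall log quoted above. The 64.4.12.201:7001 -> :1075 UDP
# hits mirror the post; 192.0.2.10 stands in for the masked internal NIC and
# the 203.0.113.9 TCP line (source port 80 -> 33xx) is invented to resemble
# the traffic discussed in the "Reverse http traffic" thread.
SAMPLE_LOG = """\
11:34:12 INPUT eth2 UDP 64.4.12.201 7001 192.0.2.10 1075
11:34:13 INPUT eth2 UDP 64.4.12.201 7001 192.0.2.10 1075
11:34:14 INPUT eth2 UDP 64.4.12.201 7001 192.0.2.10 1075
14:31:43 INPUT eth2 UDP 64.4.12.201 7001 192.0.2.10 1075
14:31:44 INPUT eth2 UDP 64.4.12.201 7001 192.0.2.10 1075
09:02:01 INPUT eth2 TCP 203.0.113.9 80 192.0.2.10 3342
"""

# Netblock from the ARIN whois output quoted in the post.
HOTMAIL_NET = ipaddress.ip_network("64.4.0.0/18")

def parse_line(line):
    """Split one log line into typed fields; raise on anything malformed."""
    fields = line.split()
    if len(fields) != 8:
        raise ValueError(f"unexpected field count: {line!r}")
    t, chain, iface, proto, src, sport, dst, dport = fields
    return {"time": datetime.strptime(t, "%H:%M:%S"), "chain": chain,
            "iface": iface, "proto": proto.upper(),
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def summarise(log_text, burst_gap=5):
    """Group hits by (proto, src, sport, dport) and count bursts, where a
    burst is a run of hits no more than burst_gap seconds apart."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            key = (e["proto"], str(e["src"]), e["sport"], e["dport"])
            groups[key].append(e["time"])
    report = {}
    for key, times in groups.items():
        times.sort()
        bursts = 1 + sum(1 for a, b in zip(times, times[1:])
                         if (b - a).total_seconds() > burst_gap)
        report[key] = {"hits": len(times), "bursts": bursts,
                       "in_hotmail_net": ipaddress.ip_address(key[1]) in HOTMAIL_NET}
    return report
```

A source that keeps returning in tight one-second bursts to the same high port is exactly what to correlate against the proxy logs, as the post does, before deciding whether it is chatter from software on the bench or something to block.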

