Re: [Full-Disclosure] Undetectable Virus from CANADA ISP 69.197.83.68
Andrew Smith wrote:
> Today I got e-mail from 69.197.83.68 CANADA ISP which has undetectable virus.

Threat: [EMAIL PROTECTED]

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [OT] Re: [Full-Disclosure] lame bitching about xpsp2
- Original Message -
From: Barry Fitzgerald [EMAIL PROTECTED]
Sent: Wednesday, August 18, 2004 11:56 AM
Subject: [OT] Re: [Full-Disclosure] lame bitching about xpsp2

> OK - put your money where your mouth is. Pretend I'm a consumer. I have 2000 USD to spend and want a good PC with a good warranty with GNU/Linux on it. Find me a link to a major OEM that will ship me a PC within those specs with decent hardware and a generally recognized name (Dell, Gateway, HP, IBM...). The PC must be listed as a desktop system and must be easy to find.

I went to www.dell.com. Typed Linux in the search. Clicked on Systems (because it defaults to the OS itself because it's the best match) and found this in Desktops...

http://www1.us.dell.com/content/products/features.aspx/precn_370n?c=uscs=l=ens=bsd

Dell Precision™ 370n with Linux - NEW! Small Mini-Tower, $979. Monitor not included.
Processor/Display: Intel® Pentium® 4 Processor 2.80GHz, 1MB/800
Operating System: Red Hat Enterprise Linux WS (V.3) with one year RHN
Memory: 512MB, 400MHz, DDR2 SDRAM Memory, NECC (2 DIMMS)
Boot Hard Drive: 40GB SATA, 7200 RPM Hard Drive without RAID
CD-ROM, DVD, and Read-Write Devices: 48X CD-ROM
Hardware Support Services: 3 Year Basic Plan (No Mail-In Rebate offered with this Plan)

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] lame b!tching about xpsp2
- Original Message -
From: James Patterson Wicks [EMAIL PROTECTED]
Sent: Friday, August 13, 2004 5:22 PM

> All references to command-line were in direct reference to Devis' comment . . nothing more
>
> and shows how the typical M$ user is scared as hell of having ever one day to learn Unix, go through RFCs ( what for ? M$ don't even read em themselves ), and use the command line.

And they should not have to any more than someone should need to understand how their car or dishwasher works. These devices should serve their function without needing to know in-depth how they work. Sure there will be experts just like you have mechanics and home appliance repair people, but thinking that a lawyer should need to know command line or what an RFC is... well that's just foolish. Do you know how to rebuild your car engine when 150,000 miles comes around and you need to do it? Or do you send it off to be rebuilt by experts?

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] MS Anti Virus?
- Original Message -
From: DAN MORRILL [EMAIL PROTECTED]
Sent: Thursday, June 17, 2004 11:51 AM
Subject: Re: [Full-Disclosure] MS Anti Virus?

> You make anti virus software sound like a gun lock on a 9MM. Does it really matter who is in the anti-virus market? If Microsoft goes that way, and they have the best knowledge of what they created, what we can reasonably expect to see in the words of Bill Gates "Innovation, with rich user features, deeply embedded in our software."

Wonder if Microsoft will give their new AV product the same crappy treatment they gave their past AV product...

http://home.pmt.org/~drose/aw-win3x-31.html

Perhaps they will release it during XP SP2 and then kill it just in time for Longhorn. Anyone that puts any faith in this new AV from Microsoft is a fool.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] anyone seen this worm/trojan before?
On Jun 3, 2004, at 1:54 PM, Perrymon, Josh L. wrote:
> I found this worm/trojan on a laptop. Ran FPort and found the .exe. Doesn't look like it propagates to other machines but rather communicates with a compromised web companies server using IRC. The compromised server has removed the IRC service. Only sends RST packets back. I put it on my site.
>
> http://www.packetfocus.com/analysis.htm
>
> I would like to know the attack vectors. I'm guessing LSASS.

It's a variant of W32.Spybot.Worm apparently. Symantec AntiVirus Defs as of 6/3/04 Rev 36 (just created) detect it.

ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/rapidrelease/symcrapidreleasedefsi32.exe

-Josh
Re: [Full-Disclosure] RE: Full-Disclosure YOU know what blows me away.
- Original Message -
From: RandallM [EMAIL PROTECTED]
Sent: Monday, May 03, 2004 8:20 PM
Subject: [Full-Disclosure] RE: Full-Disclosure YOU know what blows me away.

> I play CounterStrike on hacking servers and it blows me away that some of these 14yr olds are writing in C+ to code their own hacks. You know what I did when I was 14? I don't. G.I. Joes humping my sister's Barbies I guess.

Myself I was writing code to gateway USENET and FidoNet to other networks. Oh and making it so files could be reliably sent via e-mail on the OggNet and I think also on FutureNet. (When I say I wrote code I'm using the term very loosely because this was all in MAcos and METAL which honestly were very simplistic, but then again... what was complicated about TURBO Pascal?) Having G.I. Joes hump Barbies.. that seems slightly more entertaining than what I was doing. :)

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Trojan Horse for Mac OS X
On Apr 9, 2004, at 1:41 PM, Alerta Redsegura wrote:
> From Intego's press release (April 8 2004): "...the first Trojan horse that affects Mac OS X. This Trojan horse, MP3Concept (MP3Virus.Gen), exploits a weakness in Mac OS X where applications can appear to be other types of files..." (http://www.intego.com/news/pr40.html)
>
> Anyone aware of previous Trojan horses for OS X?

I had made something a little bit ago...

http://www.foist.org/modules.php?op=modloadname=Newsfile=articlesid=52mode=threadorder=0thold=0

It was just meant to show that a trojan was possible. It was a silly little thing to demo the concept of a Trojan to a Macintosh email list I participate in. It is not harmful on purpose because it was a simple educational thing.

-Josh
Re: [Full-Disclosure] Trojan Horse for Mac OS X
On Apr 9, 2004, at 2:41 PM, Thomas Vincent wrote:
> This technique wouldn't work now because Mail.app, and probably all modern mail clients, will not let you execute code from within the mail client.

Completely untrue. Mail.app will ask you if you want to open the app just like Outlook Express on Windows does.

-Josh

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Trojan Horse for Mac OS X
On Apr 9, 2004, at 6:53 PM, Larry Seltzer wrote:
> > > This technique wouldn't work now because Mail.app, and probably all modern mail clients, will not let you execute code from within the mail client.
> >
> > Completely untrue. Mail.app will ask you if you want to open the app just like Outlook Express on Windows does.
>
> Actually, Outlook Express and Outlook will (by default) strip all executable attachments before you even get them. They've done this for some time.

Actually this is not correct. By default they will deny you the ability to save or open the attachments, but they do not strip anything. My experience is that users almost always turn off that feature so they can save those questionable file types again. The feature on or off will still leave the attachments on the emails.

-Josh
Re: [Full-Disclosure] Trojan Horse for Mac OS X
On Apr 9, 2004, at 7:33 PM, Larry Seltzer wrote:
> > Actually this is not correct. By default they will deny you the ability to save or open the attachments, but they do not strip anything.
>
> Same difference, and in any event Outlook/OE sounds nothing like Mail.app, but very much like what the person you corrected said.

Not the same. If you see the file there (which you do when the security option is on) then you absolutely know what you are missing, and that can lead to someone going to the options and turning the feature off. Perhaps if the option wasn't in the GUI, but instead was a registry hack then I would agree with you, but it's in the GUI to disable it and you do see the file attachments exist when the option is on so it's not really such a good feature.

Personally on my own mail servers I simply block all attachments that could be executable as well as those same files in zip archives because email is not the proper means of transmission for such files.
Re: [Full-Disclosure] Scary Question
- Original Message -
From: Uday Moorjani [EMAIL PROTECTED]
Sent: Sunday, February 29, 2004 9:11 PM
Subject: [Full-Disclosure] Scary Question

> I heard that it was possible to cause irreparable damage to any electronic circuit through certain waves or radio emissions ( I'm not qualified in this subject ). And I'm afraid I have even found some ready made gadgets being sold on the internet.

Like this?

http://www.globalsecurity.org/military/systems/munitions/hpm.htm

--
Joshua Levitsky, MCSE, CISSP
System Engineer
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Windows 98 vulnerable to ASN.1
- Original Message -
From: Daniel H. Renner [EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 3:33 AM
Subject: Re: [Full-Disclosure] Windows 98 vulnerable to ASN.1

> _Most_ Win98 users can also simply rename the file (%WINDIR%\system\msasn1.dll) without repercussions.

This is true unless you use 98 in a business and have the AD client... which many of my colleagues still have... sadly...

I just found out today that the patch will not be on Windows Update ever, and you have to call in for it. It's free but you have to call in. I'm deploying it at work since yesterday.

--
Joshua Levitsky, MCSE, CISSP
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution
- Original Message -
From: Cael Abal [EMAIL PROTECTED]
Sent: Wednesday, February 18, 2004 10:53 AM
Subject: Re: [Full-Disclosure] GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution

> To be honest, I'm a bit concerned that we've only seen one publicly-released exploit so far.

Maybe it's like legalization of drugs.. once they will be legal nobody will care any more.. :)

Personally I hope someone is writing an OS X virus / worm to shut those people up about how secure the 3% using Macs are. How hard is it for someone to write a freaking osascript that "tell application Address Book.app ..." and then "tell application Mail.app ..." and you would have the same problems as Windows. It would be nice to have a little less stress with Windows and let the others suffer for a while.

--
Joshua Levitsky, MCSE, CISSP
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
[Full-Disclosure] Windows 98 vulnerable to ASN.1
Hurray! Windows 98 is vulnerable to ASN.1, and there is a patch. It's not on Windows Update as of yet, but it was finished today at Microsoft. If you don't believe me... ask your TAM.

--
Joshua Levitsky, MCSE, CISSP
http://www.foist.org/
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Microsoft source code leak
- Original Message -
From: Exibar [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, February 15, 2004 12:39 PM
Subject: [Full-Disclosure] Microsoft source code leak

> Microsoft can't pay to have this kind of QA done in house (who could?), so why not release a piece of source and let everyone do it for them? Ok, sounds like a conspiracy theory doesn't it? And it probably isn't true, but stranger things have happened :-)

Sounds like a good reason to buy a Macintosh. (or Linux/BSD) At least there you can roll your own patches, and the source is already out there.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Where is the exploit code for MS04-007
http://linuxfromscratch.org/~devine/MS04-007-dos.c

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

- Original Message -
From: :-)
To: [EMAIL PROTECTED]
Sent: Sunday, February 15, 2004 2:52 PM
Subject: [Full-Disclosure] Where is the exploit code for MS04-007

> Has anyone actually found the exploit code for MS04-007? I had been searching all morning and came empty handed...
Re: [Full-Disclosure] anti-adware and false positives (was: Virus infect on single user)
- Original Message -
From: Spiro Trikaliotis [EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 3:55 AM

> Yes, you get rid of EVERYTHING - especially of things you still need. :-(
>
> Is there any developer on this list who uses a Microsoft DDK for NT4, 2000 or XP? You cannot use Adaware on such a machine, as it always stumbles on the headers and source files of the provided examples, especially the network examples. It tells me they would be part of some malware.

Ad-Aware has a nice thing where you can pick to ignore certain files. Do a scan of your system and be very careful on the first scan to go through and see what each thing is. Mark all your DDK stuff as ignore. All done. And separately you might want to email the LavaSoft guys and let them know about the false positive.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] anti-adware and false positives (was: Virusinfect on single user)
- Original Message -
From: Byron Copeland [EMAIL PROTECTED]
Sent: Tuesday, February 10, 2004 9:56 PM
Subject: Re: [Full-Disclosure] anti-adware and false positives (was: Virusinfect on single user)

> Cool, so DoomShiza deposits itself in the development libs we're golden right?

If you didn't run anti-virus why would you bother with anti-malware? And the exclusion would be per file. So if you didn't run anti-virus I suppose there would be a way for the virus to save itself over one of your DDK files, but that would be an awfully specific virus... but then ... you're just trolling so I don't know why I'm writing this.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Nortons Liveupdate - problem?
- Original Message -
From: Gregh [EMAIL PROTECTED]
Sent: Monday, January 19, 2004 11:08 PM
Subject: Re: [Full-Disclosure] Nortons Liveupdate - problem?

> Well, if you read the letter I posted, it was obviously not aimed at corporate America, UK, Canada or even Australia. It was actually for the benefit of most of the world from home user to medium business and others, some who don't know how to set up a server and some who don't want to yet have 30 or so LANs in workgroups etc. That isn't big.

Umm... I was simply clarifying in case anyone came to wonder if the corp edition might be subject to the same problem. G-d forbid anyone should try to be fucking helpful.

> It was just a warning for heck's sake. I have noticed in 3 different locations that damned Symantec Update, since the day of the redirection debacle, hadn't AUTO updated though set to do so. A MANUAL update later and it now all auto updates perfectly but it takes intervention.

And all I was saying was it didn't apply to Corp Edition in an effort to make your warning more specific.

> Surely you realise that if this is happening elsewhere in the world, it was a worthwhile warning?

And yes it is worthwhile. However this nonsense on FD is not needed. All I was trying to do was to give another detail to your report.

> Eg, 3 different locations, Nortons 2000, 2002 and 2004 and they ALL do the same thing from the exact same date? You don't think that may mean it is happening on a much broader scale? Previous to that date, all were working flawlessly.

Well actually it is possible for a coincidence like that to happen. I think they probably are related. Silly me. I was just trying to point out that the problem wasn't on the CE side so perhaps it's the scheduler that has a flaw. See rather than just put out a warning that something might be wrong with it... why not try to figure out what is broken and let the vendor know? Would that be so hard?

> Geez even you must know SOMEONE with Nortons AV on a home computer somewhere who may fall foul of Bagle, for example, simply because they aren't that computer literate and their AV didn't update (if what I suspect is correct)?

Holy crap. Guess I've learned not to offer any help.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
[Full-Disclosure] Re: Symantec AntiVirus and AOL
Symantec AntiVirus 8.1.1 build 319 addresses the problem below. It is now available from Symantec.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

- Original Message -

NOTE: This is not an exploit. This is not a vulnerability. This is simply a bug that makes management of clients more difficult / broken. Posting this to hopefully bring a bug in to the open that may not have been discovered yet at companies other than my own. If this was a flaw that allowed an exploit or if this allowed a system compromise then I would not post this. If anyone knows of other virtual adapters that cause this problem then I would appreciate emails listing the product and the MAC address that the product uses.

---

I have a question for all of you about something I noticed with Symantec AntiVirus Corporate Edition. The SAV CE client uses a GUID (unique identifier) that is generated based on the MAC address of the Ethernet adapter on the machine SAV CE is running on. This GUID is then used by the SAV CE Parent Server that the managed client checks in to. If more than one machine has the same MAC address then in the SSC (Symantec System Console) you will only see 1 machine even if 50 machines have the same GUID and check in to the Parent. If you think that your SSC is showing fewer clients than it should then you should possibly read this document to see if this affects you. What I noticed was that this problem was not in my corporate image at first but then it happened, and finally enough machines have been replaced / reimaged that I noticed I was short on clients in the SSC.

What is a GUID? Where is the GUID found?

A GUID is a Global Unique ID. Well at least it is supposed to be unique. It is found in the key below. It is generated using a Microsoft library that is part of RPC. It is based on the MAC address of an Ethernet adapter and your current IP address. Is the IP address enough to make it unique even when the MAC is the same? I do not know. I have been unable to find the answer. If the IP is enough to make this value unique then remediation of this issue is as simple as deleting the GUID key on all workstations that are not showing up in the SSC.

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion]
GUID=hex:3b,13,fe,fd,4c,6f,cc,4c,89,5b,82,1f,2b,c4,a0,43

How does SAV CE pick which adapter to make a GUID from?

It picks the first thing that looks like an Ethernet adapter by going through the binding order in Windows.

How can multiple machines end up with the same GUID?

Imagine a corporate standard image that might include the AOL client which adds a hidden adapter to the system. Now when you ghost that image to a new machine and the machine goes through sysprep it will add the Ethernet card of the machine you are putting your image on. Since the AOL adapter never goes away then the AOL adapter of course comes before the real Ethernet adapter. This means that if the AOL adapter was selected by SAV CE in the master image then no new GUID will generate because the GUID only changes when an adapter is added or removed. Since the AOL adapter never leaves then it has a good chance of coming before real adapters in the binding order. If the AOL adapter was not selected in the master image by the LocalMAC registry key then a GUID should be generated when you image a new target machine because SAV CE sees that the old adapter leaves the machine and then it will look to the binding order to pick a new adapter. SAV CE hopes to get a real Ethernet card and a GUID should be generated based on the MAC address. So this problem happens most when the AOL Adapter is watched by SAV, and that never leaves so LocalMAC will always watch it and a new GUID never is generated.

How can you see machines with duplicate GUIDs if you think they are not showing up in your SSC?

Delete the key below using whatever you have like SMS / NetOctopus / etc. The GUID will regenerate and maybe you won't have duplicate GUIDs, but if you are generating the GUID from the AOL MAC address then the potential for duplicates continues to exist. Note that you want to probably clear out all the host records in the SSC if you do this because you will see duplicates because the GUID is how the SSC tracks records, and it takes 30 days for a stale record to purge out of the SSC with the current version of SAV CE.

[HKEY_LOCAL_MACHINE\SOFTWARE\Intel\LANDesk\VirusProtect6\CurrentVersion]
GUID=hex:3b,13,fe,fd,4c,6f,cc,4c,89,5b,82,1f,2b,c4,a0,43

How can you know that you are using the AOL MAC address instead of the real one?

It would seem that AOL 7.x, 8.x, and 9.x all use 00-03-8a-00-00-15 as the MAC address for the virtual adapter. This apparently is the pseudo-VPN adapter used when you connect to AOL over IP. Deleting this key and rebooting will simply result in the same MAC
Re: [Full-Disclosure] Re:
- Original Message -
From: Timothy J.Miller [EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 3:02 PM
Subject: Re: [Full-Disclosure] Re:

> On Nov 4, 2003, at 12:15 PM, Joshua Levitsky wrote:
> > Interesting. How does Slackware or Debian make money?
>
> You *are* aware, I hope, that the Debian Project isn't a company? It's an association of people who collaborate on making a completely open and free distribution. Making money isn't part of it. Oh, you didn't? Well now you do.

I did know, and that was the point of the question. That the distro is maintained without the greed that Red Hat has been showing.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Re:
- Original Message -
From: Wolfram Schlickenrieder [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, November 04, 2003 4:25 PM
Subject: Re: [Full-Disclosure] Re:

> talking about greed...
> > It's *late*! Oh my god! :)

It's not greed to want to see what you're going to have to deal with when your OS is EOL in 6 months. Even if I wanted to pay Red Hat for the enterprise server I still would need to see the blasted thing in non-beta form. If Fedora is the core of Red Hat ES then if Fedora's core release is late doesn't it mean that ES is now late? Sorry if I expect promises to be met. I have open projects I work on and I try to make sure I do good by everyone that uses the things I make.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
[Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
It's happened. Red Hat has officially said [EMAIL PROTECTED] YOU to us all. Hey Red Hat.. I've got a migration plan for you... it's called BSD / SuSE / Mandrake.

-Josh

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

- Original Message -
From: Red Hat Network [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 12:50 PM
Subject: Red Hat Linux end-of-life update and transition planning

Dear jlevitsk,

Thank you for being a Red Hat Network customer. This e-mail provides you with important information about the upcoming discontinuation of Red Hat Linux, and resources to assist you with your migration to another Red Hat solution.

As previously communicated, Red Hat will discontinue maintenance and errata support for Red Hat Linux 7.1, 7.2, 7.3 and 8.0 as of December 31, 2003. Red Hat will discontinue maintenance and errata support for Red Hat Linux 9 as of April 30, 2004. Red Hat does not plan to release another product in the Red Hat Linux line.

With the recent announcement of Red Hat Enterprise Linux v.3, you'll find migrating to Enterprise Linux appealing. We understand that transitioning to another Red Hat solution requires careful planning and implementation. We have created a migration plan for Red Hat Network customers to help make the transition as simple and seamless as possible.

Details: If you purchase Red Hat Enterprise Linux WS or ES Basic before February 28, 2004, you will receive 50% off the price for two years.[*] (That's two years for the price of one.)

In addition, we have created a Red Hat Linux Migration Resource Center to address your migration planning and other questions, such as:

* What are best practices for implementing the migration to Red Hat Enterprise Linux?
* Are there other migration alternatives?
* How do I purchase Red Hat Enterprise Linux WS or ES Basic at the price above?
* What if my paid subscription to RHN extends past April 30, 2004?

Find out more about your migration options with product comparisons, whitepapers and documentation at the Red Hat Linux Migration Resource Center: http://www.redhat.com/solutions/migration/rhl/rhn

Or read the FAQ written especially for Red Hat Network customers: https://rhn.redhat.com/help/rhlmigrationfaq/

Sincerely,
Red Hat, Inc.

[*] Limit 10 units. Higher volume purchase inquiries should contact a regional Red Hat sales representative. Contact numbers available at http://www.redhat.com/solutions/migration/rhl/rhn

--the Red Hat Network Team
[Full-Disclosure] Re: Fw: Red Hat Linux end-of-life update and transition planning
- Original Message -
From: [EMAIL PROTECTED]
To: Joshua Levitsky [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 2:41 PM
Subject: Re: Fw: Red Hat Linux end-of-life update and transition planning

> Were you a customer? Was Red Hat actually deriving any revenue from the machines you were running Red Hat Linux on besides a trickle of money for Red Hat Network subscriptions? If not, why do you think they should be concerned about what you run now?

$300 a year for my up2date subscriptions. So yes. They were on my 5 boxes. $300/year when all I need is up2date access for patches seems like they could make a profit off me. Also I do consulting for many companies, and in every case I would tell them to use up2date.

> And how does this have anything to do with full-disclosure? You might want to take discussions like this to an appropriate Red Hat mailing list, not a security discussion list.

Because as of December there will be no security fixes for RH 7.x / 8.x so it is as on topic as some of the other stuff on this list.

-Josh
Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning
- Original Message -
From: Michael Gale [EMAIL PROTECTED]
Sent: Monday, November 03, 2003 11:51 PM
Subject: Re: [Full-Disclosure] Fw: Red Hat Linux end-of-life update and transition planning

> So you are saying you trust up2date to take care of all your machine updates ? That is like saying you trust Microsoft auto update to handle your servers. What happens when they release a bad patch ? or one that hoses your machine.

That's why Red Hat network has an interface where you pick what updates get deployed to each machine or to each group of machines. You authorize / schedule a patch on up2date and it will grab it. Alternatively you can run up2date --update on your boxes if you just want to fetch everything if you know all existing patches are good for your environment.

> This way I can test and packages before they get installed and I KNOW THE SOURCE of the packages. There is no ops .. RedHat servers have been hacked and I just installed

up2date uses GPG signatures to ensure the content is signed by Red Hat. Are you saying they would hack the up2date servers and compromise the private key?
[Full-Disclosure] Port 27347 concerns
Has anyone here captured any of this traffic? It's come up last week, but I didn't see anyone actually say they had a sample of the traffic or a honeypot they let get infected. Someone has to have a sample or a log they can share that has more detail than just blocking the attacker.

http://isc.incidents.org/port_details.html?port=27347

If you look at the table below you will see this is something building that will explode soon. 11/01 - Saturday is low because it is a weekend and fewer machines are on. The 11/02 - Sunday stats will be low as well I believe. 10/25 and 10/26 you can see the same weekend dip. If on 10/24 we have 389 sources, and on 10/31 there are 709 sources then we should be well over 1000 sources by next Friday. This trend is concerning me because it could become very bad rapidly. Just don't want us all to be caught off guard by whatever this is. Some people seem to think it's a SubSeven trojan that has the port number flipped from 27374 to 27347, but if it is then someone has a delivery mechanism that is working very well if you look at the table below which goes from 7 hosts to 709 hosts on Friday.

Date        Sources  Targets  Records
2003-11-02       33    33399    33518
2003-11-01      456    68165   320465
2003-10-31      709    68764   323829
2003-10-30      699    68522   658366
2003-10-29      580    67878   802494
2003-10-28      356    67157  1362930
2003-10-27      204    67643   781985
2003-10-26      135      733     7830
2003-10-25      216      736    11622
2003-10-24      389     1068    13989
2003-10-23      244      328     2539
2003-10-22        7        4       78

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] sharp increase on 27347/TCP
http://isc.incidents.org/port_details.html?port=27347

I'd say probably something is coming... that's a pretty sharp spike on the graph.

-Josh

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]

- Original Message -
From: Eric Bowser [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 28, 2003 12:44 PM
Subject: [Full-Disclosure] sharp increase on 27347/TCP

> I've noticed a sharp increase in probes of port 27347/TCP against our equipment over the past couple of days. Zero hits for weeks, 58 yesterday, and 224 so far today. Incidents.org seems to confirm this, very light activity for weeks, and suddenly 781,000 yesterday and 938,000 so far today. Has anybody else seen this?
>
> --
> Eric J. Bowser
> 330.658.9858 direct
> 330.658.0123 fax
> i-TRAP Internet Security Services
> 888-658-TRAP toll-free
> 330.658.1040 local
> www.i-trap.net
[Full-Disclosure] Symantec AntiVirus and AOL
sion]
"LocalMAC"=hex:00,03,8a,00,00,15

Can't I just change the binding order in Properties for My Network Places in the Advanced Options?

No. The AOL adapter does not appear there for AOL 7.x, 8.x and 9.x. The adapter does not exist like it did in AOL 6.x. The only way to remove the adapter is to uninstall AOL, and even then if you re-install AOL it appears that it can come first again in the binding order. You will get a new GUID, but since it is based on the AOL MAC address then it is possible you will get a duplicate GUID again.

Doesn't the Parent Server resolve GUID conflicts and tell a client to make a new one if there is a conflict?

No. Because the GUID is based on the MAC address, and the MAC address should never be the same from machine to machine, the Parent Server does not do conflict resolution of GUIDs. I am filing this idea as an RFE however with Symantec because if the server simply did this then it would fix issues with other adapters.

Is this problem AOL's because of the adapter?

No. AOL is creating a virtual adapter just like a VPN client might. In concept what AOL is doing is fine. The potential for this problem with other pre-loaded software on a master image is great if that software makes a virtual adapter. In fact if your company pre-loads VPN software or such then I would encourage you to look at the LocalMAC value listed above and see if it matches your real Ethernet adapter that you can see by going to Start - Run and typing "cmd /k ipconfig /all".

What versions of SAV CE does this affect, and what operating systems?

It affects everything from NAV 7.61 through SAV 8.1.1 that I've looked at, and has the same problem on Windows 2000 and XP. It appears to be a universal problem. (Windows NT and 98 were not looked at because they are dead products.)

Is this problem Symantec's because they bind to a VPN adapter?

Sort of but not really. Symantec could have tested for more things like default route or adapter able to reach the Parent server when doing the figuring out, but they seem to have a pretty good detection system. It would seem to me that the burden is on Symantec to put in an exclusion for the AOL MAC address just like any other adapter found to cause similar problems.

How critical is this?

It appears to be more of an annoyance than anything else. If you turn on debugging on your clients then you will see the clients check in with "mommy" and it seems like policies are being communicated from the Parent servers to their children. So it makes it so that you can't really tell if your environment is protected. Depending on how you view this to be critical will make it more or less important to you.

What can you do to fix this?

I opened a ticket with Symantec Platinum support a week ago. They said they have not seen other customers with this issue. They are working on it though and understand the issue, but I think they might not be 100% on board with this being something for Symantec to fix. If you find that this issue affects you then I encourage you to open a ticket with Symantec so that they can find out if this affects more people than just my 10,000 clients. While 10,000 is a nice big number, it is only one company so it is understandable that Symantec would wonder why no other incidents were filed. If you have this problem then it is urgent that you make a ticket. If you do not have support and it would cost you money to make a ticket then please just email me how many clients you have and what company you are with, and I will tell Symantec so you do not have to pay for support on this issue.

Should you be angry with Symantec about this?

No. Seriously. There's no way they could have seen this bug. I just wanted to post this document out there so that perhaps more feedback could come in to the Symantec support system so that perhaps the issue would be given the proper treatment when it gets to the programming staff as a bugfix.

Should you be angry with AOL about this?

No. Seriously. They make a VPNish adapter to tunnel you in to the network. They do everything in a pretty legitimate way, and because they use the same MAC address from version to version it is pretty simple to code an exclusion for that MAC address. One could argue that AOL should be using unique MAC addresses, but imagine all the MAC addresses that would be burned up by every single install of AOL on every OS using up a MAC address. It would be very wasteful.

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
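The check the post recommends (compare the client's LocalMAC registry value against the adapters listed by "ipconfig /all" and see whether it is your real Ethernet adapter or a virtual one) can be scripted so it runs across an image library rather than by eye. This is an added example, not code from the post, from Symantec or from AOL. The registry value format and the AOL MAC address are taken from the post; the ipconfig output below is constructed, and the adapter name "Local Area Connection" used for the physical NIC is an assumption.

```python
"""Compare the SAV client's LocalMAC registry value with the adapters that
ipconfig /all reports, to see which adapter the client keyed its GUID on.

Added example, not part of the original post. LOCALMAC_REG is the value
quoted in the post; IPCONFIG_SAMPLE is constructed output for illustration.
"""
import re

# Value exactly as it appears in the post's .reg excerpt.
LOCALMAC_REG = 'hex:00,03,8a,00,00,15'

# Constructed ipconfig /all output: one real NIC plus a virtual adapter that
# carries the AOL MAC address quoted in the post.
IPCONFIG_SAMPLE = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Fast Ethernet NIC (constructed)
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        IP Address. . . . . . . . . . . . : 10.0.0.25

Ethernet adapter AOL Adapter:

        Description . . . . . . . . . . . : AOL virtual adapter (constructed)
        Physical Address. . . . . . . . . : 00-03-8A-00-00-15
        IP Address. . . . . . . . . . . . : 0.0.0.0
"""


def parse_reg_mac(value):
    """Turn a .reg 'hex:aa,bb,...' REG_BINARY value into 'AA-BB-...' form."""
    if not value.lower().startswith("hex:"):
        raise ValueError("expected a REG_BINARY 'hex:' value")
    octets = value[4:].split(",")
    if len(octets) != 6:
        raise ValueError("a MAC address has six octets")
    return "-".join(o.strip().upper().zfill(2) for o in octets)


def parse_ipconfig(text):
    """Map each adapter name in ipconfig /all output to its physical address."""
    adapters = {}
    current = None
    for line in text.splitlines():
        header = re.match(r"^\S.* adapter (.+):\s*$", line)
        if header:
            current = header.group(1)
            continue
        phys = re.match(r"^\s*Physical Address[ .]*:\s*([0-9A-Fa-f-]{17})", line)
        if phys and current:
            adapters[current] = phys.group(1).upper()
    return adapters


def adapter_for_localmac(reg_value, ipconfig_text):
    """Name of the adapter whose MAC equals LocalMAC, or None if nothing matches."""
    mac = parse_reg_mac(reg_value)
    for name, phys in parse_ipconfig(ipconfig_text).items():
        if phys == mac:
            return name
    return None


def bound_to_physical(reg_value, ipconfig_text, physical="Local Area Connection"):
    """True when LocalMAC is the real NIC; False means a virtual adapter won the binding."""
    return adapter_for_localmac(reg_value, ipconfig_text) == physical


if __name__ == "__main__":
    which = adapter_for_localmac(LOCALMAC_REG, IPCONFIG_SAMPLE)
    print("LocalMAC %s belongs to: %s" % (parse_reg_mac(LOCALMAC_REG), which))
    print("bound to physical NIC:", bound_to_physical(LOCALMAC_REG, IPCONFIG_SAMPLE))
```

On a machine where the virtual adapter has been bound first, the value resolves to that adapter rather than the NIC, which is exactly the case the post describes; every machine built from the same image will then report the same LocalMAC and hence the same GUID.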
Re: [Full-Disclosure] Windows hosts file changing.
- Original Message -
From: Kevin Gerry [EMAIL PROTECTED]
Sent: Wednesday, October 22, 2003 4:01 AM
Subject: [Full-Disclosure] Windows hosts file changing.

> Does -ANYBODY- know how it occurs? I've had this happen to a couple boxes of mine now... New one:
> --
> 127.0.0.1 localhost
> 66.40.16.131 livesexlist.com
> 66.40.16.131 lanasbigboobs.com
> 66.40.16.131 thumbnailpost.com

Perhaps a variant of the QHosts virus which just exploits an IE vulnerability. Perhaps not even a virus per se. (It's kind of sketchy anyways to call Qhosts a virus.) Perhaps a user got an email and clicked on the URL and it sent them to a site that took advantage of their IE not being patched.

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html
http://vil.nai.com/vil/content/v_100719.htm

The MS03-040 patch addresses this type of attack on a system.

-Josh

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
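The symptom in the thread (several public host names pinned to one outside address in the hosts file) is easy to spot mechanically once the file is parsed. Below is an added example of such a check; it is not code from the thread or from any vendor advisory. The hosts content is constructed with placeholder names on a documentation address, and the rules (anything other than localhost pointing off the loopback is suspect, and several names sharing one target is the redirect pattern) are assumptions.

```python
"""Flag hosts-file entries that redirect public names, the symptom the thread
describes. Added example, not from the original post; HOSTS_SAMPLE is a
constructed file and the rule set is an assumption.
"""
import ipaddress

# Constructed sample: the stock localhost line plus injected redirects that
# send three unrelated names to one address (192.0.2.0/24 is TEST-NET-1).
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
192.0.2.10      bank-example.test
192.0.2.10      search-example.test  www.search-example.test
192.0.2.10      antivirus-vendor.test   # injected
0.0.0.0         ads.example.test        # blackhole entries are left alone
"""

# Names a clean Windows hosts file is expected to map.
EXPECTED_NAMES = {"localhost"}


def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_entries(text):
    """Entries that map a non-localhost name to a routable address.

    Loopback and 0.0.0.0 targets are tolerated: they cannot redirect traffic
    to a third party, which is what the thread's entries do.
    """
    flagged = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            flagged.append((ip, name))  # malformed line: worth a look anyway
            continue
        if name in EXPECTED_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


def shared_targets(text):
    """Targets that several flagged names resolve to: the sinkhole pattern."""
    by_ip = {}
    for ip, name in suspicious_entries(text):
        by_ip.setdefault(ip, []).append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


if __name__ == "__main__":
    for ip, name in suspicious_entries(HOSTS_SAMPLE):
        print("suspect:", ip, name)
    for ip, names in shared_targets(HOSTS_SAMPLE).items():
        print("shared target %s <- %d names" % (ip, len(names)))
```

Running it over a machine's real hosts file (usually under the system32\drivers\etc directory on Windows) on a schedule, and alerting on any change to the flagged set, gives an early signal of the kind of tampering the thread reports without having to identify the dropper first.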
[Full-Disclosure] Anyone running SUS see the content update today?
Seems like tonight Microsoft re-released all the updates from last week. Anyone else see this? Anyone know why all the updates from last week got re-released and some of them show up as new rather than updated even though the KB articles in the description are last week's patches.

-Josh
Re: [Full-Disclosure] Anyone running SUS see the content update today?
Here are all the new patches in case anyone is curious what has changed since last week. Looks like all Win 2k and Windows Media player updates got refreshed. Note that on Friday the 824141 patches got re-released also. See below.

-Josh

Manual Sync Started- Wednesday, October 22, 2003 7:28:09 PM
Successful Updates Added:
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-ARA-CSP_9f86f61d518c3c04d09cb309a6f4314.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-CHS-CSP_a0f795892ba29283bbaf19b54fe6d6e.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-CHT-CSP_8316e7a45f07e1c2aabc06ca8025d8d.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-CSY-CSP_92fcf7aeea87ea9e6ce456a647e9602.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-DAN-CSP_c6542f7ecb807f261c5a0bf2a0d6843.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-NLD-CSP_d30aadd797f110bb219c72d0b10c79d.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-ENU-CSP_7c15826110e3809bbe56ff478e68d84.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-FIN-CSP_7ec5cfa361a5cca3e05572805fee2fd.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-FRA-CSP_759ecb8dc05687ad75e93904a622064.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-DEU-CSP_795ae167382abba0add7f6fc3930045.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-ELL-CSP_2ef9ce508b31d7bdf63d309df68ea66.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-HEB-CSP_ef9288fd08f8113ca348bc12179a945.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-HUN-CSP_23382aeb237ed4441a5edd1fb7eeb9c.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-ITA-CSP_8492978f87c2366cb3b46e05e95ccb6.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-JPN-CSP_d71d4ef366a244a7ff2362e65c74cb5.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-nec98-JPN-CSP_5bdc8e9232757259bfc77b27883e3bb.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-KOR-CSP_dab23f0acea1af7ee0aef3df851e5ae.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-NOR-CSP_411c192ee67cf05c6b32be9b11cf31b.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-PLK-CSP_9941238f212e886594c3ab81852365f.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-PTB-CSP_57e25d000792f5341ed582e83f3df1d.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-PTG-CSP_defaea55e88f0f651881e6cc88a0ea4.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-RUS-CSP_7382ff4150f0ad6251d0a7fdd55871a.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-ESN-CSP_8fd65bdae48134879516a1af13dbcf9.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-SVE-CSP_fb576380a844da17913393b0d8c0d78.EXE
Security Update for Microsoft Windows (KB823182) - Windows2000-KB823182-x86-TRK-CSP_63dc9cc87c9adb9746cd829a04b699b.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-ARA-CSP_784a1fedd6bdc1697e33571c2b341d4.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-CHS-CSP_a66d05069bd431e298b26c9d8fb30f4.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-CHT-CSP_a7f97cbefba389828aafb7960a2e11c.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-NLD-CSP_97be6324bf658e20377258083ab24dd.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-ENU-CSP_baec16e62a678728e8ca57a1f732287.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-FRA-CSP_b54624745fbbcadb4dab82f438cd225.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-DEU-CSP_550af394ce8ea3d3b95fc873f5b91de.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-ELL-CSP_60923bbb9b8b74b4a02255500388bb5.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-HEB-CSP_7f2a6eae9948832c7d6ae4c04fa945a.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-JPN-CSP_58f19cfbf84285430b2bf267151cd14.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-x86-KOR-CSP_75fa97cbfd7bc6d6ac894bc9a1dd507.EXE
Security Update for Microsoft Windows (KB824141) - Windows2000-KB824141-nec98-JPN-CSP_7198f76a3660579bf8bc7a052d54efa.EXE
Security Update for
Re: [Full-Disclosure] New Microsoft security bulletins today
On Oct 16, 2003, at 8:48 AM, Cael Abal wrote:

> I'm dissatisfied with both. With the first one, you're sending your logs out for remote processing -- that's just silly. The second requires all sorts of fiddling around with sql / iis which doesn't seem like it's worth the effort. I've been meaning to throw together something more streamlined (and with fewer prereqs) for a while now -- I guess it's time.

Wait for SUS 2.x to go in to beta. Displaying log information is one area where I'd imagine Microsoft knows they have a weakness on SUS 1.x

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household
On Oct 15, 2003, at 3:34 PM, Jonathan A. Zdziarski wrote:

> I took several years of French and came to admire the solidity of their language. This, to me, is why English is such a gutter language; lack of any real consistency. We'll all be speaking ebonics in a few years anyway, so it won't really matter.

Yes, but without the English speakers you would not have any courriel to be checking. :)

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] New Microsoft security bulletins today
On Oct 15, 2003, at 3:06 PM, Jerry Heidtke wrote:

> Microsoft just issued 7 new security bulletins: 5 for various Windows versions and 2 for Exchange. Six are rated critical, one is important. Just to refresh your memory, a critical vulnerability is one that can be exploited remotely and automatically (such as by a worm) and gives complete system control. An important vulnerability is one that can be exploited remotely and gives complete system control, but cannot be exploited automatically or without some user action.

Ah what's to worry about. Exploits against Exchange / OWA / Messenger Service / Authenticode / Active X can't harm anyone. :) Bring em on.

Luckily I deployed my SUS boxes at work and all I had to do to deploy the patches was check a few little boxes on my SUS servers.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] New Microsoft security bulletins today
On Oct 15, 2003, at 10:00 PM, Zach Forsyth wrote:

> This tool is not bad for some *basic* monitoring: http://www.pdxconsulting.com/sus/
>
> /paranoia mode off
> Grab your SUS log files and parse them through that web site...
> /paranoia mode returned to normal

That's what I've been using. It works well to see that all seems to be working as expected. I was going to setup another tool that sends the log data in to a SQL server so you can have all the data in one place and work with it. (I have 2 SUS boxes so 2 sets of logs.)

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] New MS Patch - Any Idea What This Is
- Original Message -
From: Anthony Aykut [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 4:41 PM
Subject: [Full-Disclosure] New MS Patch - Any Idea What This Is

> Hi, Anyone come across this one?? I have *just* received this - yet another email claiming to be from MS (showing initially as being from [EMAIL PROTECTED]), titled 'New Patch'. Same nice HTML page, with message body...

Swen virus.
Re: [Full-Disclosure] OT: An odd question that has arrisen within my household
- Original Message -
From: Georgi Guninski [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 12:23 PM
Subject: Re: [Full-Disclosure] OT: An odd question that has arrisen within my household

> Sorry for the rant, but what's wrong with being anti-social?

Nothing so much the matter with it, but the anti-social ones I probably wouldn't have met, and if I have met them then I haven't spoken much with them... due to their anti-socialness :) And I much preferred the friends of mine that liked to hang out and such.
Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household
- Original Message -
From: Jonathan A. Zdziarski [EMAIL PROTECTED]
Sent: Tuesday, October 14, 2003 6:42 PM
Subject: Re: [Full-Disclosure] OT: An odd question that has arrisen withinmy household

> The term anti-social is used a bit too loosely these days.
> removed text
> Not wanting to talk to people in general is just filtering. Arrogant at the most, but definitely not anti-social.

First that is not a comparison that makes me comfortable, but you knew that you were being extreme when you wrote it. The below definition says to me that someone could be not sociable or be hermit-like and shun society without becoming the Unabomber. Anti-social doesn't have to be so extreme. Anyways you are just playing semantics.

an·ti·so·cial adj.
1) Shunning the society of others; not sociable.
2) Hostile to or disruptive of the established social order; marked by or engaging in behavior that violates accepted mores: gangs engaging in vandalism and other antisocial behavior.
3) Antagonistic toward or disrespectful of others; rude.

Source: The American Heritage® Dictionary of the English Language, Fourth Edition
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 13, 2003, at 2:15 AM, Mike wrote:

> I really wish people would stop comparing software agreements to car warranties, cars versus software?? Cars will always win, it's a hardware thing.

And Windows runs on magic dust? Last I checked Windows ran on hardware and my car has software in it. The last time I checked, the author of the ABS, Airbag, Cruise Control, and diagnostic software had no responsibility to let me know about critical updates for said software.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] OT: An odd question that has arrisen within my household
I would add a tier before Tier I that would be hackers that do not believe in full disclosure, do not share exploits outside their close knit circle of friends, do not support the man. A lot of these guys are better than The best of the best, but nobody knows because they don't make themselves public. Maybe you could call it T13r Z3r0 :)

Seriously... there are people out there that have tons of free time to learn, and possibly monitor lists like this, and laugh at the silly people that disclose vulnerabilities and share information. They aren't necessarily out doing damage. They just don't play with strangers because they choose not to. Some of these people are damn cool. Some are just anti-social, but that really isn't the norm so far as I can tell. Of the people I've ever met they seem to have personalities, and usually have more going on than I do socially. If you met them you wouldn't think hacker or even know they are in to computers. I dunno... just my observations here in New York City. Perhaps it's different elsewhere.

-Josh

On Oct 13, 2003, at 1:02 AM, Joel R. Helgeson wrote:

> Tier I - The best of the best
> - Ability to find new vulnerabilities
> - Ability to write exploit code and tools
>
> Tier II - IT savvy
> - Ability to program or script
> - Understand what the vulnerability is and how it works
> - Intelligent enough to use the exploit code and tools with precision
>
> Tier III - Script Kiddies - Inexpert
> - Ability to download exploit code and tools
> - Very little understanding of the actual vulnerability (launching Linux attacks against MS boxes)
> - Randomly fire off scripts until something works

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 13, 2003, at 10:12 AM, [EMAIL PROTECTED] wrote:

> http://www.cpsc.gov/cpscpub/prerel/prerel.html
> Look under search by company. Ford is listed, GMC is listed, Honda is listed. Microsoft isn't listed.

What exactly is the point? Way to just dismiss my point with nonsense.

... Now lissen here, witch! All you do is yap-yap, and bitch-bitch-bitch-bitch!
- The Lorax

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 13, 2003, at 10:57 AM, Joshua Levitsky wrote:

> ... Now lissen here, witch! All you do is yap-yap, and bitch-bitch-bitch-bitch!
> - The Lorax

Realizing that someone here might have actually read The Lorax, yes.. it is a bogus quote... for a bogus argument... Just wanted to clear that up before the literate people thought they might correct me... Carry on.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] OT: An odd question that has arrisen within my household
On Oct 13, 2003, at 9:37 AM, henry j. mason wrote:

> you say these 'uber-hackers' don't believe in full-disclosure, but you say they use it to learn? or, without full-disclosure (or any disclosure at all) they would learn anyway? care to posit some theories as to how?

They use FD to just watch what is going on. Not to learn per se. Just to watch how the wind is blowing in computer-land. And they would learn without FD because they try things on their own and they work with their friends to test theories, but then keep it to themselves and use the information to gain social status among their groups, and have no care about social status among those of us that have sold out.

> these people have tons of free time, yet a lot going on socially? i find those two mutually exclusive, unless you don't have a job, and job-less twenty-somethings are hardly the most motivated of people.

All I can say is I have met some very smart people in my past that have managed to hang out in the cool places and hang out with the cool people and still they somehow can find the time to learn more about almost every aspect of technology than I have been able to. Of course I could be not bright, but my work experience has told me I'm at least smarter than a lot of people in the industry.

> i do grant you that there is a very small quiet minority of very skilled hackers. but they aren't t13r anything because they just do it because they have to, not for l33t recognition.

I agree 100% that they don't do it for public recognition, but inside their social group they gain status because of knowledge.

Again... this is just my opinion and my experiences here in New York City... and experience has told me that what is true in NYC is not always true for anywhere else so perhaps elsewhere in the world I'm completely off-base. ... and that is a-ok.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 13, 2003, at 11:58 AM, [EMAIL PROTECTED] wrote:

> The point is that cars *can* and *have been* recalled because of defects in computer-controlled systems. Here's 2 that 5 minutes with Google found.

And they came and fixed it at your house for you? How lovely. You didn't have to take action and bring the car to a dealership to be fixed? Wow. Microsoft sends out notes if you subscribe to mail lists. If you move to a new address and don't tell your auto maker then will you get recall notices?

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 12, 2003, at 5:15 AM, Steve Wray wrote:

> Will knowingly allowing a computer under your control to remain in an exploitable state become a crime? (if it isn't already...)

If you never get your brakes inspected, and one day you crash in to someone and kill them because your brakes fail. Is it your fault for not ever getting your brakes checked? Or should the blame lie with the brakes that wore themselves down and never fixed themselves on their own? When you drive a car you have maintenance responsibilities. Somehow with computers people don't come to the same conclusion.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 12, 2003, at 2:36 PM, [EMAIL PROTECTED] wrote:

> The average car manufacturer doesn't try as hard as they possibly could to make sure you never visit the dealership for regularly scheduled maintenance

I drive a Ford truck. The Ford dealer I bought it from never told me when to come in to service my brakes. They just tell me to come in every so often. If you brought your computer in to where you bought it every 3 months and paid them an hour labor ($89.00 US where I live for an hour of auto labor) then I suspect your computer would be in pretty good shape. They would turn on Auto Updating and they would verify that your Anti Virus updates automatically and that there is no SpyWare on your system. Microsoft doesn't stop anyone from bringing machines in to the seller of Windows based machines. It's really the seller that has failed you in my scenario. They sell you a computer at CompUSA or wherever, and they never tell you at the dealer that you need to do certain things.

And even if you are right, and Microsoft somehow works so that you won't update your machine. If a car dealer sold you a car and said come back in 100,000 miles for a checkup. Wouldn't it still be you that's a fool for not doing some research in to what is needed to keep your car properly maintained?

If people took personal responsibility for the upkeep of their cars, computers, houses, etc... then we would all be in a better place. Modern society has a sickness. That sickness is stupidity. Sadly everyone keeps feeding that stupidity so it's only going to get worse from generation to generation. H.G. Wells wasn't too far off with his idea of the Eloi. It makes me a little bit sad that the world is coming to this.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Hacker suspect says his PC was hijacked
On Oct 12, 2003, at 4:48 PM, Paul Tinsley wrote:

> I have a Honda Accord and a Mini Cooper, prior to that a Mazda and an Oldsmobile and I get/got reminders from all of those companies pretty regularly with coupons, suggested maintenance flyers and the like... I put car manufacturers right behind my dentist in reminders, well lawn care is somewhere in the middle me thinks

That was your particular dealer sending the flyers no? The only notes I've ever gotten from Ford were things that my dealer sent. So I've always taken it upon myself to make sure I understood when my vehicle needed service based on how it is used. That's why I equate CompUSA with my Ford dealer. CompUSA could send notes to people they sold computers to saying You need to update x, y, and z. If you bring your PC in for service then we will happily update it for you.

-Josh

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] OT: An odd question that has arrisen within my household
On Oct 12, 2003, at 10:40 PM, Matt Carlson wrote:

> 1. What exactly defines a script kiddie?
> 2. Does using a port scanner make you a script kiddie since you yourself did not write the code?
> 3. Does it make you a script kiddie because it is a means of exploitation?

script kiddies pl.n.
1. The lowest form of cracker; script kiddies do mischief with scripts and programs written by others, often without understanding the exploit.
2. People who cannot program, but who create tacky HTML pages by copying JavaScript routines from other tacky HTML pages. More generally, a script kiddie writes (or more likely cuts and pastes) code without either having or desiring to have a mental model of what the code does; someone who thinks of code as magical incantations and asks only what do I need to type to make this happen?

http://info.astrian.net/jargon/terms/s/script_kiddies.html

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Political Posts
On Oct 5, 2003, at 12:50 PM, J.A. Terranson wrote:

> Nobody gives a fuck what *you* signed up for. Don't like it? Get the fuck out. This is Full Disclosure - *Everything* is disclosed: favorite Presidents, latest 'sploits, Ice Cream recipes... If you want a good S/N ratio, you are in the wrong fucking place.

I'm getting a quick picture on this thread of who on this list has nothing of substance to contribute. Thanks for helping me to make a quick filter of who to ignore on the list. (And thanks for Disclosing that you are an asshole. I'm sure your friends already knew it, but I didn't know it until just now. So thanks for the Full Disclosure.)

Treat others as you would like to be treated. Don't like my words then don't treat other people like crap on the list. It's not needed.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Bush Bashing (use to be Has Verisign time arrived ?)
On Oct 5, 2003, at 2:45 PM, William Warren wrote:

> interesting..since so called right-wing radio is many times more popular than liberal radio..which one needs to join the real world? The real world is contained in the bible. God is on your side..you just have to choose to believe...it really is that simple.

Not to encourage religious debate here, but you do know that Judaism in the time of Jesus was accepting of Pagans right? and you know that it was ok if your non-Jewish neighbor worshiped the regional Pagan god right? And that Jesus never claimed to be god and it wasn't until a hundred years after his death (2nd century) that Christians decided he was right? Wasn't until they accepted goyim in and Christianity became distorted from what Jesus intended. And that denying the existence of other gods wasn't until Deuteronomy was discovered during the renovation of a building in 622 b.c. by a man that had an agenda? (Hilkiah) And even 600 years later Jesus was accepting to all, and he didn't want people to think he was god and he didn't ever claim to be... and so I don't know how you can say that God is on your side like there is only one god and you need him on your side.

Judaism / Buddhism / original Christianity / Greek culture and such all support the idea that there are many gods. Jews are only permitted to pray to the one god, but it is clear that there are others. Modern Christianity is seriously flawed in the fact that many Christians worship Jesus as if he was god, Catholics worship idols by having Jesus on the cross at church, Christians make the false claim that there is no path to heaven except through Jesus. I could go on, but I won't. This is way too complicated to cover on a mail list that is for computer discussions. I just couldn't let you spout that nonsense that there is one god, and the implication that someone needs your god on his side.

--
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] Bush Bashing (use to be Has Verisign time arrived ?)
On Oct 4, 2003, at 9:51 PM, Dark Avenger wrote:
> This isn't the place to discuss political and personal views of our country and leadership, but you 2 just opened the door. This is typical liberal dribble attacking our president for an immoral war and being weird. Your only agenda is to try to discredit an administration that finally has some morals and integrity and does what's right for the country (and even for the ungrateful world community), unlike the prior administration.

Bla bla bla.. nothing to do with computers... bla bla bla

Let's please talk about computers. I am on 10 different active lists and none of them have anything to do with politics... mostly because I have no interest in them. All politicians are slime-bags. All of them say what their party wants them to. None of your points will be resolved on the Full-Disclosure list unless someone is writing about an exploit that gets us access to George Bush's porn collection.

Please... no more bla bla bla... politics ... bla bla bla

-- 
Joshua Levitsky, CISSP, MCSE
System Engineer
AOL Time Warner
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
Re: [Full-Disclosure] New Hacking Zine: p62 (formatting corrected)
On Sep 23, 2003, at 4:48 AM, Andreas Marx wrote:
> The official Phrack website and the only website you can trust is http://www.phrack.org/ !!! And the last official release is * 2003/08/13 - PHRACK #61 IS OUT * There is no Phrack 62 available yet. All people who claim that Phrack 62 is out are cheaters. Look at the e-mail addresses of these posters to this mailing list -- they do not use the official ones, so don't trust their postings.

Would be nice if they used a PGP / GPG key. Would make it easy then if they signed the documents. Then if the documents were tampered with, or not official, then it would be reflected by the signature not matching or the key not being right. Then nobody could say anything about a Phrack being valid or not. Might make things easier and make for less arguing.

-Josh
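Worked example of the signing scheme Josh describes, added here as an editorial illustration and not code from the post, from Phrack, or from any of the posters. It uses Ed25519 from Go's standard library instead of PGP/GPG so it runs with no external tooling; the key pairs are generated fresh on each run, the release body is constructed sample text, and the names Editor, Release, Sign and Verify are this example's own. The point it demonstrates is the two failure modes the post names: a tampered document fails because the signature no longer matches, and an "unofficial" document fails because it was signed with the wrong key, even though it is a perfectly well-formed signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Release is a document plus the detached signature that travels with it.
type Release struct {
	Name      string
	Body      []byte
	Signature []byte
}

// Editor holds a signing key. Only the public half would be published (e.g. on
// the official site), so readers can check every release against that one key.
type Editor struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewEditor generates a fresh key pair (hypothetical: a real zine would keep
// one long-lived key and publish its fingerprint).
func NewEditor() (*Editor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Editor{pub: pub, priv: priv}, nil
}

// Public returns the key readers are expected to trust.
func (e *Editor) Public() ed25519.PublicKey { return e.pub }

// Sign produces a detached signature over the whole body.
func (e *Editor) Sign(name string, body []byte) Release {
	return Release{Name: name, Body: body, Signature: ed25519.Sign(e.priv, body)}
}

// Verify reports whether the body is intact and was signed by the holder of
// trusted. Length checks come first because ed25519.Verify panics on a
// malformed public key rather than returning false.
func Verify(trusted ed25519.PublicKey, r Release) bool {
	if len(trusted) != ed25519.PublicKeySize || len(r.Signature) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(trusted, r.Body, r.Signature)
}

// Scenario walks through the three cases from the post and returns each outcome:
// genuine should verify, tampered and impostor should not.
func Scenario() (genuine, tampered, impostor bool, err error) {
	official, err := NewEditor()
	if err != nil {
		return
	}
	someoneElse, err := NewEditor()
	if err != nil {
		return
	}

	body := []byte("Phrack #61 (constructed sample text, not the real issue)\n")
	rel := official.Sign("phrack61.txt", body)
	genuine = Verify(official.Public(), rel)

	// Tampered: same signature, one bit of the body flipped.
	forged := rel
	forged.Body = append([]byte{}, rel.Body...)
	forged.Body[0] ^= 0x01
	tampered = Verify(official.Public(), forged)

	// Impostor: a valid signature, but from a key that is not the official one.
	fake := someoneElse.Sign("phrack62.txt", []byte("unofficial issue (constructed)\n"))
	impostor = Verify(official.Public(), fake)
	return
}

func main() {
	genuine, tampered, impostor, err := Scenario()
	fmt.Printf("genuine=%v tampered=%v impostor=%v err=%v\n", genuine, tampered, impostor, err)
}
```

The verification result depends only on the public key the reader already trusts, which is what removes the "look at the sender's e-mail address" guesswork Andreas Marx has to fall back on: the signature either checks out against the published key or it does not.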
Re: [Full-Disclosure] Fake Microsoft update e-mail
On Sep 22, 2003, at 12:49 PM, Fabio Gomes de Souza wrote:
> Are you receiving lots of fake Microsoft fancy HTML e-mails claiming that the attached file is an urgent update?

http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED]

-- 
Joshua Levitsky, CISSP, MCSE, EMTD
System Engineer
Time Warner
Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder
On Sep 22, 2003, at 6:02 PM, Joshua Thomas wrote:
> But why they wait until the DATA command is a total mystery to me. It seems much more logical to bounce the message after the RCPT TO: command.
>
> <conspiracy theory> To read our mail? </conspiracy theory>

They will read our mail when they accept the DATA command and all after it. This will happen. You will see. Right now they take in the address of who you are sending to and who is sending. What a wonderful way to collect valid email addresses. First the MAIL FROM will be a correct address most of the time. The RCPT TO will be wrong 100% of the time, but they could employ scripts with some logic to see things like [EMAIL PROTECTED] is really [EMAIL PROTECTED] and such. Many typos are repeated in the same way by many people. Can't wait for the spam to start flowing from that list of users they are collecting.

Of course Verisign will protect their customers from the spam. That'll be part of the deal with the spammers they sell to.
Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder
On Sep 22, 2003, at 7:50 PM, Richard M. Smith wrote:
> I don't think the Verisign SMTP server would suffer. Since it rejects incoming messages before the message body and attachments are sent. Darn it. Another approach might be to start selling CD's with 30 million email addresses for spamming that have nothing but bad domain names. Of course, all this would be wrong anyway. We don't really want to be following Verisign's bad example and hacking the Internet. ;-)

Damn.. I must be sleepy since I just told someone that they error out before you hit the DATA portion of the transaction.

I like the CD idea... tho yes.. it would be in poor taste... and probably less fun than flushing all the toilets in the dorm at 2am...

-Josh
Re: [Full-Disclosure] Sample of Swen/Gibe.F Worm
On Sep 18, 2003, at 11:58 PM, = wrote:
> Hello, If someone has a copy of this virus, please contact me off the list. Like to get a sample of it and test it against my AV... THANKS

It was posted to the list earlier today. 9:51pm Eastern .. the subject was [Full-Disclosure] FW: New Net Security Upgrade

I assume the EXE and all are in the list archive. Snatch it from there.

-Josh
Re: [Full-Disclosure] new virus:
It was Swen. He sent me the file. F-Prot caught it on my mail gateway.

-Josh

On Sep 19, 2003, at 11:27 AM, Cael Abal wrote:
> You're going to have to give us more than a vague subject line and what looks like a randomly-generated filename, Ron. Have you tried any of the major AV tools?
>
> take care,
>
> Cael
>
>> Has anyone seen an email going around with subject bug message containing a supposed audio attachment that is really an exe named ckcwr.exe. Is this a possible new virus? I have received numerous copies of this email since last night.
>>
>> Ron Clark
>> System Administrator
>> Armstrong Atlantic State University
Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new
On Sep 17, 2003, at 5:37 AM, jamie rishaw wrote:
> Please provide code / config (explain).
>
> On Wed, Sep 17, 2003 at 12:42:19AM -0400, Joshua Levitsky wrote:
>> On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
>>> Mail administrators who use any non-existent DNSBL to mark email as spam suddenly have all their mails deleted,
>>
>> Actually I figured out how to use it to my advantage. I query . which is my own DNS server of course as a ip4r blacklist and if the IP for verisign's site is returned then I give the spam a very high score. Any domain that doesn't exist would fail this, but any other domain would not return that IP, but rather the proper IP. I'm still pissed at Verisign, but I always try to turn a problem into an opportunity so now I'm using their greed to block spam.

I use Declude which is a plugin to IPSwitch's IMail product.

VERISCAM  rhsbl  .  64.94.110.11  10

Above is the config line I am using. Basically VERISCAM is the name of my test. It's a rhsbl test which is a Right Hand Side test. Your Spam filter software needs to be able to do RHS style lookups where it's looking at what is to the right of the @ sign. So [EMAIL PROTECTED] could come from an AOL mail server, but my RHS test looks at joshie.com rather than the AOL server that handed the mail to your server.

The next field is . which is normally where I put like orbs.dorkslayers.com or such... the zone that I'm going to query. By putting a . in then it is checking my local zone and so the query hits my own DNS. That's just where the query goes.

64.94.110.11 is the result I'm looking for from the server. Various ip4r tests result in like 127.0.0.2 or 127.0.0.3 and different values normally mean different kinds of listings like open relay vs. porn spam ... you get the idea. In this case a 64.94.110.11 would return from my own DNS server for any @bla.com that did not resolve. This test catches anyone using phoney domains that don't exist.

-Josh
Re: [Full-Disclosure] Re: Verisign abusing .COM/.NET monopoly, BIND releases new
On Sep 17, 2003, at 6:44 PM, D. Ian Miller wrote:
> FYI ... looks like Verisign has pulled the wildcard A record as we have not patched but invalid domain searches no longer go to verisign ... sitefinder-idn.verisign.com is no longer responding to queries ... maybe someone got the message ... wonder how they will explain this one ...

At 21:26 Eastern it is still going to the sitefinder site here when I try random strings. However I have heard that they are being hit by a DDoS attack. Perhaps they couldn't handle the load when you went there.

-Josh
Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new
On Sep 17, 2003, at 12:42 AM, Joshua Levitsky wrote:
> On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
>> Mail administrators who use any non-existent DNSBL to mark email as spam suddenly have all their mails deleted,
>
> Actually I figured out how to use it to my advantage. I query . which is my own DNS server of course as a ip4r blacklist and if the IP for verisign's site is returned then I give the spam a very high score. Any domain that doesn't exist would fail this, but any other domain would not return that IP, but rather the proper IP. I'm still pissed at Verisign, but I always try to turn a problem into an opportunity so now I'm using their greed to block spam.

Just to clarify my own post. I meant a right hand side test so it is checking the address that the sender is claiming is theirs rather than how you typically check the host that is handing the mail to you. (It's late and I clicked send too quick.)

-Josh
Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new
On Sep 16, 2003, at 11:16 PM, Thor Larholm wrote:
> Mail administrators who use any non-existent DNSBL to mark email as spam suddenly have all their mails deleted,

Actually I figured out how to use it to my advantage. I query . which is my own DNS server of course as a ip4r blacklist and if the IP for verisign's site is returned then I give the spam a very high score. Any domain that doesn't exist would fail this, but any other domain would not return that IP, but rather the proper IP. I'm still pissed at Verisign, but I always try to turn a problem into an opportunity so now I'm using their greed to block spam.

-Josh