[Full-Disclosure] Re: I thought Microsoft were releasing new security patches today (11 Jan 2005)?
Matt Ostiguy wrote:

On Tue, 11 Jan 2005 15:13:45 -, Mike Diack [EMAIL PROTECTED] wrote:

Where are they?

Mike

My experience has been that the 2nd Tuesday of the month patch drop occurs late in the day or evening, Eastern Standard Time.

Matt

I just got 3 for windows 2000 server through Auto updates not there last week ;-0

___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Linux kernel uselib() privilege elevation, corrected
Gaz Wilson wrote:

On Tue, 11 Jan 2005, Athanasius wrote:

On Tue, Jan 11, 2005 at 07:56:32AM +, Marcy Darcy wrote:

I'm running a small server with the 2.6.10 kernel. The exploit doesn't seem to be working on this kernel. Is there a way to make sure the system is vulnerable or not?

I couldn't get the exploit to work for 2.6.10 either. First there's changing a struct in it to user_desc to make it compile, then it just SEGVs all the time here.

I get it compiled and running on 2.6.8, but it doesn't do anything, other than hog all available CPU for about 10-15 minutes followed by:

[-] FAILED: try again (-f switch) and again (Cannot allocate memory)
Killed

The same thing happens with the -f switch, except the process gets stopped (SIGSTOP) instead of killed after the allotted time.

My RedHat 8.0 system won't give up id 0 although I do have a semi-permanent DOS on my hands right now with ./exploit -n5 ;-) since 4 hours ago ;-{

I expect I just don't have the commandline correct

Although it may [doubtful] be Bastille settings

steve
[Full-Disclosure] Re: @SPAM+++++++++
some thing in the way of my mail delivery - wrote:

This message has been processed by the Brightmail(tm) Anti-Virus Solution using Symantec's Norton AntiVirus Technology. top-level-msg was infected with the malicious virus MHTMLRedir.Exploit and has been deleted because the file cannot be cleaned. For more information on anti-virus tips and technology, visit http://www.digitalriver.com/v2.0-img/operations/symantbm/desc/.

--

Subject: Re: Gadu-Gadu, another two bugs
From: Przemyslaw Frasunek [EMAIL PROTECTED]
Date: Mon, 20 Dec 2004 18:20:37 +0100
To: Jaroslaw Sajko [EMAIL PROTECTED]
To: Jaroslaw Sajko [EMAIL PROTECTED]
CC: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com, [EMAIL PROTECTED]

Unfortunately, the entire message needed to be deleted.

Not very freakin Bright

I just wish I would get the option to turn this off
Re: [Full-Disclosure] RE: Full-Disclosure digest
Todd Towles wrote:

Maybe because they are e-mail borne and if you haven't noticed, you post on here via e-mail? This list is open, therefore as long as people don't fix their computers, you will get viruses. Welcome to FD =)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of digitalchaos
Sent: Friday, September 03, 2004 4:27 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] RE: Full-Disclosure digest

Why are there virus being transmitted through this newsgroup??

OUTPUT FROM MCAFEE:
** McAfee VirusScan *** Alert generated at: Thu, 02 Sep 2004 13:15:00 -0500 * *

Since I don't get the digest and rarely see the viruses. . . . . unless your ISP filters; remember you should implement security in layers, possibly consider it the first line of defense [each should have protection as well.] these virii will get through.

(my ISP does [they are using brightstor; -not a testimonial-; based on the few ripped-apart messages that do get through] it can be really tough to get some example code through sometimes_not_ And I have told the only prefs available to me through help desk not to scan my mail ; but it does... dang corporate policy for major Canadian telephone company; Imagine now; they still want me to pay an additional $5.00 /month to get me a desktop client, but I don't get the viruses because they already filter ;-p )

Likewise I know I cannot trust this account for receiving any files because they are intercepted each and everyone ; some still get through ; user [admin or not] beware ;-0

steve
Re: [Full-Disclosure] Vulnerability in sourceforge.net
Dang a new Mandrake 10 is currently /bin/sh grep

[EMAIL PROTECTED] ]$ grep nobody /etc/passwd
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin

[EMAIL PROTECTED] grep nobody /etc/passwd
nobody:x:65534:65534:Nobody:/:/bin/sh

[EMAIL PROTECTED] grep nobody /etc/passwd
nobody:x:65534:65534:Nobody:/:/bin/sh

Anders B Jansson wrote:

nobody:*:32767:32767:Unprivileged user:/nonexistent:/sbin/nologin

Todd Towles wrote:

Does OpenBSD do that?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gregory A. Gilliss
Sent: Thursday, July 22, 2004 3:31 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Vulnerability in sourceforge.net

Really...FreeBSD comes with user nobody set to /sbin/nologin out of the box. Maybe they should have chosen a better host OS?

G

On or about 2004.07.22 07:49:53 +, Todd Towles ([EMAIL PROTECTED]) said:

Sounds like they should have configured that page a bit different...made it run under a little less access...or said I say..it is a mis-configuration. =)
Re: Fwd: [Full-Disclosure] Notification
Collin wrote:

I have to say this is the best attempt at baiting the use I've seen. Even I'm tempted to open it, and I don't even have a job...just kidding!

Begin forwarded message:

*From: *Mfrd [EMAIL PROTECTED]
*Date: *May 24, 2004 4:43:45 PM CDT
*To: *Full-disclosure [EMAIL PROTECTED]
*Subject: [Full-Disclosure] Notification *

Thanks I didn't get the attachment in the first email. now I know to get by my upstream... it's gotta be forwarded once before execution [I've just got to unencoded it ;-) ;-) otherwise I know that my darned upstream providers are still ripping attachments off of emails. something like brightmail if I remember the few that made it through with descriptive email errors.

steve
Re: [Full-Disclosure] Registry Watcher
Aditya, ALD [Aditya Lalit Deshmukh] wrote:

the common installation inserts and all programs have values that must be inserted. If a watcher would have a data base to follow and any odd or uncommon entries could be flagged. As far as I know all newly found viruses insert registry entries and these could be placed in a data base that would cause registry to deny and flag.

viruses generally attack registry first because most of the application including os use registry for running properly.. so registry is the favorite target. but a virus can do much harm without changing registry also.

hey for this sort of thing i use a program called as proport, it watches all the autostart up registry entries and alerts u when any new program is added to it. this program sits in the system tray so it is not obtrusive download it from www.tudpage.com

u dont want regmon but proport for this sort of thing

-aditya

I think it's supposed to be www.tdupage.com
was [Full-Disclosure] Core Internet Vulnerable - News at 11:00 -= Your message to Full-Disclosure awaits moderator approval
Moderation of an un-moderated list at its best on a valid subject no less

I guess it's my bad as it's not named early disclosure

So, malware below 20k Ca CHING

Bet this fits within the 20K ;-) and takes what xx minutes to make it to the last victim

At 16:48 AST [1548EST] I sent David Ahmed's copy of [NISCC Vulnerability Advisory 236929: Vulnerability Issues in TCP] forwarded from the UK

In reply to

Crist J. Clark wrote:

Does anyone know WTF they are trying to say in this AP article, Core Internet Technology Is Vulnerable, http://story.news.yahoo.com/news?tmpl=storycid=562ncid=738e=1u=/ap/20040420/ap_on_hi_te/internet_threat

It sounds like they are talking about a sequence number guessing attack on TCP BGP sessions? Sequence number prediction isn't really a new attack, but the story says, Experts previously maintained such attacks could take between four years and 142 years to succeed because they require guessing a rotating number from roughly 4 billion possible combinations. Watson said he can guess the proper number with as few as four attempts, which can be accomplished within seconds.

Hmmm... Four attempts... And the story makes it sound like a cross-platform attack, not a bug in a particular OS's ISN generation. FUD or is there something here?

I found this [below] in my in basket

Luckily I sent Christ the email OFF_LINE

smenard

PS BONUS POINTS: Dr Phil can't participate can any one tell me why I feel like swearing? full disclosure.Limited of course ;-)

Your mail to 'Full-Disclosure' with the subject

Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00

Is being held until the list moderator can review it for approval.

The reason it is being held:

Message body is too big: 46716 bytes but there's a limit of 20 KB

Either the message will get posted to the list, or you will receive notification of the moderator's decision.
Re: [Full-Disclosure] viruses being sent to this list
Definitely BLOCKED by ISP

I don't have to pay extra for this ;-P They still want me to buy $4.99 monthly protection from them

They appear to be running BRIGHTMAIL [with no mention to customers, to ruin income potential]

steve menard

Dave Horsfall wrote:

On Mon, 22 Mar 2004, Paul Schmehl wrote:

This is a small sample of what I have found in the archives:

message.pif - 5 copies
your_details.pif - 2 copies
attachment.htm.pif - 1 copies
file.pif - 1 copies
test.pif - 1 copies
readme.scr - 1 copies

Yeah, that's pretty close to my recollection. I thought it ironic that this list -- a security list -- is populated by some infected idiots, but there you go.

Someone said that they haven't seen any virus postings; you sure they are not being dumped by your ISP? They are *definitely* there.

-- Dave
Re: [Full-Disclosure] FREE ....
Yes Gadi, It was a joke , I forgot the Smileys ;-P [normally I watch my spelling, I thought it'd be a dead giveaway]

And you'll note I didn't spell your name right

I was talking to the spoofer

steve

Gadi Evron wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Gadi Evron wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Steve Menard wrote:
| gady stop sending the list spam
|
| also, on an unrelated note
| why doesn't the unsubscribe link work
| is ti brkoen
| doh
|
| [EMAIL PROTECTED] wrote:

Obviously, that was not me who sent this.

Gadi.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.3 (MingW32)
iD8DBQFAYB+bqH6NtwbH1FARAu9/AJ44Iy9iFfnNGDJQzPpIY0FQJy206gCcCnzd VOeeo+xVy+O6n5BdJYBOVWc= =IsaK
-END PGP SIGNATURE-
Re: [Full-Disclosure] viruses being sent to this list
What did I miss? I thought I read _all_ my fulldisclosure ;-P

which emails? I'd like to check my own archives against full disclosure's

Maybe my ISP is CENSORING MY MAILS [apparently I'm missing some emails] [i'll beet them to an inch of their pathetic lives] ;-) dammint ... what next ? I gotta pay em to let them through??? dang

I gootta pay better attention ot waht i'M diong

Gadi Evron wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

I believed I explained this was an option in my email, as it was unclear.. indeed. It is quite possible this was an infected user without any knowledge of this ever being done.

which email? I'll check my own archives against full disclosure'd

And why should we receive it on a public security forum, which addresses so many people?

| Stop embarrassing yourself.

If an embarrassment is to demand reaction for receiving malware from this list, why should I feel embarrassed?

The list charter clearly states: Members are reminded that due to the open nature of the list, they should use discretion in executing any tools or code distributed via this list.

It is about taking responsibility.

Gadi Evron.
Re: [Full-Disclosure] FREE LIFETIME VIP MEMBERSHIP SEE GADI EVERON NEKKID!!!!
gady stop sending the list spam

also, on an unrelated note why doesn't the unsubscribe link work is ti brkoen doh

[EMAIL PROTECTED] wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

FULL ACCESS - FREE LIFETIME VIP MEMBERSHIP SEE GADI EVERON NEKKID! CLICK HERE

Note: this is not a spam email. This email was sent to you because your email was entered in on a website requesting to be a registered subscriber. If you would would like to be removed from our list,CLICK HERE TO CANCEL YOUR ACCOUNT and you will *never* receive another email from us!

[HTML Source]

-BEGIN PGP SIGNATURE-
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3
wkYEARECAAYFAkBfsO4ACgkQ0q7bdNPjbeypPACgko7iO03LEzHcWWhSC5cifV6lf9IA n3ffq6wHI6VDepC+3v//Dnukrrk0 =cwt1
-END PGP
Re: [Full-Disclosure] Another false Citibank e-mail...a new phishing?
Christian wrote:

Elia Florio wrote:

I received this bad-spoofed-Citibank e-mail, which points to a PHP page which ask for credit card number..and stole it!!! Is it the next phishing e-mail ? The link points to http://218.36.71.193:443/citi/

i tried http://218.36.71.193/ then, this seems to be the home of www.sk.com (from FAQ: What is SK? SK is Koreas fourth largest conglomerate and one of the leading business organizations in Asia...) someone has set up a 2nd Apache on :443 (!SSL), and created /citi to phish credit card numbers??

Christian.

Nope. Just More misdirection by the miscreants

try the url http://218.36.71.193:443/test.php

The requested URL /test.php was not found on this server.
Apache/1.3.6 Server at proxyegana.goldpfeil.de Port 80

[EMAIL PROTECTED] nslookup www.sk.com
Note: nslookup is deprecated and may be removed from future releases. Consider using the `dig' or `host' programs instead. Run nslookup with the `-sil[ent]' option to prevent this message from appearing.
Server: 192.168.8.1
Address:192.168.8.1#53

Non-authoritative answer:
Name: www.sk.com
Address: 64.227.233.29
Re: [Full-Disclosure] NEVER open attachments
Troy wrote:

On Sat, 20 Mar 2004 17:27:56 +0100, Frank de Wit [EMAIL PROTECTED] wrote:

If you were to switch email clients, you wouldn't have this problem. Even if you went to Outlook, you could read their messages without opening attachments.

But that [outlook] entails paying BIG BUCKS to some large monopoly

many persons find that repugnant
Re: [Full-Disclosure] Get somebody's IP with MSN
Na7aS wrote:

Hello

I wanna know how to get somebody's IP with his MSN Email, without sending him a file.

Bye

best chance View Source of email and follow the IP in the header
Re: [Full-Disclosure] Comcast using IPS to protect the Internet from their home user clients?
Frank Knobbe wrote:

Spam filtering and virus checking should occur on the carriers email gateways/hosts, and not on the wire itself. I should have the right to receive all the viruses I want in my email (perhaps for legitimate research).

As far as filtering inline, if it occurs on fixed criteria (i.e. port 25), I'm okay with it (even though I may not like it). As I said, as long as I can tunnel around it, I'm fine :) But if filtering occurs inline on undefined criteria, then it may be of concern. That is the reason that I posted the question if anyone else had noticed that some filtering on some content is occurring.

Cheers,
Frank

Sure enough that's what happens in Aliant Bell-Sympatico land here in Eastern Canada

Of course they won't tell the end-user it would squash their demand for Phone/Net Bill upcharges with monthly anti-virus add-on charges $4.99/month

And of course there's no indication that it's turned on except when some knowledgeable user expects to receive such malware through 'regular' channels and it fails to materialize.

So Any body want to prove me wrong and send me malware ;-) cc it to my account [non [baby-canadian-Bell] supervised] realmalware at www dot dranem dot org So I know what was supposed to be sent ;-)

smenard
Re: [Full-Disclosure] Has anyone seen this in their e-mail
Steve Menard wrote:

I Suspect that it is a targeted long term attack against higher targets see the one below from march 3,2004

I saw this one the other day I thought the guys I hosted with wrote better english Suspicious from the start

From - Wed Mar 3 08:48:00 2004
X-UIDL: jJ!-ek!S[/!8c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 1000
Return-Path: [EMAIL PROTECTED]
Received: from techsp05 ([203.177.127.113]) by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455 for [EMAIL PROTECTED]; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: [EMAIL PROTECTED]
Subject: Notify about using the e-mail account.
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary=iwmrgskpbqjqjvtotrwg
X-UIDL: jJ!-ek!S[/!8c!!

--iwmrgskpbqjqjvtotrwg
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear user of e-mail server mydomain.xx,

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service. For details see the attached file. Attached file protected with the password for security reasons. Password is 55366.

Cheers,
The mydomain teamhttp://www.mydomain

--iwmrgskpbqjqjvtotrwg
Content-Type: application/octet-stream; name=TextDocument.zap
Content-Transfer-Encoding:
Content-Disposition: attachment; filename=TextDocument.zap

some zipped bad file here=

--iwmrgskpbqjqjvtotrwg--

I Forgot to mention My current email provider for this list scrubs my email without letting us know it so they can still sell us antivirus subscription service on phone bill damn capitalist buzzards

How am I supposed to get my AV samples ;-) [change list email addresses steve] :-D
Re: [Full-Disclosure] Has anyone seen this in their e-mail
Aschwin Wesselius wrote:

On Tue, 2004-03-09 at 01:44, Edward W. Ray wrote:

This e-mail was addressed to my mail server. It even looked authentic, but since my mail server never sends me zip attachments I thought it strange. Please be careful when opening. The zip file contains an executable, and I would assume it is some kind of virus or worm. Has anyone else seen something similar?

Regards,
Edward W. Ray

Yeah, this looks like one I've got yesterday too. The message was different and even the password was different (clever virus-writer huh). I bet it is a Bagle.Gen-zippwd (who gives them names actually?) sort of worm, but am not sure. I dare not to open it at all. At least my ClamAssassin fetched it and sorted it into my Virus folder. This means that ClamAV (for Linux) recognizes it as a worm/virus

Kind regards,
Aschwin Wesselius

I Suspect that it is a targeted long term attack against higher targets see the one below from march 3,2004

I saw this one the other day I thought the guys I hosted with wrote better english Suspicious from the start

From - Wed Mar 3 08:48:00 2004
X-UIDL: jJ"!-ek"!S[/"!8c!!
X-Mozilla-Status: 1001
X-Mozilla-Status2: 1000
Return-Path: [EMAIL PROTECTED]
Received: from techsp05 ([203.177.127.113]) by changed.not (8.10.2/8.9.3) with SMTP id i23CZqe08455 for [EMAIL PROTECTED]; Wed, 3 Mar 2004 08:35:53 -0400
Date: Wed, 03 Mar 2004 20:43:45 +0800
To: [EMAIL PROTECTED]
Subject: Notify about using the e-mail account.
From: [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="iwmrgskpbqjqjvtotrwg"
X-UIDL: jJ"!-ek"!S[/"!8c!!

--iwmrgskpbqjqjvtotrwg
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Dear user of e-mail server "mydomain.xx",

Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service. For details see the attached file. Attached file protected with the password for security reasons. Password is 55366.

Cheers,
The mydomain teamhttp://www.mydomain

--iwmrgskpbqjqjvtotrwg
Content-Type: application/octet-stream; name="TextDocument.zap"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="TextDocument.zap"

some zipped bad file here=

--iwmrgskpbqjqjvtotrwg--
Re: [Full-Disclosure] Dig SCO?
they have moved to www.thescogroup.com

Here is their Partner Alert from Monday AM ;-)

From - Mon Feb 2 10:00:48 2004
X-UIDL: -==-=-=-=-=-=-=-=-=-=-=-
X-Mozilla-Status: 0001
X-Mozilla-Status2:
Return-Path: [EMAIL PROTECTED]
Received: from om-thescogroup.rgc3.net ([66.35.244.29]) by simmts1-srv.bellnexxia.net (InterMail vM.5.01.06.05 201-253-122-130-105-20030824) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED]; Mon, 2 Feb 2004 08:09:02 -0500
Received: by om-thescogroup.rgc3.net id XX; Mon, 2 Feb 2004 05:09:02 -0800 (envelope-from [EMAIL PROTECTED])
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Date: Mon, 2 Feb 2004 05:09:02 -0800
From: SCO Partner Program [EMAIL PROTECTED]
Reply-To: SCO Partner Program [EMAIL PROTECTED]
Subject: SCO Partner Alert - MyDoom and Novarg Work-Arounds
X-cid: caldera..X
To: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]

SCO Partner Alert:

* Mydoom or Novarg Virus Work-arounds
* Mirrored availability of SCO Web site at http://www.thescogroup.com

As you are probably aware, on Monday, January 26, a computer virus called Mydoom (Network Associates' name) or Novarg (Symantec's name) spread quickly across the Internet. Antivirus companies have determined that this worm is coded such that computers infected with the Mydoom variant are set to conduct a distributed denial of service (DDOS) attack against www.sco.com from February 1 - 12.

In short, the virus is activated when users open an innocent-looking e-mail message that contains an attached program file (with a .bat, .cmd, .exe, .pif, .scr, or .zip extension) which then accesses the user's e-mail address book and sends itself to all of that user's contacts. The offending e-mail message usually arrives with a subject line such as Test, Hi, or Mail Transaction Failed.

The SCO Group boldly condemns this latest action, and is taking several active steps to fight against acts of cyber-terrorism such as that launched by the creator(s) of the Mydoom virus.

* On January 27, SCO announced that we are offering a reward of up to a total of $250,000 for information leading to the arrest and conviction of the individual(s) responsible for creating the Mydoom virus.
* SCO is working closely with U.S. law enforcement authorities including the U.S. Secret Service and the Federal Bureau of Investigation (FBI) to determine the identity of the Mydoom creator(s)
* SCO is launching a mirrored Web site (which will provide all of the information currently available at www.sco.com) to continue business as usual with partners and customers - see http://www.thescogroup.com

As a valued SCO Solution Provider, your uninterrupted, successful SCO UNIX business is important to us. If you are unable to connect to the information or resources that you need during the targeted dates of the Mydoom virus, please contact SCO right away. For general issues, you can call 1-800-SCO-UNIX or e-mail SCO at [EMAIL PROTECTED] For sales specific concerns, you can call our Inside Sales team at 1-800-726-6561.

Thank you for your continued support,

Darl McBride
President CEO
The SCO Group
Re: [Full-Disclosure] Outlook Express - is this possible?
Gregh wrote:

I may just be confusing myself here so bear with me:

I believe an exploit cropped up within the last 12 months or so for OE (version unknown) where the user has preview pane OFF and receives an email that he doesn't actually double click on to open. However, in deleting it, the user either web bugs himself or puts some sort of exploit in.

I can't remember whether I am confusing myself with more than one issue here but can anyone help. Did that happen, was it possible at one stage or possible now? I believe the act of deleting something from the inbox is just a marker change in OE to show it in deleted rather than inbox and not a program run per se.

=-=-=-=-=-=-=-=--=-=-

best guess option in preferences Reply to messages in format they were sent hence webbugs

as follow-up to my earlier ...

Unaware of any such exploit. but there are a few settings we should check. the mail would need to be processed and its contents triggered something

I'd suggest checking out the read receipt. since it grabs [our untrusted input] our return email addr not done any testing though

Maybe it has something to do about auto - answering. ala Receipt-required flags

I've seen when people had read, and allowed read receipt read, disallowed receipt deleted without reading. and sender got notified DOH

Next I'll have to remember which others may apply if attachments are downloaded with email s ... my attachments directories were filled largeattachments

smenard
Re: [Full-Disclosure] gcc: Internal compiler error: program cc1 got fatal signal 11
RH 8

[EMAIL PROTECTED] steve]$ uname -a
Linux localhost.localdomain 2.4.20-28.8 #1 Thu Dec 18 12:53:39 EST 2003 i686 i686 i386 GNU/Linux
[EMAIL PROTECTED] steve]$ gcc --version
gcc (GCC) 3.2 20020903 (Red Hat Linux 8.0 3.2-7)
Copyright (C) 2002 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
[EMAIL PROTECTED] steve]$ echo 'int main(void) { printf("%c","msux"[0xcafebabe]); }' > ./gcc-crash.c
[EMAIL PROTECTED] steve]$ cat ./gcc-crash.c
int main(void) { printf("%c","msux"[0xcafebabe]); }
[EMAIL PROTECTED] steve]$ gcc ./gcc-crash.c
[EMAIL PROTECTED] steve]$ ls -alrt ./a.out
-rwxrwxr-x 1 steve steve 9882 Jan 8 22:41 ./a.out
[EMAIL PROTECTED] steve]$ ./a.out
Segmentation fault
[Full-Disclosure] Re: AIM Password theft
windows 2000 professional all patches

kaboom: not only was wmplayer overwritten..with text.. but IE 6 DIED .. then launched a command window command prompt labelled 'C:\PROGRA~1\WINDOW~1\wmplayer.exe' followed quickly by ...

--dialog box--
16-bit MS-DOS Subsystem
C:\PROGRA~1\WINDOW~1\wmplayer.exe
the NTVDM CPU has encountered an illegal instruction.
CS:0544 IP:01CC OP:63 68 65 2F 31
Choose 'Close' to terminate the application.
[close] [ignore]

yikes

[EMAIL PROTECTED] wrote:

!-- Out of curiosity I followed that link which loaded start.html (attached). --

Caution: off-site archives will and have already stored this as: text/plain attachment: start.txt

Tested on neohapsis [http://archives.neohapsis.com/archives/bugtraq/2003-09/0375.html]

Due to the 'never-addressed-mime-issue' of Internet Explorer reading even dog poo as html, opening start.txt will effect the exploit partially.

Namely: C:\Program Files\Windows Media Player\wmplayer.exe will be overwritten by simply viewing the attached text file.

It is apparent the original intended payload .exe is no longer at the location, but the wmplayer.exe is still overwritten with a 1KB wmplayer.exe containing the following:

!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN
HTMLHEAD
TITLE404 Not Found/TITLE
/HEADBODY
H1Not Found/H1
The requested URL /eg/1.exe was not found on this server.P
HR
ADDRESSApache/1.3.26 Server at onway.net Port 80/ADDRESS
/BODY/HTML