On Tue, 29 Jul 2003, Andy Wood wrote:
You're absolutely kidding, right? Downtime doesn't equate to $$$? How
wrong can that mentality be? I've seen it first hand without a worm
(well, a worthless admin...the same destructive tendencies as a
worm) one system down costing over a hundred
Your questions are intriguing. Anyone who answers the first yes can't answer
any of the others.
I subscribed to bugtraq before this list was created. Then it was bought up
and posts started getting dropped. My own posts were dropped without reason
(in some cases they cleared up FUD, which is
-Original Message-
From: Jason [mailto:[EMAIL PROTECTED]
Sent: 29 July 2003 18:15
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Avoiding being a good admin - was DCOM RPC exploit (dcom.c)
[snip]
It can be done and it is hard and it could be expensive but the
alternative is
- Forwarded message from Last Stage of Delirium [EMAIL PROTECTED] -
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Authentication-Warning: ix.put.poznan.pl: lsd owned process doing -bs
Date: Tue, 29 Jul 2003 23:57:48 -0700
From: Last Stage of Delirium [EMAIL PROTECTED]
i think the severity of the RPC exploit cannot be diminished.. this is the
worst remote root compromise i have ever seen and i am literally screaming
at everyone i know to patch ASAP. the thought of media attention sounded
plausible.. this should be on the nightly news for the next 2 days minimum.
On Tue, Jul 29, 2003 at 10:29:21PM -0400, Len Rose wrote:
There were about 10 messages (some delayed as much as 5 hours)
that were languishing in the moderation queue because they were
sent from folks who didn't post using their subscribed-from address.
As a followup I'd also like to mention
On Tue, 29 Jul 2003, Schmehl, Paul L wrote:
Anyone else know what the last column of the output means?
i.e. '5.6' or '0.0'?
I've been playing with the underlying RPC calls a bit, which make me think
that maybe it's the 'COMVERSION' structure that's returned in the
'ServerVersion' parameter of
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Ron DuFresne
Sent: Wednesday, 30 July 2003 8:51 a.m.
To: [EMAIL PROTECTED]
Cc: Jason; [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] Avoiding being a good admin - was DCOM RPC exploit (dcom.c)
Hash: SHA1
holos F D SUBS,
i must give a little talk about the like of the list - -
AMEN!
Well put. I do not think that pure oxford english could have expressed it
any better.
(or any well put, or )
___
Full-Disclosure - We believe in it.
please find the attached log for the aid in developing IDS detection /
scanners for the RPC vulnerability
etc.. have phun..
Donnie Werner
http://e2-labs.com
http://exploitlabs.com
rpc-dump.log
A man named Tom once bragged:
I used nmap to scan a random /16 for systems with
port 135 open,
Then I ran the win32 binary I compiled from from
the c code posted to this list
against that list of ips.
I got 156 command prompts.
Then Donny chimed in with:
i too have experienced these
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
This is an announcement only email list for the x86 architecture.
Turbolinux Security Announcement 30/Jul/2003
The following
NT 4.0? hah, yeah I guess it still is.
I have a couple of NT servers and clients in my own lab, just for Sh*ts and
grins.
Question is?
Has anyone developed an rpc dcom vector list for NT 4.0 yet? Or better yet,
does anyone know of any tools (free or not) that can look at the processes
Along the same line read The Cuckoo's Egg by Stoll to see where a $.25
discrepancy can lead you when you have enough time and brains to dig.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
[EMAIL PROTECTED]
If you spend more on
On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
Modify the command (you need to add a trailing slash) to be the following:
LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
and try it again.
That's right, my original message had a typo, the trailing slash was
missing. Thanks
Sorry for being a little late in this discussion - was out there being a
good admin.
But vis-a-vis cost calculation caused by worm or mass-mail - i remember when
in '97 at a bank I worked at then, people found the Reply All feature in
Exchange client. It took down the network for some 5 hours,
Hi, i found these offsets after so much tiring work. Anyways, here is my first post with my proof of concept code. i tried it on my network and all worked, so please check and send me the suggestions and improvements.
thank you
Sami Anwer Dhillon
This tool is quite detectable on NT systems. Ran it against one of our
NT farms and here is the info that showed up in the NT system log
Event ID: 10003
User: n/a
Source: DCOM
Type: Error
Access denied attempting to launch a DCOM Server using
DefaultLaunchPermission
The server is:
### ThreeZee Technology, Inc. Security Advisory #TZT002 ###
Advisory: GameSpy Arcade Arbitrary File Writing
Discovered: July 26, 2003
Released: July 31, 2003
Risk:
there is no exploit code attached to your message... i too have the universal offsets for win2k and xp, wondering if we can match them... also i was informed from an associate by the handle of 'harq' that dcom is also bound to port 80
"Component Object Model (COM) Internet Services (CIS) introduces
Hi, i found these offsets after so much tiring work. Anyways, here is my first post with my proof of concept code. i tried it on my network and all worked, so please check and send me the suggestions and improvements. thank you Sami Anwer Dhillon
here it goes
POC CODE
/*++ ++ Windows RPC DCOM (POC)++
Title: DCOM RPC exploit IDS rule?
Two questions:
1) Are there IDS rules out for the DCOM RPC exploit yet?
2) If so, how much activity in the wild has anyone seen on their IDS of choice for this exploit?
Cheers,
Joshua Thomas
Network Operations Engineer
PowerOne Media, Inc.
tel:
Updated sigs for snort were released today. If you're using oinkmaster,
you can retrieve them that way.
We're not seeing any, but the ports are closed and the IDSes are behind
the firewall, so I wouldn't expect to see any. The various places I
monitor seem to indicate that activity on those
Someone just called my attention to an alleged Foundstone internal memo
advocating that Foundstone employees engage in anonymous astroturfing
to recommend Foundstone security products.
http://www.internalmemos.com/memos/memodetails.php?memo_id=1739
| If and when you come across a thread like
NetScreen IDP has it in this week's signature update, already out.
When placed in in-line mode and with a rule set to 'drop connection' it
denies the exploit before it reaches into the network.
Sorry for the corporate plug, but someone asked.
I'm not in Support, so I haven't heard from
For all those experts who have mastered patching your networks, please
ignore this post.
For the rest of you, testing has shown that some patch management tools
are incorrectly reporting that MS03-026 is installed when it's not
(notably Windows Update and Update Expert, among others.) The
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Come on Donald, settle down. You've only got a month before you head
back to middle school. Get out in the sun a bit!
Weak argument? I don't believe I made any argument at all. I was merely
questioning your obvious flair for melodramatics and asking
On 29 Jul 2003, Darren Bennett wrote:
***BEGIN RANT***
The current IT attitude is really frustrating!
A good admin is one that ENABLES services and systems to be USED by
individuals. This relatively new attitude of disable/disallow/distrust
is a bad way for the IT world to be
I thought this would be an informative list, or rather a discussion
forum. Sad to find out it is NOT.
Even though the list gets recommended by some sites, I'm just about to
drop out again and get back to more professional information sources. I
don't really care for flame wars, thanks.
Mark
Still the best defensive posture is taken at the entrance and exit points
as pertains to most all these 'services'. If the ports 135 and 1433 etc
are blocked, both tcp and udp protocols, then patching becomes far less
dramatic, even if a few machines inside get infected due to laptops or
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 355-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
July 30th, 2003
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wed, 30 Jul 2003 12:18:01 -0700 Sami Dhillon [EMAIL PROTECTED]
wrote:
Hi, i found these offsets after so much tiring work. Anyways, here
is my first post with my proof of concept code. i tried it on my
network and all worked, so please check and send
On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:
On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
Modify the command (you need to add a trailing slash) to be the following:
LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
and try it again.
this segfaults
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Cleaned up the code a bit as it was messy - well for me anyways
:)
-Original Message-
From: Stephen [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 July 2003 6:09 AM
To: [EMAIL PROTECTED]
Subject: [Full-Disclosure] Re: rpcdcom Universal
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
then forgot to attach it like a smacktard :(
- - Forwarded Message from [EMAIL PROTECTED] -
Cleaned up the code a bit as it was messy - well for me anyways
:)
-Original Message-
From: Stephen [mailto:[EMAIL PROTECTED]
Sent: