[Full-Disclosure] Re: Increased port 135 activity

2003-09-22 Thread Richard Johnson
In article <[EMAIL PROTECTED]>, Paul Tinsley <[EMAIL PROTECTED]> wrote: > most if not all of the spikes on that graph can be mapped to a > worm/virus that was discovered around the same time. The current port 135 activity appears to be both heavy and more narrowly targeted than a recent (typi

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread David Hoelzer
Dude... Reading your inane posts helps me to better understand why you feel that sticking an "A+" cert in your signature will make us think you have a clue. On 9/22/03 10:04 AM, "security snot" <[EMAIL PROTECTED]> wrote: > I just finished reading Phrack 62's article on Sneeze, and some of th

[Full-Disclosure] ColdFusion cross-site scripting security vulnerability of an error page

2003-09-22 Thread sec
ColdFusion cross-site scripting security vulnerability of an error page >> The outline of vulnerability Macromedia's ColdFusion can display the various information about an error at the time of error occurred. There is information transmitted from a client machine like "Referer". ColdFusion disp

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Blue Boar
security snot wrote: The "code audit" that you guys did to make sure nothing was backdoored was quite thorough too, considering since then remote bugs in Snort have been published. If you can't even spot the vulnerable code you introduce into your source tree by accident, how can you definitively

Re: [Full-Disclosure] p63: Call for Articles!

2003-09-22 Thread Joshua Levitsky
On Sep 22, 2003, at 11:49 PM, Phrack Staff wrote: Phrack Magazine, the ONE AND ONLY REAL AND ACTIVE HACKER MAGAZINE is sending out a call for articles for p63!!! Guess you never heard of http://www.2600.org ? Last I checked Eric / Emmanuel was still in business. I'm all for a good hacker mag,

Re: [Full-Disclosure] New Hacking Zine: p62 (formatting corrected)

2003-09-22 Thread Valdis . Kletnieks
On Tue, 23 Sep 2003 07:46:20 +0545, npguy <[EMAIL PROTECTED]> said: > trust http://www.phrack.org! How do we know it hasn't been hacked and a bogus issue put up, or a real issue suppressed? (this is where everybody who's not familiar with it should go re-read Ken Thompson's "Reflections on Trus

[Full-Disclosure] p63: Call for Articles!

2003-09-22 Thread Phrack Staff
Phrack Magazine, the ONE AND ONLY REAL AND ACTIVE HACKER MAGAZINE is sending out a call for articles for p63!!! Acceptable are: all REAL HACKING articles! This also includes anarchy/destruction/phones/etc. No whitehat crap whatsoever! Also acceptable are funny irc logs, hacklogs (preferably wi

Re: [Full-Disclosure] New Hacking Zine: p62 (formatting corrected)

2003-09-22 Thread Peter Bruderer
On Tuesday 23 September 2003 02:04, Phrack Staff wrote: > How the hell can people make the claim that p62 is "fake" or a "hoax"? > Exactly what part of the magazine is "fake" ? If you write Mercedes-Benz on your car it is no Benz. Maybe it is a real car but no Benz. brudy

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Ng Pheng Siong
On Mon, Sep 22, 2003 at 08:53:33PM -0400, Geoincidents wrote: > So bust them at it. Setup some email that is unguessable, send an email to > [EMAIL PROTECTED] and if your unguessable address gets spammed ^ [EMAIL PROTECTED] ;-) > you know they did it. If a number of folks here do that and

Re: [Full-Disclosure] New Hacking Zine: p62

2003-09-22 Thread Jonathan A. Zdziarski
Personally, I wouldn't trust _any_ pair of breasts to be a reliable source of security-related information. On Mon, 2003-09-22 at 21:16, Cael Abal wrote: > [EMAIL PROTECTED] wrote: > > How the hell can people make the claim that p62 is "fake" or a "hoax"? > > Exactly what part of the magazine is "

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Paul Schmehl
--On Monday, September 22, 2003 2:13 PM -0700 security snot <[EMAIL PROTECTED]> wrote: "Detect intrusions" - if you can set an IDS signature for something, then you shouldn't be vulnerable to it. So the functionality of IDS is to tell you when you've been compromised by six-month old public vuln

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Valdis . Kletnieks
On Mon, 22 Sep 2003 21:37:33 BST, Dan Rowles said: > But why they wait until the DATA command is a total mystery to me. It > seems much more logical to bounce the message after the RCPT TO: > command. The cynic in me notes that the RFC2822 From/To/CC can be different from the RFC2821 MAIL FROM/R

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Valdis . Kletnieks
On Mon, 22 Sep 2003 14:13:44 PDT, security snot said: > "Detect intrusions" - if you can set an IDS signature for something, then > you shouldn't be vulnerable to it. So the functionality of IDS is to tell > you when you've been compromised by six-month old public vulnerabilities > that dvdman has

Re: [Full-Disclosure] New Hacking Zine: p62 (formatting corrected)

2003-09-22 Thread npguy
trust http://www.phrack.org! ___ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Tom_Gordon/RISE/HIDOE
What about the "'Flexible Response' code, that allows you to cancel hostile connections on IP-level when a rule matches."? Say I want to not allow any packets on port 25 to have ".scr" in plain text. I write the rule and it gets prevented. Isn't this preventive? > Intrusion Detection syste

Re: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new

2003-09-22 Thread David
Bassett, Mark wrote: And just to make the whole thing a little funnier, they've decided not to resolve verisignsucks.com anymore =) $ host verisignsucks.com Host verisignsucks.com not found: 2(SERVFAIL) Verisignsucks.com has been registered since 2000, so I doubt it'll be hitting the wildcard r

Re: [Full-Disclosure] Verisign "responds"

2003-09-22 Thread Gregory A. Gilliss
Feh indeed! Jesus! I can't believe I'm reading this ... fluff! I was in London and Rhythms and AmerNet were pulling the plugs on their DSL services in the US. Russell Lewis was the person that I spoke with who helped me get my domains in order (after I'd had the trans-oceanic run-around from vari

Re: [Full-Disclosure] New Hacking Zine: p62

2003-09-22 Thread Cael Abal
[EMAIL PROTECTED] wrote: How the hell can people make the claim that p62 is "fake" or a "hoax"? Exactly what part of the magazine is "fake" ? Exactly! Just like Britney Spears' breasts, p62 is "real". That is, not otherworldly. Yet, also like Britney Spears' breasts, I fear I would get in quit

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Geoincidents
- Original Message - > Right now they take in the address of who you are sending to and who is > sending. What a wonderful way to collect valid email addresses. First > the MAIL FROM will be a correct address most of the time. The RCPT TO > will be wrong 100% of the time, but they could e

Re: [Full-Disclosure] Verisign "responds"

2003-09-22 Thread Geoff Shively
Disappointing: "As to your call for us to suspend the service, I would respectfully suggest that it would be premature to decide on any course of action until we first have had an opportunity to collect and review the available data. " Cheers, Geoff Shively, CHO PivX LABS Office: 949.720.4628 M

[Full-Disclosure] New Hacking Zine: p62

2003-09-22 Thread [EMAIL PROTECTED]
How the hell can people make the claim that p62 is "fake" or a "hoax"? Exactly what part of the magazine is "fake" ? 1. All logged/sniffed AIM/IRC conversations are 100% real and unmodified. 2. All logs of people's home dirs/w/who output, etc were 100% real and unmodified. 3. REAL working code to prot

[Full-Disclosure] Verisign "responds"

2003-09-22 Thread J. Race
feh. http://www.icann.org/correspondence/lewis-to-twomey-21sep03.htm -jim

[Full-Disclosure] New Hacking Zine: p62 (formatting corrected)

2003-09-22 Thread Phrack Staff
How the hell can people make the claim that p62 is "fake" or a "hoax"? Exactly what part of the magazine is "fake" ? 1. All logged/sniffed AIM/IRC conversations are 100% real and unmodified. 2. All logs of people's home dirs/w/who output, etc were 100% real and unmodified (except for some dates e

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Joshua Levitsky
On Sep 22, 2003, at 6:45 PM, Jonathan A. Zdziarski wrote: Synchronize your watches, and tomorrow morning everyone send a 100MB attachment to someone at lkfjwlfkewjflwef.com. Almost as much fun as flushing all the toilets in the dorm at 2am :) Would be a fun experiment if everyone on the list did

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Joshua Levitsky
On Sep 22, 2003, at 7:50 PM, Richard M. Smith wrote: I don't think the Verisign SMTP server would suffer. Since it rejects incoming messages before the message body and attachments are sent. Darn it. Another approach might be to start selling CD's with 30 million email addresses for spamming that

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Nate Hill
On Mon September 22 2003 19:13, Richard M. Smith wrote: > Hello, > > Does anyone know why Verisign has set up a fake SMTP server at > their SiteFinder service to bounce email messages sent to > misspelled or expired domain names? The fake SiteFinder SMTP > server gives the impression that it is a

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Jeffrey . Stebelton
"if you can set an IDS signature for something, then you shouldn't be vulnerable to it. Useless." I don't know what kind of company you do security for, but mine has these prevalent security holes, also known as users. My IDS not only looks for the external attacks, the guy banging away at m

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Florin Andrei
On Mon, 2003-09-22 at 14:13, security snot wrote: > "Detect intrusions" - if you can set an IDS signature for something, then > you shouldn't be vulnerable to it. So the functionality of IDS is to tell > you when you've been compromised by six-month old public vulnerabilities > that dvdman has fin

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread pdt
So I hate to bring this up but this comment is borderline on the idiotic side... A quick google search on the meaning of IDS would have explained to you what IDS means. In case that isn't something you are versed in I have done the hard work for you: http://www.sans.org/resources/idfaq/what_is_id.

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Jonathan A. Zdziarski
Synchronize your watches, and tomorrow morning everyone send a 100MB attachment to someone at lkfjwlfkewjflwef.com.

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Joshua Levitsky
On Sep 22, 2003, at 6:02 PM, Joshua Thomas wrote: > But why they wait until the DATA command is a total mystery to me. It > seems much more logical to bounce the message after the RCPT TO: > command. To read our mail? They will read our mail when they accept the DATA command and all a

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Damian Gerow
On Mon, 22 Sep 2003, Pamela Patterson wrote: > If they had no mail server there at all, mail sent to non-existent > domains would sit in limbo as the upstream machine tried to deliver it > to the Verisign machine. How many times it would try and how long it > would wait would depend on the MTA con

[Full-Disclosure] Re: OpenSSH - is X-Force really behind this?

2003-09-22 Thread Steven M. Christey
Michal Zalewski said: >What I find perplexing is the fact ISS was not credited by any major >player reporting the vulnerability - OpenSSH team, CERT, CVE, Red Hat, >you name it. As I have discussed in previous posts, MITRE occasionally distributes "blank" candidates to Candidate Naming Authoriti

RE: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Brown, Rodrick
There are many situations where IDS's are your only audit trail long after your system has been compromised. Sort of like video surveillance for network security. .. Rodrick R. Brown - Systems Engineer.. .. Open Systems Group (718) 403-6760

RE: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Joshua Thomas
> But why they wait until the DATA command is a total mystery to me. It > seems much more logical to bounce the message after the RCPT TO: > command. To read our mail? By the way, looks like they switched to Po

RE: [Full-Disclosure] Verisign abusing .COM/.NET monopoly, BIND releases new

2003-09-22 Thread Bassett, Mark
And just to make the whole thing a little funnier, they've decided not to resolve verisignsucks.com anymore =) $ host verisignsucks.com Host verisignsucks.com not found: 2(SERVFAIL) $ host verisignsucksdonkeyballs.com verisignsucksdonkeyballs.com has address 64.94.110.11 verisignsucksdonkey

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Frank Knobbe
On Mon, 2003-09-22 at 14:23, Peter Busser wrote: > The problem with IDS systems is the same problem that currently available > virus scanners have: They work reactive and not proactive. > > Making machines harder to break into and improve ways to enforce a security > policy (e.g. by using Mandator

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread security snot
"Detect intrusions" - if you can set an IDS signature for something, then you shouldn't be vulnerable to it. So the functionality of IDS is to tell you when you've been compromised by six-month old public vulnerabilities that dvdman has finally gotten his hands on an exploit for, that you never bo

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Brent J. Nordquist
On Mon, 22 Sep 2003, Richard M. Smith <[EMAIL PROTECTED]> wrote: > Does anyone know why Verisign has set up a fake SMTP server at their > SiteFinder service to bounce email messages sent to misspelled or > expired domain names? Yeah; it's outlined in their "best practices" document. Here's the e

Re: [Snort-users] RE: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

2003-09-22 Thread Daniele Muscetta
On Mon, 2003-09-22 at 19:11, Matt Schillinger wrote: > On Mon, 2003-09-22 at 08:01, Daniele Muscetta wrote: [...] > > SNORT, which is actually the ONLY free thing available in the IDS > > landscape (and moreover IT IS such a GREAT product !). > Just so the facts are straight, Prelude-IDS is also Op

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Michal Zalewski
On Mon, 22 Sep 2003, Richard M. Smith wrote: > Does anyone know why Verisign has set up a fake SMTP server at their > SiteFinder service to bounce email messages sent to misspelled or > expired domain names? Because otherwise, all the mail traffic would sit in the queues for days before being bou

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread fulldisclosure
They put a bogus SMTP server in place since most MTA's are designed to fall back to an A record for the domain if no MX records can be found. So if they didn't put up the SMTP server then mail would sit in the MTA's queue waiting for delivery until it finally timed out as undeliverable (which on

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Damian Gerow
Thus spake Richard M. Smith ([EMAIL PROTECTED]) [22/09/03 16:24]: > Does anyone know why Verisign has set up a fake SMTP server at their > SiteFinder service to bounce email messages sent to misspelled or > expired domain names? The fake SiteFinder SMTP server gives the > impression that it is a r

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Pamela Patterson
On Mon, 2003-09-22 at 15:13, Richard M. Smith wrote: > I've attached an early email from Verisign that gives a bit more > information about how this fake SMTP server operates but not why it is > needed. If they had no mail server there at all, mail sent to non-existent domains would sit in limbo

Re: [Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Dan Rowles
I believe they're trying to save bandwidth and minimise (further) annoyance. If a mail server can't connect to a server to deliver mail, it will keep on retrying until some timeout (which is likely to be a few days). The effect of this would be that you wouldn't get DSN failure notifications until

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Peter Busser
Hi! > Intrusion Detection systems are designed to detect intrusions. Period. > No one AFAIK has yet developed the Intrusion Prediction system. If you > have an alpha version lying around, pls respond with a link. I'm sure > that you will quickly be deluged with download requests =;^) Systems with

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Gregory A. Gilliss
Peter: Intrusion Detection systems are designed to detect intrusions. Period. No one AFAIK has yet developed the Intrusion Prediction system. If you have an alpha version lying around, pls respond with a link. I'm sure that you will quickly be deluged with download requests =;^) Reactive is the n

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Shawn McMahon
On Mon, Sep 22, 2003 at 09:23:52PM +0200, Peter Busser said: > > The problem with IDS systems is the same problem that currently available > virus scanners have: They work reactive and not proactive. So does a hammer. -- Shawn McMahon | Let every nation know, whether it wishes us well or i

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread james
- Original Message - From: "security snot" <[EMAIL PROTECTED]> : You are a security expert, right? : All I can say is snot is in my kill file now.

Re: [Full-Disclosure] Fake Microsoft update e-mail

2003-09-22 Thread Todd T. Fries
Starting last Thursday evening, yes. Quite annoying, as they're usually around 150k in size. MailScanner makes short work of them though ;-) -- Todd Fries .. [EMAIL PROTECTED] Free Daemon Consulting, LLCLand: 405-748-4596 http://FreeDaemonConsulting.com Mobile:

[Full-Disclosure] VeriSign's fake SMTP server for SiteFinder

2003-09-22 Thread Richard M. Smith
Hello, Does anyone know why Verisign has set up a fake SMTP server at their SiteFinder service to bounce email messages sent to misspelled or expired domain names? The fake SiteFinder SMTP server gives the impression that it is a real SMTP server and happily accepts "To" and "From" email addresse

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Peter Busser
Hi! > > 3) Why the fuck do people still think signature-based IDS is worthwhile? > Give us another solution. Are you saying anomaly based ids signatures are > _worthwhile_? The problem with IDS systems is the same problem that currently available virus scanners have: They work reactive and not pr

Re: [Full-Disclosure] Fake Microsoft update e-mail

2003-09-22 Thread Joshua Levitsky
On Sep 22, 2003, at 12:49 PM, Fabio Gomes de Souza wrote: Are you receiving lots of fake Microsoft fancy HTML e-mails claiming that the attached file is an urgent update? http://www.sarc.com/avcenter/venc/data/[EMAIL PROTECTED] -- Joshua Levitsky, CISSP, MCSE, EMTD System Engineer Time Warner

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread daniel uriah clemens
Dear security snot, > I just finished reading Phrack 62's article on Sneeze, and some of the > threads here concerning the matter, and I must admit that I am bothered by > some of the responses. There is nothing I hate quite as much as vendors > who lie to their customers, except perhaps vendors

Re: [Full-Disclosure] Fake Microsoft update e-mail

2003-09-22 Thread Fabio Gomes de Souza
Thank you all! I figured it out just before my message was effectively posted. Shame on me. :) Fabio Gomes de Souza wrote: Guys, Are you receiving lots of fake Microsoft fancy HTML e-mails claiming that the attached file is an urgent update? Regards, Fabio

Re: [Full-Disclosure] OpenSSH - is X-Force really behind this?

2003-09-22 Thread Michal Zalewski
On Mon, 22 Sep 2003 [EMAIL PROTECTED] wrote: > Charles Darwin and Alfred Wallace independently came up with > the concept of natural selection. The cycle of a vulnerability from discovery to publication (or leak) is probably around two weeks to one month on average, which is a fairly short timefr

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread security snot
Marty, You failed to address the other points. If your shell server was compromised, and people were logging into sourcefire boxes from it (as the log shows, my friend!) then what prevented them from abusing the access to your shellbox to gain access to your corporate machines? The "code audit"

[Full-Disclosure] Fake Microsoft update e-mail

2003-09-22 Thread Fabio Gomes de Souza
Guys, Are you receiving lots of fake Microsoft fancy HTML e-mails claiming that the attached file is an urgent update? Regards, Fabio

Re: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

2003-09-22 Thread Andreas Marx
Hi! If someone on the list is still thinking that Snort is backdoored and Sourcefire compromised, please read this stuff if you can read German language: Gefälschtes Phrack-Magazin stiftet Verwirrung http://www.heise.de/newsticker/data/pab-22.09.03-000/ To make it short: This phrack issue is FAK

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Valdis . Kletnieks
On Mon, 22 Sep 2003 07:04:04 PDT, security snot <[EMAIL PROTECTED]> said: > 1) If the intrusion were limited to a single "shellbox" then why did they > need to audit the code in CVS to see if it was backdoored? Would you rather they just said "Oh, since we *KNOW* the intrusion was only on one sh

Re: [Full-Disclosure] Is Marty Lying?

2003-09-22 Thread Martin Roesch
I'm not going to engage in tit-for-tat on this stuff, so let me get right to it. stupid to think independently to arrive to a conclusion to what most likely did happen with the Snort.org compromise. Snort.org wasn't compromised, a shell server was. Some good questions are: 1) If the intrusion we

Re: [Full-Disclosure] OpenSSH - is X-Force really behind this?

2003-09-22 Thread Valdis . Kletnieks
On Mon, 22 Sep 2003 12:06:03 +0200, Michal Zalewski said: > ...why would there be any exploits in the wild if they have > indeed discovered the flaw on their own? Though I'm trying > really hard, I can't read "we discovered a flaw" as "we have > overheard about a flaw" or "we are a

Re: [Full-Disclosure] Does anybody have any more information?

2003-09-22 Thread darkcube
On Sun, 21 Sep 2003 [EMAIL PROTECTED] wrote: > In my projects, I was hoping to find plan9 shellcode. The p62 article > (http://www.phrack.nl/phrack62/p62-0x09.txt) provides a good start, but > it is not quite enough for what I want to do (bind a port to execute rc). > Does anybody have any more

RE: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

2003-09-22 Thread Daniele Muscetta
> I knew it wasn't true :-) Yeah, me too, it smelled very fishy as from the beginning. What's even worse is that this kind of FAKE full-disclosure actually does not even target the security industry it SAYS it wants to target... These "supposedly dangerous" blackhat do not even behave the way

[Full-Disclosure] Is Marty Lying?

2003-09-22 Thread security snot
I just finished reading Phrack 62's article on Sneeze, and some of the threads here concerning the matter, and I must admit that I am bothered by some of the responses. There is nothing I hate quite as much as vendors who lie to their customers, except perhaps vendors that are too stupid to realiz

Re: [Full-Disclosure] Re: idea

2003-09-22 Thread Chris Anley
There isn't much, apart from obscurity. Reordering cyphertext blocks might help a little in crypto terms, since there's then a pretty large number of potential arrangements (the factorial of the number of blocks) but you'd have to work the arrangement you were using into a key somehow, and use som

[Full-Disclosure] OpenSSH - is X-Force really behind this?

2003-09-22 Thread Michal Zalewski
Now that the hype is over, I have a question. Would anyone happen to know what's the origin of the OpenSSH buffer allocation stuff? The reason I'm asking is a claim made by X-Force at ISS: http://xforce.iss.net/xforce/alerts/id/144 "ISS X-Force has discovered a flaw in the OpenSSH server devel

[Full-Disclosure] Re: Snort and SourceFire "Backdoored"

2003-09-22 Thread whatthefukever
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You know what's ironic about this? Maybe snort.org wasn't owned (ha! for the sake of argument now) but we know that some affiliated machines were indeed 0wn3d. Wait a minute I said the plural of 'machine' now didn't I BMC? Chough cough. Oh, that wasn't

RE: [Full-Disclosure] Snort not backdoored, Sourcefire not compromised

2003-09-22 Thread Exibar
I knew it wasn't true :-) Although I did think the phrack 62 was real until I actually took the time to read some of it after getting some sleep. I even sent the sneeze article to my IDS guru, talk about having egg on my face for a bit, he'll rag on me for a few days due to this! Thanks for

[Full-Disclosure] Re: [Snort-users] Snort and SourceFire "Backdoored"

2003-09-22 Thread Richard DeYoung
Now for a somewhat different perspective on the whole thing I guess now that we have this incident validated as positively true from the main Snort/SourceFire IT person, it lends a lot of credibility to the Snort/SourceFire "backdoor" rumor. Hmmm. So, "guess"+"validated"+"positively true

Re: [Full-Disclosure] Symantec wants to criminalize security info sharing

2003-09-22 Thread Nate Hill
On Sat September 20 2003 23:55, Richard M. Smith wrote: > My understanding is that most of the spammers are selling pirated > versions of Norton. Symantec has every incentive to shut these > spammers down. What ship did they steal them from?

[Full-Disclosure] [RHSA-2003:243-01] Updated Apache and mod_ssl packages fix security vulnerabilities

2003-09-22 Thread bugzilla
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Red Hat Security Advisory Synopsis: Updated Apache and mod_ssl packages fix security vulnerabilities Advisory ID: RHSA-2003:243-01 Issue date:

[Full-Disclosure] [RHSA-2003:256-01] Updated Perl packages fix security issues.

2003-09-22 Thread bugzilla
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 - - Red Hat Security Advisory Synopsis: Updated Perl packages fix security issues. Advisory ID: RHSA-2003:256-01 Issue date:2003-09-22 Update

[Full-Disclosure] dtors sell out ( phrack#62 )

2003-09-22 Thread morning_wood
http://www.phrack.nl/phrack62/p62-0x06.txt Well, we are here to fully disclose, that indeed b0f did sell dtors warez to iDefense. b0f did receive 300 dollars in his paypal account ([EMAIL PROTECTED]) on March 4th, 2003. anyone want a copy of proof of payment to a dtors member?? or unreleased explo

RE: [Full-Disclosure] Re: new openssh exploit in the wild! *isFAKE AS SH@!*

2003-09-22 Thread Adam Balogh
Adam wrote: > Probably a scriptkiddie or some random idiot. The fun part > was it came up totally different offsets then I mean TOTALLY > different each time you ran it and if you gave it an offset it > would "work" no matter what. For those people who ran it.. > change all your > passwords. :

Re: [Full-Disclosure] Does anybody have any more information?

2003-09-22 Thread morning_wood
> In my projects, I was hoping to find plan9 shellcode. The p62 article > (http://www.phrack.nl/phrack62/p62-0x09.txt) provides a good start, but > it is not quite enough for what I want to do (bind a port to execute rc). http://www.phrack.nl/phrack62/p62-0x02.txt - snip --- its l