Nah... nothing happened, for example, to Foundstone after this "scandal":
http://www.fortune.com/fortune/technology/articles/0,15114,457276,00.htm
>Two - if Geer was fired as a result of the report (and only Chris or
>someone equally high up at @stake knows the truth - I invite them to
>comment
At 04:18 PM 9/25/03 -0400, Matsu Kandagawa wrote:
All the while wishing I could spit in your face.
For the life of me, I cannot fathom why people devote so
much time and mental effort to assassinating each others'
character publicly in this forum. Let's just get this
out of the way once and for al
To the skilled but flawed fake at http://www.phrack.nl/phrack62/ and
your mail Mr. Rueubens.
>
>Do any of you have anything to say about that? When you say "look for
>yourself" surely you don't mean to claim that Average Joe Admin has the
>requisite skillset and detailed knowledge necessary to spo
At 10:08 PM 9/25/2003 -0400, Jonathan A. Zdziarski wrote:
Oddly his leaving the company was effective on the 23rd, but the article
wasn't released to the general public until the 24th (at least that's
how it's dated). I wonder if he may have resigned.
Nah - I hear @stake is trying to make the firi
"Schmehl, Paul L" <[EMAIL PROTECTED]> replied to me:
> > Swen has code to locate the "Default Mail Account" under the Internet
> > Account Manager registry key then to extract the "SMTP Email Address"
> > value appropriately. This is then stored in a variable in the virus
> > that is later use
Two points:
One - Geer's name is only one of many on this report. There are seven
people's names, and all command considerable respect in the community.
Therefore I assert that the report will stand any scrutiny, and that
it has merit on its own.
Two - if Geer was fired as a result of the repo
Yep, confirmed by Internet Explorer/Google:
Daniel E. Geer, Jr., Sc.D. Chief Technology Officer.
http://www.atstake.com/company_info/dgeer.html
Object not found!
The requested URL was not found on this server. The link on the
referring page seems to be wrong or outdated. Please inform the author
Oddly his leaving the company was effective on the 23rd, but the article
wasn't released to the general public until the 24th (at least that's
how it's dated). I wonder if he may have resigned.
On Thu, 2003-09-25 at 21:45, Richard M. Smith wrote:
> Yep, confirmed by Internet Explorer/Google:
>
Don't worry, nobody's going to have that referer, except for the
partners Verisign sells advertising to. ;)
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
windows 2000 professional all patches
kaboom:
not only was wmplayer overwritten..with text..
but IE 6 DIED .. then launched a command window
command prompt labelled 'C:\PROGRA~1\WINDOW~1\wmplayer.exe'
followed quickly by ...
--dialog box--
16-bit MS-DOS Subsystem
C:\PROGRA~1\WINDOW~1\wmplaye
Sure enough, this works under most of the browsers I've tried, and at
least shows the pitfalls of not cutting your session cookies short, or at
least periodically killing, at least, login cookies. Damn, even Microsoft
does a better job of it. Dotster and others don't seem to have this
problem with
They are going to need to update Dan Geer's title in the report...
Microsoft critic loses job over report
http://www.msnbc.com/news/971914.asp?0si=-
Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
htt
This was released yesterday just incase nobody noticed.
http://www.ccianet.org/papers/cyberinsecurity.pdf
Among the authors are Bruce Schneier, Dan Geer, and Charles Pfleeger.
Interesting read.
We have seen a number of infections of Nachi/Welchia on patched systems. Was
told that the MS03-026 patch was only 60% effective, so you still had a 1 in 3
chance of being infected. Apparently the MS03-039 patch fixes the entire
vulnerability and not just some of it. We reinforced the rule for
> -Original Message-
> From: Nick FitzGerald [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 25, 2003 5:05 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [Full-Disclosure] Swen Really Sucks
>
> Swen has code to locate the "Default Mail Account" under the Internet
> Account Manager regis
> Would you know any good DBSBLs?
Be _very_ careful with some of these. I know one in particular, Osirus
Relays (relays.osirusoft.com), makes it just about impossible to get off
their list once you're on, meaning you risk blackholing legitimate
traffic. To get off this list, they require you email
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Thursday 25 September 2003 08:23, SoloNet Newsfeed wrote:
> The example format that Verisign uses which allows for login-less access
> to the account administration (which, back in the good old days,
> required e-mail verification, Crypt-PW or eve
-BEGIN PGP SIGNED MESSAGE-
From: Schmehl, Paul L (pauls_at_utdallas.edu)
Date: Sep 25 2003
>One more in the idiot bin
The fact that the best you can do is call me an idiot for having the
temerity to raise deadly serious issues says a lot more about you than
it does me. It might be okay
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Curt Purdy
> Sent: Friday, 26 September 2003 2:57 a.m.
> To: 'Jordan Wiens'; 'GARCIA Lionel'
> Cc: 'Full-Disclosure (E-mail)'
> Subject: Re: [Full-Disclosure] What about astalavista.net
>
>
> The
Paul Johnson wrote:
Am getting a Distributed (several diverse net blocks) and fair quantity
(100 packets per min. per IP) of port 6881 hits...
Any idea what this is (other than possibly BT - Snark - per google)...
No I have not run / analysis with a sniffer... Currently hitting the
FW...
TCP, I
"Schmehl, Paul L" <[EMAIL PROTECTED]> to Joe Stewart:
> > The "From" or Return-Path address specified by the MAIL FROM:
> > transaction in the SMTP session is the real email address of the
> > infected user, or at least is what they entered on the fake
> > MAPI dialog
> > that Swen uses to get
Poof,
> Would you know any good DBSBLs?
Presuming you mean DNSBL (DNS Bl[oa]ckList) and that you understand the
requirement to discover and verify the listing and delisting policies
and practices of each, you may want to use:
dnsbl.njabl.org
bl.spamcop.net
sbl.spamhaus.org
list.dsbl.org
blackhol
myServer 0.4.3 Directory Traversal Vulnerability
.oO Overview Oo.
myServer version 0.4.3 shows files and directories that reside outside the
normal web root directory.
Discovered on 2003, August, 23rd
Vendor: Myserver (http://myserverweb.sourceforge.net/forum/portal.php)
MyServer is a free, powe
Am getting a Distributed (several diverse net blocks) and fair quantity
(100 packets per min. per IP) of port 6881 hits...
Any idea what this is (other than possibly BT - Snark - per google)...
No I have not run / analysis with a sniffer... Currently hitting the
FW...
Paul
I've seen the same thing but BEFORE MS03-039 came out. I've had reports
from users stating that their network port had been turned off a number of
times and they're getting sick of it. To quiet them down I'd add their
network port to an exclude list that wouldn't show up in the IDS (Snort) for
au
On Thu, 25 Sep 2003 12:04:14 -0500, Brian Eckman wrote:
> It is unknown how the audio.exe file got onto the computer hard drive
> in the first place.
It is almost guaranteed to have been via the MS03-032 IE object tag
vulnerability. The trojan you found is a variant of the Autoproxy
trojan, whi
My advice to anyone who gets bounce backs from posting to bugtraq is
to save and forward all bounces to the admin contact for the list.
I usually get a "thank you, they'll be promptly unsubscribed" in
response.
Darren
f-prot fixed it as of 20:00 GMT and confirmed to me via email that the root
of the problem was found and corrected!
---Mike
At 03:03 PM 25/09/2003, Mike Tancsa wrote:
I have already contacted the vendor, but be careful about your f-prot
updates today. It looks like they put an old def
If you were as annoyed as I was with
your mailboxes being bombarded, I looked up native email filtering for Microsoft
environments. The link is a basic script to get you started. This
works on the Microsoft SMTP service on NT4, 2000, and 2003
http://software.high-pow-er.com/EvenSink.zip
On Thu, 25 Sep 2003, Gerhard den Hollander wrote:
> They are running mailman ... mailman can be horrendously slow (esp with a
> large volume (traffic * number_of_subscribers) .
>
> 3 hour delays with mailman mailinglists is pretty common.
Who "they"?
Hi! This is the ezmlm program. I'm managing th
On Thursday 25 September 2003 12:27 pm, Schmehl, Paul L wrote:
> > The "From" or Return-Path address specified by the MAIL FROM:
> > transaction in the SMTP session is the real email address of the
> > infected user, or at least is what they entered on the fake
> > MAPI dialog
> > that Swen uses to
Thanks ^^
Would you know any good DBSBLs?
I've been looking for some good ones... But since Osiru died... I can't find
a good one *cry*
Also, would it be too much for the mod of this list to just cause new
subscribers to be moderated until their first VALID post?
Just an idea =/
- Original
> I'm thinking that there *has* to be a variant of Nachi/Welchia in the
> wild. We have machines that were patched for MS03-026 (verified by
> scanning with multiple scanners) but not patched for MS03-039 (ditto)
> and they have been infected by something that triggers my Nachi rule in
> snort. T
The increase in volume appears to coincide with
flashky's (xfocus.org) 9/20 post "The Analysis of RPC
Long Filename Heap Overflow AND a Way to Write
Universal Heap Overflow of Windows". Coincidence?
-Original Message-
From: Williams Jon [mailto:[EMAIL PROTECTED]
Sent: Thursday, Septemb
I found that SAM file could be replaced just like PWL files
in Win9x. I posted the following to Bugtraq, but in spite of
posting twice it never appeared in the list... (possibly moderated)
Folks, go ahead and change the boot options in your BIOS ASAP.
I guess this fallacy will never go away. Ch
Dave Ahmad picked up on my post and responded privately. He doesn't
have any objections to my forwarding his messages to FD, hence
forwarding without prejudice.
-- Raju
--
Raj Mathur <[EMAIL PROTECTED]> http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF
I have already contacted the vendor, but be careful about your f-prot
updates today. It looks like they put an old def file from May 26th on
their ftp site. The UNIX update script will happily fetch and install this.
avscan2# nslookup -type=ns f-prot.com
Server: resolver1.sentex.ca
Address: 64
If you were as annoyed as I was with your mailboxes being
bombarded, I looked up native email filtering for Microsoft environments.
Attached is a basic script to get you started. This works on the Microsoft
SMTP service on NT4, 2000, and 2003
Michael Evanchik
www.high-pow-er.com
EventSink.
On Thu, Sep 25, 2003 at 11:34:40AM -0500, Schmehl, Paul L wrote:
> backdoor passwords "in case of emergency", and all BIOSes can be easily
> reset to default passwordless configuration.
Without knowing the password you couldn't put the password back
correctly so it would be obvious that the BIOS
W32.Welchia is in the wild. I have a customer who found it on his
home machine this morning. He is using Norton, which kindly informed
him that it had no way to handle it...
G
On or about 2003.09.25 10:57:12 +, Cael Abal ([EMAIL PROTECTED]) said:
> >I'm thinking that there *has* to be a vari
Working hypothesis is as follows:
Hosts were turned off previously so they didn't show up in routine
scanning. Then they were turned on and got infected with Nachi. Nachi
patched for MS03-026. Then a scan showed them patched for MS03-026 but
not for MS03-039. Then snort reported their infectio
There have been other weekends in the interim with no such surge. Or
rather, there were little small surges, but nothing that large. Just check the
graph out: http://isc.incidents.org/port_details.html?port=135
--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
On Thu, 25 Sep 2
I discovered a machine in our building spewing Spam on 9/23/2003. It
exhibited behavior similar to other mysterious ones we've seen on
campus. A co-worker and I went and found the machine. It was a Windows
XP machine from the dorms that had been turned in to the helpline staff
to have them clean
> -Original Message-
> From: Cael Abal [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 25, 2003 9:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] RE: Probable new MS DCOM RPC
> worm for Windows
>
> Did you use a third-party tool to verify the patches were actually
>
> -Original Message-
> From: Joe Stewart [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 7:50 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] Swen Really Sucks
>
> The "From" or Return-Path address specified by the MAI
> -Original Message-
> From: Palan [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 25, 2003 8:33 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] SAM Switch - Win2k/XP password-less login
>
> I found that SAM file could be replaced just like PWL files
> in Win9x. I posted th
One more in the idiot bin.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
> -Original Message-
> From: Matsu Kandagawa [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Rainer wrote:
> Well, I think I am anyhow not the one talking to them. Why? In the
> past, I tried to contact them with several issues, but besides the
> subscribe/unsubscribe they seem not to accept any mail from me. I also
> tried to mail their pos
Whatever you do…don’t unsubscribe…
-Original Message-
From: Bassett, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 25, 2003 10:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [Full-Disclosure] new increase your gas mileage 27%+
Yay.. now I’m getting spam filtered into
Yes, very interesting Helmut. In fact this has been an interesting month
for email admins with both sobig and swen. Swen hosed up our Postfix server
with millions of messages to newsgroups, had to end up manually blocking
them. Please keep us abreast of your results when you figure out which AV
> http://www.frame4.com/exchange/main.png
> http://www.frame4.com/exchange/directory.png
> http://www.frame4.com/exchange/vulndb.png
> http://www.frame4.com/exchange/forums.png
I got a chuckle out of vulndb.png...
Scanning down the first column you read:
3COM - 8...ColdFusion - 2... IRC - 23... M
Since I've been watching for a new worm that uses the MS03-039 vulnerability, when I
saw this message, I went over to incidents.org to check out and see if they were
seeing an increase, too. Lo and behold, their charts for both TCP 135 and TCP 80 show
dramatic increases in traffic over the pas
It's likely just everyone getting back to work from the weekend... logging
into their systems and boom... big surge.
- Original Message -
From: "Williams Jon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Thursday, September 25, 2003 2:01 PM
Sub
> > As it
> > seems that there are lots of people sharing the same
> > experience, one of
> Well, I think I am anyhow not the one talking to them. Why? In the past,
They are running mailman ... mailman can be horrendously slow (esp with a
large volume (traffic * number_of_subscribers) .
3 ho
Hi Jonathan,
> Is anyone seeing anything new out there, or is this just a
> resurgence of Welchia?
Not likely a new RPC DCOM worm.
We will certainly know when it hits the Net. If you look at the amount
of source addresses you will notice that the numbers are actually going
down. The increase in
I am a paid member of astalavista.net and use it quite frequently in
addition to FD, BugTraq, etc., as it represents a gray area (though not in
the line of .box.sk).
My experience is that it is a collection/source of well-maintained
information. There is a Swiss team behind it. Whether it is worth
Yay.. now I’m getting spam filtered
into my FD folder. Who is the jackass who thought it would be funny to sell
[EMAIL PROTECTED]
to the spam fucks?
Spammers should get the death penalty.
-Original Message-
From: Theron Briggs [mailto:[EMAIL PROTECTED]
Sent: Wednesday,
They are two virtual servers on the same box.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
=
FreeBSD-SA-03:14.arp                                        Security Advisory
The FreeBSD Project
Topic: d
I'm thinking that there *has* to be a variant of Nachi/Welchia in the
wild. We have machines that were patched for MS03-026 (verified by
scanning with multiple scanners) but not patched for MS03-039 (ditto)
and they have been infected by something that triggers my Nachi rule in
snort. This should
I got a free membership to it which I have never used since I got it..
illwill
Anthony Aykut <[EMAIL PROTECTED]> wrote:
I am a paid member of astalavista.net and use it quite frequently in addition to FD, BugTraq, etc., as it represents a gray area (though not in the line of .box.sk). My experience is
I recently received an e-mail from a customer I deal with who needed
some technical assistance with a domain hosted on Verisign. He included
his login and password, which was useful, but what threw me for a loop
was the URL from his session which he included. I clicked on it, just
out of morbid
Paul Schmehl wrote:
> Mind you, this is anecdotal and a very small incidence (only three
> machines so far), but it still bears watching IMHO. I've been surprised
> to not see any discussion on the lists about a new variant. Perhaps no
> one is looking?
Probably just that...it's very small in na
I am a paid member of astalavista.net and use it quite frequently in
addition to FD, BugTraq, etc., as it represents a gray area (though not in
the line of .box.sk).
My experience is that it is a collection/source of well-maintained
information. There is a Swiss team behind it. Whether it is worth
> -Original Message-
> From: Richard Johnson [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, September 24, 2003 10:03 AM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Probable new MS DCOM RPC worm for Windows
>
> We finally had infections occur on Tuesday evening showing the sam
Dunno, but I sure hope it's more than just a pretty frontend to:
http://astalavista.box.sk/
Because that would be a rip if so.
--
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
On Thu, 25 Sep 2003, GARCIA Lionel wrote:
> Hi,
>
> This may be a little out of subject, but I'
Hello,
I found that SAM file could be replaced just like PWL files in Win9x. I posted the
following to Bugtraq, but in spite of posting twice it never appeared in the list...
(possibly moderated)
Folks, go ahead and change the boot options in your BIOS ASAP.
>> Original Posting to Bugtraq
As the one who started this thread...
> From my point of view this was no attempt to condemn anyone, but was
> meant as getting a feeling for the situation ("am I the only one who
> feels like this? if so, there is no need to take further
> steps").
Mike hit the target. That was my primary r
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenPKG Security Advisory                                   The OpenPKG Project
http://www.openpkg.org/security.html http://www.openpkg.org
[EMAIL PROTECTED]
On Wed, Sep 24, 2003 at 12:48:01PM -0400, [EMAIL PROTECTED] wrote:
> On Wed, 24 Sep 2003 11:12:12 EDT, "Richard M. Smith" <[EMAIL PROTECTED]> said:
>
> > For most Windows users, I bet that the only time DCOM ever gets used, if
> > at all, is to run worms like MSBlaster and Welchia.
>
> Isn't DC
Kristian Hermansen wrote:
Ditto.. Every time I send a post I get about 20 bounce backs.
20? How? At least twice that much... even more if there is vacancy time
in many countries.. summer and the like. They did kick a lot of those
"out of office"-subscribers a few weeks ago, but it did help only
Hi.
Raj Mathur wrote:
Uh, has anyone bothered asking DMA the reason for the delay? You may
not get any reasonable explanation, but at least give the man a chance
to defend himself before condemning him.
From my point of view this was no attempt to condemn anyone, but was
meant as getting a feeli
On Thu, Sep 25, 2003 at 12:08:57PM +0200, Michal Zalewski wrote:
> On Thu, 25 Sep 2003, Florian Weimer wrote:
>
> > Especially as some of the flaws (the replay attacks) are actually
> > documented in the manual.
>
> And correct me if I am wrong, but it appears to me that replay attacks are
> not
On Thu, 25 Sep 2003, Florian Weimer wrote:
> On Thu, Sep 25, 2003 at 03:43:06AM +0200, Jake Appelbaum wrote:
>
> > After reading Gutmann's short but to the point email a few points that
> > he made seemed obvious. Some of the flaws were not so obvious. CIPE
> > seemed to have some very simple fla
On Thu, Sep 25, 2003 at 12:08:57PM +0200, Michal Zalewski wrote:
> > Especially as some of the flaws (the replay attacks) are actually
> > documented in the manual.
>
> And correct me if I am wrong, but it appears to me that replay attacks are
> not that much of a concern when encrypting TCP/IP p
On Thu, 25 Sep 2003, Florian Weimer wrote:
> Especially as some of the flaws (the replay attacks) are actually
> documented in the manual.
And correct me if I am wrong, but it appears to me that replay attacks are
not that much of a concern when encrypting TCP/IP packets?
--
---
Title: What about astalavista.net
Hi,
This may be a little out of subject, but I'm looking for experiences on www.astalavista.net.
Subscription is $29 for 6 months of access, and I'm wondering if it's worth it and if I should ask my hierarchy to spend bucks on it.
Thanks in advance.
Lionel G
On Thu, Sep 25, 2003 at 03:43:06AM +0200, Jake Appelbaum wrote:
> After reading Gutmann's short but to the point email a few points that
> he made seemed obvious. Some of the flaws were not so obvious. CIPE
> seemed to have some very simple flaws and some of the fixes were easy to
> implement.
Th
Fact of the matter is that 99.999% of spammers out there have nowhere
near the ability to figure this out, let alone set it up. Besides the
fact that we're really not talking about spam here in the first place,
we're talking about virus propagation, which I can pretty much guarantee
won't be using a v
Just the sources of the mail are enough to doubt :
href="https://e-gold%33.com/acct/login.html" displayed as https://www.e-gold.com/acct/login.html
                    ^^^
Regards,
Max
> -Original Message-
> From: Thor Larholm [mailto:[EMAIL PROTECTED]
> Sent: jeudi 25 septembre 2003 01:13
> To: [E
On Wed, 24 Sep 2003 09:57:57 CDT, "Bassett, Mark" <[EMAIL PROTECTED]> said:
> I am patched with MS03-032 ( Q822925 ) but am still vulnerable.
I've seen multiple reports of patches failing to apply correctly in some cases
(often tied to the way it renames files during a reboot to work around lock
they're moderating...
if any posts have "live" sites they're rejected, even if it is the vendor's own
site that is an issue
and I have noticed more than enough incidents where the latest, nastiest
things don't get put
up on Bugtraq so that contract customers get first dibs before the general
public.
my2
I can confirm too.
For example: mail from Oliver Heinz (Arago.de) about Gauntlet firewall DoS:
Received 24 September at 16.01 (GMT-1) from Full-Disclosure and received at 22.32
(GMT-1) from Bugtraq...
Or do I need to assume a voluntary delay from the author??? I doubt it.
Cheers
Max
> -O