Secure Network Operations, Inc. http://www.secnetopscom/research
Strategic Reconnaissance Team research[at]secnetops[.]com
Team Lead Contact kf[at]secnetops[.]com
Spam Contact`rm -rf /[EMAIL PROTECTED]
Our
Remko Lodder [EMAIL PROTECTED] to me:
even if it was a prefixed size.
one 'creative CRACKER or other lame person' would change
the virus with a single bit which makes it a bit larger,
and all the previous detects are USELESS, even though it
perhaps has the same sig as before
Did you read
Johnson, April [EMAIL PROTECTED] wrote:
How hard would it be to have the AV software actually check the source
email smtp host, and send an email to [EMAIL PROTECTED] for the *actual*
offending smtp server?
Probably not terribly...
Of course, you immediately turn any massively fast,
From: Ferris, Robin [EMAIL PROTECTED]
Date sent: Tue, 27 Jan 2004 10:10:39 -
Does anyone know what the size of the attachment is when it comes in as a
zip file?
About the same size, 22, 23K. Actually, the zip file is ever so slightly larger, since the UPX
Couple of questions someone on this is likely to be privy to:
does mydoom respond to SYN scans on ports 3127 - 3198 ?
what is the construction of the special packets used to transfer files to
the daemon?
-Jason Ellison
___
Full-Disclosure - We believe
I have just spotted an infected email to another list that I am on that
purported to come from me. It hadn't even touched my system. It looks like
it doesn't just pick out emails that you have sent, but emails that you have
received and fakes that From address.
Therefore, those who have been
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
DOTNETNUKE MULTIPLE VULNERABILITIES
- --
Online URL : http://ferruh.mavituna.com/?429
1) Source Code File Access;
Severity : Highly
Hi,
Gregh wrote:
Sorry old son but the engine is NOT a beta. The Mcafee I have is Mcafee VSO
(now called Version 8) and I *ONLY* allow it to be updated normally because
like most of us here, if it stuffs up, I want to be prepared as a lot of my
customers use it. This is a stock standard web
We've had Sales@ hit repeatedly. Not sure if that's 'cos it's in people's address books
or not - there definitely haven't been any e-mails sent out from Sales recently.
Jos
-Original Message-
From: madsaxon [mailto:[EMAIL PROTECTED]
Sent: 27 January 2004 18:03
To: [EMAIL PROTECTED]
Hi,
I'd check out clamav (http://www.clamav.net/) - I've found it to be a
fantastic product. You have all the usual autoupdate, on-access scanning, nice
integration with amavis for mailscanning @ gateway, daemon or commandline
scanning, support for zips, bzips, et al and it's GPLed.
I
Hi, Due to the many user requests, Mixter and I have conceded to make
further short penetration tests of well-used personal firewalls.
Today's Target: ZoneAlarm Pro 4.5.532.000,
download on 01/27/04 from the official homepage.
Tester:
Mixter: 55Mbit/s connectivity, Attacking System: Gentoo Linux
The world could be a better place if more ISPs would query Spamcop or
cbl.abuseat.org (which includes the Spamhaus.org XBL). Also ISPs
could block egress 25/tcp for dialups/DSLs that are not supposed to
run their own MTA. SPF and RMX may help (but do have nuisances - we
may have to accept).
This has really gotten out of hand. The Symantec "has found a virus"
notifications are worse than the damn virus. So with that in mind may I
suggest the following:
Since the AV folks know which viruses spoof the FROM address, how about
disabling these stupid notifications for those particular viruses?
There is a port of the freebsd heap to linux at:
http://www.guninski.com/wares/free10.tar.gz
md5sum free10.tar.gz
c20d5f2d4790fdecc6d1f0005aaa9d2d free10.tar.gz
The README:
Port of FreeBSD's heap implementation to Linux.
This is a linux port of the heap implementation originally written
by
Excellent. Is it kernel specific? Also, is it kosher to mix freebsd
license with GPL? (stand back while flame throwers are cranked up ;-)
But I'd really be interested if anyone has tried porting 'pf' as a
netfilter kernel module. I can't stomach iptables anymore, but short of
using something
On Wed, 28 Jan 2004 08:57:49 -0700
Burnes, James [EMAIL PROTECTED] wrote:
Excellent. Is it kernel specific? Also, is it kosher to mix freebsd
license with GPL? (stand back while flame throwers are cranked up ;-)
I won't engage in open source holy wars until we fix the m$ problem.
This is
Excellent. Is it kernel specific? Also, is it kosher to mix freebsd
license with GPL? (stand back while flame throwers are cranked up
;-)
Actually Georgi, neither was I. I was only anticipating the holy war
;-)
I won't engage in open source holy wars until we fix the m$ problem.
LOL...anyone else see this? Do a search on google for the word
"bastards", see what the first entry is..ha!
James Lay
Network Manager/Security Officer
AmeriBen Solutions/IEC Group
Semper Vigilans!!!
Zach Forsyth wrote:
And for people saying don't use IE, if you aren't the sole admin on the
server you don't have the choice to install other apps.
Believe me if I could install something else I would just put a real ftp
app and firebird on there and not have to ask silly questions on FD.
Please
Sorry if this was suggested before.
If major sites like Google, MSN etc. would query rapid DSL and dialup
blacklists, they could visually inform the visitor that their PC is
listed (+ inform them what to do, direct them to online AV etc).
Spamcop.net and cbl.abuseat.org come into mind. If Bill
Now that's just damn damn funny :D Irony, got to love it :D
Regards
- Original Message -
From: James Lay [EMAIL PROTECTED]
To: Full-Disclosure (E-mail) [EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 3:54 PM
Subject: [Full-Disclosure] [TOTALLY OT] Google fun
LOL...anyone else see
On Tue, 2004-01-27 at 21:36, Zach Forsyth wrote:
After reading through the MS advisory in more detail it doesn't actually
mention ftp at all.
This was kindly pointed out by several FD readers :)
I will wait and see if the patch just fixes http and https before
worrying about it in earnest.
The message contains Unicode characters and has been sent as a binary attachment.
lwljnu.zip
Hello Remko,
* Remko Lodder [EMAIL PROTECTED] [2004-01-28 13:17]:
are you sure that a wine emulated windows+outlook cannot be infected?
test it and you will see.
since it emulates windows and 'offers' almost the same functionality
as normal windows..
yes, but not completely.
regards nico
--
I found a notable string in this virus:
(sync.c,v 0.1 2004/01/xx xx:xx:xx andy)
I googled for it and found enormous possibilities even for an imap source.
Can anyone verify this or can do further investigation ?
Helmut
On Wed, 28 Jan 2004 14:30:46 +0100, Erik van Straten [EMAIL PROTECTED] wrote:
Hi,
If major sites like Google, MSN etc. would query rapid DSL and dialup
blacklists, they could visually inform the visitor that their PC is
listed (+ inform them what to do, direct them to online AV etc).
Bad
There is a new variant of mydoom in the wild, much harder - overwrites the
hosts file and therefore gives the victims no chance to update their virus
defs ...
and the second target is now microsoft.
Trend-Micro has it first:
here is the link:
We can thank /. for the Google Bombing/Poisoning:
http://slashdot.org/comments.pl?sid=92569cid=7955668
"James Lay" [EMAIL PROTECTED] 1/28/2004 10:54:39 AM
LOL...anyone else see this? Do a search on google for the word "bastards", see what the first entry is..ha! James Lay Network
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wednesday 28 January 2004 19:46, Helmut Hauser wrote:
(sync.c,v 0.1 2004/01/xx xx:xx:xx andy)
It's a CVS version string of a file called sync.c, version 0.1, checked in
2004/01 (January) by user andy.
This reads:
Most likely private use of an
Hello Golde
On 28 January 2004, 13:33:13, you wrote:
NG Hello Remko,
NG * Remko Lodder [EMAIL PROTECTED] [2004-01-28 13:17]:
are you sure that a wine emulated windows+outlook cannot be infected?
NG test it and you will see.
since it emulates windows and 'offers' almost the same functionality
as
You can track widespread virii breakout without running manual
blacklists. We're working on a streamlined (machine automated)
blackhole list server at http://www.nuclearelephant.com/projects/sbl/.
It is originally designed to identify spammer IPs within minutes of a
new distribution based on how
If anyone is currently working on this I'd like to hear from them.
I thought the ANU guys had made an ipfilter port to linux at about
(linux) kernel 2.0 (it was an option against ipfwadm) .. but I have
just done a quick search and I can't see any reference to that.
It's not that I don't like
On Wed, 28 Jan 2004 17:19:08 +0100 Thomas Zangl wrote:
Erik van Straten wrote:
If major sites like Google, MSN etc. would query rapid DSL and dialup
blacklists, they could visually inform the visitor that their PC is
listed (+ inform them what to do, direct them to online AV etc).
Bad idea! Think
At 05:39 PM 1/28/2004 -0500, Juari Bosnikovich wrote:
It was also unknown that the virus infects the BIOS of the computer it
infects by injecting a 624-byte backdoor written in FORTH which will open
port tcp when Mydoom will be executed AFTER February 12.
Nice analysis, Juari. Thanks.
m5x
A client of ours had a Dedicated Micro Digital Sprite II multiple camera
monitor with web server system installed. Manufacturer product details
are here:
http://dedicatedmicros.com/dedicatedmicros/product/ds2/ds2_main.html
The unit's setup was changed from the original as below to as follows in
Does anybody know what happened to packetstorm (all mirrors)? It has
not been updated since Jan 8th?!?
TIA,
Stef
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
When I disassembled the virus I found new information that hasn't come up
anywhere else to this time.
Here is the information that is believed...
1. use restricted usernames to send email to and from
2. encode strings with ROT13 method
3. create a mutex called 'SwebSipcSmtxSO' when ran
4.
What I'd like to know is if they'll do this IN ADDITION to fixing the
bug or not.
Bobby Brown wrote:
Summary
Microsoft plans to release a software update that removes support for handling user names and passwords in HTTP and HTTP with Secure Sockets Layer (SSL) or HTTPS URLs in Microsoft
hey all:
Has anyone seen the new Mydoom variant? If so, could someone forward a
new copy to this address? It doesn't look like this one will be too bad,
but it never hurts to be prepared!
-cheers
Andrew
Cael Abal [EMAIL PROTECTED] wrote:
Please tell me you don't do a lot of web browsing from your server.
IE being required on a Windows server (for SUS management, etc.) is
one of my pet peeves -- but folks who browse the internet from their
server actively freak me out.
(This isn't
Of course they deserve everything they get, but I hope whoever backed
them up gets it too...
Let's see - ONE MONTH after being in office the new CEO decides to go
on a rampage - if that doesn't smell of a pre-planned action I've been
watching too many conspiracy theory shows!
Cheers!
Dan
On
http://www.internetnews.com/dev-news/article.php/3305191
snip
The new National Cyber Alert System plans to issue free e-mail alerts...
/snip
Dear User, Please click the attachment below to view your free National
Cyber Alert.
...uh, is it just me or does this sound really dumb?
[SNIP]
This is being asked in all seriousness and helpfulness... Do you have
access to a command line? You could use the command line FTP, it's way
better than IE.
STOP! You'll confuse all those MCSEs out there that have learned, rather
than a tool to fit the job, use the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Similar to the G.W. Bush prank, type "miserable failure" and click on the "I'm
feeling lucky" button.
On Wednesday 28 January 2004 17:54, James Lay wrote:
LOL...anyone else see this? Do a search on google for the word
"bastards", see what the first
On Wed, Jan 28, 2004 at 05:19:08PM +0100, Thomas Zangl - Mobil wrote:
A working solution (practiced at the TU Graz / Austria) would be an open
mail relay for every user in the ISPs address space and block all outgoing
connections to port 25. The users will be forced to use the ISPs relay and
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wednesday 28 January 2004 13:15, Ian Latter wrote:
What could you get from pf that you couldn't get from iptables (I've
not played with the little devil yet)?
Human-readable syntax.
Lucid syntax is an indispensable security measure. Errors
Explanation:
A person could gain useful info about
[EMAIL PROTECTED] that could be used in password
recovery... even by an illegitimate user by simply
getting a LEGITIMATE reply from [EMAIL PROTECTED]
;o)
Strange!
Firstly, the simple trick is to make him/her
[EMAIL PROTECTED] just reply to you...
indeed i also object to these issues, i don't want to be dependent on my ISP
when it comes to sending email from my domains, i want to send and block whoever
i want to block, and i want the ability to host this stuff myself on my home ADSL
line.
currently my users can only use webmail, so no
On Wed, Jan 28, 2004 at 08:57:49AM -0700, Burnes, James wrote:
it's just that there are some projects
where I need a decent firewall to be co-resident with Linux. IPTables
is not an option unless it's my only option.
Do you require co-residence in order to run some Linux software which is
Human-readable syntax.
Lucid syntax is an indispensable security measure. Errors should be GLARING
and obvious!
Ok - Fair enough.
Though there's nothing quite as obvious as a new home page painted
by your fav' 1337 cr3w to show holes in firewall rules ;o]
--
Ian Latter
IT Security
Here, GNU/Linux experienced user but newbie about ADSL modems.
If one wishes to choose an ADSL modem with security in mind... a router
one (with NAT).
Imagine that one hacks into the modem itself, as the admin.
Imagine that behind the modem is a GNU/Linux box as the default
destination of all
In some mail from Ian Latter, sie said:
If anyone is currently working on this I'd like to hear from them.
I thought the ANU guys had made an ipfilter port to linux at about
Heh. That's a funny categorisation of people :)
(linux) kernel 2.0 (it was an option against ipfwadm) .. but I
On Wed, 28 Jan 2004 18:36:34 +, petard [EMAIL PROTECTED] wrote:
Hi,
I left my ISP about 9 months ago because they implemented this very
policy. It entirely destroyed my ability to send email from my preferred
address. Our SMTP setup at example.com relays mail from people
claiming to be
On Thu, 29 Jan 2004, Ian Latter wrote:
Human-readable syntax.
Lucid syntax is an indispensable security measure. Errors should be GLARING
and obvious!
Ok - Fair enough.
Though there's nothing quite as obvious as a new home page painted
by your fav' 1337 cr3w to show holes in
On Jan 28, 2004, at 11:59 AM, Daniel H. Renner wrote:
The unit's setup was changed from the original as below to as follows
in
an attempt to remove the router from the equation:
Internet --- DSL modem --- switch --- DS2 with public IP
first of all i wouldn't connect a sprite to the internet...
On Wed, 28 Jan 2004 18:36:34 +, petard [EMAIL PROTECTED] wrote:
Hi,
I left my ISP about 9 months ago because they implemented this very
policy. It entirely destroyed my ability to send email from my preferred
address. Our SMTP setup at example.com relays mail from people
claiming to be
On Wednesday 28 January 2004 16:46, Jeremiah Cornelius wrote:
Human-readable syntax.
Have you tried Firehol http://firehol.sf.net at all? A nice IPTables
generator with human readable syntax. Provided me with plenty of power and
has a lot of security features (e.g. rate limiting) built in.
petard wrote:
Sorry for a borderline off-topic reply, but I'm cc-ing the list so this
is in the archives, in case any stupid ISP reads this and thinks it's a
good idea. It isn't.
sending this to the list as well, since not enough people are doing the
proper research
I left my ISP about 9 months
In some mail from Jeremiah Cornelius, sie said:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Wednesday 28 January 2004 17:59, Darren Reed wrote:
Now if someone wanted
a *real* 2.7 feature to add to linux, it'd be supporting building a
kernel module without requiring /usr/src/linux
On Wed, Jan 28, 2004 at 09:20:24PM +0100, Thomas Zangl - Mobil wrote:
As I said before, the ISP _HAS_ to provide an alternative mail relay, open
for every FROM address the user wishes to use. (If it's legal or not, that's
another point). If you really need access to YOUR smtp server, it should
Title: Mydoom: Perfect Storm Averted or Just Ahead?
Worms traveling across the Internet are like waves rolling and swelling across an ocean. Just because the first swell does not inundate a network, one should not assume invincibility to the next wave in the perfect storm.
Reports vary in
Chris == Chris Smith [EMAIL PROTECTED] writes:
Chris Have you tried Firehol http://firehol.sf.net at all? A nice IPTables
Chris generator with human readable syntax. Provided me with plenty of power and
Chris has a lot of security features (e.g. rate limiting) built in.
There's no excuse
On Wed, 28 Jan 2004 23:08:57 +0100 Thomas Zangl wrote:
On Wed, 28 Jan 2004 21:27:33 +0100, Remko Lodder wrote:
i want the ability to host this stuff myself on my home ADSL
line.
And this is the point. Most ISPs (here in Austria) don't allow their end
users to have public servers open. SSH is
On Wed, Jan 28, 2004 at 05:37:59PM -0600, Phil Brutsche wrote:
sending this to the list as well, since not enough people are doing the
proper research
I left my ISP about 9 months ago because they implemented this very
policy. It entirely destroyed my ability to send email from my preferred
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 430-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Martin Schulze
January 28th, 2004
-BEGIN PGP SIGNED MESSAGE-
__
SGI Security Advisory
Title : SGI Advanced Linux Environment security update #9
Number: 20040103-01-U
Date : January 28, 2004
You can find information on Symantec's web page.
Blocking: same port as last time, 3127.
Gadi Evron
Does the new version affect users who have updated their virus defs?
-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 10:34 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Full-Disclosure] outbreak warning: new Mydoom.B is out
You