Subject: Re: [Full-Disclosure] viruses being sent to this list
from http://ecompute.org/th-list/FAQ/ : (your site)
Simply put, the TH-Research Mailing List is a place for the exchange of
ideas, information and cooperation between anti-malware researchers,
reverse-engineers and other professionals in related fields. While its focus
is not on sample exchanges
On Mon, 22 Mar 2004, Paul Schmehl wrote:
This is a small sample of what I have found in the archives:
message.pif - 5 copies
your_details.pif - 2 copies
attachment.htm.pif - 1 copies
file.pif - 1 copies
test.pif - 1 copies
readme.scr - 1 copies
Yeah, that's pretty close to my
On Tue, 23 Mar 2004 04:46:02 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
In that case, I wonder why spam doesn't get to the list?
Most spammers aren't going to go through the hassle of subscribing to
the list to send messages when they can send email directly to people
with little effort.
Is
On Tue, 23 Mar 2004 02:49:55 +0200, Gadi Evron [EMAIL PROTECTED] wrote:
Need or no need, the fact is that after this started happening, the
volume of it happening, and with new malware, increased dramatically and
close to the release dates. Usually after the worm is already well-seeded.
It's obvious that the author of the quote meant that after the initial
programmer sends out the virus everything else is automated: the
virus sends out copies of itself, generally not the person that it
appears to be from.
On Mar 22, 2004, at 11:08 PM, Jason Slagle wrote:
On Tue, 23 Mar
Luke Scharf wrote:
On Mon, 2004-03-22 at 17:13, Jay Beale wrote:
You may find this discussion academic. But the exploit writers and the
worm writers are getting faster. And that's what should scare us into
moving beyond patches. That's what should get us moving to better
network and host
john is your best bet
Just throw all the boxes you have on hand at it.
Get good dictionaries if you think it's a normal word.
Max
On Monday 22 March 2004 10:51 am, Richard Stevens wrote:
I have an md5 hash I need to crack, left john the ripper on it for a few
days without success and gave up.
Hello Richard,
I haven't read the whole thread yet, but if this is what you came
to, then there are a couple of other options;
plJohn
http://www.hick.org/~johnycsh/code/
CHAOS
http://itsecurity.mq.edu.au/chaos/
plJohn is a perl wrapper for piping one dictionary combo out
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| I don't disagree with you. While I am extremely hesitant to agree to
| any type of automated filtering (be it spam or virus), I do agree that
| broadcasting virus messages to a large subscriber base is a bad idea (if
| for the bandwidth consumption
If you haven't already signed the recall registry.
Unless you don't care if Verislim messes with .COM and .NET again
https://www.recallverisign.com/index.php
___
Full-Disclosure - We believe in it.
Charter:
BoneMachine wrote:
I was browsing the SecurityFocus vulnerability database and found the following:
http://www.securityfocus.com/bid/9903
Because the make utility is reported to run with setGID root privileges, a local attacker
may potentially exploit this condition to gain access to the root
~~~
Advisory Name: How to crash a harddisk - the Ipswitch WS_FTP Server way
Impact : Denial of Service
Discovered by: Hugh Mann [EMAIL PROTECTED]
Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
Product: FirstClass HTTP Server
Developer: Centrinity
URL: http://www.centrinity.com
Description: Injected code is rendered in the context of the vulnerable
page.
Exploit:
http://[TARGET]/.Templates/Commands/Upload.shtml?TargetName=<script>alert('XSS')</script>
It may be possible to steal cookies
~~~
Advisory Name: Open the WS_FTP Server backdoor to SYSTEM
Impact : Privilege escalation
Discovered by: Hugh Mann [EMAIL PROTECTED]
Tested progs : Ipswitch WS_FTP Server 4.0.2.EVAL
Dear Lists,
I have completed an analysis of the 'Witty' worm that impacts multiple ISS
products. The worm is spreading via a very simple UDP propagation
algorithm. The unique nature of this worm made it a fascinating piece of
code to analyze. The analysis gets into the details of the worm's
On Mon, Mar 22, 2004 at 09:28:12PM -, Richard Stevens wrote:
thanks to all for the input, looks like john it is, with a little more patience :)
out of interest, anyone think a distributed project using john would be useful?
something like the SETI screen saver thing...
Check out
Definitely
BLOCKED by ISP
I don't have to pay extra for this ;-P
They still want me to buy $4.99 monthly protection from them
They appear to be running BRIGHTMAIL [with no mention to customers, to
ruin income potential]
steve menard
Dave Horsfall wrote:
On Mon, 22 Mar 2004, Paul Schmehl
--
Information
--
It may be possible to redirect a naive .Mac webmail
user, to another site, possibly, one mocked up as
webmail (a user may ignore the fact SSL is not
present).
http://webmail.mac.com/redirect/http://your url
Using unicode representations of the word redirect,
may aid an
I assume the law enforcement authorities OR Microsoft's lawyers would be
interested to see any evidence one way or the other ...
Unless you're talking about the normal stuff that gets sent if anyone types
http://www.microsoft.com into their web browser.
See:
Yes Gadi,
It was a joke, I forgot the Smileys ;-P
[normally I watch my spelling, I thought it'd be a dead giveaway]
And you'll note I didn't spell your name right
I was talking to the spoofer
steve
Gadi Evron wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Gadi Evron wrote:
-BEGIN
You've completely missed what I was talking about. I said I have seen
those dump, disassemblies and stuff.
On Mon, 2004-03-22 at 23:32, Disclosure From OSSI wrote:
C'mon. This is a worm. The SQL Slammer binary is widely available on the net and
its disassembly (or its source code) is everywhere
do we really need the list to be addressed every time one of these scams
occurs, they are a common occurrence now, for fuck's sake
maybe we add this to the list's charter not to send any scam until they are
exploiting some new method, using the users' stupidity does not count
-aditya
opinion
I think Gadi is being maligned.
He has raised a few questions relevant to the purpose of this list and
instead of courteous helpful replies has received (mostly) abuse.
My responses:
FD probably can't be filtered to remove viruses without also removing other
code, etc., the
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
Way to go man, you just DOS'ed yourself...
Jos
Mike,
That's a good point you raise there. The only way to protect yourself from
this is to be careful where you post your e-mail address and even as to who
you give your e-mail address.
I have different aliases for mailing groups, another address I use on forums,
another one I give to co-workers
Hi all,
just had a mail through that NAV has detected as being Netsky.P, the text
of the mail was:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 08:24
To:
Subject: Re: approved information
Authentication required.
+++ Attachment: No Virus found
+++ MC-Afee
According to http://www.sophos.com/virusinfo/analyses/w32netskyp.html, there are quite a
few claims it makes to being clean:
+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++
On Mon, Mar 22, 2004 at 11:36:18PM +0200, Gadi Evron wrote:
Viruses must not be spread, especially on a security mailing list and to
such a huge audience.
It is my opinion that it is the _duty_ of the list owners to do
something about this, as it is not only illegal, but it is
At 05:44 AM 3/23/2004, Andrew Aris wrote:
Hi all,
just had a mail through that NAV has detected as being Netsky.P, the text
of the mail was:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 23 March 2004 08:24
To:
Subject: Re: approved information
Authentication required.
+++
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Steve Menard wrote:
| gady stop sending the list spam
|
| also, on an unrelated note
| why doesn't the unsubscribe link work
| is ti brkoen
| doh
|
| [EMAIL PROTECTED] wrote:
Obviously, that was not me who sent this.
Gadi.
-BEGIN PGP
Jos Osborne wrote:
HTTP 403.9 - Access Forbidden: Too many users are connected
Internet Information Services
This is why god invented P2P networks. Matthew, post your (plain text,
non-interpreted) analysis to eDonkey, por favor?
--
On the moon, we have evolved beyond rules... and manners.
Richard Maudsley wrote:
The VNC server runs as a system service. It is able to function when there
are no users logged on.
What do you mean 'how bad'?
bad in a security perspective - there are a lot of 'rumors' and online
articles about WinXP Home Edition being the worst case for use in a
local area
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Steve Menard wrote:
| Yes Gadi,
| It was a joke, I forgot the Smileys ;-P
| [normally I watch my spelling, I thought it'd be a dead giveaway]
|
| And you'll note I didn't spell your name right
|
| I was talking to the spoofer
Okay. I already emailed
Someone posted that they were having problems with version 7.0. Care to
elaborate?
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
--On Tuesday, March 23, 2004 05:30:34 PM +1100 Dave Horsfall
[EMAIL PROTECTED] wrote:
On Mon, 22 Mar 2004, Paul Schmehl wrote:
This is a small sample of what I have found in the archives:
message.pif - 5 copies
your_details.pif - 2 copies
attachment.htm.pif - 1 copies
file.pif - 1 copies
Personal responsibility seems to be missing from all of the people
complaining about a list infecting them or somehow causing them harm.
Get over it.
We use Microsoft products as well as other products and we have very strong
security policies -- firewall, server antivirus, blocking attachments,
This is a small sample of what I have found in the archives:
message.pif - 5 copies
your_details.pif - 2 copies
attachment.htm.pif - 1 copies
file.pif - 1 copies
test.pif - 1 copies
readme.scr - 1 copies
Yeah, that's pretty close to my recollection. I thought it ironic that
this list
John Cartwright [EMAIL PROTECTED] wrote:
As I see it, there are two means of regulating malicious content
from spoofed subscribed addresses. One, we moderate the list. Two, we
use anti-virus or other scanning to try to prevent this data flow.
Let's consider the effect of these options:
On
Something different about netsky.p vs all the other variants: I'm
seeing this one spread evenly across all my mail gateways. Earlier
variants only hit my first MX record, this one is either ignoring MX
weights or getting them backwards. Maybe that's why this one's making
the rounds a bit more
I don't know why a simple question like this has to turn into a
Microsoft is the most evil and deceitful company that ever existed
debate, but that seems to just be the nature of this list.
WinXP Home is called home edition for a reason. It's not designed to be
used in a corporate network, it
GreyMagic Security Advisory GM#005-MC
=
By GreyMagic Software, Israel.
23 Mar 2004.
Available in HTML format at
http://www.greymagic.com/security/advisories/gm005-mc/.
Topic: Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo.
Discovery date: 06
--On Tuesday, March 23, 2004 8:58 AM + rabbit food
[EMAIL PROTECTED] wrote:
Useless
Information
It may be possible to redirect a naive .Mac webmail
user, to another site, possibly, one mocked up as
webmail (a user may ignore the fact SSL is not
present).
The make to worry about
appears to be the one in /usr/local/bin, not /usr/ccs/bin. See the
sample exploit script at the usual spot.
The problem appears to be with GNU's
make, which is installed setgid (by default) on AIX so as to enable the
-l load option. This option is used to throttle the
- = Dude...Your mom lied your NOT special ! = -
Go join another list which is moderated and protects you from yourself.
On Mon, 22 Mar 2004 22:06:04 -0800 Gadi Evron [EMAIL PROTECTED]
wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
| based on this snippet, your previous posts are
Mike Smith said:
Doesn't that depend on if you think stupid people are worse
than malicious people?
<opinion>
Stupid people are often (always?) more dangerous than malicious people
</opinion>
Iñigo Koch
Red Segura
On Tue, 2004-03-23 at 12:00, [EMAIL PROTECTED] wrote:
Ok everybody let's send our LM Hashes and email addresses to this group of
complete strangers. Sounds like a great idea.
1) It wouldn't be MY hashes: email address != LM hashes
2) They still don't have the user account name: email address
On Tue, 2004-03-23 at 11:34, Alerta Redsegura wrote:
Stupid people are often (always?) more dangerous than malicious people
Question then: Do stupid malicious people cancel themselves out?
signature.asc
Description: This is a digitally signed message part
At 12:48 PM 3/23/2004 -0600, Frank Knobbe wrote:
Question then: Do stupid malicious people cancel themselves out?
No, they get elected to Congress.
m5x
Dameware Mini Remote Control version 4.1.0.0 and presumably previous
versions pass a Blowfish encryption key over the wire in the clear. It is
bad enough that they appear to be using Blowfish in Electronic Codebook
Mode; but they compound their errors by the following two vulnerabilities.
The
pretty big discussion going on here:
I would say don't run windows on this list and you won't get
infected.. heh I'm ready, bring the flames on ! ;)
I would also think as a security person you would be keeping your dat
files up to date under windows.
~!D
Frank Knobbe wrote:
On Tue,
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
...
And if I 0wn your box, do you not think that my keylogger can get your
passcode? Good grief! If the box is hacked, I can get any information I
need from you to screw you up further. Passcodes or anything else you have
*or* type are
On Tue, 23 Mar 2004 17:30:34 +1100, Dave Horsfall [EMAIL PROTECTED] said:
Someone said that they haven't seen any virus postings; you sure they
are not being dumped by your ISP? They are *definitely* there.
I know many get dumped by my mail server, which is why I went and checked the
actual
At 01:02 PM 3/23/2004, [EMAIL PROTECTED] said:
On Tue, 23 Mar 2004 17:30:34 +1100, Dave Horsfall [EMAIL PROTECTED] said:
Someone said that they haven't seen any virus postings; you sure they
are not being dumped by your ISP? They are *definitely* there.
I know many get dumped by my mail
This is why god invented P2P networks. Matthew, post your (plain text,
non-interpreted) analysis to eDonkey, por favor?
Or, host it on a bittorrent tracker and post a torrent link. :-)
--
Jordan Klein ~ Beware of dragons
[EMAIL PROTECTED] ~ for you are crunchy
To some degree.
At the very least, they have a higher conviction rate...
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Frank Knobbe
Sent: Tuesday, March 23, 2004 10:48
To: Full-Disclosure
Subject: RE: [Full-Disclosure] viruses being sent to this list
On
On Tue, 23 Mar 2004 19:23:45 +0100, Caraciola [EMAIL PROTECTED] said:
One measure to enhance security would be external storage of keys, on a smart
card like in secure internet banking where an external reader has to have a
keypad, so a pass doesn't travel anywhere on the computer ... with
###
Luigi Auriemma
Application: The Rage
http://www.therageonline.com
Versions: <= 1.01
Platforms:Windows
Bug: server freeze
Risk: low
Exploitation: remote,
e-matters GmbH
www.e-matters.de
-= Security Advisory =-
Advisory: Multiple (13) Ethereal remote overflows
Release Date: 2004/03/23
Last Modified: 2004/03/23
Author: Stefan Esser [EMAIL PROTECTED]
I don't see the date you contacted Ipswitch. Did they respond?
Do they have an estimate on when this will be addressed?
-tidd
On Tue, Mar 23, 2004 at 07:11:58AM +, Hugh Mann wrote:
~~~
Advisory Name: Open the WS_FTP
Ok everybody let's send our LM Hashes and email addresses to this group of
complete strangers. Sounds like a great idea.
Not that the concept isn't cool and I am sure the program is great but one
would have to be an idiot to do it.
James Cupps
-Original Message-
From: Inode
Security Advisory
Software:
Dark Age of Camelot from Mythic Entertainment
including Shrouded Isles Trials of Atlantis Expansion Packs
http://www.darkageofcamelot.com
Affected Version:
North America
Paul Schmehl [EMAIL PROTECTED] to Dave Horsfall:
Yeah, that's pretty close to my recollection. I thought it ironic that
this list -- a security list -- is populated by some infected idiots,
but there you go.
Why leap to that conclusion? There are two more plausible possibilities.
1)
On Tuesday 23 Mar 2004 21:26, [EMAIL PROTECTED] wrote:
On Tue, 23 Mar 2004 19:23:45 +0100, Caraciola [EMAIL PROTECTED] said:
One measure to enhance security would be external storage of keys, on a
smart card
These are indeed a good idea for some environments - the big question is
whether
not ignore the importance of such exchanges in combating the spread of
malicious software and technology
hey these exchanges were intentional and viruses sent to this list are unintentional
-aditya
Delivered using the
On Tue 23/03/2004 at 23:15, Sam Sharpe wrote:
I figured I needed a new watch, so I might as well get one that was
useful. I realise that this doesn't provide the security of a
smartcard, however a USB flash key is a damn sight cheaper. (except
when it's built into a watch)
Just to justify
Hey all,
I'm looking for information on decrypting a kerberos database. Basically, I
want to follow the steps a hacker would use to obtain passwords in the event of
a root compromise of a master KDC. Googling doesn't seem to turn up much, but
maybe I'm not entering in the right keywords...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
___
Rapid7, Inc. Security Advisory
Visit http://www.rapid7.com/ to download NeXpose,
the world's most advanced vulnerability scanner.
Linux
On Tue, 23 Mar 2004, Paul Schmehl wrote:
Yeah, that's pretty close to my recollection. I thought it ironic that
this list -- a security list -- is populated by some infected idiots,
but there you go.
Why leap to that conclusion? There are two more plausible possibilities.
1) Viruses
On Tue, 2004-03-23 at 19:20, Tobias Weisserth wrote:
Hi Byron,
On Tue, 23.03.2004 at 23:14, Byron Sonne wrote:
Proof of Concept:
e-matters is not going to release an exploit for any of these
vulnerabilities to the public.
So why should we believe you then?
Nobody
--On Wednesday, March 24, 2004 11:03 AM +1100 Dave Horsfall
[EMAIL PROTECTED] wrote:
Because I'd take stupidity over malice any day; it's much more abundant.
Depending upon who you ask, 100% of the people in the world are stupid.
Stupidity is in the eye of the beholder. It actually *is*
-- Original message --
From: FirstClass Mail Tech [EMAIL PROTECTED]
To: Richard Maudsley [EMAIL PROTECTED]
Date:
Subject: Re: Centrinity FirstClass HTTP Server Cross Site Scripting
---
Hello Richard,
Sorry if you get this twice. This is a response directly from our
Hi again List
I saw some answers about my problem concerning snaplen, I've already
considered and rechecked that. The problem is, everything works fine.
I first thought about libpcap-problems, but it would not only have influence
on the telnet password, if this would be the cause. I can use
On Tue, 23 Mar 2004, Paul Schmehl wrote:
Because I'd take stupidity over malice any day; it's much more abundant.
Depending upon who you ask, 100% of the people in the world are stupid.
Stupidity is in the eye of the beholder. It actually *is* possible to
approach people with the
This message has been automatically *** Expunged ***
Reason: Dubious stupidity.
On Tue, 2004-03-23 at 21:50, Dave Horsfall wrote:
On Tue, 23 Mar 2004, Paul Schmehl wrote:
Because I'd take stupidity over malice any day; it's much more abundant.
Depending upon who you ask, 100% of the
hmm..
On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
From: Paul Schmehl [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: [Full-Disclosure] viruses being sent to this list
Date: Mon, 22 Mar 2004 23:32:53 -0600
/* snippage */
Not picking on you, your post is just a
This message has not been *** Expunged ***
Reason: Because you're a God!
But, nonetheless, truthfully, it isn't any fault of any list managers
here.
-b
On Tue, 2004-03-23 at 23:22, John Sage wrote:
hmm..
On Mon, Mar 22, 2004 at 11:32:53PM -0600, Paul Schmehl wrote:
From: Paul Schmehl
On Tue, 23 Mar 2004 [EMAIL PROTECTED] wrote:
Someone said that they haven't seen any virus postings; you sure they
are not being dumped by your ISP? They are *definitely* there.
I know many get dumped by my mail server, which is why I went and checked the
actual list archives, and I
What does this tell us? Virii are getting out via the list; whether
they are being transmitted inadvertently or deliberately is
still open
to question...
Hi all
I've ranted on this thread offline and on, and I still would really like
to know what the issue is? Viruses run
Dear Lists,
I have had an incredible surge in demand following my recent post of the
analysis of the 'Witty' worm. Initially, some of you were able to access
it now, but most of you were not. For those of you who were not able to
obtain a copy, a mirror has been made available. Tremaine Lea
Hi,
Matt Murphy sent me the HTML file as an attachment after I offered to put it
online here.
I hope our server can withstand it :) ...
!!! I'd like you to download the ZIPped file if possible ...!!!
http://ftp.erm.tu-cottbus.de/security/witty-analysis.zip
Proof of Concept:
e-matters is not going to release an exploit for any of these
vulnerabilities to the public.
So why should we believe you then?
--
For Good, return Good. For Evil, return Justice.
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- --
Debian Security Advisory DSA 467-1 [EMAIL PROTECTED]
http://www.debian.org/security/ Matt Zimmerman
March 23rd, 2004
From: exon [EMAIL PROTECTED]
This is old news.
It is also RFC compliant behaviour, even though admitted silly.
You say this is old news. Can you tell me where this WS_FTP server
vulnerability has been published before? I always search google and BugTraq
before posting anything to make sure