Re: [Full-Disclosure] Network Sniffing

2004-11-30 Thread Ben Nelson
Take a look at: http://www.insecure.org/tools.html I've used almost all of the tools on that list at one time or another. A list of my favorites (sniffer-type tools) would include: ntop -- great at getting a good overall picture (top-talkers, etc) ethereal -- good protocol analysis, reads pcap (t

Re: [Full-Disclosure] Network Sniffing

2004-11-30 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Take a look at: http://www.insecure.org/tools.html I've used almost all of the tools on that list at one time or another. A list of my favorites (sniffer-type tools) would include: ntop -- great at getting a good overall picture (top-talkers, etc) ether

Re: [Full-Disclosure] PIX vs CheckPoint

2004-06-30 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 You must have some statics in place then, which is a static 'NAT' translation. Cyril Guibourg wrote: | "Otero, Hernan (EDS)" <[EMAIL PROTECTED]> writes: | | |>I think you do, because at least a nat 0 it's needed to get traffic passing |>through

Re: [Full-Disclosure] Akamai

2004-06-15 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Keep in mind that the term 'DOS' doesn't necessarily mean 'flood of traffic'. A denial of service is just that..a _denial of service_ by any means, and I'd say that there was definitely some service being denied. Don't think so? Ask Google or

Re: [Full-Disclosure] User bypass privs for Mysql??

2004-05-18 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Esler, Joel - Contractor wrote: | I did not have the grant priv, I had select, insert on mysql db. (I did | log in as a different user --i.e. not root) Using MysqlCC I changed the | Grant field from N to Y, and then could grand myself all privs to eve

Re: [Full-Disclosure] User bypass privs for Mysql??

2004-05-18 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 What permissions DID you have prior to editing your grants? How did you edit the grant (i.e. update user set Grant_priv = 'Y' where user = 'floobie' )? What version of mysql? Did you log in as yourself to edit the grants, or as another user? Also,

Re: [Full-Disclosure] NEVER open attachments

2004-03-19 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I think your MUA is interpreting signed mail as simply a blank email with a text attachment (the PGP signed message). Many people on this list PGP sign their messages, so if your MUA is mis-interpreting these messages as text attachments, you need to

Re: [Full-Disclosure] a question about e-mails

2004-02-27 Thread Ben Nelson
o maybe 'broken' is an unfair description. 'Poorly configured' may be a better choice of words. - --Ben Nico Golde wrote: | Hallo Ben, | | * Ben Nelson <[EMAIL PROTECTED]> [2004-02-27 22:28]: | |>Hash: SHA1 |> |>Sounds like a broken MTA to me. | | | why? | rega

[Full-Disclosure] OpenPGP (GnuPG) vs. S/MIME

2004-02-27 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'd like to open a discussion about PGP vs. S/MIME . I've been pondering secure (or at least verifiable) mail lately and I see these two standards as the main options available at this point. It seems to me that PGP is the better of the two options bec

Re: [Full-Disclosure] a question about e-mails

2004-02-27 Thread Ben Nelson
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Sounds like a broken MTA to me. Nico Golde wrote: | Hallo Chris, | | * Chris Smith <[EMAIL PROTECTED]> [2004-02-26 13:50]: | |>>I have a question for it experts. I want to learn if there is any way of |>>understanding/finding the e-mail addresses at BC

Re: [Full-Disclosure] Sample of Mydoom A & B

2004-02-02 Thread Ben Nelson
Nick FitzGerald wrote: ":-\)" <[EMAIL PROTECTED]> wrote: Ok I am a bit late into this game, been caught up doing other work in office and skipped through the whole Mydoom experience. I am hoping someone here has a copy of Mydoom A and B. If so, please contact me off-line. THANK YOU Oh good,

Re: [Full-Disclosure] MyDoom bios infection

2004-01-29 Thread Ben Nelson
Frank Knobbe wrote: On Thu, 2004-01-29 at 03:14, Ferris, Robin wrote: It was also unknown that the virus infects the BIOS of the computer it infects by injecting a 624-byte backdoor written in FORTH which will open port tcp when Mydoom will be executed AFTER February 12. Although code in BIOS cou

Re: [Full-Disclosure] Security conferences

2004-01-22 Thread Ben Nelson
www.sans.org n30 wrote: Guys, Anybody aware of a calendar / list of security related conferences worldwide?? Any links / pointers helpful Thanks in advance -N

Re: [Full-Disclosure] Is the FBI using email Web bugs?

2004-01-08 Thread Ben Nelson
rtainly can't hurt and is good security policy in general. --Ben ~ -Original Message- From: [EMAIL PROTECTED] [mailto:full-disclosure- [EMAIL PROTECTED] On Behalf Of Ben Nelson Sent: Wednesday, January 07, 2004 7:34 PM To: Gregh Cc: [EMAIL PROTECTED] Subject: Re: [Full-Disclosure] I

Re: [Full-Disclosure] Is the FBI using email Web bugs?

2004-01-07 Thread Ben Nelson
Gregh wrote: wont listen. In Zone Alarm you can tell it to DISALLOW Outlook Express (or whatever you like) access to different ports. So, I tell it to disallow access to or from port 80 by OE. Thus, a received HTML email with pics and such in it just shows blanks, "x" or placeholders, really. Now,

Re: [Full-Disclosure] Re: Remote root exploit for mod_gzip (with debug_mode)

2003-11-20 Thread Ben Nelson
I s'pose it's only a 'root' exploit if you're running your webserver as root. --Ben martin f krafft wrote: also sprach Alexander Antipov <[EMAIL PROTECTED]> [2003.11.20.2028 +0100]: / uid=99(nobody) gid=99(nobody) groups=99(nobody) where is the root exploit?

Re: [Full-Disclosure] syslog consolidation

2003-11-10 Thread Ben Nelson
I've had pretty good luck with syslog-ng . Easy to configure and pattern matching for log separation works great in my situation. --Ben Ivan Coric wrote: Hi List, I am looking into consolidation tools for syslog and syslog daemon replacement and would like to hear from the list on your experie

Re: [Full-Disclosure] Proxies

2003-10-31 Thread Ben Nelson
only understands HTTP (to prevent other services from being tunneled over port 80), you should be good to go. That isn't going to stop other services from being tunneled over port 80. There are quite a few ways to do this. See Firepass. It is a tunneling tool, allowing one to bypass firewall restrict

Re: [Full-Disclosure] Proxies

2003-10-31 Thread Ben Nelson
Blocking all internal->external traffic and then allowing ONLY the needed services from the necessary hosts is the best way to stop this sort of abuse. Then, using a web proxy that filters web content and only understands HTTP (to prevent other services from being tunneled over port 80), you s

Re: [Full-Disclosure] 27347

2003-10-31 Thread Ben Nelson
http://www.iss.net/security_center/advice/Exploits/Ports/27374/default.htm Joe Blow wrote: Anyone ever find out what this was?

Re: [Full-Disclosure] Microsoft plans tighter security measures in Windows XP SP2

2003-10-31 Thread Ben Nelson
yossarian wrote: Most of it appears to be tighten the defaults. Useful, yes, but not very new.. New or not, it is one of the major gripes I always hear from Sys Admins in reference to MS software. No doubt, it should have happened a long time ago, but, as they say, better late than never.

Re: [Full-Disclosure] IDS Evasion

2003-10-29 Thread Ben Nelson
Here's a good start: fragroute -- http://www.monkey.org/~dugsong/fragroute/ snot -- http://www.stolenshoes.net/sniph/index.html stick -- http://www.eurocompton.net/stick/projects8.html whisker and a few IDS evasion papers -- http://www.wiretrip.net/rfp/ --Ben simon wrote: -BEGIN PGP SIGNED MES

Re: [Full-Disclosure] New Microsoft security bulletins today

2003-10-15 Thread Ben Nelson
Well, after installing the patches recommended by Windows Update my machine won't boot. It gives me a stop error complaining about an inaccessible boot device. Ruh-roh Microsoft.. Has anyone else seen this behavior? Thank god I test all patches on a disposable box before applying them el

Re: [Full-Disclosure] New port 901 scans

2003-09-19 Thread "Ben Nelson"
I can confirm. I've been seeing an increase in TCP/901 scans for the last 4-5 days. --Ben On September 19, 8:52 am "J. Race" <[EMAIL PROTECTED]> wrote: > I'm seeing an increase in port 901 scans this morning starting a little > over 3 hours ago, all from individual IP's outside my netblock > ori

Re: [Full-Disclosure] sans.org

2003-09-02 Thread Ben Nelson
I have 3 geographically dispersed data centers and 2 of the 3 can look up those names successfully. The one that can not look them up can not look up www.giac.org either. On September 2, 1:29 pm "lepkie" <[EMAIL PROTECTED]> wrote: > maybe off topic > > can anyone resolve www.sans.org or www.inci

Re: [Full-Disclosure] Lets discuss, Firewalls...

2003-08-30 Thread Ben Nelson
On August 29, 9:33 pm "Mike @ Suzzal.net" <[EMAIL PROTECTED]> wrote: > > Can you get to it? How? Possibly. Source routed packets. > > Do you still need a firewall? Why? > Yes. To block source routed packets. There may be a registry setting to not accept source routed packets on windows...I'm no

Re: [Full-Disclosure] Authorities eye MSBlaster suspect

2003-08-29 Thread Ben Nelson
You need to keep in mind that affected != infected. Many of us admins who don't even administrate a single windows box were affected by the amount of bandwidth consumed by people who were infected. This thing effectively created a denial of service on many networks and any host trying to use that net

Re: [Full-Disclosure] Subject prefix changing! READ THIS! SURVEY!!

2003-08-21 Thread Ben Nelson
Option 1: scrap it --Ben On August 21, 11:43 am Chris Cappuccio <[EMAIL PROTECTED]> wrote: > Hey folks, > > ALL LIST MEMBERS ARE ENCOURAGED TO RESPOND AND MAKE A CHOICE AS TO HOW > THEY WANT THIS BASIC FUNCTION OF THE LIST TO CONTINUE OPERATING. > > The subject header is going to change. > > This

RE: [Full-Disclosure] SoBig.F strange problem

2003-08-20 Thread Ben Nelson
On August 20, 7:09 am "Steve Bremer" <[EMAIL PROTECTED]> wrote: > > line). But it seems to be broken in other areas, I think I'm getting > > We've noticed a few problems with it as well. We've received a few e- > mails with one of the typical Sobig subject lines, only no > attachment. The attach