Mister Coffee wrote:
Simon Lorentsen wrote:
Hi guys / gals,
Had a conversation tonight, and have been reading the IRC threads and
wondered if anyone could answer the following.
In the following scenario, you are a business: can IRC logs of
conversations and lists of hosts be held up in a court of
d educate myself.
No hard feelings n3td3v, this isn't a flame.
Jim Tuttle
Tuttle Information Systems.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of n3td3v
Sent: Wednesday, November 17, 2004 10:06 AM
To: Todd Towles; [EMAIL PROTECTED]
Subject: Re: FW:
Curt Purdy wrote:
Upgrade W2K to XP? I call that a downgrade! I won't allow XP (sp2 or not)
on my network. All new boxes must be reformatted and W2K or SuSE Linux or
BSD installed (unless of course it is a Mac with OpenBSD kernel that is
always welcome).
Interesting. Do you know where I can get a
* [EMAIL PROTECTED] ([EMAIL PROTECTED]) wrote:
> On Mon, 08 Nov 2004 09:00:03 +0100, patryn said:
>
> > "Microsoft is concerned that this new report of a vulnerability in
> > Internet Explorer was not disclosed responsibly, potentially putting
> > computer users at risk"
>
> Is a black hat who
J.A. Terranson wrote:
Getting this angry little bully away from both the nuclear and
conventional triggers should be a top priority for *every* country.
That's _nuclular_. I have no idea how he pronounces conventional.
-jim
http://www.loganalysis.org
Check the library section.
Jim B.
. Pick a "small" offense. Maybe child molestation.
Then come back, sit down in front of your computer (ouch!) and report to
us how fun it was, and how you think it's a fine idea as a career path.
We'll be waiting...
-jim
http://isatools.org/block_fake_google.vbs is the link of choice...
Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)
"The last 10 years of Internet usage has disproven
the theory that a million monkeys typing on a million
typewriters would eventually produce the com
Did you advise Google as well?
Look for an ISA 2004 blocking filter today...
e's even GUI tools like
fwbuilder to do things GUI style. I've had some performance issues on
iptables though when the data starts moving fast, but those are likely
due to the slow machine I use it on (P133) and/or the old kernel and
iptables implementation I'm using (needs upgra
long as it passes through the PIX and exits a different
interface. Always seemed kind of silly to me.
- Jim
Ben Nelson wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
You must have some statics in place then, which is a static 'NAT'
translation.
Cyril Guibourg wrote:
| "Otero
;s a short summary of the results I got along with some cpu & mem
info. The complete results returned by both versions are attached below.
--jim
$ ./f-prot SERVER_dwn.zip
Virus scanning report - 14. June 2004 18:07
F-PROT 3.12d
SIGN.DEF created 12. June 2004
SIGN2.DEF created 12. June
I have seen a little of this worm/trojan as well... same IP, Unreal v3.2 IRC
server.
I am leaning to the same conclusion as Josh. Note: I said leaning, not
completely convinced. I have seen in the IRC traffic some references to
lsass, including what I think might be the command-line to instruct
On Friday 28 May 2004 13:08, Oliver Friedrichs wrote:
> > I don't see how a broadcast MAC address would help the attacker.
> > The target would still receive it.
>
> I think you're missing his point, which is that IDSs that do not
> track MAC level state (and only track IP / TCP level state) are
>
On Thursday 27 May 2004 16:19, Michal Zalewski wrote:
> For the purpose of this discussion, let us assume the IDS has a
> detector designed to detect malicious SMTP commands sent to a remote
> server. The detector looks for "DEBUG" command in these commands, but
> not when the session is in BODY mo
Title: RE: [Full-Disclosure] Re: Cisco's stolen code
-Original Message-
From: [EMAIL PROTECTED]
To: Benjamin Krueger
Cc: Mister Coffee; Tobias Weisserth; [EMAIL PROTECTED]
Sent: 5/27/04 10:27 AM
Subject: Re: [Full-Disclosure] Re: Cisco's stolen code
On Wed, 26 May 2004 14:36:13
Title: RE: [Full-Disclosure] what CMS to use for a CERT?
> -Original Message-
> From: Koen [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 12, 2004 3:17 PM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] what CMS to use for a CERT?
>
>
> Hi,
>
> I'm looking for a good conten
Title: Message
We
started seeing these trapped on our gateways late Monday night EST, we are just
blocking it and have not dissected it at all.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 24, 20
email trojan
2) ???
3) Got root...
My MUA doesn't execute attachments, does that mean I am invulnerable?
no, just far less vulnerable than someone who's relying on an MUA that
can't tell the difference between open() and exec()
--
Jim Richardson http://www.eskimo.com/~warlock
On Sun, Mar 21, 2004 at 09:49:29AM +0100, Cedric Blancher wrote:
On Sun 21/03/2004 at 02:04, Jim Richardson wrote:
>Keylogger ?
Installed how?
With the worm...
Where? /home is mounted noexec.
--
Jim Richardson http://www.eskimo.com/~warlock
"You have grown old in the fin
On Sat, Mar 20, 2004 at 03:29:56PM -0800, Blue Boar wrote:
Jim Richardson wrote:
Key won't do them much good if they don't have my passphrase :)
can't the key be brute-forced in some kind of distributed fashion? like
spam-sending bots we could also have key brute-forcing bots
dunno, I'd be willing to listen to evidence that it could, but put it
pretty low down on the list of things to worry about.
--
Jim Richardson http://www.eskimo.com/~warlock
When the DM smiles, it's already too late.
t know you were compromised at one point, though. :)
Key won't do them much good if they don't have my passphrase :)
--
Jim Richardson http://www.eskimo.com/~warlock
Windows XP... now runs all your favorite viruses.
Actually, what is really needed and primarily missing
from the security picture is:
1. Risk Analysis/Computation and communication with
Business side.
2. INFOSEC department reporting directly to board or
CFO with some sort of impedance-matched engagement
with networking/systems/development.
The p
On Fri, 2004-02-27 at 09:39, [EMAIL PROTECTED] wrote:
> On Wed, Feb 25, 2004 at 11:11:46AM -0500, randall perry ([EMAIL PROTECTED]) wrote:
> > If there is no solution, there is no problem..
>
> Sounds like M$ public line "If there is no patch, there is no exploit..."
> :-)
Maybe the patch *is* th
The message contains Unicode characters and has been sent as a binary attachment.
The message cannot be represented in 7-bit ASCII encoding and has been sent as a
binary attachment.
--
Jim
P.S. try to analyze this (un-safe) picture: http://ut.uk.to/cs.jpg
Picture itself is very interesting.
___
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Looks like caldera.com and calderasystems.com are dead as well.
They all go (went) through the same sbcglobal.net:
as2828-xo.pxpaca.sbcglobal.net [151.164.89.62] reports: Destination
host unreachable
So it's not that surprising.
-jim
remote methods (HttpMethods: GET, POST, PUT, DELETE, etc) applied to any thing
(specifically, any resource), because such a system allows a maximum number of
otherwise uncoordinated actors to interoperate.
Take a closer look at:
http://www.ics.uci.edu/~fielding/pubs/dissertation/top.htm
--
Jim
.wsh
Of course, that will nuke a lot of stuff you don't want to lose,
especially for someone interested in security.
But it is one hell of a housecleaner. :)
-jim
s!
kisses...
-jim
having to
reformat often (because of this same awareness, never) is a good thing.
-jim
ox" using most browsing controls.
and
e) Get past me, not a dumb user.
If someone *really* wants to mess with the box they could likely do
damage. Nothing important here though. Please move on. Intelligent
switching based on traffic/content profile is currently beyo
subnet).
If you're using the machine in a true life-or-death environment (medical
monitoring, processing classified data, launch codes, etc), you're nowhere near
hardened enough.
Only life or death would be loss of connectivity. :) Nowhere near that
important...
-jim
is box (although a VPN'ed laptop
with a different OS is occasionally used from the same subnet).
>
> If you're using the machine in a true life-or-death environment (medical
> monitoring, processing classified data, launch codes, etc), you're
nowhere near
> harde
)
NOT running Outlook or OE
Mozilla with Java and JS disabled in email
An "admin" who knows not to run attachments
No add'l (hated) SW firewalls
No AV stuff running, except when scanning known executables
I am of course, asking for a "friend".
-jim
en copiers
for pretty much the last 15 years or so.
Their effectiveness has often been suspect, but it typically defeats the
casual bozo.
Such as you. :)
-jim
I noticed some action the previous 48 hours, and on checking logs this
morning it seems that port 6129 (DameWare Remote Admin) was the common
factor. ISC seems to have it on the top of their trends list:
http://isc.sans.org/top10.html
h.
-jim
Title: whois.crsnic.net hacked?
Following up on earlier post. FreeBSD whois defaults
to whois.crsnic.net
It appears that whois.crsnic.net is owned:
whois -h whois.crsnic.net microsoft.com
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with m
Title: RE: [Full-Disclosure] visa XSS?
:~#whois -m 64.21.80.2
route: 64.21.0.0/17
descr: Net Access Corporation
Core Network Block
9 Mt. Pleasant Tpk.
Denville, NJ 07834
origin: AS8001
mnt-by: MAINT-AS8001
changed: [EMAIL PROTECTED] 200
Never sorry about that, a more refined search came up with
http://www.winguides.com/registry/display.php/60/
Jason
- Original Message -
From: "Jim Duggan" <[EMAIL PROTECTED]>
To: "Full Disclosure" <[EMAIL PROTECTED]>
Sent: Wednesday, December 17, 2
I have a system with a content manager that is enabled and obviously
passworded, to which the password is not known. Might anyone know where
this key/enable flag is stored in the registry? I'm hoping I can either
just tick it to disable or maybe just clear the password value. Google
didn't come up wit
Jim Race wrote:
http://petard.freeshell.org/ms-announce.html
Mozilla 1.5:
Displays in status bar, as well as takes user to http://www.microsoft.com
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007
Check that. With Moz 1.5:
Opening in a new *TAB* takes one to MS
-jim
I have a few customers using various Dell PCs, and it seems upon booting
up with an HP all-in-one printer attached to the USB port the PC attempts
to boot off the printer, causing boot times to exceed 20 minutes.
Obviously it's timing out after said time, but I'm wondering what the hell
makes the Dell b
A friend
contracted this .hta that seems to edit your profile with a link to itself, http://www.talkstocks.net/
Attached is the .hta file it attempts to run.
It looks to be encoded, which is something I don't know much about, but I'm sure
most people on this list will have no problem reading
issues
(really; I don't know them) regarding my own company's design choices,
but I'll bet they'd love to hear from you directly.
The idea of "listen to the customer" is being made very clear to
everyone these days.
The "squeaky wheel..." and all that.
* Jim Harris
hnical value is lost in the screams of
"EEeeevil!"
Later,
* Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)
"I used to hate writing assignments, but now I enjoy them.
I realized that the purpose of writing is to inflate weak ideas,
obscure
Having followed your link to the "book written under contract", it's
immediately clear why it was never published.
I won't get into a debate about your assertions; just a reminder that
how you choose to express yourself is at least as important as what you
have to say.
* Jim
Title: RE: [Full-Disclosure] Mystery DNS Changes
-Original Message-
From: Hansen, Kevin
To: '[EMAIL PROTECTED]'
Sent: 10/1/03 3:19 PM
Subject: [Full-Disclosure] Mystery DNS Changes
We have seen multiple instances where DHCP enabled workstations have had
their DNS reconfigured to po
n a locked room somewhere. We
still had security problems back then but they were a lot easier to deal with.
Yet another case where Bill Bates and his like have a lot to answer for.
Remind me again why client/server was supposed to have been a good idea? Sigh.
--
--
Jim LaneQue
/verisign-dns/
The rate of sign-up to this petition seems to be running at about 2 or 3
signatures a minute.
You can make a difference.
Jim Q
I hate talking to myself, but...
Apparently PetitionOnline broke and lost some signatures. See Here:
http://www.whois.sc/verisign-dns/status-update.html
Since
Revisions:
V1.0 (August 20, 2003): Bulletin Created.
V1.1 (August 25, 2003): Added information regarding ASP.NET related issues with Windows XP patch.
V1.2 (August 28, 2003): Added details to reboot information in Additional Information section.
V1.3 (September 8, 2003): Added information rega
unsubscribe habitat
[EMAIL PROTECTED]
Outlook, but isn't
-jim
Mike @ Suzzal.net wrote:
Home and business firewalls
Question to ponder:
yes, just 7 - 8 - 9 are vulnerable
Real Server 9 and earlier versions (RealSystem Server 8, 7 and RealServer G2) are vulnerable to a root exploit
Dmitry Alyabyev <[EMAIL PROTECTED]> wrote:
If I got it correctly, versions prior to 7 aren't vulnerable?
-- Dimitry
> I think that this exploit is for
i think that, this exploit is for this bug ?!
http://www.k-otik.com/exploits/08.25.THCREALbad.c.php
--
[EMAIL PROTECTED] wrote:
FYI, I've posted information on the recent RealServer vulnerability here:
http://lists.immunitysec.com/pipermail/dailydave/2003-August/30.html
Dave Aitel
Immunity,
Original Message
Subject: R: [Full-Disclosure] Subject prefix changing! READ THIS! SURVEY!!
From:[EMAIL PROTECTED]
Date:Fri, August 22, 2003 1:31 pm
To: [EMAIL PROTECTED]
-
I vote for number 1.
... or as second choice, number 2.
> My vote is for number two, to shorten to HD or to have nothing at all...
>
> Are two votes allowed???
>
> Jonathan
>
>
> -Original Message-
> From: Chris Cappuccio [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 21, 2003 11:43 A
What? Did AOL turn off access to Google?
http://www.symantec.com/avcenter/venc/data/jdbgmgr.exe.file.hoax.html
Can we quit with discussions of SoBig, Blaster and other garbage for
awhile please?
-jim
[EMAIL PROTECTED] wrote:
Hi everyone,
I'm getting warnings that the file _jdbgmgr
I think anyone that has a 79 line .sig shouldn't have email.
-jim
Stephen Clowater wrote:
> Personally, I think FD should bounce back any message with a binary
> attachment to the poster. This is not a 0day exploit list; if you can't
> compile it yourself, you shouldn't h
Lawsuits?
Read your shrink wrap agreement, you own the liability of the software
and any data that you create with it...
Nice theory, but it doesn't hold water.
That would be the same as saying that since the car you purchased wasn't
made to filter sugar out of the gas tank, that an attack on th
Southwest Bell services did the same. Bueller?
-jim
This is incorrect. It will tftp back to the machine that infected
it. I've spent the past 12 hours cleaning up a network where tftp to the
internet was blocked.
---Jim
On or about Tue, 12 Aug 2003, Maarten pontificated thusly:
> I was wondering about the following scenario:
On Wed, Jul 30, 2003 at 07:49:28PM +0300, Jouko Pynnonen wrote:
>
> On Wed, Jul 30, 2003 at 12:37:44PM -0400, Rukshin, David wrote:
> > Modify the command (you need to add a trailing slash) to be the following:
> >
> > LD_PRELOAD=/`perl -e 'print "A"x2000'`/ passwd
> >
> > and try it again.
>
ities in
media services clearly are germane to this mailing list.
Jim
==
Jim Duncan, Critical Infrastructure Assurance Group, Cisco Systems, Inc.
[EMAIL PROTECTED], +1 919 392 6209, http://www.cisco.com/go/ciag/.
PGP: DSS 4096/1024 E09E EA55 DA28 1399 75EB D
Not sure this is leading to anything useful or why it is on this list,
but...
Same here:
AppName: iexplore.exe AppVer: 6.0.2800.1106 ModName: msieftp.dll
ModVer: 5.50.4807.2300 Offset: b8bc
The thread 'Win32 Thread' (0xc90) has exited with code 0 (0x0).
Unhandled exception at 0x039cb8
d might not be correct. It certainly
won't be updated automatically. Anyone relying on it might not get the
best information.
Disclaimer: I am no longer a member of the PSIRT team, but I am well
aware of the impact from out-of-date cached copies of advisories.
Thanks.
Jim
Confirmed on Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.4) Gecko/20030624!
Simply opening a page calling:
Win98SE, all patches. Expected to affect Netscape 7.1 as well.
No kidding. Took Moz down first, then Explorer. Ick.
Filed bug with Moz team.
-jim
Anyone running Win9x/ME should likely hold off on this for a bit.
It's non-functional at the moment. Of course, so is Win9x/ME, but that's
not the point. See:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=16288
-jim
Original Message
Subject: [ANNOUNCE] Apa
the hole)? Where was this bug fixed in 2.4.19? The
CHECK_IF_IN_TRAP stuff in handle_vm86_fault?
-jim
ed to the Sycamore stuff -- IIRC, the
Sycamore platforms were built on a default Redhat 6.1 installation.
-jim
-Original Message-
From: [EMAIL PROTECTED]
[mailto:full-disclosure-admin@;lists.netsys.com]On Behalf Of Cisco
Systems Product Security Incident Response Team
Sent: Thursday, Oc