Date: Wed Apr  5 21:25:51 2006
From: ian.t7 at hotmail.co.uk (Ian stuart Turnbull)
Subject: obtai an IP of an MSN Messenger contact

Many thanks for that. In fact I should've known this myself [rap over 
knuckles with ruler] as its the Apache logs that started me on this hacking 
thing. After checking my logs I noticed some strange entries and I believe 
on this post I posted some of these strange HTTP requests. I was tols that 
they were known exploits in AWSTATS which I fortunately don't have 
installed. Funny because the IP's of these attackers were in the log as 
well.
Now I feel just a little foolish.

Still thanks for the good info - nice one

Ian t

>From: n3td3v <n3td3v@...il.com>
>To: full-disclosure@...ts.grok.org.uk
>Subject: Re: [Full-disclosure] obtai an IP of an MSN Messenger contact
>Date: Wed, 5 Apr 2006 21:01:13 +0100
>MIME-Version: 1.0
>Received: from lists.grok.org.uk ([195.184.125.51]) by 
>bay0-pamc1-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 
>5 Apr 2006 13:02:29 -0700
>Received: from lists.grok.org.uk (localhost [127.0.0.1])by 
>lists.grok.org.uk (Postfix) with ESMTP id EE8F49B8;Wed,  5 Apr 2006 
>21:01:36 +0100 (BST)
>Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.196])by 
>lists.grok.org.uk (Postfix) with ESMTP id 4AFD4861for 
><full-disclosure@...ts.grok.org.uk>;Wed,  5 Apr 2006 21:01:14 +0100 (BST)
>Received: by zproxy.gmail.com with SMTP id x3so18967nzdfor 
><full-disclosure@...ts.grok.org.uk>;Wed, 05 Apr 2006 13:01:14 -0700 (PDT)
>Received: by 10.35.39.2 with SMTP id r2mr1632pyj;Wed, 05 Apr 2006 13:01:14 
>-0700 (PDT)
>Received: by 10.35.81.8 with HTTP; Wed, 5 Apr 2006 13:01:13 -0700 (PDT)
>X-Message-Info: JGTYoYF78jF1123Vdz1Tm0nLIjUyMP7/Ma7BNwoBhSo=
>X-Original-To: full-disclosure@...ts.grok.org.uk
>Delivered-To: full-disclosure@...ts.grok.org.uk
>DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; 
>d=gmail.com;h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;b=pAUwF0M5GrJQx7gfHZS304dsuhu2C0dFRaUjwIBXJY7t+M6ZiEsveZgY6xUKtvJaBGER0G1PYsIHWlsVTPukUAqIr6DbpGkMzbiwkJngIx3iqzG9oscibFVGNolh/aAyxsJ7i8Dnx6B583FCU/4ILI9jN5B+UpCeZeq+mASl3AA=
>References: 
><BAY112-F27B14A594D5CB1C1C6771F99CA0@....gbl><C6DE7C2B-BDD2-47AE-8890-ED1C9F54E578@...erpix.com><4433052D.1010805@...il.com><3a166c090604051059l39c0fcbfk42c3c9ca523e74d0@...l.gmail.com><Pine.LNX.4.63.0604052009520.6721@...se.vidarlo.net><200604051823.k35IN0FJ015763@...ing-police.cc.vt.edu><3a166c090604051150m5193994wfa5b029813231b87@...l.gmail.com><3a166c090604051222q431c8cd7p2aa49f77f053237c@...l.gmail.com><18f211400604051234p4784cc46o2ca7a1d9226d11c7@...l.gmail.com>
>X-BeenThere: full-disclosure@...ts.grok.org.uk
>X-Mailman-Version: 2.1.5
>Precedence: list
>List-Id: An unmoderated mailing list for the discussion of security 
>issues<full-disclosure.lists.grok.org.uk>
>List-Unsubscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=unsubscribe>
>List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
>List-Post: <mailto:full-disclosure@...ts.grok.org.uk>
>List-Help: <mailto:full-disclosure-request@...ts.grok.org.uk?subject=help>
>List-Subscribe: 
><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
><mailto:full-disclosure-request@...ts.grok.org.uk?subject=subscribe>
>Errors-To: full-disclosure-bounces@...ts.grok.org.uk
>Return-Path: full-disclosure-bounces@...ts.grok.org.uk
>X-OriginalArrivalTime: 05 Apr 2006 20:02:29.0538 (UTC) 
>FILETIME=[DE379020:01C658EB]
>
>On messenger though, not even corporate users use a proxy, even though 
>Yahoo
>offer their employees the "socks.yahoo.com" network. This is because using 
>a
>proxy over messenger really does affect the whole operation of refresh ping
>times on your messenger list status of users going on and offline etc. With
>your method of just getting someone to view a file hosted on a webserver
>wouldn't work if you were trying to hack Yahoo, because all employees, for
>the internet explorer, firefox browser, they all use the socks, socks1,
>socks2,socks3 and so on, so you would be in a highly unlikely position to
>actually getting their actual hostname. On messenger its different, the
>social psychology of corporate users is that they believe they are in a
>false sense of security, wrapped in cotton wool, because by adding you to
>their messenger list, you've already got by that "trust" element, and as
>soon as you do get on a messenger list of a corporate user then you have
>more or less suceeded in completing the most sicnificant part of the attack
>to steal corporate data from an individual within a major dot-com. If you
>want a non-proxy IP from a corporate user, messenger is the application 
>they
>very rarely use with their corporate proxy, trust me, I know about this
>stuff.
>
>On 4/5/06, Octal <octetstream@...il.com> wrote:
> >
> > If you have control over a webserver, send the friend a link to an 
>invalid
> > image on that webserver and tell them to click on it.  Once they've 
>clicked
> > the link check your server logs for that invalid image and you should 
>have
> > their IP address (unless they're using a proxy like mentioned before).  
>You
> > can also do this with an email if your "victim's" email client is 
>configured
> > to automatically render images when an email is opened.  This technique 
>has
> > been referred to as a "web bug".
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >


>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

_________________________________________________________________
Are you using the latest version of MSN Messenger? Download MSN Messenger 
7.5 today! http://join.msn.com/messenger/overview

Powered by blists - more mailing lists