lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <001e01c3d7fb$d0945110$800101df@yaar>
From: dfbarth at akiva.com (David Bartholomew)
Subject: 3 new MS patches next week... but none fix 0x01!

It's interesting, too. I grabbed up both the login.htm and tried to get the
form.php (which redirected wget to logged.html) files. Picked through them,
and I've got this question for the list:

This really long 'form action' item
http://www.citibank.com:achaaa9uwdtyazjwvwaaaa9p398haaa9uwdtyazjwvwaboundpyw
wgc2l6zt00pjxtvgc2l6zt00pjxywwgc2l6zt00pjxt398haaa9uwdtyazjwvwaaoundpywwgc2l
6zt00pjxtvgc2l6zt00pjxvgc2l6zt00pjxt@....239.150.170/login/form.php

obviously contains the 0x01 exploit. What I'm curious about is the HUGE
amount of crap in between the : and the @ sign. I mean, if the 0x01 exploit
is 'good enough', what's with the extra characters?

.dfbarth

***
David Bartholomew, MCSE, MCSA, MCP, Net+, A+
Technical Lead - Akiva, Inc.
***

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of J G
Sent: Saturday, January 10, 2004 9:10 PM
To: mlande@...lsouth.net; nick@...us-l.demon.co.uk;
full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none
fix 0x01!


Hi Mary,

What's the subject of the Citibank email you just received? I'd like to
block it on our SMTP gateways.

Thanks,

Ray

>From: "Mary Landesman" <mlande@...lsouth.net>
>To: <nick@...us-l.demon.co.uk>, <full-disclosure@...ts.netsys.com>
>Subject: Re: [Full-Disclosure] 3 new MS patches next week... but none fix
>0x01!
>Date: Sat, 10 Jan 2004 20:26:20 -0500
>
>There now seems to be an active Citibank phishing email exploiting the 0x01
>vulnerability. The message states in part:
>------------------------
>On January 10th 2004 Citibank had to block some accounts in our system
>connected with money laundering, credit card fraud, terrorism and check
>fraud activity. The information in regards to those accounts has been
>passed
>to our correspondent banks, local, federal and international authorities.
>
>Due to our extensive database operations some accounts may have been
>changed. We are asking our customers to check their checking and savings
>accounts if they are active or if their current balance is correct.
>
>Citibank notifies all it's customers in cases of high fraud or criminal
>activity and asks you to check your account's balances. If you suspect or
>have found any fraud activity on your account please let us know by logging
>in at the link below.
>------------------------
>
>The link is a button. When clicked, it takes the user to an address that
>"seems" to be citibank.com. Instead it is really
>http://211.239.150.170/login/login.htm. I've just received a copy of it and
>verified that the site is still active.
>
>The IP resolves to:
>
>[ ISP Organization Information ]
>Org Name      : Enterprise Networks
>Service Name  : ENTERPRISENET
>Org Address   : GNG IDC B/D, 343-1 Yhatap-dong, Pundang-gu, Seongnam
>
>[ ISP IP Admin Contact Information ]
>Name          : Hyo-Sun, Chang
>Phone         : +82-2-2105-6082
>Fax           : +82-2-2105-6100
>E-Mail        : ip@...etworks.co.kr
>
>[ ISP IP Tech Contact Information ]
>Name          : IP
>Phone         : +82-2-2105-6016
>Fax           : +82-2-2105-6100
>E-mail        : ip@...etworks.co.kr
>
>[ ISP Network Abuse Contact Information ]
>Name          : Postmaster
>Phone         : +82-2-2105-6075
>Fax           : +82-2-2105-6100
>E-mail        : abuse@...etworks.co.kr
>
>Regards,
>Mary Landesman
>Antivirus About.com Guide
>http://antivirus.about.com
>
>
>----- Original Message -----
>From: "Nick FitzGerald" asked:
>
> > OK -- is HSBC bank a large enough client of Microsoft's??
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html

_________________________________________________________________
Learn how to choose, serve, and enjoy wine at Wine @ MSN.
http://wine.msn.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ