lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <3a166c090604051344o31784ee2mca5a35ffa89671f@mail.gmail.com>
Date: Wed Apr  5 21:44:13 2006
From: n3td3v at gmail.com (n3td3v)
Subject: obtai an IP of an MSN Messenger contact

Funny you should mention awstats vulnerabilities, jeremy zawodny's domain (
zawodny.com) was hacked using an awstats vulnerability (by Infektion Group).
To this day, this yahoo employee offers great tips for international hackers
to target individual employees. Not only from the intelligence his blog
offers from his posts, but by the countless corporate users who post in his
comments section, and of course, his backend logs for his site are a wealth
of information on corporate users, but we won't go into the detaills of how
the logs of his site might be compromised and how they would be used to
attack the yahoo dot com domain right now. And Yahoo's word on Yahoo
employees blogging and the relation to major cyber attacks against Yahoo dot
com infrastructure, along with its domain name servers, a lot of the time
provided by "aka" is of course complete silence. How cute.

On 4/5/06, Ian stuart Turnbull <ian.t7@...mail.co.uk> wrote:

> Many thanks for that. In fact I should've known this myself [rap over
> knuckles with ruler] as its the Apache logs that started me on this
> hacking
> thing. After checking my logs I noticed some strange entries and I believe
> on this post I posted some of these strange HTTP requests. I was tols that
> they were known exploits in AWSTATS which I fortunately don't have
> installed. Funny because the IP's of these attackers were in the log as
> well.
> Now I feel just a little foolish.
>
> Still thanks for the good info - nice one
>
> Ian t
>
> >From: n3td3v <n3td3v@...il.com>
> >To: full-disclosure@...ts.grok.org.uk
> >Subject: Re: [Full-disclosure] obtai an IP of an MSN Messenger contact
> >Date: Wed, 5 Apr 2006 21:01:13 +0100
> >MIME-Version: 1.0
> >Received: from lists.grok.org.uk ([195.184.125.51]) by
> >bay0-pamc1-f5.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830);
> Wed,
> >5 Apr 2006 13:02:29 -0700
> >Received: from lists.grok.org.uk (localhost [127.0.0.1])by
> >lists.grok.org.uk (Postfix) with ESMTP id EE8F49B8;Wed,  5 Apr 2006
> >21:01:36 +0100 (BST)
> >Received: from zproxy.gmail.com (zproxy.gmail.com [64.233.162.196])by
> >lists.grok.org.uk (Postfix) with ESMTP id 4AFD4861for
> ><full-disclosure@...ts.grok.org.uk>;Wed,  5 Apr 2006 21:01:14 +0100 (BST)
> >Received: by zproxy.gmail.com with SMTP id x3so18967nzdfor
> ><full-disclosure@...ts.grok.org.uk>;Wed, 05 Apr 2006 13:01:14 -0700 (PDT)
> >Received: by 10.35.39.2 with SMTP id r2mr1632pyj;Wed, 05 Apr 2006
> 13:01:14
> >-0700 (PDT)
> >Received: by 10.35.81.8 with HTTP; Wed, 5 Apr 2006 13:01:13 -0700 (PDT)
> >X-Message-Info: JGTYoYF78jF1123Vdz1Tm0nLIjUyMP7/Ma7BNwoBhSo=
> >X-Original-To: full-disclosure@...ts.grok.org.uk
> >Delivered-To: full-disclosure@...ts.grok.org.uk
> >DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta;
> >d=gmail.com
> ;h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;b=pAUwF0M5GrJQx7gfHZS304dsuhu2C0dFRaUjwIBXJY7t+M6ZiEsveZgY6xUKtvJaBGER0G1PYsIHWlsVTPukUAqIr6DbpGkMzbiwkJngIx3iqzG9oscibFVGNolh/aAyxsJ7i8Dnx6B583FCU/4ILI9jN5B+UpCeZeq+mASl3AA=
> >References:
> ><BAY112-F27B14A594D5CB1C1C6771F99CA0@....gbl><
> C6DE7C2B-BDD2-47AE-8890-ED1C9F54E578@...erpix.com><
> 4433052D.1010805@...il.com><
> 3a166c090604051059l39c0fcbfk42c3c9ca523e74d0@...l.gmail.com><
> Pine.LNX.4.63.0604052009520.6721@...se.vidarlo.net><
> 200604051823.k35IN0FJ015763@...ing-police.cc.vt.edu><
> 3a166c090604051150m5193994wfa5b029813231b87@...l.gmail.com><
> 3a166c090604051222q431c8cd7p2aa49f77f053237c@...l.gmail.com><
> 18f211400604051234p4784cc46o2ca7a1d9226d11c7@...l.gmail.com>
> >X-BeenThere: full-disclosure@...ts.grok.org.uk
> >X-Mailman-Version: 2.1.5
> >Precedence: list
> >List-Id: An unmoderated mailing list for the discussion of security
> >issues<full-disclosure.lists.grok.org.uk>
> >List-Unsubscribe:
> ><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>,
> ><mailto:full-disclosure-request@...ts.grok.org.uk?subject=unsubscribe>
> >List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
> >List-Post: <mailto:full-disclosure@...ts.grok.org.uk>
> >List-Help: <mailto:full-disclosure-request@...ts.grok.org.uk
> ?subject=help>
> >List-Subscribe:
> ><https://lists.grok.org.uk/mailman/listinfo/full-disclosure>,
> ><mailto:full-disclosure-request@...ts.grok.org.uk?subject=subscribe>
> >Errors-To: full-disclosure-bounces@...ts.grok.org.uk
> >Return-Path: full-disclosure-bounces@...ts.grok.org.uk
> >X-OriginalArrivalTime: 05 Apr 2006 20:02:29.0538 (UTC)
> >FILETIME=[DE379020:01C658EB]
> >
> >On messenger though, not even corporate users use a proxy, even though
> >Yahoo
> >offer their employees the "socks.yahoo.com" network. This is because
> using
> >a
> >proxy over messenger really does affect the whole operation of refresh
> ping
> >times on your messenger list status of users going on and offline etc.
> With
> >your method of just getting someone to view a file hosted on a webserver
> >wouldn't work if you were trying to hack Yahoo, because all employees,
> for
> >the internet explorer, firefox browser, they all use the socks, socks1,
> >socks2,socks3 and so on, so you would be in a highly unlikely position to
> >actually getting their actual hostname. On messenger its different, the
> >social psychology of corporate users is that they believe they are in a
> >false sense of security, wrapped in cotton wool, because by adding you to
> >their messenger list, you've already got by that "trust" element, and as
> >soon as you do get on a messenger list of a corporate user then you have
> >more or less suceeded in completing the most sicnificant part of the
> attack
> >to steal corporate data from an individual within a major dot-com. If you
> >want a non-proxy IP from a corporate user, messenger is the application
> >they
> >very rarely use with their corporate proxy, trust me, I know about this
> >stuff.
> >
> >On 4/5/06, Octal <octetstream@...il.com> wrote:
> > >
> > > If you have control over a webserver, send the friend a link to an
> >invalid
> > > image on that webserver and tell them to click on it.  Once they've
> >clicked
> > > the link check your server logs for that invalid image and you should
> >have
> > > their IP address (unless they're using a proxy like mentioned before).
> >You
> > > can also do this with an email if your "victim's" email client is
> >configured
> > > to automatically render images when an email is opened.  This
> technique
> >has
> > > been referred to as a "web bug".
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> > >
>
>
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >Hosted and sponsored by Secunia - http://secunia.com/
>
> _________________________________________________________________
> Are you using the latest version of MSN Messenger? Download MSN Messenger
> 7.5 today! http://join.msn.com/messenger/overview
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060405/660d4ebe/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ