Message-ID: <MTE2MzU0MDg5My53eWtreWQ.1163540893@dissimulo.com>
Date: Tue, 14 Nov 2006 16:48:13 -0500 (EST)
From: "Bardus Populus" <disclosure@...kyd.securecoffee.com>
To: "ragdelaed" <ragdelaed@...il.com>
Cc: 'William Stanley' <vegacash@...oo.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: Austin Decking 512-385-5334 Austindecking
 wholesale

I sit here wondering how valuable (or legitimate) the certifications Mr
Swafford cites in his sig really are when he scanned some company server
because he was too [lazy|ignorant|distracted] to read the mail headers or
perform some simple whois queries, nslookups or a traceroute (all fairly
benign and non-intrusive).

"Owning" a uri does not mean they own or host the server.  Lumbermax is
listed as an Austin, TX, USA company, and is hosted on an "ironhosting"
server - the company mentioned coincidentally in the second spam
purportedly from Mr Stanley.

www.lumbermax.com resolves to 66.185.124.10 which is IP space residing in
Illinois.

So, you nmap scanned a company residing in Austin TX, which is really a
website hosted on a server in Illinois, because of a spam sent originally
from a system in Austria.

I would have thought a CEH/CCNA/Network+/Security+ could (or would) have
done better.

-bp

> From the original header:
> Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP;
> 	Tue, 14 Nov 2006 00:46:24 PST
> Date: Tue, 14 Nov 2006 00:46:24 -0800 (PST)
> From: William Stanley <vegacash@...oo.com>
> To: full-disclosure@...ts.grok.org.uk
>
> 194.24.158.16 is not lumbermax.com, it’s a box in Austria.
>
> If I was a spammer, it would be easy to sub a known blacklisted spammer to
> try and hide my point of origin.
>
> "William Stanley" is the real spammer and he used a box in Austria or
> "William Stanley" has nothing to do with this and someone else used a box
> in Austria.
>
> Always look for the source. Since the 194.24.158.16 address is recorded in
> the header by the webmail yahoo box, I would probably say the
> 194.24.158.16 address is not forged. That is the originating address of
> this email.
>
> Don’t believe anything else below it unless you actually sent it. It can
> be forged.
>
> And did you scan lumbermax.org from inside archbishop alter high school?
> If so, be very careful about doing that. The high school administration
> may not appreciate you scanning a legit company from inside their domain.
> And don’t explore any of the open ports from inside the high school.
>
> But then again, you are listed as the high school's network engineer, so I
> guess you would be the point of contact if lumbermax.com has an issue,
> correct?
>
> ________________________________________
> From: full-disclosure-bounces@...ts.grok.org.uk
> [mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of David
> Swafford
> Sent: Tuesday, November 14, 2006 9:07 AM
> To: full-disclosure@...ts.grok.org.uk; William Stanley
> Subject: Re: [Full-disclosure] Austin Decking 512-385-5334 Austindecking
> wholesale
>
> Golden.......
>
> NMAP shows the following (lumbermax.com):
> 21/TCP - OPEN - FTP
> 22/TCP - OPEN - SSH
> 25/TCP - OPEN - SMTP
> 53/TCP - OPEN - DOMAIN
> 80/TCP - OPEN - HTTP
> 110/TCP - OPEN - POP3
> 111/TCP - OPEN - RPCBIND
> 135/TCP - FILTERED - MSRPC
> 137/TCP - FILTERED - NETBIOS-NS
> 138/TCP - FILTERED - NETBIOS-DGM
> 139/TCP - FILTERED - NETBIOS-SSN
> 143/TCP - OPEN - IMAP
> 443/TCP - OPEN - HTTPS
> 445/TCP - FILTERED - MICROSOFT-DS
> 593/TCP - FILTERED - HTTP-RPC-EPMAP
> 631/TCP - OPEN - IPP
> 3306/TCP - OPEN - MYSQL
>
>
> - Running Apache 2.052 (so there's some exploitable flaws here as current
> ver is 2.059).  It's running on a CENTOS box and the apache error says the
> domain is LYFE-CARD.com
> - The SMTP services are Sendmail 8.13.1
>
>
> ____________________________________________________
>
> David A. Swafford, Network Engineer
> Information Technology Team
> Archbishop Alter High School
>
> EC-Council Certified Ethical Hacker
>
> A Cisco Systems, Inc., Certified Network Associate (CCNA)
> and a CompTIA Network+ and Security+ Certified Professional
>
>
> <snip>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
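
Added example, not part of the original messages: a minimal Python sketch of the header check discussed in this thread, which walks the Received lines newest-first and keeps the peer address from the last hop stamped by a relay you trust. The first Received line is the one quoted in the thread; the second Received line, the From address, the trusted-suffix list and all function names are constructed assumptions.

```python
import email
import re

# Constructed sample: the first Received line is the one quoted in the thread;
# the second is a made-up line that a sender could have inserted themselves.
RAW = """\
Received: from [194.24.158.16] by web58409.mail.re3.yahoo.com via HTTP;
\tTue, 14 Nov 2006 00:46:24 PST
Received: from mail.forged.example ([203.0.113.7]) by relay.example.net;
\tTue, 14 Nov 2006 00:40:00 PST
From: William Stanley <sender@example.com>
Subject: constructed sample

body
"""

# Assumption: relays whose Received stamps the analyst is willing to trust.
TRUSTED_SUFFIXES = (".yahoo.com",)

HOP = re.compile(r"from\s+(?P<peer>.+?)\s+by\s+(?P<by>\S+)", re.S)
IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return (claimed_peer, recording_host, peer_ip) per Received line, newest first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if not m:
            continue  # unparseable stamp: skip rather than guess
        ip = IPV4.search(m.group("peer"))
        hops.append((m.group("peer"), m.group("by").rstrip(";"),
                     ip.group(1) if ip else None))
    return hops

def last_trusted_origin(raw, trusted=TRUSTED_SUFFIXES):
    """Peer IP recorded by the deepest hop in the unbroken chain of trusted relays."""
    origin = None
    for _peer, by_host, ip in parse_hops(raw):
        if not by_host.lower().endswith(trusted):
            break  # this line and everything below it may be sender-supplied
        origin = ip
    return origin

if __name__ == "__main__":
    print(last_trusted_origin(RAW))
```
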
