Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: pimpshiz / put i.txt

Re: pimpshiz / put i.txt

From: Jason Witty <jason_at_WITTYS.COM>
Date: Fri, 6 Oct 2000 05:47:09 -0500

I may be going out on a limb here, but the 'exploit' PimpShitz is using
looks more like a simple HTTP PUT instead of an HTTP GET. A friend of mine
just got hit last week (I havn't seen the logs, but he described them), and
the i.txt file was placed into a directory, via a standard HTTP PUT (wrong
permissions on the directory). So his little '0-Day 3xp01t' is probably
nothing more than Netscape HTML Editor's publish function or Front Page for
that matter. Just my two....

Jason

At 12:08 AM 10/6/00 GMT, Tony Turk wrote:
>I have spoken to pimpshiz, and he DOES NOT use the RDS' sploit. He does use
>a 0day, but I am unsure of it's nature. He has defaced all IIS/NT servers,
>so that at least narrows it down. More logs would be nice though.
>
>
>>From: Steve <Steve_at_SECURESOLUTIONS.ORG>
>>Reply-To: Steve <Steve_at_SECURESOLUTIONS.ORG>
>>To: INCIDENTS_at_SECURITYFOCUS.COM
>>Subject: Re: pimpshiz / put i.txt
>>Date: Thu, 5 Oct 2000 06:27:19 -0600
>>
>>I attemtped to contact Pimpshiz and got the following;
>>
>>"I will do an interview but I will not discuss my techniques or exploit."
>>
>>He has told media outlets that he has some 0day sploit that no one knows
>>about. I would love to see more logs as I am starting to think that he is
>>simply using the RDS exploit.
>>
>>For those of you who have been defaced by this, in my opinion, script
>>kiddie, check www.wiretrip.net/rfp for the original advisory on the RDS
>>exploit, there is a spot that talks about log entries to watch for.
>>
>>-Steve
>>
>>-----Original Message-----
>>From: Jonathan Rickman
>>To: INCIDENTS_at_SECURITYFOCUS.COM
>>Sent: 10/4/00 7:07 PM
>>Subject: Re: pimpshiz / put i.txt
>>
>>I seem to remember seeing one of his recent defacements mention that one
>>could look for the file i.txt as well as several others once the main
>>page
>>was restored as proof that he still owned them. Don't quote me on that,
>>but I'm pretty sure that's what it said. Check the attrition archives.
>>
>>you could just email pimpshiz and ask...he'll probably tell you.
>>
>>--
>>Jonathan Rickman
>>X Corps Security
>>http://www.xcorps.net
>
>_________________________________________________________________________
>Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
>
>Share information about yourself, create your own public profile at
>http://profiles.msn.com.
>
>
Received on Oct 06 2000

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos