Penetration Testing mailing list archives

RE: New article on SecurityFocus
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Fri, 6 Jan 2006 10:36:58 -0800

I can confirm that this is indeed a legitimate issue and there is real
traffic happening. I can't give specifics but where I work we've blacklisted
2 entire subnets due to this issue, a /19 and /20 respectively. The majority
of the sites hosted within the subnets are porn but there are also
legitimate sites that appear to have been compromised with tagged payloads
that are not related to the ad network Larry mentions. 

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 


-----Original Message-----
From: Larry Seltzer [mailto:larry () larryseltzer com] 
Sent: Friday, January 06, 2006 8:48 AM
To: 'Brady McClenon'; 'Drew Simonis'; 'Thor (Hammer of God)'; 
'Erin Carroll'; pen-test () securityfocus com
Cc: focus-ms () securityfocus com
Subject: RE: New article on SecurityFocus

The numbers come mostly from porn sites that use a low brow 
ad network that is inserting the graphics into the sites. If 
you really want to see one, go to 600pics[dot]com, but be 
forewarned of hardcore porn.

I haven't seen any reports of innocent sites being affected by this.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: Brady McClenon [mailto:BMcClenon () uamail albany edu]
Sent: Friday, January 06, 2006 11:29 AM
To: Drew Simonis; Thor (Hammer of God); Erin Carroll; 
pen-test () securityfocus com
Cc: Larry Seltzer; focus-ms () securityfocus com
Subject: RE: New article on SecurityFocus

Just curious.  I hear media reports and people saying that 
there are hundreds or thousands of compromised web sites from 
this, but I have to ask where these numbers come from?  Where is 
this data, or is it pure speculation?  I'm also curious how 
one could compromise a web server with this exploit.  Putting 
files on a web server to dole out and compromise other 
computers I can see, but is the web server really compromised 
in this case?  If so, was it by way of the WMF exploit?

One last question:  Has anyone here experienced or know 
anyone that has a "legitimate" web server compromised (or 
serving out) by the WMF exploit?
I'm trying to determine if there are those with actual 
knowledge that the sky is indeed falling, or if we are all 
shaking over unsubstantiated media hype.


-----Original Message-----
From: Drew Simonis [mailto:simonis () myself com]
Sent: Friday, January 06, 2006 10:22 AM
To: Thor (Hammer of God); Erin Carroll; pen-test () securityfocus com
Cc: Larry Seltzer; focus-ms () securityfocus com
Subject: Re: New article on SecurityFocus


Overall, I think the community's coverage of WMF has been delivered with
an ounce of perception, and a pound of obscurity.  It's almost as if
people *want* it to be worse than it is.  I'm not surprised, of
course.  But regardless, my call is that we'll see a little
activity here and there, the patch will come out, most will install
it (or have it installed automatically) and the whole issue will
fade away.  But that's all.

We'll know for sure shortly, either way.


Thor,
I think your path of thought is stuck a bit in the past.
Worms are neat as a technical exercise, but we see more and more that
the attackers are increasingly aware of the value of these
vulnerabilities from a financial perspective, not merely for
notoriety.  As such, it benefits the attacker to have a less subtle
attack, one that does not sensationalize the vulnerability.
Complacency is their ally.

That said, there are already numerous (hundreds+) "legitimate" web
sites that have been compromised and had exploit images injected into
their content.  There are also already hundreds of thousands of
machines that have been infected with Trojans or bots.  These infected
machines will patch, but they won't be safe, and the problem gets
worse.

So no, there won't be some catastrophic worm event.  But I posit that
what there will be could be much worse.
