RE: New article on SecurityFocus

From: Erin Carroll (amoeba@amoebazone.com)
Date: Fri Jan 06 2006 - 15:08:18 EST


 
I can confirm that this is indeed a legitimate issue and
there is real traffic happening. I can't give specifics but
where I work we've blacklisted 2 entire subnets due to this
issue, a /19 and /20 respectively. The majority of the sites
hosted within the subnets are porn but there are also
legitimate sites that appear to have been compromised with
tagged payloads that are not related to the ad network Larry
mentions.
 
 --
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
 
 
> > -----Original Message-----
> > From: Larry Seltzer [mailto:larry@larryseltzer.com]
> > Sent: Friday, January 06, 2006 8:48 AM
> > To: 'Brady McClenon'; 'Drew Simonis'; 'Thor (Hammer of God)'; 'Erin
> > Carroll'; pen-test@securityfocus.com
> > Cc: focus-ms@securityfocus.com
> > Subject: RE: New article on SecurityFocus
> >
> > The numbers come mostly from porn sites that use a lowbrow ad network
> > that is inserting the graphics into the sites. If you really want to
> > see one, go to 600pics[dot]com, but be forewarned of hardcore porn.
> >
> > I haven't seen any reports of innocent sites being affected by this.
> >
> > Larry Seltzer
> > eWEEK.com Security Center Editor
> > http://security.eweek.com/
> > http://blog.ziffdavis.com/seltzer
> > Contributing Editor, PC Magazine
> > larryseltzer@ziffdavis.com
> >
> > -----Original Message-----
> > From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
> > Sent: Friday, January 06, 2006 11:29 AM
> > To: Drew Simonis; Thor (Hammer of God); Erin Carroll;
> > pen-test@securityfocus.com
> > Cc: Larry Seltzer; focus-ms@securityfocus.com
> > Subject: RE: New article on SecurityFocus
> >
> > Just curious. I hear media reports and people saying that there are
> > hundreds or thousands of compromised web sites from this, but I have
> > to ask where these numbers come from. Where is this data, or is it pure
> > speculation? I'm also curious how one could compromise a web server
> > with this exploit. Putting files on a web server to dole out and
> > compromise other computers I can see, but is the web server really
> > compromised in this case? If so, was it by way of the WMF exploit?
> >
> > One last question: Has anyone here experienced or know anyone that
> > has had a "legitimate" web server compromised (or serving out) by the
> > WMF exploit? I'm trying to determine if there are those with actual
> > knowledge that the sky is indeed falling, or if we are all shaking over
> > unsubstantiated media hype.
> >
> >
> > > -----Original Message-----
> > > From: Drew Simonis [mailto:simonis@myself.com]
> > > Sent: Friday, January 06, 2006 10:22 AM
> > > To: Thor (Hammer of God); Erin Carroll; pen-test@securityfocus.com
> > > Cc: Larry Seltzer; focus-ms@securityfocus.com
> > > Subject: Re: New article on SecurityFocus
> > >
> > > >
> > > > Overall, I think the community's coverage of wmf has been
> > > > delivered with an ounce of perception, and a pound of obscurity.
> > > > It's almost as if people *want* it to be worse than it is. I'm not
> > > > surprised, of course. But regardless, my call is that we'll see a
> > > > little activity here and there, the patch will come out, most will
> > > > install it (or have it installed automatically) and the whole issue
> > > > will fade away. But that's all.
> > > >
> > > > We'll know for sure shortly, either way.
> > > >
> > >
> > > Thor,
> > > I think your path of thought is stuck a bit in the past.
> > > Worms are neat as a technical exercise, but we see more and more that
> > > the attackers are increasingly aware of the value of these
> > > vulnerabilities from a financial perspective, not merely for
> > > notoriety. As such, it benefits the attacker to have a less subtle
> > > attack, one that does not sensationalize the vulnerability.
> > > Complacency is their ally.
> > >
> > > That said, there are already numerous (hundreds+) "legitimate" web
> > > sites that have been compromised and had exploit images injected into
> > > their content. There are also already hundreds of thousands of
> > > machines that have been infected with Trojans or bots. These infected
> > > machines will patch, but they won't be safe, and the problem gets
> > > worse.
> > >
> > > So no, there won't be some catastrophic worm event. But I posit that
> > > what there will be could be much worse.
> > >
> >
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:19 EDT