RE: New article on SecurityFocus

From: Brady McClenon (BMcClenon@uamail.albany.edu)
Date: Mon Jan 09 2006 - 10:27:21 EST


The question is whether the Knoppix web server was compromised, or if an
untrustworthy employee just threw it out there. Are we seeing, or have we
seen, any worm-like activity with this vulnerability? If so, how
rampant is it? We hear in the news that it's all over... Hundreds!....
Thousands!... But yet ask anyone to name a site or confirm they have
first-hand experience, or have a friend or colleague with first-hand
experience, and all you get is them naming one of a handful of sites we
all heard about through media reports. I'm not saying this isn't a real
threat. I'm saying I believe its exploit distribution has been greatly
exaggerated.
 

> -----Original Message-----
> From: Murad Talukdar [mailto:talukdar_m@subway.com]
> Sent: Sunday, January 08, 2006 10:20 PM
> To: Brady McClenon; 'Drew Simonis'; 'Thor (Hammer of God)';
> 'Erin Carroll'; pen-test@securityfocus.com
> Cc: 'Larry Seltzer'; focus-ms@securityfocus.com
> Subject: RE: New article on SecurityFocus
>
> That was it; SANS
> http://handlers.dshield.org/jullrich/wmffaq.html
> So it can even get onto 'Trusted' websites.
> (At least they are saying they had a 'report').
> Digital whispers....
>
>
> Regards
> Murad Talukdar
>
> -----Original Message-----
> From: Brady McClenon [mailto:BMcClenon@uamail.albany.edu]
> Sent: Saturday, January 07, 2006 2:29 AM
> To: Drew Simonis; Thor (Hammer of God); Erin Carroll;
> pen-test@securityfocus.com
> Cc: Larry Seltzer; focus-ms@securityfocus.com
> Subject: RE: New article on SecurityFocus
>
> Just curious. I hear media reports and people saying that there's
> hundreds or thousands of compromised web sites from this, but I have to ask
> where these numbers come from? Where is this data, or is it pure
> speculation? I'm also curious how one could compromise a web server
> with this exploit. Putting files on a web server to dole out and
> compromise other computers I can see, but is the web server really
> compromised in this case? If so, was it by way of the WMF exploit?
>
> One last question: Has anyone here experienced or known anyone that has
> a "legitimate" web server compromised (or serving out) by the WMF
> exploit? I'm trying to determine if there are those with actual
> knowledge that the sky is indeed falling, or if we are all shaking over
> unsubstantiated media hype.
>
>
> > -----Original Message-----
> > From: Drew Simonis [mailto:simonis@myself.com]
> > Sent: Friday, January 06, 2006 10:22 AM
> > To: Thor (Hammer of God); Erin Carroll; pen-test@securityfocus.com
> > Cc: Larry Seltzer; focus-ms@securityfocus.com
> > Subject: Re: New article on SecurityFocus
> >
> > >
> > > Overall, I think the community's coverage of WMF has been delivered
> > > with an ounce of perception, and a pound of obscurity. It's almost
> > > as if people *want* it to be worse than it is. I'm not surprised,
> > > of course. But regardless, my call is that we'll see a little
> > > activity here and there, the patch will come out, most will install
> > > it (or have it installed automatically) and the whole issue will
> > > fade away. But that's all.
> > >
> > > We'll know for sure shortly, either way.
> > >
> >
> > Thor,
> > I think your path of thought is stuck a bit in the past.
> > Worms are neat as a technical exercise, but we see more and
> > more that the attackers are increasingly aware of the value
> > of these vulnerabilities from a financial perspective, not
> > merely for notoriety. As such, it benefits the attacker to
> > have a less subtle attack, one that does not sensationalize
> > the vulnerability. Complacency is their ally.
> >
> > That said, there are already numerous (hundreds+)
> > "legitimate" web sites that have been compromised and had
> > exploit images injected into their content. There are also
> > already hundreds of thousands of machines that have been
> > infected with Trojans or bots. These infected machines will
> > patch, but they won't be safe, and the problem gets worse.
> >
> > So no, there won't be some catastrophic worm event. But I
> > posit that what there will be could be much worse.
> >

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:20 EDT