[Owasp-delhi] Fwd: Fackbook Password Disclosure - Vulnerability

Atul Agarwal atul at secfence.com
Thu Nov 18 06:49:16 EST 2010


After some basic analysis, it appears to me that the JAR finally drops a
server.exe (2/40 - VT
http://www.virustotal.com/file-scan/report.html?id=ebc79807e87ec1171a085569f7eee866f6cbea50d15e643573bdb77641e918ea-1290077246).

The server.exe appears to be meterpreter_reverse_https which injects into
iexplore.exe and tries to connect to 121.242.69.84.static-delhi.vsnl.net.in.

21/tcp   open   ftp?
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   closed http
443/tcp  closed https
3389/tcp open   ms-term-serv?
4444/tcp closed krb524
5555/tcp closed freeciv
5800/tcp open   vnc-http?
5900/tcp open   vnc?

The listener however, seems down ATM. Hmm..

Thanks,
Atul Agarwal
Secfence Technologies
www.secfence.com



On Thu, Nov 18, 2010 at 2:48 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

> Or maybe, passed the BUG to save own time ;-)
>
>
>
> *From:* owasp-delhi-bounces at lists.owasp.org [mailto:
> owasp-delhi-bounces at lists.owasp.org] *On Behalf Of *Chintan Dave
> *Sent:* 18 November 2010 13:51
> *To:* Muslim Koser
> *Cc:* owasp-delhi at lists.owasp.org
> *Subject:* Re: [Owasp-delhi] Fwd: Fackbook Password Disclosure -
> Vulnerability
>
>
>
> Or is it social engineering to entice security professionals, thinking they
> might not understand what's happening? :P
>
> Wait a minute..... Should this be tried here? Maybe not!
>
> On Thu, Nov 18, 2010 at 12:43 PM, Muslim Koser <mkoser at isightpartners.com>
> wrote:
>
> Hi Komal,
>
> Have you tested this before posting on the list? I found this to be a
> possible malware dropper.
>
> There are two suspicious files in the /data folder which write into remote
> process memory.
> /data/app.exe and /data/dummy.exe
>
>
> Best Regards,
> Muslim
>
>
> On 17/11/10 10:47 PM, "Komal Taneja - DHL Delhi" <komal.dhl.1665 at gmail.com>
> wrote:
>
>
> Facebook recently launched its email and it created a vulnerability,
>
> Malicious user can change the password of victim.
>
> Download the POC tool and tutorial from
> http://www.mediafire.com/?9xllotl0n4nla6f , Hurry before Facebook fix the
> gap.
>
> Komal
>
> ------------------------------
>
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
> --
> Regards,
> Chintan Dave,
>
> LinkedIn: http://in.linkedin.com/in/chintandave
> Blog:http://www.chintandave.com
>
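The thread identifies Windows executables carried inside the JAR (/data/app.exe, /data/dummy.exe, and a dropped server.exe). The following is an added example, not code from any poster in this thread: a static triage helper that lists PE files embedded in a JAR and hashes them for lookup, without extracting or running anything. Function names are hypothetical and the sample archive is constructed inline from harmless stub headers.

```python
import hashlib
import io
import struct
import zipfile


def is_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def embedded_executables(jar_bytes: bytes):
    """Return [(entry name, sha256 hex)] for every PE file inside the archive.

    Entries are only read into memory, never written to disk or executed.
    Detection is by content, so an executable with a renamed extension
    is still reported.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if info.is_dir():
                continue
            data = jar.read(info)
            if is_pe(data):
                hits.append((info.filename, hashlib.sha256(data).hexdigest()))
    return hits


def _constructed_sample() -> bytes:
    """Build a harmless stand-in JAR (constructed): stub PE headers, no code."""
    stub = bytearray(0x48)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> offset 0x40
    stub[0x40:0x44] = b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("data/app.exe", bytes(stub))
        jar.writestr("data/logo.png", bytes(stub))  # PE behind an image name
        jar.writestr("Main.class", b"\xca\xfe\xba\xbe" + bytes(60))
    return buf.getvalue()


if __name__ == "__main__":
    for name, digest in embedded_executables(_constructed_sample()):
        print(digest, name)
```

A legitimate applet or library JAR rarely ships native Windows executables, so any hit is a reason to handle the file in an isolated analysis environment.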