[Owasp-delhi] Fwd: Fackbook Password Disclosure - Vulnerability

Sheik Nizamuddin sheikn at promindsglobal.com
Thu Nov 18 11:15:02 EST 2010


@Atul Exactly. It drops the server.exe and, as you have mentioned, the file
itself is suspicious. I had some suspicious behaviour on my system even
though I blocked the server.exe file. My IDS immediately started picking up
detections.

It made me even more curious, and trying to figure out what all I have done
in the recent past, I see only this JAR file which I tried to execute.

 

Anyways this is my IDS Log

11/18/2010 4:17:30 PM  Intrusion.Win.MSSQL.worm.Helkern      219.146.143.209  UDP  1434

11/18/2010 4:19:37 PM  Intrusion.Win.MSSQL.worm.Helkern      218.201.144.133  UDP  1434

 

They both trace back to Chinese IPs, though.

 

Speaking of all this, did someone find any luck on the Facebook
vulnerability mentioned in the first mail of this chain?

 

Regards,

A.Sheik Nizamuddin

Security Analyst

+91-8008001292


ProMinds Consulting Pvt Ltd | SEI Transition Partner | CERT-In Empanelled
Company | ISO 9001:2008 Certified | NASSCOM Member

www.promindsglobal.com | http://www.promindsconsulting.com/



 
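The two IDS entries above are in a fixed "timestamp  signature  source IP  protocol  port" layout. The parser below is an added example, not code from this thread; it reads that layout, checks whether the sources are routable internet addresses, and separates UDP/1434 "Helkern" hits (the Kaspersky name for the SQL Slammer worm, which probes UDP/1434) from everything else, so a reader can see that such hits are unsolicited internet scans rather than evidence tied to the JAR. The sample log is constructed from the two lines in the mail.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same layout as the two IDS entries quoted in the mail.
SAMPLE_IDS_LOG = """\
11/18/2010 4:17:30 PM  Intrusion.Win.MSSQL.worm.Helkern      219.146.143.209  UDP  1434
11/18/2010 4:19:37 PM  Intrusion.Win.MSSQL.worm.Helkern      218.201.144.133  UDP  1434
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<sig>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s*$"
)


def parse_ids_log(text):
    """Parse each well-formed line into a dict; silently skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "sig": m["sig"],
            "src": ipaddress.ip_address(m["src"]),
            "proto": m["proto"],
            "port": int(m["port"]),
        })
    return events


def is_slammer_probe(event):
    """SQL Slammer (Helkern) spreads by a single UDP datagram to port 1434."""
    return "Helkern" in event["sig"] and event["proto"] == "UDP" and event["port"] == 1434


def summarize(events):
    """Count hits per (signature, proto, port) and how many are background scans."""
    by_sig = Counter((e["sig"], e["proto"], e["port"]) for e in events)
    external = sum(1 for e in events if e["src"].is_global)   # not RFC1918/loopback
    slammer = sum(1 for e in events if is_slammer_probe(e))
    return {"by_sig": dict(by_sig), "external_sources": external,
            "slammer_probes": slammer, "other": len(events) - slammer}
```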

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Atul Agarwal
Sent: Thursday, November 18, 2010 5:19 PM
To: dhruv.soi at owasp.org
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Fwd: Fackbook Password Disclosure - Vulnerability

 

After some basic analysis, it appears to me that the JAR finally drops a
server.exe (2/40 on VT:
http://www.virustotal.com/file-scan/report.html?id=ebc79807e87ec1171a085569f7eee866f6cbea50d15e643573bdb77641e918ea-1290077246).

The server.exe appears to be meterpreter_reverse_https, which injects into
iexplore.exe and tries to connect to 121.242.69.84.static-delhi.vsnl.net.in.

21/tcp   open   ftp?
25/tcp   closed smtp
53/tcp   closed domain
80/tcp   closed http
443/tcp  closed https
3389/tcp open   ms-term-serv?
4444/tcp closed krb524
5555/tcp closed freeciv
5800/tcp open   vnc-http?
5900/tcp open   vnc?

The listener however, seems down ATM. Hmm..

Thanks,
Atul Agarwal
Secfence Technologies
www.secfence.com
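Atul's description is a three-step chain: a file dropped by the Java process, a remote thread from that dropped file into iexplore.exe, then outbound traffic from the browser. The correlation logic below is an added example, not the list's or Atul's code; it works over constructed Sysmon-style records (event IDs 11 FileCreate, 8 CreateRemoteThread and 3 NetworkConnect, with Sysmon's field names) and reports an injection finding plus every later connection made by the injected browser, since after injection the host process's traffic can no longer be trusted. Paths and the non-vsnl hostname are assumptions for the sample.

```python
# Constructed Sysmon-style events; paths are illustrative, the vsnl hostname is
# the one from the mail. Order matters: connections count only after injection.
SAMPLE_EVENTS = [
    {"id": 11, "Image": r"C:\Program Files\Java\jre6\bin\java.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\server.exe"},
    {"id": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 80},
    {"id": 8, "SourceImage": r"C:\Users\user\AppData\Local\Temp\server.exe",
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"id": 3, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationHostname": "121.242.69.84.static-delhi.vsnl.net.in",
     "DestinationPort": 443},
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate_dropper_chain(events):
    """Return findings for dropped-exe -> browser injection -> outbound beacon chains."""
    dropped = {}    # lowercased dropped path -> image that wrote it
    injected = {}   # lowercased browser path -> image that injected into it
    findings = []
    for e in events:
        if e["id"] == 11 and e["TargetFilename"].lower().endswith(".exe"):
            dropped[e["TargetFilename"].lower()] = e["Image"]
        elif e["id"] == 8 and basename(e["TargetImage"]) in BROWSERS:
            src = e["SourceImage"].lower()
            if src in dropped:      # only injectors that were themselves dropped
                injected[e["TargetImage"].lower()] = e["SourceImage"]
                findings.append(("injection", dropped[src],
                                 e["SourceImage"], e["TargetImage"]))
        elif e["id"] == 3 and e["Image"].lower() in injected:
            findings.append(("beacon", e["Image"],
                             e["DestinationHostname"], e["DestinationPort"]))
    return findings
```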




On Thu, Nov 18, 2010 at 2:48 PM, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

Or maybe, passed the BUG to save own time ;-)

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Chintan Dave
Sent: 18 November 2010 13:51
To: Muslim Koser
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] Fwd: Fackbook Password Disclosure - Vulnerability

 

Or is it social engineering to entice security professionals, thinking they
might not understand what's happening? :P

Wait a minute..... Should this be tried here? May be not!

On Thu, Nov 18, 2010 at 12:43 PM, Muslim Koser <mkoser at isightpartners.com>
wrote:

Hi Komal,

Have you tested this before posting on the list? I found this to be a
possible malware dropper.

There are two suspicious files in the /data folder which write into remote
process memory: /data/app.exe and /data/dummy.exe


Best Regards,
Muslim 


On 17/11/10 10:47 PM, "Komal Taneja - DHL Delhi" <komal.dhl.1665 at gmail.com>
wrote:


Facebook recently launched its email and it created a vulnerability.

A malicious user can change the password of the victim.

Download the POC tool and tutorial from
http://www.mediafire.com/?9xllotl0n4nla6f . Hurry before Facebook fixes the
gap.

Komal




_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi






-- 
Regards,
Chintan Dave,

LinkedIn: http://in.linkedin.com/in/chintandave
Blog: http://www.chintandave.com



 
