Archive for the ‘Allgemein’ Category

nice Stop – Sign

Saturday, July 4th, 2009

looks like CDU has been hacked: http://www.cdu-bundestag.de/
shows a nice Stop-Sign 🙂
Actually, it isn’t hacked: cdu-bundestag.de (same as spd-bundestag.de) is a hoax;
it never belonged to the party.

New Honeypot

Tuesday, June 16th, 2009

The nepenthes team members have been busy working on a new (low-interaction) honeypot.
The name dionaea is taken from another carnivorous plant. Here is the link to the project homepage. Sounds interesting, since it is written in C with Python modules attached.

FTC shuts down pricewert

Friday, June 5th, 2009

The FTC shuts down a rogue provider known for hosting phishing and malware sites.
Good job! Story

torpig powned

Tuesday, May 5th, 2009

According to a recent article on Heise, some scientists have
taken over the torpig botnet for 10 days. The original article can
be found here.

Elvis still alive!

Wednesday, April 22nd, 2009

Elvis has an E-Passport 🙂 Look at the video at
the thc epassport page.

Blackhat Europe 2009 Toolbox

Sunday, April 19th, 2009

The Blackhat Europe 2009 Conference is over; some new techniques and exploits have been published:

the Blackhat Europe 2009 Toolbox

Scam-Page

Thursday, April 9th, 2009

Another scam page was discovered: http://www.scam7.net/ which not
only shows different packed phishing kits, but also some tools for spamming and usernames / passwords for the SMTP server smtp.orange.fr: “http://www.scam7.net/smtp/index.html
Let’s see how long this site stays up.

ophcrack

Wednesday, March 4th, 2009

While the return of l0phtcrack is being discussed, another tool doing nearly the same – but for free – has been published: ophcrack.
Works pretty well 🙂

Stormfucker

Saturday, January 10th, 2009

Recently a team of scientists posted an article about dealing with the Storm botnet.
leder_at_informatik.uni-bonn.de posted some parts of the source code “stormfucker” on the mailing list “Full Disclosure”.
Here is the alpha code for Stormfucker. I patched a few things so that it does not
work out of the box.


If you want to work with this code, you need to decode the source first. Here is one way to do it
with python:

1) save the source in a file
2) start python:
$ python
Python 2.5.1 (r251:54863, May 18 2007, 16:56:43)
[GCC 3.4.4 (cygming special, gdc 0.12, using dmd 0.125)] on cygwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from base64 import *
>>> a=file("stf.txt",'r')
>>> b=a.read()
>>> c=b64decode(b)
>>> a=file("stf.out",'w')
>>> a.write(c)
>>> a.close()
^D

Now we have a file stf.out, which is bzip2-compressed (check with "file"):
$ bzip2 -d stf.out
bzip2: Can't guess original name for stf.out -- using stf.out.out

Now we have a tar file; let's have a look:

$ tar tvf stf.out.out
drwxr-xr-x tw/tw 0 2008-01-01 00:00 stormfucker/
-rw-r--r-- tw/tw 610 2008-01-01 00:00 stormfucker/routing.h
-rw-r--r-- tw/tw 75 2008-01-01 00:00 stormfucker/install.h
..

Extract with tar xvf and have phun :)

submit-mwserv.conf

Thursday, January 1st, 2009

When dealing with the submit modules of nepenthes, you will find several notices about the favourite one of the nepenthes authors, namely submit-mwserv (with its submit-mwserv.conf file).
However, there is no hint on how to write the necessary ‘submit’ application on the receiving server side.
To see what data is actually sent, I set up a listening socket and wrote the incoming raw data to a file.
It looked like this:

POST /heartbeat HTTP/1.1
User-Agent: nepenthes 0.2.2 (Linux, x86, g++)
Host: www.spamversand.de:8989
Accept: */*
Content-Length: 487
Expect: 100-continue
Content-Type: multipart/form-data; boundary=----------------------------285dc72e916a

A normal HTTP POST request. Not entirely normal though, because the Expect: “100-continue” header was new to me. A quick google check found RFC 2616, 8.2.3 Use of the 100 (Continue) Status. So I will answer the request with a “100” response and see what data follows..
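The receiving side sketched above, as an added example that is not part of the original post: a minimal server that answers the Expect: 100-continue header and only then reads the Content-Length body, paired with a client that, like nepenthes, waits for the interim 100 before sending the body. The function names, the socketpair harness and the multipart body (a constructed placeholder) are assumptions; the headers are the ones captured above.

```python
import socket
import threading
# Constructed placeholder body (assumption: the real multipart payload is not shown above); boundary is from the capture.
BOUNDARY = b"----------------------------285dc72e916a"
SAMPLE_BODY = (b"--" + BOUNDARY + b'\r\nContent-Disposition: form-data; name="nonce"\r\n\r\n'
               b"placeholder\r\n--" + BOUNDARY + b"--\r\n")

def _read_headers(rfile):  # request line + headers -> (method, path, {lowercased name: value})
    method, path, _version = rfile.readline().decode("ascii", "replace").strip().split(" ", 2)
    headers = {}
    for line in iter(rfile.readline, b""):
        if line in (b"\r\n", b"\n"):  # empty line ends the header block
            break
        name, _, value = line.decode("ascii", "replace").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def receive_submission(conn, max_body=16 * 1024 * 1024):
    """Server side: honour Expect: 100-continue, then read exactly Content-Length bytes."""
    rfile = conn.makefile("rb")
    method, path, headers = _read_headers(rfile)
    length = int(headers.get("content-length", "0"))
    if length > max_body:  # reject before the client ships an oversized body
        conn.sendall(b"HTTP/1.1 413 Request Entity Too Large\r\nContent-Length: 0\r\n\r\n")
        return method, path, headers, None
    if headers.get("expect", "").lower() == "100-continue":
        conn.sendall(b"HTTP/1.1 100 Continue\r\n\r\n")  # interim reply; the body follows
    body = rfile.read(length)
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
    return method, path, headers, body

def _nepenthes_like_client(conn, body):
    """Client side: send the headers, wait for the interim 100, only then send the body."""
    conn.sendall((b"POST /heartbeat HTTP/1.1\r\nUser-Agent: nepenthes 0.2.2 (Linux, x86, g++)\r\n"
                  b"Host: www.spamversand.de:8989\r\nAccept: */*\r\nContent-Length: %d\r\n"
                  b"Expect: 100-continue\r\nContent-Type: multipart/form-data; boundary="
                  + BOUNDARY + b"\r\n\r\n") % len(body))
    reply = conn.recv(4096)
    if reply.startswith(b"HTTP/1.1 100"):
        conn.sendall(body)
        conn.recv(4096)  # final 200 OK
    conn.close()

def demo(max_body=16 * 1024 * 1024):  # run the exchange over a socketpair, return the server's view
    server, client = socket.socketpair()
    t = threading.Thread(target=_nepenthes_like_client, args=(client, SAMPLE_BODY))
    t.start()
    result = receive_submission(server, max_body)
    t.join()
    return result
```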