izatt82

Everything posted by izatt82

  1. Thanks guys, this should be a fun ride. hahah
  2. I am looking to dive into malware analysis and wanted to see if you guys have tips and/or resources to put me on the right track? Anything you guys have, small or large, would be awesome. I can script and program, although rusty, and do a lot of firewall admin/infrastructure security stuff now. I like the fact that knowing more about the enemy will allow me to make a more secure environment. Either way, thanks for any advice you guys have.
  3. After further research they may all be spoofed, but from the looks of the header it looks like they are spoofing the message and bouncing it off of FedEx's SMTP servers. This may all be a spoof, but from our end it is hard to tell. It's also hard to block because we use FedEx. I tried a few rules that hopefully won't also block valid emails, but we will see.
  4. We have been getting hammered with spam emails from
     Received: from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) by mx22.infosec.fedex.com (FedEx MX) with SMTP id 81.MD.55510.XCX3W0TL; Tue, 7 Aug 2012 15:17:39 +0100
     which looks to be a valid SMTP server at FedEx. Anybody else seeing anything like that?
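A small check for the situation in this post, added here as an example and not part of the original thread: it parses Received lines and finds the oldest one written by your own mail server, since only those lines are trustworthy; everything below them arrived as part of the sender's data. The receiving host mx1.ourcompany.example and the sending IP 198.51.100.23 are constructed for the sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Shape of a typical Received header: "from HOST (HELO [IP]) by HOST ...".
# The bracketed IP is what the receiving server observed; the host names
# before it are whatever the sending side announced.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<helo>[^\s\[\]]+)?\s*\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)

@dataclass
class Hop:
    from_host: str  # host name the sending side announced
    ip: str         # IP address the receiving server actually saw
    by_host: str    # server that wrote this header line

def parse_received(header: str) -> Optional[Hop]:
    """Extract sender host, observed IP and receiving host from one Received line."""
    m = RECEIVED_RE.search(header)
    return Hop(m["from_host"], m["ip"], m["by_host"]) if m else None

def first_trusted_hop(headers: List[str], our_domain: str) -> Optional[Hop]:
    """Walk Received lines newest-first and return the oldest one written by our
    own servers. Every line below it was handed to us by the remote sender and may
    be forged, so the IP in the returned hop is the one to check (blocklists, SPF)."""
    trusted = None
    for line in headers:
        hop = parse_received(line)
        if hop is None or not hop.by_host.lower().endswith(our_domain.lower()):
            break
        trusted = hop
    return trusted

# The FedEx line quoted in the post, as it would appear in the raw message.
PAGE_HEADER = ("from prh00393.prod.fedex.com (prh00393.prod.fedex.com [199.81.10.49]) "
               "by mx22.infosec.fedex.com (FedEx MX) with SMTP id 81.MD.55510.XCX3W0TL; "
               "Tue, 7 Aug 2012 15:17:39 +0100")

# Constructed sample chain: the top line is what our own (hypothetical) MX adds;
# the sender IP 198.51.100.23 and mx1.ourcompany.example are made up for this example.
SAMPLE_HEADERS = [
    "from mx22.infosec.fedex.com (unknown [198.51.100.23]) by mx1.ourcompany.example "
    "(Postfix) with ESMTP id 4F0C2A1; Tue, 7 Aug 2012 15:17:45 +0100",
    PAGE_HEADER,
]
```

With the sample chain, the hop to evaluate is the one our MX saw (198.51.100.23), whatever the line beneath it claims about FedEx.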
  5. As much bandwidth as you can afford and/or a clustered system with an IPS system outside of your edge. Really need more info as to where this would be and how it would be used.
  6. I updated W3AF to 5109 and now when I select some of the profiles in the GUI I get the error "the option list object doesn't contain an option with the name: equ algorithm". Anyone else get this? Thanks
  7. Yeah, I have been watching him. I finally got a 404 page which was different than the blank page. I am starting to find out that SQL injection is a real PITA when going up against a pretty solid setup. I used this and others like it and got the 404 page: if (select user) = 'sa' waitfor delay '0:0:10' but it did not wait for 10 secs, so it might be filtering all this stuff. I actually hope I can't get into it that way; I know my vendor's shit is secure and we aren't getting screwed.
  8. So basically the deal is I want to know if I should be worried. I am doing something like this .asp?ID=1' and I get back a blank page, so I am assuming my only option is to do blind injection, but what else might this mean? If it doesn't work then I get a different message saying the session has ended, so it seems like there might be a hole there. I need to be schooled on SQL injection. I haven't tried seeing if there is a WAF in place or encoding; I just tried to do the basics and want to make sure I understand what the blank page means. Thanks guys
  9. Vendor was no help, but after some further inspection of the network traffic we are comfortable with whitelisting that event. Thanks for the replies and I am glad it wasn't more than that :D
  10. Yes it is on everyone. This is looking like the problem started when the IPS defs updated on Friday right when the problem started happening.
  11. Since some time on Friday, when we use Chrome to browse sites like MSN or Yahoo our IPS system is banning users with IBM.Domino.iNotes.Foldername.Buffer.Overflow as the type. Is anybody else seeing this type of thing? It does not happen at all with IE, but Firefox does seem to have the same results as Chrome. Our logging for this event isn't helpful and I just wanted to see if we were all alone or not.
  12. Agreed. I am pretty impressed that IPS vendors are catching up and are building modules to check traffic on a port to verify what it really is. For example, trying to send a reverse shell over port 80 will get caught in these systems now. The real problem for us is we can't do deep packet inspection on SSL traffic because we have sites that do mutual authentication and of course it breaks those sites. So if an attacker sent traffic out 443 it is hard to track unless it makes a little too much noise or is going to a weird IP. On the spam note, we use hosted Exchange and I am not impressed with the services. We are switching, but until then I get to fight them on why the SPAM solution isn't doing a good job; a 50-60% block rate is what they told us once they looked at our domain report. It should be 85-95% IMO. I know spam filtering is hard and, just like with any security, someone will get around it, just a matter of time, but that doesn't mean do not try.
  13. Right, two different things, didn't mean to make that confusing. Spam filters to help with spam and then the firewall/web filter for other stuff.
  14. On the spam issues, we are currently working to resolve that issue with a vendor. Basically I just wanted this to be kind of an open forum for people to discuss ways to get past the firewall. I figured I would know most of the ways, but maybe there would be some that I didn't and could learn about them. Either way, thanks for your reply; any ideas and opinions are great. I am just trying to school myself, as I wear many hats so sometimes it is hard to keep up with the changing security world. :D
  15. Hello. This topic is to discuss ways attackers are getting past the firewall nowadays. I know spam/phishing is still big, but just to get a nice list, how are you guys doing it or what kind of attempts are you seeing? You might ask where this is coming from; well, I am trying to make sure I am not missing something I didn't know about. I try to keep as up to date on attacks as I can, but thought I would post a question here and get some community feedback. I will start it off by saying currently I am seeing targeted spam, mostly with hyperlinks generally pointing to either Java or Adobe exploits. A lot of these hyperlinks are located on very low traffic websites all over the web, mostly inside the USA. I have contacted the companies and they never call me back; most likely they figure he doesn't know what he is talking about. Most of this spam is coming from Brazil, but not all of it. Most of the links have a file inside the root of the web directory with a name like file-index.htm or something close with index in the name. What are you guys seeing, whether it is during pentests or inside businesses you deal with? Thanks