Archive for May, 2005

MySQL hack attempt?

Wednesday, May 11th, 2005

I dunno about you, but this sure as heck looks like a MySQL hack attempt…

/?search=%20UNION%20ALL%20SELECT%201,1,1,1,user_pass,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1%20FROM%20wp_users%20WHERE%20user_login%20=%20′admin’/*

the rest of the log looked like the following with the dude crawling my site for a bit before doing his deed, note the user agent.

IP Address: 211.5.160.52

Http Code: 200 Date: May 10 20:18:27 Http Version: HTTP/1.0 Size in Bytes: 21743

Referer: -

Agent: Metscope/6.0 (CP/M; 7-bit)

what this blog needs is a sappy tag

Tuesday, May 10th, 2005

Oh no, not about me… about them.

The best commentary I saw on fark was “He had her at howdy” and “Props to them for keeping it quiet and not making a huge spectacle. He’s a hottie in his own lovely redneck way.”

What is this world coming to? I just called a country singer a hottie.

program.exe trick

Tuesday, May 10th, 2005

There was a thread today and yesterday on the Full Disclosure mailing list about the MS Spyware beta and how it unfortunately has an inadvertent security hole. I’m posting the explanation here because I think it’s pretty interesting.

From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of pretty vacant

Sent: Tuesday, May 10, 2005 9:53 AM

To: James Tucker

Cc: full-disclosure@lists.grok.org.uk

Subject: Re: [Full-disclosure] Useless tidbit

You may or may not know that Windows applications often use the registry to store information about where to find applications within their file system. Due to the way in which Windows handles filenames, situations where this information is stored in an unquoted fashion, can leave the application open to an attack commonly referred to as the “Program.exe trick”.

As you know, it’s quite common to have files and/or directories with spaces in the name (e.g. C:Program Files). Windows is unique in that it essentially doesn’t exactly know what it’s doing if the command isn’t quoted and contains spaces. For example look at the following command:

c:program fileswindows media playerwmplayer

If unquoted, Windows tries the following:

1st try

Execute: c:program.exe

Arg1: fileswindows

Arg2: media

Arg3: playerwmplayer

2nd try

Execute: “c:program fileswindows.exe”

Arg1: media

Arg2: playerwmplayer

3rd try

Execute: “c:program fileswindows media”

Arg1: playerwmplayer

4th try

Execute: “c:program fileswindows media playermwplayer.exe”

Well in the case of MS AntiSpyware (and hundreds of other applications), AntiSpyware, it starts up by executing “AntiSpywareMain.exe” which in turn displays a nice splash screen, performs some other misc activities before calling the gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is unquoted, while the app tries to execute c:program filesmicrosoft antispywaregsasDtServ.exe, if c:program.exe exists, it will be executed instead and MS Antispyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:Program.bat, or c:Program.exe, but not of c:program filesinternet.exe.

Sadly, this isn’t uncommon and when I tested this on my system the first time, 7 applications were executed over a 48 hour period. Try it for yourself. My Program.exe logs the executing user and command args to c:program.log.

Google was not hacked

Sunday, May 8th, 2005

I wrote this as a response to a posting over at OTB about Google being hacked on Saturday night

Since I took so much time writing it, I figured I might as well share it with you…

No, google was not hacked. What happened was threefold…

One, a Google employee was updating Google DNS records on a Saturday and messed up the initial update. Which, hey, could happen to anybody… Even though the update was apparently fixed soon after the initial DNS edit - the edit was cached and there was a wait for worldwide DNS server caches to flush. The unfortunate thing is that the initial mistake caused 1 in 4 google.com DNS lookups to fail. Oopsy.

Secondly, some browsers for some dumb reason will automatically append a .net to a domain name if the .com lookup fails. So, when someone went looking google.com, the lookup failed and then their browser sent them to www.google.com.net which apparently redirected to sogosearch.com (FYI: I tried tonight and it didn’t work for me.). Registering the domain name of google.com.net is not illegal, but pretty sneaky.

Thirdly, what caused a frenzy was that when people were doing Whois lookups and some people with a weird sense of humor used unusual names for their DNS nameserver machines. So people not familiar with DNS nameserver practices were seeing these unusual names (that don’t mean anything) and posting on various Web sites starting that “OMG Google was hacked”.

Oddly enough, the only reason why I noticed that Google was down was that I was rushing out the door and needed directions to a restaurant…so I ended up getting frustrated and had to use Yahoo…oh the humanity.

Some additional thoughts… Google’s IP address is 216.239.57.99

Here is the Slashdot thread

An interesting post at Broadband Reports.com scroll down

This is all

Sunday, May 8th, 2005

:-)

Hiptop that!

Saturday, May 7th, 2005

Someone reading my blog via their Hiptop Sidekick…the IP address resolves back to a Web proxy at danger.com, which is the corporate site.

Host: 216.220.208.110
/blog/archives/000735.html
Http Code: 200 Date: May 07 16:35:19 Http Version: HTTP/1.0
Size in Bytes: 12934
Referer: -
Agent: Mozilla/5.0 (compatible; AvantGo 3.2; ProxiNet; Danger hiptop 1.0)

A sweet sweet afternoon of nothing

Saturday, May 7th, 2005

During this afternoon of doing sweet [redacted] nothing, I downloaded Beck’s Guero as a treat from the iTunes music store and oh my god it rocks.

Now I have some laundry to do and I should figure out what to wear tonight.

I hope it busts…

Tuesday, May 3rd, 2005

I hope it busts, I hope it busts, I hope it busts

I need a wider sample to verify

Sunday, May 1st, 2005

From a craigslist posting… Why Geeks and Nerds Are Worth It

They *already* made the movie

Sunday, May 1st, 2005

I’m already pretty sick of hearing about this whole Runaway Bride thing which was garnering Fox News Alerts! last night (although I’ll bet you that Michael Jackson is probably pleased to hear about this new national distraction), but I have to admit these words of wisdom are pretty funny.

Note to self: Justice of the Peace and a spectacular honeymoon.