22-10-07

Archive of 499 hacked Belgian sites in 2007 online again

You can subscribe to the RSS feed http://www.furl.net/members/mailforlen/rss.xml?topic=hacked

or you can go over to http://be-hacked.skynetblogs.be

It is the only archive that exists on the web.

If it is important (and .be) and it was defaced in 2006-2007, you can probably find it there.

00:04 Posted by technology changes fast not a lot in General | Comments (0)

18-10-07

Corruption at signage company Janssens: who is next?

Well, let us take a look at the references on the company's website,

because how does the company present itself?

The Janssens Group consists of several companies specialising in the production, rental and installation of traffic signage.

Having grown into one of the top companies in its sector, it develops and produces products for a wide range of customers (including the various Roads and Traffic departments of the Ministry, provinces, cities and municipalities, tourism services, utility and public transport companies, road builders, contractors, industrial enterprises and others).

Starting from 'co-partnership', the Janssens group of companies attaches great value to thinking along with the client. With this vision as our standard, and taking the client's specific requirements into account, we offer you our services.

-------------------------------------------------------------------------------------

This also means that the network operators of these institutions must now take measures to ensure that no potential evidence is destroyed, and that it is preserved in such a way that it is admissible in the investigation, or can at least keep providing sufficient indications without being direct evidence. After all, the prosecutor spoke of dozens of civil servants being involved. (Perhaps it is a Flemish 'zwam', to use PS terminology.)

  • N60 Oudenaarde
  • Noorderlaan Antwerp
  • Interchange at the E17 exits, Waregem
  • Exit signs A12
  • Exit signs E19
  • Various large signs R0 Brussels
  • E313 Antwerp
  • R1 junctions Antwerp
  • Malle industrial estate
  • Various cities and municipalities: Assenede, Boutersem, Brussels, Ghent, Kapelle o/d Bos, Knokke-Heist, Londerzeel, Ranst, Sint-Niklaas, Turnhout,...
  • Maintenance works Pittem
  • Metropolis Antwerp
  • Wetstraat Brussels
  • Brussels National Airport
  • Redevelopment of the Grote Markt, Sint-Niklaas
  • http://www.groupjanssens.com/NL/netbuilder.asp?sid=1

Or did the prosecutor mean this contract?

The Traffic Engineering department at the Janssens company was started on 1 January 2004 with the aim of maintaining all traffic lights in Flanders that are owned by the Ministry of the Flemish Community - Department of Environment and Infrastructure. Concretely, this concerns the installations located along regional roads.

The territory is divided into Lot 1 (East and West Flanders) and Lot 2 (Brabant, Antwerp and Limburg).

It is clear that by winning this contract the Janssens company has taken a new direction. For this, people with very good know-how and years of experience have been recruited. Their first concern is to guarantee the proper functioning of all these installations...

14:04 Posted by technology changes fast not a lot in General | Comments (2)

17-10-07

unofficial patch for Windows URI bug

Researcher posts unofficial patch for Windows URI bug

A researcher beat Microsoft to the patch punch Sunday by publishing an unofficial fix for a critical flaw in Windows XP and Server 2003 on PCs with Internet Explorer 7.

KJK::Hyperion, a.k.a. "Hackbunny," a researcher believed to live in Italy, posted a link to the 16KB patch on both his Web site and the Full Disclosure security mailing list Sunday. KJK's patch, dubbed "ShellExecuteFiasco," blocks the execution of malformed URLs and forces normalization of valid URLs. URL normalization, which can include tasks such as changing a URL to all-lowercase and stripping out the "www" part of the address, is a technique used by search engines to reduce indexing of duplicate pages.

Users who apply the patch do so at their own risk, KJK warned. "The present patch is dramatically under-tested and it has underwent [sic] no quality assurance procedure whatsoever, so please deploy with the greatest care," he said in the notes accompanying the fix. "It has a very good chance of misbehaving and making your system unusable."

His patch targets the URI (Universal Resource Identifier) vulnerability that Microsoft acknowledged last week. On Thursday, the company's security group issued an advisory that spelled out the problem, which could allow attackers to compromise systems running Internet Explorer 7 if users clicked on malicious links embedded in e-mail messages or posted on a Web page. Microsoft also said it would release a fix but would not commit to a schedule.

"The update will be part of our normal product update process [and] will be released as soon as we feel it's ready," said Mark Miller, director of the Microsoft Security Response Center, last week.

Microsoft typically takes a dim view of third-party patches like the one KJK posted. Although it did not immediately reply to a request for comment Monday, in past cases, it has cautioned users against deploying any unsanctioned fix.

Symantec gave much the same warning to customers of its DeepSight threat network Monday. In the advisory, Symantec said it had not been able to verify the integrity of KJK's work and told users to "use extreme caution when using patches from third-party sources."

The unsanctioned patch can be downloaded from KJK's Web site.

14:41 Posted by technology changes fast not a lot in General | Comments (0)

15-10-07

Hack of the week (RTBF)

from be-hacked.skynetblogs.be and zone-h.org

An archive of about 700 hacks of .be Belgian websites can be found here:

http://be-hacked.skynetblogs.be

The RSS updates coming from furl.net seem to have a technical hiccup for now, and if they can't fix it, then I will resolve the updates another way in the next few days.

Over the weekend the FreeBSD servers of the RTBF were defaced, so many of their websites showed another page - this time from Iranian hackers being too radio-active. Luckily it wasn't Flemish extremists placing messages about the end of Belgium and so forth; that would have made headlines all over the place.

Time for a security check-up before others try to do the same thing. Once hacked, always attacked. And just to get an idea: how long does it take to get everything up and running again with the holes closed?

[image: bot_004]

13:10 Posted by technology changes fast not a lot in General | Comments (0)

How long does it take to close down a fraudulent PayPal site?

Very long.

If you read the blog posting by F-Secure about finding a specific PayPal phishing fraud set up on the 16th of SEPTEMBER,

and you do the googling with the same terms, then you will find the following sites still up and running and taking your PayPal credentials - thank you.



A few remarks

* First, it is incredible that anyone can register a domain like that without any limits. PayPal is a trademark and a financial business, so you should know that if that registration doesn't come from PayPal it is a fraud. The registrars and domain handlers have to be made accountable for such negligence. They are not acting as a "good housefather" (the legal standard of reasonable care). They should proceed with caution when they get requests for such registrations. I think it shouldn't be too hard to draw up a list of a thousand names of institutions and payment methods whose use in domain names should be restricted.

* Secondly, it is quite amazing that these websites haven't been taken down after they were made public nearly a month ago. I thought that PayPal had a take-down anti-fraud operation or was paying someone to do this for them.

* You should try to block these sites, find a way to whitelist only the legitimate links, and teach your users about phishing, with as the number one rule: NEVER CLICK ON LINKS TO PAYPAL. Always type your financial links by hand in a NEW browser window.
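One way to implement the domain-name limit suggested in the first remark, as an added example that is not part of the original post: a check that flags any hostname carrying a protected brand term whose registrable domain is not one the brand owns, including the "paypal.com.<something>" subdomain trick and hyphen-split spellings. The brand list (PROTECTED), the two-label suffix list and the sample hostnames are assumptions constructed for the example.

```python
"""Flag hostnames that use a protected brand term outside the brand's own domains.
Added example, not from the original post: PROTECTED, the suffix list and the
sample hostnames are constructed (the samples mimic the brand-plus-word pattern)."""
import re

# Constructed: brand term -> registrable domains the brand legitimately owns.
PROTECTED = {"paypal": {"paypal.com", "paypal.be", "paypal.co.uk"}}
# Constructed minimal list of public suffixes that span two labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(hostname):
    """'www.paypal-team.example' -> 'paypal-team.example'; 'login.x.co.uk' -> 'x.co.uk'."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(hostname):
    """Return 'legit', 'suspicious' or 'unrelated' for one hostname."""
    host = hostname.lower()
    # Collapse separators so 'pay-pal' or 'pay.pal' still matches the brand term.
    collapsed = re.sub(r"[-_.]", "", host)
    reg = registrable_domain(host)
    for brand, owned in PROTECTED.items():
        if brand in collapsed:
            # Only the brand's own registrable domain is fine; 'paypal.com.attacker.example'
            # fails because its registrable domain is 'attacker.example'.
            return "legit" if reg in owned else "suspicious"
    return "unrelated"


def triage(hostnames):
    """Group hostnames by verdict, e.g. to build a block list for review."""
    out = {"legit": [], "suspicious": [], "unrelated": []}
    for h in hostnames:
        out[classify(h)].append(h)
    return out


# Constructed sample: brand-plus-word names like the ones the post found, plus benign hosts.
SAMPLE = ["www.paypal.com", "paypal-account-verify.example", "paypal.com.attacker.example",
          "pay-pal-login.example", "login.paypal.co.uk", "example.org"]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE).items():
        print(verdict, hosts)
```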

12:40 Posted by technology changes fast not a lot in General | Comments (0)

Belgacom-infected botnet attacks give Belgium bronze in the botnet battle

Could it be true what sources are telling us? That the Russian problem on our Belgian net is bigger than the media lead us to believe?

The numbers on this international attack monitoring site may give us more info:

http://atlas.arbor.net/cc/BE

For the moment we are the third country in the whole world, both infected by attacks and attacking others, just behind China and the US. Wow, this little country can be famous in so many mysterious ways.

The traffic is mostly Windows port 445 and 135, and some 139.

According to Atlas, 80% of these attacks exploit the ASN.1 vulnerability CVE-2003-0818:

Age: 1321 days | Severity: High | CVSS Score: 7.0
Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings.

and for this kind of attack we have won the Olympic gold medal

[image: bot_001]

And the Belgacom network is the main source of the attack

[image: bot_002]

and the main sources are

[image: bot_003]

We are also conducting botnet DDoS attacks against others, which is normal if you are infected, and also scanning for other vulnerable computers.

And further down the page you can see there is actually only one botnet.

So how much time will it take to bring down 1 (you have read it right) botnet and clean up the mess of infected PCs/servers (before another botnet recuperates them)?

Tips for network admins

* Block all ICQ traffic on your firewall if you haven't done so already. Period. Why? Because most of the botnet commands come in over ICQ. Also block, on every port, any destination with ICQ in it. And are you sure everybody needs plain FTP on port 21? Or that any PC has to be its own mail server on port 25?

* Look in your firewall logs for internal scanning traffic, if you have diverted all non-responsive scanning traffic (to non-existent servers, for example). Throw the PCs and servers that are wildly scanning your internal network off the network. Period. Disinfect and monitor, and if that isn't successful you will need an anti-rootkit tool; in the worst case you have lost the PC/server and you will have to back up the documents to a separate backup and totally re-install the server/PC.

* Contact the network admins of the official network or the ISPs about Belgian-based scanning and attacking traffic. You can try the e-cops or BIPT, but I am not sure if they already have a cyberinfrastructure defence procedure. ...

* Limit your outbound traffic to normal ports (for users this would only be 80, 8000, 8080, 443, 53 (if you don't have an internal DNS relay server), ...)

* I presume that your PCs/servers are all updated and have antivirus, a firewall and so on?
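The second and fourth tips (spotting internal scanners in the firewall log, and egress limited to the listed ports) as one added example that is not part of the original post: it parses iptables-style log lines, counts how many distinct internal hosts each source hits on ports 135/139/445, and lists outbound connections to ports outside the allowed set. The log format, the internal range 10.0.0.0/8, the scan threshold and the sample lines are assumptions constructed for the example.

```python
"""Spot internal scanners and unexpected egress in firewall log lines (added example, not from
the post: the iptables-style log format, the 10.0.0.0/8 range, threshold and samples are constructed)."""
import ipaddress
import re
from collections import defaultdict

WORM_PORTS = {135, 139, 445}                   # Windows ports the post says carry the traffic
ALLOWED_EGRESS = {80, 443, 53, 8000, 8080}     # "normal" outbound user ports from the tips
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: the site's own address range
SCAN_THRESHOLD = 5   # assumption: distinct internal targets on worm ports before we call it a scan
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")


def parse_line(line):
    """Return {'src', 'dst', 'dpt'} for a connection log line, or None for anything else."""
    f = dict(FIELD.findall(line))
    if not all(k in f for k in ("SRC", "DST", "DPT")):
        return None
    return {"src": f["SRC"], "dst": f["DST"], "dpt": int(f["DPT"])}


def analyse(lines):
    """Return (scanners, egress): sources sweeping worm ports, and outbound hits on other ports."""
    targets = defaultdict(set)  # src -> distinct internal hosts it touched on worm ports
    egress = []                 # (src, dst, dpt) for outbound traffic outside ALLOWED_EGRESS
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL:
            if rec["dpt"] in WORM_PORTS:
                targets[rec["src"]].add(rec["dst"])
        elif rec["dpt"] not in ALLOWED_EGRESS:
            egress.append((rec["src"], rec["dst"], rec["dpt"]))
    scanners = {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= SCAN_THRESHOLD}
    return scanners, egress


# Constructed sample: 10.0.0.5 sweeps port 445 across a subnet, 10.0.0.7 makes a single SMB
# connection, 10.0.0.9 reaches out on 5190 (ICQ) and 443, 10.0.0.11 sends mail directly on 25.
SAMPLE = ["Oct 15 09:30:%02d fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=10.0.1.%d PROTO=TCP DPT=445"
          % (i, i) for i in range(1, 9)] + [
    "Oct 15 09:31:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=10.0.1.20 PROTO=TCP DPT=445",
    "Oct 15 09:31:05 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.8 PROTO=TCP DPT=5190",
    "Oct 15 09:31:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=203.0.113.9 PROTO=TCP DPT=443",
    "Oct 15 09:31:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.11 DST=198.51.100.4 PROTO=TCP DPT=25",
]

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

A host that merely talks SMB to one file server (10.0.0.7 above) stays below the threshold, which is the distinction the second tip relies on.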

And please, help those guys by placing more monitors: http://www.arbornetworks.com/atlas_register.php

09:30 Posted by technology changes fast not a lot in General | Comments (0)

14-10-07

more than 500 other Belgian sites with porn and spam-infected comments

buy levitra viagra porn site:.be   put this in Google and change .be to the name of your site

The problem with this spam is that it makes it possible to insert links that send the reader instantly to another site, where he can eventually be infected with malware and other stuff if he isn't patched, updated or protected.

22:50 Posted by technology changes fast not a lot in General | Comments (0)