Friday, January 28, 2005

Crowt-A worm or virus whatever you call it

Crowt-A worm has used a cool social engineering technique to get into ppl's machines and the way it happens with Win machines This just in! Your windows box is mine!

Crowt-A's subject line and attachment share the same name, but continually change to mirror the front-page headline on CNN's website. The message text is also lifted from CNN as part of a social engineering technique designed to trick users into believing infected emails are pukka.

You can know more on the virus here at the securityfocus website.


Monday, January 17, 2005

vgpd aka Virtual Gateway Protocol Daemon

Found a application similar to HSRP on Linux by Marco Tizzoni and does HSRP Kinda stuff on Linux

It is called the Virtual Gateway Protocol Daemon

I have tired it out and has the same features as HSRP but remmeber it is not compatible with HSRP
The best part about this application is that it puts log entries with the default log deamon which is syslogd on most systems.

You can access this deamon via

A few words before you go on to have a test run at it.

1. It requires gcc version > 3.0 which i guess is on all the systems
2. You need to generate a sha key for it to start so that it can be run. I feel this is not documented properly but you can generate a key and place it in a file :

-rw-r--r-- 1 root root 47 Jan 17 01:42 /etc/vgp-key

The way to run is :

vgpd -a -i eth0 -p 100
You can specify the group and also by default -l or --log option is on to log to default system logger deamon.

A snip from the messages file is below :

Jan 17 01:42:53 jabber vgpd[4043]: vgpd started, entering initialization phase...
Jan 17 01:42:53 my_test_sys vgpd[4043]: Interface : eth0
Jan 17 01:42:53 my_test_sys vgpd[4043]: Virtual interface : eth0
Jan 17 01:42:53 my_test_sys vgpd[4043]: vgp priority set to : 0x64
Jan 17 01:42:53 my_test_sys vgpd[4043]: vgp group set to : 0x01
Jan 17 01:42:53 my_test_sys vgpd[4043]: Hello time : 2
Jan 17 01:42:53 my_test_sys vgpd[4043]: Hold time : 6
Jan 17 01:42:53 my_test_sys vgpd[4043]: Virtual IP :
Jan 17 01:42:53 my_test_sys vgpd[4043]: Virtual MAC : 00:00:5E:00:01:01
Jan 17 01:42:56 my_test_sys vgpd[4044]: set_ipaddr(): Successfully set ip address:

I have tried it out and it works great.

Remember it is not compatible with HSRP on cisco router's / MLS switches.

Coming up how dynamic DNS can ease up your life if you use DHCP Server on the network to give IP addr's to the client machine and this one is specially for my good friend Nikhil whos alwayz got a machine for me to test new stuff on.


Sunday, January 16, 2005

HSRP Exploit : Continuing on with my previous posts on HSRP

Hey ALL on a Sunday evening,

Many of us have implemented HSRP in our network if we have a an all Cisco devices which is enerally the case in India. Just though about mentioning a HSRP hack , a very old one though. Before i go on in case u wanna know more on HSRP and how to configure it you can go to my previous posts Linux and HSRP or call it LINUX HSRP and it links to all the previous posts too:).

Continuing with todays topic on the exploit in HSRP :

HSRP uses UDP port 1985 to communicate with other routers about its support for HSRP (It sends packets on the multicast address of Since by default (Cisco doesn't recommend this but most systems are installed in this manner) HSRP's authentication process is done in clear text it is possible to spoof a valid HSRP session. One of the options that can be accomplished by spoofing the protocol is a DoS attack.

What Cisco's is gotta say on this is below :

Cisco recommends that IPSec is deployed to prevent such protocol spoofing and you can access a how-to by them here.

I haven't tried it in with VRRP but i guess VRRP shld also be venurable to this exploit. It is just spoofing of mac ID in layman terms and you need not worry until you have a micreant on the network who wants to take you for a ride.

I am off to coffee now with my pals at quicky's the indian version of starbucks.

Till the next time happy working:)


Saturday, January 15, 2005

RAM with an LED ticker

Corsair has shipped a RAM stick with a mini-LED pixelboard built into it. It's intended to show the temperature of the RAM, but you can also customize it to display your own messages in a continuous scrolling ticker that splashes unread messages in red light on the inside of your case.

Corsair FilterBetter yet, you can use Corsair's Memory Dashboard to program the memory to display your own personalized greeting (or obnoxious salute). Type in a message, you can have three messages of up to 23 characters each, click a button, and your message gets sent to some spare bits on the memory. (Where exactly? According to Corsair "the default message is stored in a microcontroller on the DIMM; user programmable messages are stored on the hard drive and loaded in Startup.") And from then on, that message will scroll across the display like your very own tiny Times Square Zipper...except it won't be giving you the latest news headlines and sports scores.

The source of this post is extremetech


Saturday, January 08, 2005

Fault in Linux Kernel 2.4 => 2.4.29-rc2, 2.6 => 2.6.10

According to Paul Starzetz, there is a nasty privilege escalation bug in the linux kernel where unprivileged local users can gain elevated (root!) privileges.

Picked from the Article :

Locally exploitable flaws have been found in the Linux binary format loaders' uselib() functions that allow local users to gain root privileges.


Paul further describes the level of this vulnerability:

We have found at least three different ways to exploit this vulnerability. The race condition an be easily won by consuming a big amount of memory. The code attached uses a similar technique like the do_brk exploit and uses a LDT call gate to gain CPL0 privileges. However another exploitation vectors exist: through page reference counters and 'ghost PTEs'.

Paul was kind enough to provide an exploit as well, which is available on the same page.

Time to tighten up the user environment on your linux box but remmeber you can take it easy if you trust your internal users. :-)

UPDATE: 2.6.10-ac has been patched. 2.4.29 to be fixed shortly.

The linux community just rocks!


Wednesday, January 05, 2005

Netcraft Anti-Phishing Toolbar

The Netcraft Toolbar uses Netcraft's enormous databases of web site information to show you all the attributes of each site you visit on the Web, including the sites' hosting location, country, longevity and popularity. This is good for the exact reason the site mentions, clear display of sites' hosting location at all times helps you validate fraudulent urls (e.g. the main online banking site of a large US bank is unlikely to be hosted in the former Soviet Union). Also, the Netcraft Anti-Phishing Toolbar happily coexists with Google and other Toolbars.

Firefox users: Development of a Firefox version of the toolbar is underway, and started just before Christmas. It will available as soon as possible.