Is there any GOOD alternative other than Packet Storm???
On 11/4/09, Jon Kibler <Jon.Kibler (at) aset (dot) com [email concealed]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> All,
>
> Starting yesterday afternoon, I had a bunch of people begin to ask me about
> inj3ct0r.com. Google it and you find:
>
> 1) "milw0rm.com is dead, inj3ct0r.com is born!"
> 2) "New BuGTraCk project ( Exploits database ) inj3ct0r.com"
>
> Two red flags right off the bat. (A Bugtrack project? Get real!)
>
>
> Asking several well connected folks in the industry, only one had ever heard
> of the site and his opinion was exactly the same as mine: evil site. Any
> legitimate effort to distribute exploits for defensive purposes would require
> being known in the industry and being trusted by your peers before there could
> be a reasonable expectation of site contributions. This is a BIG RED FLAG to
> have an unknown person taking on such a task.
>
> If you visit the site, it just looks bogus. It has the appearance of a sloppy
> and incomplete wget of milw0rm, with some editing to make links work and to
> provide some replacement scripts. The site just looks completely bogus.
> Another set of big red flags!
>
>
> Checking inj3ct0r.com's registration record:
> - ----------
> whois -h whois.PublicDomainRegistry.com inj3ct0r.com
> Registrar: DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A
> PUBLICDOMAINREGISTRY.COM
> Registration Service Provided By: RU@HOSTING
> Contact: +7.38526996373
>
> Domain Name: INJ3CT0R.COM
>
> Registrant:
> milw0rm now at inj3ct0r.com
> str0ke aka r00t0ro0t3r (e-c-h-0 (at) mail (dot) ru [email concealed])
> Burdenko 43
> inj3ct0r
> Adana,123000
> TR
> Tel. +7.4953216549
>
> Creation Date: 13-Dec-2008
> Expiration Date: 13-Dec-2013
>
> Domain servers in listed order:
> ns.secondary.net.ua
> wateam.org.ua
>
>
> Administrative Contact:
> inj3ct0r
> str0ke aka r00t0ro0t3r (e-c-h-0 (at) mail (dot) ru [email concealed])
> Burdenko 43
> inj3ct0r
> Adana,123000
> TR
> Tel. +7.4953216549
>
> Technical Contact:
> inj3ct0r
> str0ke aka r00t0ro0t3r (e-c-h-0 (at) mail (dot) ru [email concealed])
> Burdenko 43
> inj3ct0r
> Adana,123000
> TR
> Tel. +7.4953216549
>
> Billing Contact:
> inj3ct0r
> str0ke aka r00t0ro0t3r (e-c-h-0 (at) mail (dot) ru [email concealed])
> Burdenko 43
> inj3ct0r
> Adana,123000
> TR
> Tel. +7.4953216549
>
> Status:ACTIVE
> - ----------
>
> Okay, how many red flags do we see here?
>
> 1) Claims to be owned by str0ke.
> 2) Has a .ru email address.
> 3) Has a claimed TR address (.ru + TR has been a past RBN clue).
> 4) Is trying to associate itself with milw0rm.
>
> And those are just the red flags that I see without doing any more research!
>
>
> Next, where is the site hosted?
>
> - ----------
> $ host www.inj3ct0r.com
> www.inj3ct0r.com is an alias for inj3ct0r.com.
> inj3ct0r.com has address 77.120.101.8
>
> $ wip 77.120.101.8
> checking whois.arin.net...
> checking whois.ripe.net...
>
> inetnum: 77.120.101.0 - 77.120.101.255
> netname: VOLIA-DC
> descr: Volia DC colocation #6
> remarks: Send spam reports to: abuse (at) dc.volia (dot) com [email concealed]
> country: UA
> admin-c: VDCA-RIPE
> tech-c: VDCT-RIPE
> status: ASSIGNED PA
> mnt-by: VOLIA-DC-MNT
> source: RIPE # Filtered
>
> person: Volia DC Admin contact
> address: Ukraine, Kiev
> phone: +38 044 2852716
> abuse-mailbox: abuse (at) dc.volia (dot) com [email concealed]
> nic-hdl: VDCA-RIPE
> mnt-by: VOLIA-DC-MNT
> source: RIPE # Filtered
> - ----------
>
> Hosted in Kiev, UA. Not a good sign.
>
>
> Everything about the site looks and smells suspect.
>
> As it is said...
> "If it looks like a duck, and
> it quacks like a duck, then
> it is probably a duck."
>
> In my professional opinion, everything about this site is "wrong." I would
> strongly recommend avoiding it. It just looks too bogus and it is trying too
> hard to appear legitimate, but no one knows who is behind it.
>
> Never trust a site handing out exploits if you don't know who is providing
> the exploits!
>
> So what could be the purpose of this site? These are only some hypotheses
> and speculations... no hard evidence to date to back up my thoughts:
>
> 1) The site could be phishing for new 0-day exploits that could be used in
> targeted or widespread attacks by criminal organizations.
>
> 2) The site could be modifying known exploits, adding back doors (if you are
> a script kiddie, are you going to check the embedded shell code?) that hand
> over compromised boxes to some botnet.
>
> 3) A means of infecting systems that visit the site. (No sign of that at
> this time.)
>
> 4) Other?
>
>
> Bottom line: My recommendation is to avoid this site like the plague.
>
> Also, don't count milw0rm as dead yet. Str0ke had a lot of friends. Let's
> wait and see if anyone picks up his site and runs with it.
>
> Jon
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-813-2924
> s: 843-564-4224
> s: JonRKibler
> e: Jon.Kibler (at) aset (dot) com [email concealed]
> e: Jon.R.Kibler (at) gmail (dot) com [email concealed]
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
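The registration and hosting checks Jon walks through above, turned into a small offline triage script (an added example, not code from the post or from any tool it names): it parses a constructed whois record and RIPE extract modelled on the quoted ones and reports which of the post's red flags they raise. The ccTLD table and the hosting-country-vs-registrant-country comparison are the example's own assumptions.

```python
import re
# Constructed sample whois output, modelled on the record quoted in the post
# (e-mail kept in the list's concealed "(at)" / "(dot)" form).
WHOIS_SAMPLE = """\
Domain Name: INJ3CT0R.COM
Registrant:
milw0rm now at inj3ct0r.com
str0ke aka r00t0ro0t3r (e-c-h-0 (at) mail (dot) ru [email concealed])
Adana,123000
TR
Creation Date: 13-Dec-2008
"""
RIPE_SAMPLE = "inetnum: 77.120.101.0 - 77.120.101.255\nnetname: VOLIA-DC\ncountry: UA\n"  # constructed RIPE-style extract
CCTLD_COUNTRY = {"ru": "RU", "ua": "UA", "tr": "TR"}  # only the ccTLDs this example needs (assumption)

def deobfuscate(text):
    """Turn 'user (at) host (dot) tld' back into a parseable address."""
    return re.sub(r"\s*\(dot\)\s*", ".", re.sub(r"\s*\(at\)\s*", "@", text))

def parse_whois(text):
    """Pull out the registrant fields the post's red-flag checklist relies on."""
    text = deobfuscate(text)
    m = re.search(r"Registrant:\n(.*?)(?:\n\n|\nCreation Date)", text, re.S)
    block = m.group(1) if m else ""
    email = re.search(r"[\w.+-]+@[\w.-]+\.([a-z]{2,})", block)
    country = re.search(r"^([A-Z]{2})$", block, re.M)   # bare two-letter country line
    return {"registrant_text": block,
            "email_tld": email.group(1).lower() if email else None,
            "country": country.group(1) if country else None}

def parse_ripe_country(text):
    """Country of the hosting netblock from a RIPE 'country:' line."""
    m = re.search(r"^country:\s*([A-Z]{2})", text, re.M)
    return m.group(1) if m else None

def red_flags(whois, hosting_country, known_handles=("str0ke",), brand="milw0rm"):
    """Apply the post's checklist: claimed known handle, claimed association with a
    known site, e-mail ccTLD vs registrant country, hosting country vs registrant."""
    flags = []
    low = whois["registrant_text"].lower()
    if any(h in low for h in known_handles):
        flags.append("claims-known-handle")
    if brand in low:
        flags.append("associates-with-" + brand)
    tld_country = CCTLD_COUNTRY.get(whois["email_tld"] or "")
    if tld_country and whois["country"] and tld_country != whois["country"]:
        flags.append(f"email-{tld_country}-vs-registrant-{whois['country']}")
    if hosting_country and whois["country"] and hosting_country != whois["country"]:
        flags.append("hosted-" + hosting_country)
    return flags
```

Run against the sample it returns all four flags; a record whose e-mail ccTLD, registrant country and hosting country agree and that names no known handle or site returns an empty list.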
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------