cool,<br>HD Moore started a thread,<br><br>yeah, let's reply as much as we can!!!<br><br><br><div><span class="gmail_quote">On 6/6/07, <b class="gmail_sendername">Kradorex Xeron</b> &lt;<a href="mailto:admin@digibase.ca">admin@digibase.ca
</a>&gt; wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">On Wednesday 06 June 2007 09:47, H D Moore wrote:<br>> Hello,<br>>
<br>> Some friends and I were putting together a contact list for the folks<br>> attending the Defcon conference this year in Las Vegas. My friend sent<br>> out an email, with a large CC list, asking people to respond if they
<br>> planned on attending. The email was addressed to quite a few people, with<br>> one of them being David Maynor. Unfortunately, his old SecureWorks<br>> address was used, not his current address with ErrattaSec.
<br>><br>> Since one of the messages sent to the group contained a URL to our phone<br>> numbers and names, I got paranoid and decided to determine whether<br>> SecureWorks was still reading email addressed to David Maynor. I sent an
<br>> email to David's old SecureWorks address, with a subject line promising<br>> 0-day, and a link to a non-public URL on the <a href="http://metasploit.com">metasploit.com</a> web server<br>> (via SSL). Twelve hours later, someone from a Comcast cable modem in
<br>> Atlanta tried to access the link, and this someone was (confirmed) not<br>> David. SecureWorks is based in Atlanta. All times are CDT.<br>><br>> I sent the following message last night at 7:02pm.<br>>
<br>> ---<br>> From: H D Moore &lt;hdm[at]metasploit.com&gt;<br>> To: David Maynor &lt;dmaynor[at]secureworks.com&gt;<br>> Subject: Zero-day I promised<br>> Date: Tue, 5 Jun 2007 19:02:11 -0500<br>> User-Agent: KMail/1.9.3
<br>> MIME-Version: 1.0<br>> Content-Type: text/plain;<br>> charset="us-ascii"<br>> Content-Transfer-Encoding: 7bit<br>> Content-Disposition: inline<br>> Message-Id: &lt;200706051902.11544.hdm
[at]metasploit.com&gt;<br>> Status: RO<br>> X-Status: RSC<br>><br>> <a href="https://metasploit.com/maynor.tar.gz">https://metasploit.com/maynor.tar.gz</a><br>> ---<br>><br>> Approximately 12 hours later, the following request shows up in my Apache
<br>> log file. It looks like someone at SecureWorks is reading email addressed<br>> to David and tried to access the link I sent:<br>><br>> <a href="http://71.59.27.152">71.59.27.152</a> - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz
<br>> HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en)<br>> AppleWebKit/419 (KHTML, like Gecko) Safari/419.3"<br>><br>> This address resolves to:<br>> <a href="http://c-71-59-27-152.hsd1.ga.comcast.net">
c-71-59-27-152.hsd1.ga.comcast.net</a><br>><br>> The whois information is just the standard Comcast block boilerplate.<br>><br>> ---<br>><br>> Is this illegal? I could see reading email addressed to him being within
<br>> the bounds of the law, but it seems like trying to download the "0day"<br>> link crosses the line.<br>><br>> Illegal or not, this is still pretty damned shady.<br>><br>> Bastards.<br>>
<br>> -HD<br><br>I will seldom touch on the legal side, but I have a possible scenario:<br><br>-- If David is no longer at that address, it could be said that his mail<br>account was taken down and the mail sent ended up in a possible "catch-all"
<br>box; perhaps someone at SecureWorks was looking through that catch-all<br>mailbox for any interesting mail sent to the <a href="http://secureworks.com">secureworks.com</a> domain (i.e. to<br>old employees). It's quite common for companies and organizations to monitor
<br>former employees' mailboxes so that anyone who doesn't have new<br>contact information can still get somewhere with the old address.<br>And, them being a security organization, maybe they proceeded to investigate
<br>the link sent.<br><br><br>><br>> _______________________________________________<br>> Full-Disclosure - We believe in it.<br>> Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>> Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br>Marcio Barbado, Jr.
<br>==============<br>==============
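An added example (mine, not code from HD Moore or anyone else on the list): a Python parser for the Apache combined log format of the line HD quoted. It flags every request for the canary path and computes how long after the message was sent each request arrived, which is the evidence the thread is arguing over. The sample log lines are constructed (documentation-range IPs, one malformed line, one HEAD request with a query string); only the path and the Date header value come from the thread.

```python
import re
from datetime import datetime
from typing import Optional

# Apache "combined" access-log format, the format of the line HD quoted:
# host ident authuser [date] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_canary_hits(log_text: str, canary_paths: set, sent_at: datetime) -> list:
    """Return every request for a canary path, with the delay since the mail was sent.

    The HTTP status is deliberately ignored: the canary file need not exist (HD's
    was a 404); the request itself is the signal. Any query string is stripped
    before matching so '/maynor.tar.gz?x=1' still counts as a hit.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or non-access-log line
        if rec["path"].split("?", 1)[0] in canary_paths:
            rec["delay"] = rec["time"] - sent_at
            hits.append(rec)
    return hits


# Constructed sample log (not HD's real log): documentation-range IPs, one line
# that is not a log record, one HEAD request with a query string.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jun/2007:19:16:42 -0500] "GET /maynor.tar.gz HTTP/1.1" 404 211 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) Safari/419.3"
203.0.113.9 - - [05/Jun/2007:20:01:05 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.15.5"
this line is not an access-log record
192.0.2.44 - - [06/Jun/2007:07:12:30 -0500] "HEAD /maynor.tar.gz?x=1 HTTP/1.0" 404 - "-" "Wget/1.10.2"
"""
# Date header of the canary message as quoted in the thread.
CANARY_SENT_AT = datetime.strptime("05/Jun/2007:19:02:11 -0500", TIME_FMT)

if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, {"/maynor.tar.gz"}, CANARY_SENT_AT):
        print(f'{hit["host"]:15} {hit["time"].isoformat()} {hit["method"]} '
              f'{hit["status"]} after {hit["delay"]}  UA={hit["ua"]}')
```

The delay and user-agent columns are what separate the two readings the thread offers: a request seconds after delivery from a command-line tool looks like an automated link scanner on the catch-all mailbox, while one hours later from a desktop browser looks like a person reading the mail. The log alone cannot prove which, which is why the status code is not used as evidence here.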