Security Incidents mailing list archives

Re: pimpshiz / put i.txt


From: Jason Witty <jason () WITTYS COM>
Date: Fri, 6 Oct 2000 05:47:09 -0500

I may be going out on a limb here, but the 'exploit' PimpShitz is using
looks more like a simple HTTP PUT instead of an HTTP GET.  A friend of mine
just got hit last week (I haven't seen the logs, but he described them), and
the i.txt file was placed into a directory, via a standard HTTP PUT (wrong
permissions on the directory).  So his little '0-Day 3xp01t' is probably
nothing more than Netscape HTML Editor's publish function or Front Page for
that matter.  Just my two....

Jason


At 12:08 AM 10/6/00 GMT, Tony Turk wrote:
I have spoken to pimpshiz, and he DOES NOT use the RDS' sploit.  He does use
a 0day, but I am unsure of its nature.  He has defaced all IIS/NT servers,
so that at least narrows it down.  More logs would be nice though.


From: Steve <Steve () SECURESOLUTIONS ORG>
Reply-To: Steve <Steve () SECURESOLUTIONS ORG>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: pimpshiz / put i.txt
Date: Thu, 5 Oct 2000 06:27:19 -0600

I attempted to contact Pimpshiz and got the following:

"I will do an interview but I will not discuss my techniques or exploit."

He has told media outlets that he has some 0day sploit that no one knows
about.  I would love to see more logs as I am starting to think that he is
simply using the RDS exploit.

For those of you who have been defaced by this, in my opinion, script
kiddie, check www.wiretrip.net/rfp for the original advisory on the RDS
exploit, there is a spot that talks about log entries to watch for.

-Steve

-----Original Message-----
From: Jonathan Rickman
To: INCIDENTS () SECURITYFOCUS COM
Sent: 10/4/00 7:07 PM
Subject: Re: pimpshiz / put i.txt

I seem to remember seeing one of his recent defacements mention that one
could look for the file i.txt as well as several others once the main page
was restored as proof that he still owned them. Don't quote me on that,
but I'm pretty sure that's what it said. Check the attrition archives.

You could just email pimpshiz and ask... he'll probably tell you.

--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
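
Added example, not part of the original thread or any poster's code: a log triage sketch that separates the two theories discussed above (a plain HTTP PUT accepted by a writable directory versus requests to the RDS endpoint) in IIS W3C extended logs. The sample log lines are constructed, the finding labels are hypothetical, and the `/msadc/msadcs.dll` path is the commonly documented RDS endpoint, not something stated in the thread.

```python
# Constructed sample in W3C extended format; addresses are documentation ranges.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-10-01 03:12:44 192.0.2.10 GET /default.htm 200
2000-10-01 03:12:51 192.0.2.10 PUT /i.txt 201
2000-10-01 03:13:02 192.0.2.10 PUT /scripts/x.txt 403
2000-10-01 03:14:10 198.51.100.7 POST /msadc/msadcs.dll 200
2000-10-01 03:15:00 192.0.2.10 GET /i.txt 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def triage(text):
    """Return (label, client_ip, uri) tuples for requests worth a closer look."""
    findings, written = [], set()
    for r in parse_w3c(text):
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "")
        status = r.get("sc-status", "")
        ip = r.get("c-ip", "-")
        if method == "PUT":
            if status.startswith("2"):      # server accepted the write
                written.add(stem.lower())
                findings.append(("put-accepted", ip, stem))
            else:                           # attempt seen, write refused
                findings.append(("put-refused", ip, stem))
        elif method == "POST" and stem.lower().startswith("/msadc/msadcs.dll"):
            findings.append(("rds-request", ip, stem))
        elif method == "GET" and status == "200" and stem.lower() in written:
            findings.append(("fetch-of-uploaded-file", ip, stem))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```

A `put-accepted` finding points at directory write permissions rather than a new exploit; any directory it names should have write access removed and its contents reviewed.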
