Demented Ramblings of a Sysadmin Turned Infosec
Bitcoins gratefully accepted: 1BBB3p5xm8ncHNTbzsEdyddgdDsK1Gf2mT
a very basic video tutorial covering how to compile with debug information, load your app into gdb, set breakpoints and step through it.
No where near as much details as I wanted, but I never seem to get time to finish the full version, this will help in the interim.
NOTE: you will need XviD codec or use VLC.
If you re-distribute the video please give a link back (don’t force me to start water marking).
[FLOWPLAYER=gdb.flv,600,450]
Sorry for the delay in the new articles, seems I’ve been “snowed” under, metaphoracly and litterally (brrr it’s cold!)
The following are in the works and are to be posted soon:
Nasty little bug this one, it’s a mutator, and despite having booted the machine into safe mode, used process explorer to kill every process it hooked into and finally having to use a command window to remove the offending .dll, once this thing got an active internet connection the fun and games started again!
The best thing you can do is go strait for the removal tool here
There is also links on that page for more information on the virus.
I suggest you remove the infected machine from having any network connection, download the removal tool to a known “good” workstation, and load the .exe onto removable storage (usb), to be run on the infected machine.
UPDATE: Just using the tool for me at least isn’t working! I am now trying this in safe mode.
UPDATE2: OK! Wonderfull the symantec removal tool is not working at all I am trying another tool VundoFix
I’ll post anoth update once the scan has finished
UPDATE3: Nope, role on tool #3 COMBOFIX
UPDATE4: Combofix did the job, this tool does advertise the fact that 1/100 machines die from running this tool, so if the symantec tool doesn’t work use combofix (at your own risk). NOTE: I ran this in safe mode, it then rebooted windows normally and ran the log dump, the system may hang while it does this, mine recovered after about 5 mins, I also copied the program to C:\ prior to running.
Well this is a barrel of laughs…
“The problem is that the ORDB blacklist (which was decommissioned on Dec 18 2006) has been reactivated, but in such a way that it returns a positive match for every query. The operators have done this in order to prompt people who were still using the list to remove it from their configuration.”
Source: https://forums.whirlpool.net.au/forum-replies-archive.cfm/944800.html
At the moment this is effecting our exchange servers, and it’s unclear if this is a legacy smtp event or part of the anti spam software…
Everything is being bounced, needless to say I can tell you working for a company that has over a million emails a day this is NOT GOOD!
If your clients are receiving bounce backs I suggest you contact them immediately, and inform them of the situation.
ORDB SORT YOUR ACT OUT!
I will update as I find a workaround!
UPDATE!!!!
For exchnage 2003 use the following article as a guide (Thanks KERM!):
https://www.msexchange.org/tutorials/Blacklist_Support_Exchange_2003.html
Remove ORDB! (see below)
(UPDATE: OR remove wirehub: see new post)
Acies Latin: a sharp edge or point; mental acuity, sharpness of vision
A fitting name I thought for my new project, rather a name of a framework (yes I actually intend to finish this one!), initially the framework will comprise of code I have written over the years (brought in-line with PHP5).
More details will appear @ https://acies.blog.oneiroi.co.uk as I complete the modules.
There are several projects lined up awaiting completion of Acies, once in place I should be able to turn these around quite rapidly.
More Soon