l33t5h@rk

This is pretty alarming yet can be considered almost a victory in some ways. Technology is finally being recognized.

@alucian wrote:

I think that the access to this courses and the fact that part of the money will go to support some OWASP projects justify the 50$ for membership.

I’ll join OWASP as a member.

Thanks!

Yeah huge value in my opinion, wealth of information for the cost!

@alucian wrote:

This courses/learning are offered to the members only, or they are offered to the public?

Hi Alucian – Don’t see that it is restricted, give it a shot:

http://www.owaspa.org/learning_blocks/login/index.php

@MaXe wrote:

There’s also the Owasp Mailing lists, that occasionally has “good” info too.

The webappsec.org mailing is however, heavily moderated and rarely contains the really cool stuff you would see on less heavily moderated lists. But it’s a good list to follow none the less. ~ My personal opinion hehe  🙂

I am a member of OWASP and wanted…[Read more]

@don wrote:

Yes. The sponsor was a little behind in getting some details. Working out the kinks. Seems like everyone needs extra time after the holidays.

Amen to that, I’m still trying to get adjusted, 2 weeks vacation and 10 lbs later, I think I’m ready to get back after it in 2012  😀

Congrats!

@SephStorm wrote:

once I VPN in, I am considered on the local network right? All smb traffic would be going through the tunnel and not directly accessible?

Correct, it would all be tunneled and the cifs ports will not be exposed. It’s unlikely the ports are exposed externally as you would have to have explicitly defined this. Hope this helps!

Are the other sites similar sites to this or common social networking sites and this is a portal to those? Just curious as to the goal.

Interesting experiences, very good reads from both of you!

@lorddicranius wrote:

https://help.ubuntu.com/community/dhcp3-server

This page says the lease time is configured in /etc/dhcp3/dhcpd.conf.

Would think it is on srv side

What does the master password do exactly?

I have written an app before that used a similar setup but the master password was more of the value of an  encryption key that was stored (hashed) in a configuration file, with the keys residing at the OS level.

Happy Holidays to all EH-Netters across the world!

@Jamie.R wrote:

Maybe EH should have a projects page where people can give back 😛

+1

@knwminus wrote:

At any rate that is my 18 month goal (CCNP:S,CCNP,CCIE:S) with OSCP possibly mixed in there.

Holy aggressive batman

@rance wrote:

I think you just volunteered!  ;D

I’d chip in, if that helps.

That’s interesting I figured it was just a php vuln that was exploited.

Best of luck

If you’re just trying to add:
psexec srvName icacls.exe D:temp* /grant user-name:(D,GR,X)

Obviously it will need a little tweaking w/ the switches but this should do you for a starter.

That’s good news, have you got any info on whether or not the db was backed up?

@dynamik wrote:

If you can’t use Powershell, psexec and icacls should do the trick.

Yep – these can all do it. If you don’t have powershell, figure out what the ACL should look like, write out the icacls.exe command & variables, then save it in a batch file and script it out to the other boxes.

What OS(es) are involved? All W2K3?

I (hesitantly) went to the site and it does look like they just defaced it instead of actually hacking the thing, likely somebody just found a leak in the vBulletin software and exploited it that way. I’d say if you can restore the database w/ the updated software that’s probably the most you can do for now.

FYI – this thing sadly happens a lot…[Read more]