Posted by reto on 24 October, 2006 20:02

The PHP Security Consortium has released v0.1.1 of their PHPSecInfo tool. From their website:
The idea behind PHPSecInfo is to provide an equivalent to the phpinfo() function that reports security information about the PHP environment, and offers suggestions for improvement. It is not a replacement for secure development techniques, and does not do any kind of code or app auditing, but can be a useful tool in a multilayered security approach.
As PHPSecInfo doesn't provide any new information, at least with this release, I see it as a useful tool for those who are not very familiar with PHP and only want to set up some downloaded scripts on their own web server. What I'd like to see in upcoming versions is a LOT more verbosity: explaining the settings in depth and giving advice on secure programming linked to some of the settings they test (like input validation without magic_quotes_gpc, handling globals with globals off, etc.).

Phishing for Postfinance (Part 2)

Posted by reto on 19 June, 2006 23:39

They are phishing for Postfinance logins again. And although the e-mail looks much nicer this time, they still have too many typos in it. ;-)
Another not so clever idea they had was to use port 8081 for all their links, be it for the logo (yes, they didn't link it from the original site, but from their phishing server!) or the phishing URL ( [modified email domain]) itself. According to a whois query, the IP range belongs to an ISP from Tokyo: (More)

Get Request from

Posted by reto on 10 October, 2005 23:46

Something you never ever want to see in your web server's access log is a GET request from zone-h.org's wget utility looking like this: - - [02/Oct/2005:13:48:00 +0200] "GET / HTTP/1.0" 200 25 "-" "Wget/1.9.1" is a site where hackers Script Kiddies can post sites they have defaced and/or tested to be vulnerable to remote exploits. The xmlrpc bug, which was found this summer and affected numerous CMS/Portal scripts, is one of the common bugs exploited since, resulting in hundreds of defaced websites.

One of those kiddies hit my badly maintained PostNuke site last week (oops, now it's out). Fortunately I didn't have any data loss. The index file was all that was damaged, so I guess I was lucky (probably because it was a publicly available script used for defacing standard PostNuke installations...).
Oh, and yes, pLog isn't vulnerable :).

Update on phishing at PostFinance

Posted by reto on 06 June, 2005 22:35

I searched for any messages on the phishing attack on PostFinance and came across a posting from Kaspar Manz. He got the phishing mail, too, and got indexed even faster than the official message made by PostFinance.
While giving some good advice to users, he reckons that PostFinance will hopefully not even dare to send any messages in HTML format. Well, as a customer of PostFinance I've got to tell you: the opposite is true! They started a Newsletter Service a short while ago; I'm not even sure I already got one. But reading the FAQ they already prepared reveals this: (More)

Generic Phishing Attack or an attack on PostFinance?

Posted by reto on 06 June, 2005 00:00

I found this mail in my spam folder recently (subject: "PostFinance Email Confirmation - retohugi (at)"):
Dear PostFinance Customer,

This email was sent by the PostFinance server to verify 
your e-mail address. You must complete this process by
clicking on the link below and entering in the small window 
your PostFinance online access details. This is done for
your protection - because some of our members no longer 
have access to their email addresses and we must verify it.

To verify your e-mail address, click on the link below:

The mail is in HTML format, so the link above was actually just linked text. The real hyperlink points to: " 9.asp?target=http://%6d8%74je%767.%64%%09A%%%2e%09%%%%72u%%%%09/" (this is one long URL)
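
As an added example (not part of the original post), a small Python check for the three traits of this link: visible text that differs from the real target, a redirect script that takes the destination in a `target`-style parameter, and a percent-encoded hostname. The sample mail and all hostnames are constructed, and the text/href comparison only fires when the visible text itself looks like a URL.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def nested_urls(href):
    """Yield (parameter, value) for query values that are absolute URLs."""
    for pair in urlsplit(href).query.split("&"):
        name, _, raw = pair.partition("=")
        value = raw if "://" in raw else unquote(raw)
        if re.match(r"https?://", value, re.I):
            yield name, value

def check_link(href, text):
    flags = []
    host = urlsplit(href).hostname or ""
    shown = urlsplit(text).hostname if re.match(r"https?://", text, re.I) else None
    if shown and unquote(host) != shown:
        flags.append("text-href-mismatch")      # reader sees one host, click goes to another
    hosts = [host] + [urlsplit(v).hostname or "" for _, v in nested_urls(href)]
    if len(hosts) > 1:
        flags.append("redirect-parameter")      # e.g. ...asp?target=http://...
    if any("%" in h for h in hosts):
        flags.append("percent-encoded-host")    # hostname hidden behind %xx escapes
    return flags

def scan_mail(html):
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    return [(href, text, check_link(href, text)) for href, text in parser.links]

# Constructed sample, not the mail from the post.
SAMPLE = ('<p>To verify your e-mail address, click on the link below:</p>'
          '<a href="http://redirector.example/r.asp?target=http://%6cogin.example.test/">'
          'https://www.bank.example/verify</a> '
          '<a href="https://www.bank.example/help">https://www.bank.example/help</a>')
```
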

SET your Passwords!

Posted by reto on 16 March, 2004 01:32

This entry may concern many, but I'm addressing it to the owner of an HP LaserJet 1300n. That could be many, right? Ok, but there is this one guy, setting up his LaserJet in a LAN, activating HTTP over Port 80 and allowing everybody - without ANY password - to access his beloved printer, printing testpages all night... (More)



